From: Jiri Olsa <jolsa@redhat.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, bpf@vger.kernel.org,
Andrii Nakryiko <andriin@fb.com>, Yonghong Song <yhs@fb.com>,
Martin KaFai Lau <kafai@fb.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Steve Grubb <sgrubb@redhat.com>, David Miller <davem@redhat.com>,
Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>,
Jiri Benc <jbenc@redhat.com>
Subject: Re: [RFC] bpf: emit audit messages upon successful prog load and unload
Date: Wed, 20 Nov 2019 22:30:11 +0100 [thread overview]
Message-ID: <20191120213011.GA6829@krava> (raw)
In-Reply-To: <20191120211438.x5dn2ns755bv3q63@ast-mbp.dhcp.thefacebook.com>
On Wed, Nov 20, 2019 at 01:14:40PM -0800, Alexei Starovoitov wrote:
> On Wed, Nov 20, 2019 at 03:38:10PM +0100, Jiri Olsa wrote:
> >
> > The only info really needed from BPF side is the globally unique
> > prog ID where then audit user space tooling can query / dump all
> > info needed about the specific BPF program right upon load event
> > and enrich the record, thus these changes needed here can be kept
> > small and non-intrusive to the core.
>
> ...
>
> > +static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_event event)
> > +{
> > + bool has_task_context = event == BPF_EVENT_LOAD;
> > + struct audit_buffer *ab;
> > +
> > + if (audit_enabled == AUDIT_OFF)
> > + return;
> > + ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
> > + if (unlikely(!ab))
> > + return;
> > + if (has_task_context)
> > + audit_log_task(ab);
> > + audit_log_format(ab, "%sprog-id=%u event=%s",
> > + has_task_context ? " " : "",
> > + prog->aux->id, bpf_event_audit_str[event]);
> > + audit_log_end(ab);
>
> Single prog ID is enough for perf_event based framework to track everything
> about the programs and should be enough for audit.
> Could you please resend as proper patch with explicit 'From:' ?
> Since I'm not sure what is the proper authorship of the patch.. Daniel's or yours.
it's Daniel's I'll resend
jirka
next prev parent reply other threads:[~2019-11-20 21:30 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-20 14:38 [RFC] bpf: emit audit messages upon successful prog load and unload Jiri Olsa
2019-11-20 21:14 ` Alexei Starovoitov
2019-11-20 21:30 ` Jiri Olsa [this message]
-- strict thread matches above, loose matches on Subject: below --
2019-11-28 9:16 [RFC] bpf: Emit " Jiri Olsa
2019-11-28 9:18 ` Jiri Olsa
2019-12-02 23:00 ` Paul Moore
2019-12-02 23:00 ` Paul Moore
2019-12-03 4:57 ` Steve Grubb
2019-12-03 8:46 ` Jiri Olsa
2019-12-03 9:38 ` Jiri Olsa
2019-12-04 2:53 ` Paul Moore
2019-12-04 14:08 ` Jiri Olsa
2019-12-04 14:38 ` Paul Moore
2019-12-04 15:26 ` Jiri Olsa
2019-12-04 14:02 ` Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191120213011.GA6829@krava \
--to=jolsa@redhat.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@redhat.com \
--cc=eparis@redhat.com \
--cc=jakub.kicinski@netronome.com \
--cc=jbenc@redhat.com \
--cc=jolsa@kernel.org \
--cc=kafai@fb.com \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sgrubb@redhat.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.