From: Jiri Olsa <jolsa@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
linux-audit@redhat.com, Jiri Olsa <jolsa@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Network Development <netdev@vger.kernel.org>,
bpf <bpf@vger.kernel.org>, Andrii Nakryiko <andriin@fb.com>,
Yonghong Song <yhs@fb.com>, Martin KaFai Lau <kafai@fb.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Steve Grubb <sgrubb@redhat.com>, David Miller <davem@redhat.com>,
Eric Paris <eparis@redhat.com>, Jiri Benc <jbenc@redhat.com>
Subject: Re: [PATCH] bpf: emit audit messages upon successful prog load and unload
Date: Fri, 22 Nov 2019 10:32:32 +0100 [thread overview]
Message-ID: <20191122093232.GB8287@krava> (raw)
In-Reply-To: <CAHC9VhQbQoXacbTCNJPGNzFOv30PwLeiWu4ROQFU46=saTeTNQ@mail.gmail.com>
On Thu, Nov 21, 2019 at 06:41:31PM -0500, Paul Moore wrote:
> On Wed, Nov 20, 2019 at 4:49 PM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
> > On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
> > > On 11/20/19 10:38 PM, Jiri Olsa wrote:
> > > > From: Daniel Borkmann <daniel@iogearbox.net>
> > > >
> > > > Allow for audit messages to be emitted upon BPF program load and
> > > > unload for having a timeline of events. The load itself is in
> > > > syscall context, so additional info about the process initiating
> > > > the BPF prog creation can be logged and later directly correlated
> > > > to the unload event.
> > > >
> > > > The only info really needed from BPF side is the globally unique
> > > > prog ID where then audit user space tooling can query / dump all
> > > > info needed about the specific BPF program right upon load event
> > > > and enrich the record, thus these changes needed here can be kept
> > > > small and non-intrusive to the core.
> > > >
> > > > Raw example output:
> > > >
> > > > # auditctl -D
> > > > # auditctl -a always,exit -F arch=x86_64 -S bpf
> > > > # ausearch --start recent -m 1334
> > > > [...]
> > > > ----
> > > > time->Wed Nov 20 12:45:51 2019
> > > > type=PROCTITLE msg=audit(1574271951.590:8974): proctitle="./test_verifier"
> > > > type=SYSCALL msg=audit(1574271951.590:8974): arch=c000003e syscall=321 success=yes exit=14 a0=5 a1=7ffe2d923e80 a2=78 a3=0 items=0 ppid=742 pid=949 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="test_verifier" exe="/root/bpf-next/tools/testing/selftests/bpf/test_verifier" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > > > type=UNKNOWN[1334] msg=audit(1574271951.590:8974): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=949 comm="test_verifier" exe="/root/bpf-next/tools/testing/selftests/bpf/test_verifier" prog-id=3260 event=LOAD
> > > > ----
> > > > time->Wed Nov 20 12:45:51 2019
> > > > type=UNKNOWN[1334] msg=audit(1574271951.590:8975): prog-id=3260 event=UNLOAD
> > > > ----
> > > > [...]
> > > >
> > > > Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> > > > Signed-off-by: Jiri Olsa <jolsa@kernel.org>
> > >
> > > LGTM, thanks for the rebase!
> >
> > Applied to bpf-next. Thanks!
>
> [NOTE: added linux-audit to the To/CC line]
>
> Wait a minute, why was the linux-audit list not CC'd on this? Why are
> you merging a patch into -next that adds to the uapi definition *and*
> creates a new audit record while we are at -rc8?
my bad sorry, I included only maintainers
there was previous RFC post:
https://lore.kernel.org/netdev/20191120143810.8852-1-jolsa@kernel.org/
but I guess the patch followed up too fast
> Aside from that I'm concerned that you are relying on audit userspace
> changes that might not be okay; I see the PR below, but I don't see
> any comment on it from Steve (it is his audit userspace). I also
> don't see a corresponding test added to the audit-testsuite, which is
> a common requirement for new audit functionality (link below). I'm
> also fairly certain we don't want this new BPF record to look like how
> you've coded it up in bpf_audit_prog(); duplicating the fields with
> audit_log_task() is wrong, you've either already got them via an
> associated record (which you get from passing non-NULL as the first
> parameter to audit_log_start()), or you don't because there is no
> associated syscall/task (which you get from passing NULL as the first
> parameter). Please revert, un-merge, etc. this patch from bpf-next;
> it should not go into Linus' tree as written.
the original audit approach for BPF notification was declined
in favor of perf-based approach:
https://marc.info/?l=linux-netdev&m=153866106418036&w=2
We tried to add perf based notification support to auditd,
but it did not fit and was nack-ed by audit guys:
https://www.redhat.com/archives/linux-audit/2019-August/msg00004.html
so we returned to the original approach
>
> Audit userspace PR:
> * https://github.com/linux-audit/audit-userspace/pull/104
this is the perf-based notification approach, that got nacked
>
> Audit test suite:
> * https://github.com/linux-audit/audit-testsuite
I'll check on these
thanks,
jirka
next prev parent reply other threads:[~2019-11-22 9:32 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-20 21:38 [PATCH] bpf: emit audit messages upon successful prog load and unload Jiri Olsa
2019-11-20 21:46 ` Daniel Borkmann
2019-11-20 21:48 ` Alexei Starovoitov
2019-11-21 23:41 ` Paul Moore
2019-11-22 0:22 ` Alexei Starovoitov
2019-11-22 0:36 ` Paul Moore
2019-11-22 19:23 ` Jiri Olsa
2019-11-22 21:19 ` Paul Moore
2019-11-23 8:57 ` Jiri Olsa
2019-11-23 18:03 ` Jakub Kicinski
2019-11-24 22:38 ` Jiri Olsa
2019-11-25 18:38 ` Steve Grubb
2019-11-25 18:38 ` Steve Grubb
2019-11-22 0:25 ` Daniel Borkmann
2019-11-22 0:42 ` Paul Moore
2019-11-22 9:32 ` Jiri Olsa [this message]
2019-11-22 9:35 ` Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191122093232.GB8287@krava \
--to=jolsa@redhat.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@redhat.com \
--cc=eparis@redhat.com \
--cc=jakub.kicinski@netronome.com \
--cc=jbenc@redhat.com \
--cc=jolsa@kernel.org \
--cc=kafai@fb.com \
--cc=linux-audit@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sgrubb@redhat.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.