From: Jiri Olsa <jolsa@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Jiri Olsa <jolsa@kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, bpf@vger.kernel.org,
linux-audit@redhat.com, Andrii Nakryiko <andriin@fb.com>,
Yonghong Song <yhs@fb.com>, Martin KaFai Lau <kafai@fb.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Steve Grubb <sgrubb@redhat.com>, David Miller <davem@redhat.com>,
Eric Paris <eparis@redhat.com>, Jiri Benc <jbenc@redhat.com>
Subject: Re: [RFC] bpf: Emit audit messages upon successful prog load and unload
Date: Tue, 3 Dec 2019 10:38:37 +0100 [thread overview]
Message-ID: <20191203093837.GC17468@krava> (raw)
In-Reply-To: <CAHC9VhQ7zkXdz1V5hQ8PN68-NnCn56TjKA0wCL6ZjHy9Up8fuQ@mail.gmail.com>
On Mon, Dec 02, 2019 at 06:00:14PM -0500, Paul Moore wrote:
> On Thu, Nov 28, 2019 at 4:16 AM Jiri Olsa <jolsa@kernel.org> wrote:
> > From: Daniel Borkmann <daniel@iogearbox.net>
> >
> > Allow for audit messages to be emitted upon BPF program load and
> > unload for having a timeline of events. The load itself is in
> > syscall context, so additional info about the process initiating
> > the BPF prog creation can be logged and later directly correlated
> > to the unload event.
> >
> > The only info really needed from BPF side is the globally unique
> > prog ID where then audit user space tooling can query / dump all
> > info needed about the specific BPF program right upon load event
> > and enrich the record, thus these changes needed here can be kept
> > small and non-intrusive to the core.
> >
> > Raw example output:
> >
> > # auditctl -D
> > # auditctl -a always,exit -F arch=x86_64 -S bpf
> > # ausearch --start recent -m 1334
> > ...
> > ----
> > time->Wed Nov 27 16:04:13 2019
> > type=PROCTITLE msg=audit(1574867053.120:84664): proctitle="./bpf"
> > type=SYSCALL msg=audit(1574867053.120:84664): arch=c000003e syscall=321 \
> > success=yes exit=3 a0=5 a1=7ffea484fbe0 a2=70 a3=0 items=0 ppid=7477 \
> > pid=12698 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 \
> > egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=4 comm="bpf" \
> > exe="/home/jolsa/auditd/audit-testsuite/tests/bpf/bpf" \
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > type=UNKNOWN[1334] msg=audit(1574867053.120:84664): prog-id=76 op=LOAD
> > ----
> > time->Wed Nov 27 16:04:13 2019
> > type=UNKNOWN[1334] msg=audit(1574867053.120:84665): prog-id=76 op=UNLOAD
> > ...
> >
> > Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> > Co-developed-by: Jiri Olsa <jolsa@kernel.org>
> > Signed-off-by: Jiri Olsa <jolsa@kernel.org>
> > ---
> > include/uapi/linux/audit.h | 1 +
> > kernel/bpf/syscall.c | 27 +++++++++++++++++++++++++++
> > 2 files changed, 28 insertions(+)
>
> Hi all, sorry for the delay; the merge window in combination with the
> holiday in the US bumped this back a bit. Small comments inline below
np, thanks for review
> ...
>
> > --- a/kernel/bpf/syscall.c
> > +++ b/kernel/bpf/syscall.c
> > @@ -23,6 +23,7 @@
> > #include <linux/timekeeping.h>
> > #include <linux/ctype.h>
> > #include <linux/nospec.h>
> > +#include <linux/audit.h>
> > #include <uapi/linux/btf.h>
> >
> > #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \
> > @@ -1306,6 +1307,30 @@ static int find_prog_type(enum bpf_prog_type type, struct bpf_prog *prog)
> > return 0;
> > }
> >
> > +enum bpf_audit {
> > + BPF_AUDIT_LOAD,
> > + BPF_AUDIT_UNLOAD,
> > +};
> > +
> > +static const char * const bpf_audit_str[] = {
> > + [BPF_AUDIT_LOAD] = "LOAD",
> > + [BPF_AUDIT_UNLOAD] = "UNLOAD",
> > +};
> > +
> > +static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_audit op)
> > +{
> > + struct audit_buffer *ab;
> > +
> > + if (audit_enabled == AUDIT_OFF)
> > + return;
>
> I think you would probably also want to check the results of
> audit_dummy_context() here as well, see all the various audit_XXX()
> functions in include/linux/audit.h as an example. You'll see a
> pattern similar to the following:
>
> static inline void audit_foo(...)
> {
> if (unlikely(!audit_dummy_context()))
> __audit_foo(...)
> }
bpf_audit_prog might be called outside of syscall context for UNLOAD event,
so that would prevent it from being stored
I can see audit_log_start checks on value of audit_context() that we pass in,
should we check for audit_dummy_context just for load event? like:
static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_audit op)
{
struct audit_buffer *ab;
if (audit_enabled == AUDIT_OFF)
return;
if (op == BPF_AUDIT_LOAD && audit_dummy_context())
return;
ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
if (unlikely(!ab))
return;
...
}
>
> > + ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
> > + if (unlikely(!ab))
> > + return;
> > + audit_log_format(ab, "prog-id=%u op=%s",
> > + prog->aux->id, bpf_audit_str[op]);
>
> Is it worth putting some checks in here to make sure that you don't
> blow past the end of the bpf_audit_str array?
>
> > + audit_log_end(ab);
> > +}
>
> The audit record format looks much better now, thank you. Although I
> do wonder if you want bpf_audit_prog() to live in kernel/bpf/syscall.c
> or in kernel/auditsc.c? There is plenty of precedence for moving it
> into auditsc.c and defining a no-op version for when
> CONFIG_AUDITSYSCALL is not enabled, but I personally don't feel that
> strongly about either option. I just wanted to mention this in case
> you weren't already aware.
>
> If you do keep it in syscall.c, I don't think there is a need to
> implement a no-op version dependent on CONFIG_AUDITSYSCALL; that will
> just clutter the code.
>
> If you do move it to auditsc.c please change the name to
> audit_bpf()/__audit_bpf() so it matches the other functions; if you
> keep it in syscall.c you can name it whatever you like :)
ok, so far I think we'll keep it kernel/bpf/syscall.c
thanks,
jirka
next prev parent reply other threads:[~2019-12-03 9:38 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-28 9:16 [RFC] bpf: Emit audit messages upon successful prog load and unload Jiri Olsa
2019-11-28 9:18 ` Jiri Olsa
2019-12-02 23:00 ` Paul Moore
2019-12-02 23:00 ` Paul Moore
2019-12-03 4:57 ` Steve Grubb
2019-12-03 8:46 ` Jiri Olsa
2019-12-03 9:38 ` Jiri Olsa [this message]
2019-12-04 2:53 ` Paul Moore
2019-12-04 14:08 ` Jiri Olsa
2019-12-04 14:38 ` Paul Moore
2019-12-04 15:26 ` Jiri Olsa
2019-12-04 14:02 ` Jiri Olsa
-- strict thread matches above, loose matches on Subject: below --
2019-11-20 14:38 [RFC] bpf: emit " Jiri Olsa
2019-11-20 21:14 ` Alexei Starovoitov
2019-11-20 21:30 ` Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191203093837.GC17468@krava \
--to=jolsa@redhat.com \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@redhat.com \
--cc=eparis@redhat.com \
--cc=jakub.kicinski@netronome.com \
--cc=jbenc@redhat.com \
--cc=jolsa@kernel.org \
--cc=kafai@fb.com \
--cc=linux-audit@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sgrubb@redhat.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.