From: "Mickaël Salaün" <mic@digikod.net>
To: David Windsor <dwindsor@gmail.com>
Cc: fred@cloudflare.com, paul@paul-moore.com, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org, audit@vger.kernel.org,
ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
martin.lau@linux.dev, kpsingh@kernel.org
Subject: Re: [PATCH RFC 1/4] audit: Implement bpf_audit_log_*() wrappers
Date: Tue, 17 Mar 2026 20:12:40 +0100 [thread overview]
Message-ID: <20260317.maoD7thah7pi@digikod.net> (raw)
In-Reply-To: <20260316221440.2043299-1-dwindsor@gmail.com>
On Mon, Mar 16, 2026 at 06:14:40PM -0400, David Windsor wrote:
> Hi Frederick,
>
> On Wed, Mar 11, 2026 at 04:31:17PM -0500, Frederick Lawler wrote:
> > +__bpf_kfunc int bpf_audit_log_cause(struct bpf_audit_context *ac,
> > + const char *cause__str)
> > +{
> > + if (log_once(ac, BIT_ULL(LSM_AUDIT_DATA_CAUSE)))
> > + return -EINVAL;
> > +
> > + audit_log_format(ac->ab, " cause=");
> > + audit_log_untrustedstring(ac->ab, cause__str);
> > + return 0;
> > +}
>
> Rather than putting everything in the cause field, could we perhaps
> have a separate kfunc here that appends normal stringpairs (not
> format strings) to the audit record:
>
> bpf_audit_log_str(ac, "result", "denied");
> bpf_audit_log_str(ac, "op", "read");
> bpf_audit_log_str(ac, "scontext", ctx_str);
That would mean arbitrary audit keys (and values), which would not be
acceptable (i.e. no consistency).
>
> I know you didn't want to wrap audit_log_format(), which makes sense,
> this would be a midway point between that and stuffing everything in
> one field.
next prev parent reply other threads:[~2026-03-17 19:19 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-11 21:31 [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs Frederick Lawler
2026-03-11 21:31 ` [PATCH RFC bpf-next 1/4] audit: Implement bpf_audit_log_*() wrappers Frederick Lawler
2026-03-11 22:08 ` bot+bpf-ci
2026-03-16 22:14 ` [PATCH RFC " David Windsor
2026-03-17 19:12 ` Mickaël Salaün [this message]
2026-03-17 2:04 ` [PATCH RFC bpf-next " Kumar Kartikeya Dwivedi
2026-03-11 21:31 ` [PATCH RFC bpf-next 2/4] audit/security: Enable audit BPF kfuncs Frederick Lawler
2026-03-11 21:31 ` [PATCH RFC bpf-next 3/4] selftests/bpf: Add audit helpers for BPF tests Frederick Lawler
2026-03-11 21:31 ` [PATCH RFC bpf-next 4/4] selftests/bpf: Add lsm_audit_kfuncs tests Frederick Lawler
2026-03-17 2:43 ` [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs Kumar Kartikeya Dwivedi
2026-03-18 1:15 ` Alexei Starovoitov
2026-03-18 17:49 ` Frederick Lawler
2026-03-18 20:55 ` Alexei Starovoitov
2026-03-18 17:34 ` Frederick Lawler
2026-04-21 21:07 ` Frederick Lawler
2026-04-21 21:12 ` Alexei Starovoitov
2026-04-21 22:10 ` Paul Moore
2026-04-21 22:14 ` Alexei Starovoitov
2026-04-21 22:49 ` Paul Moore
2026-04-21 23:08 ` Alexei Starovoitov
2026-04-22 14:33 ` Paul Moore
2026-04-22 18:50 ` Frederick Lawler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260317.maoD7thah7pi@digikod.net \
--to=mic@digikod.net \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=audit@vger.kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dwindsor@gmail.com \
--cc=fred@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.