From: Frederick Lawler <fred@cloudflare.com>
To: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Cc: "Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Eric Paris" <eparis@redhat.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"John Fastabend" <john.fastabend@gmail.com>,
"KP Singh" <kpsingh@kernel.org>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Hao Luo" <haoluo@google.com>, "Jiri Olsa" <jolsa@kernel.org>,
"Shuah Khan" <shuah@kernel.org>,
"Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, audit@vger.kernel.org,
bpf@vger.kernel.org, linux-kselftest@vger.kernel.org,
kernel-team@cloudflare.com
Subject: Re: [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs
Date: Wed, 18 Mar 2026 12:34:17 -0500 [thread overview]
Message-ID: <abriGVbtYY1zhupD@CMGLRV3> (raw)
In-Reply-To: <CAP01T77VyW=5SHDvM3HXPNHaxRdzs8H__MOh2zx1dQ6STeAUtg@mail.gmail.com>
Hi Kumar,
On Tue, Mar 17, 2026 at 03:43:36AM +0100, Kumar Kartikeya Dwivedi wrote:
> On Wed, 11 Mar 2026 at 22:31, Frederick Lawler <fred@cloudflare.com> wrote:
> > 3. All bpf_audit_log_*() functions are destructive
> >
> > The audit subsystem allows for AUDIT_FAIL_PANIC to be set when the
> > subsystem can detect that missing events. Further, some call paths may
> > invoke a BUG_ON(). Therefore all the functions are marked destructive.
>
> I think the first part makes sense (i.e., the policy simply configured
> the system to panic on failure).
> However, in the second case, if the program is somehow able to trigger
> BUG_ON() relied upon for internal invariants, it would be considered
> broken.
> I tried grepping through and didn't find anything that would cause
> this, hence the whole thing about BUG_ON() in the cover letter only
> adds to confusion.
> Please drop it or describe cases which you were concerned about.
>
bpf_audit_log_cause()
-> audit_log_untrustedstring()
-> audit_log_n_untrustedstring()
-> audit_log_n_hex()
Was the primary call chain I was referring to, and yes this relies on
internal invariant of the SKB existing. I can remove from cover.
> >
> > 4. Functions are callable once per bpf_audit_context
> >
> > The rationale for this was to prevent abuse. Logs with repeated fields
> > are not helpful, and may not be handled by user space audit coherently.
> >
>
> This rationale feels weak. What abuse are we talking about?
> The LSM program is already written by a trusted entity.
>
I learned through off-list discussions that there's "undocumented" or
"unspoken" rules of log formatting and how auditd expects logs. Without
knowing exactly what these rules are, I can't provide any stronger
arguments other than to reduce duplication of fields in messages, or
exclude wrappers that supply unverified data.
WRT to unverified data, the socket wrappers accepting a netinf int.
In that case, the variable is at least verified via lookup to
report the interface in which it belongs. I left out wrapping
LSM_AUDIT_DATA_ANONINODE due to the passing of arbitrary string,
LSM_AUDIT_DATA_IPC arbitrary int. Others like for infiniband,
lockdown, nlmsgtype, were left out due to specificity, and not general
purpose usage.
Some of the rationale behind this is _not_ trusting BPF LSM authors as
much due to BPF LSM flexibility and accommodating user space audit.
Best,
Fred
next prev parent reply other threads:[~2026-03-18 17:34 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-11 21:31 [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs Frederick Lawler
2026-03-11 21:31 ` [PATCH RFC bpf-next 1/4] audit: Implement bpf_audit_log_*() wrappers Frederick Lawler
2026-03-11 22:08 ` bot+bpf-ci
2026-03-16 22:14 ` [PATCH RFC " David Windsor
2026-03-17 19:12 ` Mickaël Salaün
2026-03-17 2:04 ` [PATCH RFC bpf-next " Kumar Kartikeya Dwivedi
2026-03-11 21:31 ` [PATCH RFC bpf-next 2/4] audit/security: Enable audit BPF kfuncs Frederick Lawler
2026-03-11 21:31 ` [PATCH RFC bpf-next 3/4] selftests/bpf: Add audit helpers for BPF tests Frederick Lawler
2026-03-11 21:31 ` [PATCH RFC bpf-next 4/4] selftests/bpf: Add lsm_audit_kfuncs tests Frederick Lawler
2026-03-17 2:43 ` [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs Kumar Kartikeya Dwivedi
2026-03-18 1:15 ` Alexei Starovoitov
2026-03-18 17:49 ` Frederick Lawler
2026-03-18 20:55 ` Alexei Starovoitov
2026-03-18 17:34 ` Frederick Lawler [this message]
2026-04-21 21:07 ` Frederick Lawler
2026-04-21 21:12 ` Alexei Starovoitov
2026-04-21 22:10 ` Paul Moore
2026-04-21 22:14 ` Alexei Starovoitov
2026-04-21 22:49 ` Paul Moore
2026-04-21 23:08 ` Alexei Starovoitov
2026-04-22 14:33 ` Paul Moore
2026-04-22 18:50 ` Frederick Lawler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abriGVbtYY1zhupD@CMGLRV3 \
--to=fred@cloudflare.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=audit@vger.kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=eparis@redhat.com \
--cc=gnoack@google.com \
--cc=haoluo@google.com \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kernel-team@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=sdf@fomichev.me \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.