From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jiri Olsa Subject: Re: [RFC] bpf: Emit audit messages upon successful prog load and unload Date: Wed, 4 Dec 2019 15:02:51 +0100 Message-ID: <20191204140251.GA11548@krava> References: <20191128091633.29275-1-jolsa@kernel.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: Content-Disposition: inline Sender: netdev-owner@vger.kernel.org To: Paul Moore Cc: Jiri Olsa , Alexei Starovoitov , Daniel Borkmann , netdev@vger.kernel.org, bpf@vger.kernel.org, linux-audit@redhat.com, Andrii Nakryiko , Yonghong Song , Martin KaFai Lau , Jakub Kicinski , Steve Grubb , David Miller , Eric Paris , Jiri Benc List-Id: linux-audit@redhat.com On Mon, Dec 02, 2019 at 06:00:14PM -0500, Paul Moore wrote: SNIP > > + > > +static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_audit= op) > > +{ > > + struct audit_buffer *ab; > > + > > + if (audit_enabled =3D=3D AUDIT_OFF) > > + return; >=20 > I think you would probably also want to check the results of > audit_dummy_context() here as well, see all the various audit_XXX() > functions in include/linux/audit.h as an example. You'll see a > pattern similar to the following: >=20 > static inline void audit_foo(...) > { > if (unlikely(!audit_dummy_context())) > __audit_foo(...) > } >=20 > > + ab =3D audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF); > > + if (unlikely(!ab)) > > + return; > > + audit_log_format(ab, "prog-id=3D%u op=3D%s", > > + prog->aux->id, bpf_audit_str[op]); >=20 > Is it worth putting some checks in here to make sure that you don't > blow past the end of the bpf_audit_str array? forgot answer this one.. there are only 2 callers: bpf_audit_prog(prog, BPF_AUDIT_UNLOAD); bpf_audit_prog(prog, BPF_AUDIT_LOAD); that's not going to change any time soon, so I dont think we don't need such check jirka