From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Stanislav Kozina" <skozina@redhat.com>,
"Yauheni Kaliuta" <yauheni.kaliuta@redhat.com>,
"Toke Høiland-Jørgensen" <toke@redhat.com>,
"Jiri Benc" <jbenc@redhat.com>,
"Arnaldo Carvalho de Melo" <acme@redhat.com>,
"Jesper Dangaard Brouer" <brouer@redhat.com>,
"Jiri Olsa" <jolsa@redhat.com>
Subject: Re: [RFC] audit support for BPF notification
Date: Fri, 09 Aug 2019 13:45:21 -0400 [thread overview]
Message-ID: <2985228.9kGasGrDWd@x2> (raw)
In-Reply-To: <20190809141831.GB9377@krava>
Hello,
On Friday, August 9, 2019 10:18:31 AM EDT Jiri Olsa wrote:
> I posted initial change that allows auditd to log BPF program
> load/unload events, it's in here:
> https://github.com/linux-audit/audit-userspace/pull/104
Thanks for the patch...but we probably should have talked a bit more before
undertaking this effort. We normally do not audit from user space what happens
in the kernel. Doing this can be racy and it keeps auditd from doing the one
job it has - which is to grab events and record them to disk and send them
out the realtime interface.
> We tried to push pure AUDIT interface for BPF program notification,
> but it was denied, the discussion is in here:
> https://marc.info/?t=153866123200003&r=1&w=2
Hmm. The email I remember was here:
https://www.redhat.com/archives/linux-audit/2018-October/msg00053.html
and was only 2 emails long with no answer to my question. :-)
> The outcome of the discussion was to use perf event interface
> for BPF notification and use it in some deamon.. audit was our
> first choice.
>
> thoughts?
I'd like to understand what the basic problem is that needs to be solved.
-Steve
next prev parent reply other threads:[~2019-08-09 17:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-09 14:18 [RFC] audit support for BPF notification Jiri Olsa
2019-08-09 17:45 ` Steve Grubb [this message]
2019-08-12 7:59 ` Jiri Olsa
2019-08-12 13:49 ` Steve Grubb
2019-08-12 14:32 ` Jiri Olsa
2019-08-14 7:33 ` Jiri Olsa
2019-08-20 13:54 ` Jiri Olsa
2019-11-04 13:05 ` Jiri Benc
2019-11-04 13:28 ` Jiri Olsa
2019-11-04 13:41 ` Vladis Dronov
2019-11-04 13:46 ` Vladis Dronov
2019-11-05 0:18 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2985228.9kGasGrDWd@x2 \
--to=sgrubb@redhat.com \
--cc=acme@redhat.com \
--cc=brouer@redhat.com \
--cc=jbenc@redhat.com \
--cc=jolsa@redhat.com \
--cc=linux-audit@redhat.com \
--cc=skozina@redhat.com \
--cc=toke@redhat.com \
--cc=yauheni.kaliuta@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox