From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: [RFC] audit support for BPF notification Date: Fri, 09 Aug 2019 13:45:21 -0400 Message-ID: <2985228.9kGasGrDWd@x2> References: <20190809141831.GB9377@krava> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20190809141831.GB9377@krava> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: Stanislav Kozina , Yauheni Kaliuta , Toke =?ISO-8859-1?Q?H=F8iland=2DJ=F8rgensen?= , Jiri Benc , Arnaldo Carvalho de Melo , Jesper Dangaard Brouer , Jiri Olsa List-Id: linux-audit@redhat.com Hello, On Friday, August 9, 2019 10:18:31 AM EDT Jiri Olsa wrote: > I posted initial change that allows auditd to log BPF program > load/unload events, it's in here: > https://github.com/linux-audit/audit-userspace/pull/104 Thanks for the patch...but we probably should have talked a bit more before undertaking this effort. We normally do not audit from user space what happens in the kernel. Doing this can be racy and it keeps auditd from doing the one job it has - which is to grab events and record them to disk and send them out the realtime interface. > We tried to push pure AUDIT interface for BPF program notification, > but it was denied, the discussion is in here: > https://marc.info/?t=153866123200003&r=1&w=2 Hmm. The email I remember was here: https://www.redhat.com/archives/linux-audit/2018-October/msg00053.html and was only 2 emails long with no answer to my question. :-) > The outcome of the discussion was to use perf event interface > for BPF notification and use it in some deamon.. audit was our > first choice. > > thoughts? I'd like to understand what the basic problem is that needs to be solved. -Steve