From: David Windsor <dwindsor@gmail.com>
To: fred@cloudflare.com
Cc: paul@paul-moore.com, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org, audit@vger.kernel.org,
ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
martin.lau@linux.dev, kpsingh@kernel.org
Subject: Re: [PATCH RFC 1/4] audit: Implement bpf_audit_log_*() wrappers
Date: Mon, 16 Mar 2026 18:14:40 -0400 [thread overview]
Message-ID: <20260316221440.2043299-1-dwindsor@gmail.com> (raw)
In-Reply-To: <20260311-bpf-auditd-send-message-v1-1-10a62db5c92f@cloudflare.com>
Hi Frederick,
On Wed, Mar 11, 2026 at 04:31:17PM -0500, Frederick Lawler wrote:
> +__bpf_kfunc int bpf_audit_log_cause(struct bpf_audit_context *ac,
> + const char *cause__str)
> +{
> + if (log_once(ac, BIT_ULL(LSM_AUDIT_DATA_CAUSE)))
> + return -EINVAL;
> +
> + audit_log_format(ac->ab, " cause=");
> + audit_log_untrustedstring(ac->ab, cause__str);
> + return 0;
> +}
Rather than putting everything in the cause field, could we perhaps
have a separate kfunc here that appends normal stringpairs (not
format strings) to the audit record:
bpf_audit_log_str(ac, "result", "denied");
bpf_audit_log_str(ac, "op", "read");
bpf_audit_log_str(ac, "scontext", ctx_str);
I know you didn't want to wrap audit_log_format(), which makes sense,
this would be a midway point between that and stuffing everything in
one field.
> +__bpf_kfunc int bpf_audit_log_net_sock(struct bpf_audit_context *ac, int netif,
> + const struct socket *sock)
> +{
> + struct lsm_network_audit net = { .sk = sock->sk, .netif = netif };
> + struct common_audit_data ad;
> +
> + ad.type = LSM_AUDIT_DATA_NET;
> + ad.u.net = &net;
> + return __audit_log_lsm_data(ac, &ad);
> +}
Should we also wrap ipv4_skb_to_auditdata() /
ipv6_skb_to_auditdata()? Smack uses it in smack_socket_sock_rcv_skb.
Thanks,
David
next prev parent reply other threads:[~2026-03-16 22:14 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-11 21:31 [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs Frederick Lawler
2026-03-11 21:31 ` [PATCH RFC bpf-next 1/4] audit: Implement bpf_audit_log_*() wrappers Frederick Lawler
2026-03-11 22:08 ` bot+bpf-ci
2026-03-16 22:14 ` David Windsor [this message]
2026-03-17 19:12 ` [PATCH RFC " Mickaël Salaün
2026-03-17 2:04 ` [PATCH RFC bpf-next " Kumar Kartikeya Dwivedi
2026-03-11 21:31 ` [PATCH RFC bpf-next 2/4] audit/security: Enable audit BPF kfuncs Frederick Lawler
2026-03-11 21:31 ` [PATCH RFC bpf-next 3/4] selftests/bpf: Add audit helpers for BPF tests Frederick Lawler
2026-03-11 21:31 ` [PATCH RFC bpf-next 4/4] selftests/bpf: Add lsm_audit_kfuncs tests Frederick Lawler
2026-03-17 2:43 ` [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs Kumar Kartikeya Dwivedi
2026-03-18 1:15 ` Alexei Starovoitov
2026-03-18 17:49 ` Frederick Lawler
2026-03-18 20:55 ` Alexei Starovoitov
2026-03-18 17:34 ` Frederick Lawler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260316221440.2043299-1-dwindsor@gmail.com \
--to=dwindsor@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=audit@vger.kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=fred@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox