Date: Tue, 21 Apr 2026 16:07:47 -0500
From: Frederick Lawler
To: Paul Moore, James Morris, "Serge E. Hallyn", Eric Paris, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan, Mickaël Salaün, Günther Noack
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, kernel-team@cloudflare.com
Subject: Re: [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs
In-Reply-To: <20260311-bpf-auditd-send-message-v1-0-10a62db5c92f@cloudflare.com>

Hi folks,

I was accepted to speak a little bit about this patch series at Linux Security Summit this May [1]. I'm going to use this opportunity to re-iterate some of the motivation, what can be done today with BPF, drawbacks, and wrap up with discussion topics.

I'd love to hear feedback from audit, BPF, and security folks to work towards a viable solution that addresses shortcomings to allow for better integration with BPF.

Best,
Fred

[1]: https://lssna2026.sched.com/event/2KEc3/bridging-bpf-lsm-and-the-linux-audit-subsystem-frederick-lawler-cloudflare?iframe=yes&w=100%&sidebar=yes&bg=no