From: Alexei Starovoitov
Subject: Re: [PATCH bpf-next] bpf: emit audit messages upon successful prog load and unload
Date: Wed, 10 Oct 2018 12:53:48 -0700
Message-ID: <20181010195346.mu2mkw2vvpbkj6w7@ast-mbp.dhcp.thefacebook.com>
In-Reply-To: <20181008115740.GA17355@krava>
References: <20181004135038.2876-1-daniel@iogearbox.net> <20181004171141.tsggdqnh65x2si4d@ast-mbp.dhcp.thefacebook.com> <20181004203949.388e9a38@redhat.com> <36266cde-3aa0-aeb4-9888-5e3f0e4d1911@iogearbox.net> <20181004222231.2edd5add@redhat.com> <20181004221013.o3c5junwfyaasuxo@ast-mbp.dhcp.thefacebook.com> <20181008115740.GA17355@krava>
To: Jiri Olsa
Cc: Jesper Dangaard Brouer, Daniel Borkmann, ast@kernel.org, netdev@vger.kernel.org, Jiri Olsa, acme@kernel.org

On Mon, Oct 08, 2018 at 01:57:40PM +0200, Jiri Olsa wrote:
> I checked that discussion and it's related only to bpf program load/unload,
> is there any plan to also notify about bpf program attachment?
>
> in the step 2 you described:
>
>   step 2 (future work)
>   single event for bpf prog_load with prog_id only.
>   Either via perf ring buffer or ftrace or tracepoints or some
>   other notification mechanism.
>
> would you see this to be feasible also for bpf prog attachment notification?

I agree that at first glance ring buffer notifications for program attachment
sound useful, but I have a hard time seeing how we can build the complete
solution on top of them.

progs can be attached via netlink, perf_event ioctl, bpf syscall.
Theoretically we can insert ring buffer events in all those places, but there
is no common format we can use. In networking cases ifindex alone won't be
enough, since there is xdp vs tc vs lwt vs etc.

Furthermore the program can run without being attached to anything. Like the
way folks use xdp is they load a mini bpf prog that dispatches all other progs
via prog_array via the tail_call mechanism. So to execute a newly loaded
program user space only needs to store its FD into the prog_array. Would you
want to add notifications for all map updates then as well? What would be the
format of such a notification? map_id and slot index? But how will the audit
daemon know that this particular map is used for running and under what
conditions? A single bpf dispatcher program can use multiple prog_arrays.

It seems to me that attach notifications are not a practical way to introspect
the "bpf program execution graph" in the kernel.

I suggest to take a look at bpftool. It can inspect networking, cgroup, tracing
progs already and show what programs are loaded and where they are attached to.
I think improving bpftool style of introspection is more practical than
inventing notifications for everything.
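The bpftool-style introspection argued for above, as an added example that is not part of this thread: it rebuilds the "bpf program execution graph" from the JSON that `bpftool prog show -j`, `bpftool net show -j` and `bpftool map dump -j id N` print, so programs reached only through a prog_array tail call (which no attach event would ever mention) are still accounted for. The program ids, names and map contents are constructed sample data; the field names are assumed to follow bpftool's JSON layout.

```python
import json

# Constructed samples shaped like bpftool -j output; ids and names are made up.
PROGS_JSON = '''[
 {"id": 7,  "type": "xdp",       "name": "dispatch", "map_ids": [3]},
 {"id": 8,  "type": "xdp",       "name": "drop_v4",  "map_ids": []},
 {"id": 9,  "type": "xdp",       "name": "count_v6", "map_ids": []},
 {"id": 10, "type": "sched_cls", "name": "tc_cls",   "map_ids": []},
 {"id": 11, "type": "xdp",       "name": "stale",    "map_ids": []}
]'''
NET_JSON = '''[{"xdp": [{"devname": "eth0", "ifindex": 2, "mode": "driver", "id": 7}],
  "tc": [{"devname": "eth0", "ifindex": 2, "kind": "clsact/ingress",
          "name": "tc_cls", "id": 10}],
  "flow_dissector": []}]'''
# Map id 3 is a prog_array: each slot value is a little-endian u32 prog id.
PROG_ARRAY_DUMPS = {3: '''[
 {"key": ["0x00","0x00","0x00","0x00"], "value": ["0x08","0x00","0x00","0x00"]},
 {"key": ["0x01","0x00","0x00","0x00"], "value": ["0x09","0x00","0x00","0x00"]}
]'''}

def le_u32(hex_bytes):
    """Decode bpftool's per-byte hex list ("0x08", ...) as a little-endian int."""
    return int.from_bytes(bytes(int(b, 16) for b in hex_bytes), "little")

def build_graph(progs_json, net_json, prog_array_dumps):
    progs = {p["id"]: p for p in json.loads(progs_json)}
    attached = {}                      # prog id -> attach points (direct edges)
    for iface in json.loads(net_json):
        for hook in ("xdp", "tc"):
            for a in iface.get(hook, []):
                where = f"{hook}:{a['devname']}"
                if hook == "tc":
                    where += f"/{a['kind']}"
                attached.setdefault(a["id"], []).append(where)
    tail_calls = {}                    # caller id -> {slot: callee id}
    for pid, p in progs.items():
        for mid in p.get("map_ids", []):
            if mid in prog_array_dumps:
                slots = {le_u32(e["key"]): le_u32(e["value"])
                         for e in json.loads(prog_array_dumps[mid])}
                tail_calls.setdefault(pid, {}).update(slots)
    # Walk tail-call edges from every attached program to find what can run.
    reachable, frontier = set(attached), list(attached)
    while frontier:
        for callee in tail_calls.get(frontier.pop(), {}).values():
            if callee not in reachable:
                reachable.add(callee)
                frontier.append(callee)
    return {"attached": attached, "tail_calls": tail_calls,
            "indirect_only": sorted(reachable - set(attached)),   # run, never attached
            "unreachable": sorted(set(progs) - reachable)}        # loaded, cannot run
```

`indirect_only` is exactly the set an attach-notification scheme would miss; `unreachable` lists programs that are loaded but cannot execute on any path.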