From: Richard Guy Briggs <rgb@redhat.com>
To: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>,
	Alexei Starovoitov <alexei.starovoitov@gmail.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	ast@kernel.org, netdev@vger.kernel.org,
	Jiri Olsa <jolsa@kernel.org>,
	acme@kernel.org, linux-audit@redhat.com
Subject: Re: [PATCH bpf-next] bpf: emit audit messages upon successful prog load and unload
Date: Thu, 18 Oct 2018 15:53:06 -0400	[thread overview]
Message-ID: <20181018195306.td5ijww3lk3knswx@madcap2.tricolour.ca> (raw)
In-Reply-To: <20181007181939.38742d42@redhat.com>

On 2018-10-07 18:19, Jesper Dangaard Brouer wrote:
> On Sat, 6 Oct 2018 00:05:22 +0200
> Jiri Olsa <jolsa@redhat.com> wrote:
> 
> > On Fri, Oct 05, 2018 at 11:44:35AM -0700, Alexei Starovoitov wrote:
> > > On Fri, Oct 05, 2018 at 08:14:09AM +0200, Jiri Olsa wrote:  
> > > > On Thu, Oct 04, 2018 at 03:10:15PM -0700, Alexei Starovoitov wrote:  
> > > > > On Thu, Oct 04, 2018 at 10:22:31PM +0200, Jesper Dangaard Brouer wrote:  
> > > > > > On Thu, 4 Oct 2018 21:41:17 +0200 Daniel Borkmann <daniel@iogearbox.net> wrote:
> > > > > >   
> > > > > > > On 10/04/2018 08:39 PM, Jesper Dangaard Brouer wrote:  
> > > > > > > > On Thu, 4 Oct 2018 10:11:43 -0700 Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:    
> > > > > > > >> On Thu, Oct 04, 2018 at 03:50:38PM +0200, Daniel Borkmann wrote:    
> > > > > > [...]  
> > > > > > > >>
> > > > > > > >> If the purpose of the patch is to give user space visibility into
> > > > > > > >> bpf prog load/unload as a notification, then I completely agree that
> > > > > > > >> some notification mechanism is necessary.    
> > > > > > > 
> > > > > > > Yeah, I did only regard it as only that, nothing more. Some means
> > > > > > > of timeline and notification that can be kept in a record in user
> > > > > > > space and later retrieved e.g. for introspection on what has been
> > > > > > > loaded.
> > > > > > >   
> > > > > > > >> I've started working on such mechanism via perf ring buffer which is
> > > > > > > >> the fastest mechanism we have in the kernel so far.
> > > > > > > >> See long discussion here: https://patchwork.ozlabs.org/patch/971970/    
> > > > 
> [...]
> > > > > > > 
> > > > > > > That one is definitely needed in any case to resolve the kallsyms
> > > > > > > limitations, and it does have overlap in that in either case we
> > > > > > > want to look at past BPF programs that have been unloaded in the
> > > > > > > meantime, so I don't have a strong preference either way, and the
> > > > > > > former is needed in any case. Though thought was that audit might
> > > > > > > be an option for those not running profiling daemons 24/7, but
> > > > > > > presumably bpftool could be extended to record these events as
> > > > > > > well if we don't want to reuse audit infra.  
> > > > > > 
> > > > > > Yes, exactly, I don't want to run a profiling daemon 24/7 to record
> > > > > > these events.  I do acknowledge that this perf event is relevant,
> > > > > > especially for catching the kernel symbols (I need that myself), but it
> > > > > > does not cover my use-case.
> > > > > > 
> > > > > > My use-case is to 24/7 collect and keep records in userspace, and have a
> > > > > > timeline of these notifications, for later retrieval.  The idea is that
> > > > > > our support engineers can look at these records when troubleshooting
> > > > > > the system.  And the plan is also to collect these records as part of
> > > > > > our sosreport tool, which is part of the support case.  
> > > > > 
> > > > > I don't think you're implying that prog load/unload should be spamming dmesg
> > > > > and auditd not even running...  
> > > > 
> > > > I think the problem Jesper implied is that in order to collect
> > > > those logs you'll need perf tool running all the time.. which
> > > > it's not equipped for yet  
> > > 
> > > I'm not proposing to run 'perf' binary all the time.
> > > Setting up perf ring buffer just for these new bpf prog load/unload events
> > > and epolling it is simple enough to do from any application including auditd.
> > > selftests/bpf/ do it for bpf output events.  
> > 
> > ok, did not think about the possibility to teach auditd to talk to perf,
> > time to get that tool evsel/evlist/rb library ready ;-)
> 
> Interesting, I also didn't consider teaching auditd to get its 'bpf'
> events from a separate perf ring-buffer, that might work.  I do wonder
> how the audit people will take this suggestion.

Including the linux-audit list to get userspace audit folks in the
loop...

> Best regards,
>   Jesper Dangaard Brouer
>   MSc.CS, Principal Kernel Engineer at Red Hat
>   LinkedIn: http://www.linkedin.com/in/brouer

- RGB
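The suggestion quoted above is that an application such as auditd can consume these events by setting up its own perf ring buffer and epolling it, without running the perf binary. The following is an added example, not code from this thread, the kernel or the audit userspace, of the consumer-side logic such an application needs once it has mmap'd the perf_event_open fd and been woken by epoll: walk from data_tail to data_head, copy out each record (which may straddle the end of the data area), hand it to a callback, then publish the new tail. The record header mirrors struct perf_event_header; the in-memory ring, the producer helper, the record type DEMO_TYPE_LOAD and the payload layout are constructed stand-ins for the kernel side, since the thread defines no event format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors struct perf_event_header: every record in the perf data area begins
 * with this 8-byte header; size covers header plus payload and is a u16. */
struct rb_hdr { uint32_t type; uint16_t misc; uint16_t size; };

/* Constructed model of the mmap'd perf area: the kernel advances data_head,
 * the consumer advances data_tail, and the data area is a power of two. */
struct perf_rb {
    uint64_t data_head;
    uint64_t data_tail;
    size_t   data_size;
    uint8_t *data;
};

/* Move len bytes between absolute ring position pos and buf, joining the two
 * pieces when the span straddles the end of the data area. */
static void rb_xfer(struct perf_rb *rb, uint64_t pos, void *buf, size_t len, int to_ring)
{
    size_t off = pos & (rb->data_size - 1);
    size_t first = rb->data_size - off < len ? rb->data_size - off : len;
    uint8_t *b = buf;
    if (to_ring) {
        memcpy(rb->data + off, b, first);
        memcpy(rb->data, b + first, len - first);
    } else {
        memcpy(b, rb->data + off, first);
        memcpy(b + first, rb->data, len - first);
    }
}

typedef void (*record_cb)(const struct rb_hdr *hdr, const uint8_t *payload, void *ctx);

/* Consumer side: drain every complete record between data_tail and data_head
 * (what a daemon would do after an epoll wakeup on the perf fd), then publish
 * the new tail so the producer may reuse the space. Returns records drained,
 * or -1 if a header is inconsistent with the published head. */
int perf_rb_drain(struct perf_rb *rb, record_cb cb, void *ctx)
{
    uint64_t head = __atomic_load_n(&rb->data_head, __ATOMIC_ACQUIRE);
    uint64_t tail = rb->data_tail;
    int n = 0;

    while (tail != head) {
        struct rb_hdr hdr;
        uint8_t rec[UINT16_MAX];          /* u16 size bounds any record */

        rb_xfer(rb, tail, &hdr, sizeof hdr, 0);
        if (hdr.size < sizeof hdr || (uint64_t)hdr.size > head - tail)
            return -1;                    /* corrupt or partially written */
        rb_xfer(rb, tail, rec, hdr.size, 0);
        if (cb)
            cb(&hdr, rec + sizeof hdr, ctx);
        tail += hdr.size;
        n++;
    }
    __atomic_store_n(&rb->data_tail, tail, __ATOMIC_RELEASE);
    return n;
}

/* ---- Constructed stand-ins for the kernel side, used by the demo only ---- */

int perf_rb_init(struct perf_rb *rb, size_t size)
{
    if (size == 0 || (size & (size - 1)) != 0 || !(rb->data = calloc(size, 1)))
        return -1;                        /* size must be a power of two */
    rb->data_head = rb->data_tail = 0;
    rb->data_size = size;
    return 0;
}

/* Append header + payload with the size rounded up to 8 bytes; -1 when the
 * consumer has not yet freed enough space. */
int perf_rb_push(struct perf_rb *rb, uint32_t type, const void *payload, uint16_t len)
{
    size_t size = (sizeof(struct rb_hdr) + len + 7) & ~(size_t)7;
    struct rb_hdr hdr = { .type = type, .misc = 0, .size = (uint16_t)size };

    if (size > rb->data_size - (rb->data_head - rb->data_tail))
        return -1;
    rb_xfer(rb, rb->data_head, &hdr, sizeof hdr, 1);
    rb_xfer(rb, rb->data_head + sizeof hdr, (void *)payload, len, 1);
    __atomic_store_n(&rb->data_head, rb->data_head + size, __ATOMIC_RELEASE);
    return 0;
}

#define DEMO_TYPE_LOAD 1000u                              /* constructed type */
struct demo_payload { uint32_t id; char name[8]; };      /* constructed, 12 B */
struct demo_ctx { int count; uint64_t id_sum; };

static void demo_cb(const struct rb_hdr *hdr, const uint8_t *payload, void *ctx)
{
    struct demo_ctx *c = ctx;
    struct demo_payload p;
    if (hdr->type != DEMO_TYPE_LOAD)
        return;
    memcpy(&p, payload, sizeof p);
    c->count++;
    c->id_sum += p.id;
}

/* Push ten 24-byte records through a 128-byte ring (five per fill, so the
 * sixth straddles the end), draining whenever it is full. Returns the number
 * of records the consumer saw (10), or -1 if any was lost or corrupted. */
int demo_wraparound(void)
{
    struct perf_rb rb;
    struct demo_ctx c = { 0, 0 };
    int drained = 0;

    if (perf_rb_init(&rb, 128) < 0)
        return -1;
    for (uint32_t id = 1; id <= 10; id++) {
        struct demo_payload p = { id, "demo" };
        if (perf_rb_push(&rb, DEMO_TYPE_LOAD, &p, sizeof p) < 0) {
            int n = perf_rb_drain(&rb, demo_cb, &c);    /* ring full: consume */
            if (n < 0 || perf_rb_push(&rb, DEMO_TYPE_LOAD, &p, sizeof p) < 0) {
                free(rb.data);
                return -1;
            }
            drained += n;
        }
    }
    drained += perf_rb_drain(&rb, demo_cb, &c);
    free(rb.data);
    return (c.count == drained && c.id_sum == 55) ? drained : -1;
}

int main(void)
{
    printf("records consumed across wraparound: %d\n", demo_wraparound());
    return 0;
}
```

In a real consumer the perf_rb fields come from the control page and data area mapped from the perf_event_open fd, and perf_rb_drain runs after each epoll wakeup; the acquire load of data_head and release store of data_tail are the ordering the kernel's mmap protocol requires, and the header check against the published head is what keeps a malformed or partially written record from walking the consumer off the ring.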


Thread overview: 16+ messages
2018-10-04 13:50 [PATCH bpf-next] bpf: emit audit messages upon successful prog load and unload Daniel Borkmann
2018-10-04 17:11 ` Alexei Starovoitov
2018-10-04 18:39   ` Jesper Dangaard Brouer
2018-10-04 19:41     ` Daniel Borkmann
2018-10-04 20:22       ` Jesper Dangaard Brouer
2018-10-04 22:10         ` Alexei Starovoitov
2018-10-05  6:14           ` Jiri Olsa
2018-10-05 18:44             ` Alexei Starovoitov
2018-10-05 19:42               ` Arnaldo Carvalho de Melo
2018-10-05 20:26                 ` Alexei Starovoitov
2018-10-05 22:05               ` Jiri Olsa
2018-10-07 16:19                 ` Jesper Dangaard Brouer
2018-10-18 19:53                   ` Richard Guy Briggs [this message]
2018-10-18 22:09                     ` Steve Grubb
2018-10-08 11:57           ` Jiri Olsa
2018-10-10 19:53             ` Alexei Starovoitov
