From: Paul Moore <paul@paul-moore.com>
To: Jiri Olsa <jolsa@redhat.com>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
linux-audit@redhat.com, Jiri Olsa <jolsa@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Network Development <netdev@vger.kernel.org>,
bpf <bpf@vger.kernel.org>, Andrii Nakryiko <andriin@fb.com>,
Yonghong Song <yhs@fb.com>, Martin KaFai Lau <kafai@fb.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Steve Grubb <sgrubb@redhat.com>, David Miller <davem@redhat.com>,
Eric Paris <eparis@redhat.com>, Jiri Benc <jbenc@redhat.com>
Subject: Re: [PATCH] bpf: emit audit messages upon successful prog load and unload
Date: Fri, 22 Nov 2019 16:19:55 -0500 [thread overview]
Message-ID: <CAHC9VhRi0JtKgHyAOdAJ=_--vL1VbK7BDq1FnRQ_GwW9P4J_zA@mail.gmail.com> (raw)
In-Reply-To: <20191122192353.GA2157@krava>
On Fri, Nov 22, 2019 at 2:24 PM Jiri Olsa <jolsa@redhat.com> wrote:
> Paul,
> would following output be ok:
>
> type=SYSCALL msg=audit(1574445211.897:28015): arch=c000003e syscall=321 success=no exit=-13 a0=5 a1=7fff09ac6c60 a2=78 a3=6 items=0 ppid=1408 pid=9266 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="test_verifier" exe="/home/jolsa/linux/tools/testing/selftests/bpf/test_verifier" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=bpf AUID="jolsa" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
> type=PROCTITLE msg=audit(1574445211.897:28015): proctitle="./test_verifier"
> type=BPF msg=audit(1574445211.897:28016): prog-id=8103 event=LOAD
>
> type=SYSCALL msg=audit(1574445211.897:28016): arch=c000003e syscall=321 success=yes exit=14 a0=5 a1=7fff09ac6b80 a2=78 a3=0 items=0 ppid=1408 pid=9266 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="test_verifier" exe="/home/jolsa/linux/tools/testing/selftests/bpf/test_verifier" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=bpf AUID="jolsa" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
> type=PROCTITLE msg=audit(1574445211.897:28016): proctitle="./test_verifier"
> type=BPF msg=audit(1574445211.897:28017): prog-id=8103 event=UNLOAD
There is some precedence in using "op=" instead of "event=" (an audit
"event" is already a thing, using "event=" here might get confusing).
I suppose if we are getting really nit-picky you might want to
lower-case the LOAD/UNLOAD, but generally Steve cares more about these
things than I do.
For reference, we have a searchable database of fields here:
* https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv
> I assume for audit-userspace and audit-testsuite the change will
> go in as github PR, right? I have the auditd change ready and will
> add test shortly.
You can submit the audit-testsuite either as a GH PR or as a
patch(set) to the linux-audit mailing list, both work equally well. I
believe has the same policy for his userspace tools, but I'll let him
speak for himself.
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 18925d924c73..c69d2776d197 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -358,8 +358,6 @@ static inline void audit_ptrace(struct task_struct *t)
> __audit_ptrace(t);
> }
>
> -extern void audit_log_task(struct audit_buffer *ab);
> -
> /* Private API (for audit.c only) */
> extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
> @@ -648,8 +646,6 @@ static inline void audit_ntp_log(const struct audit_ntp_data *ad)
> static inline void audit_ptrace(struct task_struct *t)
> { }
>
> -static inline void audit_log_task(struct audit_buffer *ab)
> -{ }
> #define audit_n_rules 0
> #define audit_signals 0
> #endif /* CONFIG_AUDITSYSCALL */
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 9bf1045fedfa..4effe01ebbe2 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2545,7 +2545,7 @@ void __audit_ntp_log(const struct audit_ntp_data *ad)
> audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST);
> }
>
> -void audit_log_task(struct audit_buffer *ab)
> +static void audit_log_task(struct audit_buffer *ab)
I'm slightly concerned that this is based on top of your other patch
which was NACK'ed. I might not have been clear before, but with the
merge window set to open in a few days, and this change affecting the
kernel interface (uapi, etc.) and lacking a test, this isn't something
that I see as a candidate for the upcoming merge window. *Please*
revert your original patch first; if you think I'm cranky now I can
promise I'll be a lot more cranky if I see the original patch in -rc1
;)
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index b51ecb9644d0..e3a7fa4d7a82 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -1334,7 +1334,6 @@ static const char * const bpf_event_audit_str[] = {
>
> static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_event event)
> {
> - bool has_task_context = event == BPF_EVENT_LOAD;
> struct audit_buffer *ab;
>
> if (audit_enabled == AUDIT_OFF)
> @@ -1342,10 +1341,7 @@ static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_event event)
> ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
> if (unlikely(!ab))
> return;
> - if (has_task_context)
> - audit_log_task(ab);
> - audit_log_format(ab, "%sprog-id=%u event=%s",
> - has_task_context ? " " : "",
> + audit_log_format(ab, "prog-id=%u event=%s",
> prog->aux->id, bpf_event_audit_str[event]);
Other than the "op" instead of "event", this looks reasonable to me.
I would give Steve a chance to comment on it from the userspace side
of things.
> audit_log_end(ab);
> }
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2019-11-22 21:20 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-20 21:38 [PATCH] bpf: emit audit messages upon successful prog load and unload Jiri Olsa
2019-11-20 21:46 ` Daniel Borkmann
2019-11-20 21:48 ` Alexei Starovoitov
2019-11-21 23:41 ` Paul Moore
2019-11-22 0:22 ` Alexei Starovoitov
2019-11-22 0:36 ` Paul Moore
2019-11-22 19:23 ` Jiri Olsa
2019-11-22 21:19 ` Paul Moore [this message]
2019-11-23 8:57 ` Jiri Olsa
2019-11-23 18:03 ` Jakub Kicinski
2019-11-24 22:38 ` Jiri Olsa
2019-11-25 18:38 ` Steve Grubb
2019-11-25 18:38 ` Steve Grubb
2019-11-22 0:25 ` Daniel Borkmann
2019-11-22 0:42 ` Paul Moore
2019-11-22 9:32 ` Jiri Olsa
2019-11-22 9:35 ` Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhRi0JtKgHyAOdAJ=_--vL1VbK7BDq1FnRQ_GwW9P4J_zA@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@redhat.com \
--cc=eparis@redhat.com \
--cc=jakub.kicinski@netronome.com \
--cc=jbenc@redhat.com \
--cc=jolsa@kernel.org \
--cc=jolsa@redhat.com \
--cc=kafai@fb.com \
--cc=linux-audit@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=sgrubb@redhat.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.