| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Dec 2019 00:19:51 +0100
From: Daniel Borkmann <daniel@...earbox.net>
To: Paul Moore <paul@...l-moore.com>
Cc: Jiri Olsa <jolsa@...nel.org>, Alexei Starovoitov <ast@...nel.org>,
netdev@...r.kernel.org, bpf@...r.kernel.org,
linux-audit@...hat.com, Andrii Nakryiko <andriin@...com>,
Yonghong Song <yhs@...com>, Martin KaFai Lau <kafai@...com>,
Jakub Kicinski <jakub.kicinski@...ronome.com>,
Steve Grubb <sgrubb@...hat.com>,
David Miller <davem@...hat.com>,
Eric Paris <eparis@...hat.com>, Jiri Benc <jbenc@...hat.com>
Subject: Re: [PATCHv3] bpf: Emit audit messages upon successful prog load and
unload
On 12/9/19 3:56 PM, Paul Moore wrote:
> On Mon, Dec 9, 2019 at 7:15 AM Daniel Borkmann <daniel@...earbox.net> wrote:
>> On Fri, Dec 06, 2019 at 10:49:34PM +0100, Jiri Olsa wrote:
>>> From: Daniel Borkmann <daniel@...earbox.net>
>>>
>>> Allow for audit messages to be emitted upon BPF program load and
>>> unload for having a timeline of events. The load itself is in
>>> syscall context, so additional info about the process initiating
>>> the BPF prog creation can be logged and later directly correlated
>>> to the unload event.
>>>
>>> The only info really needed from BPF side is the globally unique
>>> prog ID where then audit user space tooling can query / dump all
>>> info needed about the specific BPF program right upon load event
>>> and enrich the record, thus these changes needed here can be kept
>>> small and non-intrusive to the core.
>>>
>>> Raw example output:
>>>
>>> # auditctl -D
>>> # auditctl -a always,exit -F arch=x86_64 -S bpf
>>> # ausearch --start recent -m 1334
>>> ...
>>> ----
>>> time->Wed Nov 27 16:04:13 2019
>>> type=PROCTITLE msg=audit(1574867053.120:84664): proctitle="./bpf"
>>> type=SYSCALL msg=audit(1574867053.120:84664): arch=c000003e syscall=321 \
>>> success=yes exit=3 a0=5 a1=7ffea484fbe0 a2=70 a3=0 items=0 ppid=7477 \
>>> pid=12698 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 \
>>> egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=4 comm="bpf" \
>>> exe="/home/jolsa/auditd/audit-testsuite/tests/bpf/bpf" \
>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>>> type=UNKNOWN[1334] msg=audit(1574867053.120:84664): prog-id=76 op=LOAD
>>> ----
>>> time->Wed Nov 27 16:04:13 2019
>>> type=UNKNOWN[1334] msg=audit(1574867053.120:84665): prog-id=76 op=UNLOAD
>>> ...
>>>
>>> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
>>> Co-developed-by: Jiri Olsa <jolsa@...nel.org>
>>> Signed-off-by: Jiri Olsa <jolsa@...nel.org>
>>
>> Paul, Steve, given the merge window is closed by now, does this version look
>> okay to you for proceeding to merge into bpf-next?
>
> Given the change to audit UAPI I was hoping to merge this via the
> audit/next tree, is that okay with you?
Hm, my main concern is that given all the main changes are in BPF core and
usually the BPF subsystem has plenty of changes per release coming in that we'd
end up generating unnecessary merge conflicts. Given the include/uapi/linux/audit.h
UAPI diff is a one-line change, my preference would be to merge via bpf-next with
your ACK or SOB added. Does that work for you as well as?
Thanks,
Daniel
Powered by blists - more mailing lists