| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 9 Dec 2019 18:53:23 -0500
From: Paul Moore <paul@...l-moore.com>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: Jiri Olsa <jolsa@...nel.org>, Alexei Starovoitov <ast@...nel.org>,
netdev@...r.kernel.org, bpf@...r.kernel.org,
linux-audit@...hat.com, Andrii Nakryiko <andriin@...com>,
Yonghong Song <yhs@...com>, Martin KaFai Lau <kafai@...com>,
Jakub Kicinski <jakub.kicinski@...ronome.com>,
Steve Grubb <sgrubb@...hat.com>,
David Miller <davem@...hat.com>,
Eric Paris <eparis@...hat.com>, Jiri Benc <jbenc@...hat.com>
Subject: Re: [PATCHv3] bpf: Emit audit messages upon successful prog load and unload
On Mon, Dec 9, 2019 at 6:19 PM Daniel Borkmann <daniel@...earbox.net> wrote:
> On 12/9/19 3:56 PM, Paul Moore wrote:
> > On Mon, Dec 9, 2019 at 7:15 AM Daniel Borkmann <daniel@...earbox.net> wrote:
> >> On Fri, Dec 06, 2019 at 10:49:34PM +0100, Jiri Olsa wrote:
> >>> From: Daniel Borkmann <daniel@...earbox.net>
> >>>
> >>> Allow for audit messages to be emitted upon BPF program load and
> >>> unload for having a timeline of events. The load itself is in
> >>> syscall context, so additional info about the process initiating
> >>> the BPF prog creation can be logged and later directly correlated
> >>> to the unload event.
> >>>
> >>> The only info really needed from BPF side is the globally unique
> >>> prog ID where then audit user space tooling can query / dump all
> >>> info needed about the specific BPF program right upon load event
> >>> and enrich the record, thus these changes needed here can be kept
> >>> small and non-intrusive to the core.
> >>>
> >>> Raw example output:
> >>>
> >>> # auditctl -D
> >>> # auditctl -a always,exit -F arch=x86_64 -S bpf
> >>> # ausearch --start recent -m 1334
> >>> ...
> >>> ----
> >>> time->Wed Nov 27 16:04:13 2019
> >>> type=PROCTITLE msg=audit(1574867053.120:84664): proctitle="./bpf"
> >>> type=SYSCALL msg=audit(1574867053.120:84664): arch=c000003e syscall=321 \
> >>> success=yes exit=3 a0=5 a1=7ffea484fbe0 a2=70 a3=0 items=0 ppid=7477 \
> >>> pid=12698 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 \
> >>> egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=4 comm="bpf" \
> >>> exe="/home/jolsa/auditd/audit-testsuite/tests/bpf/bpf" \
> >>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >>> type=UNKNOWN[1334] msg=audit(1574867053.120:84664): prog-id=76 op=LOAD
> >>> ----
> >>> time->Wed Nov 27 16:04:13 2019
> >>> type=UNKNOWN[1334] msg=audit(1574867053.120:84665): prog-id=76 op=UNLOAD
> >>> ...
> >>>
> >>> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> >>> Co-developed-by: Jiri Olsa <jolsa@...nel.org>
> >>> Signed-off-by: Jiri Olsa <jolsa@...nel.org>
> >>
> >> Paul, Steve, given the merge window is closed by now, does this version look
> >> okay to you for proceeding to merge into bpf-next?
> >
> > Given the change to audit UAPI I was hoping to merge this via the
> > audit/next tree, is that okay with you?
>
> Hm, my main concern is that given all the main changes are in BPF core and
> usually the BPF subsystem has plenty of changes per release coming in that we'd
> end up generating unnecessary merge conflicts. Given the include/uapi/linux/audit.h
> UAPI diff is a one-line change, my preference would be to merge via bpf-next with
> your ACK or SOB added. Does that work for you as well as?
I regularly (a few times a week) run the audit and SELinux tests
against Linus+audit/next+selinux/next to make sure things are working
as expected and that some other subsystem has introduced a change
which has broken something. If you are willing to ensure the tests
get run, including your new BPF audit tests I would be okay with that;
is that acceptable?
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists