On Mon, Dec 02, 2019 at 06:00:14PM -0500, Paul Moore wrote:
SNIP
> > +
> > +static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_audit op)
> > +{
> > + struct audit_buffer *ab;
> > +
> > + if (audit_enabled == AUDIT_OFF)
> > + return;
>
> I think you would probably also want to check the results of
> audit_dummy_context() here as well, see all the various audit_XXX()
> functions in include/linux/audit.h as an example. You'll see a
> pattern similar to the following:
>
> static inline void audit_foo(...)
> {
> if (unlikely(!audit_dummy_context()))
> __audit_foo(...)
> }
>
> > + ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
> > + if (unlikely(!ab))
> > + return;
> > + audit_log_format(ab, "prog-id=%u op=%s",
> > + prog->aux->id, bpf_audit_str[op]);
>
> Is it worth putting some checks in here to make sure that you don't
> blow past the end of the bpf_audit_str array?
forgot answer this one.. there are only 2 callers:
bpf_audit_prog(prog, BPF_AUDIT_UNLOAD);
bpf_audit_prog(prog, BPF_AUDIT_LOAD);
that's not going to change any time soon,
so I dont think we don't need such check
jirka
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
