hi,
I posted initial change that allows auditd to log BPF program
load/unload events, it's in here:
https://github.com/linux-audit/audit-userspace/pull/104
We tried to push pure AUDIT interface for BPF program notification,
but it was denied, the discussion is in here:
https://marc.info/?t=153
On Mon, Aug 12, 2019 at 09:49:43AM -0400, Steve Grubb wrote:
> On Monday, August 12, 2019 3:59:22 AM EDT Jiri Olsa wrote:
> > On Fri, Aug 09, 2019 at 01:45:21PM -0400, Steve Grubb wrote:
> > > Hello,
> > >
> > > On Friday, August 9, 2019 10:18:31 AM EDT Jiri
On Fri, Aug 09, 2019 at 01:45:21PM -0400, Steve Grubb wrote:
> Hello,
>
> On Friday, August 9, 2019 10:18:31 AM EDT Jiri Olsa wrote:
> > I posted initial change that allows auditd to log BPF program
> > load/unload events, it's in here:
> > https://github.com/
Olsa wrote:
> On Mon, Aug 12, 2019 at 09:49:43AM -0400, Steve Grubb wrote:
> > On Monday, August 12, 2019 3:59:22 AM EDT Jiri Olsa wrote:
> > > On Fri, Aug 09, 2019 at 01:45:21PM -0400, Steve Grubb wrote:
> > > > Hello,
> > > >
> > > > On
cc-ing Petr Matousek
jirka
On Wed, Aug 14, 2019 at 09:33:34AM +0200, Jiri Olsa wrote:
> hi,
> Adding Vlad Dronov to the loop, because he asked
> about this functionality some time ago.
>
> Vlad, the full thread can be found in here:
> https://www.redhat.com/archives/linux
e audit support
> for bpf programs loading/unloading a requirement for full support of
> eBPF (as opposed to tech preview)?
>
> Thanks,
>
> Jiri
>
> On Tue, 20 Aug 2019 15:54:53 +0200, Jiri Olsa wrote:
> > cc-ing Petr Matousek
> >
> > jirka
> >
On Thu, Nov 21, 2019 at 06:41:31PM -0500, Paul Moore wrote:
> On Wed, Nov 20, 2019 at 4:49 PM Alexei Starovoitov
> wrote:
> > On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann
> > wrote:
> > > On 11/20/19 10:38 PM, Jiri Olsa wrote:
> > > > From: Daniel Bo
On Thu, Nov 21, 2019 at 06:41:31PM -0500, Paul Moore wrote:
SNIP
> a common requirement for new audit functionality (link below). I'm
> also fairly certain we don't want this new BPF record to look like how
> you've coded it up in bpf_audit_prog(); duplicating the fields with
> audit_log_task()
> > On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann
> > > > wrote:
> > > > > On 11/20/19 10:38 PM, Jiri Olsa wrote:
> > > > > > From: Daniel Borkmann
> > > > > >
> > > > > > Allow for audit messages to be emit
On Fri, Nov 22, 2019 at 04:19:55PM -0500, Paul Moore wrote:
> On Fri, Nov 22, 2019 at 2:24 PM Jiri Olsa wrote:
> > Paul,
> > would following output be ok:
> >
> > type=SYSCALL msg=audit(1574445211.897:28015): arch=c03e syscall=321
> > success=no exit=-1
On Sat, Nov 23, 2019 at 10:03:40AM -0800, Jakub Kicinski wrote:
> On Sat, 23 Nov 2019 09:57:19 +0100, Jiri Olsa wrote:
> > Alexei already asked Dave to revert this in previous email,
> > so that should happen
>
> Reverted in net-next now.
>
> But this is not reall
053.120:84665): prog-id=76 op=UNLOAD
...
Signed-off-by: Daniel Borkmann
Co-developed-by: Jiri Olsa
Signed-off-by: Jiri Olsa
---
include/uapi/linux/audit.h | 1 +
kernel/bpf/syscall.c | 27 +++
2 files changed, 28 insertions(+)
diff --git a/include/uapi/linux/audit.
On Thu, Nov 28, 2019 at 10:16:32AM +0100, Jiri Olsa wrote:
> From: Daniel Borkmann
>
> Allow for audit messages to be emitted upon BPF program load and
> unload for having a timeline of events. The load itself is in
> syscall context, so additional info about the process initi
On Mon, Dec 02, 2019 at 06:00:14PM -0500, Paul Moore wrote:
> On Thu, Nov 28, 2019 at 4:16 AM Jiri Olsa wrote:
> > From: Daniel Borkmann
> >
> > Allow for audit messages to be emitted upon BPF program load and
> > unload for having a timeline of events. The load itsel
On Mon, Dec 02, 2019 at 11:57:22PM -0500, Steve Grubb wrote:
> On Monday, December 2, 2019 6:00:14 PM EST Paul Moore wrote:
> > On Thu, Nov 28, 2019 at 4:16 AM Jiri Olsa wrote:
> > > From: Daniel Borkmann
> > >
> > > Allow for audit messages to be emitted up
On Mon, Dec 02, 2019 at 06:00:14PM -0500, Paul Moore wrote:
SNIP
> > +
> > +static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_audit op)
> > +{
> > + struct audit_buffer *ab;
> > +
> > + if (audit_enabled == AUDIT_OFF)
> > + return;
>
> I think you would p
On Wed, Dec 04, 2019 at 09:38:10AM -0500, Paul Moore wrote:
SNIP
> > +
> > +static const char * const bpf_audit_str[] = {
> > + [BPF_AUDIT_LOAD] = "LOAD",
> > + [BPF_AUDIT_UNLOAD] = "UNLOAD",
> > +};
> > +
> > +static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_audit o
On Tue, Dec 03, 2019 at 09:53:16PM -0500, Paul Moore wrote:
SNIP
> > >
> > > static inline void audit_foo(...)
> > > {
> > > if (unlikely(!audit_dummy_context()))
> > > __audit_foo(...)
> > > }
> >
> > bpf_audit_prog might be called outside of syscall context for UNLOAD event,
> > so that w
053.120:84665): prog-id=76 op=UNLOAD
...
Signed-off-by: Daniel Borkmann
Co-developed-by: Jiri Olsa
Signed-off-by: Jiri Olsa
---
include/uapi/linux/audit.h | 1 +
kernel/bpf/syscall.c | 33 +
2 files changed, 34 insertions(+)
v2 changes:
addressed Paul'
On Fri, Dec 06, 2019 at 04:11:13PM -0500, Paul Moore wrote:
SNIP
> >
> > #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY
> > || \
> > @@ -1306,6 +1307,36 @@ static int find_prog_type(enum bpf_prog_type type,
> > struct bpf_prog *prog)
> > return 0;
> > }
> >
053.120:84665): prog-id=76 op=UNLOAD
...
Signed-off-by: Daniel Borkmann
Co-developed-by: Jiri Olsa
Signed-off-by: Jiri Olsa
---
include/uapi/linux/audit.h | 1 +
kernel/bpf/syscall.c | 33 +
2 files changed, 34 insertions(+)
diff --git a/include/uapi/linux/
On Mon, Dec 09, 2019 at 06:53:23PM -0500, Paul Moore wrote:
> On Mon, Dec 9, 2019 at 6:19 PM Daniel Borkmann wrote:
> > On 12/9/19 3:56 PM, Paul Moore wrote:
> > > On Mon, Dec 9, 2019 at 7:15 AM Daniel Borkmann
> > > wrote:
> > >> On Fri, Dec 06, 20
On Wed, Dec 11, 2019 at 11:21:33AM -0500, Paul Moore wrote:
> On Wed, Dec 11, 2019 at 8:20 AM Daniel Borkmann wrote:
> > On Tue, Dec 10, 2019 at 05:45:59PM -0500, Paul Moore wrote:
> > > On Tue, Dec 10, 2019 at 10:37 AM Jiri Olsa wrote:
> > > > On Mon, Dec 09,
On Thu, Dec 22, 2022 at 02:03:41PM -0500, Paul Moore wrote:
> On Thu, Dec 22, 2022 at 12:19 PM wrote:
> > On 12/21, Paul Moore wrote:
> > > When changing the ebpf program put() routines to support being called
> > > from within IRQ context the program ID was reset to zero prior to
> > > generating
On Fri, Dec 23, 2022 at 10:58:37AM -0500, Paul Moore wrote:
> On Fri, Dec 23, 2022 at 10:37 AM Paul Moore wrote:
> > On Thu, Dec 22, 2022 at 6:20 PM Jiri Olsa wrote:
> > > On Thu, Dec 22, 2022 at 02:03:41PM -0500, Paul Moore wrote:
> > > > On Thu, Dec 22, 2022 at 12
On Fri, Dec 23, 2022 at 01:55:31PM -0500, Paul Moore wrote:
SNIP
> diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
> index 50854265864d..2795f03f5f34 100644
> --- a/drivers/net/netdevsim/bpf.c
> +++ b/drivers/net/netdevsim/bpf.c
> @@ -109,7 +109,7 @@ nsim_bpf_offload(struct
org
> Fixes: d809e134be7a ("bpf: Prepare bpf_prog_put() to be called from irq
> context.")
> Reported-by: Burn Alting
> Reported-by: Jiri Olsa
> Suggested-by: Stanislav Fomichev
> Suggested-by: Alexei Starovoitov
> Signed-off-by: Paul Moore
>
> ---
27 matches
Mail list logo
