Re: [PATCH] bpf: emit audit messages upon successful prog load and unload

On Wed, Nov 20, 2019 at 4:49 PM Alexei Starovoitov <alexei.starovoitov(a)gmail.com&gt; wrote: > On Wed, Nov 20, 2019 at 1:46 PM Daniel Borkmann <daniel(a)iogearbox.net&gt; wrote: >> On 11/20/19 10:38 PM, Jiri Olsa wrote: >>> From: Daniel Borkmann <daniel(a)iogearbox.net&gt; >>> >>> Allow for audit messages to be emitted upon BPF program load and >>> unload for having a timeline of events. The load itself is in >>> syscall context, so additional info about the process initiating >>> the BPF prog creation can be logged and later directly correlated >>> to the unload event. >>> >>> The only info really needed from BPF side is the globally unique >>> prog ID where then audit user space tooling can query / dump all >>> info needed about the specific BPF program right upon load event >>> and enrich the record, thus these changes needed here can be kept >>> small and non-intrusive to the core. >>> >>> Raw example output: >>> >>> # auditctl -D >>> # auditctl -a always,exit -F arch=x86_64 -S bpf >>> # ausearch --start recent -m 1334 >>> [...] >>> ---- >>> time->Wed Nov 20 12:45:51 2019 >>> type=PROCTITLE msg=audit(1574271951.590:8974): proctitle="./test_verifier" >>> type=SYSCALL msg=audit(1574271951.590:8974): arch=c000003e syscall=321 success=yes exit=14 a0=5 a1=7ffe2d923e80 a2=78 a3=0 items=0 ppid=742 pid=949 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="test_verifier" exe="/root/bpf-next/tools/testing/selftests/bpf/test_verifier" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) >>> type=UNKNOWN[1334] msg=audit(1574271951.590:8974): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=949 comm="test_verifier" exe="/root/bpf-next/tools/testing/selftests/bpf/test_verifier" prog-id=3260 event=LOAD >>> ---- >>> time->Wed Nov 20 12:45:51 2019 >>> type=UNKNOWN[1334] msg=audit(1574271951.590:8975): prog-id=3260 event=UNLOAD >>> ---- >>> [...] >>> >>> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net&gt; >>> Signed-off-by: Jiri Olsa <jolsa(a)kernel.org&gt; >> >> LGTM, thanks for the rebase! > > Applied to bpf-next. Thanks! [NOTE: added linux-audit to the To/CC line] Wait a minute, why was the linux-audit list not CC'd on this? Why are you merging a patch into -next that adds to the uapi definition *and* creates a new audit record while we are at -rc8? Aside from that I'm concerned that you are relying on audit userspace changes that might not be okay; I see the PR below, but I don't see any comment on it from Steve (it is his audit userspace). I also don't see a corresponding test added to the audit-testsuite, which is a common requirement for new audit functionality (link below). I'm also fairly certain we don't want this new BPF record to look like how you've coded it up in bpf_audit_prog(); duplicating the fields with audit_log_task() is wrong, you've either already got them via an associated record (which you get from passing non-NULL as the first parameter to audit_log_start()), or you don't because there is no associated syscall/task (which you get from passing NULL as the first parameter). Please revert, un-merge, etc. this patch from bpf-next; it should not go into Linus' tree as written.

Audit userspace PR: * https://github.com/linux-audit/audit-userspace/pull/104 Audit test suite: * https://github.com/linux-audit/audit-testsuite Audit folks, here is a link to the thread in the archives: * https://lore.kernel.org/bpf/20191120213816.8186-1-jolsa@kernel.org/T/#u