On Fri, Dec 15, 2023 at 1:00 PM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > On Fri, Dec 15, 2023 at 9:47 AM Dave Tucker <dave@xxxxxxxxxxxxx> wrote: > > > > Current output from auditd is as follows: > > > > time->Wed Dec 13 21:39:24 2023 > > type=BPF msg=audit(1702503564.519:11241): prog-id=439 op=LOAD > > > > This only tells you that a BPF program was loaded, but without > > any context. If we include the prog-name, pid, uid and comm we get > > output as follows: > > > > time->Wed Dec 13 21:59:59 2023 > > type=BPF msg=audit(1702504799.156:99528): op=UNLOAD prog-id=50092 > > prog-name="test" pid=27279 uid=0 comm="new_name" > > > > With pid, uid a system administrator has much better context > > over which processes and user loaded which eBPF programs. > > comm is useful since processes may be short-lived. > > > > Signed-off-by: Dave Tucker <dave@xxxxxxxxxxxxx> Assuming you have audit configured to not disable syscall auditing (most distros disable it by default[1]), you should see a SYSCALL audit record associated with the bpf(BPF_PROG_LOAD) call. Below is a quick example taken from a Fedora Rawhide test system: type=PROCTITLE msg=audit(12/19/2023 13:44:22.917:1976) : proctitle=(systemd) type=SYSCALL msg=audit(12/19/2023 13:44:22.917:1976) : arch=x86_64 syscall=bpf success=yes exit=11 a0=BPF_PROG_LOAD a1=0x7ffd6c818190 a2=0x90 a3=0x13 items=0 ppid=1 pid=29898 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=systemd exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=BPF msg=audit(12/19/2023 13:44:22.917:1976) : prog-id=128 op=LOAD You will notice that the full user credentials and process information, e.g. PID, are captured in the SYSCALL record. Admittedly, we are missing the BPF program name, which I think could be a reasonable addition to the BPF record, but I don't want to see us duplicate information from the SYSCALL record in the BPF record unless we have a situation where we are loading BPF programs outside a user syscall event. [1] https://github.com/linux-audit/audit-documentation/wiki/HOWTO-Fedora-Enable-Auditing > > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > > index 06320d9abf33..86600ca1f106 100644 > > --- a/kernel/bpf/syscall.c > > +++ b/kernel/bpf/syscall.c > > @@ -35,6 +35,7 @@ > > #include <linux/rcupdate_trace.h> > > #include <linux/memcontrol.h> > > #include <linux/trace_events.h> > > +#include <linux/uidgid.h> > > > > #include <net/netfilter/nf_bpf_link.h> > > #include <net/netkit.h> > > @@ -2110,6 +2111,8 @@ static void bpf_audit_prog(const struct bpf_prog *prog, unsigned int op) > > { > > struct audit_context *ctx = NULL; > > struct audit_buffer *ab; > > + const struct cred *cred; > > + char comm[sizeof(current->comm)]; > > > > if (WARN_ON_ONCE(op >= BPF_AUDIT_MAX)) > > return; > > @@ -2120,8 +2123,22 @@ static void bpf_audit_prog(const struct bpf_prog *prog, unsigned int op) > > ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_BPF); > > if (unlikely(!ab)) > > return; > > - audit_log_format(ab, "prog-id=%u op=%s", > > - prog->aux->id, bpf_audit_str[op]); > > + > > + audit_log_format(ab, "op=%s prog-id=%u", > > + bpf_audit_str[op], prog->aux->id); > > + audit_log_format(ab, " prog-name="); > > + audit_log_untrustedstring(ab, prog->aux->name ?: "(none)"); > > + > > + if (current->mm) { > > + cred = current_cred(); > > Is this how you're trying to detect whether it's running > out of workqueue? > You probably need: > if (!current->mm || (current->flags & PF_KTHREAD)) > > But even with that it looks wrong, since > BPF_AUDIT_UNLOAD message will be _randomly_ unbalanced > with LOAD message. > Last __bpf_prog_put() can happen in either context. > > You also need to cc Paul. > He needs to ack it before we can take it. > As it stands I think this change makes the audit worse. Thanks Alexei. Yes, please send any audit related patches to the audit mailing list. It's listed in MAINTAINERS, but I've also added it to the CC line above. -- paul-moore.com
