On Wed, Nov 20, 2019 at 01:14:40PM -0800, Alexei Starovoitov wrote:
> On Wed, Nov 20, 2019 at 03:38:10PM +0100, Jiri Olsa wrote:
> >
> > The only info really needed from BPF side is the globally unique
> > prog ID where then audit user space tooling can query / dump all
> > info needed about the specific BPF program right upon load event
> > and enrich the record, thus these changes needed here can be kept
> > small and non-intrusive to the core.
>
> ...
>
> > +static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_event event)
> > +{
> > + bool has_task_context = event == BPF_EVENT_LOAD;
> > + struct audit_buffer *ab;
> > +
> > + if (audit_enabled == AUDIT_OFF)
> > + return;
> > + ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);
> > + if (unlikely(!ab))
> > + return;
> > + if (has_task_context)
> > + audit_log_task(ab);
> > + audit_log_format(ab, "%sprog-id=%u event=%s",
> > + has_task_context ? " " : "",
> > + prog->aux->id, bpf_event_audit_str[event]);
> > + audit_log_end(ab);
>
> Single prog ID is enough for perf_event based framework to track everything
> about the programs and should be enough for audit.
> Could you please resend as proper patch with explicit 'From:' ?
> Since I'm not sure what is the proper authorship of the patch.. Daniel's or yours.
it's Daniel's I'll resend
jirka
