On Wed, Jun 21, 2023 at 5:01 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
>
> We are utilizing BPF LSM to monitor BPF operations within our container
> environment. Our goal is to examine the program type and perform the
> respective audits in our LSM program.
>
> When it comes to the perf_event BPF program, there are no specific
> definitions for the perf types of kprobe or uprobe. In other words, there
> is no PERF_TYPE_[UK]PROBE. It appears that defining them as UAPI at this
> stage would be impractical.
and yet that's what your patch does.
New helpers are uapi too.
So no-go.
Just do in your filtering bpf prog:
is_kprobe = event->tp_event->flags & TRACE_EVENT_FL_KPROBE;
is_uprobe = event->tp_event->flags & TRACE_EVENT_FL_UPROBE;
when it's checking perf_ioctl.
