On Fri, Jun 23, 2023 at 7:37 AM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote:
>
> On Wed, Jun 21, 2023 at 5:01 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
> >
> > We are utilizing BPF LSM to monitor BPF operations within our container
> > environment. Our goal is to examine the program type and perform the
> > respective audits in our LSM program.
> >
> > When it comes to the perf_event BPF program, there are no specific
> > definitions for the perf types of kprobe or uprobe. In other words, there
> > is no PERF_TYPE_[UK]PROBE. It appears that defining them as UAPI at this
> > stage would be impractical.
>
> and yet that's what your patch does.
> New helpers are uapi too.
> So no-go.
>
> Just do in your filtering bpf prog:
> is_kprobe = event->tp_event->flags & TRACE_EVENT_FL_KPROBE;
> is_uprobe = event->tp_event->flags & TRACE_EVENT_FL_UPROBE;
> when it's checking perf_ioctl.

Right. We can hook security_perf_event_write.
Thanks for your suggestion.

--
Regards
Yafang