On Fri, Nov 22, 2019 at 2:24 PM Jiri Olsa <jo...@redhat.com> wrote: > Paul, > would following output be ok: > > type=SYSCALL msg=audit(1574445211.897:28015): arch=c000003e syscall=321 > success=no exit=-13 a0=5 a1=7fff09ac6c60 a2=78 a3=6 items=0 ppid=1408 > pid=9266 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > tty=pts0 ses=1 comm="test_verifier" > exe="/home/jolsa/linux/tools/testing/selftests/bpf/test_verifier" > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > key=(null)ARCH=x86_64 SYSCALL=bpf AUID="jolsa" UID="root" GID="root" > EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" > type=PROCTITLE msg=audit(1574445211.897:28015): > proctitle="./test_verifier" > type=BPF msg=audit(1574445211.897:28016): prog-id=8103 event=LOAD > > type=SYSCALL msg=audit(1574445211.897:28016): arch=c000003e syscall=321 > success=yes exit=14 a0=5 a1=7fff09ac6b80 a2=78 a3=0 items=0 ppid=1408 > pid=9266 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > tty=pts0 ses=1 comm="test_verifier" > exe="/home/jolsa/linux/tools/testing/selftests/bpf/test_verifier" > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > key=(null)ARCH=x86_64 SYSCALL=bpf AUID="jolsa" UID="root" GID="root" > EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" > type=PROCTITLE msg=audit(1574445211.897:28016): > proctitle="./test_verifier" > type=BPF msg=audit(1574445211.897:28017): prog-id=8103 event=UNLOAD
There is some precedence in using "op=" instead of "event=" (an audit "event" is already a thing, using "event=" here might get confusing). I suppose if we are getting really nit-picky you might want to lower-case the LOAD/UNLOAD, but generally Steve cares more about these things than I do. For reference, we have a searchable database of fields here: * https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv > I assume for audit-userspace and audit-testsuite the change will > go in as github PR, right? I have the auditd change ready and will > add test shortly. You can submit the audit-testsuite either as a GH PR or as a patch(set) to the linux-audit mailing list, both work equally well. I believe has the same policy for his userspace tools, but I'll let him speak for himself. > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 18925d924c73..c69d2776d197 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -358,8 +358,6 @@ static inline void audit_ptrace(struct task_struct *t) > __audit_ptrace(t); > } > > -extern void audit_log_task(struct audit_buffer *ab); > - > /* Private API (for audit.c only) */ > extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); > extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, > umode_t mode); > @@ -648,8 +646,6 @@ static inline void audit_ntp_log(const struct > audit_ntp_data *ad) > static inline void audit_ptrace(struct task_struct *t) > { } > > -static inline void audit_log_task(struct audit_buffer *ab) > -{ } > #define audit_n_rules 0 > #define audit_signals 0 > #endif /* CONFIG_AUDITSYSCALL */ > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 9bf1045fedfa..4effe01ebbe2 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -2545,7 +2545,7 @@ void __audit_ntp_log(const struct audit_ntp_data *ad) > audit_log_ntp_val(ad, "adjust", AUDIT_NTP_ADJUST); > } > > -void audit_log_task(struct audit_buffer *ab) > +static void audit_log_task(struct audit_buffer *ab) I'm slightly concerned that this is based on top of your other patch which was NACK'ed. I might not have been clear before, but with the merge window set to open in a few days, and this change affecting the kernel interface (uapi, etc.) and lacking a test, this isn't something that I see as a candidate for the upcoming merge window. *Please* revert your original patch first; if you think I'm cranky now I can promise I'll be a lot more cranky if I see the original patch in -rc1 ;) > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index b51ecb9644d0..e3a7fa4d7a82 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -1334,7 +1334,6 @@ static const char * const bpf_event_audit_str[] = { > > static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_event event) > { > - bool has_task_context = event == BPF_EVENT_LOAD; > struct audit_buffer *ab; > > if (audit_enabled == AUDIT_OFF) > @@ -1342,10 +1341,7 @@ static void bpf_audit_prog(const struct bpf_prog > *prog, enum bpf_event event) > ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF); > if (unlikely(!ab)) > return; > - if (has_task_context) > - audit_log_task(ab); > - audit_log_format(ab, "%sprog-id=%u event=%s", > - has_task_context ? " " : "", > + audit_log_format(ab, "prog-id=%u event=%s", > prog->aux->id, bpf_event_audit_str[event]); Other than the "op" instead of "event", this looks reasonable to me. I would give Steve a chance to comment on it from the userspace side of things. > audit_log_end(ab); > } -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
