[PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs
Paul Moore
paul at paul-moore.com
Tue Apr 21 22:49:57 UTC 2026
On Tue, Apr 21, 2026 at 6:15 PM Alexei Starovoitov
<alexei.starovoitov at gmail.com> wrote:
> On Tue, Apr 21, 2026 at 3:10 PM Paul Moore <paul at paul-moore.com> wrote:
> >
> > > It's still Nack.
> >
> > Based solely on the diffstat and a quick look, this appears to be an
> > LSM patchset, not necessarily a BPF patchset; yes, there are kfuncs,
> > but they are LSM/audit kfuncs and not core BPF functionality.
> > Regardless, I want to see how the LSS presentation is received before
> > worrying about this too much, but your NACK has been noted.
>
> Paul,
>
> told you countless times LSM cannot touch BPF bits without
> explicit Ack.
Based on a quick glance it doesn't appear that Fred's patches touch
BPF bits, they simply supply kfuncs for users to use in their BPF
programs.
> So, no, you cannot add bpf kfuncs in random places in the kernel
I see plenty of places outside of kernel/bpf that define kfuncs.
> And, no, you cannot call bpf internals through bpf_map_ops, etc.
It doesn't appear that Fred is doing that in his patches.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list