[PATCH RFC 1/4] audit: Implement bpf_audit_log_*() wrappers
David Windsor
dwindsor at gmail.com
Mon Mar 16 22:14:40 UTC 2026
Hi Frederick,
On Wed, Mar 11, 2026 at 04:31:17PM -0500, Frederick Lawler wrote:
> +__bpf_kfunc int bpf_audit_log_cause(struct bpf_audit_context *ac,
> + const char *cause__str)
> +{
> + if (log_once(ac, BIT_ULL(LSM_AUDIT_DATA_CAUSE)))
> + return -EINVAL;
> +
> + audit_log_format(ac->ab, " cause=");
> + audit_log_untrustedstring(ac->ab, cause__str);
> + return 0;
> +}
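
Review bot: the -EINVAL returned when log_once(ac, BIT_ULL(LSM_AUDIT_DATA_CAUSE)) is nonzero makes a repeated cause field indistinguishable from a bad argument for the BPF caller; if that branch means the field was already emitted for this record, a distinct code such as -EEXIST would let programs tell the two cases apart. The quoted lines also carry no kernel-doc comment for this kfunc, so the once-per-record behaviour and the fact that cause__str goes through audit_log_untrustedstring() rather than being treated as a format string should be documented where BPF authors will see it.
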
Rather than putting everything in the cause field, could we perhaps
have a separate kfunc here that appends normal string pairs (not
format strings) to the audit record:

    bpf_audit_log_str(ac, "result", "denied");
    bpf_audit_log_str(ac, "op", "read");
    bpf_audit_log_str(ac, "scontext", ctx_str);

I know you didn't want to wrap audit_log_format(), which makes sense;
this would be a midway point between that and stuffing everything in
one field.

> +__bpf_kfunc int bpf_audit_log_net_sock(struct bpf_audit_context *ac, int netif,
> + const struct socket *sock)
> +{
> + struct lsm_network_audit net = { .sk = sock->sk, .netif = netif };
> + struct common_audit_data ad;
> +
> + ad.type = LSM_AUDIT_DATA_NET;
> + ad.u.net = &net;
> + return __audit_log_lsm_data(ac, &ad);
> +}
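
Review bot: sock is dereferenced in the initializer, { .sk = sock->sk, .netif = netif }, before anything in the visible lines checks it, so a NULL sock faults here before __audit_log_lsm_data() is reached. Either state that this kfunc only accepts a trusted, non-NULL socket pointer or return -EINVAL for a NULL sock before building net. Separately, ad is declared without an initializer and only ad.type and ad.u.net are set; zero-initializing it (struct common_audit_data ad = {};) would keep the remaining fields from carrying stack contents into __audit_log_lsm_data().
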
Should we also wrap ipv4_skb_to_auditdata() /
ipv6_skb_to_auditdata()? Smack uses it in smack_socket_sock_rcv_skb.
Thanks,
David