[PATCH RFC 1/4] audit: Implement bpf_audit_log_*() wrappers
Mickaël Salaün
mic at digikod.net
Tue Mar 17 19:12:40 UTC 2026

On Mon, Mar 16, 2026 at 06:14:40PM -0400, David Windsor wrote:
> Hi Frederick,
>
> On Wed, Mar 11, 2026 at 04:31:17PM -0500, Frederick Lawler wrote:
> > +__bpf_kfunc int bpf_audit_log_cause(struct bpf_audit_context *ac,
> > + const char *cause__str)
> > +{
> > + if (log_once(ac, BIT_ULL(LSM_AUDIT_DATA_CAUSE)))
> > + return -EINVAL;
> > +
> > + audit_log_format(ac->ab, " cause=");
> > + audit_log_untrustedstring(ac->ab, cause__str);
> > + return 0;
> > +}
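Review bot: the `if (log_once(...)) return -EINVAL;` path at the top of bpf_audit_log_cause() returns the errno a caller would normally read as "bad argument", although the check is keyed on the LSM_AUDIT_DATA_CAUSE bit rather than on the arguments. If log_once() is reporting that the cause field was already emitted for this record, a distinct code such as -EEXIST would let a BPF program tell a repeat call apart from a malformed one. The kfunc also has no kernel-doc comment; one stating the return values and that cause__str is written through audit_log_untrustedstring() would make the contract clear to callers.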
>
> Rather than putting everything in the cause field, could we perhaps
> have a separate kfunc here that appends normal stringpairs (not
> format strings) to the audit record:
>
> bpf_audit_log_str(ac, "result", "denied");
> bpf_audit_log_str(ac, "op", "read");
> bpf_audit_log_str(ac, "scontext", ctx_str);

That would mean arbitrary audit keys (and values), which would not be
acceptable (i.e. no consistency).

>
> I know you didn't want to wrap audit_log_format(), which makes sense,
> this would be a midway point between that and stuffing everything in
> one field.