From: Andrii Nakryiko
Date: Mon, 23 Dec 2019 22:51:48 -0800
Subject: Re: [PATCH bpf-next v1 00/13] MAC and Audit policy using eBPF (KRSI)
To: KP Singh
Cc: open list, bpf, linux-security-module@vger.kernel.org,
    Alexei Starovoitov, Daniel Borkmann, James Morris, Kees Cook,
    Thomas Garnier, Michael Halcrow, Paul Turner, Brendan Gregg,
    Jann Horn, Matthew Garrett, Christian Brauner, Mickaël Salaün,
    Florent Revest, Brendan Jackman, Martin KaFai Lau, Song Liu,
    Yonghong Song, "Serge E. Hallyn", Mauro Carvalho Chehab,
    "David S. Miller", Greg Kroah-Hartman, Nicolas Ferre,
    Stanislav Fomichev, Quentin Monnet, Andrey Ignatov, Joe Stringer
In-Reply-To: <20191220154208.15895-1-kpsingh@chromium.org>
References: <20191220154208.15895-1-kpsingh@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Dec 20, 2019 at 7:42 AM KP Singh wrote:
>
> From: KP Singh
>
> This patch series is a continuation of the KRSI RFC
> (https://lore.kernel.org/bpf/20190910115527.5235-1-kpsingh@chromium.org/)
>

[...]

> # Usage Examples
>
> A simple example and some documentation is included in the patchset.
>
> In order to better illustrate the capabilities of the framework some
> more advanced prototype code has also been published separately:
>
> * Logging execution events (including environment variables and arguments):
> https://github.com/sinkap/linux-krsi/blob/patch/v1/examples/samples/bpf/lsm_audit_env.c
> * Detecting deletion of running executables:
> https://github.com/sinkap/linux-krsi/blob/patch/v1/examples/samples/bpf/lsm_detect_exec_unlink.c
> * Detection of writes to /proc//mem:
> https://github.com/sinkap/linux-krsi/blob/patch/v1/examples/samples/bpf/lsm_audit_env.c

Are you planning on submitting these examples for inclusion into
samples/bpf or selftests/bpf? It would be great to have more examples
and we can review and suggest nicer ways to go about writing them
(e.g., BPF skeleton and global data Alexei mentioned earlier).

>
> We have updated Google's internal telemetry infrastructure and have
> started deploying this LSM on our Linux Workstations. This gives us more
> confidence in the real-world applications of such a system.
>
> KP Singh (13):
>   bpf: Refactor BPF_EVENT context macros to its own header.
>   bpf: lsm: Add a skeleton and config options
>   bpf: lsm: Introduce types for eBPF based LSM
>   bpf: lsm: Allow btf_id based attachment for LSM hooks
>   tools/libbpf: Add support in libbpf for BPF_PROG_TYPE_LSM
>   bpf: lsm: Init Hooks and create files in securityfs
>   bpf: lsm: Implement attach, detach and execution.
>   bpf: lsm: Show attached program names in hook read handler.
>   bpf: lsm: Add a helper function bpf_lsm_event_output
>   bpf: lsm: Handle attachment of the same program
>   tools/libbpf: Add bpf_program__attach_lsm
>   bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM
>   bpf: lsm: Add Documentation
>

[...]