Commit 84bb46cd authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Revert "bpf: Emit audit messages upon successful prog load and unload" 



This commit reverts commit 91e6015b ("bpf: Emit audit messages
upon successful prog load and unload") and its follow up commit
7599a896 ("audit: Move audit_log_task declaration under
CONFIG_AUDITSYSCALL") as requested by Paul Moore. The change needs
close review on linux-audit, tests etc.

Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
parent 8dcdc952

include/linux/audit.h

+0 −5
Original line number Diff line number Diff line
@@ -358,8 +358,6 @@ static inline void audit_ptrace(struct task_struct *t) 
		__audit_ptrace(t);

}



extern void audit_log_task(struct audit_buffer *ab);



				/* Private API (for audit.c only) */

extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);

extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
@@ -647,9 +645,6 @@ static inline void audit_ntp_log(const struct audit_ntp_data *ad) 


static inline void audit_ptrace(struct task_struct *t)

{ }



static inline void audit_log_task(struct audit_buffer *ab)

{ }

#define audit_n_rules 0

#define audit_signals 0

#endif /* CONFIG_AUDITSYSCALL */

include/uapi/linux/audit.h

+0 −1
Original line number Diff line number Diff line
@@ -116,7 +116,6 @@ 
#define AUDIT_FANOTIFY		1331	/* Fanotify access decision */

#define AUDIT_TIME_INJOFFSET	1332	/* Timekeeping offset injected */

#define AUDIT_TIME_ADJNTPVAL	1333	/* NTP value adjustment */

#define AUDIT_BPF		1334	/* BPF subsystem */



#define AUDIT_AVC		1400	/* SE Linux avc denial or grant */

#define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */

kernel/auditsc.c

+1 −1
Original line number Diff line number Diff line
@@ -2545,7 +2545,7 @@ void __audit_ntp_log(const struct audit_ntp_data *ad) 
	audit_log_ntp_val(ad, "adjust",	AUDIT_NTP_ADJUST);

}



void audit_log_task(struct audit_buffer *ab)

static void audit_log_task(struct audit_buffer *ab)

{

	kuid_t auid, uid;

	kgid_t gid;

kernel/bpf/syscall.c

+0 −31
Original line number Diff line number Diff line
@@ -23,7 +23,6 @@ 
#include <linux/timekeeping.h>

#include <linux/ctype.h>

#include <linux/nospec.h>

#include <linux/audit.h>

#include <uapi/linux/btf.h>



#define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY || \
@@ -1322,34 +1321,6 @@ static void free_used_maps(struct bpf_prog_aux *aux) 
	kfree(aux->used_maps);

}



enum bpf_event {

	BPF_EVENT_LOAD,

	BPF_EVENT_UNLOAD,

};



static const char * const bpf_event_audit_str[] = {

	[BPF_EVENT_LOAD]   = "LOAD",

	[BPF_EVENT_UNLOAD] = "UNLOAD",

};



static void bpf_audit_prog(const struct bpf_prog *prog, enum bpf_event event)

{

	bool has_task_context = event == BPF_EVENT_LOAD;

	struct audit_buffer *ab;



	if (audit_enabled == AUDIT_OFF)

		return;

	ab = audit_log_start(audit_context(), GFP_ATOMIC, AUDIT_BPF);

	if (unlikely(!ab))

		return;

	if (has_task_context)

		audit_log_task(ab);

	audit_log_format(ab, "%sprog-id=%u event=%s",

			 has_task_context ? " " : "",

			 prog->aux->id, bpf_event_audit_str[event]);

	audit_log_end(ab);

}



int __bpf_prog_charge(struct user_struct *user, u32 pages)

{

	unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
@@ -1466,7 +1437,6 @@ static void __bpf_prog_put(struct bpf_prog *prog, bool do_idr_lock) 
{

	if (atomic64_dec_and_test(&prog->aux->refcnt)) {

		perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_UNLOAD, 0);

		bpf_audit_prog(prog, BPF_EVENT_UNLOAD);

		/* bpf_prog_free_id() must be called first */

		bpf_prog_free_id(prog, do_idr_lock);

		__bpf_prog_put_noref(prog, true);
@@ -1876,7 +1846,6 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr) 
	 */

	bpf_prog_kallsyms_add(prog);

	perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_LOAD, 0);

	bpf_audit_prog(prog, BPF_EVENT_LOAD);



	err = bpf_prog_new_fd(prog);

	if (err < 0)

CRA Git | Maintained and supported by SUSTech CRA and CCSE