Re: [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs

Next message: zhaoyang.huang: "[PATCHv3] mm: remove '!root_reclaim' checking in should_abort_scan()"
Previous message: Baolin Wang: "Re: [PATCH] mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()"
In reply to: Kumar Kartikeya Dwivedi: "Re: [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs"
Next in thread: Frederick Lawler: "Re: [PATCH RFC bpf-next 0/4] audit: Expose audit subsystem to BPF LSM programs via BPF kfuncs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexei Starovoitov

Date: Tue Mar 17 2026 - 21:17:26 EST

On Mon, Mar 16, 2026 at 7:44 PM Kumar Kartikeya Dwivedi
<memxor@xxxxxxxxx> wrote:
>
> On Wed, 11 Mar 2026 at 22:31, Frederick Lawler <fred@xxxxxxxxxxxxxx> wrote:
> >
> > The motivation behind the change is to give BPF LSM developers the
> > ability to report accesses via the audit subsystem much like how LSMs
> > operate today.

Sure, but bpf lsm-s don't need to follow such conventions.
audit is nothing but a message passing from kernel to user space
and done in a very inefficient way by wrapping strings into skb/netlink.
bpf progs can do this message passing already via various ways:
perfbuf, ringbuf, streams.
Teach your user space to consume one of them.