Re: [PATCH bpf-next v1 09/13] bpf: lsm: Add a helper function bpf_lsm_event_output
From: Andrii Nakryiko <hidden>
Date: 2019-12-24 06:36:22
Also in:
bpf, lkml
On Fri, Dec 20, 2019 at 7:43 AM KP Singh [off-list ref] wrote:
> From: KP Singh <redacted>
>
> This helper is similar to bpf_perf_event_output except that
> it does need a ctx argument which is more usable in the
> BTF based LSM programs where the context is converted to
> the signature of the attached BTF type.
>
> An example usage of this function would be:
>
> struct {
>         __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
>         __uint(key_size, sizeof(int));
>         __uint(value_size, sizeof(u32));
> } perf_map SEC(".maps");
>
> BPF_TRACE_1(bpf_prog1, "lsm/bprm_check_security",
>             struct linux_binprm *, bprm)
> {
>         char buf[BUF_SIZE];
>         int len;
>         u64 flags = BPF_F_CURRENT_CPU;
>
>         /* some logic that fills up buf with len data */
>         len = fill_up_buf(buf);
>         if (len < 0)
>                 return len;
>         if (len > BUF_SIZE)
>                 return 0;
>
>         bpf_lsm_event_output(&perf_map, flags, buf, len);

This seems to be generally useful and not LSM-specific, so maybe name it more generically as bpf_event_output instead? I'm also curious why we needed both bpf_perf_event_output and bpf_perf_event_output_raw_tp, if it could be done as simply as you did it here. What's different between those three and why your bpf_lsm_event_output doesn't need pt_regs passed into them?

>         return 0;
> }
>
> Signed-off-by: KP Singh <redacted>
> ---
>  include/uapi/linux/bpf.h       | 10 +++++++++-
>  kernel/bpf/verifier.c          |  1 +
>  security/bpf/ops.c             | 21 +++++++++++++++++++++
>  tools/include/uapi/linux/bpf.h | 10 +++++++++-
>  4 files changed, 40 insertions(+), 2 deletions(-)
[...]