On Tue, Dec 20, 2022 at 7:02 PM Burn Alting <[email protected]> wrote: > And to cap this off, the program id will always be zero on an UNLOAD, as > the routine that sets it to zero, kernel/bpf/syscall.c:bpf_prog_free_id(), > is called before the emit audit event routine, > kernel/bpf/syscall.c:bpf_audit_prog(). > > So a bug!
Ooof :/ Independent of the other issues this is something we should fix as soon as we can. I'll take a look during the holiday and see what we can do to fix this; looking quickly at it now I don't think it will be too bad, but one never knows for sure ... -- paul-moore.com -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
