On Wed, Dec 21, 2022 at 9:44 AM Paul Moore <[email protected]> wrote: > On Tue, Dec 20, 2022 at 7:02 PM Burn Alting <[email protected]> wrote: > > And to cap this off, the program id will always be zero on an UNLOAD, as > > the routine that sets it to zero, kernel/bpf/syscall.c:bpf_prog_free_id(), > > is called before the emit audit event routine, > > kernel/bpf/syscall.c:bpf_audit_prog(). > > > > So a bug! > > Ooof :/ Independent of the other issues this is something we should > fix as soon as we can. I'll take a look during the holiday and see > what we can do to fix this; looking quickly at it now I don't think it > will be too bad, but one never knows for sure ...
I'm still just looking at the code, but I think we can also do a better job associating eBPF UNLOAD operations. -- paul-moore.com -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
