Hello,
attached is a user-space patch that adds support for auditing uses of the AF_ALG protocol
family developed by Herbert Xu to provide user-space access to kernel crypto accelerators.
Kernel patches will follow.
One new record is defined: AUDIT_CRYPTO_USERSPACE_OP. An audited event is always caused
by a syscall, and all other syscall-related data (process identity, syscall result) is
audited in the usual records.
To disable auditing crypto by default and to allow users to selectively enable it
using filters, a new filter field AUDIT_CRYPTO_OP is defined; auditing of all crypto
operations can thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
In addition to the user-space patch, attached are also a few example audit entries.
Mirek