Hi,
I note that the unsolicited AUDIT_BPF audit event only provides a program id and
operation (load or unload). For example,

  type=BPF msg=audit(21/12/22 09:03:35.765:439) : prog-id=75 op=LOAD

or

  type=BPF msg=audit(21/12/22 09:04:05.883:460) : prog-id=0 op=UNLOAD

I also note that the bpf auxiliary structure (struct bpf_prog_aux) that holds the
program id value also holds a name (struct bpf_prog_aux->name) and uid (struct
bpf_prog_aux->user_struct->uid). Perhaps adding these two items to the AUDIT_BPF
event would provide more security context for this unsolicited event.
Thoughts?
Rgds
Burn Alting
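
Added example (not part of the original message, and not code from the audit project): a small Python parser for type=BPF records in the layout quoted above, showing which fields an analyst can search on and what pairing LOAD with UNLOAD by prog-id yields on the two quoted records. The function names are hypothetical and the sample input is constructed from the two records in the message.

```python
import re

# Constructed sample: the two records quoted in the message, one per line.
SAMPLE = (
    "type=BPF msg=audit(21/12/22 09:03:35.765:439) : prog-id=75 op=LOAD\n"
    "type=BPF msg=audit(21/12/22 09:04:05.883:460) : prog-id=0 op=UNLOAD\n"
)

# Timestamp and event serial sit inside audit(...), split at the last colon.
RECORD = re.compile(
    r"^type=BPF msg=audit\((?P<ts>.+):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$")


def parse_bpf_records(text):
    """Return one dict per type=BPF line: ts, serial and its key=value fields."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # not a BPF record, or not in the expected layout
        fields = dict(kv.split("=", 1) for kv in m["body"].split() if "=" in kv)
        records.append({"ts": m["ts"], "serial": int(m["serial"]), "fields": fields})
    return records


def field_names(records):
    """Every field name seen across the records, i.e. what can be searched on."""
    return sorted({name for r in records for name in r["fields"]})


def pair_loads(records):
    """Pair each UNLOAD with an earlier LOAD of the same prog-id (input order).

    Returns (still_loaded, unpaired_unloads) as lists of prog-id integers.
    """
    loaded, unpaired = [], []
    for r in records:
        f = r["fields"]
        if not f.get("prog-id", "").isdigit():
            continue  # record without a usable program id
        prog_id = int(f["prog-id"])
        if f.get("op") == "LOAD":
            loaded.append(prog_id)
        elif f.get("op") == "UNLOAD":
            if prog_id in loaded:
                loaded.remove(prog_id)
            else:
                unpaired.append(prog_id)
    return loaded, unpaired
```

On the sample, field_names() returns only prog-id and op, and pair_loads() leaves program 75 loaded with the prog-id=0 unload unpaired.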