Hi,
I note that the unsolicited AUDIT_BPF audit event only provides a program id and operation (load or unload). For example,
type=BPF msg=audit(21/12/22 09:03:35.765:439) : prog-id=75 op=LOAD
or
type=BPF msg=audit(21/12/22 09:04:05.883:460) : prog-id=0 op=UNLOAD
I also note that the bpf auxiliary structure (struct bpf_prog_aux) that holds the program id value also holds a name (struct bpf_prog_aux->name) and uid (struct bpf_prog_aux->user_struct->uid).
Perhaps adding these two items to the AUDIT_BPF event would provide more security context for this unsolicited event.
Thoughts?
Rgds
Burn Alting
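
Added example, not part of the original message or of any audit tooling: a small parser for type=BPF records in the format quoted above, showing what a consumer can and cannot derive from prog-id and op alone. The third sample record and its "name" and "uid" keys are hypothetical, constructed to show how the proposed fields would be picked up.

```python
import re

# Constructed input: the two records quoted in the message, plus one hypothetical
# record with the proposed fields (the keys "name" and "uid" are assumptions).
SAMPLE = """\
type=BPF msg=audit(21/12/22 09:03:35.765:439) : prog-id=75 op=LOAD
type=BPF msg=audit(21/12/22 09:04:05.883:460) : prog-id=0 op=UNLOAD
type=BPF msg=audit(21/12/22 09:05:10.101:471) : prog-id=76 op=LOAD name=example_prog uid=1000
"""

RECORD = re.compile(
    r"^type=BPF msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$")
WANTED = ("name", "uid")  # context the message proposes adding


def parse_bpf_events(text):
    """Return one dict per type=BPF record; unknown key=value pairs are kept."""
    events = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # not a BPF record, or malformed
        fields = dict(kv.split("=", 1) for kv in m["body"].split() if "=" in kv)
        if "op" not in fields or not fields.get("prog-id", "").isdigit():
            continue  # skip records missing the two mandatory fields
        events.append({"stamp": m["stamp"], "serial": int(m["serial"]),
                       "prog_id": int(fields.pop("prog-id")),
                       "op": fields.pop("op"), "extra": fields})
    return events


def triage(events):
    """Return (serials of loads lacking name/uid, serials of unloads with no seen load)."""
    loaded, no_context, orphan_unloads = set(), [], []
    for ev in events:
        if ev["op"] == "LOAD":
            loaded.add(ev["prog_id"])
            if any(key not in ev["extra"] for key in WANTED):
                no_context.append(ev["serial"])
        elif ev["op"] == "UNLOAD":
            if ev["prog_id"] in loaded:
                loaded.discard(ev["prog_id"])
            else:
                orphan_unloads.append(ev["serial"])
    return no_context, orphan_unloads


if __name__ == "__main__":
    no_context, orphans = triage(parse_bpf_events(SAMPLE))
    print("loads without name/uid:", no_context)
    print("unloads not matching a seen load:", orphans)
```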