On Tue, Dec 20, 2022 at 7:02 PM Burn Alting <burn.alting(a)iinet.net.au> wrote:
And to cap this off, the program id will always be zero on an UNLOAD,
as
the routine that sets it to zero, kernel/bpf/syscall.c:bpf_prog_free_id(),
is called before the emit audit event routine, kernel/bpf/syscall.c:bpf_audit_prog().
So a bug!
Ooof :/ Independent of the other issues this is something we should
fix as soon as we can. I'll take a look during the holiday and see
what we can do to fix this; looking quickly at it now I don't think it
will be too bad, but one never knows for sure ...
--
paul-moore.com