On Tue, Dec 20, 2022 at 7:02 PM Burn Alting <burn.alt...@iinet.net.au> wrote: > And to cap this off, the program id will always be zero on an UNLOAD, as > the routine that sets it to zero, kernel/bpf/syscall.c:bpf_prog_free_id(), > is called before the emit audit event routine, > kernel/bpf/syscall.c:bpf_audit_prog(). > > So a bug!
Ooof :/ Independent of the other issues this is something we should fix as soon as we can. I'll take a look during the holiday and see what we can do to fix this; looking quickly at it now I don't think it will be too bad, but one never knows for sure ... -- paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
