On Mon, Mar 16, 2026 at 7:44 PM Kumar Kartikeya Dwivedi
<[email protected]> wrote:
>
> On Wed, 11 Mar 2026 at 22:31, Frederick Lawler <[email protected]> wrote:
> >
> > The motivation behind the change is to give BPF LSM developers the
> > ability to report accesses via the audit subsystem much like how LSMs
> > operate today.

Sure, but bpf lsm-s don't need to follow such conventions.
audit is nothing but a message passing from kernel to user space
and done in a very inefficient way by wrapping strings into skb/netlink.
bpf progs can do this message passing already via various ways:
perfbuf, ringbuf, streams.
Teach your user space to consume one of them.
