audit: Add AUDIT_PERF_DETACH_BPF audit event for bpf program detach
Adding AUDIT_PERF_DETACH_BPF audit event to be
displayed when the BPF program is detached.
# auditctl -D
# auditctl -a always,exit -F arch=b64 -S ioctl
# ausearch --start recent -m 1333
time->Tue Oct 2 15:20:00 2018
type=UNKNOWN[1334] msg=audit(1538486400.783:17171): event=__x64_sys_execve prog_name=bpf_prog_8afd4fa41e00ce03_syscall__execve prog_type=2
The 'type=UNKNOWN[1334]' will be 'type=PERF_DETACH_BPF' once libaudit is updated.
The following fields are added to the AUDIT_PERF_DETACH_BPF event:
event=__x64_sys_execve
prog_name=bpf_prog_TAG_NAME (same name as in /proc/kallsyms)
prog_type=enum bpf_prog_type value
We can't add special type hook for close syscall,
because the file release is processed in delayed
work context.
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
2 files changed
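A small consumer of the new record, added here as an illustration and not part of the commit or of the audit tooling: it parses ausearch-style lines, recognises the event both as the numeric `UNKNOWN[1334]` form shown above (old libaudit) and as `PERF_DETACH_BPF` (updated libaudit), pulls out the `event`, `prog_name` and `prog_type` fields, and translates `prog_type` using the leading values of `enum bpf_prog_type` from the kernel's uapi `bpf.h`. The parser, the helper names and all sample lines other than the one quoted in the commit message are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Record type number the commit assigns to the new event. Old libaudit prints
# it as UNKNOWN[1334]; updated libaudit prints PERF_DETACH_BPF (hypothetical
# constant name used only in this example).
AUDIT_PERF_DETACH_BPF = 1334

# Leading values of enum bpf_prog_type (include/uapi/linux/bpf.h). The
# commit's sample record carries prog_type=2, i.e. a kprobe program.
BPF_PROG_TYPES = {
    0: "BPF_PROG_TYPE_UNSPEC",
    1: "BPF_PROG_TYPE_SOCKET_FILTER",
    2: "BPF_PROG_TYPE_KPROBE",
    3: "BPF_PROG_TYPE_SCHED_CLS",
    4: "BPF_PROG_TYPE_SCHED_ACT",
    5: "BPF_PROG_TYPE_TRACEPOINT",
    6: "BPF_PROG_TYPE_XDP",
    7: "BPF_PROG_TYPE_PERF_EVENT",
}

_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
_UNKNOWN = re.compile(r"^UNKNOWN\[(\d+)\]$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AuditRecord:
    type_name: str            # as printed by ausearch, e.g. UNKNOWN[1334]
    type_num: Optional[int]   # numeric record type when it can be recovered
    timestamp: float          # seconds since the epoch, from msg=audit(...)
    serial: int               # audit serial number
    fields: Dict[str, str]    # key=value pairs that follow the header


def record_type(type_field: str):
    """Map the printed type to (name, number); unknown named types get None."""
    m = _UNKNOWN.match(type_field)
    if m:
        return "UNKNOWN", int(m.group(1))
    if type_field == "PERF_DETACH_BPF":
        return type_field, AUDIT_PERF_DETACH_BPF
    return type_field, None


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one ausearch record line; 'time->' and '----' lines yield None."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    name, num = record_type(m.group("type"))
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group("body"))}
    return AuditRecord(name, num, float(m.group("ts")), int(m.group("serial")), fields)


def is_bpf_detach(rec: AuditRecord) -> bool:
    return rec.type_num == AUDIT_PERF_DETACH_BPF


def detach_events(lines: List[str]) -> List[dict]:
    """Return one summary dict per AUDIT_PERF_DETACH_BPF record in the input."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or not is_bpf_detach(rec):
            continue
        prog_type = int(rec.fields.get("prog_type", "-1"))
        prog_name = rec.fields.get("prog_name", "")
        out.append({
            "serial": rec.serial,
            "event": rec.fields.get("event", ""),
            "prog_name": prog_name,
            # prog_name is the kallsyms symbol, so it should carry the bpf_prog_ prefix
            "prog_name_ok": prog_name.startswith("bpf_prog_"),
            "prog_type": prog_type,
            "prog_type_name": BPF_PROG_TYPES.get(prog_type, "UNKNOWN"),
        })
    return out


# Constructed sample: the record from the commit message, the same record as an
# updated libaudit would print it, and an unrelated SYSCALL record to be skipped.
SAMPLE_LINES = [
    "time->Tue Oct 2 15:20:00 2018",
    "type=UNKNOWN[1334] msg=audit(1538486400.783:17171): event=__x64_sys_execve "
    "prog_name=bpf_prog_8afd4fa41e00ce03_syscall__execve prog_type=2",
    "----",
    "type=PERF_DETACH_BPF msg=audit(1538486401.100:17172): event=__x64_sys_execve "
    "prog_name=bpf_prog_8afd4fa41e00ce03_syscall__execve prog_type=2",
    "type=SYSCALL msg=audit(1538486401.200:17173): arch=c000003e syscall=16 success=yes exit=0",
]

if __name__ == "__main__":
    for ev in detach_events(SAMPLE_LINES):
        print(ev)
```

Feeding `ausearch --start recent` output through `detach_events` gives one summary per detach, independent of whether the local libaudit knows the record name yet; comparing `prog_name` against `/proc/kallsyms` on the live host (not done here, since the example runs offline) confirms which loaded program was removed.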