[PATCH 1/3] hornet: log map hash check failures in prog map validation

Blaise Boscaccy bboscaccy at linux.microsoft.com
Tue Jun 2 20:23:20 UTC 2026


Add a pr_notice() before returning -EPERM when
hornet_check_prog_maps() fails to find a matching map hash.

This makes policy denials observable in kernel logs and improves
triage/debuggability of rejected BPF program loads without changing
enforcement behavior.

Signed-off-by: Blaise Boscaccy <bboscaccy at linux.microsoft.com>
---
 security/hornet/hornet_lsm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/hornet/hornet_lsm.c b/security/hornet/hornet_lsm.c
index eeb422db1092d..fe133a0e8a11a 100644
--- a/security/hornet/hornet_lsm.c
+++ b/security/hornet/hornet_lsm.c
@@ -221,6 +221,7 @@ static int hornet_check_prog_maps(struct bpf_prog *prog)
 		}
 		if (!found) {
 			mutex_unlock(&prog->aux->used_maps_mutex);
+			pr_notice("hornet: map hash check failed");
 			return -EPERM;
 		}
 	}
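Review bot: The format string in the added pr_notice() on the !found path has no trailing "\n", so the record is not explicitly terminated; it should read "hornet: map hash check failed\n". This path is reached on every rejected BPF program load, so a caller that retries in a loop can fill the kernel log; pr_notice_ratelimited() would keep denials observable without that. The message also says nothing about which program or map failed the hash check, which limits the triage value the commit message is aiming for; printing an identifier taken from prog, which is already in scope here, would help. Separately, if this file defines pr_fmt() with a module prefix (not visible in this hunk), the literal "hornet: " in the string would be duplicated and should be dropped.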
-- 
2.53.0



