Hello,
attached is an user-space patch that adds support for auditing uses of the AF_ALG protocol family developed by Herbert Xu to provide user-space access to kernel crypto accelerators.  Kernel patches will follow.

One new record is defined: AUDIT_CRYPTO_USERSPACE_OP.  An audited event is always caused by a syscall, and all other syscall-related data (process identity, syscall result) is audited in the usual records.

To disable auditing crypto by default and to allow the users to selectively enable them using filters, a new filter field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can thus be enabled using (auditctl -a exit,always -F crypto_op!=0).

In addition to the user-space patch, attached are also a few example audit entries.
    Mirek