[PATCH v1] audit,module: restore audit logging in load failure case
by Richard Guy Briggs
The move of the module sanity check to earlier skipped the audit logging
call in the case of failure and to a place where the previously used
context is unavailable.
Add an audit logging call for the module loading failure case and get
the module name when possible.
Link: https://issues.redhat.com/browse/RHEL-52839
Fixes: 02da2cbab452 ("module: move check_modinfo() early to early_mod_check()")
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/module/main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 49b9bca9de12..1f482532ef66 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3057,8 +3057,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
* failures once the proper module was allocated and
* before that.
*/
- if (!module_allocated)
+ if (!module_allocated) {
+ audit_log_kern_module(info->name ? info->name : "(unavailable)");
mod_stat_bump_becoming(info, flags);
+ }
free_copy(info, flags);
return err;
}
--
2.43.5
1 month, 2 weeks
- 4
- 8
audit-4.0.3 released
by Steve Grubb
Hello,
We just released a new version of the audit daemon. It can be
downloaded from https://github.com/linux-audit/audit-userspace/releases/tag/
v4.0.3. The ChangeLog is:
- Remove a RHEL4 flag table since it's been unsupported for a while
- Change dependency from Requires to Wants for audit-rules.service
- Disable ProtectKernelModules by default in auditd.service
- Skip plugin configs that do not have .conf suffix
- audisp-filter: iterate records correctly when forwarding
- Update syscall table for missing syscalls
- Modify ausearch checkpoint code to address 64 inode and device numbers
- Fix potential segfault interpreting relative paths
- Add audit_set_enabled & audit_is_enabled back to the libaudit python
bindings
- Log runlevel changes to console during boot (Attila Lakatos)
- Add audit-tmpfiles.conf to ensure /var/log/audit exists (Colin Walters)
- Propagate event format to the audisp-af_unix plugin (Attila Lakatos)
- Add support for RISC-V - riscv32, riscv64 (David Abdurachmanov)
Note the change in distributing the tar file. I will no longer distribute
audit releases from my people page. This change is so that other team members
can do official releases. If you have a tool that watches for new releases,
you'll need to adjust it to watch the right place. I don't intend to delete
the historical cache of releases from https://people.redhat.com/sgrubb/audit/
but at some future point in time, they may go away.
This first release has a small hiccup that we'll fix next release. The
downloaded tar file is v4.0.3.tar.gz. Next time its should have a longer name.
Also note that it will unpack into audit-userspace-4.0.3. Any build scripts
will need to take this into account. Also, since this is a pure github
release, you'll need to add dependencies on autoconf, automake, and libtool.
And you'll need to add the following line before the configure command:
autoreconf -fv --install
Aside from this, it's a normal release. I'll call out a couple items. An old
RHEL4 flag table was causing some weird name collision for some build systems.
Since RHEL4 is ancient, the file was dropped to prevent the collision. A
segfault was fixed when parsing relative paths in the log search tools. Since
this has never been reported, I suspect it's hard to naturally generate a
path that triggers it. The daemon is not affected since it doesn't parse.
Lastly, support was added for RISC-V hardware. It needs to be enabled by --
with-riscv.
If you notice any problems with this release, please let us know.
SHA256: 154b3e77b3d47be95f765376d45bb0d8952c06c361f2806b573ed0d8bd652372
-Steve
3 months, 2 weeks
- 1
- 0
- ← Newer
- 1
- Older →