[PATCH v2] audit,module: restore audit logging in load failure case
by Richard Guy Briggs
The move of the module sanity check to earlier skipped the audit logging
call in the case of failure and to a place where the previously used
context is unavailable.
Add an audit logging call for the module loading failure case and get
the module name when possible.
Link: https://issues.redhat.com/browse/RHEL-52839
Fixes: 02da2cbab452 ("module: move check_modinfo() early to early_mod_check()")
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Changelog:
v2
- use info->name for both audit_log_kern_module() calls and add const
---
include/linux/audit.h | 9 ++++-----
kernel/audit.h | 2 +-
kernel/auditsc.c | 2 +-
kernel/module/main.c | 6 ++++--
4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 0050ef288ab3..a394614ccd0b 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -417,7 +417,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
extern void __audit_openat2_how(struct open_how *how);
-extern void __audit_log_kern_module(char *name);
+extern void __audit_log_kern_module(const char *name);
extern void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar);
extern void __audit_tk_injoffset(struct timespec64 offset);
extern void __audit_ntp_log(const struct audit_ntp_data *ad);
@@ -519,7 +519,7 @@ static inline void audit_openat2_how(struct open_how *how)
__audit_openat2_how(how);
}
-static inline void audit_log_kern_module(char *name)
+static inline void audit_log_kern_module(const char *name)
{
if (!audit_dummy_context())
__audit_log_kern_module(name);
@@ -677,9 +677,8 @@ static inline void audit_mmap_fd(int fd, int flags)
static inline void audit_openat2_how(struct open_how *how)
{ }
-static inline void audit_log_kern_module(char *name)
-{
-}
+static inline void audit_log_kern_module(const char *name)
+{ }
static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
{ }
diff --git a/kernel/audit.h b/kernel/audit.h
index 0211cb307d30..2a24d01c5fb0 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -200,7 +200,7 @@ struct audit_context {
int argc;
} execve;
struct {
- char *name;
+ const char *name;
} module;
struct {
struct audit_ntp_data ntp_data;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 9c853cde9abe..7bc0462e86f3 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2866,7 +2866,7 @@ void __audit_openat2_how(struct open_how *how)
context->type = AUDIT_OPENAT2;
}
-void __audit_log_kern_module(char *name)
+void __audit_log_kern_module(const char *name)
{
struct audit_context *context = audit_context();
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 1fb9ad289a6f..efa62ace1b23 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3346,7 +3346,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
module_allocated = true;
- audit_log_kern_module(mod->name);
+ audit_log_kern_module(info->name);
/* Reserve our place in the list. */
err = add_unformed_module(mod);
@@ -3506,8 +3506,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
* failures once the proper module was allocated and
* before that.
*/
- if (!module_allocated)
+ if (!module_allocated) {
+ audit_log_kern_module(info->name ? info->name : "(unavailable)");
mod_stat_bump_becoming(info, flags);
+ }
free_copy(info, flags);
return err;
}
--
2.43.5
2 weeks, 5 days
[PATCH v1] audit,module: restore audit logging in load failure case
by Richard Guy Briggs
The move of the module sanity check to earlier skipped the audit logging
call in the case of failure and to a place where the previously used
context is unavailable.
Add an audit logging call for the module loading failure case and get
the module name when possible.
Link: https://issues.redhat.com/browse/RHEL-52839
Fixes: 02da2cbab452 ("module: move check_modinfo() early to early_mod_check()")
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/module/main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/module/main.c b/kernel/module/main.c
index 49b9bca9de12..1f482532ef66 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3057,8 +3057,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
* failures once the proper module was allocated and
* before that.
*/
- if (!module_allocated)
+ if (!module_allocated) {
+ audit_log_kern_module(info->name ? info->name : "(unavailable)");
mod_stat_bump_becoming(info, flags);
+ }
free_copy(info, flags);
return err;
}
--
2.43.5
3 weeks, 5 days
[PATCH v1 0/2] override audit silence norule for fs cases
by Richard Guy Briggs
The audit subsystem normally suppresses output when there are no rules
present to avoid overwhelming the user with unwanted messages. It could
be argued that another security subsystem would generally want to
override that default. Allow them through for fsnotify and filesystem
security violations.
Richard Guy Briggs (2):
audit: record fanotify event regardless of presence of rules
audit: record AUDIT_ANOM_* events regardless of presence of rules
include/linux/audit.h | 8 +-------
kernel/audit.c | 2 +-
kernel/auditsc.c | 2 +-
3 files changed, 3 insertions(+), 9 deletions(-)
--
2.43.5
4 weeks, 1 day