[PATCH v3] audit,module: restore audit logging in load failure case
by Richard Guy Briggs
The move of the module sanity check to earlier skipped the audit logging
call in the case of failure and to a place where the previously used
context is unavailable.
Add an audit logging call for the module loading failure case and get
the module name when possible.
Link: https://issues.redhat.com/browse/RHEL-52839
Fixes: 02da2cbab452 ("module: move check_modinfo() early to early_mod_check()")
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Changelog:
v2
- use info->name for both audit_log_kern_module() calls and add const
v3
- use "?" rather than "(unavailable)" for consistency with other records
---
include/linux/audit.h | 9 ++++-----
kernel/audit.h | 2 +-
kernel/auditsc.c | 2 +-
kernel/module/main.c | 6 ++++--
4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 0050ef288ab3..a394614ccd0b 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -417,7 +417,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
extern void __audit_openat2_how(struct open_how *how);
-extern void __audit_log_kern_module(char *name);
+extern void __audit_log_kern_module(const char *name);
extern void __audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar);
extern void __audit_tk_injoffset(struct timespec64 offset);
extern void __audit_ntp_log(const struct audit_ntp_data *ad);
@@ -519,7 +519,7 @@ static inline void audit_openat2_how(struct open_how *how)
__audit_openat2_how(how);
}
-static inline void audit_log_kern_module(char *name)
+static inline void audit_log_kern_module(const char *name)
{
if (!audit_dummy_context())
__audit_log_kern_module(name);
@@ -677,9 +677,8 @@ static inline void audit_mmap_fd(int fd, int flags)
static inline void audit_openat2_how(struct open_how *how)
{ }
-static inline void audit_log_kern_module(char *name)
-{
-}
+static inline void audit_log_kern_module(const char *name)
+{ }
static inline void audit_fanotify(u32 response, struct fanotify_response_info_audit_rule *friar)
{ }
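Review bot: the no-audit stub for audit_log_kern_module() in this hunk is reflowed from a three-line empty body to `{ }` in the same change that adds const. That matches the neighbouring stubs, but it is a whitespace-only change riding in a patch that carries a Fixes: tag. Consider mentioning it in the commit message or splitting it out so the backported diff stays minimal.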
diff --git a/kernel/audit.h b/kernel/audit.h
index 0211cb307d30..2a24d01c5fb0 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -200,7 +200,7 @@ struct audit_context {
int argc;
} execve;
struct {
- char *name;
+ const char *name;
} module;
struct {
struct audit_ntp_data ntp_data;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 78fd876a5473..eb98cd6fe91f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2864,7 +2864,7 @@ void __audit_openat2_how(struct open_how *how)
context->type = AUDIT_OPENAT2;
}
-void __audit_log_kern_module(char *name)
+void __audit_log_kern_module(const char *name)
{
struct audit_context *context = audit_context();
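Review bot: the lifetime of the string passed as name deserves a sentence in the commit message, now that the callers in kernel/module/main.c hand in info->name instead of mod->name. The failure path calls free_copy(info, flags) immediately after the audit call, and the lines shown here do not reveal what __audit_log_kern_module() does with name once it has fetched the context. If it stores the pointer in context->module.name rather than a copy, and name points into the data released by free_copy(), the record could be built from freed memory. Please confirm that the name is duplicated before it is stored.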
diff --git a/kernel/module/main.c b/kernel/module/main.c
index a2859dc3eea6..4860e534de05 100644
--- a/kernel/module/main.c
+++ b/kernel/module/main.c
@@ -3297,7 +3297,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
module_allocated = true;
- audit_log_kern_module(mod->name);
+ audit_log_kern_module(info->name);
/* Reserve our place in the list. */
err = add_unformed_module(mod);
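Review bot: the call after module_allocated = true passes info->name unguarded, while the failure path in the next hunk falls back to "?" when info->name is NULL. If info->name is guaranteed to be set by this point, a short comment saying so would help the next reader; otherwise use the same `info->name ? info->name : "?"` fallback here so both call sites treat a missing name alike.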
@@ -3458,8 +3458,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
* failures once the proper module was allocated and
* before that.
*/
- if (!module_allocated)
+ if (!module_allocated) {
+ audit_log_kern_module(info->name ? info->name : "?");
mod_stat_bump_becoming(info, flags);
+ }
free_copy(info, flags);
return err;
}
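Review bot: the comment above the !module_allocated block does not mention auditing, so the new audit_log_kern_module() call inside it reads as unrelated to the code it now shares braces with. Add a line to that comment stating that the audit record is emitted here because the call after module_allocated = true was never reached on this path, and that "?" marks a name that could not be determined. It would also help to note that a failure after allocation is not logged twice because this branch is skipped in that case.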
--
2.43.5
6 days, 10 hours
audit-4.0.5 released
by Steve Grubb
Hello,
We just released a new version of the audit daemon. It can be
downloaded from
https://github.com/linux-audit/audit-userspace/releases/
The ChangeLog is:
- Rework audisp queue to be lockless
- Fix missing delete command in auditctl
- Allow plus addresses (rfc5233) to auditd email.
- Reduce memory churn in auditd event dispatching
- Add configurable recurring state report in auditd
- Switch audisp-statsd to stop sending signals
- Add glibc memory stats to audisp-statsd
The main point of this release is to restore the missing functionality in
auditctl. But this was kind of unplanned. There are some big changes in the
plugins area that I wanted to highlight. The dispatcher queue is now
lockless. This should let auditd get back to processing new events faster. It
also removed one malloc/free in the dispatcher path. This should lower memory
churn for auditd and allow somewhat faster dispatching. (The next release
will continue this work in the plugins to make them even faster.)
The other item to mention is that auditd's email can now support plus addresses
(rfc5233). And the last item is the new glibc metrics have been added to the
statsd plugin. Also to note, auditd now has a configurable timer that can
trigger the publishing of the state report to /var/run/auditd.state. The
statsd plugin reads this, but if you have any kind of metrics collection
system, you can also point it to this file.
If you notice any problems with this release, please let us know.
SHA256: 76159def49df28f50353976bed52801af6039a15bd691e3bb216cb2dcaa78d86
-Steve
2 weeks, 5 days