On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
We get finit_module for free since it made most sense to hook this in to
load_module().
https://github.com/linux-audit/audit-kernel/issues/7
https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-f... Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
include/linux/audit.h | 12 ++++++++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.h | 3 +++
kernel/auditsc.c | 14 ++++++++++++++
kernel/module.c | 5 ++++-
5 files changed, 34 insertions(+), 1 deletions(-)
This patch looks fine to me, and due to lack of comments I'm going to
assume that Jessica is okay with the kernel/module.c portions of this
patch. Normally this would be too close to the merge window, but this
patch is trivial and since it is new functionality it is unlikely to
cause any regressions so I'm going to merge it into audit/next now.
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2be99b2..aba3a26 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
const struct cred *old);
extern void __audit_log_capset(const struct cred *new, const struct cred *old);
extern void __audit_mmap_fd(int fd, int flags);
+extern void __audit_log_kern_module(char *name);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
@@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
__audit_mmap_fd(fd, flags);
}
+static inline void audit_log_kern_module(char *name)
+{
+ if (!audit_dummy_context())
+ __audit_log_kern_module(name);
+}
+
extern int audit_n_rules;
extern int audit_signals;
#else /* CONFIG_AUDITSYSCALL */
@@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
{ }
static inline void audit_mmap_fd(int fd, int flags)
{ }
+
+static inline void audit_log_kern_module(char *name)
+{
+}
+
static inline void audit_ptrace(struct task_struct *t)
{ }
#define audit_n_rules 0
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 3f24110..3c02bb2 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,7 @@
#define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
#define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */
+#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
diff --git a/kernel/audit.h b/kernel/audit.h
index 431444c..144b7eb 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -199,6 +199,9 @@ struct audit_context {
struct {
int argc;
} execve;
+ struct {
+ char *name;
+ } module;
};
int fds[2];
struct audit_proctitle proctitle;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bb5f504..bde3aac 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1268,6 +1268,11 @@ static void show_special(struct audit_context *context, int
*call_panic)
case AUDIT_EXECVE: {
audit_log_execve_info(context, &ab);
break; }
+ case AUDIT_KERN_MODULE:
+ audit_log_format(ab, "name=");
+ audit_log_untrustedstring(ab, context->module.name);
+ kfree(context->module.name);
+ break;
}
audit_log_end(ab);
}
@@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
context->type = AUDIT_MMAP;
}
+void __audit_log_kern_module(char *name)
+{
+ struct audit_context *context = current->audit_context;
+
+ context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+ strcpy(context->module.name, name);
+ context->type = AUDIT_KERN_MODULE;
+}
+
static void audit_log_task(struct audit_buffer *ab)
{
kuid_t auid, uid;
diff --git a/kernel/module.c b/kernel/module.c
index 529efae..5432dbe 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -61,6 +61,7 @@
#include <linux/pfn.h>
#include <linux/bsearch.h>
#include <linux/dynamic_debug.h>
+#include <linux/audit.h>
#include <uapi/linux/module.h>
#include "module-internal.h"
@@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const char __user
*uargs,
goto free_copy;
}
+ audit_log_kern_module(mod->name);
+
/* Reserve our place in the list. */
err = add_unformed_module(mod);
if (err)
@@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const char __user
*uargs,
mod->name, after_dashes);
}
- /* Link in to syfs. */
+ /* Link in to sysfs. */
err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
if (err < 0)
goto coming_cleanup;
--
1.7.1
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit