Module loading code can do anything it damn well pleases. At the moment
we have examples where module loading code is creating lots of objects in
debugfs and this is overflowing the number of inodes the audit system can
keep track of. We can't really trust ANYTHING that happens during module
loading so we might as well just not even try.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/module.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index 8ae93db..380615d 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -55,6 +55,7 @@
#include <linux/async.h>
#include <linux/percpu.h>
#include <linux/kmemleak.h>
+#include <linux/audit.h>
#define CREATE_TRACE_POINTS
#include <trace/events/module.h>
@@ -2521,6 +2522,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
{
struct module *mod;
int ret = 0;
+ struct audit_context *audit_context;
/* Must have permission */
if (!capable(CAP_SYS_MODULE) || modules_disabled)
@@ -2530,10 +2532,18 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
if (mutex_lock_interruptible(&module_mutex) != 0)
return -EINTR;
+ /*
+ * Module loading can do anything it wants and if it is violent audit
+ * won't matter. So just don't even bother
+ */
+ audit_context = current->audit_context;
+ current->audit_context = NULL;
+
/* Do all the hard work */
mod = load_module(umod, len, uargs);
if (IS_ERR(mod)) {
mutex_unlock(&module_mutex);
+ current->audit_context = audit_context;
return PTR_ERR(mod);
}
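Review bot: The restore of `current->audit_context` is duplicated on every return path of init_module (the unlock-and-return after load_module here, and again in the two following hunks), so any return added between these hunks, or one outside the shown context that the patch missed, would presumably leave the task with a NULL audit_context for the rest of its life and silently drop audit records for that process. A single exit label that performs the restore, `out: current->audit_context = audit_context; return ret;`, with the error paths jumping to it, would make the save/restore pairing checkable by inspection and keep the restore adjacent to the save. The comment above the save, `if it is violent audit won't matter`, does not state the actual problem; something like `Module init can create arbitrary numbers of inodes (e.g. in debugfs) and overflow the audit name list, so suppress per-task auditing while load_module and mod->init run` would record the motivation given in the commit message. The enclosing function starts before this hunk and continues past it.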
@@ -2559,6 +2569,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
free_module(mod);
mutex_unlock(&module_mutex);
wake_up(&module_wq);
+ current->audit_context = audit_context;
return ret;
}
if (ret > 0) {
@@ -2593,6 +2604,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
mod->init_size = 0;
mod->init_text_size = 0;
mutex_unlock(&module_mutex);
+ current->audit_context = audit_context;
return 0;
}