A few years ago, I suggested a feature dubbed "known exploit detection".
This feature defines an interface that allows kernel developers to add
a tripwire for somebody who tries to exploit a known security hole in
older versions of the kernel. See [1] for an article and the original
discussion.
[1]:
https://lwn.net/Articles/577432/
Due to the somewhat controversial nature of this feature, I never pushed
very hard for it to go upstream. However, regardless of whether this code
ever makes it upstream, it would still be useful to reserve a numerical
code for the audit message in order to ensure that private deployments
never conflicts with future upstream kernels.
I hereby request the reservation of AUDIT_ANOM_PATCHED as code 1703. This
message should be used when userspace makes a request which in previous
(unpatched) versions of the kernel would have allowed the process to
illicitly gain privileges (e.g. arbitrary code execution, etc.).
Signed-off-by: Vegard Nossum <vegard.nossum(a)oracle.com>
---
include/uapi/linux/audit.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 0714a66f0e0c..7813efc09480 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -139,6 +139,7 @@
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
#define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
+#define AUDIT_ANOM_PATCHED 1703 /* Patched security vulnerability */
#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
#define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification */
#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
--
2.12.0.rc0