On 2017-03-09 16:15, peter enderborg wrote:
On 03/09/2017 03:08 PM, Richard Guy Briggs wrote:
> Record the module name of a delete_module call.
>
> See:
https://github.com/linux-audit/audit-kernel/issues/37
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/module.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/module.c b/kernel/module.c
> index 5432dbe..633f6da 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -943,6 +943,8 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
> return -EFAULT;
> name[MODULE_NAME_LEN-1] = '\0';
>
> + audit_log_kern_module(name);
> +
> if (mutex_lock_interruptible(&module_mutex) != 0)
> return -EINTR;
Is it not better to have that log when we are sure that the module
will be deleted and are stopped?
We went to know what module deletion was attempted. The return code in
the syscall record will tell us whether or not it succeeded and if it
failed, with which error.
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635