From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753539AbdAZUPB (ORCPT ); Thu, 26 Jan 2017 15:15:01 -0500 Received: from mx1.redhat.com ([209.132.183.28]:52518 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753415AbdAZUO7 (ORCPT ); Thu, 26 Jan 2017 15:14:59 -0500 Date: Thu, 26 Jan 2017 15:14:51 -0500 From: Richard Guy Briggs To: linux-kernel@vger.kernel.org, linux-audit@redhat.com Cc: Rusty Russell Subject: Re: [RFC] [PATCH] audit: log module name on init_module Message-ID: <20170126201451.GC3092@madcap2.tricolour.ca> References: <2daec184298ee74022846c40791cbb13d39fd564.1485459246.git.rgb@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2daec184298ee74022846c40791cbb13d39fd564.1485459246.git.rgb@redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 26 Jan 2017 20:14:55 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2017-01-26 14:50, Richard Guy Briggs wrote: > This adds a new auxiliary record MODULE_INIT to the SYSCALL event. > > We get finit_module for free since it made most sense to hook this in to > load_module(). > > https://github.com/linux-audit/audit-kernel/issues/7 > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format > > Signed-off-by: Richard Guy Briggs Self-NACK. I just realize this is on a crusty version. I'll send an updated patch. > --- > include/linux/audit.h | 12 ++++++++++++ > include/uapi/linux/audit.h | 1 + > kernel/audit.h | 3 +++ > kernel/auditsc.c | 20 ++++++++++++++++++++ > kernel/module.c | 5 ++++- > 5 files changed, 40 insertions(+), 1 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 476bc12..6222042 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -358,6 +358,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, > const struct cred *old); > extern void __audit_log_capset(const struct cred *new, const struct cred *old); > extern void __audit_mmap_fd(int fd, int flags); > +extern void __audit_module_init(char *name); > > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) > { > @@ -434,6 +435,12 @@ static inline void audit_mmap_fd(int fd, int flags) > __audit_mmap_fd(fd, flags); > } > > +static inline void audit_module_init(char *name) > +{ > + if (!audit_dummy_context()) > + __audit_module_init(name); > +} > + > extern int audit_n_rules; > extern int audit_signals; > #else /* CONFIG_AUDITSYSCALL */ > @@ -539,6 +546,11 @@ static inline void audit_log_capset(const struct cred *new, > { } > static inline void audit_mmap_fd(int fd, int flags) > { } > + > +static inline void audit_module_init(char *name) > +{ > +} > + > static inline void audit_ptrace(struct task_struct *t) > { } > #define audit_n_rules 0 > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 843540c..513c930 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -110,6 +110,7 @@ > #define AUDIT_SECCOMP 1326 /* Secure Computing event */ > #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */ > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */ > +#define AUDIT_MODULE_INIT 1329 /* Module init event */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > diff --git a/kernel/audit.h b/kernel/audit.h > index de6cbb7..cf86486 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -198,6 +198,9 @@ struct audit_context { > struct { > int argc; > } execve; > + struct { > + char *name; > + } module; > }; > int fds[2]; > struct audit_proctitle proctitle; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index b86cc04..93967b8 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1168,6 +1168,14 @@ static void audit_log_execve_info(struct audit_context *context, > kfree(buf); > } > > +static void audit_log_kern_module(struct audit_context *context, > + struct audit_buffer **ab) > +{ > + audit_log_format(*ab, " name="); > + audit_log_untrustedstring(*ab, context->module.name); > + kfree(context->module.name); > +} > + > static void show_special(struct audit_context *context, int *call_panic) > { > struct audit_buffer *ab; > @@ -1264,6 +1272,9 @@ static void show_special(struct audit_context *context, int *call_panic) > case AUDIT_EXECVE: { > audit_log_execve_info(context, &ab); > break; } > + case AUDIT_MODULE_INIT: > + audit_log_kern_module(context, &ab); > + break; > } > audit_log_end(ab); > } > @@ -2356,6 +2367,15 @@ void __audit_mmap_fd(int fd, int flags) > context->type = AUDIT_MMAP; > } > > +void __audit_module_init(char *name) > +{ > + struct audit_context *context = current->audit_context; > + > + context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL); > + strcpy(context->module.name, name); > + context->type = AUDIT_MODULE_INIT; > +} > + > static void audit_log_task(struct audit_buffer *ab) > { > kuid_t auid, uid; > diff --git a/kernel/module.c b/kernel/module.c > index 8f051a1..214ba85 100644 > --- a/kernel/module.c > +++ b/kernel/module.c > @@ -59,6 +59,7 @@ > #include > #include > #include > +#include > #include > #include "module-internal.h" > > @@ -3441,6 +3442,8 @@ static int load_module(struct load_info *info, const char __user *uargs, > goto free_copy; > } > > + audit_module_init(mod->name); > + > /* Reserve our place in the list. */ > err = add_unformed_module(mod); > if (err) > @@ -3525,7 +3528,7 @@ static int load_module(struct load_info *info, const char __user *uargs, > mod->name, after_dashes); > } > > - /* Link in to syfs. */ > + /* Link in to sysfs. */ > err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp); > if (err < 0) > goto bug_cleanup; > -- > 1.7.1 > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635