From: Richard Guy Briggs <rgb@redhat.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: linux-kernel@vger.kernel.org, linux-audit@redhat.com,
Eric Paris <eparis@redhat.com>, Paul Moore <pmoore@redhat.com>,
Steve Grubb <sgrubb@redhat.com>, Jessica Yu <jeyu@redhat.com>
Subject: Re: [RFC] [PATCH] audit: log module name on init_module
Date: Sat, 28 Jan 2017 13:48:24 -0500 [thread overview]
Message-ID: <20170128184824.GN3087@madcap2.tricolour.ca> (raw)
In-Reply-To: <87sho5qsew.fsf@rustcorp.com.au>
On 2017-01-27 10:34, Rusty Russell wrote:
> Hi RGB!
Hey Rusteeee! Hi Jeyu,
> This should get acked by the new module maintainer (and your RH
> peer!) Jeyu, cc'd.
Ah ok, that changed 4.9, this patch was based on 4.8 (audit/next).
Thanks!
> Cheers,
> Rusty.
>
> Richard Guy Briggs <rgb@redhat.com> writes:
> > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >
> > We get finit_module for free since it made most sense to hook this in to
> > load_module().
> >
> > https://github.com/linux-audit/audit-kernel/issues/7
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > include/linux/audit.h | 12 ++++++++++++
> > include/uapi/linux/audit.h | 1 +
> > kernel/audit.h | 3 +++
> > kernel/auditsc.c | 20 ++++++++++++++++++++
> > kernel/module.c | 5 ++++-
> > 5 files changed, 40 insertions(+), 1 deletions(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 476bc12..6222042 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -358,6 +358,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
> > const struct cred *old);
> > extern void __audit_log_capset(const struct cred *new, const struct cred *old);
> > extern void __audit_mmap_fd(int fd, int flags);
> > +extern void __audit_module_init(char *name);
> >
> > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> > {
> > @@ -434,6 +435,12 @@ static inline void audit_mmap_fd(int fd, int flags)
> > __audit_mmap_fd(fd, flags);
> > }
> >
> > +static inline void audit_module_init(char *name)
> > +{
> > + if (!audit_dummy_context())
> > + __audit_module_init(name);
> > +}
> > +
> > extern int audit_n_rules;
> > extern int audit_signals;
> > #else /* CONFIG_AUDITSYSCALL */
> > @@ -539,6 +546,11 @@ static inline void audit_log_capset(const struct cred *new,
> > { }
> > static inline void audit_mmap_fd(int fd, int flags)
> > { }
> > +
> > +static inline void audit_module_init(char *name)
> > +{
> > +}
> > +
> > static inline void audit_ptrace(struct task_struct *t)
> > { }
> > #define audit_n_rules 0
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 843540c..513c930 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -110,6 +110,7 @@
> > #define AUDIT_SECCOMP 1326 /* Secure Computing event */
> > #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
> > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
> > +#define AUDIT_MODULE_INIT 1329 /* Module init event */
> >
> > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index de6cbb7..cf86486 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -198,6 +198,9 @@ struct audit_context {
> > struct {
> > int argc;
> > } execve;
> > + struct {
> > + char *name;
> > + } module;
> > };
> > int fds[2];
> > struct audit_proctitle proctitle;
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index b86cc04..93967b8 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1168,6 +1168,14 @@ static void audit_log_execve_info(struct audit_context *context,
> > kfree(buf);
> > }
> >
> > +static void audit_log_kern_module(struct audit_context *context,
> > + struct audit_buffer **ab)
> > +{
> > + audit_log_format(*ab, " name=");
> > + audit_log_untrustedstring(*ab, context->module.name);
> > + kfree(context->module.name);
> > +}
> > +
> > static void show_special(struct audit_context *context, int *call_panic)
> > {
> > struct audit_buffer *ab;
> > @@ -1264,6 +1272,9 @@ static void show_special(struct audit_context *context, int *call_panic)
> > case AUDIT_EXECVE: {
> > audit_log_execve_info(context, &ab);
> > break; }
> > + case AUDIT_MODULE_INIT:
> > + audit_log_kern_module(context, &ab);
> > + break;
> > }
> > audit_log_end(ab);
> > }
> > @@ -2356,6 +2367,15 @@ void __audit_mmap_fd(int fd, int flags)
> > context->type = AUDIT_MMAP;
> > }
> >
> > +void __audit_module_init(char *name)
> > +{
> > + struct audit_context *context = current->audit_context;
> > +
> > + context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
> > + strcpy(context->module.name, name);
> > + context->type = AUDIT_MODULE_INIT;
> > +}
> > +
> > static void audit_log_task(struct audit_buffer *ab)
> > {
> > kuid_t auid, uid;
> > diff --git a/kernel/module.c b/kernel/module.c
> > index 8f051a1..214ba85 100644
> > --- a/kernel/module.c
> > +++ b/kernel/module.c
> > @@ -59,6 +59,7 @@
> > #include <linux/jump_label.h>
> > #include <linux/pfn.h>
> > #include <linux/bsearch.h>
> > +#include <linux/audit.h>
> > #include <uapi/linux/module.h>
> > #include "module-internal.h"
> >
> > @@ -3441,6 +3442,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
> > goto free_copy;
> > }
> >
> > + audit_module_init(mod->name);
> > +
> > /* Reserve our place in the list. */
> > err = add_unformed_module(mod);
> > if (err)
> > @@ -3525,7 +3528,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
> > mod->name, after_dashes);
> > }
> >
> > - /* Link in to syfs. */
> > + /* Link in to sysfs. */
> > err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
> > if (err < 0)
> > goto bug_cleanup;
> > --
> > 1.7.1
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
WARNING: multiple messages have this Message-ID (diff)
From: Richard Guy Briggs <rgb@redhat.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Jessica Yu <jeyu@redhat.com>,
linux-kernel@vger.kernel.org, linux-audit@redhat.com
Subject: Re: [RFC] [PATCH] audit: log module name on init_module
Date: Sat, 28 Jan 2017 13:48:24 -0500 [thread overview]
Message-ID: <20170128184824.GN3087@madcap2.tricolour.ca> (raw)
In-Reply-To: <87sho5qsew.fsf@rustcorp.com.au>
On 2017-01-27 10:34, Rusty Russell wrote:
> Hi RGB!
Hey Rusteeee! Hi Jeyu,
> This should get acked by the new module maintainer (and your RH
> peer!) Jeyu, cc'd.
Ah ok, that changed 4.9, this patch was based on 4.8 (audit/next).
Thanks!
> Cheers,
> Rusty.
>
> Richard Guy Briggs <rgb@redhat.com> writes:
> > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >
> > We get finit_module for free since it made most sense to hook this in to
> > load_module().
> >
> > https://github.com/linux-audit/audit-kernel/issues/7
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > include/linux/audit.h | 12 ++++++++++++
> > include/uapi/linux/audit.h | 1 +
> > kernel/audit.h | 3 +++
> > kernel/auditsc.c | 20 ++++++++++++++++++++
> > kernel/module.c | 5 ++++-
> > 5 files changed, 40 insertions(+), 1 deletions(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 476bc12..6222042 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -358,6 +358,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
> > const struct cred *old);
> > extern void __audit_log_capset(const struct cred *new, const struct cred *old);
> > extern void __audit_mmap_fd(int fd, int flags);
> > +extern void __audit_module_init(char *name);
> >
> > static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> > {
> > @@ -434,6 +435,12 @@ static inline void audit_mmap_fd(int fd, int flags)
> > __audit_mmap_fd(fd, flags);
> > }
> >
> > +static inline void audit_module_init(char *name)
> > +{
> > + if (!audit_dummy_context())
> > + __audit_module_init(name);
> > +}
> > +
> > extern int audit_n_rules;
> > extern int audit_signals;
> > #else /* CONFIG_AUDITSYSCALL */
> > @@ -539,6 +546,11 @@ static inline void audit_log_capset(const struct cred *new,
> > { }
> > static inline void audit_mmap_fd(int fd, int flags)
> > { }
> > +
> > +static inline void audit_module_init(char *name)
> > +{
> > +}
> > +
> > static inline void audit_ptrace(struct task_struct *t)
> > { }
> > #define audit_n_rules 0
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 843540c..513c930 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -110,6 +110,7 @@
> > #define AUDIT_SECCOMP 1326 /* Secure Computing event */
> > #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */
> > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */
> > +#define AUDIT_MODULE_INIT 1329 /* Module init event */
> >
> > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
> > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index de6cbb7..cf86486 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -198,6 +198,9 @@ struct audit_context {
> > struct {
> > int argc;
> > } execve;
> > + struct {
> > + char *name;
> > + } module;
> > };
> > int fds[2];
> > struct audit_proctitle proctitle;
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index b86cc04..93967b8 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1168,6 +1168,14 @@ static void audit_log_execve_info(struct audit_context *context,
> > kfree(buf);
> > }
> >
> > +static void audit_log_kern_module(struct audit_context *context,
> > + struct audit_buffer **ab)
> > +{
> > + audit_log_format(*ab, " name=");
> > + audit_log_untrustedstring(*ab, context->module.name);
> > + kfree(context->module.name);
> > +}
> > +
> > static void show_special(struct audit_context *context, int *call_panic)
> > {
> > struct audit_buffer *ab;
> > @@ -1264,6 +1272,9 @@ static void show_special(struct audit_context *context, int *call_panic)
> > case AUDIT_EXECVE: {
> > audit_log_execve_info(context, &ab);
> > break; }
> > + case AUDIT_MODULE_INIT:
> > + audit_log_kern_module(context, &ab);
> > + break;
> > }
> > audit_log_end(ab);
> > }
> > @@ -2356,6 +2367,15 @@ void __audit_mmap_fd(int fd, int flags)
> > context->type = AUDIT_MMAP;
> > }
> >
> > +void __audit_module_init(char *name)
> > +{
> > + struct audit_context *context = current->audit_context;
> > +
> > + context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
> > + strcpy(context->module.name, name);
> > + context->type = AUDIT_MODULE_INIT;
> > +}
> > +
> > static void audit_log_task(struct audit_buffer *ab)
> > {
> > kuid_t auid, uid;
> > diff --git a/kernel/module.c b/kernel/module.c
> > index 8f051a1..214ba85 100644
> > --- a/kernel/module.c
> > +++ b/kernel/module.c
> > @@ -59,6 +59,7 @@
> > #include <linux/jump_label.h>
> > #include <linux/pfn.h>
> > #include <linux/bsearch.h>
> > +#include <linux/audit.h>
> > #include <uapi/linux/module.h>
> > #include "module-internal.h"
> >
> > @@ -3441,6 +3442,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
> > goto free_copy;
> > }
> >
> > + audit_module_init(mod->name);
> > +
> > /* Reserve our place in the list. */
> > err = add_unformed_module(mod);
> > if (err)
> > @@ -3525,7 +3528,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
> > mod->name, after_dashes);
> > }
> >
> > - /* Link in to syfs. */
> > + /* Link in to sysfs. */
> > err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
> > if (err < 0)
> > goto bug_cleanup;
> > --
> > 1.7.1
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
next prev parent reply other threads:[~2017-01-28 18:49 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-26 19:50 [RFC] [PATCH] audit: log module name on init_module Richard Guy Briggs
2017-01-26 19:50 ` Richard Guy Briggs
2017-01-26 20:14 ` Richard Guy Briggs
2017-01-27 0:04 ` Rusty Russell
2017-01-27 0:04 ` Rusty Russell
2017-01-28 18:48 ` Richard Guy Briggs [this message]
2017-01-28 18:48 ` Richard Guy Briggs
2017-01-30 10:54 ` Steve Grubb
2017-01-30 10:54 ` Steve Grubb
2017-01-30 11:43 ` Richard Guy Briggs
2017-01-30 11:43 ` Richard Guy Briggs
2017-01-26 21:21 Richard Guy Briggs
2017-01-26 21:21 ` Richard Guy Briggs
2017-01-31 11:59 ` Paul Moore
2017-01-31 11:59 ` Paul Moore
2017-01-31 12:36 ` Richard Guy Briggs
2017-01-31 12:36 ` Richard Guy Briggs
2017-01-31 16:07 ` Paul Moore
2017-01-31 20:02 ` Richard Guy Briggs
2017-01-31 20:02 ` Richard Guy Briggs
2017-02-04 0:18 ` Paul Moore
2017-02-04 0:18 ` Paul Moore
2017-02-04 13:27 ` Steve Grubb
2017-02-04 17:20 ` Richard Guy Briggs
2017-02-04 17:19 ` Richard Guy Briggs
2017-02-01 8:30 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170128184824.GN3087@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=eparis@redhat.com \
--cc=jeyu@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=rusty@rustcorp.com.au \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.