* [PATCH V2] audit: log module name on init_module
@ 2017-02-04 18:10 Richard Guy Briggs
  2017-02-13 21:20 ` Paul Moore
  0 siblings, 1 reply; 8+ messages in thread
From: Richard Guy Briggs @ 2017-02-04 18:10 UTC (permalink / raw)
  To: linux-kernel, linux-audit
  Cc: Richard Guy Briggs, Jessica Yu, Eric Paris, Paul Moore, Steve Grubb

This adds a new auxiliary record MODULE_INIT to the SYSCALL event.

We get finit_module for free since it made most sense to hook this into
load_module().

https://github.com/linux-audit/audit-kernel/issues/7
https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/linux/audit.h      |   12 ++++++++++++
 include/uapi/linux/audit.h |    1 +
 kernel/audit.h             |    3 +++
 kernel/auditsc.c           |   14 ++++++++++++++
 kernel/module.c            |    5 ++++-
 5 files changed, 34 insertions(+), 1 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2be99b2..aba3a26 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
 				  const struct cred *old);
 extern void __audit_log_capset(const struct cred *new, const struct cred *old);
 extern void __audit_mmap_fd(int fd, int flags);
+extern void __audit_log_kern_module(char *name);
 
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 {
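Review bot: The added declaration `extern void __audit_log_kern_module(char *name);` takes a non-const pointer although the callee only reads the string (it is copied into the audit context in the kernel/auditsc.c hunk and never written through), so it should be `extern void __audit_log_kern_module(const char *name);`. The two inline wrappers added in the next two hunks of this file should take `const char *name` as well, so that callers holding a const name can use the hook. The only caller in this patch passes `mod->name`, which is not modified, so the change is source-compatible. The declaration list this hunk sits in continues outside the hunk.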
@@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
 		__audit_mmap_fd(fd, flags);
 }
 
+static inline void audit_log_kern_module(char *name)
+{
+	if (!audit_dummy_context())
+		__audit_log_kern_module(name);
+}
+
 extern int audit_n_rules;
 extern int audit_signals;
 #else /* CONFIG_AUDITSYSCALL */
@@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
 { }
 static inline void audit_mmap_fd(int fd, int flags)
 { }
+
+static inline void audit_log_kern_module(char *name)
+{
+}
+
 static inline void audit_ptrace(struct task_struct *t)
 { }
 #define audit_n_rules 0
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 3f24110..3c02bb2 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -111,6 +111,7 @@
 #define AUDIT_PROCTITLE		1327	/* Proctitle emit event */
 #define AUDIT_FEATURE_CHANGE	1328	/* audit log listing feature changes */
 #define AUDIT_REPLACE		1329	/* Replace auditd if this packet unanswerd */
+#define AUDIT_KERN_MODULE	1330	/* Kernel Module events */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
diff --git a/kernel/audit.h b/kernel/audit.h
index 431444c..144b7eb 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -199,6 +199,9 @@ struct audit_context {
 		struct {
 			int			argc;
 		} execve;
+		struct {
+			char			*name;
+		} module;
 	};
 	int fds[2];
 	struct audit_proctitle proctitle;
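Review bot: The new `module.name` member carries heap ownership that nothing in the struct documents: it is filled by `__audit_log_kern_module()` and released by `show_special()` in the kernel/auditsc.c hunks, and it sits in the anonymous union with `execve`, so only one of these members is meaningful for a given `context->type`. A one-line comment on the member, `char *name; /* kmalloc'd copy of the module name; freed by show_special() */`, would make the lifetime visible to whoever next adds a union member or a second free. `struct audit_context` begins before the hunk.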
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bb5f504..bde3aac 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1268,6 +1268,11 @@ static void show_special(struct audit_context *context, int *call_panic)
 	case AUDIT_EXECVE: {
 		audit_log_execve_info(context, &ab);
 		break; }
+	case AUDIT_KERN_MODULE:
+		audit_log_format(ab, "name=");
+		audit_log_untrustedstring(ab, context->module.name);
+		kfree(context->module.name);
+		break;
 	}
 	audit_log_end(ab);
 }
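Review bot: The new case passes `context->module.name` straight to `audit_log_untrustedstring()` without checking it, but `__audit_log_kern_module()` in the next hunk stores the unchecked result of `kmalloc()`, so under allocation failure this is a NULL pointer handed to a function that takes its `strlen()`. Guard it, e.g. `if (context->module.name) audit_log_untrustedstring(ab, context->module.name); else audit_log_format(ab, "(null)");`, so the record is still emitted with a recognisable marker. After the `kfree()` also clear the pointer, `context->module.name = NULL;`, so a context that is reused without being reset cannot hand the freed string out again. The `show_special()` body begins before the hunk.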
@@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
 	context->type = AUDIT_MMAP;
 }
 
+void __audit_log_kern_module(char *name)
+{
+	struct audit_context *context = current->audit_context;
+
+	context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
+	strcpy(context->module.name, name);
+	context->type = AUDIT_KERN_MODULE;
+}
+
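Review bot: The `kmalloc()` on the allocation line is unchecked and the `strcpy()` on the next line writes through its result, so an allocation failure becomes a NULL-pointer write on the init_module/finit_module syscall path; the kernel idiom is `context->module.name = kstrdup(name, GFP_KERNEL);` followed by `if (!context->module.name) audit_log_lost("out of memory in __audit_log_kern_module");`, which also drops the unbounded `strcpy`. Two further points are outside the hunk and worth confirming: `name` is `mod->name`, a fixed-size array populated from the module image supplied by user space, so the `strlen()` here relies on load_module having guaranteed NUL-termination before the hook runs; and the copy is only released by `show_special()`, so a syscall whose exit does not emit the record (for example because filtering decides not to audit it) appears to leak the string unless the context reset path frees it. `audit_log_task()` below the insertion is unrelated and continues outside the hunk.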
 static void audit_log_task(struct audit_buffer *ab)
 {
 	kuid_t auid, uid;
diff --git a/kernel/module.c b/kernel/module.c
index 529efae..5432dbe 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -61,6 +61,7 @@
 #include <linux/pfn.h>
 #include <linux/bsearch.h>
 #include <linux/dynamic_debug.h>
+#include <linux/audit.h>
 #include <uapi/linux/module.h>
 #include "module-internal.h"
 
@@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
 		goto free_copy;
 	}
 
+	audit_log_kern_module(mod->name);
+
 	/* Reserve our place in the list. */
 	err = add_unformed_module(mod);
 	if (err)
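Review bot: The new `audit_log_kern_module(mod->name)` call has no comment explaining why it sits here, before `add_unformed_module()` rather than after the module is live; from this position a load that fails at a later step (the `if (err)` right below is the first such exit) still produces a record, which is presumably intended so that attempts and not only successes are visible, but a reader has to guess. A comment such as `/* Audit the load attempt now so that a later failure is still recorded; the SYSCALL record carries the outcome. */` would settle it. It is also worth stating that `mod->name` at this point comes from the image being loaded, which is why the audit side logs it as an untrusted string. `load_module()` begins and ends outside the hunk.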
@@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
 		       mod->name, after_dashes);
 	}
 
-	/* Link in to syfs. */
+	/* Link in to sysfs. */
 	err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
 	if (err < 0)
 		goto coming_cleanup;
-- 
1.7.1


* Re: [PATCH V2] audit: log module name on init_module
  2017-02-04 18:10 [PATCH V2] audit: log module name on init_module Richard Guy Briggs
@ 2017-02-13 21:20 ` Paul Moore
  2017-02-13 21:33   ` Jessica Yu
  2017-02-14 18:02   ` [PATCH V2] " Steve Grubb
  0 siblings, 2 replies; 8+ messages in thread
From: Paul Moore @ 2017-02-13 21:20 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-kernel, linux-audit, Jessica Yu

On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
>
> We get finit_module for free since it made most sense to hook this in to
> load_module().
>
> https://github.com/linux-audit/audit-kernel/issues/7
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format

Correction for the record:

* https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format

[NOTE: don't resend please, I'll fix this when merging]

> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  include/linux/audit.h      |   12 ++++++++++++
>  include/uapi/linux/audit.h |    1 +
>  kernel/audit.h             |    3 +++
>  kernel/auditsc.c           |   14 ++++++++++++++
>  kernel/module.c            |    5 ++++-
>  5 files changed, 34 insertions(+), 1 deletions(-)

This patch looks fine to me, and due to lack of comments I'm going to
assume that Jessica is okay with the kernel/module.c portions of this
patch.  Normally this would be too close to the merge window, but this
patch is trivial and since it is new functionality it is unlikely to
cause any regressions so I'm going to merge it into audit/next now.

> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 2be99b2..aba3a26 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
>                                   const struct cred *old);
>  extern void __audit_log_capset(const struct cred *new, const struct cred *old);
>  extern void __audit_mmap_fd(int fd, int flags);
> +extern void __audit_log_kern_module(char *name);
>
>  static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
>  {
> @@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
>                 __audit_mmap_fd(fd, flags);
>  }
>
> +static inline void audit_log_kern_module(char *name)
> +{
> +       if (!audit_dummy_context())
> +               __audit_log_kern_module(name);
> +}
> +
>  extern int audit_n_rules;
>  extern int audit_signals;
>  #else /* CONFIG_AUDITSYSCALL */
> @@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
>  { }
>  static inline void audit_mmap_fd(int fd, int flags)
>  { }
> +
> +static inline void audit_log_kern_module(char *name)
> +{
> +}
> +
>  static inline void audit_ptrace(struct task_struct *t)
>  { }
>  #define audit_n_rules 0
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 3f24110..3c02bb2 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -111,6 +111,7 @@
>  #define AUDIT_PROCTITLE                1327    /* Proctitle emit event */
>  #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature changes */
>  #define AUDIT_REPLACE          1329    /* Replace auditd if this packet unanswerd */
> +#define AUDIT_KERN_MODULE      1330    /* Kernel Module events */
>
>  #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
> diff --git a/kernel/audit.h b/kernel/audit.h
> index 431444c..144b7eb 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -199,6 +199,9 @@ struct audit_context {
>                 struct {
>                         int                     argc;
>                 } execve;
> +               struct {
> +                       char                    *name;
> +               } module;
>         };
>         int fds[2];
>         struct audit_proctitle proctitle;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index bb5f504..bde3aac 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1268,6 +1268,11 @@ static void show_special(struct audit_context *context, int *call_panic)
>         case AUDIT_EXECVE: {
>                 audit_log_execve_info(context, &ab);
>                 break; }
> +       case AUDIT_KERN_MODULE:
> +               audit_log_format(ab, "name=");
> +               audit_log_untrustedstring(ab, context->module.name);
> +               kfree(context->module.name);
> +               break;
>         }
>         audit_log_end(ab);
>  }
> @@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
>         context->type = AUDIT_MMAP;
>  }
>
> +void __audit_log_kern_module(char *name)
> +{
> +       struct audit_context *context = current->audit_context;
> +
> +       context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
> +       strcpy(context->module.name, name);
> +       context->type = AUDIT_KERN_MODULE;
> +}
> +
>  static void audit_log_task(struct audit_buffer *ab)
>  {
>         kuid_t auid, uid;
> diff --git a/kernel/module.c b/kernel/module.c
> index 529efae..5432dbe 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -61,6 +61,7 @@
>  #include <linux/pfn.h>
>  #include <linux/bsearch.h>
>  #include <linux/dynamic_debug.h>
> +#include <linux/audit.h>
>  #include <uapi/linux/module.h>
>  #include "module-internal.h"
>
> @@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
>                 goto free_copy;
>         }
>
> +       audit_log_kern_module(mod->name);
> +
>         /* Reserve our place in the list. */
>         err = add_unformed_module(mod);
>         if (err)
> @@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
>                        mod->name, after_dashes);
>         }
>
> -       /* Link in to syfs. */
> +       /* Link in to sysfs. */
>         err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
>         if (err < 0)
>                 goto coming_cleanup;
> --
> 1.7.1
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
paul moore
www.paul-moore.com


* Re: audit: log module name on init_module
  2017-02-13 21:20 ` Paul Moore
@ 2017-02-13 21:33   ` Jessica Yu
  2017-02-14 18:02   ` [PATCH V2] " Steve Grubb
  1 sibling, 0 replies; 8+ messages in thread
From: Jessica Yu @ 2017-02-13 21:33 UTC (permalink / raw)
  To: Paul Moore; +Cc: Richard Guy Briggs, linux-kernel, linux-audit

+++ Paul Moore [13/02/17 16:20 -0500]:
>On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
>>
>> We get finit_module for free since it made most sense to hook this in to
>> load_module().
>>
>> https://github.com/linux-audit/audit-kernel/issues/7
>> https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format
>
>Correction for the record:
>
>* https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format
>
>[NOTE: don't resend please, I'll fix this when merging]
>
>> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>> ---
>>  include/linux/audit.h      |   12 ++++++++++++
>>  include/uapi/linux/audit.h |    1 +
>>  kernel/audit.h             |    3 +++
>>  kernel/auditsc.c           |   14 ++++++++++++++
>>  kernel/module.c            |    5 ++++-
>>  5 files changed, 34 insertions(+), 1 deletions(-)
>
>This patch looks fine to me, and due to lack of comments I'm going to
>assume that Jessica is okay with the kernel/module.c portions of this
>patch.  Normally this would be too close to the merge window, but this
>patch is trivial and since it is new functionality it is unlikely to
>cause any regressions so I'm going to merge it into audit/next now.

Hi Paul, Richard,

Apologies, I missed this mail earlier. The module.c bits look
fine to me, so feel free to add my ACK.

Acked-by: Jessica Yu <jeyu@redhat.com>

Thanks!

Jessica

>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index 2be99b2..aba3a26 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
>>                                   const struct cred *old);
>>  extern void __audit_log_capset(const struct cred *new, const struct cred *old);
>>  extern void __audit_mmap_fd(int fd, int flags);
>> +extern void __audit_log_kern_module(char *name);
>>
>>  static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
>>  {
>> @@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
>>                 __audit_mmap_fd(fd, flags);
>>  }
>>
>> +static inline void audit_log_kern_module(char *name)
>> +{
>> +       if (!audit_dummy_context())
>> +               __audit_log_kern_module(name);
>> +}
>> +
>>  extern int audit_n_rules;
>>  extern int audit_signals;
>>  #else /* CONFIG_AUDITSYSCALL */
>> @@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
>>  { }
>>  static inline void audit_mmap_fd(int fd, int flags)
>>  { }
>> +
>> +static inline void audit_log_kern_module(char *name)
>> +{
>> +}
>> +
>>  static inline void audit_ptrace(struct task_struct *t)
>>  { }
>>  #define audit_n_rules 0
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 3f24110..3c02bb2 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -111,6 +111,7 @@
>>  #define AUDIT_PROCTITLE                1327    /* Proctitle emit event */
>>  #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature changes */
>>  #define AUDIT_REPLACE          1329    /* Replace auditd if this packet unanswerd */
>> +#define AUDIT_KERN_MODULE      1330    /* Kernel Module events */
>>
>>  #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
>>  #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
>> diff --git a/kernel/audit.h b/kernel/audit.h
>> index 431444c..144b7eb 100644
>> --- a/kernel/audit.h
>> +++ b/kernel/audit.h
>> @@ -199,6 +199,9 @@ struct audit_context {
>>                 struct {
>>                         int                     argc;
>>                 } execve;
>> +               struct {
>> +                       char                    *name;
>> +               } module;
>>         };
>>         int fds[2];
>>         struct audit_proctitle proctitle;
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index bb5f504..bde3aac 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -1268,6 +1268,11 @@ static void show_special(struct audit_context *context, int *call_panic)
>>         case AUDIT_EXECVE: {
>>                 audit_log_execve_info(context, &ab);
>>                 break; }
>> +       case AUDIT_KERN_MODULE:
>> +               audit_log_format(ab, "name=");
>> +               audit_log_untrustedstring(ab, context->module.name);
>> +               kfree(context->module.name);
>> +               break;
>>         }
>>         audit_log_end(ab);
>>  }
>> @@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
>>         context->type = AUDIT_MMAP;
>>  }
>>
>> +void __audit_log_kern_module(char *name)
>> +{
>> +       struct audit_context *context = current->audit_context;
>> +
>> +       context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
>> +       strcpy(context->module.name, name);
>> +       context->type = AUDIT_KERN_MODULE;
>> +}
>> +
>>  static void audit_log_task(struct audit_buffer *ab)
>>  {
>>         kuid_t auid, uid;
>> diff --git a/kernel/module.c b/kernel/module.c
>> index 529efae..5432dbe 100644
>> --- a/kernel/module.c
>> +++ b/kernel/module.c
>> @@ -61,6 +61,7 @@
>>  #include <linux/pfn.h>
>>  #include <linux/bsearch.h>
>>  #include <linux/dynamic_debug.h>
>> +#include <linux/audit.h>
>>  #include <uapi/linux/module.h>
>>  #include "module-internal.h"
>>
>> @@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
>>                 goto free_copy;
>>         }
>>
>> +       audit_log_kern_module(mod->name);
>> +
>>         /* Reserve our place in the list. */
>>         err = add_unformed_module(mod);
>>         if (err)
>> @@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
>>                        mod->name, after_dashes);
>>         }
>>
>> -       /* Link in to syfs. */
>> +       /* Link in to sysfs. */
>>         err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
>>         if (err < 0)
>>                 goto coming_cleanup;
>> --
>> 1.7.1
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
>-- 
>paul moore
>www.paul-moore.com


* Re: [PATCH V2] audit: log module name on init_module
  2017-02-13 21:20 ` Paul Moore
  2017-02-13 21:33   ` Jessica Yu
@ 2017-02-14 18:02   ` Steve Grubb
  2017-02-14 18:11     ` Richard Guy Briggs
  1 sibling, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2017-02-14 18:02 UTC (permalink / raw)
  To: linux-audit; +Cc: Paul Moore, Richard Guy Briggs, linux-kernel, Jessica Yu

On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> > 
> > We get finit_module for free since it made most sense to hook this in to
> > load_module().
> > 
> > https://github.com/linux-audit/audit-kernel/issues/7
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-fo
> > rmat
> Correction for the record:
> 
> *
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-For
> mat
> 
> [NOTE: don't resend please, I'll fix this when merging]

OK. Support was added to user space for this record. While doing this, I 
wondered if we also get this auxiliary record when unloading a module?

Thanks,
-Steve

> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > 
> >  include/linux/audit.h      |   12 ++++++++++++
> >  include/uapi/linux/audit.h |    1 +
> >  kernel/audit.h             |    3 +++
> >  kernel/auditsc.c           |   14 ++++++++++++++
> >  kernel/module.c            |    5 ++++-
> >  5 files changed, 34 insertions(+), 1 deletions(-)
> 
> This patch looks fine to me, and due to lack of comments I'm going to
> assume that Jessica is okay with the kernel/module.c portions of this
> patch.  Normally this would be too close to the merge window, but this
> patch is trivial and since it is new functionality it is unlikely to
> cause any regressions so I'm going to merge it into audit/next now.
> 
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 2be99b2..aba3a26 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm
> > *bprm,> 
> >                                   const struct cred *old);
> >  
> >  extern void __audit_log_capset(const struct cred *new, const struct cred
> >  *old); extern void __audit_mmap_fd(int fd, int flags);
> > 
> > +extern void __audit_log_kern_module(char *name);
> > 
> >  static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> >  {
> > 
> > @@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
> > 
> >                 __audit_mmap_fd(fd, flags);
> >  
> >  }
> > 
> > +static inline void audit_log_kern_module(char *name)
> > +{
> > +       if (!audit_dummy_context())
> > +               __audit_log_kern_module(name);
> > +}
> > +
> > 
> >  extern int audit_n_rules;
> >  extern int audit_signals;
> >  #else /* CONFIG_AUDITSYSCALL */
> > 
> > @@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred
> > *new,> 
> >  { }
> >  static inline void audit_mmap_fd(int fd, int flags)
> >  { }
> > 
> > +
> > +static inline void audit_log_kern_module(char *name)
> > +{
> > +}
> > +
> > 
> >  static inline void audit_ptrace(struct task_struct *t)
> >  { }
> >  #define audit_n_rules 0
> > 
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 3f24110..3c02bb2 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -111,6 +111,7 @@
> > 
> >  #define AUDIT_PROCTITLE                1327    /* Proctitle emit event */
> >  #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature
> >  changes */ #define AUDIT_REPLACE          1329    /* Replace auditd if
> >  this packet unanswerd */> 
> > +#define AUDIT_KERN_MODULE      1330    /* Kernel Module events */
> > 
> >  #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
> >  #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
> > 
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 431444c..144b7eb 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -199,6 +199,9 @@ struct audit_context {
> > 
> >                 struct {
> >                 
> >                         int                     argc;
> >                 
> >                 } execve;
> > 
> > +               struct {
> > +                       char                    *name;
> > +               } module;
> > 
> >         };
> >         int fds[2];
> >         struct audit_proctitle proctitle;
> > 
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index bb5f504..bde3aac 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -1268,6 +1268,11 @@ static void show_special(struct audit_context
> > *context, int *call_panic)> 
> >         case AUDIT_EXECVE: {
> >         
> >                 audit_log_execve_info(context, &ab);
> >                 break; }
> > 
> > +       case AUDIT_KERN_MODULE:
> > +               audit_log_format(ab, "name=");
> > +               audit_log_untrustedstring(ab, context->module.name);
> > +               kfree(context->module.name);
> > +               break;
> > 
> >         }
> >         audit_log_end(ab);
> >  
> >  }
> > 
> > @@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
> > 
> >         context->type = AUDIT_MMAP;
> >  
> >  }
> > 
> > +void __audit_log_kern_module(char *name)
> > +{
> > +       struct audit_context *context = current->audit_context;
> > +
> > +       context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
> > +       strcpy(context->module.name, name);
> > +       context->type = AUDIT_KERN_MODULE;
> > +}
> > +
> > 
> >  static void audit_log_task(struct audit_buffer *ab)
> >  {
> >  
> >         kuid_t auid, uid;
> > 
> > diff --git a/kernel/module.c b/kernel/module.c
> > index 529efae..5432dbe 100644
> > --- a/kernel/module.c
> > +++ b/kernel/module.c
> > @@ -61,6 +61,7 @@
> > 
> >  #include <linux/pfn.h>
> >  #include <linux/bsearch.h>
> >  #include <linux/dynamic_debug.h>
> > 
> > +#include <linux/audit.h>
> > 
> >  #include <uapi/linux/module.h>
> >  #include "module-internal.h"
> > 
> > @@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const
> > char __user *uargs,> 
> >                 goto free_copy;
> >         
> >         }
> > 
> > +       audit_log_kern_module(mod->name);
> > +
> > 
> >         /* Reserve our place in the list. */
> >         err = add_unformed_module(mod);
> >         if (err)
> > 
> > @@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const
> > char __user *uargs,> 
> >                        mod->name, after_dashes);
> >         
> >         }
> > 
> > -       /* Link in to syfs. */
> > +       /* Link in to sysfs. */
> > 
> >         err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
> >         if (err < 0)
> >         
> >                 goto coming_cleanup;
> > 
> > --
> > 1.7.1
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit


* Re: [PATCH V2] audit: log module name on init_module
  2017-02-14 18:02   ` [PATCH V2] " Steve Grubb
@ 2017-02-14 18:11     ` Richard Guy Briggs
  2017-02-14 18:38       ` Paul Moore
  0 siblings, 1 reply; 8+ messages in thread
From: Richard Guy Briggs @ 2017-02-14 18:11 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit, Paul Moore, linux-kernel, Jessica Yu

On 2017-02-14 13:02, Steve Grubb wrote:
> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> > > 
> > > We get finit_module for free since it made most sense to hook this in to
> > > load_module().
> > > 
> > > https://github.com/linux-audit/audit-kernel/issues/7
> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-fo
> > > rmat
> > Correction for the record:
> > 
> > *
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-For
> > mat
> > 
> > [NOTE: don't resend please, I'll fix this when merging]
> 
> OK. Support was added to user space for this record. While doing this, I 
> wondered if we also get this auxiliary record when unloading a module?

I thought of that at the time, which influenced the design and wording.
It is not supported yet, but that should be easier to add.

> -Steve
> 
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > > 
> > >  include/linux/audit.h      |   12 ++++++++++++
> > >  include/uapi/linux/audit.h |    1 +
> > >  kernel/audit.h             |    3 +++
> > >  kernel/auditsc.c           |   14 ++++++++++++++
> > >  kernel/module.c            |    5 ++++-
> > >  5 files changed, 34 insertions(+), 1 deletions(-)
> > 
> > This patch looks fine to me, and due to lack of comments I'm going to
> > assume that Jessica is okay with the kernel/module.c portions of this
> > patch.  Normally this would be too close to the merge window, but this
> > patch is trivial and since it is new functionality it is unlikely to
> > cause any regressions so I'm going to merge it into audit/next now.
> > 
> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 2be99b2..aba3a26 100644
> > > --- a/include/linux/audit.h
> > > +++ b/include/linux/audit.h
> > > @@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm
> > > *bprm,> 
> > >                                   const struct cred *old);
> > >  
> > >  extern void __audit_log_capset(const struct cred *new, const struct cred
> > >  *old); extern void __audit_mmap_fd(int fd, int flags);
> > > 
> > > +extern void __audit_log_kern_module(char *name);
> > > 
> > >  static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
> > >  {
> > > 
> > > @@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
> > > 
> > >                 __audit_mmap_fd(fd, flags);
> > >  
> > >  }
> > > 
> > > +static inline void audit_log_kern_module(char *name)
> > > +{
> > > +       if (!audit_dummy_context())
> > > +               __audit_log_kern_module(name);
> > > +}
> > > +
> > > 
> > >  extern int audit_n_rules;
> > >  extern int audit_signals;
> > >  #else /* CONFIG_AUDITSYSCALL */
> > > 
> > > @@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred
> > > *new,> 
> > >  { }
> > >  static inline void audit_mmap_fd(int fd, int flags)
> > >  { }
> > > 
> > > +
> > > +static inline void audit_log_kern_module(char *name)
> > > +{
> > > +}
> > > +
> > > 
> > >  static inline void audit_ptrace(struct task_struct *t)
> > >  { }
> > >  #define audit_n_rules 0
> > > 
> > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > index 3f24110..3c02bb2 100644
> > > --- a/include/uapi/linux/audit.h
> > > +++ b/include/uapi/linux/audit.h
> > > @@ -111,6 +111,7 @@
> > > 
> > >  #define AUDIT_PROCTITLE                1327    /* Proctitle emit event */
> > >  #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature
> > >  changes */ #define AUDIT_REPLACE          1329    /* Replace auditd if
> > >  this packet unanswerd */> 
> > > +#define AUDIT_KERN_MODULE      1330    /* Kernel Module events */
> > > 
> > >  #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
> > >  #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
> > > 
> > > diff --git a/kernel/audit.h b/kernel/audit.h
> > > index 431444c..144b7eb 100644
> > > --- a/kernel/audit.h
> > > +++ b/kernel/audit.h
> > > @@ -199,6 +199,9 @@ struct audit_context {
> > > 
> > >                 struct {
> > >                 
> > >                         int                     argc;
> > >                 
> > >                 } execve;
> > > 
> > > +               struct {
> > > +                       char                    *name;
> > > +               } module;
> > > 
> > >         };
> > >         int fds[2];
> > >         struct audit_proctitle proctitle;
> > > 
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index bb5f504..bde3aac 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -1268,6 +1268,11 @@ static void show_special(struct audit_context
> > > *context, int *call_panic)> 
> > >         case AUDIT_EXECVE: {
> > >         
> > >                 audit_log_execve_info(context, &ab);
> > >                 break; }
> > > 
> > > +       case AUDIT_KERN_MODULE:
> > > +               audit_log_format(ab, "name=");
> > > +               audit_log_untrustedstring(ab, context->module.name);
> > > +               kfree(context->module.name);
> > > +               break;
> > > 
> > >         }
> > >         audit_log_end(ab);
> > >  
> > >  }
> > > 
> > > @@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
> > > 
> > >         context->type = AUDIT_MMAP;
> > >  
> > >  }
> > > 
> > > +void __audit_log_kern_module(char *name)
> > > +{
> > > +       struct audit_context *context = current->audit_context;
> > > +
> > > +       context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
> > > +       strcpy(context->module.name, name);
> > > +       context->type = AUDIT_KERN_MODULE;
> > > +}
> > > +
> > > 
> > >  static void audit_log_task(struct audit_buffer *ab)
> > >  {
> > >  
> > >         kuid_t auid, uid;
> > > 
> > > diff --git a/kernel/module.c b/kernel/module.c
> > > index 529efae..5432dbe 100644
> > > --- a/kernel/module.c
> > > +++ b/kernel/module.c
> > > @@ -61,6 +61,7 @@
> > > 
> > >  #include <linux/pfn.h>
> > >  #include <linux/bsearch.h>
> > >  #include <linux/dynamic_debug.h>
> > > 
> > > +#include <linux/audit.h>
> > > 
> > >  #include <uapi/linux/module.h>
> > >  #include "module-internal.h"
> > > 
> > > @@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const
> > > char __user *uargs,> 
> > >                 goto free_copy;
> > >         
> > >         }
> > > 
> > > +       audit_log_kern_module(mod->name);
> > > +
> > > 
> > >         /* Reserve our place in the list. */
> > >         err = add_unformed_module(mod);
> > >         if (err)
> > > 
> > > @@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const
> > > char __user *uargs,> 
> > >                        mod->name, after_dashes);
> > >         
> > >         }
> > > 
> > > -       /* Link in to syfs. */
> > > +       /* Link in to sysfs. */
> > > 
> > >         err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
> > >         if (err < 0)
> > >         
> > >                 goto coming_cleanup;
> > > 
> > > --
> > > 1.7.1
> > > 
> > > --
> > > Linux-audit mailing list
> > > Linux-audit@redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
> 
> 

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH V2] audit: log module name on init_module
  2017-02-14 18:11     ` Richard Guy Briggs
@ 2017-02-14 18:38       ` Paul Moore
  2017-02-14 18:43         ` Steve Grubb
  0 siblings, 1 reply; 8+ messages in thread
From: Paul Moore @ 2017-02-14 18:38 UTC (permalink / raw)
  To: Steve Grubb, Richard Guy Briggs; +Cc: linux-audit, linux-kernel, Jessica Yu

On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-02-14 13:02, Steve Grubb wrote:
>> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
>> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
>> > >
>> > > We get finit_module for free since it made most sense to hook this in to
>> > > load_module().
>> > >
>> > > https://github.com/linux-audit/audit-kernel/issues/7
>> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-fo
>> > > rmat
>> > Correction for the record:
>> >
>> > *
>> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-For
>> > mat
>> >
>> > [NOTE: don't resend please, I'll fix this when merging]
>>
>> OK. Support was added to user space for this record. While doing this, I
>> wondered if we also get this auxiliary record when unloading a module?
>
> I thought of that at the time, which influenced the design and wording.
> It is not supported yet, but that should be easier to add.

As a reminder, this is currently in audit/next and will be going up to
Linus next week during the merge window, if you want to change this
record in some backwards incompatible way, e.g. putting a field before
"name", you've got until the end of this week to figure that out.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH V2] audit: log module name on init_module
  2017-02-14 18:38       ` Paul Moore
@ 2017-02-14 18:43         ` Steve Grubb
  2017-02-14 19:24           ` Richard Guy Briggs
  0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2017-02-14 18:43 UTC (permalink / raw)
  To: Paul Moore; +Cc: Richard Guy Briggs, linux-audit, linux-kernel, Jessica Yu

On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-02-14 13:02, Steve Grubb wrote:
> >> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> >> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@redhat.com> 
wrote:
> >> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >> > > 
> >> > > We get finit_module for free since it made most sense to hook this in
> >> > > to
> >> > > load_module().
> >> > > 
> >> > > https://github.com/linux-audit/audit-kernel/issues/7
> >> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-reco
> >> > > rd-fo
> >> > > rmat
> >> > 
> >> > Correction for the record:
> >> > 
> >> > *
> >> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record
> >> > -For
> >> > mat
> >> > 
> >> > [NOTE: don't resend please, I'll fix this when merging]
> >> 
> >> OK. Support was added to user space for this record. While doing this, I
> >> wondered if we also get this auxiliary record when unloading a module?
> > 
> > I thought of that at the time, which influenced the design and wording.
> > It is not supported yet, but that should be easier to add.
> 
> As a reminder, this is currently in audit/next and will be going up to
> Linus next week during the merge window, if you want to change this
> record in some backwards incompatible way, e.g. putting a field before
> "name", you've got until the end of this week to figure that out.

This isn't necessary. The syscall used denotes the meaning of the action.

-Steve


* Re: [PATCH V2] audit: log module name on init_module
  2017-02-14 18:43         ` Steve Grubb
@ 2017-02-14 19:24           ` Richard Guy Briggs
  0 siblings, 0 replies; 8+ messages in thread
From: Richard Guy Briggs @ 2017-02-14 19:24 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Paul Moore, linux-audit, linux-kernel, Jessica Yu

On 2017-02-14 13:43, Steve Grubb wrote:
> On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> > On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > > On 2017-02-14 13:02, Steve Grubb wrote:
> > >> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> > >> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@redhat.com> 
> wrote:
> > >> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> > >> > > 
> > >> > > We get finit_module for free since it made most sense to hook this in
> > >> > > to
> > >> > > load_module().
> > >> > > 
> > >> > > https://github.com/linux-audit/audit-kernel/issues/7
> > >> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-reco
> > >> > > rd-fo
> > >> > > rmat
> > >> > 
> > >> > Correction for the record:
> > >> > 
> > >> > *
> > >> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record
> > >> > -For
> > >> > mat
> > >> > 
> > >> > [NOTE: don't resend please, I'll fix this when merging]
> > >> 
> > >> OK. Support was added to user space for this record. While doing this, I
> > >> wondered if we also get this auxiliary record when unloading a module?
> > > 
> > > I thought of that at the time, which influenced the design and wording.
> > > It is not supported yet, but that should be easier to add.
> > 
> > As a reminder, this is currently in audit/next and will be going up to
> > Linus next week during the merge window, if you want to change this
> > record in some backwards incompatible way, e.g. putting a field before
> > "name", you've got until the end of this week to figure that out.
> 
> This isn't necessary. The syscall used denotes the meaning of the action.

Yeah, that's why I moved away from "init" or "load" in the record name
or format and why an "op=" field wasn't added.

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

