lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhQZJT7FLQ66mnKVhGn9CM2CATAqpf0kj43bxoCp_+zebQ@mail.gmail.com>
Date:   Mon, 13 Feb 2017 16:20:55 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     Richard Guy Briggs <rgb@...hat.com>
Cc:     linux-kernel@...r.kernel.org, linux-audit@...hat.com,
        Jessica Yu <jeyu@...hat.com>
Subject: Re: [PATCH V2] audit: log module name on init_module

On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@...hat.com> wrote:
> This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
>
> We get finit_module for free since it made most sense to hook this in to
> load_module().
>
> https://github.com/linux-audit/audit-kernel/issues/7
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format

Correction for the record:

* https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format

[NOTE: don't resend please, I'll fix this when merging]

> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> ---
>  include/linux/audit.h      |   12 ++++++++++++
>  include/uapi/linux/audit.h |    1 +
>  kernel/audit.h             |    3 +++
>  kernel/auditsc.c           |   14 ++++++++++++++
>  kernel/module.c            |    5 ++++-
>  5 files changed, 34 insertions(+), 1 deletions(-)

This patch looks fine to me, and due to lack of comments I'm going to
assume that Jessica is okay with the kernel/module.c portions of this
patch.  Normally this would be too close to the merge window, but this
patch is trivial and since it is new functionality it is unlikely to
cause any regressions so I'm going to merge it into audit/next now.

> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 2be99b2..aba3a26 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
>                                   const struct cred *old);
>  extern void __audit_log_capset(const struct cred *new, const struct cred *old);
>  extern void __audit_mmap_fd(int fd, int flags);
> +extern void __audit_log_kern_module(char *name);
>
>  static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
>  {
> @@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
>                 __audit_mmap_fd(fd, flags);
>  }
>
> +static inline void audit_log_kern_module(char *name)
> +{
> +       if (!audit_dummy_context())
> +               __audit_log_kern_module(name);
> +}
> +
>  extern int audit_n_rules;
>  extern int audit_signals;
>  #else /* CONFIG_AUDITSYSCALL */
> @@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
>  { }
>  static inline void audit_mmap_fd(int fd, int flags)
>  { }
> +
> +static inline void audit_log_kern_module(char *name)
> +{
> +}
> +
>  static inline void audit_ptrace(struct task_struct *t)
>  { }
>  #define audit_n_rules 0
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 3f24110..3c02bb2 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -111,6 +111,7 @@
>  #define AUDIT_PROCTITLE                1327    /* Proctitle emit event */
>  #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature changes */
>  #define AUDIT_REPLACE          1329    /* Replace auditd if this packet unanswerd */
> +#define AUDIT_KERN_MODULE      1330    /* Kernel Module events */
>
>  #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
>  #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
> diff --git a/kernel/audit.h b/kernel/audit.h
> index 431444c..144b7eb 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -199,6 +199,9 @@ struct audit_context {
>                 struct {
>                         int                     argc;
>                 } execve;
> +               struct {
> +                       char                    *name;
> +               } module;
>         };
>         int fds[2];
>         struct audit_proctitle proctitle;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index bb5f504..bde3aac 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1268,6 +1268,11 @@ static void show_special(struct audit_context *context, int *call_panic)
>         case AUDIT_EXECVE: {
>                 audit_log_execve_info(context, &ab);
>                 break; }
> +       case AUDIT_KERN_MODULE:
> +               audit_log_format(ab, "name=");
> +               audit_log_untrustedstring(ab, context->module.name);
> +               kfree(context->module.name);
> +               break;
>         }
>         audit_log_end(ab);
>  }
> @@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
>         context->type = AUDIT_MMAP;
>  }
>
> +void __audit_log_kern_module(char *name)
> +{
> +       struct audit_context *context = current->audit_context;
> +
> +       context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
> +       strcpy(context->module.name, name);
> +       context->type = AUDIT_KERN_MODULE;
> +}
> +
>  static void audit_log_task(struct audit_buffer *ab)
>  {
>         kuid_t auid, uid;
> diff --git a/kernel/module.c b/kernel/module.c
> index 529efae..5432dbe 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -61,6 +61,7 @@
>  #include <linux/pfn.h>
>  #include <linux/bsearch.h>
>  #include <linux/dynamic_debug.h>
> +#include <linux/audit.h>
>  #include <uapi/linux/module.h>
>  #include "module-internal.h"
>
> @@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
>                 goto free_copy;
>         }
>
> +       audit_log_kern_module(mod->name);
> +
>         /* Reserve our place in the list. */
>         err = add_unformed_module(mod);
>         if (err)
> @@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
>                        mod->name, after_dashes);
>         }
>
> -       /* Link in to syfs. */
> +       /* Link in to sysfs. */
>         err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
>         if (err < 0)
>                 goto coming_cleanup;
> --
> 1.7.1
>
> --
> Linux-audit mailing list
> Linux-audit@...hat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ