Message-ID: <20170213213327.valbpyl5dq4m5nk6@jeyu>
Date:   Mon, 13 Feb 2017 13:33:27 -0800
From:   Jessica Yu <jeyu@...hat.com>
To:     Paul Moore <paul@...l-moore.com>
Cc:     Richard Guy Briggs <rgb@...hat.com>, linux-kernel@...r.kernel.org,
        linux-audit@...hat.com
Subject: Re: audit: log module name on init_module

+++ Paul Moore [13/02/17 16:20 -0500]:
>On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@...hat.com> wrote:
>> This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
>>
>> We get finit_module for free since it made most sense to hook this in to
>> load_module().
>>
>> https://github.com/linux-audit/audit-kernel/issues/7
>> https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format
>
>Correction for the record:
>
>* https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format
>
>[NOTE: don't resend please, I'll fix this when merging]
>
>> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
>> ---
>>  include/linux/audit.h      |   12 ++++++++++++
>>  include/uapi/linux/audit.h |    1 +
>>  kernel/audit.h             |    3 +++
>>  kernel/auditsc.c           |   14 ++++++++++++++
>>  kernel/module.c            |    5 ++++-
>>  5 files changed, 34 insertions(+), 1 deletions(-)
>
>This patch looks fine to me, and due to lack of comments I'm going to
>assume that Jessica is okay with the kernel/module.c portions of this
>patch.  Normally this would be too close to the merge window, but this
>patch is trivial and since it is new functionality it is unlikely to
>cause any regressions so I'm going to merge it into audit/next now.

Hi Paul, Richard,

Apologies, I had missed this mail earlier. The module.c bits look
fine to me, so feel free to add my ACK.

Acked-by: Jessica Yu <jeyu@...hat.com>

Thanks!

Jessica

>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index 2be99b2..aba3a26 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
>>                                   const struct cred *old);
>>  extern void __audit_log_capset(const struct cred *new, const struct cred *old);
>>  extern void __audit_mmap_fd(int fd, int flags);
>> +extern void __audit_log_kern_module(char *name);
>>
>>  static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
>>  {
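Review bot: The new prototype takes `char *name` although the string is only read (the definition in kernel/auditsc.c copies it into a fresh buffer), so it should be `extern void __audit_log_kern_module(const char *name);`. The same qualifier belongs on the `audit_log_kern_module` inline wrapper in the next hunk and on its stub in the `#else` hunk below, so that callers holding a `const char *` can use the API without a cast; the only caller in this patch passes `mod->name`, a plain char array, which remains compatible. The `audit_ipc_obj` body that this hunk cuts into continues outside the hunk.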
>> @@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags)
>>                 __audit_mmap_fd(fd, flags);
>>  }
>>
>> +static inline void audit_log_kern_module(char *name)
>> +{
>> +       if (!audit_dummy_context())
>> +               __audit_log_kern_module(name);
>> +}
>> +
>>  extern int audit_n_rules;
>>  extern int audit_signals;
>>  #else /* CONFIG_AUDITSYSCALL */
>> @@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new,
>>  { }
>>  static inline void audit_mmap_fd(int fd, int flags)
>>  { }
>> +
>> +static inline void audit_log_kern_module(char *name)
>> +{
>> +}
>> +
>>  static inline void audit_ptrace(struct task_struct *t)
>>  { }
>>  #define audit_n_rules 0
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 3f24110..3c02bb2 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -111,6 +111,7 @@
>>  #define AUDIT_PROCTITLE                1327    /* Proctitle emit event */
>>  #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature changes */
>>  #define AUDIT_REPLACE          1329    /* Replace auditd if this packet unanswerd */
>> +#define AUDIT_KERN_MODULE      1330    /* Kernel Module events */
>>
>>  #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
>>  #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
>> diff --git a/kernel/audit.h b/kernel/audit.h
>> index 431444c..144b7eb 100644
>> --- a/kernel/audit.h
>> +++ b/kernel/audit.h
>> @@ -199,6 +199,9 @@ struct audit_context {
>>                 struct {
>>                         int                     argc;
>>                 } execve;
>> +               struct {
>> +                       char                    *name;
>> +               } module;
>>         };
>>         int fds[2];
>>         struct audit_proctitle proctitle;
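Review bot: `module.name` is the first heap-owned pointer placed in this union of per-syscall state, and nothing at the declaration says who allocates it or where it is released, which matters because a union member can be silently overwritten by a sibling member. A one-line ownership comment on the field would prevent a later leak or double free, e.g. `char *name; /* heap copy of the module name; freed once the record is emitted */`. `struct audit_context` itself starts outside the hunk.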
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index bb5f504..bde3aac 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -1268,6 +1268,11 @@ static void show_special(struct audit_context *context, int *call_panic)
>>         case AUDIT_EXECVE: {
>>                 audit_log_execve_info(context, &ab);
>>                 break; }
>> +       case AUDIT_KERN_MODULE:
>> +               audit_log_format(ab, "name=");
>> +               audit_log_untrustedstring(ab, context->module.name);
>> +               kfree(context->module.name);
>> +               break;
>>         }
>>         audit_log_end(ab);
>>  }
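Review bot: The new `AUDIT_KERN_MODULE` case passes `context->module.name` straight to `audit_log_untrustedstring()` with no NULL check, and after `kfree()` the pointer is left dangling in the context. Once the allocation failure in `__audit_log_kern_module()` is handled (it currently strcpy()s into an unchecked kmalloc result), a NULL name will reach this code; the case should log a placeholder for that and clear the pointer after freeing it. `show_special()` starts outside the hunk.
```c
	case AUDIT_KERN_MODULE:
		audit_log_format(ab, "name=");
		if (context->module.name)
			audit_log_untrustedstring(ab, context->module.name);
		else
			audit_log_format(ab, "(null)");
		kfree(context->module.name);
		context->module.name = NULL;
		break;
```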
>> @@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags)
>>         context->type = AUDIT_MMAP;
>>  }
>>
>> +void __audit_log_kern_module(char *name)
>> +{
>> +       struct audit_context *context = current->audit_context;
>> +
>> +       context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL);
>> +       strcpy(context->module.name, name);
>> +       context->type = AUDIT_KERN_MODULE;
>> +}
>> +
>>  static void audit_log_task(struct audit_buffer *ab)
>>  {
>>         kuid_t auid, uid;
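Review bot: `__audit_log_kern_module()` never checks the result of `kmalloc()` before `strcpy()`ing into it, so an allocation failure becomes a NULL-pointer write in the init_module/finit_module path. The hand-rolled allocate-and-copy is also what `kstrdup()` does; replacing the two lines with `context->module.name = kstrdup(name, GFP_KERNEL);` followed by `if (!context->module.name) audit_log_lost("out of memory in __audit_log_kern_module");` keeps the record type set while leaving the name NULL for `show_special()` to handle. Since the function only reads `name`, the parameter can be `const char *name` to match the header. The `audit_log_task()` definition that begins at the end of this hunk continues outside it.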
>> diff --git a/kernel/module.c b/kernel/module.c
>> index 529efae..5432dbe 100644
>> --- a/kernel/module.c
>> +++ b/kernel/module.c
>> @@ -61,6 +61,7 @@
>>  #include <linux/pfn.h>
>>  #include <linux/bsearch.h>
>>  #include <linux/dynamic_debug.h>
>> +#include <linux/audit.h>
>>  #include <uapi/linux/module.h>
>>  #include "module-internal.h"
>>
>> @@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
>>                 goto free_copy;
>>         }
>>
>> +       audit_log_kern_module(mod->name);
>> +
>>         /* Reserve our place in the list. */
>>         err = add_unformed_module(mod);
>>         if (err)
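Review bot: The `audit_log_kern_module(mod->name)` call is placed before `add_unformed_module()` and the rest of the load sequence, so a MODULE_INIT record is emitted even when `load_module()` subsequently fails, and `mod->name` at this point comes from the not-yet-accepted module image; that appears intentional (the SYSCALL record's result field distinguishes success from failure), but nothing in the code says so. A short comment above the call would make the placement deliberate for the next reader, e.g. `/* Audit the requested module name now; later failures are reflected in the SYSCALL record's result. */`. `load_module()` starts and ends outside the hunk.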
>> @@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
>>                        mod->name, after_dashes);
>>         }
>>
>> -       /* Link in to syfs. */
>> +       /* Link in to sysfs. */
>>         err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp);
>>         if (err < 0)
>>                 goto coming_cleanup;
>> --
>> 1.7.1
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@...hat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
>-- 
>paul moore
>www.paul-moore.com
