| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170309161845.GN3818@madcap2.tricolour.ca>
Date: Thu, 9 Mar 2017 11:18:45 -0500
From: Richard Guy Briggs <rgb@...hat.com>
To: peter enderborg <peter.enderborg@...ymobile.com>
Cc: linux-kernel@...r.kernel.org, linux-audit@...hat.com,
Jessica Yu <jeyu@...hat.com>
Subject: Re: [PATCH] audit: log module name on delete_module
On 2017-03-09 16:15, peter enderborg wrote:
> On 03/09/2017 03:08 PM, Richard Guy Briggs wrote:
> > Record the module name of a delete_module call.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/37
> >
> > Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> > ---
> > kernel/module.c | 2 ++
> > 1 files changed, 2 insertions(+), 0 deletions(-)
> >
> > diff --git a/kernel/module.c b/kernel/module.c
> > index 5432dbe..633f6da 100644
> > --- a/kernel/module.c
> > +++ b/kernel/module.c
> > @@ -943,6 +943,8 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
> > return -EFAULT;
> > name[MODULE_NAME_LEN-1] = '\0';
> >
> > + audit_log_kern_module(name);
> > +
> > if (mutex_lock_interruptible(&module_mutex) != 0)
> > return -EINTR;
>
> Is it not better to have that log when we are sure that the module
> will be deleted and are stopped?
We went to know what module deletion was attempted. The return code in
the syscall record will tell us whether or not it succeeded and if it
failed, with which error.
- RGB
--
Richard Guy Briggs <rgb@...hat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
Powered by blists - more mailing lists