| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2743964.lGaqSPkdTl@x2>
Date: Fri, 07 Mar 2025 14:41:48 -0500
From: Steve Grubb <sgrubb@...hat.com>
To: Paul Moore <paul@...l-moore.com>, Richard Guy Briggs <rgb@...hat.com>
Cc: Linux-Audit Mailing List <linux-audit@...ts.linux-audit.osci.io>,
LKML <linux-kernel@...r.kernel.org>, linux-modules@...r.kernel.org,
Linux Kernel Audit Mailing List <audit@...r.kernel.org>,
Eric Paris <eparis@...isplace.org>
Subject:
Re: [PATCH v1] audit,module: restore audit logging in load failure case
On Thursday, March 6, 2025 4:41:40 PM Eastern Standard Time Richard Guy
Briggs wrote:
> On 2024-10-24 16:41, Paul Moore wrote:
> > On Oct 23, 2024 Richard Guy Briggs <rgb@...hat.com> wrote:
> > > The move of the module sanity check to earlier skipped the audit
> > > logging
> > > call in the case of failure and to a place where the previously used
> > > context is unavailable.
> > >
> > > Add an audit logging call for the module loading failure case and get
> > > the module name when possible.
> > >
> > > Link: https://issues.redhat.com/browse/RHEL-52839
> > > Fixes: 02da2cbab452 ("module: move check_modinfo() early to
> > > early_mod_check()") Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> > > ---
> > >
> > > kernel/module/main.c | 4 +++-
> > > 1 file changed, 3 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/kernel/module/main.c b/kernel/module/main.c
> > > index 49b9bca9de12..1f482532ef66 100644
> > > --- a/kernel/module/main.c
> > > +++ b/kernel/module/main.c
> > > @@ -3057,8 +3057,10 @@ static int load_module(struct load_info *info,
> > > const char __user *uargs,> >
> > > * failures once the proper module was allocated and
> > > * before that.
> > > */
> > >
> > > - if (!module_allocated)
> > > + if (!module_allocated) {
> > > + audit_log_kern_module(info->name ? info->name :
"(unavailable)");
> > >
> > > mod_stat_bump_becoming(info, flags);
> > >
> > > + }
> >
> > We probably should move the existing audit_log_kern_module() to just
> > after the elf_validity_cache_copy() call as both info->name and
> > info->mod->name should be as valid as they are going to get at that
> > point. If we do that then we only have two cases we need to worry about,
> > a failed module_sig_check() or a failed elf_validity_cache_copy(), and
> > in both cases we can use "(unavailable)" without having to check
> > info->name first.
>
> Fair enough.
>
> > However, assuming we move the audit_log_kern_module() call up a bit as
> > described above, I'm not sure there is much value in calling
> > audit_log_kern_module() with an "(unavailable)" module name in those
> > early two cases. We know it's an attempted module load based on the
> > SYSCALL record, seeing an associated "(unavailable)" KERN_MODULE record
> > doesn't provide us with any more information than if we had simply
> > skipped the KERN_MODULE record.
>
> Understood. I wonder if the absence of the record in the error case
> will leave us guessing if we lost a record from the event? We will have
> the error code from the SYSCALL record but not much more than that, and
> some of those error codes could just as well be generated after that
> point too. This would be a similar situation to the vanishing fields in
> an existing record, but is likely easier to mitigate than a
> non-last-field vanishing or shifting around in an existing record.
>
> Steve? Atilla? Any comments?
We should only get the events if we have syscall rules that would result in
kernel module loading/unloading events. I suppose that by the time audit
loads it's rules, many modules have already loaded. So, I don't think we need
to worry about early cases. But when we do get a kernel module load/unload
event based on the rules, we need it's name - even in failures. We need to be
able to determine what was attempted since this could affect system
integrity.
-Steve
> > Untested, but this is what I'm talking about:
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 0050ef288ab3..eaa10e3c7eca 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -417,7 +417,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm
> > *bprm,>
> > extern void __audit_log_capset(const struct cred *new, const struct cred
> > *old); extern void __audit_mmap_fd(int fd, int flags);
> > extern void __audit_openat2_how(struct open_how *how);
> >
> > -extern void __audit_log_kern_module(char *name);
> > +extern void __audit_log_kern_module(const char *name);
> >
> > extern void __audit_fanotify(u32 response, struct
> > fanotify_response_info_audit_rule *friar); extern void
> > __audit_tk_injoffset(struct timespec64 offset);
> > extern void __audit_ntp_log(const struct audit_ntp_data *ad);
> >
> > @@ -519,7 +519,7 @@ static inline void audit_openat2_how(struct open_how
> > *how)>
> > __audit_openat2_how(how);
> >
> > }
> >
> > -static inline void audit_log_kern_module(char *name)
> > +static inline void audit_log_kern_module(const char *name)
> >
> > {
> >
> > if (!audit_dummy_context())
> >
> > __audit_log_kern_module(name);
> >
> > @@ -677,7 +677,7 @@ static inline void audit_mmap_fd(int fd, int flags)
> >
> > static inline void audit_openat2_how(struct open_how *how)
> > { }
> >
> > -static inline void audit_log_kern_module(char *name)
> > +static inline void audit_log_kern_module(const char *name)
> >
> > {
> > }
> >
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index a60d2840559e..5156ecd35457 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -199,7 +199,7 @@ struct audit_context {
> >
> > int argc;
> >
> > } execve;
> > struct {
> >
> > - char *name;
> > + const char *name;
> >
> > } module;
> > struct {
> >
> > struct audit_ntp_data ntp_data;
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 0627e74585ce..f79eb3a5a789 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2870,7 +2870,7 @@ void __audit_openat2_how(struct open_how *how)
> >
> > context->type = AUDIT_OPENAT2;
> >
> > }
> >
> > -void __audit_log_kern_module(char *name)
> > +void __audit_log_kern_module(const char *name)
> >
> > {
> >
> > struct audit_context *context = audit_context();
> >
> > diff --git a/kernel/module/main.c b/kernel/module/main.c
> > index 49b9bca9de12..3acb65073c53 100644
> > --- a/kernel/module/main.c
> > +++ b/kernel/module/main.c
> > @@ -2884,6 +2884,8 @@ static int load_module(struct load_info *info,
> > const char __user *uargs,>
> > if (err)
> >
> > goto free_copy;
> >
> > + audit_log_kern_module(info->name);
> > +
> >
> > err = early_mod_check(info, flags);
> > if (err)
> >
> > goto free_copy;
> >
> > @@ -2897,8 +2899,6 @@ static int load_module(struct load_info *info,
> > const char __user *uargs,>
> > module_allocated = true;
> >
> > - audit_log_kern_module(mod->name);
> > -
> >
> > /* Reserve our place in the list. */
> > err = add_unformed_module(mod);
> > if (err)
> >
> > --
> > paul-moore.com
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@...hat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> Upstream IRC: SunRaycer
> Voice: +1.613.860 2354 SMS: +1.613.518.6570
Powered by blists - more mailing lists