Message-ID: <6553266e-aa0e-4ca7-b83c-cf6df2764f3c@infradead.org>
Date: Wed, 29 Oct 2025 23:25:43 -0700
From: Randy Dunlap <rdunlap@...radead.org>
To: Thorsten Leemhuis <linux@...mhuis.info>, linux-kernel@...r.kernel.org
Cc: Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org
Subject: Re: [PATCH v2] kernel-chktaint: add reporting for tainted modules
On 10/29/25 6:56 AM, Thorsten Leemhuis wrote:
> On 10/29/25 05:39, Randy Dunlap wrote:
>> Check all loaded modules and report any that have their 'taint'
>> flags set along with a count of all tainted modules.
>> The tainted module output format is:
>>  * <module_name> (<taint_flags>)
>>
>> Example output:
>>
>> Kernel is "tainted" for the following reasons:
>>  * externally-built ('out-of-tree') module was loaded  (#12)
>>  * unsigned module was loaded (#13)
>> Raw taint value as int/string: 12288/'G           OE      '
>>
>> Modules tainted: 1
>>  * dump_test (OE)
> 
> Great. Now I wonder if the "1" really is needed, but whatever. I only
> mentioned that because something else came to my mind:

Agreed. Will drop that line.

> The script can be called with a positive integer as parameter to decode
> a value you retrieved from /proc/sys/kernel/tainted on another system.
> Then the module check likely should be omitted. 
> 
> [...] 
>> +echo "Raw taint value as int/string: $taint/'$out'"
>> +
>> +# report on any tainted loadable modules
>> +[ -r /sys/module/ ] && cnt=`grep [A-Z] /sys/module/*/taint | wc -l` || cnt=0
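Review bot: on the `cnt=` line the grep pattern `[A-Z]` is unquoted, so the shell may glob it against the current directory before grep sees it (a file named, say, `E` in `$PWD` would replace the pattern with that name); quote it as `grep '[A-Z]' /sys/module/*/taint`, and consider running under `LC_ALL=C` so the range is exactly the ASCII uppercase letters used for module taint flags. The count also runs when the taint value was passed on the command line, where the local module list says nothing about the system the value came from; if the check is gated on `$1`, test for an empty argument with `[ -z "$1" ]` rather than `[ $1 -eq 0 ]`, which errors on an unset `$1` in the no-argument case that should run the check.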
> 
> Maybe by replacing that line with something like this (untested;
> not even sure if the foo && bar && baz || foobar really works):
> 
> [ $1 -eq 0 ] && [ -r /sys/module/ ] && cnt=`grep [A-Z] /sys/module/*/taint | wc -l` || cnt=0  

Looks good. I'll test that and send v3. Thanks.
-- 
~Randy
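A stand-alone version of the module check discussed in this thread, added here as an example (it is neither the kernel-chktaint script nor either participant's code). It assumes a POSIX sh, a constructed fixture directory that mimics /sys/module, and the rule suggested above that the check is skipped when a taint value was supplied as an argument:

```shell
#!/bin/sh
# Added example, not the kernel's kernel-chktaint script: list loaded
# modules whose /sys/module/<name>/taint file carries any taint flag,
# in the " * <module_name> (<taint_flags>)" format from the patch.
# Module taint flags are ASCII uppercase letters, so pin the locale
# to make [A-Z] a plain ASCII range.
LC_ALL=C; export LC_ALL

# report_tainted_modules <sysfs-module-dir> <taint-argument>
# Prints one line per tainted module; prints nothing when no module is
# tainted, when the directory is unreadable, or when a taint value was
# passed on the command line (it came from another system, so the local
# module list is irrelevant).
report_tainted_modules() {
    moddir=$1
    taint_arg=$2

    [ -z "$taint_arg" ] || return 0
    [ -r "$moddir" ] || return 0

    # If the glob matches nothing, $f is the literal pattern and is skipped.
    for f in "$moddir"/*/taint; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")          # untainted modules hold only a newline
        # The pattern lives inside case, so the shell never globs it.
        case $flags in
            *[A-Z]*) name=${f%/taint}; name=${name##*/}
                     echo " * $name ($flags)" ;;
        esac
    done
}

# count_tainted_modules <sysfs-module-dir> <taint-argument>
# Same as the patch's "grep | wc -l", but built on the function above.
count_tainted_modules() {
    report_tainted_modules "$1" "$2" | wc -l | tr -d ' '
}

# Constructed fixture (hypothetical data): one tainted module (dump_test,
# flags OE), one clean module (ext4) and one directory without a taint file.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/dump_test" "$d/ext4" "$d/nvme"
    printf 'OE\n' > "$d/dump_test/taint"
    printf '\n' > "$d/ext4/taint"
    echo "$d"
}
```

Run against the real sysfs with `report_tainted_modules /sys/module "$1"` from inside a script; the fixture exists only so the output can be checked offline.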