diff options
| author | Richard Guy Briggs <rgb@redhat.com> | 2017-02-04 13:10:38 -0500 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2017-02-13 16:17:13 -0500 |
| commit | ca86cad7380e373fa17bc0ee8aff121380323e69 (patch) | |
| tree | 68407211f533b1e8c30ce3ffc60206347d3811af | |
| parent | 62bc306e2083436675e33b5bdeb6a77907d35971 (diff) | |
audit: log module name on init_module
This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
We get finit_module for free since it made most sense to hook this in to
load_module().
https://github.com/linux-audit/audit-kernel/issues/7
https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Jessica Yu <jeyu@redhat.com>
[PM: corrected links in the commit description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | include/linux/audit.h | 12 | ||||
| -rw-r--r-- | include/uapi/linux/audit.h | 1 | ||||
| -rw-r--r-- | kernel/audit.h | 3 | ||||
| -rw-r--r-- | kernel/auditsc.c | 14 | ||||
| -rw-r--r-- | kernel/module.c | 5 |
5 files changed, 34 insertions, 1 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 2be99b276d29..aba3a2684300 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -360,6 +360,7 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm, | |||
| 360 | const struct cred *old); | 360 | const struct cred *old); |
| 361 | extern void __audit_log_capset(const struct cred *new, const struct cred *old); | 361 | extern void __audit_log_capset(const struct cred *new, const struct cred *old); |
| 362 | extern void __audit_mmap_fd(int fd, int flags); | 362 | extern void __audit_mmap_fd(int fd, int flags); |
| 363 | extern void __audit_log_kern_module(char *name); | ||
| 363 | 364 | ||
| 364 | static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) | 365 | static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp) |
| 365 | { | 366 | { |
| @@ -450,6 +451,12 @@ static inline void audit_mmap_fd(int fd, int flags) | |||
| 450 | __audit_mmap_fd(fd, flags); | 451 | __audit_mmap_fd(fd, flags); |
| 451 | } | 452 | } |
| 452 | 453 | ||
| 454 | static inline void audit_log_kern_module(char *name) | ||
| 455 | { | ||
| 456 | if (!audit_dummy_context()) | ||
| 457 | __audit_log_kern_module(name); | ||
| 458 | } | ||
| 459 | |||
| 453 | extern int audit_n_rules; | 460 | extern int audit_n_rules; |
| 454 | extern int audit_signals; | 461 | extern int audit_signals; |
| 455 | #else /* CONFIG_AUDITSYSCALL */ | 462 | #else /* CONFIG_AUDITSYSCALL */ |
| @@ -561,6 +568,11 @@ static inline void audit_log_capset(const struct cred *new, | |||
| 561 | { } | 568 | { } |
| 562 | static inline void audit_mmap_fd(int fd, int flags) | 569 | static inline void audit_mmap_fd(int fd, int flags) |
| 563 | { } | 570 | { } |
| 571 | |||
| 572 | static inline void audit_log_kern_module(char *name) | ||
| 573 | { | ||
| 574 | } | ||
| 575 | |||
| 564 | static inline void audit_ptrace(struct task_struct *t) | 576 | static inline void audit_ptrace(struct task_struct *t) |
| 565 | { } | 577 | { } |
| 566 | #define audit_n_rules 0 | 578 | #define audit_n_rules 0 |
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 3f24110ae63c..3c02bb2ff779 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h | |||
| @@ -111,6 +111,7 @@ | |||
| 111 | #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */ | 111 | #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */ |
| 112 | #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */ | 112 | #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */ |
| 113 | #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ | 113 | #define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ |
| 114 | #define AUDIT_KERN_MODULE 1330 /* Kernel Module events */ | ||
| 114 | 115 | ||
| 115 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | 116 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ |
| 116 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ | 117 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ |
diff --git a/kernel/audit.h b/kernel/audit.h index 431444c3708b..144b7ebd2deb 100644 --- a/kernel/audit.h +++ b/kernel/audit.h | |||
| @@ -199,6 +199,9 @@ struct audit_context { | |||
| 199 | struct { | 199 | struct { |
| 200 | int argc; | 200 | int argc; |
| 201 | } execve; | 201 | } execve; |
| 202 | struct { | ||
| 203 | char *name; | ||
| 204 | } module; | ||
| 202 | }; | 205 | }; |
| 203 | int fds[2]; | 206 | int fds[2]; |
| 204 | struct audit_proctitle proctitle; | 207 | struct audit_proctitle proctitle; |
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index bb5f504592c6..bde3aac4deed 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c | |||
| @@ -1268,6 +1268,11 @@ static void show_special(struct audit_context *context, int *call_panic) | |||
| 1268 | case AUDIT_EXECVE: { | 1268 | case AUDIT_EXECVE: { |
| 1269 | audit_log_execve_info(context, &ab); | 1269 | audit_log_execve_info(context, &ab); |
| 1270 | break; } | 1270 | break; } |
| 1271 | case AUDIT_KERN_MODULE: | ||
| 1272 | audit_log_format(ab, "name="); | ||
| 1273 | audit_log_untrustedstring(ab, context->module.name); | ||
| 1274 | kfree(context->module.name); | ||
| 1275 | break; | ||
| 1271 | } | 1276 | } |
| 1272 | audit_log_end(ab); | 1277 | audit_log_end(ab); |
| 1273 | } | 1278 | } |
| @@ -2368,6 +2373,15 @@ void __audit_mmap_fd(int fd, int flags) | |||
| 2368 | context->type = AUDIT_MMAP; | 2373 | context->type = AUDIT_MMAP; |
| 2369 | } | 2374 | } |
| 2370 | 2375 | ||
| 2376 | void __audit_log_kern_module(char *name) | ||
| 2377 | { | ||
| 2378 | struct audit_context *context = current->audit_context; | ||
| 2379 | |||
| 2380 | context->module.name = kmalloc(strlen(name) + 1, GFP_KERNEL); | ||
| 2381 | strcpy(context->module.name, name); | ||
| 2382 | context->type = AUDIT_KERN_MODULE; | ||
| 2383 | } | ||
| 2384 | |||
| 2371 | static void audit_log_task(struct audit_buffer *ab) | 2385 | static void audit_log_task(struct audit_buffer *ab) |
| 2372 | { | 2386 | { |
| 2373 | kuid_t auid, uid; | 2387 | kuid_t auid, uid; |
diff --git a/kernel/module.c b/kernel/module.c index 529efae9f481..5432dbedf8cf 100644 --- a/kernel/module.c +++ b/kernel/module.c | |||
| @@ -61,6 +61,7 @@ | |||
| 61 | #include <linux/pfn.h> | 61 | #include <linux/pfn.h> |
| 62 | #include <linux/bsearch.h> | 62 | #include <linux/bsearch.h> |
| 63 | #include <linux/dynamic_debug.h> | 63 | #include <linux/dynamic_debug.h> |
| 64 | #include <linux/audit.h> | ||
| 64 | #include <uapi/linux/module.h> | 65 | #include <uapi/linux/module.h> |
| 65 | #include "module-internal.h" | 66 | #include "module-internal.h" |
| 66 | 67 | ||
| @@ -3593,6 +3594,8 @@ static int load_module(struct load_info *info, const char __user *uargs, | |||
| 3593 | goto free_copy; | 3594 | goto free_copy; |
| 3594 | } | 3595 | } |
| 3595 | 3596 | ||
| 3597 | audit_log_kern_module(mod->name); | ||
| 3598 | |||
| 3596 | /* Reserve our place in the list. */ | 3599 | /* Reserve our place in the list. */ |
| 3597 | err = add_unformed_module(mod); | 3600 | err = add_unformed_module(mod); |
| 3598 | if (err) | 3601 | if (err) |
| @@ -3681,7 +3684,7 @@ static int load_module(struct load_info *info, const char __user *uargs, | |||
| 3681 | mod->name, after_dashes); | 3684 | mod->name, after_dashes); |
| 3682 | } | 3685 | } |
| 3683 | 3686 | ||
| 3684 | /* Link in to syfs. */ | 3687 | /* Link in to sysfs. */ |
| 3685 | err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp); | 3688 | err = mod_sysfs_setup(mod, info, mod->kp, mod->num_kp); |
| 3686 | if (err < 0) | 3689 | if (err < 0) |
| 3687 | goto coming_cleanup; | 3690 | goto coming_cleanup; |