On Mon, Sep 4, 2017 at 4:27 AM, Vegard Nossum <[email protected]> wrote:
> A few years ago, I suggested a feature dubbed "known exploit detection".
> This feature defines an interface that allows kernel developers to add
> a tripwire for somebody who tries to exploit a known security hole in
> older versions of the kernel. See [1] for an article and the original
> discussion.
>
> [1]: https://lwn.net/Articles/577432/
>
> Due to the somewhat controversial nature of this feature, I never pushed
> very hard for it to go upstream. However, regardless of whether this code
> ever makes it upstream, it would still be useful to reserve a numerical
> code for the audit message in order to ensure that private deployments
> never conflict with future upstream kernels.
>
> I hereby request the reservation of AUDIT_ANOM_PATCHED as code 1703. This
> message should be used when userspace makes a request which in previous
> (unpatched) versions of the kernel would have allowed the process to
> illicitly gain privileges (e.g. arbitrary code execution, etc.).
>
> Signed-off-by: Vegard Nossum <[email protected]>
> ---
>  include/uapi/linux/audit.h | 1 +
>  1 file changed, 1 insertion(+)
In general I'm opposed to reserving audit message IDs for kernel code that
hasn't been accepted upstream and I don't yet see a compelling reason to do
so here.

> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 0714a66f0e0c..7813efc09480 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -139,6 +139,7 @@
> #define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode
> */
> #define AUDIT_ANOM_ABEND 1701 /* Process ended abnormally */
> #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file
> links */
> +#define AUDIT_ANOM_PATCHED 1703 /* Patched security vulnerability */
> #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
> #define AUDIT_INTEGRITY_METADATA 1801 /* Metadata integrity verification
> */
> #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
> --
> 2.12.0.rc0

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
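Review bot: the comment on the new define in include/uapi/linux/audit.h, `/* Patched security vulnerability */`, does not say what the record means, and for a uapi header that comment is the only documentation a consumer gets; the commit message defines it as "userspace made a request that an unpatched kernel would have let turn into a privilege gain", so the comment should say that, e.g. `/* Attempt to exploit a fixed vulnerability */`. The hunk also reserves the number with no in-tree code that emits it and no statement of the record's fields, so audit userspace has nothing to name or parse; if the reservation is to go in on its own, the commit message should at least spell out the intended record layout.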
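As an added example that is not part of this thread or of the kernel tree: a small userspace consumer that scans raw audit records and raises an alert on the proposed ANOM_PATCHED type, the way a detection pipeline would treat the tripwire Vegard describes. The patch only reserves the number 1703, so the record body used here (pid, uid, comm, plus an "id=" field naming the fix that was tripped) is an assumption modelled on the neighbouring ANOM_* records, and the sample lines are constructed, not real audit output.

```c
/* Added example (not from the linux-audit thread or the kernel tree):
 * scan newline-separated audit records for the proposed AUDIT_ANOM_PATCHED
 * type and extract the fields of interest.  The field layout of a 1703
 * record is an ASSUMPTION: the patch reserves only the number. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_ANOM_PATCHED 1703   /* value requested in the patch */

/* Return the numeric record type from "type=NNNN ..." or, for records the
 * audit userspace has already translated, "type=ANOM_PATCHED ...".
 * Returns -1 when no usable type field is present. */
int audit_record_type(const char *line)
{
    const char *p = strstr(line, "type=");
    if (!p)
        return -1;
    p += 5;
    if (strncmp(p, "ANOM_PATCHED", 12) == 0 &&
        (p[12] == ' ' || p[12] == '\0'))
        return AUDIT_ANOM_PATCHED;
    char *end;
    long v = strtol(p, &end, 10);
    if (end == p || (*end != ' ' && *end != '\0'))
        return -1;
    return (int)v;
}

/* Copy the value of "key=" into out, stripping surrounding quotes.
 * The key must start a field (line start or after a space), so "pid"
 * does not match inside "ppid=".  Returns 1 on success, 0 if absent. */
int audit_field(const char *line, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n;
            if (*v == '"') {
                v++;
                n = strcspn(v, "\"\n");
            } else {
                n = strcspn(v, " \n");
            }
            if (n >= outsz)
                n = outsz - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Walk newline-separated records, print one alert per ANOM_PATCHED hit
 * and return the number of hits. */
int count_anom_patched(const char *records)
{
    int hits = 0;
    const char *line = records;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (audit_record_type(buf) == AUDIT_ANOM_PATCHED) {
            char pid[16] = "?", comm[64] = "?", id[64] = "?";
            audit_field(buf, "pid", pid, sizeof pid);
            audit_field(buf, "comm", comm, sizeof comm);
            audit_field(buf, "id", id, sizeof id);   /* assumed field */
            printf("ALERT: request matching fixed bug %s from pid=%s comm=%s\n",
                   id, pid, comm);
            hits++;
        }
        line = nl ? nl + 1 : line + len;
    }
    return hits;
}

/* Constructed sample records (not real audit output). */
const char *SAMPLE_RECORDS =
    "type=1300 msg=audit(1504517220.101:77): arch=c000003e syscall=59 success=yes pid=4242 comm=\"bash\"\n"
    "type=1703 msg=audit(1504517221.337:78): pid=4243 uid=1000 comm=\"a.out\" id=\"example\"\n"
    "type=1701 msg=audit(1504517222.010:79): pid=4244 uid=1000 comm=\"crashy\" sig=11\n"
    "type=ANOM_PATCHED msg=audit(1504517223.500:80): pid=4245 uid=0 comm=\"exp\" id=\"placeholder\"\n";

int main(void)
{
    int n = count_anom_patched(SAMPLE_RECORDS);
    printf("%d ANOM_PATCHED record(s)\n", n);
    return 0;
}
```

The parser accepts both the numeric form the kernel emits and the symbolic name audit userspace would print once the type is in its table; a consumer that only matched one of the two would miss records depending on where in the pipeline it reads them.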
