On 2017-03-09 16:15, peter enderborg wrote: > On 03/09/2017 03:08 PM, Richard Guy Briggs wrote: > > Record the module name of a delete_module call. > > > > See: https://github.com/linux-audit/audit-kernel/issues/37 > > > > Signed-off-by: Richard Guy Briggs <[email protected]> > > --- > > kernel/module.c | 2 ++ > > 1 files changed, 2 insertions(+), 0 deletions(-) > > > > diff --git a/kernel/module.c b/kernel/module.c > > index 5432dbe..633f6da 100644 > > --- a/kernel/module.c > > +++ b/kernel/module.c > > @@ -943,6 +943,8 @@ SYSCALL_DEFINE2(delete_module, const char __user *, > > name_user, > > return -EFAULT; > > name[MODULE_NAME_LEN-1] = '\0'; > > > > + audit_log_kern_module(name); > > + > > if (mutex_lock_interruptible(&module_mutex) != 0) > > return -EINTR; > > Is it not better to have that log when we are sure that the module > will be deleted and are stopped?
We went to know what module deletion was attempted. The return code in the syscall record will tell us whether or not it succeeded and if it failed, with which error. - RGB -- Richard Guy Briggs <[email protected]> Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635
