Module loading code can do anything it damn well pleases. At the moment we have examples where module loading code is creating lots of objects in debugfs and this is overflowing the number of inodes the audit system can keep track of. We can't really trust ANYTHING that happens during module loading so we might as well just not even try.
Signed-off-by: Eric Paris <[email protected]> --- kernel/module.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index 8ae93db..380615d 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -55,6 +55,7 @@
 #include <linux/async.h>
 #include <linux/percpu.h>
 #include <linux/kmemleak.h>
+#include <linux/audit.h>
 
 #define CREATE_TRACE_POINTS
 #include <trace/events/module.h>
@@ -2521,6 +2522,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
 {
 struct module *mod;
 int ret = 0;
+struct audit_context *audit_context;
 
 /* Must have permission */
 if (!capable(CAP_SYS_MODULE) || modules_disabled)
@@ -2530,10 +2532,18 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
 if (mutex_lock_interruptible(&module_mutex) != 0)
 return -EINTR;
 
+/*
+ * Module loading can do anything it wants and if it is violent audit
+ * won't matter. So just don't even bother
+ */
+audit_context = current->audit_context;
+current->audit_context = NULL;
+
 /* Do all the hard work */
 mod = load_module(umod, len, uargs);
 if (IS_ERR(mod)) {
 mutex_unlock(&module_mutex);
+current->audit_context = audit_context;
 return PTR_ERR(mod);
 }
 
@@ -2559,6 +2569,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
 free_module(mod);
 mutex_unlock(&module_mutex);
 wake_up(&module_wq);
+current->audit_context = audit_context;
 return ret;
 }
 if (ret > 0) {
@@ -2593,6 +2604,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
 mod->init_size = 0;
 mod->init_text_size = 0;
 mutex_unlock(&module_mutex);
+current->audit_context = audit_context;
 
 return 0;
 }
-- 
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
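Review bot: Parking the task's audit_context in a local (hunk at -2530) makes the task look unaudited to everything that consults current->audit_context for the whole of load_module() and the module's init, so the restore has to sit on every exit; the patch adds it by hand at four return sites, and any future early return in init_module (the function begins and ends outside these hunks) would silently carry the suppression into the syscall-exit record. Funnelling the returns through one label, e.g. `out: current->audit_context = audit_context; return ret;`, keeps that invariant in a single place. If the loading task dies before a restore runs (a fatal fault inside the module's init, say), do_exit()'s audit_free() presumably sees a NULL context, so the saved one is neither released nor reported — worth confirming against audit_free() in kernel/auditsc.c. Nothing in these hunks references a symbol from linux/audit.h, so the include added at -55 looks unneeded unless it is there for the struct audit_context declaration.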
