On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs <[email protected]> wrote:
> > On 2017-02-14 13:02, Steve Grubb wrote:
> >> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> >> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <[email protected]> wrote:
> >> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >> > >
> >> > > We get finit_module for free since it made most sense to hook this in to
> >> > > load_module().
> >> > >
> >> > > https://github.com/linux-audit/audit-kernel/issues/7
> >> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format
> >> >
> >> > Correction for the record:
> >> >
> >> > * https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format
> >> >
> >> > [NOTE: don't resend please, I'll fix this when merging]
> >>
> >> OK. Support was added to user space for this record. While doing this, I
> >> wondered if we also get this auxiliary record when unloading a module?
> >
> > I thought of that at the time, which influenced the design and wording.
> > It is not supported yet, but that should be easier to add.
>
> As a reminder, this is currently in audit/next and will be going up to
> Linus next week during the merge window, if you want to change this
> record in some backwards incompatible way, e.g. putting a field before
> "name", you've got until the end of this week to figure that out.

This isn't necessary. The syscall used denotes the meaning of the action.

-Steve

