From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
linux-audit@redhat.com, linux-kernel@vger.kernel.org,
Jessica Yu <jeyu@redhat.com>
Subject: Re: [PATCH V2] audit: log module name on init_module
Date: Tue, 14 Feb 2017 13:43:44 -0500 [thread overview]
Message-ID: <4894541.cmgDuFZMe5@x2> (raw)
In-Reply-To: <CAHC9VhRxn5u0Tj2E4wZEu9J9r6EnMMgE=deDdqw2FQmReAEk7Q@mail.gmail.com>
On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-02-14 13:02, Steve Grubb wrote:
> >> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> >> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@redhat.com>
wrote:
> >> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >> > >
> >> > > We get finit_module for free since it made most sense to hook this in
> >> > > to
> >> > > load_module().
> >> > >
> >> > > https://github.com/linux-audit/audit-kernel/issues/7
> >> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-reco
> >> > > rd-fo
> >> > > rmat
> >> >
> >> > Correction for the record:
> >> >
> >> > *
> >> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record
> >> > -For
> >> > mat
> >> >
> >> > [NOTE: don't resend please, I'll fix this when merging]
> >>
> >> OK. Support was added to user space for this record. While doing this, I
> >> wondered if we also get this auxiliary record when unloading a module?
> >
> > I thought of that at the time, which influenced the design and wording.
> > It is not supported yet, but that should be easier to add.
>
> As a reminder, this is currently in audit/next and will be going up to
> Linus next week during the merge window, if you want to change this
> record in some backwards incompatible way, e.g. putting a field before
> "name", you've got until the end of this week to figure that out.
This isn't necessary. The syscall used denotes the meaning of the action.
-Steve
next prev parent reply other threads:[~2017-02-14 18:43 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-04 18:10 [PATCH V2] audit: log module name on init_module Richard Guy Briggs
2017-02-13 21:20 ` Paul Moore
2017-02-13 21:33 ` Jessica Yu
2017-02-14 18:02 ` [PATCH V2] " Steve Grubb
2017-02-14 18:11 ` Richard Guy Briggs
2017-02-14 18:38 ` Paul Moore
2017-02-14 18:43 ` Steve Grubb [this message]
2017-02-14 19:24 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4894541.cmgDuFZMe5@x2 \
--to=sgrubb@redhat.com \
--cc=jeyu@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.