From: Steve Grubb
Subject: Re: [PATCH V2] audit: log module name on init_module
Date: Tue, 14 Feb 2017 13:43:44 -0500
Message-ID: <4894541.cmgDuFZMe5@x2>
References: <20170214181124.GC21519@madcap2.tricolour.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7Bit
Sender: linux-kernel-owner@vger.kernel.org
To: Paul Moore
Cc: Richard Guy Briggs, linux-audit@redhat.com, linux-kernel@vger.kernel.org, Jessica Yu
List-Id: linux-audit@redhat.com

On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs wrote:
> > On 2017-02-14 13:02, Steve Grubb wrote:
> >> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> >> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs wrote:
> >> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >> > >
> >> > > We get finit_module for free since it made most sense to hook this in to
> >> > > load_module().
> >> > >
> >> > > https://github.com/linux-audit/audit-kernel/issues/7
> >> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format
> >> >
> >> > Correction for the record:
> >> >
> >> > * https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format
> >> >
> >> > [NOTE: don't resend please, I'll fix this when merging]
> >>
> >> OK. Support was added to user space for this record. While doing this, I
> >> wondered if we also get this auxiliary record when unloading a module?
> >
> > I thought of that at the time, which influenced the design and wording.
> > It is not supported yet, but that should be easier to add.
>
> As a reminder, this is currently in audit/next and will be going up to
> Linus next week during the merge window, if you want to change this
> record in some backwards incompatible way, e.g. putting a field before
> "name", you've got until the end of this week to figure that out.

This isn't necessary. The syscall used denotes the meaning of the action.

-Steve
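The point Steve makes above (the MODULE_INIT record only says which module; the parent SYSCALL record says whether it was init_module, finit_module, or delete_module) can be shown with a small consumer of raw audit records. The code below is an added example, not part of the thread, the audit-userspace tools or the kernel patch: it groups records by the audit event id in msg=audit(timestamp:serial), decodes the syscall number per architecture, and pairs it with the module name. The sample log lines are constructed; the exact MODULE_INIT field layout (a single name= field) is an assumption modelled on the discussion, and the x86_64 syscall numbers (init_module=175, delete_module=176, finit_module=313, arch=c000003e) are the real ones for that arch. An event whose SYSCALL record is delete_module has no MODULE_INIT record, matching Richard's remark that unload is not yet covered, so the module name comes back as None there.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers for the module syscalls.
# Other arches use different numbers, so the decode is keyed on arch.
MODULE_SYSCALLS_BY_ARCH = {
    "c000003e": {175: "init_module", 176: "delete_module", 313: "finit_module"},
}

# Constructed sample records (not from the thread). MODULE_INIT is assumed
# to carry only name=, as discussed above; it shares the event id of its
# parent SYSCALL record. Event 903 is a delete_module with no MODULE_INIT.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1487094224.123:901): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=7f0 a2=0 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=MODULE_INIT msg=audit(1487094224.123:901): name="ipv6"
type=SYSCALL msg=audit(1487094230.456:902): arch=c000003e syscall=175 success=yes exit=0 a0=7f1 a1=1000 a2=7f2 a3=0 items=0 ppid=1 pid=4243 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=MODULE_INIT msg=audit(1487094230.456:902): name="hello"
type=SYSCALL msg=audit(1487094240.789:903): arch=c000003e syscall=176 success=yes exit=0 a0=7f3 a1=800 a2=0 a3=0 items=0 ppid=1 pid=4244 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="rmmod" exe="/usr/bin/kmod" key="modules"
"""

LINE_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one raw audit line into type, event id and a field dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("rest")):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return {"type": m.group("type"),
            "event": (m.group("ts"), int(m.group("serial"))),
            "fields": fields}


def group_events(lines):
    """Collect all records sharing an audit event id (timestamp:serial)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line.strip())
        if rec:
            events[rec["event"]].append(rec)
    return events


def module_events(log_text, syscalls_by_arch=MODULE_SYSCALLS_BY_ARCH):
    """Return one summary per module-related syscall event.

    The action comes from the SYSCALL record's arch+syscall pair; the
    MODULE_INIT record only contributes the module name, and is ignored
    on its own if no parent SYSCALL record is present.
    """
    summaries = []
    for event_id, recs in sorted(group_events(log_text.splitlines()).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        modinit = next((r for r in recs if r["type"] == "MODULE_INIT"), None)
        if syscall is None:
            continue  # auxiliary record without its SYSCALL parent: meaningless alone
        table = syscalls_by_arch.get(syscall["fields"].get("arch"), {})
        try:
            action = table.get(int(syscall["fields"].get("syscall", "-1")))
        except ValueError:
            action = None
        if action is None:
            continue  # not a module syscall (or an arch we do not decode)
        summaries.append({
            "serial": event_id[1],
            "action": action,
            "module": modinit["fields"].get("name") if modinit else None,
            "comm": syscall["fields"].get("comm"),
            "success": syscall["fields"].get("success") == "yes",
        })
    return summaries


if __name__ == "__main__":
    for ev in module_events(SAMPLE_LOG):
        print(ev["serial"], ev["action"], ev["module"], ev["comm"], ev["success"])
```

Because the action is read from the SYSCALL record rather than from MODULE_INIT, adding a field in front of name= would not have changed what a consumer like this can learn; what it would need if unload support is added later is simply a MODULE_INIT record on the delete_module event as well.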