From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752721AbdBNSns (ORCPT <rfc822;w@1wt.eu>);
        Tue, 14 Feb 2017 13:43:48 -0500
Received: from mx1.redhat.com ([209.132.183.28]:36860 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752397AbdBNSnl (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Feb 2017 13:43:41 -0500
From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com,
        linux-kernel@vger.kernel.org, Jessica Yu <jeyu@redhat.com>
Subject: Re: [PATCH V2] audit: log module name on init_module
Date: Tue, 14 Feb 2017 13:43:44 -0500
Message-ID: <4894541.cmgDuFZMe5@x2>
Organization: Red Hat
User-Agent: KMail/5.3.3 (Linux/4.9.9-100.fc24.x86_64; KDE/5.29.0; x86_64; ; )
In-Reply-To: <CAHC9VhRxn5u0Tj2E4wZEu9J9r6EnMMgE=deDdqw2FQmReAEk7Q@mail.gmail.com>
References: <bcc1867e105b1ef0d92778c7bd718c46353e4cad.1486230328.git.rgb@redhat.com> <20170214181124.GC21519@madcap2.tricolour.ca> <CAHC9VhRxn5u0Tj2E4wZEu9J9r6EnMMgE=deDdqw2FQmReAEk7Q@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Tue, 14 Feb 2017 18:43:41 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-02-14 13:02, Steve Grubb wrote:
> >> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> >> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <rgb@redhat.com> 
wrote:
> >> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> >> > > 
> >> > > We get finit_module for free since it made most sense to hook this in
> >> > > to
> >> > > load_module().
> >> > > 
> >> > > https://github.com/linux-audit/audit-kernel/issues/7
> >> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-reco
> >> > > rd-fo
> >> > > rmat
> >> > 
> >> > Correction for the record:
> >> > 
> >> > *
> >> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record
> >> > -For
> >> > mat
> >> > 
> >> > [NOTE: don't resend please, I'll fix this when merging]
> >> 
> >> OK. Support was added to user space for this record. While doing this, I
> >> wondered if we also get this auxiliary record when unloading a module?
> > 
> > I thought of that at the time, which influenced the design and wording.
> > It is not supported yet, but that should be easier to add.
> 
> As a reminder, this is currently in audit/next and will be going up to
> Linus next week during the merge window, if you want to change this
> record in some backwards incompatible way, e.g. putting a field before
> "name", you've got until the end of this week to figure that out.

This isn't necessary. The syscall used denotes the meaning of the action.

-Steve