Date: Tue, 7 Mar 2017 13:04:09 -0500
From: Steven Rostedt
To: Richard Guy Briggs
Cc: Paul Moore, Linux-Audit Mailing List, LKML, Greg Kroah-Hartman, Ingo Molnar, Al Viro
Subject: Re: Hundreds of null PATH records for *init_module syscall audit logs
Message-ID: <20170307130409.40d1963c@gandalf.local.home>
In-Reply-To: <20170307173955.GC10258@madcap2.tricolour.ca>
References: <20170301031549.GT18258@madcap2.tricolour.ca> <20170301033704.GU18258@madcap2.tricolour.ca> <20170307033954.GS18258@madcap2.tricolour.ca> <20170307104139.38f5cd38@gandalf.local.home> <20170307160027.GB10258@madcap2.tricolour.ca> <20170307112056.4e27424a@gandalf.local.home> <20170307173955.GC10258@madcap2.tricolour.ca>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 7 Mar 2017 12:39:55 -0500
Richard Guy Briggs wrote:

> We normally don't expect the init_module syscall to have any PATH
> records associated with it, so when a few of them had hundreds or more
> this was surprising.

Hmm, how does the syscall get a path associated with it? Just by its
creation? That is, calling init_module(), which would load a module,
would indeed create a path. Some modules do create their own debugfs
files, which would explain why debugfs is shown too.

> If there is a way that debugfs or tracefs could be abused during an
> init_module call (or any other syscall for that matter), we want to be
> This is why simply ignoring those PATH records is making
> two of us nervous.

If there's a bug in the kernel code, then I'm sure there's probably a
way to abuse it. I also don't believe it should be ignored, which is
why I'm asking these questions. I want to know what exactly is being
looked at, and what is considered "OK" and what isn't.

Now loading modules can indeed create files and directories. Is this
something that the audit system needs to understand?

-- Steve
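The thread is about init_module/finit_module events that unexpectedly carry many PATH records with name=(null). The script below is an added example (not code from the thread, the audit userspace or the kernel) showing how a reviewer would correlate PATH records with the SYSCALL record of the same audit event and flag module loads that carry any PATH records at all. It parses the standard audit record layout (type=... msg=audit(TIME:SERIAL): key=value ...); the log lines are constructed for the example, and the syscall numbers 175 (init_module), 313 (finit_module) and 257 (openat) are the x86_64 values, so the check is limited to arch=c000003e.

```python
"""Correlate audit PATH records with the SYSCALL record of the same event.

Added example, not code from the thread or from the kernel audit subsystem.
Records are grouped by the event id inside msg=audit(TIME:SERIAL); for every
event whose SYSCALL is init_module or finit_module the number of PATH records
and the number of them with name=(null) is reported.
"""
import re
from collections import defaultdict

# x86_64 syscall numbers (arch=c000003e). Other architectures use different
# numbers, so events from other arches are skipped rather than misclassified.
MODULE_SYSCALLS = {175: "init_module", 313: "finit_module"}
X86_64_ARCH = "c000003e"

MSG_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one finit_module with three (null) PATH records, one
# init_module with none, and an unrelated openat with a normal PATH record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1488858409.123:4001): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=7f0 a2=0 a3=0 items=3 ppid=1 pid=2001 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=PATH msg=audit(1488858409.123:4001): item=0 name=(null) inode=1 dev=00:0b mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1488858409.123:4001): item=1 name=(null) inode=2 dev=00:0b mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1488858409.123:4001): item=2 name=(null) inode=3 dev=00:0b mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1488858410.555:4002): arch=c000003e syscall=175 success=yes exit=0 a0=1 a1=1000 a2=2 a3=0 items=0 ppid=1 pid=2002 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=SYSCALL msg=audit(1488858411.000:4003): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 ppid=1 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1488858411.000:4003): item=0 name="/etc/hostname" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def parse_record(line):
    """Split one audit line into its type, event id and key=value fields."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    event_id = "%s:%s" % (m.group("ts"), m.group("serial"))
    return {"type": m.group("type"), "event": event_id, "fields": fields}


def group_events(lines):
    """Group records by event id; all records of one syscall share the same id."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["event"]].append(rec)
    return events


def summarize_module_loads(lines):
    """Return {event_id: {syscall, comm, paths, null_paths}} for module loads only."""
    out = {}
    for event, recs in group_events(lines).items():
        syscalls = [r for r in recs if r["type"] == "SYSCALL"]
        if not syscalls:
            continue
        sc = syscalls[0]["fields"]
        if sc.get("arch") != X86_64_ARCH:
            continue  # syscall numbers below are x86_64 only
        nr = int(sc.get("syscall", -1))
        if nr not in MODULE_SYSCALLS:
            continue
        paths = [r["fields"] for r in recs if r["type"] == "PATH"]
        out[event] = {
            "syscall": MODULE_SYSCALLS[nr],
            "comm": sc.get("comm"),
            "paths": len(paths),
            "null_paths": sum(1 for p in paths if p.get("name") == "(null)"),
        }
    return out


def flag_unexpected(summary, max_paths=0):
    """Module loads are expected to carry no PATH records; list those that do."""
    return sorted(e for e, v in summary.items() if v["paths"] > max_paths)


if __name__ == "__main__":
    summary = summarize_module_loads(SAMPLE_LOG.splitlines())
    for event in flag_unexpected(summary):
        v = summary[event]
        print("%s %s by %s: %d PATH records, %d with name=(null)"
              % (event, v["syscall"], v["comm"], v["paths"], v["null_paths"]))
```

Grouping by the full TIME:SERIAL id rather than the serial alone matters on long-running systems, where the serial can wrap; the threshold of zero PATH records encodes exactly the expectation stated in the thread, so any hit is a case worth looking at rather than ignoring.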