[PATCH 2/4] audit: do not audit actions during init module

Eric Paris eparis at redhat.com
Mon May 10 18:23:07 UTC 2010


Module loading code can do anything it pleases.  We already have examples
where module loading code creates so many objects in debugfs that it
overflows the number of inodes the audit system can keep track of.  We
cannot really trust anything that happens during module loading, so do not
even try to audit it.

Signed-off-by: Eric Paris <eparis at redhat.com>
---

 kernel/module.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/kernel/module.c b/kernel/module.c
index 8ae93db..380615d 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -55,6 +55,7 @@
 #include <linux/async.h>
 #include <linux/percpu.h>
 #include <linux/kmemleak.h>
+#include <linux/audit.h>
 
 #define CREATE_TRACE_POINTS
 #include <trace/events/module.h>
@@ -2521,6 +2522,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
 {
 	struct module *mod;
 	int ret = 0;
+	struct audit_context *audit_context;
 
 	/* Must have permission */
 	if (!capable(CAP_SYS_MODULE) || modules_disabled)
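Review bot: The new local `audit_context` reuses the spelling of the type it points to, `struct audit_context`; that is legal C (tag namespace versus ordinary namespace) but it makes the later `current->audit_context = audit_context;` read like a no-op assignment on first sight. A name that says what it holds is clearer, e.g. `struct audit_context *saved_audit_ctx;`, and kernel style usually puts the pointer declaration before the initialized `int ret = 0;` rather than after it. The SYSCALL_DEFINE3 body this declaration belongs to continues well beyond this hunk.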
@@ -2530,10 +2532,18 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
 	if (mutex_lock_interruptible(&module_mutex) != 0)
 		return -EINTR;
 
+	/*
+	 * Module loading can do anything it wants and if it is violent audit
+	 * won't matter.  So just don't even bother
+	 */
+	audit_context = current->audit_context;
+	current->audit_context = NULL;
+
 	/* Do all the hard work */
 	mod = load_module(umod, len, uargs);
 	if (IS_ERR(mod)) {
 		mutex_unlock(&module_mutex);
+		current->audit_context = audit_context;
 		return PTR_ERR(mod);
 	}
 
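Review bot: The restore of `current->audit_context` is written by hand on each return path (the `IS_ERR(mod)` path here, plus two more later in the function), so any `return` added between the save and those points leaves the task with a NULL audit_context for the rest of its lifetime — every later syscall of that process silently escapes auditing, which is a worse failure mode than the inode overflow this patch is avoiding. I would route all exits through one label that does the restore, with the lock state handled per path since the visible paths unlock at different points; the success path must still return 0 rather than a positive init result. The comment should also say why the pointer is put back: as far as I can tell from audit internals (hedged, not visible here) the syscall-exit hook consumes `current->audit_context`, so restoring it before return is what keeps the init_module record itself; something like a four-line comment stating that the task's audit context is detached only for the window in which the module's own code runs, and that it is reattached on every return so the syscall record is still produced. The enclosing function starts before and ends after this hunk.
```c
	/* … unchanged: capability check and mutex_lock_interruptible() … */
	saved_audit_ctx = current->audit_context;
	current->audit_context = NULL;

	/* Do all the hard work */
	mod = load_module(umod, len, uargs);
	if (IS_ERR(mod)) {
		mutex_unlock(&module_mutex);
		ret = PTR_ERR(mod);
		goto out_restore;
	}
	/* … unchanged: module init; its failure path does its own free_module()/unlock/wake_up and then `goto out_restore`; the success path sets `ret = 0` before falling into the label … */
out_restore:
	current->audit_context = saved_audit_ctx;
	return ret;
```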
@@ -2559,6 +2569,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
 		free_module(mod);
 		mutex_unlock(&module_mutex);
 		wake_up(&module_wq);
+		current->audit_context = audit_context;
 		return ret;
 	}
 	if (ret > 0) {
@@ -2593,6 +2604,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
 	mod->init_size = 0;
 	mod->init_text_size = 0;
 	mutex_unlock(&module_mutex);
+	current->audit_context = audit_context;
 
 	return 0;
 }



