finit_module
Eric Paris
eparis at redhat.com
Mon Apr 7 18:29:40 UTC 2014

On Mon, 2014-04-07 at 12:50 -0400, Steve Grubb wrote:
> On Monday, April 07, 2014 12:37:48 PM Eric Paris wrote:
> > On Fri, 2014-04-04 at 08:43 -0400, Steve Grubb wrote:
> > > Hello,
> > >
> > > In checking a system with newish kernel, 3.13.7, I noticed that sometimes
> > > finit_module is producing PATH records. Why?
> >
> > Because the module created all of those files while it was loading...
>
> Hmm...I don't think what we are getting is expected or useful. It would be
> nice to know what the paths are instead of NULL.

Is every single record NULL? I felt like it once upon a time had some
information.... Usually these are files in debugfs and sysfs being
created by the module load.

> It would also be highly
> desirable to get some basic information recorded about what module is getting
> loaded in an aux record.

Might be do-able to get something from the module header...
With finit_module (as opposed to init_module) we probably can get
something about the file descriptor...

> Especially since loading modules are how system tap
> and some of the kernel bug patching tools get loaded.

Not sure how reliable/useful these fields are, but we can possibly get
something...
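
An added example, not part of the original message and not code from the audit project: it groups audit records by event ID, selects the finit_module events, and counts the PATH records whose name is `(null)`, which is the situation discussed in this thread. The log lines are constructed, and the x86_64 syscall number 313 and the `name=(null)` rendering are assumptions about the system that produced the log.

```python
import re

# Constructed sample records (not taken from the thread).
# Assumptions: x86_64 (arch=c000003e, finit_module=313); unnamed PATH items print as name=(null).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1396895380.101:812): arch=c000003e syscall=313 success=yes exit=0 a0=3 pid=2291 uid=0 comm="modprobe" exe="/usr/bin/kmod" key="module-load"
type=PATH msg=audit(1396895380.101:812): item=0 name=(null) inode=14523 dev=00:07 mode=040755 nametype=CREATE
type=PATH msg=audit(1396895380.101:812): item=1 name=(null) inode=14524 dev=00:07 mode=0100444 nametype=CREATE
type=SYSCALL msg=audit(1396895381.220:813): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd pid=2300 uid=0 comm="cat" exe="/usr/bin/cat" key="etc-read"
type=PATH msg=audit(1396895381.220:813): item=0 name="/etc/hosts" inode=262 dev=fd:00 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1396895390.004:820): arch=c000003e syscall=313 success=yes exit=0 a0=3 pid=2310 uid=0 comm="insmod" exe="/usr/bin/kmod" key="module-load"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
FINIT_MODULE = {("c000003e", "313")}  # (arch, syscall) pairs treated as finit_module

def group_events(log):
    """Group records by event ID (timestamp:serial), the key shared by SYSCALL and PATH."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events.setdefault(f"{ts}:{serial}", []).append((rtype, fields))
    return events

def finit_module_summary(log):
    """For each finit_module event, report how many PATH records exist and how many are unnamed."""
    out = []
    for event_id, records in group_events(log).items():
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if not sc or (sc.get("arch"), sc.get("syscall")) not in FINIT_MODULE:
            continue
        paths = [f for t, f in records if t == "PATH"]
        unnamed = [f for f in paths if f.get("name") == "(null)"]
        out.append({"event": event_id, "comm": sc.get("comm"), "paths": len(paths),
                    "unnamed": len(unnamed), "inodes": [f.get("inode") for f in unnamed]})
    return out

if __name__ == "__main__":
    for row in finit_module_summary(SAMPLE_LOG):
        print(row)
```

The inode and dev fields are the only handle left on an unnamed PATH record, so the summary keeps the inodes for follow-up.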