[RFC PATCH 6/9] Loadpol LSM: emit an audit log
Simon THOBY
git at nightmared.fr
Wed May 21 14:01:10 UTC 2025
When a decision is reached, emit an audit log so that the userland may
know why the module load (eventually) failed.
Signed-off-by: Simon THOBY <git at nightmared.fr>
---
include/uapi/linux/audit.h | 1 +
security/loadpol/loadpol_policy.c | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 9a4ecc9f6dc5..592070fd3c1a 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -148,6 +148,7 @@
#define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */
#define AUDIT_LANDLOCK_ACCESS 1423 /* Landlock denial */
#define AUDIT_LANDLOCK_DOMAIN 1424 /* Landlock domain status */
+#define AUDIT_LOADPOL_ACTION 1430 /* Module load request filtered */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff --git a/security/loadpol/loadpol_policy.c b/security/loadpol/loadpol_policy.c
index 366046f00959..de2b116bc09d 100644
--- a/security/loadpol/loadpol_policy.c
+++ b/security/loadpol/loadpol_policy.c
@@ -6,6 +6,7 @@
#include <linux/sched.h>
#include <linux/sysctl.h>
#include <linux/parser.h>
+#include <linux/audit.h>
#include "loadpol.h"
@@ -257,6 +258,7 @@ int loadpol_kernel_module_load(const char *kmod)
struct task_struct *parent_task;
struct loadpol_policy_entry *entry;
struct list_head *policy_list_tmp;
+ struct audit_buffer *ab;
enum policy_entry_origin orig = ORIGIN_USERSPACE;
bool allowed = false;
@@ -293,6 +295,14 @@ int loadpol_kernel_module_load(const char *kmod)
unlock_and_exit:
rcu_read_unlock();
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOADPOL_ACTION);
+ if (!ab)
+ goto out;
+ audit_log_format(ab, "allowed=%d requested_module=%s", allowed, kmod);
+ audit_log_task_info(ab);
+ audit_log_end(ab);
+
+out:
pr_debug("Loadpol: load of module '%s' %s",
kmod,
allowed ? "allowed" : "blocked");
--
2.49.0
More information about the Linux-security-module-archive
mailing list