[RFC PATCH 6/9] Loadpol LSM: emit an audit log

Simon THOBY git at nightmared.fr
Wed May 21 14:01:10 UTC 2025


When a decision is reached, emit an audit log so that the userland may
know why the module load (eventually) failed.

Signed-off-by: Simon THOBY <git at nightmared.fr>
---
 include/uapi/linux/audit.h        |  1 +
 security/loadpol/loadpol_policy.c | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 9a4ecc9f6dc5..592070fd3c1a 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -148,6 +148,7 @@
 #define AUDIT_IPE_POLICY_LOAD	1422	/* IPE policy load */
 #define AUDIT_LANDLOCK_ACCESS	1423	/* Landlock denial */
 #define AUDIT_LANDLOCK_DOMAIN	1424	/* Landlock domain status */
+#define AUDIT_LOADPOL_ACTION	1430	/* Module load request filtered */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
diff --git a/security/loadpol/loadpol_policy.c b/security/loadpol/loadpol_policy.c
index 366046f00959..de2b116bc09d 100644
--- a/security/loadpol/loadpol_policy.c
+++ b/security/loadpol/loadpol_policy.c
@@ -6,6 +6,7 @@
 #include <linux/sched.h>
 #include <linux/sysctl.h>
 #include <linux/parser.h>
+#include <linux/audit.h>
 
 #include "loadpol.h"
 
@@ -257,6 +258,7 @@ int loadpol_kernel_module_load(const char *kmod)
 	struct task_struct *parent_task;
 	struct loadpol_policy_entry *entry;
 	struct list_head *policy_list_tmp;
+	struct audit_buffer *ab;
 	enum policy_entry_origin orig = ORIGIN_USERSPACE;
 	bool allowed = false;
 
@@ -293,6 +295,14 @@ int loadpol_kernel_module_load(const char *kmod)
 unlock_and_exit:
 	rcu_read_unlock();
 
+	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOADPOL_ACTION);
+	if (!ab)
+		goto out;
+	audit_log_format(ab, "allowed=%d requested_module=%s", allowed, kmod);
+	audit_log_task_info(ab);
+	audit_log_end(ab);
+
+out:
 	pr_debug("Loadpol: load of module '%s' %s",
 		 kmod,
 		 allowed ? "allowed" : "blocked");
-- 
2.49.0




More information about the Linux-security-module-archive mailing list