CamFlow / camflow-dev

Generates kernel patch for CamFlow Linux Provenance Capture.
http://camflow.org/
GNU General Public License v2.0

CamFlow Should Always Reflect Kernel File Loading Action #95

Closed michael-hahn closed 5 years ago

michael-hahn commented 5 years ago

Currently, the following kernel load-file activity subtypes are recorded: load_unknown, load_firmware, load_firmware_prealloc_buffer, load_module, load_kexec_image, load_kexec_initramfs, load_policy, load_certificate. However, if any other type occurred, such an action would not be recorded by CamFlow or reflected in the provenance graph. We recommend that a new relationship subtype, maybe called load_undefined, be implemented to capture unexpected cases during kernel file loading.

tfjmp commented 5 years ago

https://github.com/CamFlow/camflow-dev/commit/e84608debb699332c381b37de7c3f65ef0500b6e should have fixed the issue.

@michael-hahn please double check and close the issue if it is ok.

michael-hahn commented 5 years ago

TinkerBell shows that all possible kernel file loading actions can be captured. This enhancement also helped discover a bug in TinkerBell. Thanks @tfjmp!