Eoin Miller
10/31/2019, 10:04 PM
path and maybe some signing information to the kernel_modules table? It looks like the table currently is very similar to output from lsmod, but if we could also get some of the items from modinfo (like filename and signing info) then you could do things like JOIN hash USING (path) to get hashes of the modules to find unique ones and do hash lookups for known bad.
user@ubuntu:~$ lsmod | grep intel_rapl_perf
intel_rapl_perf 16384 0
user@ubuntu:~$ sudo modinfo intel_rapl_perf
filename: /lib/modules/4.15.0-66-generic/kernel/arch/x86/events/intel/intel-rapl-perf.ko
license: GPL
srcversion: F7ACBF921FF58C3A9F81470
...
signat: PKCS#7
signer:
sig_key:
sig_hashalgo: md4
theopolis
10/31/2019, 10:25 PM
Eoin Miller
10/31/2019, 11:36 PM
modinfo just searches /lib/modules/ for the module name in question (after replacing all _ with - and ignores the file extension)
https://git.kernel.org/pub/scm/utils/kernel/module-init-tools/module-init-tools.git/tree/modinfo.c#n187
https://git.kernel.org/pub/scm/utils/kernel/module-init-tools/module-init-tools.git/tree/modinfo.c#n140
theopolis
11/01/2019, 1:16 AM
Eoin Miller
11/01/2019, 2:28 PM
on_disk column as well?
theopolis
11/05/2019, 12:41 AM