Would it be a good idea to add

path

and maybe some signing information to the

kernel_modules

table? It looks like table currently is very similar to output from

lsmod

, but if we could also get some of the items from

modinfo

(like filename and signing info) then you could do things like

JOIN hash USING (path)

to get hashes of the modules to find unique ones and do hash lookups for known bad.

user@ubuntu:~$ lsmod | grep intel_rapl_perf
intel_rapl_perf        16384  0

user@ubuntu:~$ sudo modinfo intel_rapl_perf
filename:       /lib/modules/4.15.0-66-generic/kernel/arch/x86/events/intel/intel-rapl-perf.ko
license:        GPL
srcversion:     F7ACBF921FF58C3A9F81470
...
signat:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   md4

I think yes, iirc it was difficult to get this information from the APIs available.

It looks like

modinfo

just searches

/lib/modules/

for the module name in question (after replacing all

_

with

-

and ignores the file extension) https://git.kernel.org/pub/scm/utils/kernel/module-init-tools/module-init-tools.git/tree/modinfo.c#n187 https://git.kernel.org/pub/scm/utils/kernel/module-init-tools/module-init-tools.git/tree/modinfo.c#n140

How “correct” and “perfect” is that approach. Seems prone to error if at runtime I delete/modify one of those files.

I think that could that be said about hashing any file on disk? I would think that attackers would want the module they dropped to stay there for persistence.

You could hack this together with a query, right? Knowing the kernel version and the common path structure?