
init_module

Intro

init_module - load a kernel module into the running Linux kernel.

Description

The init_module() system call loads a kernel module into the running Linux kernel from an ELF image held in the caller's memory: the kernel verifies the image, resolves its symbols and relocations, and calls the module's init function. Kernel modules are pieces of code that can be loaded and unloaded on demand; they extend the functionality of the kernel without a reboot. The caller needs CAP_SYS_MODULE, and on kernels that enforce module signing the image must carry a trusted signature.

This system call facilitates dynamic extension of kernel functionality, enabling device drivers, filesystems, and network protocols to be added or removed on the fly. Because the image is taken from user memory rather than from a file, the kernel never sees a path for it; finit_module() is the variant that loads from a file descriptor.

Arguments

  • module_image:void *[U] - Pointer to the binary image of the module.
  • len:unsigned long[K] - Length of the module image.
  • param_values:const char *[U] - Null-terminated string of module parameters that customize the module's behavior, in the form "param1=value1 param2=value2". An empty string passes no parameters.
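As an added example (not Tracee's code and not part of the original page), the following C program calls init_module(2) with the three arguments listed above. It goes through syscall(2) because glibc provides no init_module() wrapper, and it decodes the errno values the kernel returns. Running it against a real module built for the running kernel is a direct way to fire the sys_init_module hook when exercising a detection rule; the file name, the `hello.ko` path and the `debug=1` parameter in the usage comment are assumptions. Without CAP_SYS_MODULE the call fails with EPERM, which the program reports.

```c
/* Added example, not Tracee's code: invoke init_module(2) directly through
 * syscall(2), which is also a convenient way to fire the sys_init_module hook
 * when testing a detection rule. glibc provides no init_module() wrapper.
 * Build: cc -Wall -O2 init_module_example.c -o init_module_example
 * Run (needs CAP_SYS_MODULE): ./init_module_example ./hello.ko "debug=1" */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read a whole file into a heap buffer; returns NULL on any error. */
static void *read_file(const char *path, size_t *len_out) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    void *buf = NULL;
    long sz;
    if (fseek(f, 0, SEEK_END) == 0 && (sz = ftell(f)) > 0 && fseek(f, 0, SEEK_SET) == 0) {
        buf = malloc((size_t)sz);
        if (buf && fread(buf, 1, (size_t)sz, f) != (size_t)sz) { free(buf); buf = NULL; }
        if (buf) *len_out = (size_t)sz;
    }
    fclose(f);
    return buf;
}

/* The three documented arguments, passed straight through. Returns 0 on
 * success or the positive errno value, so callers need not juggle -1/errno. */
int load_module_image(const void *module_image, size_t len, const char *param_values) {
    long rc = syscall(SYS_init_module, module_image, (unsigned long)len,
                      param_values ? param_values : "");
    return rc == 0 ? 0 : errno;
}

/* Meaning of the errno values init_module(2) commonly returns. */
const char *explain_init_module_error(int err) {
    switch (err) {
    case 0:       return "loaded";
    case EPERM:   return "caller lacks CAP_SYS_MODULE, module loading is disabled, or seccomp denied the call";
    case ENOEXEC: return "image is not a valid module for this kernel/architecture";
    case EEXIST:  return "a module with the same name is already loaded";
    case EINVAL:  return "malformed image or invalid parameter";
    case ENOKEY:  return "module signature not trusted (signature enforcement active)";
    case EBADMSG: return "module signature malformed";
    case EFAULT:  return "module_image or param_values points outside the caller's address space";
    default:      return strerror(err);
    }
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s module.ko [\"p1=v1 p2=v2\"]\n", argv[0]); return 2; }
    size_t len = 0;
    void *image = read_file(argv[1], &len);
    if (!image) { perror(argv[1]); return 1; }
    const char *params = argc > 2 ? argv[2] : "";
    int err = load_module_image(image, len, params);
    printf("init_module(%s, %zu bytes, \"%s\"): %s\n", argv[1], len, params,
           explain_init_module_error(err));
    free(image);
    return err ? 1 : 0;
}
```

Note that the return value is what distinguishes an attempt from a successful load: the sys_init_module hook above fires on entry either way, so a rule that alerts on every event will also see the EPERM and ENOKEY failures this program prints.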

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space.
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use).
  • OPT - Optional argument - might not always be available (passed with null value).

Hooks

sys_init_module

Type

Tracepoint (through sys_enter).

Purpose

To monitor and document when the init_module() system call is employed, recording information about the module being loaded and its associated parameters.

Example Use Case

Detecting unauthorized or unexpected kernel module loads in security-critical environments. A module runs with full kernel privileges, so a load that is not on the expected list (a rootkit, an out-of-tree driver dropped in by an attacker) is a high-severity signal that warrants immediate investigation, and recording the image and parameters at this point preserves evidence that a successfully loaded rootkit may later hide.
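The sys_init_module hook hands a detector the module_image pointer and len but no file path, because init_module() takes the image from memory. As an added example (not Tracee's code and not from the original page), the C code below recovers the module's name from the ELF .modinfo section of a captured image and checks it against an allowlist; build_fake_module constructs a minimal stand-in image carrying only a .modinfo section so the parser can be exercised offline without a real .ko. The allowlist contents, the sample module names and the "suspicious: ..." verdict strings are assumptions for the example.

```c
/* Added example, not Tracee's code. init_module(2) hands the kernel only
 * [module_image, len], never a path, so a detector holding the event's bytes
 * must read the module's identity out of the ELF itself: modpost writes
 * NUL-separated "key=value" strings (name=, license=, vermagic=) into the
 * ".modinfo" section. The image is attacker-controlled; every offset is checked. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Locate a section by name in an ELF64 image held in memory. Headers are
 * memcpy'd out because nothing guarantees the captured buffer is aligned. */
static const uint8_t *find_section(const uint8_t *img, size_t len,
                                   const char *want, size_t *sec_len) {
    Elf64_Ehdr eh;
    Elf64_Shdr strtab, sh;
    if (len < sizeof eh) return NULL;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return NULL;
    if (eh.e_shentsize != sizeof sh || eh.e_shstrndx >= eh.e_shnum) return NULL;
    if (eh.e_shoff > len || (size_t)eh.e_shnum * sizeof sh > len - eh.e_shoff) return NULL;
    memcpy(&strtab, img + eh.e_shoff + (size_t)eh.e_shstrndx * sizeof sh, sizeof strtab);
    if (strtab.sh_offset > len || strtab.sh_size > len - strtab.sh_offset) return NULL;
    const uint8_t *names = img + strtab.sh_offset;
    for (size_t i = 0; i < eh.e_shnum; i++) {
        memcpy(&sh, img + eh.e_shoff + i * sizeof sh, sizeof sh);
        if (sh.sh_name >= strtab.sh_size) continue;
        const uint8_t *nm = names + sh.sh_name;
        /* a name that runs off the string table is skipped rather than strcmp'd */
        if (!memchr(nm, '\0', strtab.sh_size - sh.sh_name)) continue;
        if (strcmp((const char *)nm, want) != 0) continue;
        if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset) return NULL;
        *sec_len = sh.sh_size;
        return img + sh.sh_offset;
    }
    return NULL;
}

/* Copy the value of "key=..." from .modinfo into out. Returns 1 if found, else 0. */
int modinfo_get(const uint8_t *img, size_t len, const char *key, char *out, size_t outsz) {
    size_t mlen = 0, klen = strlen(key), pos = 0;
    const uint8_t *mi = find_section(img, len, ".modinfo", &mlen);
    if (!mi || outsz == 0) return 0;
    while (pos < mlen) {
        const uint8_t *end = memchr(mi + pos, '\0', mlen - pos);
        size_t n = end ? (size_t)(end - (mi + pos)) : mlen - pos;   /* entry length */
        if (n > klen && memcmp(mi + pos, key, klen) == 0 && mi[pos + klen] == '=') {
            size_t vlen = n - klen - 1;
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, mi + pos + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        pos += n + 1;
    }
    return 0;
}

/* Verdict for one captured init_module event. An image whose name cannot be
 * read is flagged too: a stripped or corrupt .modinfo is itself a signal. */
const char *classify_module_image(const uint8_t *img, size_t len,
                                  const char *const *allow, size_t nallow) {
    char name[64];
    if (!modinfo_get(img, len, "name", name, sizeof name))
        return "suspicious: no .modinfo name";
    for (size_t i = 0; i < nallow; i++)
        if (strcmp(name, allow[i]) == 0) return "allowed";
    return "suspicious: module not in allowlist";
}

/* Construct a minimal ELF64 image holding only .modinfo and .shstrtab: a
 * stand-in for a real .ko so the parser runs offline (it is not loadable).
 * Returns the image size, or 0 if buf is too small. */
size_t build_fake_module(uint8_t *buf, size_t bufsz, const char *modinfo, size_t milen) {
    static const char shstr[] = "\0.modinfo\0.shstrtab";  /* ".modinfo" at 1, ".shstrtab" at 10 */
    size_t mi_off = sizeof(Elf64_Ehdr), str_off = mi_off + milen;
    size_t sh_off = (str_off + sizeof shstr + 7) & ~(size_t)7;
    size_t total = sh_off + 3 * sizeof(Elf64_Shdr);
    if (total > bufsz) return 0;
    Elf64_Ehdr eh = { .e_type = ET_REL, .e_machine = EM_X86_64, .e_version = EV_CURRENT,
                      .e_shoff = sh_off, .e_ehsize = sizeof(Elf64_Ehdr),
                      .e_shentsize = sizeof(Elf64_Shdr), .e_shnum = 3, .e_shstrndx = 2 };
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    Elf64_Shdr sh[3] = { { 0 },
        { .sh_name = 1,  .sh_type = SHT_PROGBITS, .sh_offset = mi_off,  .sh_size = milen },
        { .sh_name = 10, .sh_type = SHT_STRTAB,   .sh_offset = str_off, .sh_size = sizeof shstr } };
    memset(buf, 0, total);
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + mi_off, modinfo, milen);
    memcpy(buf + str_off, shstr, sizeof shstr);
    memcpy(buf + sh_off, sh, sizeof sh);
    return total;
}
```

To try it, build an image with build_fake_module from a constructed .modinfo such as "license=GPL\0name=hidepid_rk\0vermagic=5.4.0 SMP mod_unload " and pass it to classify_module_image with the host's expected module list; the name is then not in the allowlist and the verdict is the suspicious one. A production detector would also compare the vermagic= value with the monitored kernel's release string, since a stale vermagic betrays a module built elsewhere, and would confirm the load against the kernel's module list once the syscall returns 0.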

Issues

Loading a malicious or poorly written kernel module runs attacker-controlled code at the highest privilege level and can destabilize the whole system. Only trusted, audited modules should be loaded; module signature enforcement and a tightly restricted CAP_SYS_MODULE limit who can reach this system call at all.

Two points matter when building detections on this hook. It fires on syscall entry, so it records every attempt, including ones the kernel rejects (EPERM for an unprivileged caller, ENOKEY when a signature is not trusted); check the return value before treating the module as loaded. And because init_module() takes the image from memory, the event carries no file path: the module's identity has to be read from the image itself (its .modinfo section) or correlated with the kernel's loaded-module list afterwards.

Related Events

  • delete_module() - Remove a loaded kernel module.
  • finit_module() - Load a kernel module from a file descriptor.

This document was automatically generated by OpenAI and reviewed by a Human.