
finit_module

Intro

finit_module - request the kernel to initialize or delete a kernel module

Description

The finit_module system call requests the kernel to initialize (instantiate) or delete (remove) a kernel module. Once the initialization procedure completes, the module's code is executed. If module removal is requested, all of the module's resources are freed. This call is intended to be used by privileged processes.

The param_values argument points to a block of memory containing one or more parameters, of a fixed maximum size, that are passed to the kernel module's initialization function. The flags argument controls the operation of the module. It can be a bitwise OR of zero or more of the following values:

  • O_TRACE - flag to trace module
  • O_DEBUG - debug flag
  • O_ASYNC - asynchronous initialization
  • O_EXCL - exclusive module initializing

Arguments

  • fd: int - an open file descriptor for the module file that needs to be loaded.
  • param_values: const char* - a pointer to a block of memory containing one or more parameters with a fixed limit size, to be passed to the kernel module initialization function.
  • flags: int - flags used to control the operation of the module; a bitwise OR of zero or more of the values listed above.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, read through a pointer into user-space memory)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

do_init_module

Type

kprobe

Purpose

To allow userspace to request initialization of a module.

finit_module_ret

Type

kretprobe

Purpose

To allow system-call tracing and further inspection of the outcome of the module init process.

Example Use Case

When debugging kernel modules, finit_module can be used to manually load and unload the module from userspace and allow the debugging process to continue.
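As an added illustration of the use case above (example code written for this page, not Tracee's own), a minimal user-space loader that issues the raw finit_module syscall with the fd, param_values and flags arguments described earlier and maps the kernel's error return to its likely cause. The module path and parameter string are supplied by the caller; the flag values listed on this page are not used, and flags is simply passed through unchanged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* glibc exposes no finit_module() wrapper, only the syscall number. */
static long finit_module_raw(int fd, const char *param_values, int flags)
{
    return syscall(SYS_finit_module, fd, param_values, flags);
}

/* Load the module at `path`, handing `param_values` (e.g. "debug=1 max_users=8")
 * to its init function. Returns 0 on success or -errno on failure, so the caller
 * can tell open() failures from kernel-side rejections. `flags` is passed through. */
int load_module(const char *path, const char *param_values, int flags)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    long rc = finit_module_raw(fd, param_values, flags);
    int saved = errno;          /* close() may clobber errno */
    close(fd);
    return rc == 0 ? 0 : -saved;
}

/* Map the common failures to what they mean for a module loader. */
const char *explain_module_error(int neg_errno)
{
    switch (-neg_errno) {
    case EPERM:   return "caller lacks CAP_SYS_MODULE, or module loading is disabled";
    case ENOENT:  return "module file not found";
    case ENOEXEC: return "file is not a valid ELF kernel module";
    case EEXIST:  return "a module with this name is already loaded";
    case EINVAL:  return "bad flags or parameters, or vermagic/modversion mismatch";
    default:      return strerror(-neg_errno);   /* 0 maps to "Success" */
    }
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s module.ko [params]\n", argv[0]); return 2; }
    int rc = load_module(argv[1], argc > 2 ? argv[2] : "", 0);
    printf("%s: %s\n", argv[1], explain_module_error(rc));
    return rc == 0 ? 0 : 1;
}
```

Run it as root against a real .ko to load the module; without CAP_SYS_MODULE (or under a seccomp profile that blocks the syscall) it reports EPERM, which is the same outcome the finit_module_ret hook will observe.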

Issues

Currently, finit_module cannot be linked with other syscalls, as it does not return any useful data about its outcome or the status of the module.

Related Events

  • init_module
  • delete_module

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.