Re: [PATCH v2] kernel-chktaint: add reporting for tainted modules

From: Thorsten Leemhuis

Date: Wed Oct 29 2025 - 09:56:44 EST


On 10/29/25 05:39, Randy Dunlap wrote:
> Check all loaded modules and report any that have their 'taint'
> flags set along with a count of all tainted modules.
> The tainted module output format is:
> * <module_name> (<taint_flags>)
>
> Example output:
>
> Kernel is "tainted" for the following reasons:
> * externally-built ('out-of-tree') module was loaded (#12)
> * unsigned module was loaded (#13)
> Raw taint value as int/string: 12288/'G OE '
>
> Modules tainted: 1
> * dump_test (OE)

Great. Now I wonder if the "1" really is needed, but whatever. I only
mentioned that because something else came to my mind:

The script can be called with a positive integer as parameter to decode
a value you retrieved from /proc/sys/kernel/tainted on another system.
Then the module check likely should be omitted.

[...]
> +echo "Raw taint value as int/string: $taint/'$out'"
> +
> +# report on any tainted loadable modules
> +[ -r /sys/module/ ] && cnt=`grep [A-Z] /sys/module/*/taint | wc -l` || cnt=0

Maybe by replacing that line with something like this (untested;
not even sure if the foo && bar && baz || foobar really works):

[ $1 -eq 0 ] && [ -r /sys/module/ ] && cnt=`grep [A-Z] /sys/module/*/taint | wc -l` || cnt=0
> +if [ $cnt -ne 0 ]; then
> + echo
> + echo "Modules tainted: $cnt"
> + for dir in `ls /sys/module` ; do
> + if [ -r /sys/module/$dir/taint ]; then
> + modtnt=`cat /sys/module/$dir/taint`
> + [ "$modtnt" = "" ] || echo " * $dir ($modtnt)"
> + fi
> + done
> +fi
> +
> +echo
> echo "For a more detailed explanation of the various taint flags see"
> echo " Documentation/admin-guide/tainted-kernels.rst in the Linux kernel sources"
> echo " or https://kernel.org/doc/html/latest/admin-guide/tainted-kernels.html";
> -echo "Raw taint value as int/string: $taint/'$out'"
> #EOF#
>
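Review bot: The grep pattern [A-Z] in the cnt= line is unquoted, so the shell may expand it as a glob against the current directory (a file named A, for instance) before grep ever sees it; write it as grep '[A-Z]'. The count and the list are also produced by two separate passes over sysfs: grep computes $cnt, then the for loop re-reads every taint file through `ls /sys/module` with an unquoted $dir. Looping once with "for f in /sys/module/*/taint", printing each non-empty entry and incrementing a counter, would give both from the same reads and avoid parsing ls output. As raised in the reply above, the block also runs when the script is decoding a taint value passed as a parameter from another system, where the local modules say nothing about that value, so it should be skipped in that case.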