finds.dev

// the find

brunoanc/AuditPatch-KPM

★ 92 · C · GPL-3.0 · updated Dec 2025

Replace sensitive context in audit log.

A KernelPatch Module (KPM) that hooks into the Android audit log subsystem to strip or replace sensitive context from kernel audit records before they hit userspace. Targets rooted Android devices using the KernelPatch framework, sitting alongside KernelSU/susfs. Niche enough that if you don't already know what KPM is, this isn't for you.

Single-file kernel module keeps the attack surface small and the code reviewable in one sitting. Ties directly into an upstream AOSP patch (android-review.googlesource.com/3725346) so there's a legitimate reference point for the hooking strategy. Uses a linker script (.lds) to control section layout, which is the right approach for KPM modules that need to be injected correctly.

The README is essentially blank — two external links and nothing else. No explanation of which audit fields are redacted, under what conditions, or what the security model is; you have to read the source and the linked patches yourself. 92 stars with 6 forks and a single C file suggests this is used more than it is understood, which is a red flag for a kernel-level security component. No test harness or CI beyond a build workflow, so regressions in hooking behavior are invisible until something breaks on device.
