Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp7879415ybl;
        Thu, 16 Jan 2020 07:07:22 -0800 (PST)
X-Google-Smtp-Source: APXvYqxZZfDc/ibZPWzuXc0ostoYlLHAN8SZgCbXhNkKgPICC7XmzV6HYiSGWpFbL6yu9dqTPIxg
X-Received: by 2002:aca:5588:: with SMTP id j130mr4307062oib.122.1579187242035;
        Thu, 16 Jan 2020 07:07:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1579187242; cv=none;
        d=google.com; s=arc-20160816;
        b=b8vyMywU8d1OZE6QZ13/++ZsAm3+XmPsKZa7O20LQbbaItLsy//7XyPRYKtKzdea57
         kepLlVmMJexVOg7D+/2KSXNs9gp9XX9YlyNTx3oQdtROpkPnq1MLjZSWjaycT/6znIwH
         EArRjBv3Pv7lM8Q9lvw260lHj2b3aKxGpDqVsRSwsokhIw66zG7Mqhm2M2kCbysnlbv3
         sG8g93mMxBETW9W688ER/RVl1K6n4Mxe01K1zEDYtB3qSaluSwJColpztReU9XuQ5+yv
         xwFqCz1c7GIRKf6724gPqJZzM/Hq/RJ6oV4/ieEYz2cgl18RI/m8dAopT1tJE8ZASRRQ
         2M6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=T+/Iq423DIBPsZthRm2VxRnp6PAaMOuSkiYvKcDcAz0=;
        b=kRKm1uz2Ufab2HiXgbEz/IVnSKNQNlbGWq/R3HSUMwEkNL54W+E9mKpigPwrIHjyrX
         zBY+Mcnb/Z4ZsPVimF4/OgkfkzVvndny2phATo9p9C5+LdMxbNZFYo89n0zRtc1iLZ4x
         ZYovc1po+FJO4iOOlBS40eNuDvMTpqeOHAqotbuM4UXQ9xbvNcEbKKbiIqN1zm1WtAHV
         2XCo2OvH8G6wgFJNSUal/ByBDcIZv6SecMcWFkSBJle5wMoeGPw32TiJDdNrjlcfvGXN
         bZk44sZSQbiLCmSdVloVeJwnzy2RlGm0arAnj0JjvT9hbQdFoLDln+J1NWOThylcn1LL
         IRTg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w11si11495795oic.62.2020.01.16.07.06.59;
        Thu, 16 Jan 2020 07:07:22 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726587AbgAPPFX (ORCPT <rfc822;luigi.mantellini.ml@gmail.com>
        + 99 others); Thu, 16 Jan 2020 10:05:23 -0500
Received: from correo.us.es ([193.147.175.20]:32970 "EHLO mail.us.es"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726189AbgAPPFX (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 16 Jan 2020 10:05:23 -0500
Received: from antivirus1-rhel7.int (unknown [192.168.2.11])
        by mail.us.es (Postfix) with ESMTP id A2723508CDF
        for <linux-kernel@vger.kernel.org>; Thu, 16 Jan 2020 16:05:21 +0100 (CET)
Received: from antivirus1-rhel7.int (localhost [127.0.0.1])
        by antivirus1-rhel7.int (Postfix) with ESMTP id 93A32DA738
        for <linux-kernel@vger.kernel.org>; Thu, 16 Jan 2020 16:05:21 +0100 (CET)
Received: by antivirus1-rhel7.int (Postfix, from userid 99)
        id 88A74DA791; Thu, 16 Jan 2020 16:05:21 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on antivirus1-rhel7.int
X-Spam-Level: 
X-Spam-Status: No, score=-108.2 required=7.5 tests=ALL_TRUSTED,BAYES_50,
        SMTPAUTH_US2,USER_IN_WHITELIST autolearn=disabled version=3.4.1
Received: from antivirus1-rhel7.int (localhost [127.0.0.1])
        by antivirus1-rhel7.int (Postfix) with ESMTP id 0FDC6DA712;
        Thu, 16 Jan 2020 16:05:19 +0100 (CET)
Received: from 192.168.1.97 (192.168.1.97)
 by antivirus1-rhel7.int (F-Secure/fsigk_smtp/550/antivirus1-rhel7.int);
 Thu, 16 Jan 2020 16:05:19 +0100 (CET)
X-Virus-Status: clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int)
Received: from us.es (unknown [90.77.255.23])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        (Authenticated sender: 1984lsi)
        by entrada.int (Postfix) with ESMTPSA id DADC342EF9E1;
        Thu, 16 Jan 2020 16:05:18 +0100 (CET)
Date:   Thu, 16 Jan 2020 16:05:18 +0100
X-SMTPAUTHUS: auth mail.us.es
From:   Pablo Neira Ayuso <pablo@netfilter.org>
To:     Richard Guy Briggs <rgb@redhat.com>
Cc:     Linux-Audit Mailing List <linux-audit@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        netfilter-devel@vger.kernel.org, Paul Moore <paul@paul-moore.com>,
        sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de,
        twoerner@redhat.com, eparis@parisplace.org, ebiederm@xmission.com,
        tgraf@infradead.org
Subject: Re: [PATCH ghak25 v2 0/9] Address NETFILTER_CFG issues
Message-ID: <20200116150518.gfmzixoqagmk77rw@salvia>
References: <cover.1577830902.git.rgb@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <cover.1577830902.git.rgb@redhat.com>
User-Agent: NeoMutt/20170113 (1.7.2)
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 06, 2020 at 01:54:01PM -0500, Richard Guy Briggs wrote:
> There were questions about the presence and cause of unsolicited syscall events
> in the logs containing NETFILTER_CFG records and sometimes unaccompanied
> NETFILTER_CFG records.
> 
> During testing at least the following list of events trigger NETFILTER_CFG
> records and the syscalls related (There may be more events that will trigger
> this message type.):
> 	init_module, finit_module: modprobe
> 	setsockopt: iptables-restore, ip6tables-restore, ebtables-restore
> 	unshare: (h?)ostnamed
> 	clone: libvirtd
> 
> The syscall events unsolicited by any audit rule were found to be caused by a
> missing !audit_dummy_context() check before creating a NETFILTER_CFG
> record and issuing the record immediately rather than saving the
> information to create the record at syscall exit.
> Check !audit_dummy_context() before creating the NETFILTER_CFG record.
> 
> The vast majority of unaccompanied records are caused by the fedora default
> rule: "-a never,task" and the occasional early startup one is I believe caused
> by the iptables filter table module hard linked into the kernel rather than a
> loadable module. The !audit_dummy_context() check above should avoid them.
> 
> A couple of other factors should help eliminate unaccompanied records
> which include commit cb74ed278f80 ("audit: always enable syscall
> auditing when supported and audit is enabled") which makes sure that
> when audit is enabled, so automatically is syscall auditing, and ghak66
> which addressed initializing audit before PID 1.
> 
> Ebtables module initialization to register tables doesn't generate records
> because it was never hooked in to audit.  Recommend adding audit hooks to log
> this.
> 
> Table unregistration was never logged, which is now covered.
> 
> Seemingly duplicate records are not actually exact duplicates that are caused
> by netfilter table initialization in different network namespaces from the same
> syscall.  Recommend adding the network namespace ID (proc inode and dev)
> to the record to make this obvious (address later with ghak79 after nsid
> patches).
> 
> See: https://github.com/linux-audit/audit-kernel/issues/25
> See: https://github.com/linux-audit/audit-kernel/issues/35
> See: https://github.com/linux-audit/audit-kernel/issues/43
> See: https://github.com/linux-audit/audit-kernel/issues/44

What tree is this batch targeted to?

Thanks.