Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp608044ybv;
        Thu, 13 Feb 2020 06:30:22 -0800 (PST)
X-Google-Smtp-Source: APXvYqwaUKaqAYoI1QfSHaGQ350p3iKz2hpB9ee28A3uoKGiD1v0KEmjejsdSKf6wt6gX+JVQf5j
X-Received: by 2002:a9d:7f11:: with SMTP id j17mr14199433otq.281.1581604222176;
        Thu, 13 Feb 2020 06:30:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581604222; cv=none;
        d=google.com; s=arc-20160816;
        b=IvykyLuIBh13CcY+3Al02OvU7USK3K1B3VYduuXi8SJPf3LAFvYgZ779v79iQmu3F0
         f20QUjlVcYTt6dLZOB+qOpic7S6V7cweQJ1DtOgsn5SZ9SYZJe2qxTxoxPEQS1qsVnOy
         a3N+7fVtCo/+GTVkX9O0uh4QoXzCXSmsz9z1b8EEnciPi8yn1m9kDBusWePAzgtHmtSL
         GegpUYBRs09AAgaEKdMTSeLNJuaqzk1URdkucIoDZpo5F26mQ2W/UP4ZFvdHGY+iF7c1
         a2FO6Hm33IP+h0D8dORWz0qo09qX51h3cCQLbm22apf/ZrqeE7Hactgbwpz7+pAacEjn
         49bw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=0l9nlLtv0/bHXNek1lDCBUaE0lHasr+bBc4jA0BaTh0=;
        b=aPOJqgCGTzGROg2toPBe21c1QX3z0lNRexA4YydyZDOYcLK/w5UmiPHjFcS4nbLPlL
         HT57Rj6hEaw/uRu0GofMNS3k1tDzsAJ7pPAIEQEqx3b+Bu+bTd2IH1CC7eyYL3Xlqd6c
         9X16/GCG1ugkXc2a63gIpcgdDoGyZe4QBOZCkKjau8dcjv01tXuCUOZR4rnKTpKDftt5
         yWNdoseesTmrAEPsgG+tUGoIGFbgjr8xwLzoexy9/tel+sWjFXIg73Gsq4VAYp8dfdhC
         ZQOjwE67piOgtbJa39K0mxrW4L7FZlwGXB4rdD5VCs05lTf/iLI6ESxtyMNqfVpwqYDt
         GBtQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UtItgN4q;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j70si1331325oib.219.2020.02.13.06.30.08;
        Thu, 13 Feb 2020 06:30:22 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UtItgN4q;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727458AbgBMO36 (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Thu, 13 Feb 2020 09:29:58 -0500
Received: from us-smtp-1.mimecast.com ([205.139.110.61]:47179 "EHLO
        us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726780AbgBMO35 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 13 Feb 2020 09:29:57 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1581604196;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=0l9nlLtv0/bHXNek1lDCBUaE0lHasr+bBc4jA0BaTh0=;
        b=UtItgN4qy+/zNskX/eV6DepOXEYEJdRbrfcWZC82YvMyCEY2q3l+dYczJmuorFcfDWDoTx
        SY7uruJ7+At+snYlvSyq7oYrqpsWnr5xRzonYnubzZPqOILFcfiCTkih4oXg6DpPUr2ekN
        fFmXRye7zdbNNrvYgFzyoFPGDrEetK4=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-258-PjoBI8_dNuKbyHfpVocn9A-1; Thu, 13 Feb 2020 09:29:54 -0500
X-MC-Unique: PjoBI8_dNuKbyHfpVocn9A-1
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 68441DBAE;
        Thu, 13 Feb 2020 14:29:53 +0000 (UTC)
Received: from madcap2.tricolour.ca (ovpn-112-16.rdu2.redhat.com [10.10.112.16])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 294495DA85;
        Thu, 13 Feb 2020 14:29:45 +0000 (UTC)
Date:   Thu, 13 Feb 2020 09:29:43 -0500
From:   Richard Guy Briggs <rgb@redhat.com>
To:     Florian Westphal <fw@strlen.de>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        netfilter-devel@vger.kernel.org, ebiederm@xmission.com,
        twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org
Subject: Re: [PATCH ghak25 v2 8/9] netfilter: add audit operation field
Message-ID: <20200213142943.zxa6vwvl45q36zu6@madcap2.tricolour.ca>
References: <cover.1577830902.git.rgb@redhat.com>
 <6768f7c7d9804216853e6e9c59e44f8a10f46b99.1577830902.git.rgb@redhat.com>
 <20200106202306.GO795@breakpoint.cc>
 <20200213121410.b2dsh2kwg3k7xg7e@madcap2.tricolour.ca>
 <20200213123457.GO2991@breakpoint.cc>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200213123457.GO2991@breakpoint.cc>
User-Agent: NeoMutt/20180716
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2020-02-13 13:34, Florian Westphal wrote:
> Richard Guy Briggs <rgb@redhat.com> wrote:
> > The default policy is NF_ACCEPT (because Rusty didn't want
> > more email, go figure...).  It occurred to me later that some table
> > loads took a command line parameter to be able to change the default
> > policy verdict from NF_ACCEPT to NF_DROP.  In particular, filter FORWARD
> > hook tables.  Is there a straightforward way to be able to detect this
> > in all the audit_nf_cfg() callers to be able to log it?  In particular,
> > in:
> > 	net/bridge/netfilter/ebtables.c: ebt_register_table()
> > 	net/bridge/netfilter/ebtables.c: do_replace_finish()
> > 	net/bridge/netfilter/ebtables.c: __ebt_unregister_table()
> > 	net/netfilter/x_tables.c: xt_replace_table()
> > 	net/netfilter/x_tables.c: xt_unregister_table()
> 
> The module parameter or the policy?
> 
> The poliy can be changed via the xtables tools.
> Given you can have:
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A FORWARD -j ACCEPT
> COMMIT
> 
> ... which effectily gives a FORWARD ACCEPT policy I'm not sure logging
> the policy is useful.
> 
> Furthermore, ebtables has polices even for user-defined chains.
> 
> > Both potential solutions are awkward, adding a parameter to pass that
> > value in, but also trying to reach into the protocol-specific entry
> > table to find that value.  Would you have a recommendation?  This
> > assumes that reporting that default policy value is even desired or
> > required.
> 
> See above, I don't think its useful.  If it is needed, its probably best
> to define an informational struct containing the policy (accept/drop)
> value for the each hook points (prerouting to postrouting),  fill
> that from the backend specific code (as thats the only place that
> exposes the backend specific structs ...) and then pass that to
> the audit logging functions.

Ok, for this set, I'll drop the idea.  If it becomes apparent later than
it is necessary, it can be added as a field at the end of the record.

Thanks for looking at this.

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635