Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp6322609ybv; Tue, 18 Feb 2020 14:36:26 -0800 (PST) X-Google-Smtp-Source: APXvYqzIR5n8pcPlqLIfWFygz2mKnu9ANIkXPIbbgd++NFg0a8gQ/D2993AufVWadTQyxdjjtoXv X-Received: by 2002:a05:6830:1db3:: with SMTP id z19mr17702466oti.292.1582065386627; Tue, 18 Feb 2020 14:36:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582065386; cv=none; d=google.com; s=arc-20160816; b=ItXhiK6aejYc7Mro52/TppsPWbxV6NmL9pVGAstjGtQtIOZqyami4qd56TEb7p2yVO q6ryBIcfHFg9FWEoRYkuX1jHHdfIw4Khti9hMVq42vjlFbZY4ivZR9FUU11oR4MxQ2F1 chdzrC+zUm4Gv9BeStwwhMjzmhsXxtkVqF9lrxKtEZk/Y8+fOHeE53Zg1u294vOSMDpV OH9s0Ffg0KR+42NgxrFi8UGgkFAj+GWW74hT78YIRujcBhCOJSZ5Wk928rZS/QGMQzQI sRdNbaGJc2E+F57JXErXrAUfGDXDItnE5Es15mt2xlmJ5W1dbNf4k6Ev34/Jioj/eISZ PVoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=6XYHKylbYwWbwgVI0oUf0RytWHiUiJpTboStfvZsvNo=; b=iC+8u4EgJfMIsUkQUlUMNVhS3Xc4UpS/fcna63Xtc8lWG26T28tEmERJ2bsJTux2Uy KaL327iGEVdJlusirb3EFC7XTuoe9eLGgKEvHCzlA1EiE7P9qaPJygkSCZhKJP2uVPMQ BFlz2iG8K4Zy44VpersRTKqgrI25eLqp9+lqnv+Bk1dl1fw2qX1OJAFh0qmhjnCPi+AU prO1noPXwGHe4SbF86lAp3PRcf7yD5TbswZfjR0SHlj5tRhGz0A6Qep4onFyebfumnmI W5xeG4znN6TSUuj8HKymnalW+J94je4KMuEdUKo6iSxXsggbaVdtcIXHnfAwUkpTv+06 cPkg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="Ihx4EYf/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i19si8933394oik.272.2020.02.18.14.36.14; Tue, 18 Feb 2020 14:36:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="Ihx4EYf/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726652AbgBRWgB (ORCPT + 99 others); Tue, 18 Feb 2020 17:36:01 -0500 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:22836 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726427AbgBRWgA (ORCPT ); Tue, 18 Feb 2020 17:36:00 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1582065359; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=6XYHKylbYwWbwgVI0oUf0RytWHiUiJpTboStfvZsvNo=; b=Ihx4EYf/U2zxBAUisdA4HErCki/POnF9CEsfH4dEiBa5AYhU0fuPpEfIAGy2aquD727xcq Q4J8M4InLCQIOn71rBaSj8eSJ4K2ogj4mqU/IRfdbyBPGxBm7WC0ffL/8rEAdMwls9chkA PZUHgxGUIN2z0Ekq0Mz/z5wnzUtUXpw= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-3-4PVG-_cgM5azTwe8uV8i-A-1; Tue, 18 Feb 2020 17:35:53 -0500 X-MC-Unique: 4PVG-_cgM5azTwe8uV8i-A-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CF18A18A8C80; Tue, 18 Feb 2020 22:35:51 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-16.rdu2.redhat.com [10.10.112.16]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6C0D785735; Tue, 18 Feb 2020 22:35:43 +0000 (UTC) Date: Tue, 18 Feb 2020 17:35:40 -0500 From: Richard Guy Briggs To: Paul Moore Cc: Linux-Audit Mailing List , LKML , netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, Eric Paris , ebiederm@xmission.com, tgraf@infradead.org Subject: Re: [PATCH ghak25 v2 7/9] netfilter: ebtables audit table registration Message-ID: <20200218223540.2apm7spat3z3yyif@madcap2.tricolour.ca> References: <9f16dee52bac9a3068939283a0122a632ee0438d.1577830902.git.rgb@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-01-30 22:18, Paul Moore wrote: > On Mon, Jan 6, 2020 at 1:56 PM Richard Guy Briggs wrote: > > > > Generate audit NETFILTER_CFG records on ebtables table registration. > > > > Previously this was only being done for all x_tables operations and > > ebtables table replacement. > > > > Call new audit_nf_cfg() to store table parameters for later use with > > syscall records. > > > > Here is a sample accompanied record: > > type=NETFILTER_CFG msg=audit(1494907217.558:5403): table=filter family=7 entries=0 > > Wait a minute ... in patch 4 you have code that explicitly checks for > "entries=0" and doesn't generate a record in that case; is the example > a lie or is the code a lie? ;) The example was stale once the entries check was added. The entries check has now been removed due to the source of registration records being orphanned from their syscall record being found and solved in the ghak120 (norule missing accompanying) issue. However, there are ebtables nat and filter tables being added that are being automatically reaped if there are no entries and there is no syscall accompanying them. I don't yet know if it is being reaped by userspace with an async drop, or if it is the kernel that is deciding to garbage collect that table after a period of disuse. Some quick instrumentation says it is kernel thread [kworker/u4:2-events_unbound] pid=153 uid=0 auid=4294967295 tty=(none) ses=4294967295 subj=system_u:system_r:kernel_t:s0 comm="kworker/u4:2" exe=(null) > > See: https://github.com/linux-audit/audit-kernel/issues/43 > > Signed-off-by: Richard Guy Briggs > > --- > > net/bridge/netfilter/ebtables.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c > > index 57dc11c0f349..58126547b175 100644 > > --- a/net/bridge/netfilter/ebtables.c > > +++ b/net/bridge/netfilter/ebtables.c > > @@ -1219,6 +1219,8 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table, > > *res = NULL; > > } > > > > + if (audit_enabled) > > + audit_nf_cfg(repl->name, AF_BRIDGE, repl->nentries); > > return ret; > > free_unlock: > > mutex_unlock(&ebt_mutex); > > -- > > 1.8.3.1 > > -- > paul moore > www.paul-moore.com > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635