From: Richard Guy Briggs
To: Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org
Cc: Paul Moore, sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, eparis@parisplace.org, ebiederm@xmission.com, tgraf@infradead.org, Richard Guy Briggs
Subject: [PATCH ghak25 v3 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister
Date: Tue, 17 Mar 2020 17:30:24 -0400
Message-Id: <13ef49b2f111723106d71c1bdeedae09d9b300d8.1584480281.git.rgb@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Some table unregister actions seem to be initiated by the kernel to garbage collect unused tables that are not initiated by any userspace actions. It was found to be necessary to add the subject credentials to cover this case to reveal the source of these actions.

A sample record:

type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 uid=root auid=unset tty=(none) ses=unset subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 exe=(null)

Signed-off-by: Richard Guy Briggs
---
 kernel/auditsc.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index dbb056feccb9..6c233076dfb7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2557,12 +2557,30 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, enum audit_nfcfgop op) { struct audit_buffer *ab; + const struct cred *cred; + struct tty_struct *tty; + char comm[sizeof(current->comm)]; ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG); if (!ab) return; audit_log_format(ab, "table=%s family=%u entries=%u op=%s", name, af, nentries, audit_nfcfgs[op].s); + + cred = current_cred(); + tty = audit_get_tty(); + audit_log_format(ab, " pid=%u uid=%u auid=%u tty=%s ses=%u", + task_pid_nr(current), + from_kuid(&init_user_ns, cred->uid), + from_kuid(&init_user_ns, audit_get_loginuid(current)), + tty ? tty_name(tty) : "(none)", + audit_get_sessionid(current)); + audit_put_tty(tty); + audit_log_task_context(ab); /* subj= */ + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); + audit_log_d_path_exe(ab, current->mm); /* exe= */ + audit_log_end(ab); } EXPORT_SYMBOL_GPL(__audit_log_nfcfg); -- 1.8.3.1
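Review bot: the pid= field in the new audit_log_format() call is printed with %u although task_pid_nr() returns a signed pid_t; audit_log_task_info() emits "pid=%d", so %d keeps the two record formats consistent. The return value of audit_log_task_context() is discarded, so a failed context lookup produces a record with no subj= and no indication in the log; that matches existing callers, but subj= is exactly the field the changelog relies on to attribute the kernel_t unregisters, so a short comment is warranted. Since current->mm is NULL for the kworker case, audit_log_d_path_exe(ab, current->mm) yielding exe=(null) is the expected output there, and the changelog could say so explicitly.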
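From the detection side, the new subject fields are what let a log consumer tell a kernel-initiated table unregister from one driven by a userspace process. The following is an added example, not code from the patch or the audit project: it parses NETFILTER_CFG records in the interpreted form shown in the changelog and picks out unregisters with no login session behind them. The first sample is the record quoted above; the second is constructed.

```python
"""Classify NETFILTER_CFG audit records by the subject fields added in the patch.

Added example, not code from the patch or the audit project. KERNEL_SAMPLE is the
record quoted in the changelog; USER_SAMPLE is a constructed userspace record.
"""
import re
from typing import Dict, List

# One key=value token: a quoted string, a name(...) value such as audit(...) or
# (none)/(null), or any run of non-blank characters (e.g. kworker/u4:2).
_TOKEN = re.compile(r'(\w+)=("[^"]*"|\w*\([^)]*\)|\S*)')

# auid/ses read "unset" in ausearch -i output and 4294967295 in raw logs.
_UNSET = {"unset", "4294967295"}

KERNEL_SAMPLE = ("type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : "
                 "table=nat family=bridge entries=0 op=unregister pid=153 uid=root "
                 "auid=unset tty=(none) ses=unset subj=system_u:system_r:kernel_t:s0 "
                 "comm=kworker/u4:2 exe=(null)")
USER_SAMPLE = ("type=NETFILTER_CFG msg=audit(2020-03-11 21:26:02.118:271) : "   # constructed
               "table=filter family=ipv4 entries=7 op=register pid=1342 uid=root "
               "auid=1000 tty=pts0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0 "
               "comm=iptables-restor exe=/usr/sbin/xtables-legacy-multi")

def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit record line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in _TOKEN.findall(line)}

def classify(rec: Dict[str, str]) -> str:
    """'kernel' or 'user' for a NETFILTER_CFG record, 'legacy' if it predates the patch."""
    if rec.get("type") != "NETFILTER_CFG":
        raise ValueError("not a NETFILTER_CFG record")
    if "auid" not in rec:          # written before the subject fields existed
        return "legacy"
    # Kernel-initiated work (the kworker garbage collection the patch targets) has
    # neither a login uid nor a session; anything from a real login has both.
    if rec["auid"] in _UNSET and rec.get("ses") in _UNSET:
        return "kernel"
    return "user"

def kernel_unregisters(lines: List[str]) -> List[Dict[str, str]]:
    """Records for table unregisters that no userspace process initiated."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if (rec.get("type") == "NETFILTER_CFG" and rec.get("op") == "unregister"
                and classify(rec) == "kernel"):
            out.append(rec)
    return out

if __name__ == "__main__":
    for rec in kernel_unregisters([KERNEL_SAMPLE, USER_SAMPLE]):
        print(rec["table"], rec["family"], rec["comm"], rec["subj"])
```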