Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp622711ybh; Wed, 18 Mar 2020 06:14:43 -0700 (PDT) X-Google-Smtp-Source: ADFU+vv85FgvVbM60oOEUfAJlJls1lhZT7QxYVY/DSF0EcQUIOhUHIqxinc1CR0X/Ulmfb6zu06Q X-Received: by 2002:a9d:2c64:: with SMTP id f91mr3910679otb.17.1584537283408; Wed, 18 Mar 2020 06:14:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584537283; cv=none; d=google.com; s=arc-20160816; b=BSbTsXlkgVQw7nYmJy6NDtweyh66dlCwGQaIakMPflP9y+yCw7OQnXlx73xlzES6nY l7W4BxPCMENAinVGHapLbbIdq8+18CPCdJUIScuBwYWVkpYhkji2m97EA6Rbes5AMrGs +c7JmPHmuebq9wFUaolaJnQvLoPoMCZZireZPh9spnnkbVP6RzmdUzR6G2y1gjs6hJSB jo6AskUKjpylymKArfh7okK2/aPjd0KG5+9pL26cVSI40fZECOI3nYcSITo//CIvVeoG fWv424/C6Jaix7tG9j1WrPM911MhXAZUdtYkIyrv+tq2DXGTxmHp/xwy1mBR9oobXwX1 xHiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=xlChmMy4SLafuKQTGlyJ3sDvLZdWy+MYwHrLdWFHRXE=; b=ZQNqoF0sAVxsDG2dCkoac6CKe3XvnDMgBnuYX5lHzl8wj+gZjasg0Pzu91dejB4Qb8 /kkm8sE2fWufYUByMWNlH+j5zlBIVG8LgAJjZS3FI19sYXVGrMJVoKj+u9B8ugpak94T qK+lwt7Sb9Zv+yRCHFWOzUEdlHD4iEnULbblfUn5yJ2X8L2LfTWAmPlEYFmZFhMhJwNI vUhF7pVvt1eMOxJnTHQl4Qzr9D39IkotnJOHz1xAAMCFcoj8uUqzBOXAi9xSdkB/2jfZ SVlN3Y0i4A3pMITWVMbEu6rqR21NPVh9AZ05IHNYuvn8syfl9APS8Cgwir+o3m9wDn/b FgHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="J5xD/o01"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a7si3092611oia.120.2020.03.18.06.14.32; Wed, 18 Mar 2020 06:14:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="J5xD/o01"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727044AbgCRNLt (ORCPT + 99 others); Wed, 18 Mar 2020 09:11:49 -0400 Received: from us-smtp-delivery-74.mimecast.com ([63.128.21.74]:52067 "EHLO us-smtp-delivery-74.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726821AbgCRNLt (ORCPT ); Wed, 18 Mar 2020 09:11:49 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1584537108; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=xlChmMy4SLafuKQTGlyJ3sDvLZdWy+MYwHrLdWFHRXE=; b=J5xD/o01nwW6XbfHWaTSAq3k+rsMOOgL4ikiUv6BEV8iVrLq+YzFiaCdewtrR10/ccBsZX ZqRHFws7lwpX1jl7aOH/8UKdeuFmvpCDfHo3sLS3EHBnfgzGA1xXlItGUwUD65n15Ay1/K zFkge/+OL+7drpX1GCyTKp04Z+ht4JU= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-448-5utA3yAaM5-5gQspvcypOg-1; Wed, 18 Mar 2020 09:11:44 -0400 X-MC-Unique: 5utA3yAaM5-5gQspvcypOg-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 26F7218A5502; Wed, 18 Mar 2020 13:11:43 +0000 (UTC) Received: from madcap2.tricolour.ca (unknown [10.36.110.5]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E94AC19C6A; Wed, 18 Mar 2020 13:11:33 +0000 (UTC) Date: Wed, 18 Mar 2020 09:11:28 -0400 From: Richard Guy Briggs To: Linux-Audit Mailing List , LKML , netfilter-devel@vger.kernel.org Cc: fw@strlen.de, ebiederm@xmission.com, twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org Subject: Re: [PATCH ghak25 v3 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister Message-ID: <20200318131128.axyddgotzck7cit2@madcap2.tricolour.ca> References: <13ef49b2f111723106d71c1bdeedae09d9b300d8.1584480281.git.rgb@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <13ef49b2f111723106d71c1bdeedae09d9b300d8.1584480281.git.rgb@redhat.com> User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-03-17 17:30, Richard Guy Briggs wrote: > Some table unregister actions seem to be initiated by the kernel to > garbage collect unused tables that are not initiated by any userspace > actions. It was found to be necessary to add the subject credentials to > cover this case to reveal the source of these actions. A sample record: > > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 uid=root auid=unset tty=(none) ses=unset subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 exe=(null) Given the precedent set by bpf unload, I'd really rather drop this patch that adds subject credentials. Similarly with ghak25's subject credentials, but they were already present and that would change an existing record format, so it isn't quite as justifiable in that case. > Signed-off-by: Richard Guy Briggs > --- > kernel/auditsc.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index dbb056feccb9..6c233076dfb7 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -2557,12 +2557,30 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, > enum audit_nfcfgop op) > { > struct audit_buffer *ab; > + const struct cred *cred; > + struct tty_struct *tty; > + char comm[sizeof(current->comm)]; > > ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG); > if (!ab) > return; > audit_log_format(ab, "table=%s family=%u entries=%u op=%s", > name, af, nentries, audit_nfcfgs[op].s); > + > + cred = current_cred(); > + tty = audit_get_tty(); > + audit_log_format(ab, " pid=%u uid=%u auid=%u tty=%s ses=%u", > + task_pid_nr(current), > + from_kuid(&init_user_ns, cred->uid), > + from_kuid(&init_user_ns, audit_get_loginuid(current)), > + tty ? tty_name(tty) : "(none)", > + audit_get_sessionid(current)); > + audit_put_tty(tty); > + audit_log_task_context(ab); /* subj= */ > + audit_log_format(ab, " comm="); > + audit_log_untrustedstring(ab, get_task_comm(comm, current)); > + audit_log_d_path_exe(ab, current->mm); /* exe= */ > + > audit_log_end(ab); > } > EXPORT_SYMBOL_GPL(__audit_log_nfcfg); > -- > 1.8.3.1 > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635