Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp1046520ybz; Fri, 17 Apr 2020 14:55:24 -0700 (PDT) X-Google-Smtp-Source: APiQypKLxh/857ir0V9EZ644eyXfd8zYtWQYByaze1w8GizyX+hrpBcel6TC8iF4GZ0CpT8A6zc2 X-Received: by 2002:a50:a1e6:: with SMTP id 93mr5322217edk.172.1587160524634; Fri, 17 Apr 2020 14:55:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587160524; cv=none; d=google.com; s=arc-20160816; b=x/X49Mq5b1iU5o1BTKxTq9GBzM/r17o1grjZJ9H9+3OzZ+KP8PkCLM0cg6uL/oqDjb isa8Ete9P2EgnCLrf7202rs0KNeYVUl4TFHvj2eRKwZWlGaVYuN5I5TLlEY3KJUqEgSK VrSpDu1AZPqeX/Wlfcea9FO5TiCqnCuNqdSqb2RxgfEWLD0jxjz55qXqRd6g5RHKFgcl bqcht7/ceUfGTLqsARLkqRLAyMzm/XU98+w8PXhuq5Q43jRzPHHHoCX1iTZDkfGA+ava oR4YYjMj7ZkhAOSc6kvkpqz4wt+ULVXC2UTVUh67qP9AF43Cla4xnuYmAQ5tcZBsBqMY yGbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Bl0pa+hbUKTXV3E8yhfZmk+igw1QNCwVFqR4CtMCNtE=; b=khRYKHcPum9DYFic34U0o0Q3IgZpo1OuNX6qFn1Laxr5eLu5Mvtn0X1QM8Hbmg8Wd8 5WmV/KZKM45Mfv5e5gBGrduFhezB7SlRm8XBN2qmdwhZd2r+vzwwKxkqtdGjByL7GaVh bock1nFUchOQjrnaNI67WNOHJIFDC95uVqd2mDpExuSqNktSrOpxcl9XhDgH7ODhHWjo cUqdGKs+WYRxCLoqEXNGIrsABXhgW/4GuUGxFXrFZYB6L9IclHGhblCWm4jUaIF0OikP uJuH90t58GubVMnsoiKYyekIzYXgFRQRHbiJI7vYepTm6oRIIvvh56eJgz5tV2zMfcf8 S1lg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=p5mlizDn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id nh5si7226774ejb.352.2020.04.17.14.55.01; Fri, 17 Apr 2020 14:55:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=p5mlizDn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728470AbgDQVyB (ORCPT + 99 others); Fri, 17 Apr 2020 17:54:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47794 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1728202AbgDQVyA (ORCPT ); Fri, 17 Apr 2020 17:54:00 -0400 Received: from mail-ej1-x642.google.com (mail-ej1-x642.google.com [IPv6:2a00:1450:4864:20::642]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5D8D6C061A0C for ; Fri, 17 Apr 2020 14:54:00 -0700 (PDT) Received: by mail-ej1-x642.google.com with SMTP id x1so2656744ejd.8 for ; Fri, 17 Apr 2020 14:54:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Bl0pa+hbUKTXV3E8yhfZmk+igw1QNCwVFqR4CtMCNtE=; b=p5mlizDnCc6Smzeerr+47ThU1VtYAcCdc4Har7cwXXeRHLpqG3rirDQ6+LlBZuOJyP GwrQFNk1vQ45HD348VApKz5GTRL/X1psqK6RBdD+GENF4rQwP1sfQhilmuZnkp5we2SI uo7TM92Ktmx51GV7huHA5vroZ1thy738vLX7EuDAAzrscTktsDwkpbPxyOsKezlytqCo HbpGfkw61ya15BWPT/BqPfhwOsgl8uxV37GX3xqEc1WC6us4jCtorA9ncOIaVtJhWFp3 RFvDCE65Rc86FZoBebdAF7RMOlbuZETqOEgpSOZXfrHqUU57olayACExlZQVFjwaRYLl gM7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Bl0pa+hbUKTXV3E8yhfZmk+igw1QNCwVFqR4CtMCNtE=; b=XY0V+XNEqpbdk4DuA0lGIhUaA9ch1n5YHgQf/QTM/7keXrL/rCinHj7808RxF9nNmQ FRuw0SnJHRjFbicelxvMXrHDA6EJ7/5lLSEfUXG5HQnmqw848Vl8K3gUIbPJ3iTKOc37 mY0X2CQwMdWof+5wm5g4qxtlrrjEeuIcryTrT8G7e3pGE/QjJGaT5/JmJ1xTKv0a9CDA VBsXfRnI5w8FPWHQ1MlkQEqcIwtn9+2/iuhaafKDHPJVFXXn/GSwQU8olURMeg6zxa1L cPkXuPJGh+Bm1zFmuAbz+TKrmoaFbUocNbgbzUOvGTfIIs/woeJEac/HXK/vFTwyEKpG 9Ydw== X-Gm-Message-State: AGi0PuZ6MaBfq3wtAe054br3KXdG4Ibts0UK8YJUbZZIIxX7VT7JX7vO cMDBj5n2daGCwlvGEpXXpMQvwHnW1kHQwTFSliDS X-Received: by 2002:a17:906:4cd2:: with SMTP id q18mr5203442ejt.70.1587160438885; Fri, 17 Apr 2020 14:53:58 -0700 (PDT) MIME-Version: 1.0 References: <13ef49b2f111723106d71c1bdeedae09d9b300d8.1584480281.git.rgb@redhat.com> <20200318131128.axyddgotzck7cit2@madcap2.tricolour.ca> <20200318213327.ow22q6nnjn3ijq6v@madcap2.tricolour.ca> In-Reply-To: <20200318213327.ow22q6nnjn3ijq6v@madcap2.tricolour.ca> From: Paul Moore Date: Fri, 17 Apr 2020 17:53:47 -0400 Message-ID: Subject: Re: [PATCH ghak25 v3 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister To: Richard Guy Briggs Cc: Linux-Audit Mailing List , LKML , netfilter-devel@vger.kernel.org, twoerner@redhat.com, Eric Paris , fw@strlen.de, ebiederm@xmission.com, tgraf@infradead.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 18, 2020 at 5:33 PM Richard Guy Briggs wrote: > On 2020-03-18 17:22, Paul Moore wrote: > > On Wed, Mar 18, 2020 at 9:12 AM Richard Guy Briggs wrote: > > > On 2020-03-17 17:30, Richard Guy Briggs wrote: > > > > Some table unregister actions seem to be initiated by the kernel to > > > > garbage collect unused tables that are not initiated by any userspace > > > > actions. It was found to be necessary to add the subject credentials to > > > > cover this case to reveal the source of these actions. A sample record: > > > > > > > > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 uid=root auid=unset tty=(none) ses=unset subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 exe=(null) > > > > > > Given the precedent set by bpf unload, I'd really rather drop this patch > > > that adds subject credentials. > > > > > > Similarly with ghak25's subject credentials, but they were already > > > present and that would change an existing record format, so it isn't > > > quite as justifiable in that case. > > > > Your comments have me confused - do you want this patch (v3 3/3) > > considered for merging or no? > > I would like it considered for merging if you think it will be required > to provide enough information about the event that happenned. In the > bpf unload case, there is a program number to provide a link to a > previous load action. In this case, we won't know for sure what caused > the table to be unloaded if the number of entries was empty. I'm still > trying to decide if it matters. For the sake of caution I think it > should be included. I don't like it, but I think it needs to be > included. I'm in the middle of building patches 1/3 and 2/3, assuming all goes well I'll merge them into audit/next (expect mail soon), however I'm going back and forth on this patch. Like you I kinda don't like it, and with both of us not in love with this patch I have to ask if there is certification requirement for this? I know about the generic subj/obj requirements, but in the case where there is no associated task/syscall/etc. information it isn't like the extra fields supplied in this patch are going to have much information in that regard; it's really the *absence* of that information which is telling. Which brings me to wonder if simply the lack of any associated records in this event is enough? Before when we weren't associating records into a single event it would have been a problem, but the way things currently are, if there are no other records (and you have configured that) then I think you have everything you need to know. Thoughts? -- paul moore www.paul-moore.com