From: Richard Guy Briggs
To: Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org
Cc: Paul Moore, sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, eparis@parisplace.org, ebiederm@xmission.com, tgraf@infradead.org, Richard Guy Briggs
Subject: [PATCH ghak25 v4 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister
Date: Wed, 22 Apr 2020 17:39:30 -0400
X-Mailing-List: linux-kernel@vger.kernel.org

Some table unregister actions seem to be initiated by the kernel to garbage collect unused tables that are not initiated by any userspace actions. It was found to be necessary to add the subject credentials to cover this case to reveal the source of these actions.

A sample record:

type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 uid=root auid=unset tty=(none) ses=unset subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 exe=(null)

Signed-off-by: Richard Guy Briggs
---
 kernel/auditsc.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d281c18d1771..d7a45b181be0 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2557,12 +2557,30 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, enum audit_nfcfgop op) { struct audit_buffer *ab; + const struct cred *cred; + struct tty_struct *tty; + char comm[sizeof(current->comm)]; ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG); if (!ab) return; audit_log_format(ab, "table=%s family=%u entries=%u op=%s", name, af, nentries, audit_nfcfgs[op].s); + + cred = current_cred(); + tty = audit_get_tty(); + audit_log_format(ab, " pid=%u uid=%u auid=%u tty=%s ses=%u", + task_pid_nr(current), + from_kuid(&init_user_ns, cred->uid), + from_kuid(&init_user_ns, audit_get_loginuid(current)), + tty ? tty_name(tty) : "(none)", + audit_get_sessionid(current)); + audit_put_tty(tty); + audit_log_task_context(ab); /* subj= */ + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); + audit_log_d_path_exe(ab, current->mm); /* exe= */ + audit_log_end(ab); } EXPORT_SYMBOL_GPL(__audit_log_nfcfg); -- 1.8.3.1
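Review bot: the new subject fields are emitted through a second audit_log_format() call immediately after the existing "table=%s family=%u entries=%u op=%s" call; folding " pid=%u uid=%u auid=%u tty=%s ses=%u" into that first format string keeps the record's fixed field list in one place and saves a formatting pass per record. Also worth a comment: audit_log_d_path_exe(ab, current->mm) is reached with a NULL mm for the kworker case the commit message describes (the sample record's exe=(null) shows the helper tolerates that), so a one-line note next to the /* exe= */ comment would make the dependency on that NULL handling explicit for the next reader.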
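As an added example, not part of the patch or the author's mail, the following Python shows how a defender can consume the NETFILTER_CFG fields this patch introduces: it parses records in the interpreted form shown in the commit message and uses auid, ses and exe to separate kernel-initiated table unregisters from changes made by a userspace process. The second sample record is constructed for contrast and is not output from any real system.

```python
import re

# Constructed samples in the form shown in the commit message. The first is the
# record quoted there (a kernel worker unregistering a table); the second is a
# made-up userspace counterpart for comparison, not captured output.
SAMPLE_RECORDS = [
    "type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat "
    "family=bridge entries=0 op=unregister pid=153 uid=root auid=unset "
    "tty=(none) ses=unset subj=system_u:system_r:kernel_t:s0 "
    "comm=kworker/u4:2 exe=(null)",
    "type=NETFILTER_CFG msg=audit(2020-03-11 21:30:02.118:301) : table=filter "
    "family=ipv4 entries=12 op=register pid=2204 uid=root auid=1000 "
    "tty=pts0 ses=3 subj=unconfined_u:unconfined_r:iptables_t:s0 "
    "comm=iptables-restore exe=/usr/sbin/xtables-legacy-multi",
]

_FIELD_RE = re.compile(r"(\w+)=(\S+)")
_MSG_RE = re.compile(r"msg=audit\(([^)]*)\)")


def parse_record(line):
    """Split one audit record into a dict of key=value fields.

    The msg=audit(...) token contains a space, so it is extracted first and
    stored under 'audit_id'; everything else is a plain key=value pair.
    """
    m = _MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {"audit_id": m.group(1)}
    fields.update(_FIELD_RE.findall(line[:m.start()]))  # type=...
    fields.update(_FIELD_RE.findall(line[m.end():]))    # table=... exe=...
    return fields


def is_kernel_initiated(fields):
    """True when the subject credentials show no userspace actor: no login
    uid, no session, and no executable image behind the task. These are the
    fields the patch adds so that such records can be attributed."""
    return (fields.get("auid") == "unset"
            and fields.get("ses") == "unset"
            and fields.get("exe") == "(null)")


def summarize(lines):
    """Return (table, family, op, origin) for each NETFILTER_CFG record."""
    out = []
    for line in lines:
        f = parse_record(line)
        if f.get("type") != "NETFILTER_CFG":
            continue
        origin = "kernel" if is_kernel_initiated(f) else "user:" + f["comm"]
        out.append((f["table"], f["family"], f["op"], origin))
    return out
```

The subj field (kernel_t versus a userspace domain) can be used as a second signal on SELinux systems, but the three fields checked above do not depend on any particular policy.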