From: Richard Guy Briggs
To: Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org
Cc: Paul Moore, sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org, Richard Guy Briggs
Subject: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister
Date: Wed, 20 May 2020 12:51:32 -0400

Some table unregister actions seem to be initiated by the kernel to garbage collect unused tables that are not initiated by any userspace actions. It was found to be necessary to add the subject credentials to cover this case to reveal the source of these actions.

A sample record:

type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2

The uid, auid, tty, ses and exe fields have not been included since they are in the SYSCALL record and contain nothing useful in the non-user context.
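As an added example (not code from the patch or the kernel tree), here is a parser for the NETFILTER_CFG record format shown above that uses the new pid, subj and comm fields to tell a kernel-initiated unregister from a task-initiated change. The second sample record, the kworker/kernel_t heuristic and the hex-encoded comm case are assumptions of this example, not something the patch states.

```python
import re
from typing import Dict

# Added example (not from the patch): parse the NETFILTER_CFG record format shown
# in the description and tell kernel-thread-initiated changes from task-initiated ones.

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[^)]*)\)\s*:\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# comm= is written with audit_log_untrustedstring(): quoted when the string is
# clean, hex-encoded (uppercase, no quotes) when it holds a space, quote or odd byte.
UNTRUSTED_FIELDS = {"comm"}

# The record from the patch description (ausearch -i style, unquoted values).
SAMPLE_KERNEL = ("type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : "
                 "table=nat family=bridge entries=0 op=unregister pid=153 "
                 "subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2")
# Constructed raw-format record for a user-driven change (all values made up).
SAMPLE_USER = ("type=NETFILTER_CFG msg=audit(1583969200.000:270): table=filter "
               "family=2 entries=0 op=register pid=1421 "
               "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=\"iptables\"")

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into its fields, undoing quoting and hex encoding."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group("type"), "timestamp": m.group("ts")}
    for key, raw in FIELD_RE.findall(m.group("body")):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            rec[key] = raw[1:-1]
        elif key in UNTRUSTED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec

def kernel_initiated(rec: Dict[str, str]) -> bool:
    """Heuristic (an assumption of this example): a change with no user context
    carries the SELinux subject type kernel_t or a comm naming a kworker thread."""
    parts = rec.get("subj", "").split(":")
    subj_type = parts[2] if len(parts) >= 3 else ""
    return subj_type == "kernel_t" or rec.get("comm", "").startswith("kworker/")

if __name__ == "__main__":
    for line in (SAMPLE_KERNEL, SAMPLE_USER):
        r = parse_record(line)
        print(r["op"], r["table"], r["comm"], "kernel" if kernel_initiated(r) else "task")
```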
Signed-off-by: Richard Guy Briggs --- Changelog: v6 - remove uid, auid fields as duplicates or unset v5 - rebase on upstreamed ghak28 on audit/next v5.7-rc1 - remove tty, ses and exe fields as duplicates or unset - drop upstreamed patches 1&2 from set v4 - rebase on audit/next v5.7-rc1 - fix checkpatch.pl errors/warnings in 1/3 and 2/3 v3 - rebase on v5.6-rc1 audit/next - change audit_nf_cfg to audit_log_nfcfg - squash 2,3,4,5 to 1 and update patch descriptions - add subject credentials to cover garbage collecting kernel threads v2 - Rebase (audit/next 5.5-rc1) to get audit_context access and ebt_register_table ret code - Split x_tables and ebtables updates - Check audit_dummy_context - Store struct audit_nfcfg params in audit_context, abstract to audit_nf_cfg() call - Restore back to "table, family, entries" from "family, table, entries" - Log unregistration of tables - Add "op=" at the end of the AUDIT_NETFILTER_CFG record - Defer nsid patch (ghak79) to once nsid patchset upstreamed (ghak32) - Add ghak refs - Ditch NETFILTER_CFGSOLO record kernel/auditsc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index cfe3486e5f31..e646055adb0b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2557,12 +2557,21 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, enum audit_nfcfgop op) { struct audit_buffer *ab; + const struct cred *cred; + struct tty_struct *tty; + char comm[sizeof(current->comm)]; ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG); if (!ab) return; audit_log_format(ab, "table=%s family=%u entries=%u op=%s", name, af, nentries, audit_nfcfgs[op].s); + + cred = current_cred(); + audit_log_format(ab, " pid=%u", task_pid_nr(current)); + audit_log_task_context(ab); /* subj= */ + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); audit_log_end(ab); } EXPORT_SYMBOL_GPL(__audit_log_nfcfg); -- 1.8.3.1
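Review bot: `cred` is assigned from `current_cred()` but never read afterwards, and `tty` is declared but never used anywhere in the hunk; both are leftovers from the uid/auid and tty fields that the v5 and v6 changelog entries say were dropped. The unused `tty` will draw a -Wunused-variable warning, and `cred` a -Wunused-but-set-variable warning where that is enabled, so remove the two declarations and the `cred = current_cred();` line; only `char comm[sizeof(current->comm)];` is still needed by the `get_task_comm()` call.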