Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp778977ybk; Wed, 20 May 2020 11:43:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwUCyaIgQo1A8fwo+fHjWL2fkOHFJzufU2FGGJ6C2AJxTq1tCE9KIYMZgAJyGNDDJ4hITT/ X-Received: by 2002:a17:906:55c3:: with SMTP id z3mr418334ejp.180.1590000209228; Wed, 20 May 2020 11:43:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590000209; cv=none; d=google.com; s=arc-20160816; b=IQQwsMiaYeUiEr5jHMspba6ivj5R4BSmAR9vI75riG5Gu1zQNyHW+qCF8LVytoNWb7 8hSPKnXR4cwfxDP4gN/Lhgw1oiC0g0eZDRRYib6eBTDKBsCXlEGP16YiyQ9YLjpsQRcj 6niQBr1GICugX/mLVtsITwhDYhkRH42vnpoj2hu8rfFchV8bv516T7Ywsz4bWg4XJ+1D pv21DJkTPdOscUyChna/FOXgFC6spu6pUBsAlPRa4jbKjBK+LUJzLP74MAqI4fbmC0YF D3Vmb/vaTVTewbT6KwTCIaVEhgcfnkQ1lfa/Vte9IymTU6A8kfk4S9aliKfpHFnSezzB wzEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=gu04BwxFLehQzkmABOcTDiBulPEzSlONSfMwZQcVMtk=; b=hC6sJ6eqXxi3d1tTB+/x5D4sdMW1INJJGrgS10hkVEGszS32A8lWfdFf1tqdJ9uL05 gRlfgBvY7zYBCZqkEwnGaIu7XNLXtv//8j2Ns9Guy6pYKLUHnGJmSb4clLGo9WzLYVoJ I47pGYDv3ZwADiyC1PGT4yAe4VMNVmebb9Hk4ICzFX7PCsTtR4WPLQ60Ixz/7cPhlDLg ljmy5Xz7L9HhTUN9aNCruhSd/MHgYHN33U9BckVNoEZqkkp3FxO1OODfld2Y38ZTgUdT FKAEbgcHWmhgRZNAsKeHsCWBiCZo2wCJi5X4tGOthGaMe/VSn7mfT6cgOxYPB/aySNV2 C7fw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=u3zvcyI7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k15si2126699eji.493.2020.05.20.11.43.04; Wed, 20 May 2020 11:43:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=u3zvcyI7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726827AbgETSk7 (ORCPT + 99 others); Wed, 20 May 2020 14:40:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39300 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726510AbgETSk6 (ORCPT ); Wed, 20 May 2020 14:40:58 -0400 Received: from mail-ej1-x642.google.com (mail-ej1-x642.google.com [IPv6:2a00:1450:4864:20::642]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 51A17C061A0E for ; Wed, 20 May 2020 11:40:58 -0700 (PDT) Received: by mail-ej1-x642.google.com with SMTP id yc10so5270921ejb.12 for ; Wed, 20 May 2020 11:40:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gu04BwxFLehQzkmABOcTDiBulPEzSlONSfMwZQcVMtk=; b=u3zvcyI7Q++6Mrg+MmoeQfMunW0bnvUUcFgUODN/jYgRJ37WBF4+miKSCA8fdvC/1g GUP10vCDN4Z1KSoQoUQDdvUbxLDVG2GPuPrHlZ/3SWU7DPAgvVQ95YtU24hCtcH/xnZH MM3FZwWjQ254/VEpuag7ghWygCITtaeuOhAUpLzfmNJnz4Nlpotw/Wr+mUUpmKnnXsO2 ls9zpoKVCSckhXYfeBugn3yVWwE5hEyKaiE0T4vRXZt5biF7zVJWlWxCZmJUn66vm8k8 F3vQ7okR866Ttnsg0lXKLFLkEr32xD5v5CcV+zZ0awhI5brIsS9d5FI28DaRnamMCeHt +19Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gu04BwxFLehQzkmABOcTDiBulPEzSlONSfMwZQcVMtk=; b=J9CAMtkt3q/27x31+jo5iHdt72Sx7x71ZkM+gGdJf4VaJq52AWW5XMAXGw/+mCxZ/I EZOCLQHZo3r7G+rFbtS50W5kAu+cG5tgQL+FrrMjO/rOcxxElvaYup7zD6dKEXlRDCt2 TXOPaL1iuBlmujem1CBuWk+P8VrV9UXmp6lDeQwuRiiDSeMmBTdnTuuGrqFHqkRzIJKY 11zyNGlUytyinpy0Fh7SvgaS78rvoa/6v7bQbApnkYbgeJdVOaX2oQocQjctRLRtI0Il 7vo8MjOTravuYTN8CvdxBYV9hmeYKi87Hv/dBxegY2hek3n5Bb2nu+/2vuKbWH3tWLUK CWMg== X-Gm-Message-State: AOAM532yzymZiR5+3PGjyM5jpHSjEnAwBuM8MFQ5wzgFd5zBpdi4gGQY KxbGR84mAgJEVq/VBVfzh1rnIsGuOYDTXa3HRZjw X-Received: by 2002:a17:906:4d82:: with SMTP id s2mr387133eju.542.1590000056930; Wed, 20 May 2020 11:40:56 -0700 (PDT) MIME-Version: 1.0 References: <20200520165510.4l4q47vq6fyx7hh6@madcap2.tricolour.ca> In-Reply-To: <20200520165510.4l4q47vq6fyx7hh6@madcap2.tricolour.ca> From: Paul Moore Date: Wed, 20 May 2020 14:40:45 -0400 Message-ID: Subject: Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister To: Richard Guy Briggs Cc: Linux-Audit Mailing List , LKML , netfilter-devel@vger.kernel.org, twoerner@redhat.com, Eric Paris , fw@strlen.de, tgraf@infradead.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs wrote: > On 2020-05-20 12:51, Richard Guy Briggs wrote: > > Some table unregister actions seem to be initiated by the kernel to > > garbage collect unused tables that are not initiated by any userspace > > actions. It was found to be necessary to add the subject credentials to > > cover this case to reveal the source of these actions. A sample record: > > > > The uid, auid, tty, ses and exe fields have not been included since they > > are in the SYSCALL record and contain nothing useful in the non-user > > context. > > > > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 FWIW, that record looks good. > > Signed-off-by: Richard Guy Briggs > > Self-NACK. I forgot to remove cred and tty declarations. -- paul moore www.paul-moore.com