From: Paul Moore
Date: Mon, 1 Jun 2020 12:10:44 -0400
Subject: Re: [PATCH ghak124 v2] audit: log nftables configuration change events
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, Ondrej Mosnacek, fw@strlen.de, twoerner@redhat.com, Eric Paris, tgraf@infradead.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 28, 2020 at 9:44 PM Richard Guy Briggs wrote:
> iptables, ip6tables, arptables and ebtables table registration,
> replacement and unregistration configuration events are logged for the
> native (legacy) iptables setsockopt api, but not for the
> nftables netlink api which is used by the nft-variant of iptables in
> addition to nftables itself.
>
> Add calls to log the configuration actions in the nftables netlink api.
>
> This uses the same NETFILTER_CFG record format but overloads the table
> field.
>
> type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.878:162) : table=?:0;?:0 family=unspecified entries=2 op=nft_register_gen pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> ...
> type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.878:162) : table=firewalld:1;?:0 family=inet entries=0 op=nft_register_table pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> ...
> type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.911:163) : table=firewalld:1;filter_FORWARD:85 family=inet entries=8 op=nft_register_chain pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> ...
> type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.911:163) : table=firewalld:1;filter_FORWARD:85 family=inet entries=101 op=nft_register_rule pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> ...
> type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.911:163) : table=firewalld:1;__set0:87 family=inet entries=87 op=nft_register_setelem pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> ...
> type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.911:163) : table=firewalld:1;__set0:87 family=inet entries=0 op=nft_register_set pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> For further information please see issue
> https://github.com/linux-audit/audit-kernel/issues/124
>
> Signed-off-by: Richard Guy Briggs
> ---
> Changelog:
> v2:
> - differentiate between xtables and nftables
> - add set, setelem, obj, flowtable, gen
> - use nentries field as appropriate per type
> - overload the "tables" field with table handle and chain/set/flowtable
>
> include/linux/audit.h | 52 +++++++++++++++++++++++++
> kernel/auditsc.c | 24 ++++++++++--
> net/netfilter/nf_tables_api.c | 89 +++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 162 insertions(+), 3 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h > index 3fcd9ee49734..d79866a38505 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -12,6 +12,7 @@ > #include > #include > #include > +#include > > #define AUDIT_INO_UNSET ((unsigned long)-1) > #define AUDIT_DEV_UNSET ((dev_t)-1)
> @@ -98,6 +99,57 @@ enum audit_nfcfgop { > AUDIT_XT_OP_REGISTER, > AUDIT_XT_OP_REPLACE, > AUDIT_XT_OP_UNREGISTER, > + AUDIT_NFT_OP_TABLE_REGISTER, > + AUDIT_NFT_OP_TABLE_UNREGISTER, > + AUDIT_NFT_OP_CHAIN_REGISTER, > + AUDIT_NFT_OP_CHAIN_UNREGISTER, > + AUDIT_NFT_OP_RULE_REGISTER, > + AUDIT_NFT_OP_RULE_UNREGISTER, > + AUDIT_NFT_OP_SET_REGISTER, > + AUDIT_NFT_OP_SET_UNREGISTER, > + AUDIT_NFT_OP_SETELEM_REGISTER, > + AUDIT_NFT_OP_SETELEM_UNREGISTER, > + AUDIT_NFT_OP_GEN_REGISTER, > + AUDIT_NFT_OP_OBJ_REGISTER, > + AUDIT_NFT_OP_OBJ_UNREGISTER, > + AUDIT_NFT_OP_OBJ_RESET, > + AUDIT_NFT_OP_FLOWTABLE_REGISTER, > + AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, > + AUDIT_NFT_OP_INVALID, > +}; > + > +struct audit_nftcfgop_tab { > + enum nf_tables_msg_types nftop; > + enum audit_nfcfgop op; > +}; > + > +static const struct audit_nftcfgop_tab audit_nftcfgs[] = { > + { NFT_MSG_NEWTABLE, AUDIT_NFT_OP_TABLE_REGISTER }, > + { NFT_MSG_GETTABLE, AUDIT_NFT_OP_INVALID }, > + { NFT_MSG_DELTABLE, AUDIT_NFT_OP_TABLE_UNREGISTER }, > + { NFT_MSG_NEWCHAIN, AUDIT_NFT_OP_CHAIN_REGISTER }, > + { NFT_MSG_GETCHAIN, AUDIT_NFT_OP_INVALID }, > + { NFT_MSG_DELCHAIN, AUDIT_NFT_OP_CHAIN_UNREGISTER }, > + { NFT_MSG_NEWRULE, AUDIT_NFT_OP_RULE_REGISTER }, > + { NFT_MSG_GETRULE, AUDIT_NFT_OP_INVALID }, > + { NFT_MSG_DELRULE, AUDIT_NFT_OP_RULE_UNREGISTER }, > + { NFT_MSG_NEWSET, AUDIT_NFT_OP_SET_REGISTER }, > + { NFT_MSG_GETSET, AUDIT_NFT_OP_INVALID }, > + { NFT_MSG_DELSET, AUDIT_NFT_OP_SET_UNREGISTER }, > + { NFT_MSG_NEWSETELEM, AUDIT_NFT_OP_SETELEM_REGISTER }, > + { NFT_MSG_GETSETELEM, AUDIT_NFT_OP_INVALID }, > + { NFT_MSG_DELSETELEM, AUDIT_NFT_OP_SETELEM_UNREGISTER }, > + { NFT_MSG_NEWGEN, AUDIT_NFT_OP_GEN_REGISTER }, > + { NFT_MSG_GETGEN, AUDIT_NFT_OP_INVALID }, > + { NFT_MSG_TRACE, AUDIT_NFT_OP_INVALID }, > + { NFT_MSG_NEWOBJ, AUDIT_NFT_OP_OBJ_REGISTER }, > + { NFT_MSG_GETOBJ, AUDIT_NFT_OP_INVALID }, > + { NFT_MSG_DELOBJ, AUDIT_NFT_OP_OBJ_UNREGISTER }, > + { NFT_MSG_GETOBJ_RESET, AUDIT_NFT_OP_OBJ_RESET }, > + 
{ NFT_MSG_NEWFLOWTABLE, AUDIT_NFT_OP_FLOWTABLE_REGISTER }, > + { NFT_MSG_GETFLOWTABLE, AUDIT_NFT_OP_INVALID }, > + { NFT_MSG_DELFLOWTABLE, AUDIT_NFT_OP_FLOWTABLE_UNREGISTER }, > + { NFT_MSG_MAX, AUDIT_NFT_OP_INVALID }, > }; I didn't check every "op" defined above to match with the changes in nf_tables_api.c, but is there a reason why we can't simply hardcode the AUDIT_NFT_OP_* values in the audit_log_nfcfg() calls in nf_tables_api.c? If we can, let's do that. If we can't do that, we need to add some build-time protection to catch if NFT_MSG_MAX increases without this table being updated. > static int audit_match_perm(struct audit_context *ctx, int mask) > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 4471393da6d8..7a386eca6e04 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -12,6 +12,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -693,6 +694,14 @@ static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) > { > struct sk_buff *skb; > int err; > + char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0", > + ctx->table->name, ctx->table->handle); > + > + audit_log_nfcfg(buf, > + ctx->family, > + ctx->table->use, > + audit_nftcfgs[event].op); As an example, the below would work, yes? audit_log_nfcfg(..., (event == NFT_MSG_NEWTABLE ? AUDIT_NFT_OP_TABLE_REGISTER : AUDIT_NFT_OP_TABLE_UNREGISTER) > + kfree(buf); > > if (!ctx->report && > !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) -- paul moore www.paul-moore.com
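Review bot: the `audit_nftcfgs[]` table in the `include/linux/audit.h` hunk (`@@ -98,6 +99,57 @@`) is only correct while its row order matches `enum nf_tables_msg_types` exactly, and nothing enforces that: `nf_tables_api.c` indexes it as `audit_nftcfgs[event].op` with no bounds check, so an NFT_MSG_* value inserted into the enum shifts every later row, and one appended before NFT_MSG_MAX lands on the NFT_MSG_MAX row and is logged as invalid, with no build error in either case. If the table stays, add `BUILD_BUG_ON(ARRAY_SIZE(audit_nftcfgs) != NFT_MSG_MAX + 1);` where it is used and index the rows explicitly (`[NFT_MSG_NEWTABLE] = { NFT_MSG_NEWTABLE, AUDIT_NFT_OP_TABLE_REGISTER },`), or follow the suggestion in the reply and pass the AUDIT_NFT_OP_* constant at each call site, which removes the table entirely. Separately, a `static const` array defined in a widely included header gives every translation unit its own copy and unused-variable warnings wherever it is not referenced; a lookup like this belongs in `kernel/auditsc.c` behind a function.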
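Review bot: in the `nf_tables_table_notify()` hunk (`@@ -693,6 +694,14 @@`) the `kasprintf()` result is passed to `audit_log_nfcfg()` without a NULL check, so on allocation failure the audit call receives a NULL name; depending on how the name is formatted that is either a record with no table identity or a NULL dereference, and neither is acceptable for the one record an auditor relies on to reconstruct a table change. Either test `buf` and still emit a record carrying `ctx->family` and the op, or avoid the allocation by letting `audit_log_nfcfg()` take the name and handle as separate arguments and format them into the record itself. Emitting the record before the `ctx->report` / `nfnetlink_has_listeners()` early return is the right order: the configuration change must be audited whether or not anyone subscribes to the netlink notification.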
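One way to consume these records on the collecting side, as an added example that is not part of the patch or of the audit userspace tools: a small Python parser that splits the overloaded table field (`table=<table>:<handle>;<chain|set|flowtable>:<handle>`, with `?` where no name applies) and groups the records that share one audit serial, which is one syscall and therefore one nftables netlink batch. The sample lines are copied from the commit message above; the legacy-xtables branch assumes the unprefixed op names (`register`, `replace`, `unregister`) of the existing NETFILTER_CFG records.

```python
import re
from typing import Optional

# Sample records copied from the patch description above (ausearch -i style output).
SAMPLE_RECORDS = [
    "type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.878:162) : table=?:0;?:0 family=unspecified entries=2 op=nft_register_gen pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld",
    "type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.878:162) : table=firewalld:1;?:0 family=inet entries=0 op=nft_register_table pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld",
    "type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.911:163) : table=firewalld:1;filter_FORWARD:85 family=inet entries=101 op=nft_register_rule pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld",
    "type=NETFILTER_CFG msg=audit(2020-05-28 17:46:41.911:163) : table=firewalld:1;__set0:87 family=inet entries=87 op=nft_register_setelem pid=396 subj=system_u:system_r:firewalld_t:s0 comm=firewalld",
]

_MSG_RE = re.compile(r"msg=audit\((.+?):(\d+)\)")  # timestamp and audit serial
_KV_RE = re.compile(r"(\w+)=(\S+)")                 # key=value pairs of the record

def _name_handle(part: str):
    """Split 'name:handle'; the kernel writes '?' where no name applies."""
    name, _, handle = part.rpartition(":")
    return (None if name == "?" else name), int(handle)

def parse_nfcfg(line: str) -> Optional[dict]:
    """Parse one NETFILTER_CFG record into a dict; None for other record types."""
    m = _MSG_RE.search(line)
    f = dict(_KV_RE.findall(line))
    if not m or f.get("type") != "NETFILTER_CFG":
        return None
    ev = {"timestamp": m.group(1), "serial": int(m.group(2)), "op": f["op"],
          "family": f["family"], "entries": int(f["entries"]),
          "pid": int(f["pid"]), "comm": f["comm"]}
    if f["op"].startswith("nft_"):   # overloaded field: "table:handle;obj:handle"
        tbl, obj = f["table"].split(";", 1)
        ev["table"], ev["table_handle"] = _name_handle(tbl)
        ev["obj"], ev["obj_handle"] = _name_handle(obj)   # chain / set / flowtable
    else:                            # legacy xtables record: plain table name only
        ev.update(table=f["table"], table_handle=0, obj=None, obj_handle=0)
    return ev

def ops_by_serial(lines):
    """Group the ops sharing one audit serial, i.e. one nftables netlink batch."""
    out = {}
    for ev in filter(None, map(parse_nfcfg, lines)):
        out.setdefault(ev["serial"], []).append(ev["op"])
    return out
```

Grouping by serial is what lets a detection rule treat the chain, rule and set-element registrations of one firewalld reload as a single change rather than as unrelated events.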