From: Paul Moore
Date: Mon, 1 Jun 2020 20:12:52 -0400
Subject: Re: [PATCH ghak124 v2] audit: log nftables configuration change events
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, Ondrej Mosnacek, fw@strlen.de, twoerner@redhat.com, Eric Paris, tgraf@infradead.org
References: <20200601225833.ut2wayc6xqefwveo@madcap2.tricolour.ca>
In-Reply-To: <20200601225833.ut2wayc6xqefwveo@madcap2.tricolour.ca>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 1, 2020 at 6:58 PM Richard Guy Briggs wrote:
> On 2020-06-01 12:10, Paul Moore wrote:
> > On Thu, May 28, 2020 at 9:44 PM Richard Guy Briggs wrote:

...

> > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > > index 4471393da6d8..7a386eca6e04 100644
> > > --- a/net/netfilter/nf_tables_api.c
> > > +++ b/net/netfilter/nf_tables_api.c
> > > @@ -12,6 +12,7 @@
> > > #include
> > > #include
> > > #include
> > > +#include
> > > #include
> > > #include
> > > #include
> > > @@ -693,6 +694,14 @@ static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
> > > {
> > > struct sk_buff *skb;
> > > int err;
> > > + char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
> > > + ctx->table->name, ctx->table->handle);
> > > +
> > > + audit_log_nfcfg(buf,
> > > + ctx->family,
> > > + ctx->table->use,
> > > + audit_nftcfgs[event].op);
> >
> > As an example, the below would work, yes?
> >
> > audit_log_nfcfg(...,
> > (event == NFT_MSG_NEWTABLE ?
> > AUDIT_NFT_OP_TABLE_REGISTER :
> > AUDIT_NFT_OP_TABLE_UNREGISTER)
>
> Ok, I see what you are getting at now... Yes, it could be done this
> way, but it seems noisier to me.

I'll admit it is not as clean, but it doesn't hide the mapping between
the netfilter operation and the audit operation which hopefully makes
it clear to those modifying the netfilter/nf_tables/etc. code that
there is an audit impact. I'm basically trying to make sure the code
is as robust as possible in the face of subsystem changes beyond the
audit subsystem.

--
paul moore
www.paul-moore.com
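Review bot: the kasprintf() call at the top of the nf_tables_table_notify() hunk can return NULL on allocation failure, and the visible lines pass buf straight into audit_log_nfcfg() without checking it; either test buf before the call or confirm that audit_log_nfcfg() tolerates a NULL name. The "%s:%llu;?:0" format string also deserves a comment in the hunk, since the meaning of the ";?:0" suffix is not evident from the code shown. On the audit_nftcfgs[event].op lookup, the concern raised in this thread applies in a second way: no bounds check on event is visible in the hunk, so an nf_tables message type added later without a matching table entry would be mapped silently rather than rejected.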
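As an added illustration of the robustness point argued above (this is not code from the patch or from the kernel; the enums are constructed stand-ins, and NFT_MSG_NEWCHAIN plays the part of an event added after the audit mapping was written), here is a table lookup in the style of audit_nftcfgs[event].op beside an explicit per-event mapping, showing what each does when the event list grows.

```c
#include <stddef.h>

/* Stand-in for the nf_tables message types (constructed subset, not the
 * kernel header); NFT_MSG_NEWCHAIN plays the part of an event added after
 * the audit mapping was written. */
enum nft_event { NFT_MSG_NEWTABLE, NFT_MSG_GETTABLE, NFT_MSG_DELTABLE, NFT_MSG_NEWCHAIN };

/* Stand-in for the audit operation codes (constructed values). */
enum audit_nft_op {
	AUDIT_NFT_OP_INVALID = -1,
	AUDIT_NFT_OP_TABLE_REGISTER,
	AUDIT_NFT_OP_TABLE_UNREGISTER,
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Table-driven mapping in the style of audit_nftcfgs[event].op. It covers
 * the three table events only; nothing ties its length to the enum. */
static const struct { enum audit_nft_op op; } audit_nftcfgs[] = {
	[NFT_MSG_NEWTABLE] = { AUDIT_NFT_OP_TABLE_REGISTER },
	[NFT_MSG_GETTABLE] = { AUDIT_NFT_OP_INVALID },
	[NFT_MSG_DELTABLE] = { AUDIT_NFT_OP_TABLE_UNREGISTER },
};

/* Without the bounds check, NFT_MSG_NEWCHAIN reads one entry past the end
 * and nothing tells the caller that the mapping is stale. */
enum audit_nft_op op_via_table(enum nft_event event)
{
	if ((size_t)event >= ARRAY_SIZE(audit_nftcfgs))
		return AUDIT_NFT_OP_INVALID;
	return audit_nftcfgs[event].op;
}

/* Explicit mapping at the call site, in the spirit of the conditional
 * suggested in the thread. No default case on purpose: the unhandled
 * NFT_MSG_NEWCHAIN makes -Wswitch warn at compile time, the signal a
 * table lookup never gives. */
enum audit_nft_op op_via_switch(enum nft_event event)
{
	switch (event) {
	case NFT_MSG_NEWTABLE:
		return AUDIT_NFT_OP_TABLE_REGISTER;
	case NFT_MSG_DELTABLE:
		return AUDIT_NFT_OP_TABLE_UNREGISTER;
	case NFT_MSG_GETTABLE:
		return AUDIT_NFT_OP_INVALID; /* read-only, nothing to audit */
	}
	return AUDIT_NFT_OP_INVALID; /* reached only for values the switch does not know */
}
```

Compile with -Wall to see the switch warning for NFT_MSG_NEWCHAIN; the table version compiles silently and only the explicit bounds check keeps it from returning garbage.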