Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp581073ybt; Wed, 24 Jun 2020 06:28:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxRqWOiEWjtDc1UhRtLepcMgQnFUV4NPbliRZGeYR8N4DhGdGs8x6IIRdiMLn5Q1qV4LS9r X-Received: by 2002:a17:906:7712:: with SMTP id q18mr24642955ejm.140.1593005281984; Wed, 24 Jun 2020 06:28:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593005281; cv=none; d=google.com; s=arc-20160816; b=nz6F1MwAShsKmqb2kzqjHFkqwdwWo+XeepFXaH6tJnWZAGubrLk0CdOas0Z4cC5iQ7 l2Bg1QSUsHVhWvQTgFln7WvCmA6DjrPqXfWioBpzfHw/8txl9Q1KQz1RJTfD8nlVVgDb 9rI+QRnFcWKA0ZJFmrHi80XIMJ3AatWEOVt8Ga3a6nq4G9kyKLLj/ZHxknWF4gbC6tIT pyvcqydbEWjAjWe40wCfD9PD53AchUobQtoh1IOMtGhblPFiKGn0kJUmGkBAuogbLTZr AdBDu9V7zQDYnvjw24dkR4dIOxlgRxb8NlR6qtLzmad+nNEFGumNEU89zK9z7x0kxlHx rZPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=wIjlutJVnQ4JyLVWV0SJbJ1KwaR2ltVhkWmEFPhP4jw=; b=Ji0ZpqtfK+MYmgekF6Tf3Bw1w1UwVYPzRsrHhxYQbSPMZ8ctY36eU+ZTpl8aR31ZwZ MA+P0a0Z4HuMduDSs9coyGlM50HgzVpNdPJJYa4jXfN6JZjSLpSovf6Gcg1mCGjvjPtk ZhtoK7Rm2AD1/jZ+tQfLFsLQhFp0sqdbm3BrAx83aKZ2BBV8jftOs++ZtYsiBECkhs3d 2rc5rTQslaJCDyzOHEagII1QKvB0JYC1EczKY6Vh4gZYvf4K6YxJNzvERSsSPgYTAVRe IaY910nyX6WX4hBE9bngV8auNir59K2SesancDRowyxTXpxxtTpdpeQPWq68Z/a++z96 Ny4Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=fy389RdI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o10si4513648edr.168.2020.06.24.06.27.38; Wed, 24 Jun 2020 06:28:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=fy389RdI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390611AbgFXN0g (ORCPT + 99 others); Wed, 24 Jun 2020 09:26:36 -0400 Received: from us-smtp-1.mimecast.com ([207.211.31.81]:27394 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2390427AbgFXN0f (ORCPT ); Wed, 24 Jun 2020 09:26:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1593005194; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=wIjlutJVnQ4JyLVWV0SJbJ1KwaR2ltVhkWmEFPhP4jw=; b=fy389RdIZsXarqCUb0wtdNG+u/OYt45OzOo3r7c2LtHgZ/bMk+VIUkAuIevVMI7Os9dpvj tMn8AuGNkTvZ/xDdzOujheP09RbM0NIVWZ8S7ltKKaIanX+NhH992tkl7YZ9x2BipcyAIR 35prSJpe5d41HjaP4vVbNiaghufRBc4= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-71-5o7VNEWsOf6D9biLQcYOvg-1; Wed, 24 Jun 2020 09:26:30 -0400 X-MC-Unique: 5o7VNEWsOf6D9biLQcYOvg-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 229B6EC1A3; Wed, 24 Jun 2020 13:26:29 +0000 (UTC) Received: from madcap2.tricolour.ca (unknown [10.10.110.28]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3CF5060C80; Wed, 24 Jun 2020 13:26:15 +0000 (UTC) Date: Wed, 24 Jun 2020 09:26:12 -0400 From: Richard Guy Briggs To: Pablo Neira Ayuso Cc: Linux-Audit Mailing List , LKML , netfilter-devel@vger.kernel.org, Paul Moore , sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org Subject: Re: [PATCH ghak124 v3] audit: log nftables configuration change events Message-ID: <20200624132612.fj36hwgom7qryvn7@madcap2.tricolour.ca> References: <20200624100346.GA11986@salvia> <20200624123423.r2gypsdii6xgiywy@madcap2.tricolour.ca> <20200624130304.GA549@salvia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200624130304.GA549@salvia> User-Agent: NeoMutt/20180716 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-06-24 15:03, Pablo Neira Ayuso wrote: > On Wed, Jun 24, 2020 at 08:34:23AM -0400, Richard Guy Briggs wrote: > > On 2020-06-24 12:03, Pablo Neira Ayuso wrote: > > > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote: > [...] > > > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > > > > index 3558e76e2733..b9e7440cc87d 100644 > > > > --- a/net/netfilter/nf_tables_api.c > > > > +++ b/net/netfilter/nf_tables_api.c > > > > @@ -12,6 +12,7 @@ > > > > #include > > > > #include > > > > #include > > > > +#include > > > > #include > > > > #include > > > > #include > > > > @@ -693,6 +694,16 @@ static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) > > > > { > > > > struct sk_buff *skb; > > > > int err; > > > > + char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0", > > > > + ctx->table->name, ctx->table->handle); > > > > + > > > > + audit_log_nfcfg(buf, > > > > + ctx->family, > > > > + ctx->table->use, > > > > + event == NFT_MSG_NEWTABLE ? > > > > + AUDIT_NFT_OP_TABLE_REGISTER : > > > > + AUDIT_NFT_OP_TABLE_UNREGISTER); > > > > + kfree(buf); > > > > > > As a follow up: Would you wrap this code into a function? > > > > > > nft_table_audit() > > > > > > Same thing for other pieces of code below. > > > > If I'm guessing right, you are asking for a supplementary follow-up > > cleanup patch to this one (or are you nacking this patch)? > > No nack, it's just that I'd prefer to see this wrapped in a function. > I think your patch is already in the audit tree. > > > Also, I gather you would like to see the kasprintf and kfree hidden in > > nft_table_audit(), handing this function at least 8 parameters? This > > sounds pretty messy given the format of the table field. > > I think you can pass ctx and the specific object, e.g. table, in most > cases? There is also event and the gfp_flags. That counts 4 here, but > maybe I'm overlooking something. Since every event is sufficiently different, it isn't as simple as passing ctx, unfortunately, and the table field I've overloaded with 4 bits of information for tracking the chain as well, some of which are ? that would need an in-band representation (such as -1? that might already be valid). So 4 right there, family, nentries, event, gfp for 8. I did try in the first patch to make it just one call keyed on event, but there was enough variety of information available for each message type that it became necessary to break it out. > Thanks. - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635