Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp122249pxf; Wed, 24 Mar 2021 00:25:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzZ8SEPMBkBzia3aRHspOElb2AQejOZudZsI0IMH0RpCuibBmgtBH+abI0xFlrMKKOOjII9 X-Received: by 2002:a17:907:2bd7:: with SMTP id gv23mr2191494ejc.351.1616570719490; Wed, 24 Mar 2021 00:25:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616570719; cv=none; d=google.com; s=arc-20160816; b=bH1mbA64xVJDIampO7cvpVb/GcSYADjVgIexkvYIcauIxd9Qonb9pvSVlQRsc1bRVF wwqWa5rcLOKyOZNtrVxto+SCBA95TWoc/N3R/QlcjRq4VEhGzwyRKQi1xlLbAfTTdXhJ JTiJx7ZTQQVRQTuGF3Idl8VxMd/b4BNXhyjglDa+5hVyk7IQcK2PJAPenLxkO7WOkIgD 81sIonCaxSaUB0M7RYYKAPnBA8VK5AGqKnbLUgL/BxoJJlDkXZAWYUCMH7i/KNBBdCtz lGLp9J4PuBNs9EzOg9b3HQY9fg0IYimbGJjyNiocR6tMtWmQwNTTv/+lwOvoofpy6jWh ShgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=GkZdetnJ/RGn+Z4pPWWz4Ny+F5nvWflbHDocWOrBQ3Y=; b=sduVpiH5vzRLn7PvAxbgvowadQXKWaFSr4blgo0qC2OHb3sg1yMDv+P3N4F4gWDplP G+r0DhBvZGSrpTOdAuigj1mF0jhWUvMFVSPfsM+/k5JuYK2OohdhJS8aQUa3T/nevWxX 577iFSVduii/td3w2uWwCiYbYVl1lKOUg8OxeUf9DiebdB9j01Fiw5NMqgONvx4pS2u4 ieei324iS+Bx1C++/nz4LC0KKHFjhL8t0al3RE+WgLqAWm3VsyFBfKr7fjTocPFmmAws DOXIlj5TyR0Gf1T4I0p3/XW7N0xpNbcU+fZ9RRuW6qvbSe1koJjxvHGd1ZprDLCIpX16 DYMQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=a05VLcJV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a9si1130887ejk.421.2021.03.24.00.24.57; Wed, 24 Mar 2021 00:25:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=a05VLcJV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231433AbhCWTmD (ORCPT + 99 others); Tue, 23 Mar 2021 15:42:03 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:60765 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231319AbhCWTla (ORCPT ); Tue, 23 Mar 2021 15:41:30 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1616528489; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=GkZdetnJ/RGn+Z4pPWWz4Ny+F5nvWflbHDocWOrBQ3Y=; b=a05VLcJVX3Hbf7laemX1mTcR8IzqE5JNnVbjhco8h6k8sd9pA+jY+FaqfBUdu8Y4fSvRN0 8VWmv7hXUbWRu+uLU8rEhF5ZvXHylGtXGu67ZWXkR5X8Dl29dxCfSiF6oQOaMtgNoQ7Hg/ J6hyMeCSw/dR1F1r3MMJhRZrK6jyXt4= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-393-FOOEddgPPD6lvPahttzEEQ-1; Tue, 23 Mar 2021 15:41:27 -0400 X-MC-Unique: FOOEddgPPD6lvPahttzEEQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9746B84BA40; Tue, 23 Mar 2021 19:41:25 +0000 (UTC) Received: from madcap2.tricolour.ca (unknown [10.10.110.27]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2C5FD60BE5; Tue, 23 Mar 2021 19:41:17 +0000 (UTC) Date: Tue, 23 Mar 2021 15:41:15 -0400 From: Richard Guy Briggs To: Pablo Neira Ayuso Cc: Jones Desougi , Phil Sutter , Florian Westphal , LKML , Linux-Audit Mailing List , netfilter-devel@vger.kernel.org, twoerner@redhat.com, Eric Paris , tgraf@infradead.org, dan.carpenter@oracle.com Subject: Re: [PATCH v2] audit: log nftables configuration change events once per table Message-ID: <20210323194115.GA3112383@madcap2.tricolour.ca> References: <2a6d8eb6058a6961cfb6439b31dcfadcce9596a8.1616445965.git.rgb@redhat.com> <20210322225747.GA24562@salvia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210322225747.GA24562@salvia> User-Agent: Mutt/1.10.1 (2018-07-13) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021-03-22 23:57, Pablo Neira Ayuso wrote: > On Mon, Mar 22, 2021 at 04:49:04PM -0400, Richard Guy Briggs wrote: > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > > index c1eb5cdb3033..42ba44890523 100644 > > --- a/net/netfilter/nf_tables_api.c > > +++ b/net/netfilter/nf_tables_api.c > [...] > > @@ -8006,12 +7938,47 @@ static void nft_commit_notify(struct net *net, u32 portid) > > WARN_ON_ONCE(!list_empty(&net->nft.notify_list)); > > } > > > > +void nf_tables_commit_audit_collect(struct list_head *adl, > > + struct nft_trans *trans) { > > nitpick: curly brace starts in the line. Duh, whoops! Brain fart. Too much muckin' in other codebases... > > + struct nft_audit_data *adp; > > + > > + list_for_each_entry(adp, adl, list) { > > + if (adp->table == trans->ctx.table) > > + goto found; > > + } > > + adp = kzalloc(sizeof(*adp), GFP_KERNEL); > > if (!adp) > ... This will need a bit more work since by the time this is called, nf_tables_commit() is not prepared to accept any errors, so I'll need to either ignore the error and continue, or allocate the table entries before step 3. > > + adp->table = trans->ctx.table; > > + INIT_LIST_HEAD(&adp->list); > > + list_add(&adp->list, adl); > > +found: > > + adp->entries++; > > + if (!adp->op || adp->op > trans->msg_type) > > + adp->op = trans->msg_type; > > +} > > + > > +#define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) > > + > > +void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) { > ^ > same thing here > > > + struct nft_audit_data *adp, *adn; > > + char aubuf[AUNFTABLENAMELEN]; > > + > > + list_for_each_entry_safe(adp, adn, adl, list) { > > + snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, > > + generation); > > + audit_log_nfcfg(aubuf, adp->table->family, adp->entries, > > + nft2audit_op[adp->op], GFP_KERNEL); > > + list_del(&adp->list); > > + kfree(adp); > > + } > > +} > > + > > static int nf_tables_commit(struct net *net, struct sk_buff *skb) > > { > > struct nft_trans *trans, *next; > > struct nft_trans_elem *te; > > struct nft_chain *chain; > > struct nft_table *table; > > + LIST_HEAD(adl); > > int err; > > > > if (list_empty(&net->nft.commit_list)) { > > @@ -8206,12 +8173,15 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) > > } > > break; > > } > > + nf_tables_commit_audit_collect(&adl, trans); > > } > > > > nft_commit_notify(net, NETLINK_CB(skb).portid); > > nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); > > nf_tables_commit_release(net); > > > > + nf_tables_commit_audit_log(&adl, net->nft.base_seq); > > + > > This looks more self-contained and nicer, thanks. > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://listman.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635