From: Richard Guy Briggs <rgb@redhat.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>, LKML <linux-kernel@vger.kernel.org>, netfilter-devel@vger.kernel.org, Paul Moore <paul@paul-moore.com>, sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org
Subject: Re: [PATCH ghak124 v3] audit: log nftables configuration change events
Date: Wed, 24 Jun 2020 09:26:12 -0400
Message-ID: <20200624132612.fj36hwgom7qryvn7@madcap2.tricolour.ca>
In-Reply-To: <20200624130304.GA549@salvia>

On 2020-06-24 15:03, Pablo Neira Ayuso wrote:
> On Wed, Jun 24, 2020 at 08:34:23AM -0400, Richard Guy Briggs wrote:
> > On 2020-06-24 12:03, Pablo Neira Ayuso wrote:
> > > On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote:
> [...]
> > > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > > > index 3558e76e2733..b9e7440cc87d 100644
> > > > --- a/net/netfilter/nf_tables_api.c
> > > > +++ b/net/netfilter/nf_tables_api.c
> > > > @@ -12,6 +12,7 @@
> > > > #include <linux/netlink.h>
> > > > #include <linux/vmalloc.h>
> > > > #include <linux/rhashtable.h>
> > > > +#include <linux/audit.h>
> > > > #include <linux/netfilter.h>
> > > > #include <linux/netfilter/nfnetlink.h>
> > > > #include <linux/netfilter/nf_tables.h>
> > > > @@ -693,6 +694,16 @@ static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
> > > > {
> > > > struct sk_buff *skb;
> > > > int err;
> > > > + char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
> > > > + ctx->table->name, ctx->table->handle);
> > > > +
> > > > + audit_log_nfcfg(buf,
> > > > + ctx->family,
> > > > + ctx->table->use,
> > > > + event == NFT_MSG_NEWTABLE ?
> > > > + AUDIT_NFT_OP_TABLE_REGISTER :
> > > > + AUDIT_NFT_OP_TABLE_UNREGISTER);
> > > > + kfree(buf);
> > >
> > > As a follow up: Would you wrap this code into a function?
> > >
> > > nft_table_audit()
> > >
> > > Same thing for other pieces of code below.
> >
> > If I'm guessing right, you are asking for a supplementary follow-up
> > cleanup patch to this one (or are you nacking this patch)?
>
> No nack, it's just that I'd prefer to see this wrapped in a function.
> I think your patch is already in the audit tree.
>
> > Also, I gather you would like to see the kasprintf and kfree hidden in
> > nft_table_audit(), handing this function at least 8 parameters? This
> > sounds pretty messy given the format of the table field.
>
> I think you can pass ctx and the specific object, e.g. table, in most
> cases? There is also event and the gfp_flags. That counts 4 here, but
> maybe I'm overlooking something.

Since every event is sufficiently different, it isn't as simple as
passing ctx, unfortunately, and the table field I've overloaded with 4
bits of information for tracking the chain as well, some of which are ?
that would need an in-band representation (such as -1? that might
already be valid). So 4 right there, family, nentries, event, gfp for 8.
I did try in the first patch to make it just one call keyed on event,
but there was enough variety of information available for each message
type that it became necessary to break it out.

> Thanks.

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
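Review bot: in the second quoted hunk (nf_tables_table_notify), kasprintf() can return NULL when the allocation fails, but buf is handed straight to audit_log_nfcfg() with no check, so a NULL name would reach the audit record formatting; guard the audit call on a non-NULL buf (for example `if (buf) audit_log_nfcfg(buf, ...);`) rather than returning early, so the netlink notification is still delivered when only the audit string could not be allocated.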