From: Richard Guy Briggs <rgb@redhat.com> To: Linux-Audit Mailing List <linux-audit@redhat.com>, LKML <linux-kernel@vger.kernel.org>, netfilter-devel@vger.kernel.org Cc: Paul Moore <paul@paul-moore.com>, sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org, Richard Guy Briggs <rgb@redhat.com> Subject: [PATCH ghak25 v5] audit: add subj creds to NETFILTER_CFG record to cover async unregister Date: Tue, 19 May 2020 11:30:42 -0400 [thread overview] Message-ID: <2794b22c0b88637a4270b346e52aeb8db7f59457.1589853445.git.rgb@redhat.com> (raw) Some table unregister actions seem to be initiated by the kernel to garbage collect unused tables that are not initiated by any userspace actions. It was found to be necessary to add the subject credentials to cover this case to reveal the source of these actions. A sample record: The tty, ses and exe fields have not been included since they are in the SYSCALL record and contain nothing useful in the non-user context. type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 uid=root auid=unset subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- Changelog: v5 - rebase on upstreamed ghak28 on audit/next v5.7-rc1 - remove tty, ses and exe fields as duplicates or unset - drop upstreamed patches 1&2 from set v4 - rebase on audit/next v5.7-rc1 - fix checkpatch.pl errors/warnings in 1/3 and 2/3 v3 - rebase on v5.6-rc1 audit/next - change audit_nf_cfg to audit_log_nfcfg - squash 2,3,4,5 to 1 and update patch descriptions - add subject credentials to cover garbage collecting kernel threads v2 - Rebase (audit/next 5.5-rc1) to get audit_context access and ebt_register_table ret code - Split x_tables and ebtables updates - Check audit_dummy_context - Store struct audit_nfcfg params in audit_context, abstract to audit_nf_cfg() call - Restore back to "table, family, entries" from "family, table, entries" - Log unregistration of tables - Add "op=" at the end of the AUDIT_NETFILTER_CFG record - Defer nsid patch (ghak79) to once nsid patchset upstreamed (ghak32) - Add ghak refs - Ditch NETFILTER_CFGSOLO record kernel/auditsc.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index cfe3486e5f31..a07ca529ede9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2557,12 +2557,24 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, enum audit_nfcfgop op) { struct audit_buffer *ab; + const struct cred *cred; + struct tty_struct *tty; + char comm[sizeof(current->comm)]; ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG); if (!ab) return; audit_log_format(ab, "table=%s family=%u entries=%u op=%s", name, af, nentries, audit_nfcfgs[op].s); + + cred = current_cred(); + audit_log_format(ab, " pid=%u uid=%u auid=%u", + task_pid_nr(current), + from_kuid(&init_user_ns, cred->uid), + from_kuid(&init_user_ns, audit_get_loginuid(current))); + audit_log_task_context(ab); /* subj= */ + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); audit_log_end(ab); } EXPORT_SYMBOL_GPL(__audit_log_nfcfg); -- 1.8.3.1
WARNING: multiple messages have this Message-ID (diff)
From: Richard Guy Briggs <rgb@redhat.com> To: Linux-Audit Mailing List <linux-audit@redhat.com>, LKML <linux-kernel@vger.kernel.org>, netfilter-devel@vger.kernel.org Cc: Richard Guy Briggs <rgb@redhat.com>, fw@strlen.de, twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org Subject: [PATCH ghak25 v5] audit: add subj creds to NETFILTER_CFG record to cover async unregister Date: Tue, 19 May 2020 11:30:42 -0400 [thread overview] Message-ID: <2794b22c0b88637a4270b346e52aeb8db7f59457.1589853445.git.rgb@redhat.com> (raw) Some table unregister actions seem to be initiated by the kernel to garbage collect unused tables that are not initiated by any userspace actions. It was found to be necessary to add the subject credentials to cover this case to reveal the source of these actions. A sample record: The tty, ses and exe fields have not been included since they are in the SYSCALL record and contain nothing useful in the non-user context. type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 uid=root auid=unset subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- Changelog: v5 - rebase on upstreamed ghak28 on audit/next v5.7-rc1 - remove tty, ses and exe fields as duplicates or unset - drop upstreamed patches 1&2 from set v4 - rebase on audit/next v5.7-rc1 - fix checkpatch.pl errors/warnings in 1/3 and 2/3 v3 - rebase on v5.6-rc1 audit/next - change audit_nf_cfg to audit_log_nfcfg - squash 2,3,4,5 to 1 and update patch descriptions - add subject credentials to cover garbage collecting kernel threads v2 - Rebase (audit/next 5.5-rc1) to get audit_context access and ebt_register_table ret code - Split x_tables and ebtables updates - Check audit_dummy_context - Store struct audit_nfcfg params in audit_context, abstract to audit_nf_cfg() call - Restore back to "table, family, entries" from "family, table, entries" - Log unregistration of tables - Add "op=" at the end of the AUDIT_NETFILTER_CFG record - Defer nsid patch (ghak79) to once nsid patchset upstreamed (ghak32) - Add ghak refs - Ditch NETFILTER_CFGSOLO record kernel/auditsc.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index cfe3486e5f31..a07ca529ede9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2557,12 +2557,24 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries, enum audit_nfcfgop op) { struct audit_buffer *ab; + const struct cred *cred; + struct tty_struct *tty; + char comm[sizeof(current->comm)]; ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG); if (!ab) return; audit_log_format(ab, "table=%s family=%u entries=%u op=%s", name, af, nentries, audit_nfcfgs[op].s); + + cred = current_cred(); + audit_log_format(ab, " pid=%u uid=%u auid=%u", + task_pid_nr(current), + from_kuid(&init_user_ns, cred->uid), + from_kuid(&init_user_ns, audit_get_loginuid(current))); + audit_log_task_context(ab); /* subj= */ + audit_log_format(ab, " comm="); + audit_log_untrustedstring(ab, get_task_comm(comm, current)); audit_log_end(ab); } EXPORT_SYMBOL_GPL(__audit_log_nfcfg); -- 1.8.3.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
next reply other threads:[~2020-05-19 15:31 UTC|newest] Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-05-19 15:30 Richard Guy Briggs [this message] 2020-05-19 15:30 ` [PATCH ghak25 v5] audit: add subj creds to NETFILTER_CFG record to cover async unregister Richard Guy Briggs 2020-05-19 19:18 ` Paul Moore 2020-05-19 19:18 ` Paul Moore 2020-05-19 19:44 ` Richard Guy Briggs 2020-05-19 19:44 ` Richard Guy Briggs 2020-05-19 19:59 ` Paul Moore 2020-05-19 19:59 ` Paul Moore
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=2794b22c0b88637a4270b346e52aeb8db7f59457.1589853445.git.rgb@redhat.com \ --to=rgb@redhat.com \ --cc=eparis@parisplace.org \ --cc=fw@strlen.de \ --cc=linux-audit@redhat.com \ --cc=linux-kernel@vger.kernel.org \ --cc=netfilter-devel@vger.kernel.org \ --cc=omosnace@redhat.com \ --cc=paul@paul-moore.com \ --cc=sgrubb@redhat.com \ --cc=tgraf@infradead.org \ --cc=twoerner@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.