* [PATCH V3] audit: normalize NETFILTER_PKT
@ 2017-02-26 20:49 Richard Guy Briggs
2017-02-28 22:22 ` Paul Moore
0 siblings, 1 reply; 17+ messages in thread
From: Richard Guy Briggs @ 2017-02-26 20:49 UTC (permalink / raw)
To: Netfilter Developer Mailing List, linux-audit
Cc: Richard Guy Briggs, Thomas Woerner, Thomas Graf, Eric Paris,
Paul Moore, Steve Grubb
Eliminate flipping in and out of message fields, dropping fields in the process.
Sample raw message format IPv4 UDP:
type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
Sample raw message format IPv6 ICMP6:
type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
Issue: https://github.com/linux-audit/audit-kernel/issues/11
Test case: https://github.com/linux-audit/audit-testsuite/issues/43
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
1 files changed, 27 insertions(+), 95 deletions(-)
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 4973cbd..945fa29 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
MODULE_ALIAS("ebt_AUDIT");
MODULE_ALIAS("arpt_AUDIT");
-static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
- unsigned int proto, unsigned int offset)
-{
- switch (proto) {
- case IPPROTO_TCP:
- case IPPROTO_UDP:
- case IPPROTO_UDPLITE: {
- const __be16 *pptr;
- __be16 _ports[2];
-
- pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
- if (pptr == NULL) {
- audit_log_format(ab, " truncated=1");
- return;
- }
-
- audit_log_format(ab, " sport=%hu dport=%hu",
- ntohs(pptr[0]), ntohs(pptr[1]));
- }
- break;
-
- case IPPROTO_ICMP:
- case IPPROTO_ICMPV6: {
- const u8 *iptr;
- u8 _ih[2];
-
- iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
- if (iptr == NULL) {
- audit_log_format(ab, " truncated=1");
- return;
- }
-
- audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
- iptr[0], iptr[1]);
-
- }
- break;
- }
-}
-
-static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
{
struct iphdr _iph;
const struct iphdr *ih;
ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
- if (!ih) {
- audit_log_format(ab, " truncated=1");
- return;
- }
+ if (!ih)
+ return false;
- audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
- &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
+ audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+ &ih->saddr, &ih->daddr, ih->protocol);
- if (ntohs(ih->frag_off) & IP_OFFSET) {
- audit_log_format(ab, " frag=1");
- return;
- }
-
- audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+ return true;
}
-static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
{
struct ipv6hdr _ip6h;
const struct ipv6hdr *ih;
u8 nexthdr;
__be16 frag_off;
- int offset;
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
- if (!ih) {
- audit_log_format(ab, " truncated=1");
- return;
- }
+ if (!ih)
+ return false;
nexthdr = ih->nexthdr;
- offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
- &nexthdr, &frag_off);
+ ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
&ih->saddr, &ih->daddr, nexthdr);
- if (offset)
- audit_proto(ab, skb, nexthdr, offset);
+ return true;
}
static unsigned int
audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
- const struct xt_audit_info *info = par->targinfo;
struct audit_buffer *ab;
+ int fam = -1;
if (audit_enabled == 0)
goto errout;
-
ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
if (ab == NULL)
goto errout;
- audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
- info->type, par->hooknum, skb->len,
- par->in ? par->in->name : "?",
- par->out ? par->out->name : "?");
-
- if (skb->mark)
- audit_log_format(ab, " mark=%#x", skb->mark);
-
- if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
- audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
- ntohs(eth_hdr(skb)->h_proto));
+ audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
- if (par->family == NFPROTO_BRIDGE) {
+ switch (par->family) {
+ case NFPROTO_BRIDGE: {
switch (eth_hdr(skb)->h_proto) {
case htons(ETH_P_IP):
- audit_ip4(ab, skb);
+ fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
break;
-
case htons(ETH_P_IPV6):
- audit_ip6(ab, skb);
+ fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
break;
}
+ break;
}
+ case NFPROTO_IPV4:
+ fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
+ break;
+
+ case NFPROTO_IPV6:
+ fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
+ break;
}
- switch (par->family) {
- case NFPROTO_IPV4:
- audit_ip4(ab, skb);
- break;
-
- case NFPROTO_IPV6:
- audit_ip6(ab, skb);
- break;
- }
-
-#ifdef CONFIG_NETWORK_SECMARK
- if (skb->secmark)
- audit_log_secctx(ab, skb->secmark);
-#endif
+ if (fam == -1)
+ audit_log_format(ab, " saddr=? daddr=? proto=-1");
audit_log_end(ab);
--
1.7.1
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-02-26 20:49 [PATCH V3] audit: normalize NETFILTER_PKT Richard Guy Briggs
@ 2017-02-28 22:22 ` Paul Moore
2017-03-01 16:28 ` Richard Guy Briggs
0 siblings, 1 reply; 17+ messages in thread
From: Paul Moore @ 2017-02-28 22:22 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> Eliminate flipping in and out of message fields, dropping fields in the process.
>
> Sample raw message format IPv4 UDP:
> type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> Sample raw message format IPv6 ICMP6:
> type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
>
> Issue: https://github.com/linux-audit/audit-kernel/issues/11
> Test case: https://github.com/linux-audit/audit-testsuite/issues/43
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
> 1 files changed, 27 insertions(+), 95 deletions(-)
>
> diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> index 4973cbd..945fa29 100644
> --- a/net/netfilter/xt_AUDIT.c
> +++ b/net/netfilter/xt_AUDIT.c
> @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
...
> -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> {
> struct iphdr _iph;
> const struct iphdr *ih;
>
> ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
It seems like we should be using skb_network_offset(skb) instead of 0
above, yes? Granted, this isn't new, but let's fix it.
> - if (!ih) {
> - audit_log_format(ab, " truncated=1");
> - return;
> - }
> + if (!ih)
> + return false;
>
> - audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
> - &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
> + audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
> + &ih->saddr, &ih->daddr, ih->protocol);
>
> - if (ntohs(ih->frag_off) & IP_OFFSET) {
> - audit_log_format(ab, " frag=1");
> - return;
> - }
> -
> - audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
> + return true;
> }
...
> static unsigned int
> audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> {
> - const struct xt_audit_info *info = par->targinfo;
> struct audit_buffer *ab;
> + int fam = -1;
>
> if (audit_enabled == 0)
> goto errout;
> -
> ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> if (ab == NULL)
> goto errout;
>
> - audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
> - info->type, par->hooknum, skb->len,
> - par->in ? par->in->name : "?",
> - par->out ? par->out->name : "?");
> -
> - if (skb->mark)
> - audit_log_format(ab, " mark=%#x", skb->mark);
> -
> - if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
> - audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
> - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
> - ntohs(eth_hdr(skb)->h_proto));
> + audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
How do Steve's userspace tools like the unset/-1 value represented
when it is a hex value: -1 or 0xffffffff?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-02-28 22:22 ` Paul Moore
@ 2017-03-01 16:28 ` Richard Guy Briggs
2017-03-01 16:45 ` Pablo Neira Ayuso
2017-03-01 22:19 ` Paul Moore
0 siblings, 2 replies; 17+ messages in thread
From: Richard Guy Briggs @ 2017-03-01 16:28 UTC (permalink / raw)
To: Paul Moore
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On 2017-02-28 17:22, Paul Moore wrote:
> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > Eliminate flipping in and out of message fields, dropping fields in the process.
> >
> > Sample raw message format IPv4 UDP:
> > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> > Sample raw message format IPv6 ICMP6:
> > type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
> >
> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
> > 1 files changed, 27 insertions(+), 95 deletions(-)
> >
> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> > index 4973cbd..945fa29 100644
> > --- a/net/netfilter/xt_AUDIT.c
> > +++ b/net/netfilter/xt_AUDIT.c
> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
>
> ...
>
> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> > +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> > {
> > struct iphdr _iph;
> > const struct iphdr *ih;
> >
> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
>
> It seems like we should be using skb_network_offset(skb) instead of 0
> above, yes? Granted, this isn't new, but let's fix it.
Yes, I agree. How does this even work now? Maybe the MAC header hasn't
been added yet (or has already been processed and stripped off) so that
skb->data is already pointing at the network header and hence has an
offset of 0. Can you be more explicit and elaborate to say if this what
you were thinking?
This should be a seperate bug fix patch rather than fixing it in the
noise of this substantial re-arrangement.
> > - if (!ih) {
> > - audit_log_format(ab, " truncated=1");
> > - return;
> > - }
> > + if (!ih)
> > + return false;
> >
> > - audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
> > - &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
> > + audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
> > + &ih->saddr, &ih->daddr, ih->protocol);
> >
> > - if (ntohs(ih->frag_off) & IP_OFFSET) {
> > - audit_log_format(ab, " frag=1");
> > - return;
> > - }
> > -
> > - audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
> > + return true;
> > }
>
> ...
>
> > static unsigned int
> > audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> > {
> > - const struct xt_audit_info *info = par->targinfo;
> > struct audit_buffer *ab;
> > + int fam = -1;
> >
> > if (audit_enabled == 0)
> > goto errout;
> > -
> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> > if (ab == NULL)
> > goto errout;
> >
> > - audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
> > - info->type, par->hooknum, skb->len,
> > - par->in ? par->in->name : "?",
> > - par->out ? par->out->name : "?");
> > -
> > - if (skb->mark)
> > - audit_log_format(ab, " mark=%#x", skb->mark);
> > -
> > - if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
> > - audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
> > - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
> > - ntohs(eth_hdr(skb)->h_proto));
> > + audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
>
> How do Steve's userspace tools like the unset/-1 value represented
> when it is a hex value: -1 or 0xffffffff?
My understanding is they are set up to cope with this.
> paul moore
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-01 16:28 ` Richard Guy Briggs
@ 2017-03-01 16:45 ` Pablo Neira Ayuso
2017-03-01 22:19 ` Paul Moore
1 sibling, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2017-03-01 16:45 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: Paul Moore, Netfilter Developer Mailing List, linux-audit,
Thomas Woerner, Thomas Graf
On Wed, Mar 01, 2017 at 11:28:02AM -0500, Richard Guy Briggs wrote:
> On 2017-02-28 17:22, Paul Moore wrote:
> > On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > > Eliminate flipping in and out of message fields, dropping fields in the process.
> > >
> > > Sample raw message format IPv4 UDP:
> > > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> > > Sample raw message format IPv6 ICMP6:
> > > type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
> > >
> > > Issue: https://github.com/linux-audit/audit-kernel/issues/11
> > > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
> > >
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > ---
> > > net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
> > > 1 files changed, 27 insertions(+), 95 deletions(-)
> > >
> > > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> > > index 4973cbd..945fa29 100644
> > > --- a/net/netfilter/xt_AUDIT.c
> > > +++ b/net/netfilter/xt_AUDIT.c
> > > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
> >
> > ...
> >
> > > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> > > +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> > > {
> > > struct iphdr _iph;
> > > const struct iphdr *ih;
> > >
> > > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> >
> > It seems like we should be using skb_network_offset(skb) instead of 0
> > above, yes? Granted, this isn't new, but let's fix it.
>
> Yes, I agree. How does this even work now? Maybe the MAC header hasn't
> been added yet (or has already been processed and stripped off) so that
> skb->data is already pointing at the network header and hence has an
> offset of 0. Can you be more explicit and elaborate to say if this what
> you were thinking?
skb_header_pointer() takes data from skb->data and packet flowing
through netfilter are guaranteed to find the network header at
skb->data.
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-01 16:28 ` Richard Guy Briggs
2017-03-01 16:45 ` Pablo Neira Ayuso
@ 2017-03-01 22:19 ` Paul Moore
2017-03-01 22:34 ` Richard Guy Briggs
1 sibling, 1 reply; 17+ messages in thread
From: Paul Moore @ 2017-03-01 22:19 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-02-28 17:22, Paul Moore wrote:
>> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> > Eliminate flipping in and out of message fields, dropping fields in the process.
>> >
>> > Sample raw message format IPv4 UDP:
>> > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
>> > Sample raw message format IPv6 ICMP6:
>> > type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
>> >
>> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
>> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
>> >
>> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>> > ---
>> > net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
>> > 1 files changed, 27 insertions(+), 95 deletions(-)
>> >
>> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
>> > index 4973cbd..945fa29 100644
>> > --- a/net/netfilter/xt_AUDIT.c
>> > +++ b/net/netfilter/xt_AUDIT.c
>> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
>>
>> ...
>>
>> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
>> > +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
>> > {
>> > struct iphdr _iph;
>> > const struct iphdr *ih;
>> >
>> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
>>
>> It seems like we should be using skb_network_offset(skb) instead of 0
>> above, yes? Granted, this isn't new, but let's fix it.
>
> Yes, I agree. How does this even work now? Maybe the MAC header hasn't
> been added yet (or has already been processed and stripped off) so that
> skb->data is already pointing at the network header and hence has an
> offset of 0. Can you be more explicit and elaborate to say if this what
> you were thinking?
Unfortunately, not really, I haven't thought through of all the
situations and it has been a long time since I've had to worry about
things like this. I think we are in agreement that it needs to
change, so let's just make the change.
> This should be a seperate bug fix patch rather than fixing it in the
> noise of this substantial re-arrangement.
That's fine, but please send it as one patchset. Also, to get ahead
of the next likely question, no I don't think the skb_network_offset()
fix is -stable worthy at the moment.
>> > - if (!ih) {
>> > - audit_log_format(ab, " truncated=1");
>> > - return;
>> > - }
>> > + if (!ih)
>> > + return false;
>> >
>> > - audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
>> > - &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
>> > + audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
>> > + &ih->saddr, &ih->daddr, ih->protocol);
>> >
>> > - if (ntohs(ih->frag_off) & IP_OFFSET) {
>> > - audit_log_format(ab, " frag=1");
>> > - return;
>> > - }
>> > -
>> > - audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
>> > + return true;
>> > }
>>
>> ...
>>
>> > static unsigned int
>> > audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
>> > {
>> > - const struct xt_audit_info *info = par->targinfo;
>> > struct audit_buffer *ab;
>> > + int fam = -1;
>> >
>> > if (audit_enabled == 0)
>> > goto errout;
>> > -
>> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>> > if (ab == NULL)
>> > goto errout;
>> >
>> > - audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
>> > - info->type, par->hooknum, skb->len,
>> > - par->in ? par->in->name : "?",
>> > - par->out ? par->out->name : "?");
>> > -
>> > - if (skb->mark)
>> > - audit_log_format(ab, " mark=%#x", skb->mark);
>> > -
>> > - if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
>> > - audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
>> > - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
>> > - ntohs(eth_hdr(skb)->h_proto));
>> > + audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
>>
>> How do Steve's userspace tools like the unset/-1 value represented
>> when it is a hex value: -1 or 0xffffffff?
>
> My understanding is they are set up to cope with this.
How does userspace distinguish between an unset nfmark and a nfmark of
0xffffffff?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-01 22:19 ` Paul Moore
@ 2017-03-01 22:34 ` Richard Guy Briggs
2017-03-03 0:16 ` Paul Moore
0 siblings, 1 reply; 17+ messages in thread
From: Richard Guy Briggs @ 2017-03-01 22:34 UTC (permalink / raw)
To: Paul Moore
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On 2017-03-01 17:19, Paul Moore wrote:
> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-02-28 17:22, Paul Moore wrote:
> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> >> > Eliminate flipping in and out of message fields, dropping fields in the process.
> >> >
> >> > Sample raw message format IPv4 UDP:
> >> > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> >> > Sample raw message format IPv6 ICMP6:
> >> > type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
> >> >
> >> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
> >> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
> >> >
> >> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> >> > ---
> >> > net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
> >> > 1 files changed, 27 insertions(+), 95 deletions(-)
> >> >
> >> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> >> > index 4973cbd..945fa29 100644
> >> > --- a/net/netfilter/xt_AUDIT.c
> >> > +++ b/net/netfilter/xt_AUDIT.c
> >> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
> >>
> >> ...
> >>
> >> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> > +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> > {
> >> > struct iphdr _iph;
> >> > const struct iphdr *ih;
> >> >
> >> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> >>
> >> It seems like we should be using skb_network_offset(skb) instead of 0
> >> above, yes? Granted, this isn't new, but let's fix it.
> >
> > Yes, I agree. How does this even work now? Maybe the MAC header hasn't
> > been added yet (or has already been processed and stripped off) so that
> > skb->data is already pointing at the network header and hence has an
> > offset of 0. Can you be more explicit and elaborate to say if this what
> > you were thinking?
>
> Unfortunately, not really, I haven't thought through of all the
> situations and it has been a long time since I've had to worry about
> things like this. I think we are in agreement that it needs to
> change, so let's just make the change.
Given Pablo's assurances, this could go either way, fix audit_ip4 to use
skb_network_offset() or fix audit_ip6 to use zero. I don't have a
strong opinion, but using zero would be more efficient while using
skb_network_offset() would remove the doubt. Either way, the
consistency will avoid raising doubt in the future as you have
(rightfully) done.
> > This should be a seperate bug fix patch rather than fixing it in the
> > noise of this substantial re-arrangement.
>
> That's fine, but please send it as one patchset. Also, to get ahead
> of the next likely question, no I don't think the skb_network_offset()
> fix is -stable worthy at the moment.
It didn't look like a concern given Pablo's assurance.
> >> > - if (!ih) {
> >> > - audit_log_format(ab, " truncated=1");
> >> > - return;
> >> > - }
> >> > + if (!ih)
> >> > + return false;
> >> >
> >> > - audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
> >> > - &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
> >> > + audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
> >> > + &ih->saddr, &ih->daddr, ih->protocol);
> >> >
> >> > - if (ntohs(ih->frag_off) & IP_OFFSET) {
> >> > - audit_log_format(ab, " frag=1");
> >> > - return;
> >> > - }
> >> > -
> >> > - audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
> >> > + return true;
> >> > }
> >>
> >> ...
> >>
> >> > static unsigned int
> >> > audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> >> > {
> >> > - const struct xt_audit_info *info = par->targinfo;
> >> > struct audit_buffer *ab;
> >> > + int fam = -1;
> >> >
> >> > if (audit_enabled == 0)
> >> > goto errout;
> >> > -
> >> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> >> > if (ab == NULL)
> >> > goto errout;
> >> >
> >> > - audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
> >> > - info->type, par->hooknum, skb->len,
> >> > - par->in ? par->in->name : "?",
> >> > - par->out ? par->out->name : "?");
> >> > -
> >> > - if (skb->mark)
> >> > - audit_log_format(ab, " mark=%#x", skb->mark);
> >> > -
> >> > - if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
> >> > - audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
> >> > - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
> >> > - ntohs(eth_hdr(skb)->h_proto));
> >> > + audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
> >>
> >> How do Steve's userspace tools like the unset/-1 value represented
> >> when it is a hex value: -1 or 0xffffffff?
> >
> > My understanding is they are set up to cope with this.
>
> How does userspace distinguish between an unset nfmark and a nfmark of
> 0xffffffff?
It never had to deal specifically with nfmark previously because it
wasn't included if it was blank. Generally other values that are -1 are
interpreted by the audit userspace tools as unset (session id, auid,
etc...)
> paul moore
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-01 22:34 ` Richard Guy Briggs
@ 2017-03-03 0:16 ` Paul Moore
2017-03-03 2:00 ` Richard Guy Briggs
0 siblings, 1 reply; 17+ messages in thread
From: Paul Moore @ 2017-03-03 0:16 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-03-01 17:19, Paul Moore wrote:
>> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> > On 2017-02-28 17:22, Paul Moore wrote:
>> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> >> > Eliminate flipping in and out of message fields, dropping fields in the process.
>> >> >
>> >> > Sample raw message format IPv4 UDP:
>> >> > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
>> >> > Sample raw message format IPv6 ICMP6:
>> >> > type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
>> >> >
>> >> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
>> >> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
>> >> >
>> >> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>> >> > ---
>> >> > net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
>> >> > 1 files changed, 27 insertions(+), 95 deletions(-)
>> >> >
>> >> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
>> >> > index 4973cbd..945fa29 100644
>> >> > --- a/net/netfilter/xt_AUDIT.c
>> >> > +++ b/net/netfilter/xt_AUDIT.c
>> >> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
>> >>
>> >> ...
>> >>
>> >> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
>> >> > +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
>> >> > {
>> >> > struct iphdr _iph;
>> >> > const struct iphdr *ih;
>> >> >
>> >> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
>> >>
>> >> It seems like we should be using skb_network_offset(skb) instead of 0
>> >> above, yes? Granted, this isn't new, but let's fix it.
>> >
>> > Yes, I agree. How does this even work now? Maybe the MAC header hasn't
>> > been added yet (or has already been processed and stripped off) so that
>> > skb->data is already pointing at the network header and hence has an
>> > offset of 0. Can you be more explicit and elaborate to say if this what
>> > you were thinking?
>>
>> Unfortunately, not really, I haven't thought through of all the
>> situations and it has been a long time since I've had to worry about
>> things like this. I think we are in agreement that it needs to
>> change, so let's just make the change.
>
> Given Pablo's assurances, this could go either way, fix audit_ip4 to use
> skb_network_offset() or fix audit_ip6 to use zero. I don't have a
> strong opinion, but using zero would be more efficient while using
> skb_network_offset() would remove the doubt. Either way, the
> consistency will avoid raising doubt in the future as you have
> (rightfully) done.
Just use skb_network_offset() as it is the safer option and there is
plenty of precedence. Considering that we expect NETFILTER_PKT to see
limited use, I'm more concerned about it not breaking than some small
loss of performance.
>> >> > static unsigned int
>> >> > audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
>> >> > {
>> >> > - const struct xt_audit_info *info = par->targinfo;
>> >> > struct audit_buffer *ab;
>> >> > + int fam = -1;
>> >> >
>> >> > if (audit_enabled == 0)
>> >> > goto errout;
>> >> > -
>> >> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>> >> > if (ab == NULL)
>> >> > goto errout;
>> >> >
>> >> > - audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
>> >> > - info->type, par->hooknum, skb->len,
>> >> > - par->in ? par->in->name : "?",
>> >> > - par->out ? par->out->name : "?");
>> >> > -
>> >> > - if (skb->mark)
>> >> > - audit_log_format(ab, " mark=%#x", skb->mark);
>> >> > -
>> >> > - if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
>> >> > - audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
>> >> > - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
>> >> > - ntohs(eth_hdr(skb)->h_proto));
>> >> > + audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
>> >>
>> >> How do Steve's userspace tools like the unset/-1 value represented
>> >> when it is a hex value: -1 or 0xffffffff?
>> >
>> > My understanding is they are set up to cope with this.
>>
>> How does userspace distinguish between an unset nfmark and a nfmark of
>> 0xffffffff?
>
> It never had to deal specifically with nfmark previously because it
> wasn't included if it was blank. Generally other values that are -1 are
> interpreted by the audit userspace tools as unset (session id, auid,
> etc...)
Yes, I know, let me get straight to the point: should we use "mark=-1"
when the nfmark is unset instead of "mark=0xffffffff"?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 0:16 ` Paul Moore
@ 2017-03-03 2:00 ` Richard Guy Briggs
2017-03-03 2:54 ` Paul Moore
0 siblings, 1 reply; 17+ messages in thread
From: Richard Guy Briggs @ 2017-03-03 2:00 UTC (permalink / raw)
To: Paul Moore
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On 2017-03-02 19:16, Paul Moore wrote:
> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-03-01 17:19, Paul Moore wrote:
> >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> >> > On 2017-02-28 17:22, Paul Moore wrote:
> >> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> >> >> > Eliminate flipping in and out of message fields, dropping fields in the process.
> >> >> >
> >> >> > Sample raw message format IPv4 UDP:
> >> >> > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> >> >> > Sample raw message format IPv6 ICMP6:
> >> >> > type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
> >> >> >
> >> >> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
> >> >> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
> >> >> >
> >> >> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> >> >> > ---
> >> >> > net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
> >> >> > 1 files changed, 27 insertions(+), 95 deletions(-)
> >> >> >
> >> >> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> >> >> > index 4973cbd..945fa29 100644
> >> >> > --- a/net/netfilter/xt_AUDIT.c
> >> >> > +++ b/net/netfilter/xt_AUDIT.c
> >> >> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
> >> >>
> >> >> ...
> >> >>
> >> >> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> >> > +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> >> > {
> >> >> > struct iphdr _iph;
> >> >> > const struct iphdr *ih;
> >> >> >
> >> >> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> >> >>
> >> >> It seems like we should be using skb_network_offset(skb) instead of 0
> >> >> above, yes? Granted, this isn't new, but let's fix it.
> >> >
> >> > Yes, I agree. How does this even work now? Maybe the MAC header hasn't
> >> > been added yet (or has already been processed and stripped off) so that
> >> > skb->data is already pointing at the network header and hence has an
> >> > offset of 0. Can you be more explicit and elaborate to say if this what
> >> > you were thinking?
> >>
> >> Unfortunately, not really, I haven't thought through of all the
> >> situations and it has been a long time since I've had to worry about
> >> things like this. I think we are in agreement that it needs to
> >> change, so let's just make the change.
> >
> > Given Pablo's assurances, this could go either way, fix audit_ip4 to use
> > skb_network_offset() or fix audit_ip6 to use zero. I don't have a
> > strong opinion, but using zero would be more efficient while using
> > skb_network_offset() would remove the doubt. Either way, the
> > consistency will avoid raising doubt in the future as you have
> > (rightfully) done.
>
> Just use skb_network_offset() as it is the safer option and there is
> plenty of precedence. Considering that we expect NETFILTER_PKT to see
> limited use, I'm more concerned about it not breaking than some small
> loss of performance.
Agreed.
> >> >> > static unsigned int
> >> >> > audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> >> >> > {
> >> >> > - const struct xt_audit_info *info = par->targinfo;
> >> >> > struct audit_buffer *ab;
> >> >> > + int fam = -1;
> >> >> >
> >> >> > if (audit_enabled == 0)
> >> >> > goto errout;
> >> >> > -
> >> >> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> >> >> > if (ab == NULL)
> >> >> > goto errout;
> >> >> >
> >> >> > - audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
> >> >> > - info->type, par->hooknum, skb->len,
> >> >> > - par->in ? par->in->name : "?",
> >> >> > - par->out ? par->out->name : "?");
> >> >> > -
> >> >> > - if (skb->mark)
> >> >> > - audit_log_format(ab, " mark=%#x", skb->mark);
> >> >> > -
> >> >> > - if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
> >> >> > - audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
> >> >> > - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
> >> >> > - ntohs(eth_hdr(skb)->h_proto));
> >> >> > + audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
> >> >>
> >> >> How do Steve's userspace tools like the unset/-1 value represented
> >> >> when it is a hex value: -1 or 0xffffffff?
> >> >
> >> > My understanding is they are set up to cope with this.
> >>
> >> How does userspace distinguish between an unset nfmark and a nfmark of
> >> 0xffffffff?
> >
> > It never had to deal specifically with nfmark previously because it
> > wasn't included if it was blank. Generally other values that are -1 are
> > interpreted by the audit userspace tools as unset (session id, auid,
> > etc...)
>
> Yes, I know, let me get straight to the point: should we use "mark=-1"
> when the nfmark is unset instead of "mark=0xffffffff"?
I'd prefer to keep the format as it was, explicitly labelled hex. The
other fields that are printed as unset, -1, come out in the logs as
MAX_UINT: "auid=4294967295 ses=4294967295", so I don't see any reason to
change that convention. Once that field is known by userspace tools,
they can interpret (-i) that as -1.
> paul moore
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 2:00 ` Richard Guy Briggs
@ 2017-03-03 2:54 ` Paul Moore
2017-03-03 11:54 ` Richard Guy Briggs
0 siblings, 1 reply; 17+ messages in thread
From: Paul Moore @ 2017-03-03 2:54 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On Thu, Mar 2, 2017 at 9:00 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-03-02 19:16, Paul Moore wrote:
>> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> > On 2017-03-01 17:19, Paul Moore wrote:
>> >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> >> > On 2017-02-28 17:22, Paul Moore wrote:
>> >> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> >> >> > Eliminate flipping in and out of message fields, dropping fields in the process.
>> >> >> >
>> >> >> > Sample raw message format IPv4 UDP:
>> >> >> > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
>> >> >> > Sample raw message format IPv6 ICMP6:
>> >> >> > type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
>> >> >> >
>> >> >> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
>> >> >> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
>> >> >> >
>> >> >> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>> >> >> > ---
>> >> >> > net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
>> >> >> > 1 files changed, 27 insertions(+), 95 deletions(-)
>> >> >> >
>> >> >> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
>> >> >> > index 4973cbd..945fa29 100644
>> >> >> > --- a/net/netfilter/xt_AUDIT.c
>> >> >> > +++ b/net/netfilter/xt_AUDIT.c
>> >> >> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
...
>> >> >> > static unsigned int
>> >> >> > audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
>> >> >> > {
>> >> >> > - const struct xt_audit_info *info = par->targinfo;
>> >> >> > struct audit_buffer *ab;
>> >> >> > + int fam = -1;
>> >> >> >
>> >> >> > if (audit_enabled == 0)
>> >> >> > goto errout;
>> >> >> > -
>> >> >> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>> >> >> > if (ab == NULL)
>> >> >> > goto errout;
>> >> >> >
>> >> >> > - audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
>> >> >> > - info->type, par->hooknum, skb->len,
>> >> >> > - par->in ? par->in->name : "?",
>> >> >> > - par->out ? par->out->name : "?");
>> >> >> > -
>> >> >> > - if (skb->mark)
>> >> >> > - audit_log_format(ab, " mark=%#x", skb->mark);
>> >> >> > -
>> >> >> > - if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
>> >> >> > - audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
>> >> >> > - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
>> >> >> > - ntohs(eth_hdr(skb)->h_proto));
>> >> >> > + audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
>> >> >>
>> >> >> How do Steve's userspace tools like the unset/-1 value represented
>> >> >> when it is a hex value: -1 or 0xffffffff?
>> >> >
>> >> > My understanding is they are set up to cope with this.
>> >>
>> >> How does userspace distinguish between an unset nfmark and a nfmark of
>> >> 0xffffffff?
>> >
>> > It never had to deal specifically with nfmark previously because it
>> > wasn't included if it was blank. Generally other values that are -1 are
>> > interpreted by the audit userspace tools as unset (session id, auid,
>> > etc...)
>>
>> Yes, I know, let me get straight to the point: should we use "mark=-1"
>> when the nfmark is unset instead of "mark=0xffffffff"?
>
> I'd prefer to keep the format as it was, explicitly labelled hex. The
> other fields that are printed as unset, -1, come out in the logs as
> MAX_UINT: "auid=4294967295 ses=4294967295", so I don't see any reason to
> change that convention. Once that field is known by userspace tools,
> they can interpret (-i) that as -1.
Perhaps I'm missing something here, but let me ask again, how does
userspace distinguish between an unset nfmark and a nfmark of
0xffffffff?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 2:54 ` Paul Moore
@ 2017-03-03 11:54 ` Richard Guy Briggs
2017-03-03 12:45 ` Florian Westphal
0 siblings, 1 reply; 17+ messages in thread
From: Richard Guy Briggs @ 2017-03-03 11:54 UTC (permalink / raw)
To: Paul Moore
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On 2017-03-02 21:54, Paul Moore wrote:
> On Thu, Mar 2, 2017 at 9:00 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-03-02 19:16, Paul Moore wrote:
> >> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> >> > On 2017-03-01 17:19, Paul Moore wrote:
> >> >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> >> >> > On 2017-02-28 17:22, Paul Moore wrote:
> >> >> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> >> >> >> > Eliminate flipping in and out of message fields, dropping fields in the process.
> >> >> >> >
> >> >> >> > Sample raw message format IPv4 UDP:
> >> >> >> > type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> >> >> >> > Sample raw message format IPv6 ICMP6:
> >> >> >> > type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58^]
> >> >> >> >
> >> >> >> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
> >> >> >> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
> >> >> >> >
> >> >> >> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> >> >> >> > ---
> >> >> >> > net/netfilter/xt_AUDIT.c | 122 ++++++++++-----------------------------------
> >> >> >> > 1 files changed, 27 insertions(+), 95 deletions(-)
> >> >> >> >
> >> >> >> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> >> >> >> > index 4973cbd..945fa29 100644
> >> >> >> > --- a/net/netfilter/xt_AUDIT.c
> >> >> >> > +++ b/net/netfilter/xt_AUDIT.c
> >> >> >> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
>
> ...
>
> >> >> >> > static unsigned int
> >> >> >> > audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> >> >> >> > {
> >> >> >> > - const struct xt_audit_info *info = par->targinfo;
> >> >> >> > struct audit_buffer *ab;
> >> >> >> > + int fam = -1;
> >> >> >> >
> >> >> >> > if (audit_enabled == 0)
> >> >> >> > goto errout;
> >> >> >> > -
> >> >> >> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> >> >> >> > if (ab == NULL)
> >> >> >> > goto errout;
> >> >> >> >
> >> >> >> > - audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
> >> >> >> > - info->type, par->hooknum, skb->len,
> >> >> >> > - par->in ? par->in->name : "?",
> >> >> >> > - par->out ? par->out->name : "?");
> >> >> >> > -
> >> >> >> > - if (skb->mark)
> >> >> >> > - audit_log_format(ab, " mark=%#x", skb->mark);
> >> >> >> > -
> >> >> >> > - if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
> >> >> >> > - audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
> >> >> >> > - eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
> >> >> >> > - ntohs(eth_hdr(skb)->h_proto));
> >> >> >> > + audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
> >> >> >>
> >> >> >> How do Steve's userspace tools like the unset/-1 value represented
> >> >> >> when it is a hex value: -1 or 0xffffffff?
> >> >> >
> >> >> > My understanding is they are set up to cope with this.
> >> >>
> >> >> How does userspace distinguish between an unset nfmark and a nfmark of
> >> >> 0xffffffff?
> >> >
> >> > It never had to deal specifically with nfmark previously because it
> >> > wasn't included if it was blank. Generally other values that are -1 are
> >> > interpreted by the audit userspace tools as unset (session id, auid,
> >> > etc...)
> >>
> >> Yes, I know, let me get straight to the point: should we use "mark=-1"
> >> when the nfmark is unset instead of "mark=0xffffffff"?
> >
> > I'd prefer to keep the format as it was, explicitly labelled hex. The
> > other fields that are printed as unset, -1, come out in the logs as
> > MAX_UINT: "auid=4294967295 ses=4294967295", so I don't see any reason to
> > change that convention. Once that field is known by userspace tools,
> > they can interpret (-i) that as -1.
>
> Perhaps I'm missing something here, but let me ask again, how does
> userspace distinguish between an unset nfmark and a nfmark of
> 0xffffffff?
It can't.
> paul moore
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 11:54 ` Richard Guy Briggs
@ 2017-03-03 12:45 ` Florian Westphal
2017-03-03 13:12 ` Paul Moore
2017-03-03 17:08 ` Richard Guy Briggs
0 siblings, 2 replies; 17+ messages in thread
From: Florian Westphal @ 2017-03-03 12:45 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
Richard Guy Briggs <rgb@redhat.com> wrote:
> > Perhaps I'm missing something here, but let me ask again, how does
> > userspace distinguish between an unset nfmark and a nfmark of
> > 0xffffffff?
>
> It can't.
It can if you log it as 0, as I asked in patch 1 review.
(You wouldn't log sk uid of 0 as -1 either, would you?)
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 12:45 ` Florian Westphal
@ 2017-03-03 13:12 ` Paul Moore
2017-03-03 13:22 ` Florian Westphal
2017-03-03 17:08 ` Richard Guy Briggs
1 sibling, 1 reply; 17+ messages in thread
From: Paul Moore @ 2017-03-03 13:12 UTC (permalink / raw)
To: Florian Westphal
Cc: Richard Guy Briggs, Thomas Woerner, linux-audit,
Netfilter Developer Mailing List, Thomas Graf
On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal <fw@strlen.de> wrote:
> Richard Guy Briggs <rgb@redhat.com> wrote:
>> > Perhaps I'm missing something here, but let me ask again, how does
>> > userspace distinguish between an unset nfmark and a nfmark of
>> > 0xffffffff?
>>
>> It can't.
>
> It can if you log it as 0, as I asked in patch 1 review.
>
> (You wouldn't log sk uid of 0 as -1 either, would you?)
I want to see the code able to handle the full range of nfmark values
as well as the unset case; if that means we need to tweak userspace a
bit, please work with Steve on that.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 13:12 ` Paul Moore
@ 2017-03-03 13:22 ` Florian Westphal
2017-03-03 13:56 ` Paul Moore
2017-03-03 17:03 ` Richard Guy Briggs
0 siblings, 2 replies; 17+ messages in thread
From: Florian Westphal @ 2017-03-03 13:22 UTC (permalink / raw)
To: Paul Moore
Cc: Richard Guy Briggs, Florian Westphal, linux-audit,
Netfilter Developer Mailing List, Thomas Woerner, Thomas Graf
Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal <fw@strlen.de> wrote:
> > Richard Guy Briggs <rgb@redhat.com> wrote:
> >> > Perhaps I'm missing something here, but let me ask again, how does
> >> > userspace distinguish between an unset nfmark and a nfmark of
> >> > 0xffffffff?
> >>
> >> It can't.
> >
> > It can if you log it as 0, as I asked in patch 1 review.
> >
> > (You wouldn't log sk uid of 0 as -1 either, would you?)
>
> I want to see the code able to handle the full range of nfmark values
> as well as the unset case; if that means we need to tweak userspace a
> bit, please work with Steve on that.
There is no 'unset nfmark'. Its just a 32bit integer.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 13:22 ` Florian Westphal
@ 2017-03-03 13:56 ` Paul Moore
2017-03-03 17:11 ` Richard Guy Briggs
2017-03-03 17:03 ` Richard Guy Briggs
1 sibling, 1 reply; 17+ messages in thread
From: Paul Moore @ 2017-03-03 13:56 UTC (permalink / raw)
To: Florian Westphal
Cc: Richard Guy Briggs, Netfilter Developer Mailing List,
linux-audit, Thomas Woerner, Thomas Graf
On Fri, Mar 3, 2017 at 8:22 AM, Florian Westphal <fw@strlen.de> wrote:
> Paul Moore <paul@paul-moore.com> wrote:
>> On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal <fw@strlen.de> wrote:
>> > Richard Guy Briggs <rgb@redhat.com> wrote:
>> >> > Perhaps I'm missing something here, but let me ask again, how does
>> >> > userspace distinguish between an unset nfmark and a nfmark of
>> >> > 0xffffffff?
>> >>
>> >> It can't.
>> >
>> > It can if you log it as 0, as I asked in patch 1 review.
>> >
>> > (You wouldn't log sk uid of 0 as -1 either, would you?)
>>
>> I want to see the code able to handle the full range of nfmark values
>> as well as the unset case; if that means we need to tweak userspace a
>> bit, please work with Steve on that.
>
> There is no 'unset nfmark'. Its just a 32bit integer.
Yes, my apologies, this thread has dragged on so long I muddled the
details in my mind ... here is what I'm trying to get at, Richard's
latest patch (unless I've missed one in my inbox) has the following
line:
audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
... which I believe to be incorrect. I was trying to lead Richard
along to that same realization, but it would appear I'm not having
much success, so to put it bluntly, here is what I want that line to
look like:
audit_log_format(ab, "mark=%#x", skb->mark);
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 13:56 ` Paul Moore
@ 2017-03-03 17:11 ` Richard Guy Briggs
0 siblings, 0 replies; 17+ messages in thread
From: Richard Guy Briggs @ 2017-03-03 17:11 UTC (permalink / raw)
To: Paul Moore
Cc: Florian Westphal, Netfilter Developer Mailing List, linux-audit,
Thomas Woerner, Thomas Graf
On 2017-03-03 08:56, Paul Moore wrote:
> On Fri, Mar 3, 2017 at 8:22 AM, Florian Westphal <fw@strlen.de> wrote:
> > Paul Moore <paul@paul-moore.com> wrote:
> >> On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal <fw@strlen.de> wrote:
> >> > Richard Guy Briggs <rgb@redhat.com> wrote:
> >> >> > Perhaps I'm missing something here, but let me ask again, how does
> >> >> > userspace distinguish between an unset nfmark and a nfmark of
> >> >> > 0xffffffff?
> >> >>
> >> >> It can't.
> >> >
> >> > It can if you log it as 0, as I asked in patch 1 review.
> >> >
> >> > (You wouldn't log sk uid of 0 as -1 either, would you?)
> >>
> >> I want to see the code able to handle the full range of nfmark values
> >> as well as the unset case; if that means we need to tweak userspace a
> >> bit, please work with Steve on that.
> >
> > There is no 'unset nfmark'. Its just a 32bit integer.
>
> Yes, my apologies, this thread has dragged on so long I muddled the
> details in my mind ... here is what I'm trying to get at, Richard's
> latest patch (unless I've missed one in my inbox) has the following
> line:
>
> audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
>
> ... which I believe to be incorrect. I was trying to lead Richard
> along to that same realization, but it would appear I'm not having
> much success, so to put it bluntly, here is what I want that line to
> look like:
>
> audit_log_format(ab, "mark=%#x", skb->mark);
Then just say that. Given the arguments presented, I agree. Done.
> paul moore
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 13:22 ` Florian Westphal
2017-03-03 13:56 ` Paul Moore
@ 2017-03-03 17:03 ` Richard Guy Briggs
1 sibling, 0 replies; 17+ messages in thread
From: Richard Guy Briggs @ 2017-03-03 17:03 UTC (permalink / raw)
To: Florian Westphal
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On 2017-03-03 14:22, Florian Westphal wrote:
> Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal <fw@strlen.de> wrote:
> > > Richard Guy Briggs <rgb@redhat.com> wrote:
> > >> > Perhaps I'm missing something here, but let me ask again, how does
> > >> > userspace distinguish between an unset nfmark and a nfmark of
> > >> > 0xffffffff?
> > >>
> > >> It can't.
> > >
> > > It can if you log it as 0, as I asked in patch 1 review.
> > >
> > > (You wouldn't log sk uid of 0 as -1 either, would you?)
> >
> > I want to see the code able to handle the full range of nfmark values
> > as well as the unset case; if that means we need to tweak userspace a
> > bit, please work with Steve on that.
>
> There is no 'unset nfmark'. Its just a 32bit integer.
I was going to say, we'd need an out of band indicator.
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH V3] audit: normalize NETFILTER_PKT
2017-03-03 12:45 ` Florian Westphal
2017-03-03 13:12 ` Paul Moore
@ 2017-03-03 17:08 ` Richard Guy Briggs
1 sibling, 0 replies; 17+ messages in thread
From: Richard Guy Briggs @ 2017-03-03 17:08 UTC (permalink / raw)
To: Florian Westphal
Cc: Thomas Woerner, linux-audit, Netfilter Developer Mailing List,
Thomas Graf
On 2017-03-03 13:45, Florian Westphal wrote:
> Richard Guy Briggs <rgb@redhat.com> wrote:
> > > Perhaps I'm missing something here, but let me ask again, how does
> > > userspace distinguish between an unset nfmark and a nfmark of
> > > 0xffffffff?
> >
> > It can't.
>
> It can if you log it as 0, as I asked in patch 1 review.
I'd be inclined to do that, since it will always have a value even if
its default is zero.
The proto field would actually be unset if it was a protocol family that
did not have a protocol field.
> (You wouldn't log sk uid of 0 as -1 either, would you?)
No, but you would log auid and session id as -1 if it were unset.
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2017-03-03 17:11 UTC | newest]
Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-02-26 20:49 [PATCH V3] audit: normalize NETFILTER_PKT Richard Guy Briggs
2017-02-28 22:22 ` Paul Moore
2017-03-01 16:28 ` Richard Guy Briggs
2017-03-01 16:45 ` Pablo Neira Ayuso
2017-03-01 22:19 ` Paul Moore
2017-03-01 22:34 ` Richard Guy Briggs
2017-03-03 0:16 ` Paul Moore
2017-03-03 2:00 ` Richard Guy Briggs
2017-03-03 2:54 ` Paul Moore
2017-03-03 11:54 ` Richard Guy Briggs
2017-03-03 12:45 ` Florian Westphal
2017-03-03 13:12 ` Paul Moore
2017-03-03 13:22 ` Florian Westphal
2017-03-03 13:56 ` Paul Moore
2017-03-03 17:11 ` Richard Guy Briggs
2017-03-03 17:03 ` Richard Guy Briggs
2017-03-03 17:08 ` Richard Guy Briggs
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.