Linux-audit Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister
@ 2020-05-20 16:51 Richard Guy Briggs
  2020-05-20 16:55 ` Richard Guy Briggs
  0 siblings, 1 reply; 6+ messages in thread
From: Richard Guy Briggs @ 2020-05-20 16:51 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML, netfilter-devel
  Cc: Richard Guy Briggs, fw, twoerner, eparis, tgraf

Some table unregister actions seem to be initiated by the kernel to
garbage collect unused tables that are not initiated by any userspace
actions.  It was found to be necessary to add the subject credentials to
cover this case to reveal the source of these actions.  A sample record:

The uid, auid, tty, ses and exe fields have not been included since they
are in the SYSCALL record and contain nothing useful in the non-user
context.

  type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
Changelog:
v6
- remove uid, auid fields as duplicates or unset

v5
- rebase on upstreamed ghak28 on audit/next v5.7-rc1
- remove tty, ses and exe fields as duplicates or unset
- drop upstreamed patches 1&2 from set

v4
- rebase on audit/next v5.7-rc1
- fix checkpatch.pl errors/warnings in 1/3 and 2/3

v3
- rebase on v5.6-rc1 audit/next
- change audit_nf_cfg to audit_log_nfcfg
- squash 2,3,4,5 to 1 and update patch descriptions
- add subject credentials to cover garbage collecting kernel threads

v2
- Rebase (audit/next 5.5-rc1) to get audit_context access and ebt_register_table ret code
- Split x_tables and ebtables updates
- Check audit_dummy_context
- Store struct audit_nfcfg params in audit_context, abstract to audit_nf_cfg() call
- Restore back to "table, family, entries" from "family, table, entries"
- Log unregistration of tables
- Add "op=" at the end of the AUDIT_NETFILTER_CFG record
- Defer nsid patch (ghak79) to once nsid patchset upstreamed (ghak32)
- Add ghak refs
- Ditch NETFILTER_CFGSOLO record

 kernel/auditsc.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index cfe3486e5f31..e646055adb0b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2557,12 +2557,21 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
 		       enum audit_nfcfgop op)
 {
 	struct audit_buffer *ab;
+	const struct cred *cred;
+	struct tty_struct *tty;
+	char comm[sizeof(current->comm)];
 
 	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG);
 	if (!ab)
 		return;
 	audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
 			 name, af, nentries, audit_nfcfgs[op].s);
+
+	cred = current_cred();
+	audit_log_format(ab, " pid=%u", task_pid_nr(current));
+	audit_log_task_context(ab); /* subj= */
+	audit_log_format(ab, " comm=");
+	audit_log_untrustedstring(ab, get_task_comm(comm, current));
 	audit_log_end(ab);
 }
 EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
-- 
1.8.3.1

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister
  2020-05-20 16:51 [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister Richard Guy Briggs
@ 2020-05-20 16:55 ` Richard Guy Briggs
  2020-05-20 18:40   ` Paul Moore
  0 siblings, 1 reply; 6+ messages in thread
From: Richard Guy Briggs @ 2020-05-20 16:55 UTC (permalink / raw)
  To: Linux-Audit Mailing List, LKML, netfilter-devel
  Cc: twoerner, eparis, fw, tgraf

On 2020-05-20 12:51, Richard Guy Briggs wrote:
> Some table unregister actions seem to be initiated by the kernel to
> garbage collect unused tables that are not initiated by any userspace
> actions.  It was found to be necessary to add the subject credentials to
> cover this case to reveal the source of these actions.  A sample record:
> 
> The uid, auid, tty, ses and exe fields have not been included since they
> are in the SYSCALL record and contain nothing useful in the non-user
> context.
> 
>   type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

Self-NACK.  I forgot to remove cred and tty declarations.

> ---
> Changelog:
> v6
> - remove uid, auid fields as duplicates or unset
> 
> v5
> - rebase on upstreamed ghak28 on audit/next v5.7-rc1
> - remove tty, ses and exe fields as duplicates or unset
> - drop upstreamed patches 1&2 from set
> 
> v4
> - rebase on audit/next v5.7-rc1
> - fix checkpatch.pl errors/warnings in 1/3 and 2/3
> 
> v3
> - rebase on v5.6-rc1 audit/next
> - change audit_nf_cfg to audit_log_nfcfg
> - squash 2,3,4,5 to 1 and update patch descriptions
> - add subject credentials to cover garbage collecting kernel threads
> 
> v2
> - Rebase (audit/next 5.5-rc1) to get audit_context access and ebt_register_table ret code
> - Split x_tables and ebtables updates
> - Check audit_dummy_context
> - Store struct audit_nfcfg params in audit_context, abstract to audit_nf_cfg() call
> - Restore back to "table, family, entries" from "family, table, entries"
> - Log unregistration of tables
> - Add "op=" at the end of the AUDIT_NETFILTER_CFG record
> - Defer nsid patch (ghak79) to once nsid patchset upstreamed (ghak32)
> - Add ghak refs
> - Ditch NETFILTER_CFGSOLO record
> 
>  kernel/auditsc.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index cfe3486e5f31..e646055adb0b 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2557,12 +2557,21 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
>  		       enum audit_nfcfgop op)
>  {
>  	struct audit_buffer *ab;
> +	const struct cred *cred;
> +	struct tty_struct *tty;
> +	char comm[sizeof(current->comm)];
>  
>  	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG);
>  	if (!ab)
>  		return;
>  	audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
>  			 name, af, nentries, audit_nfcfgs[op].s);
> +
> +	cred = current_cred();
> +	audit_log_format(ab, " pid=%u", task_pid_nr(current));
> +	audit_log_task_context(ab); /* subj= */
> +	audit_log_format(ab, " comm=");
> +	audit_log_untrustedstring(ab, get_task_comm(comm, current));
>  	audit_log_end(ab);
>  }
>  EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
> -- 
> 1.8.3.1
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister
  2020-05-20 16:55 ` Richard Guy Briggs
@ 2020-05-20 18:40   ` Paul Moore
  2020-05-20 18:51     ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Paul Moore @ 2020-05-20 18:40 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: fw, LKML, Linux-Audit Mailing List, netfilter-devel, twoerner,
	Eric Paris, tgraf

On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2020-05-20 12:51, Richard Guy Briggs wrote:
> > Some table unregister actions seem to be initiated by the kernel to
> > garbage collect unused tables that are not initiated by any userspace
> > actions.  It was found to be necessary to add the subject credentials to
> > cover this case to reveal the source of these actions.  A sample record:
> >
> > The uid, auid, tty, ses and exe fields have not been included since they
> > are in the SYSCALL record and contain nothing useful in the non-user
> > context.
> >
> >   type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2

FWIW, that record looks good.

> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
>
> Self-NACK.  I forgot to remove cred and tty declarations.

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister
  2020-05-20 18:40   ` Paul Moore
@ 2020-05-20 18:51     ` Steve Grubb
  2020-05-20 18:59       ` Richard Guy Briggs
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2020-05-20 18:51 UTC (permalink / raw)
  To: linux-audit
  Cc: Richard Guy Briggs, fw, LKML, netfilter-devel, twoerner,
	Eric Paris, tgraf

On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote:
> On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2020-05-20 12:51, Richard Guy Briggs wrote:
> > > Some table unregister actions seem to be initiated by the kernel to
> > > garbage collect unused tables that are not initiated by any userspace
> > > actions.  It was found to be necessary to add the subject credentials
> > > to cover this case to reveal the source of these actions.  A sample
> > > record:
> > > 
> > > The uid, auid, tty, ses and exe fields have not been included since
> > > they
> > > are in the SYSCALL record and contain nothing useful in the non-user
> > > context.
> > > 
> > >   type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat
> > >   family=bridge entries=0 op=unregister pid=153
> > >   subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
>
> FWIW, that record looks good.

It's severely broken

cat log.file
type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat 
family=bridge entries=0 op=unregister pid=153 
subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2

ausearch -if log.file --format text
At 19:33:40 12/31/1969  did-unknown 

ausearch -if log.file --format csv
NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
error normalizing NETFILTER_CFG
,NETFILTER_CFG,12/31/1969,19:33:40,0,,,,,,,,,,

This is unusable. This is why the bug was filed in the first place.

-Steve

> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > 
> > Self-NACK.  I forgot to remove cred and tty declarations.




--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister
  2020-05-20 18:51     ` Steve Grubb
@ 2020-05-20 18:59       ` Richard Guy Briggs
  2020-05-20 19:06         ` Richard Guy Briggs
  0 siblings, 1 reply; 6+ messages in thread
From: Richard Guy Briggs @ 2020-05-20 18:59 UTC (permalink / raw)
  To: Steve Grubb
  Cc: fw, LKML, linux-audit, netfilter-devel, twoerner, Eric Paris, tgraf

On 2020-05-20 14:51, Steve Grubb wrote:
> On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote:
> > On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > > On 2020-05-20 12:51, Richard Guy Briggs wrote:
> > > > Some table unregister actions seem to be initiated by the kernel to
> > > > garbage collect unused tables that are not initiated by any userspace
> > > > actions.  It was found to be necessary to add the subject credentials
> > > > to cover this case to reveal the source of these actions.  A sample
> > > > record:
> > > > 
> > > > The uid, auid, tty, ses and exe fields have not been included since
> > > > they
> > > > are in the SYSCALL record and contain nothing useful in the non-user
> > > > context.
> > > > 
> > > >   type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat
> > > >   family=bridge entries=0 op=unregister pid=153
> > > >   subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> >
> > FWIW, that record looks good.
> 
> It's severely broken
> 
> cat log.file
> type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat 
> family=bridge entries=0 op=unregister pid=153 
> subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> 
> ausearch -if log.file --format text
> At 19:33:40 12/31/1969  did-unknown 
> 
> ausearch -if log.file --format csv
> NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
> error normalizing NETFILTER_CFG
> ,NETFILTER_CFG,12/31/1969,19:33:40,0,,,,,,,,,,
> 
> This is unusable. This is why the bug was filed in the first place.

Have you applied this patchset?
	https://www.redhat.com/archives/linux-audit/2020-May/msg00072.html

AUDIT_EVENT_LISTENER is also broken without this first patch.

> -Steve
> 
> > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > 
> > > Self-NACK.  I forgot to remove cred and tty declarations.

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister
  2020-05-20 18:59       ` Richard Guy Briggs
@ 2020-05-20 19:06         ` Richard Guy Briggs
  0 siblings, 0 replies; 6+ messages in thread
From: Richard Guy Briggs @ 2020-05-20 19:06 UTC (permalink / raw)
  To: Steve Grubb
  Cc: fw, LKML, linux-audit, netfilter-devel, twoerner, Eric Paris, tgraf

On 2020-05-20 14:59, Richard Guy Briggs wrote:
> On 2020-05-20 14:51, Steve Grubb wrote:
> > On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote:
> > > On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > > > On 2020-05-20 12:51, Richard Guy Briggs wrote:
> > > > > Some table unregister actions seem to be initiated by the kernel to
> > > > > garbage collect unused tables that are not initiated by any userspace
> > > > > actions.  It was found to be necessary to add the subject credentials
> > > > > to cover this case to reveal the source of these actions.  A sample
> > > > > record:
> > > > > 
> > > > > The uid, auid, tty, ses and exe fields have not been included since
> > > > > they
> > > > > are in the SYSCALL record and contain nothing useful in the non-user
> > > > > context.
> > > > > 
> > > > >   type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat
> > > > >   family=bridge entries=0 op=unregister pid=153
> > > > >   subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> > >
> > > FWIW, that record looks good.
> > 
> > It's severely broken
> > 
> > cat log.file
> > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat 
> > family=bridge entries=0 op=unregister pid=153 
> > subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
> > 
> > ausearch -if log.file --format text
> > At 19:33:40 12/31/1969  did-unknown 
> > 
> > ausearch -if log.file --format csv
> > NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
> > error normalizing NETFILTER_CFG
> > ,NETFILTER_CFG,12/31/1969,19:33:40,0,,,,,,,,,,
> > 
> > This is unusable. This is why the bug was filed in the first place.
> 
> Have you applied this patchset?
> 	https://www.redhat.com/archives/linux-audit/2020-May/msg00072.html
> 
> AUDIT_EVENT_LISTENER is also broken without this first patch.

And EVENT_LISTENER also needs this patch:
	https://github.com/linux-audit/audit-userspace/pull/114/commits/27daa6fca534b30199040d0ad05420a8331ab421

> > -Steve
> > 
> > > > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > > > 
> > > > Self-NACK.  I forgot to remove cred and tty declarations.
> 
> - RGB

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-20 16:51 [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister Richard Guy Briggs
2020-05-20 16:55 ` Richard Guy Briggs
2020-05-20 18:40   ` Paul Moore
2020-05-20 18:51     ` Steve Grubb
2020-05-20 18:59       ` Richard Guy Briggs
2020-05-20 19:06         ` Richard Guy Briggs

Linux-audit Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-audit/0 linux-audit/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-audit linux-audit/ https://lore.kernel.org/linux-audit \
		linux-audit@redhat.com
	public-inbox-index linux-audit

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.redhat.linux-audit


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git