Re: [PATCH ghak90 V6 02/10] audit: add container id

2019-07-16 Thread Richard Guy Briggs
On 2019-07-15 16:38, Paul Moore wrote:
> On Mon, Jul 8, 2019 at 1:51 PM Richard Guy Briggs  wrote:
> > On 2019-05-29 11:29, Paul Moore wrote:
> 
> ...
> 
> > > The idea is that only container orchestrators should be able to
> > > set/modify the audit container ID, and since setting the audit
> > > container ID can have a significant effect on the records captured
> > > (and their routing to multiple daemons when we get there) modifying
> > > the audit container ID is akin to modifying the audit configuration
> > > which is why it is gated by CAP_AUDIT_CONTROL.  The current thinking
> > > is that you would only change the audit container ID from one
> > > set/inherited value to another if you were nesting containers, in
> > > which case the nested container orchestrator would need to be granted
> > > CAP_AUDIT_CONTROL (which everyone to date seems to agree is a workable
> > > compromise).  We did consider allowing for a chain of nested audit
> > > container IDs, but the implications of doing so are significant
> > > (implementation mess, runtime cost, etc.) so we are leaving that out
> > > of this effort.
> >
> > We had previously discussed the idea of restricting
> > orchestrators/engines from only being able to set the audit container
> > identifier on their own descendants, but it was discarded.  I've added a
> > check to ensure this is now enforced.
> 
> When we weren't allowing nested orchestrators it wasn't necessary, but
> with the move to support nesting I believe this will be a requirement.
> We might also need/want to restrict audit container ID changes if a
> descendant is acting as a container orchestrator and managing one or
> more audit container IDs; although I'm less certain of the need for
> this.

I was of the opinion it was necessary before with single-layer parallel
orchestrators/engines.

> > I've also added a check to ensure that a process can't set its own audit
> > container identifier ...
> 
> What does this protect against, or what problem does this solve?
> Considering how easy it is to fork/exec, it seems like this could be
> trivially bypassed.

Well, for starters, it would remove one layer of nesting.  It would
separate the functional layers of processes.  Other than that, it seems
like a gut feeling that it is just wrong to allow it.  It seems like a
layer violation that one container orchestrator/engine could set its own
audit container identifier and then set its children as well.  It would
be its own parent.  It would make it harder to verify adherence to
descendancy and inheritance rules.

> > ... and that if the identifier is already set, then the
> > orchestrator/engine must be in a descendant user namespace from the
> > orchestrator that set the previously inherited audit container
> > identifier.
> 
> You lost me here ... although I don't like the idea of relying on X
> namespace inheritance for a hard coded policy on setting the audit
> container ID; we've worked hard to keep this independent of any
> definition of a "container" and it would sadden me greatly if we had
> to go back on that.

This would seem to be the one concession I'm reluctantly making to try
to solve this nested container orchestrator/engine challenge.

Would backing off on that descendant user namespace requirement and only
require that a nested audit container identifier only be permitted on a
descendant task be sufficient?  It may for this use case, but I suspect
not for additional audit daemons (we're not there yet) and message
routing to those daemons.

The one difference here is that it does not depend on this if the audit
container identifier has not already been set.

> paul moore

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
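
Added illustration for the exchange above, not code from the ghak90 patchset: a userspace model of the rules being debated for who may set an audit container identifier on whom (CAP_AUDIT_CONTROL, never on yourself, only on your own descendants, and re-labelling an already labelled task only from inside that label). It models the task-descendancy variant rather than the user-namespace one. The struct task layout, the contid_setter bookkeeping, inheritance at fork and the errno values are assumptions made for the example.

```c
/*
 * Added illustration (not code from the ghak90 patchset): a userspace
 * model of the rules debated above for who may set an audit container
 * ID on whom.  struct task, the contid_setter pointer, the inheritance
 * at fork and the errno values are assumptions made for this example.
 */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Unset" sentinel; matches old-contid=18446744073709551615 in the thread's example record. */
#define AUDIT_CID_UNSET ((uint64_t)-1)

struct task {
	const char *comm;
	struct task *parent;
	uint64_t contid;
	struct task *contid_setter;	/* orchestrator that assigned contid (assumed bookkeeping) */
	bool cap_audit_control;		/* stands in for capable(CAP_AUDIT_CONTROL) */
};

static bool is_descendant(const struct task *ancestor, const struct task *t)
{
	for (t = t->parent; t; t = t->parent)
		if (t == ancestor)
			return true;
	return false;
}

/*
 * Model of "echo <contid> > /proc/<target>/audit_containerid" by <caller>.
 * Rules modelled from the thread: CAP_AUDIT_CONTROL, never on yourself,
 * only on your own descendants, and re-labelling an already labelled task
 * only by the task that labelled it or by an orchestrator nested inside
 * that label (task-descendancy variant, not the user-namespace one).
 * Returns 0 or a negative errno.
 */
int audit_set_contid(struct task *caller, struct task *target, uint64_t contid)
{
	if (contid == AUDIT_CID_UNSET)
		return -EINVAL;
	if (!caller->cap_audit_control)
		return -EPERM;
	if (caller == target)
		return -EPERM;
	if (!is_descendant(caller, target))
		return -EPERM;
	if (target->contid != AUDIT_CID_UNSET) {
		struct task *setter = target->contid_setter;

		if (caller != setter && !is_descendant(setter, caller))
			return -EPERM;
	}
	target->contid = contid;
	target->contid_setter = caller;
	return 0;
}

/* fork(): the child inherits the label and who assigned it. */
void task_fork(struct task *parent, struct task *child, const char *comm)
{
	memset(child, 0, sizeof(*child));
	child->comm = comm;
	child->parent = parent;
	child->contid = parent->contid;
	child->contid_setter = parent->contid_setter;
}

/*
 * Constructed process tree for the demonstration:
 *   init -> orch -> c1 (labelled 100 by orch) -> nested_orch -> c2
 *   init -> sibling_orch
 */
struct task init_task, orch, c1, nested_orch, c2, sibling_orch;

int setup_tree(void)
{
	memset(&init_task, 0, sizeof(init_task));
	init_task.comm = "init";
	init_task.contid = AUDIT_CID_UNSET;
	task_fork(&init_task, &orch, "orch");
	orch.cap_audit_control = true;
	task_fork(&orch, &c1, "c1");
	if (audit_set_contid(&orch, &c1, 100) != 0)	/* label before exec */
		return -1;
	task_fork(&c1, &nested_orch, "nested_orch");	/* inherits 100 */
	nested_orch.cap_audit_control = true;
	task_fork(&nested_orch, &c2, "c2");		/* inherits 100 */
	task_fork(&init_task, &sibling_orch, "sibling_orch");
	sibling_orch.cap_audit_control = true;
	return 0;
}

int main(void)
{
	assert(setup_tree() == 0);
	printf("orch -> orch:        %d (self, refused)\n", audit_set_contid(&orch, &orch, 100));
	printf("sibling_orch -> c2:  %d (not a descendant, refused)\n", audit_set_contid(&sibling_orch, &c2, 200));
	printf("c1 -> nested_orch:   %d (no CAP_AUDIT_CONTROL, refused)\n", audit_set_contid(&c1, &nested_orch, 200));
	printf("nested_orch -> c2:   %d (nested relabel, allowed)\n", audit_set_contid(&nested_orch, &c2, 200));
	printf("orch -> c2:          %d (c2 now labelled by nested_orch, refused)\n", audit_set_contid(&orch, &c2, 300));
	printf("c2 contid=%llu\n", (unsigned long long)c2.contid);
	return 0;
}
```

The last case in main() is the one Paul says he is less certain about: once a nested orchestrator has re-labelled c2, the outer orchestrator can no longer change it under this model, because it is neither the setter nor nested inside the setter.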


Re: [PATCH ghak90 (was ghak32) V4 01/10] audit: collect audit task parameters

2019-01-04 Thread Richard Guy Briggs
On 2019-01-03 18:50, Guenter Roeck wrote:
> Hi Richard,
> 
> On Tue, Jul 31, 2018 at 04:07:36PM -0400, Richard Guy Briggs wrote:
> > The audit-related parameters in struct task_struct should ideally be
> > collected together and accessed through a standard audit API.
> > 
> > Collect the existing loginuid, sessionid and audit_context together in a
> > new struct audit_task_info called "audit" in struct task_struct.
> > 
> > Use kmem_cache to manage this pool of memory.
> > Un-inline audit_free() to be able to always recover that memory.
> > 
> > See: https://github.com/linux-audit/audit-kernel/issues/81
> > 
> > Signed-off-by: Richard Guy Briggs 
> 
> Overall I am not sure if keeping task_struct a bit smaller is worth
> the added complexity, but I guess that is just me. 

The motivation was to consolidate all the audit bits into one pointer,
isolating them from the rest of the kernel, restricting access only to
helper functions to prevent abuse by other subsystems and trying to
reduce kABI issues in the future.  I agree it is a bit more complex.  It
was provoked by the need to add contid which seemed to make the most
sense as a peer to loginuid and sessionid, and adding it to task_struct
would have made it a bit too generic and available.

This is addressed at some length by Paul Moore here in v2:
https://lkml.org/lkml/2018/4/18/759

> Anyway, couple of nitpicks. Please feel free to ignore, and my apologies
> if some of all of the comments are duplicates.

Noted.  They all look like reasonable improvements, particularly the
unnecessary else and default return.  Thanks.  The double context check
may go away anyways based on the removal of audit_take_context() in
Paul's 2a1fe215e730 ("audit: use current whenever possible") which has
yet to be incorporated.

> Guenter
> 
> > ---
> >  include/linux/audit.h | 34 --
> >  include/linux/sched.h |  5 +
> >  init/init_task.c  |  3 +--
> >  init/main.c   |  2 ++
> >  kernel/auditsc.c  | 51 
> > ++-
> >  kernel/fork.c |  4 +++-
> >  6 files changed, 73 insertions(+), 26 deletions(-)
> > 
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 9334fbe..8964332 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -219,8 +219,15 @@ static inline void audit_log_task_info(struct 
> > audit_buffer *ab,
> >  
> >  /* These are defined in auditsc.c */
> > /* Public API */
> 
> Not sure if the structure below belongs after "Public API".
> Is it part of the public API ?
> 
> > +struct audit_task_info {
> > +   kuid_t  loginuid;
> > +   unsigned intsessionid;
> > +   struct audit_context*ctx;
> > +};
> 
> Add empty line ?
> 
> > +extern struct audit_task_info init_struct_audit;
> > +extern void __init audit_task_init(void);
> >  extern int  audit_alloc(struct task_struct *task);
> > -extern void __audit_free(struct task_struct *task);
> > +extern void audit_free(struct task_struct *task);
> >  extern void __audit_syscall_entry(int major, unsigned long a0, unsigned 
> > long a1,
> >   unsigned long a2, unsigned long a3);
> >  extern void __audit_syscall_exit(int ret_success, long ret_value);
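Review bot: the new struct audit_task_info lands directly under the /* Public API */ comment with its loginuid, sessionid and ctx members fully exposed, which cuts against the stated aim of reaching these fields only through helpers; either move the definition above that comment (or into kernel/audit.h, leaving a forward declaration and the accessors public) or add a comment saying who may touch the members directly, and put a blank line between the closing brace and `extern struct audit_task_info init_struct_audit;` as Guenter suggests.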
> > @@ -242,12 +249,15 @@ extern void audit_seccomp_actions_logged(const char 
> > *names,
> >  
> >  static inline void audit_set_context(struct task_struct *task, struct 
> > audit_context *ctx)
> >  {
> > -   task->audit_context = ctx;
> > +   task->audit->ctx = ctx;
> >  }
> >  
> >  static inline struct audit_context *audit_context(void)
> >  {
> > -   return current->audit_context;
> > +   if (current->audit)
> > +   return current->audit->ctx;
> > +   else
> > +   return NULL;
> 
> Unnecessary else (and static checkers may complain).
> 
> >  }
> >  
> >  static inline bool audit_dummy_context(void)
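Review bot: audit_set_context() dereferences task->audit->ctx unconditionally while audit_context(), a few lines below, guards current->audit against NULL; if task->audit can be NULL (audit_alloc() failing, or a task torn down early) the setter will oops where the getter quietly returns NULL, so either guard both or neither and state the invariant in a comment. The getter can also lose the else that Guenter points out:
	return current->audit ? current->audit->ctx : NULL;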
> > @@ -255,11 +265,7 @@ static inline bool audit_dummy_context(void)
> > void *p = audit_context();
> > return !p || *(int *)p;
> >  }
> > -static inline void audit_free(struct task_struct *task)
> > -{
> > -   if (unlikely(task->audit_context))
> > -   __audit_free(task);
> > -}
> > +
> >  static inline void audit_syscall_entry(int major, unsigned long a0,
> >unsigned long a1, unsigned long a2,
> >   

Re: [PATCH ghak90 (was ghak32) V4 00/10] audit: implement container identifier

2019-01-03 Thread Richard Guy Briggs
On 2019-01-03 10:58, Guenter Roeck wrote:
> Hi Richard,
> 
> On Thu, Jan 03, 2019 at 12:36:13PM -0500, Richard Guy Briggs wrote:
> > On 2019-01-03 08:15, Guenter Roeck wrote:
> > > Hi,
> > > 
> > > On Tue, Jul 31, 2018 at 04:07:35PM -0400, Richard Guy Briggs wrote:
> > > > Implement kernel audit container identifier.
> > > 
> > > I don't see a follow-up submission of this patch series. Has it been 
> > > abandoned,
> > > or do I use the wrong search terms ?
> > 
> > Guenter, thanks for your interest in this patchset.  I haven't
> > abandoned it.  I've pushed some updates to my own (ill-publicized)
> > public git repo.  This effort has been going on more than 5 years with 8
> 
> Oh man :-(. Not sure if I would be that patient.

Patience, stubbornness, unjustified optimism, tenacity, inflexibility, who
knows...

Are you talking about sticking with this particular problem, or delay
before checking in on a particular patch review?

> Can you point me to your repository ?

Sure.  It hasn't been squashed and will be rebased.
git://toccata2.tricolour.ca/linux-2.6-rgb.git

I still have some write locks to check and work on.

> > previous revisions trying to document task namespaces and deciding that
> > was insufficient.
> 
> My interest is mostly thanks to having some of the patches of your series
> in my incoming code review queue:
> 
> https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1379654/3

Ok, interesting.  Michael Halcrow had approached me in Vancouver at LSS
at the end of August and I regret not having had enough time to talk
with him further about it.

> As background, some of the patches in the series are needed by GCP (Google
> Cloud Platform) as a prerequisite for some security features. Having to
> maintain out-of-tree code is always a pain, even more so in a subsystem
> related to security. So it would be quite useful to understand if we are
> going to be stuck with this forever or if there is a chance for the code
> to find its way upstream. Also, it would be useful to know if there are
> some upcoming changes/improvements which should be included in our version.

There are likely more changes coming, but I don't expect them to be
that drastic a departure from the original design.  There were some
changes in the implementation based on unforeseen issues raised once
coding started (which is part of the process).  Upstream patch review
would be the most helpful in keeping this stuff moving.

David Howells also had some interesting ideas and patches to try to
address some of these problems and he's still working on a prerequisite
patchset to get it upstream before returning to his container identifier
patchset.  It is moving slowly.

> Thanks,
> Guenter
> 
> > For this patchset I waited 11.5 weeks (80 days, Jules Verne anyone?)
> > before the primary intended maintainer did the first review, then I
> > responded within 2 weeks with further questions and a followup patch
> > proposal and then waited another 8 weeks for any response before adding
> > another query for that followup patch proposal review at which point I
> > got a rude answer saying I had disappointed and exhausted the
> > maintainer's goodwill with some hints at how to proceed just before new
> > year's.
> > 
> > I'd be delighted with other upstream review to get other angles and to
> > take some of the load and responsibility off the primary maintainer.
> > 
> > I expect to submit a v5 within a week without having had those questions
> > directly answered, but with some ideas of what to check and verify
> > before I resubmit.  Most of the changes have been sitting in that branch
> > for two months, already rebased one kernel version and will need
> > updating again.
> > 
> > > Thanks,
> > > Guenter
> > > 
> > > > This patchset is a fourth based on the proposal document (V3)
> > > > posted:
> > > > 
> > > > https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
> > > > 
> > > > The first patch is the last patch from ghak81 that is included here as a
> > > > convenience.
> > > > 
> > > > The second patch implements the proc fs write to set the audit container
> > > > identifier of a process, emitting an AUDIT_CONTAINER_OP record to 
> > > > announce the
> > > > registration of that audit container identifier on that process.  This 
> > > > patch
> > > > requires userspace support for record acceptance and proper type
> > > > display.

Re: [PATCH ghak90 (was ghak32) V4 00/10] audit: implement container identifier

2019-01-03 Thread Richard Guy Briggs
On 2019-01-03 08:15, Guenter Roeck wrote:
> Hi,
> 
> On Tue, Jul 31, 2018 at 04:07:35PM -0400, Richard Guy Briggs wrote:
> > Implement kernel audit container identifier.
> 
> I don't see a follow-up submission of this patch series. Has it been 
> abandoned,
> or do I use the wrong search terms ?

Guenter, thanks for your interest in this patchset.  I haven't
abandoned it.  I've pushed some updates to my own (ill-publicized)
public git repo.  This effort has been going on more than 5 years with 8
previous revisions trying to document task namespaces and deciding that
was insufficient.

For this patchset I waited 11.5 weeks (80 days, Jules Verne anyone?)
before the primary intended maintainer did the first review, then I
responded within 2 weeks with further questions and a followup patch
proposal and then waited another 8 weeks for any response before adding
another query for that followup patch proposal review at which point I
got a rude answer saying I had disappointed and exhausted the
maintainer's goodwill with some hints at how to proceed just before new
year's.

I'd be delighted with other upstream review to get other angles and to
take some of the load and responsibility off the primary maintainer.

I expect to submit a v5 within a week without having had those questions
directly answered, but with some ideas of what to check and verify
before I resubmit.  Most of the changes have been sitting in that branch
for two months, already rebased one kernel version and will need
updating again.

> Thanks,
> Guenter
> 
> > This patchset is a fourth based on the proposal document (V3)
> > posted:
> > https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html
> > 
> > The first patch is the last patch from ghak81 that is included here as a
> > convenience.
> > 
> > The second patch implements the proc fs write to set the audit container
> > identifier of a process, emitting an AUDIT_CONTAINER_OP record to announce 
> > the
> > registration of that audit container identifier on that process.  This patch
> > requires userspace support for record acceptance and proper type
> > display.
> > 
> > The third implements the auxiliary record AUDIT_CONTAINER if an
> > audit container identifier is identifiable with an event.  This patch
> > requires userspace support for proper type display.
> > 
> > The 4th adds signal and ptrace support.
> > 
> > The 5th creates a local audit context to be able to bind a standalone
> > record with a locally created auxiliary record.
> > 
> > The 6th patch adds audit container identifier records to the tty
> > standalone record.
> > 
> > The 7th adds audit container identifier filtering to the exit,
> > exclude and user lists.  This patch adds the AUDIT_CONTID field and
> > requires auditctl userspace support for the --contid option.
> > 
> > The 8th adds network namespace audit container identifier labelling
> > based on member tasks' audit container identifier labels.
> > 
> > The 9th adds audit container identifier support to standalone netfilter
> > records that don't have a task context and lists each container to which
> > that net namespace belongs.
> > 
> > The 10th implements reading the audit container identifier from the proc
> > filesystem for debugging.  This patch isn't planned for upstream
> > inclusion.
> > 
> > 
> > Example: Set an audit container identifier of 123456 to the "sleep" task:
> > 
> >   sleep 2&  
> >   child=$!
> >   echo 123456 > /proc/$child/audit_containerid; echo $?
> >   ausearch -ts recent -m container
> >   echo child:$child contid:$( cat /proc/$child/audit_containerid)
> > 
> > This should produce a record such as:
> > 
> >   type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set 
> > opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root 
> > uid=root tty=ttyS0 ses=1 
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash 
> > exe=/usr/bin/bash res=yes 
> > 
> > 
> > Example: Set a filter on an audit container identifier 123459 on 
> > /tmp/tmpcontainerid:
> > 
> >   contid=123459
> >   key=tmpcontainerid
> >   auditctl -a exit,always -F dir=/tmp -F perm=wa -F contid=$contid -F 
> > key=$key
> >   perl -e "sleep 1; open(my \$tmpfile, '>', \"/tmp/$key\"); 
> > close(\$tmpfile);" &
> >   child=$!
> >   echo $contid > /proc/$child/audit_containerid
> >   sleep 2
> >   ausearch -i -ts recent -k $key
> >   audi
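
Added illustration, not code from the ghak90 patchset or from audit userspace: a small parser for the CONTAINER_OP record shown in the examples above, plus a classifier that separates the first labelling of a task (old-contid is the unset value 18446744073709551615) from a re-label of an already labelled task, which is the nesting case the rest of the thread argues about and the one worth alerting on. The first sample record is the one from the message; the second is constructed for the example.

```c
/*
 * Added illustration (not code from the ghak90 patchset or audit
 * userspace): a parser for the CONTAINER_OP record shown above and a
 * classifier that flags re-labelling of an already labelled task.
 * The second sample record is constructed for the example.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* (u64)-1, printed as old-contid=18446744073709551615 for an unlabelled task. */
#define AUDIT_CID_UNSET UINT64_MAX

/* Record from the thread above. */
static const char SAMPLE_PAGE_RECORD[] =
	"type=CONTAINER_OP msg=audit(2018-06-06 12:39:29.636:26949) : op=set "
	"opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root "
	"uid=root tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
	"comm=bash exe=/usr/bin/bash res=yes";

/* Constructed: a nested orchestrator (pid 2209, itself inside 123456) relabels its child. */
static const char SAMPLE_NESTED_RECORD[] =
	"type=CONTAINER_OP msg=audit(2018-06-06 12:40:01.100:26950) : op=set "
	"opid=2300 old-contid=123456 contid=123457 pid=2209 auid=root uid=root "
	"tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
	"comm=nested-orch exe=/usr/bin/nested-orch res=yes";

/*
 * Copy the value of key=value into buf.  A key matches only at the start
 * of a space-separated token, so "contid" does not match inside
 * "old-contid" and "pid" does not match inside "opid".
 * Returns the value length, or -1 if the key is absent or buf is too small.
 */
int audit_get_field(const char *rec, const char *key, char *buf, size_t bufsz)
{
	size_t klen = strlen(key);
	const char *p = rec;

	while ((p = strstr(p, key)) != NULL) {
		if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
			const char *val = p + klen + 1;
			size_t vlen = strcspn(val, " ");

			if (vlen >= bufsz)
				return -1;
			memcpy(buf, val, vlen);
			buf[vlen] = '\0';
			return (int)vlen;
		}
		p += klen;
	}
	return -1;
}

/* Numeric field; returns dflt when absent or not a plain decimal u64 (e.g. auid=root). */
uint64_t audit_get_u64(const char *rec, const char *key, uint64_t dflt)
{
	char buf[32], *end;
	unsigned long long v;

	if (audit_get_field(rec, key, buf, sizeof(buf)) < 1)
		return dflt;
	errno = 0;
	v = strtoull(buf, &end, 10);
	if (errno || *end != '\0')
		return dflt;
	return v;
}

/*
 *  0: first label of an unlabelled task (old-contid is the unset sentinel)
 *  1: relabel of an already labelled task (nesting, or an overwrite to alert on)
 * -1: not a CONTAINER_OP record, or the contid fields are missing
 */
int container_op_classify(const char *rec)
{
	char tmp[32];

	if (audit_get_field(rec, "type", tmp, sizeof(tmp)) < 0 ||
	    strcmp(tmp, "CONTAINER_OP") != 0)
		return -1;
	if (audit_get_field(rec, "old-contid", tmp, sizeof(tmp)) < 0 ||
	    audit_get_field(rec, "contid", tmp, sizeof(tmp)) < 0)
		return -1;
	return audit_get_u64(rec, "old-contid", AUDIT_CID_UNSET) == AUDIT_CID_UNSET ? 0 : 1;
}

int main(void)
{
	const char *recs[] = { SAMPLE_PAGE_RECORD, SAMPLE_NESTED_RECORD };

	for (size_t i = 0; i < sizeof(recs) / sizeof(recs[0]); i++) {
		int kind = container_op_classify(recs[i]);

		printf("pid=%llu labels opid=%llu contid=%llu -> %s\n",
		       (unsigned long long)audit_get_u64(recs[i], "pid", 0),
		       (unsigned long long)audit_get_u64(recs[i], "opid", 0),
		       (unsigned long long)audit_get_u64(recs[i], "contid", 0),
		       kind == 1 ? "RELABEL" : kind == 0 ? "label" : "unparsed");
	}
	return 0;
}
```

The token-start check matters for this record type in particular: a naive strstr() for "contid=" would pick up the old-contid field first and report the pre-existing value as the new one.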

Re: [PATCH ghak90 (was ghak32) V4 09/10] audit: NETFILTER_PKT: record each container ID associated with a netNS

2018-12-27 Thread Richard Guy Briggs
On 2018-10-31 15:30, Richard Guy Briggs wrote:
> On 2018-10-19 19:18, Paul Moore wrote:
> > On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs  wrote:
> > > Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> > > event standalone records.  Iterate through all potential audit container
> > > identifiers associated with a network namespace.
> > >
> > > Signed-off-by: Richard Guy Briggs 
> > > ---
> > >  include/linux/audit.h|  5 +
> > >  kernel/audit.c   | 26 ++
> > >  net/netfilter/xt_AUDIT.c | 12 ++--
> > >  3 files changed, 41 insertions(+), 2 deletions(-)
> > 
> > ...
> > 
> > > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > > index 9a02095..8755f4d 100644
> > > --- a/include/linux/audit.h
> > > +++ b/include/linux/audit.h
> > > @@ -169,6 +169,8 @@ extern int audit_log_contid(struct audit_context 
> > > *context,
> > >  extern void audit_netns_contid_add(struct net *net, u64 contid);
> > >  extern void audit_netns_contid_del(struct net *net, u64 contid);
> > >  extern void audit_switch_task_namespaces(struct nsproxy *ns, struct 
> > > task_struct *p);
> > > +extern void audit_log_netns_contid_list(struct net *net,
> > > +struct audit_context *context);
> > >
> > >  extern int audit_update_lsm_rules(void);
> > >
> > > @@ -228,6 +230,9 @@ static inline void audit_netns_contid_del(struct net 
> > > *net, u64 contid)
> > >  { }
> > >  static inline void audit_switch_task_namespaces(struct nsproxy *ns, 
> > > struct task_struct *p)
> > >  { }
> > > +static inline void audit_log_netns_contid_list(struct net *net,
> > > +   struct audit_context *context)
> > > +{ }
> > >
> > >  #define audit_enabled AUDIT_OFF
> > >  #endif /* CONFIG_AUDIT */
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index c5fed3b..b23711c 100644
> > > --- a/kernel/audit.c
> > > +++ b/kernel/audit.c
> > > @@ -392,6 +392,32 @@ void audit_switch_task_namespaces(struct nsproxy 
> > > *ns, struct task_struct *p)
> > > audit_netns_contid_add(new->net_ns, contid);
> > >  }
> > >
> > > +void audit_log_netns_contid_list(struct net *net, struct audit_context 
> > > *context)
> > > +{
> > > +   spinlock_t *lock = audit_get_netns_contid_list_lock(net);
> > > +   struct audit_buffer *ab;
> > > +   struct audit_contid *cont;
> > > +   bool first = true;
> > > +
> > > +   /* Generate AUDIT_CONTAINER record with container ID CSV list */
> > > +   ab = audit_log_start(context, GFP_ATOMIC, AUDIT_CONTAINER);
> > > +   if (!ab) {
> > > +   audit_log_lost("out of memory in 
> > > audit_log_netns_contid_list");
> > > +   return;
> > > +   }
> > > +   audit_log_format(ab, "contid=");
> > > +   spin_lock(lock);
> > > +   list_for_each_entry(cont, audit_get_netns_contid_list(net), list) 
> > > {
> > > +   if (!first)
> > > +   audit_log_format(ab, ",");
> > > +   audit_log_format(ab, "%llu", cont->id);
> > > +   first = false;
> > > +   }
> > > +   spin_unlock(lock);
> > 
> > This is looking like potentially a lot of work to be doing under a
> > spinlock, not to mention a single spinlock that is shared across CPUs.
> > Considering that I expect changes to the list to be somewhat
> > infrequent, this might be a good candidate for a RCU based locking
> > scheme.
> 
> Would something like this look reasonable?
> (This is on top of a patch to make contid list lock and unlock
> functions.)

Paul, could I please get your review on this locking approach I proposed
almost two months ago so I can be more reassured that it won't be an
issue in v5?  Thanks!

> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index be5d6eb..9428fc3 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -92,6 +92,7 @@ struct audit_contid {
>   struct list_headlist;
>   u64 id;
>   refcount_t  refcount;
> + struct rcu_head rcu;
>  };
>  
>  extern int is_audit_feature_set(int which);
> diff --git 

Re: [PATCH ghak90 (was ghak32) V4 05/10] audit: add support for non-syscall auxiliary records

2018-11-01 Thread Richard Guy Briggs
On 2018-10-19 19:17, Paul Moore wrote:
> On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs  wrote:
> > Standalone audit records have the timestamp and serial number generated
> > on the fly and as such are unique, making them standalone.  This new
> > function audit_alloc_local() generates a local audit context that will
> > be used only for a standalone record and its auxiliary record(s).  The
> > context is discarded immediately after the local associated records are
> > produced.
> >
> > Signed-off-by: Richard Guy Briggs 
> > Acked-by: Serge Hallyn 
> > ---
> >  include/linux/audit.h |  8 
> >  kernel/audit.h|  1 +
> >  kernel/auditsc.c  | 33 -
> >  3 files changed, 37 insertions(+), 5 deletions(-)
> 
> I'm not in love with the local flag, and the whole local context in
> general, but that's a larger discussion and not something I want to
> force on this patchset; we can fix it later.

I understand your reasoning to combine it so that if one patch gets
backported then both do, or if one gets reverted both do, but I really
prefer them separate for similar reasons if there is more than one user.

> I think this patch looks fine, but it seems a bit odd standalone; it's
> almost always better to include new capabilities/functions in the same
> patch as the user.  Since the only user is the networking bits, it
> might make more sense to fold this patch into that one.

It was kept separate due to tty_audit usage.  See my reasoning for patch
6, but I'm willing to negotiate if that merits an exception like the
USER records do.

> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 4f514ed..1f340ad 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -234,7 +234,9 @@ struct audit_task_info {
> >  extern struct audit_task_info init_struct_audit;
> >  extern void __init audit_task_init(void);
> >  extern int  audit_alloc(struct task_struct *task);
> > +extern struct audit_context *audit_alloc_local(gfp_t gfpflags);
> >  extern void audit_free(struct task_struct *task);
> > +extern void audit_free_context(struct audit_context *context);
> >  extern void __audit_syscall_entry(int major, unsigned long a0, unsigned 
> > long a1,
> >   unsigned long a2, unsigned long a3);
> >  extern void __audit_syscall_exit(int ret_success, long ret_value);
> > @@ -495,6 +497,12 @@ static inline int audit_alloc(struct task_struct *task)
> >  {
> > return 0;
> >  }
> > +static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
> > +{
> > +   return NULL;
> > +}
> > +static inline void audit_free_context(struct audit_context *context)
> > +{ }
> >  static inline void audit_free(struct task_struct *task)
> >  { }
> >  static inline void audit_syscall_entry(int major, unsigned long a0,
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index 1cf1c35..a6d00a5 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -110,6 +110,7 @@ struct audit_proctitle {
> >  struct audit_context {
> > int dummy;  /* must be the first element */
> > int in_syscall; /* 1 if task is in a syscall */
> > +   boollocal;  /* local context needed */
> > enum audit_statestate, current_state;
> > unsigned intserial; /* serial number for record */
> > int major;  /* syscall number */
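Review bot: `bool local` now marks a context that is allocated and freed around one standalone record, and audit_free_context() becomes a public symbol in the include/linux/audit.h hunk of the same patch, so nothing stops a caller from handing it a task-attached context; have audit_free_context() WARN_ON(!context->local) and return, and have audit_free() refuse a context with local set, so the two lifetimes cannot be crossed. A comment on the field saying that a local context never carries in_syscall state would also help readers of audit_log_start().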
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index cdb24cf..7627f21 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -913,11 +913,13 @@ static inline void audit_free_aux(struct 
> > audit_context *context)
> > }
> >  }
> >
> > -static inline struct audit_context *audit_alloc_context(enum audit_state 
> > state)
> > +static inline struct audit_context *audit_alloc_context(enum audit_state 
> > state,
> > +   gfp_t gfpflags)
> >  {
> > struct audit_context *context;
> >
> > -   context = kzalloc(sizeof(*context), GFP_KERNEL);
> > +   /* We can be called in atomic context via audit_tg() */
> > +   context = kzalloc(sizeof(*context), gfpflags);
> > if (!context)
> > return NULL;
> > context->state = state;
> > @@ -970,7 +972,8 @@ int audit_alloc(struct task_struct *tsk)
> > return 0;
> >

Re: [PATCH ghak90 (was ghak32) V4 09/10] audit: NETFILTER_PKT: record each container ID associated with a netNS

2018-10-31 Thread Richard Guy Briggs
On 2018-10-19 19:18, Paul Moore wrote:
> On Sun, Aug 5, 2018 at 4:33 AM Richard Guy Briggs  wrote:
> > Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> > event standalone records.  Iterate through all potential audit container
> > identifiers associated with a network namespace.
> >
> > Signed-off-by: Richard Guy Briggs 
> > ---
> >  include/linux/audit.h|  5 +
> >  kernel/audit.c   | 26 ++
> >  net/netfilter/xt_AUDIT.c | 12 ++--
> >  3 files changed, 41 insertions(+), 2 deletions(-)
> 
> ...
> 
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 9a02095..8755f4d 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -169,6 +169,8 @@ extern int audit_log_contid(struct audit_context 
> > *context,
> >  extern void audit_netns_contid_add(struct net *net, u64 contid);
> >  extern void audit_netns_contid_del(struct net *net, u64 contid);
> >  extern void audit_switch_task_namespaces(struct nsproxy *ns, struct 
> > task_struct *p);
> > +extern void audit_log_netns_contid_list(struct net *net,
> > +struct audit_context *context);
> >
> >  extern int audit_update_lsm_rules(void);
> >
> > @@ -228,6 +230,9 @@ static inline void audit_netns_contid_del(struct net 
> > *net, u64 contid)
> >  { }
> >  static inline void audit_switch_task_namespaces(struct nsproxy *ns, struct 
> > task_struct *p)
> >  { }
> > +static inline void audit_log_netns_contid_list(struct net *net,
> > +   struct audit_context *context)
> > +{ }
> >
> >  #define audit_enabled AUDIT_OFF
> >  #endif /* CONFIG_AUDIT */
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index c5fed3b..b23711c 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -392,6 +392,32 @@ void audit_switch_task_namespaces(struct nsproxy *ns, 
> > struct task_struct *p)
> > audit_netns_contid_add(new->net_ns, contid);
> >  }
> >
> > +void audit_log_netns_contid_list(struct net *net, struct audit_context 
> > *context)
> > +{
> > +   spinlock_t *lock = audit_get_netns_contid_list_lock(net);
> > +   struct audit_buffer *ab;
> > +   struct audit_contid *cont;
> > +   bool first = true;
> > +
> > +   /* Generate AUDIT_CONTAINER record with container ID CSV list */
> > +   ab = audit_log_start(context, GFP_ATOMIC, AUDIT_CONTAINER);
> > +   if (!ab) {
> > +   audit_log_lost("out of memory in 
> > audit_log_netns_contid_list");
> > +   return;
> > +   }
> > +   audit_log_format(ab, "contid=");
> > +   spin_lock(lock);
> > +   list_for_each_entry(cont, audit_get_netns_contid_list(net), list) {
> > +   if (!first)
> > +   audit_log_format(ab, ",");
> > +   audit_log_format(ab, "%llu", cont->id);
> > +   first = false;
> > +   }
> > +   spin_unlock(lock);
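Review bot: the netfilter target that reaches audit_log_netns_contid_list() runs from a hook in softirq context (which is why audit_log_start() is passed GFP_ATOMIC here), while audit_netns_contid_add()/del() run in process context on namespace changes; a plain spin_lock() on a lock shared between the two can deadlock when the softirq interrupts a CPU that already holds it, so the writers need spin_lock_bh() at minimum, or the readers move to rcu_read_lock() as Paul suggests with the spinlock kept only for writers. Independently, audit_log_format() inside the critical section can grow the skb; copying the ids into a short local array under the lock and formatting after spin_unlock() keeps the held region to the list walk.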
> 
> This is looking like potentially a lot of work to be doing under a
> spinlock, not to mention a single spinlock that is shared across CPUs.
> Considering that I expect changes to the list to be somewhat
> infrequent, this might be a good candidate for a RCU based locking
> scheme.

Would something like this look reasonable?
(This is on top of a patch to make contid list lock and unlock
functions.)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index be5d6eb..9428fc3 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -92,6 +92,7 @@ struct audit_contid {
struct list_headlist;
u64 id;
refcount_t  refcount;
+   struct rcu_head rcu;
 };
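Review bot: adding `struct rcu_head rcu` only pays off if the free path is kfree_rcu()/call_rcu() after the entry has been unlinked with list_del_rcu(), and a reader that wants to hold an entry found under rcu_read_lock() must use refcount_inc_not_zero(), since a concurrent del may already have dropped `refcount` to zero; a comment on the struct stating which lock or RCU state protects `list`, `id` and `refcount` would make that contract visible.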
 
 extern int is_audit_feature_set(int which);
diff --git a/kernel/audit.c b/kernel/audit.c
index d5b58163..6f84c25 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -106,7 +106,6 @@
 struct audit_net {
struct sock *sk;
struct list_head contid_list;
-   spinlock_t contid_list_lock;
 };
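Review bot: dropping contid_list_lock from struct audit_net removes the only serialization between audit_netns_contid_add() and audit_netns_contid_del(); RCU protects readers against writers, not writers against each other, so a writer-side lock should stay (a spinlock taken with _bh if any writer can run in softirq, otherwise a mutex) with list_add_rcu()/list_del_rcu() performed under it. Only the reader in audit_log_netns_contid_list() should lose its lock in favour of rcu_read_lock() and list_for_each_entry_rcu().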
 
 /**
@@ -327,26 +326,6 @@ struct list_head *audit_get_netns_contid_list(const struct 
net *net)
return &aunet->contid_list;
 }
 
-static int audit_netns_contid_lock(const struct net *net)
-{
-   struct audit_net *aunet = net_generic(net, audit_net_id);
-
-   if (!aunet)
-   return -EINVAL;
-   spin_lock(aunet->contid_list_lock);
-   return 0;
-}
-
-static int audit_netns_contid_unlock(const struct net *net)
-{
- 
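
Added illustration, not code from the patch above: a userspace model of the per-network-namespace audit container identifier list that the NETFILTER_PKT change walks and renders as a CSV. Entries are refcounted, so the list only changes when the first task carrying a given identifier enters the netns or the last one leaves, which is the "changes are infrequent" property Paul's RCU suggestion relies on. Tail insertion, the errno values and the fixed-size CSV buffer are assumptions of the example; kernel RCU cannot be reproduced in userspace, so readers and writers here are simply not concurrent.

```c
/*
 * Added illustration (not code from the patch above): a userspace model
 * of the per-netns audit container ID list with refcounted entries and
 * the "contid=1,2,3" rendering used for the AUDIT_CONTAINER aux record.
 * Tail insertion, errno values and the fixed CSV buffer are assumptions;
 * there is no RCU here, readers and writers are not concurrent.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_CID_UNSET UINT64_MAX

struct audit_contid {
	struct audit_contid *next;
	uint64_t id;
	unsigned int refcount;	/* tasks in this netns carrying id */
};

struct audit_net {
	struct audit_contid *contid_list;
};

/* A task carrying contid enters the netns: bump the entry or append one. */
int audit_netns_contid_add(struct audit_net *aunet, uint64_t contid)
{
	struct audit_contid **pp = &aunet->contid_list, *cont;

	if (contid == AUDIT_CID_UNSET)	/* unlabelled tasks are not tracked */
		return 0;
	for (; *pp; pp = &(*pp)->next) {
		if ((*pp)->id == contid) {
			(*pp)->refcount++;
			return 0;
		}
	}
	cont = calloc(1, sizeof(*cont));
	if (!cont)
		return -ENOMEM;
	cont->id = contid;
	cont->refcount = 1;
	*pp = cont;		/* tail insertion keeps CSV order stable */
	return 0;
}

/* A task carrying contid leaves the netns: unlink and free at zero. */
int audit_netns_contid_del(struct audit_net *aunet, uint64_t contid)
{
	struct audit_contid **pp = &aunet->contid_list;

	if (contid == AUDIT_CID_UNSET)
		return 0;
	for (; *pp; pp = &(*pp)->next) {
		if ((*pp)->id == contid) {
			struct audit_contid *cont = *pp;

			if (--cont->refcount == 0) {
				*pp = cont->next;
				free(cont);
			}
			return 0;
		}
	}
	return -ENOENT;
}

/* Render "contid=a,b,c"; returns the entry count, or -ENOSPC if truncated. */
int audit_netns_contid_csv(const struct audit_net *aunet, char *buf, size_t bufsz)
{
	const struct audit_contid *cont;
	size_t len;
	int n = 0;

	len = (size_t)snprintf(buf, bufsz, "contid=");
	for (cont = aunet->contid_list; cont; cont = cont->next, n++) {
		size_t avail = len < bufsz ? bufsz - len : 0;
		int w = snprintf(avail ? buf + len : NULL, avail, "%s%llu",
				 n ? "," : "", (unsigned long long)cont->id);

		if (w < 0)
			return -EIO;
		len += (size_t)w;
	}
	return len >= bufsz ? -ENOSPC : n;
}

/* Shared state for the demonstration below. */
struct audit_net net0;
char csvbuf[64];

int main(void)
{
	audit_netns_contid_add(&net0, 10);
	audit_netns_contid_add(&net0, 20);
	audit_netns_contid_add(&net0, 10);	/* second task with label 10 */
	printf("%d entries: %s\n", audit_netns_contid_csv(&net0, csvbuf, sizeof(csvbuf)), csvbuf);
	audit_netns_contid_del(&net0, 10);	/* one of the two leaves: list unchanged */
	audit_netns_contid_del(&net0, 10);	/* last one leaves: entry dropped */
	printf("%d entries: %s\n", audit_netns_contid_csv(&net0, csvbuf, sizeof(csvbuf)), csvbuf);
	return 0;
}
```

Two adds and one del of the same identifier leave the list untouched; only the transitions of refcount 0 to 1 and 1 to 0 modify it, which is what makes the list a reader-heavy, writer-light structure.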

Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls

2018-10-25 Thread Richard Guy Briggs
On 2018-10-25 17:57, Steve Grubb wrote:
> On Thu, 25 Oct 2018 08:27:32 -0400
> Richard Guy Briggs  wrote:
> 
> > On 2018-10-25 06:49, Paul Moore wrote:
> > > On Thu, Oct 25, 2018 at 2:06 AM Steve Grubb 
> > > wrote:  
> > > > On Wed, 24 Oct 2018 20:42:55 -0400
> > > > Richard Guy Briggs  wrote:  
> > > > > On 2018-10-24 16:55, Paul Moore wrote:  
> > > > > > On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs
> > > > > >  wrote:  
> > > > > > > On 2018-10-19 19:16, Paul Moore wrote:  
> > > > > > > > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs
> > > > > > > >  wrote:  
> > > 
> > > ...
> > >   
> > > > > > > > > +/*
> > > > > > > > > + * audit_log_contid - report container info
> > > > > > > > > + * @tsk: task to be recorded
> > > > > > > > > + * @context: task or local context for record
> > > > > > > > > + * @op: contid string description
> > > > > > > > > + */
> > > > > > > > > +int audit_log_contid(struct task_struct *tsk,
> > > > > > > > > +struct audit_context
> > > > > > > > > *context, char *op) +{
> > > > > > > > > +   struct audit_buffer *ab;
> > > > > > > > > +
> > > > > > > > > +   if (!audit_contid_set(tsk))
> > > > > > > > > +   return 0;
> > > > > > > > > +   /* Generate AUDIT_CONTAINER record with
> > > > > > > > > container ID */
> > > > > > > > > +   ab = audit_log_start(context, GFP_KERNEL,
> > > > > > > > > AUDIT_CONTAINER);
> > > > > > > > > +   if (!ab)
> > > > > > > > > +   return -ENOMEM;
> > > > > > > > > +   audit_log_format(ab, "op=%s contid=%llu",
> > > > > > > > > +op, audit_get_contid(tsk));
> > > > > > > > > +   audit_log_end(ab);
> > > > > > > > > +   return 0;
> > > > > > > > > +}
> > > > > > > > > +EXPORT_SYMBOL(audit_log_contid);  
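Review bot: audit_log_contid() reads the target's identifier twice, once in audit_contid_set(tsk) and again in audit_get_contid(tsk), and tsk need not be current; since the proc interface lets another task write the identifier concurrently, the record can report a value that differs from the one the check saw. Read it once into a local u64, compare that against the unset sentinel, and log that same value. The comment block above the function should also open with /** rather than /* if it is meant to be picked up as kernel-doc.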
> > > > > > > >
> > > > > > > > As discussed in the previous iteration of the patch, I
> > > > > > > > prefer AUDIT_CONTAINER_ID here over AUDIT_CONTAINER.  If
> > > > > > > > you feel strongly about keeping it as-is with
> > > > > > > > AUDIT_CONTAINER I suppose I could live with that, but it
> > > > > > > > is isn't my first choice.  
> > > > > > >
> > > > > > > I don't have a strong opinion on this one, mildly
> > > > > > > preferring the shorter one only because it is shorter.  
> > > > > >
> > > > > > We already have multiple AUDIT_CONTAINER* record types, so it
> > > > > > seems as though we should use "AUDIT_CONTAINER" as a prefix
> > > > > > of sorts, rather than a type itself.  
> > > > >
> > > > > I'm fine with that.  I'd still like to hear Steve's input.  He
> > > > > had stronger opinions than me.  
> > > >
> > > > The creation event should be separate and distinct from the
> > > > continuing use when its used as a supplemental record. IOW,
> > > > binding the ID to a container is part of the lifecycle and needs
> > > > to be kept distinct.  
> > > 
> > > Steve's comment is pretty ambiguous when it comes to AUDIT_CONTAINER
> > > vs AUDIT_CONTAINER_ID, but one could argue that AUDIT_CONTAINER_ID
> > > helps distinguish the audit container id marking record and gets to
> > > what I believe is the spirit of Steve's comment.  Taking this in
> > > context with my previous remarks, let's switch to using
> > > AUDIT_CONTAINER_ID.  
> > 
> > I suspect Steve is mixing up AUDIT_CONTAINER_OP with
> > AUDIT_CONTAINER_ID, confusing the fact that they are two separate
> > records.  As a summary, the suggested records are:
> > CONTAINER_OP    audit container identifier creation
> > CONTAINER       audit container identifier aux rec

Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls

2018-10-25 Thread Richard Guy Briggs
On 2018-10-25 06:49, Paul Moore wrote:
> On Thu, Oct 25, 2018 at 2:06 AM Steve Grubb  wrote:
> > On Wed, 24 Oct 2018 20:42:55 -0400
> > Richard Guy Briggs  wrote:
> > > On 2018-10-24 16:55, Paul Moore wrote:
> > > > On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs
> > > >  wrote:
> > > > > On 2018-10-19 19:16, Paul Moore wrote:
> > > > > > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs
> > > > > >  wrote:
> 
> ...
> 
> > > > > > > +/*
> > > > > > > + * audit_log_contid - report container info
> > > > > > > + * @tsk: task to be recorded
> > > > > > > + * @context: task or local context for record
> > > > > > > + * @op: contid string description
> > > > > > > + */
> > > > > > > +int audit_log_contid(struct task_struct *tsk,
> > > > > > > +struct audit_context *context,
> > > > > > > char *op) +{
> > > > > > > +   struct audit_buffer *ab;
> > > > > > > +
> > > > > > > +   if (!audit_contid_set(tsk))
> > > > > > > +   return 0;
> > > > > > > +   /* Generate AUDIT_CONTAINER record with container ID
> > > > > > > */
> > > > > > > +   ab = audit_log_start(context, GFP_KERNEL,
> > > > > > > AUDIT_CONTAINER);
> > > > > > > +   if (!ab)
> > > > > > > +   return -ENOMEM;
> > > > > > > +   audit_log_format(ab, "op=%s contid=%llu",
> > > > > > > +op, audit_get_contid(tsk));
> > > > > > > +   audit_log_end(ab);
> > > > > > > +   return 0;
> > > > > > > +}
> > > > > > > +EXPORT_SYMBOL(audit_log_contid);
> > > > > >
> > > > > > As discussed in the previous iteration of the patch, I prefer
> > > > > > AUDIT_CONTAINER_ID here over AUDIT_CONTAINER.  If you feel
> > > > > > strongly about keeping it as-is with AUDIT_CONTAINER I suppose
> > > > > > I could live with that, but it isn't my first choice.
> > > > >
> > > > > I don't have a strong opinion on this one, mildly preferring the
> > > > > shorter one only because it is shorter.
> > > >
> > > > We already have multiple AUDIT_CONTAINER* record types, so it seems
> > > > as though we should use "AUDIT_CONTAINER" as a prefix of sorts,
> > > > rather than a type itself.
> > >
> > > I'm fine with that.  I'd still like to hear Steve's input.  He had
> > > stronger opinions than me.
> >
> > The creation event should be separate and distinct from the continuing
> > use when its used as a supplemental record. IOW, binding the ID to a
> > container is part of the lifecycle and needs to be kept distinct.
> 
> Steve's comment is pretty ambiguous when it comes to AUDIT_CONTAINER
> vs AUDIT_CONTAINER_ID, but one could argue that AUDIT_CONTAINER_ID
> helps distinguish the audit container id marking record and gets to
> what I believe is the spirit of Steve's comment.  Taking this in
> context with my previous remarks, let's switch to using
> AUDIT_CONTAINER_ID.

I suspect Steve is mixing up AUDIT_CONTAINER_OP with AUDIT_CONTAINER_ID,
confusing the fact that they are two separate records.  As a summary,
the suggested records are:
CONTAINER_OP    audit container identifier creation
CONTAINER       audit container identifier aux record to an event

and what Paul is suggesting (which is fine by me) is:
CONTAINER_OP    audit container identifier creation event
CONTAINER_ID    audit container identifier aux record to an event

Steve, please indicate you are fine with this.

> paul moore

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls

2018-10-25 Thread Richard Guy Briggs
On 2018-10-25 07:13, Paul Moore wrote:
> On October 25, 2018 1:43:16 AM Richard Guy Briggs  wrote:
> > On 2018-10-24 16:55, Paul Moore wrote:
> >> On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs  
> >> wrote:
> >>> On 2018-10-19 19:16, Paul Moore wrote:
> >>>> On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs  
> >>>> wrote:
> >
> 
> ...
> 
> >
> >>>> However, I do care about the "op" field in this record.  It just
> >>>> doesn't make any sense; the way you are using it it is more of a
> >>>> context field than an operations field, and even then why is the
> >>>> context important from a logging and/or security perspective?  Drop it
> >>>> please.
> >>>
> >>> I'll rename it to whatever you like.  I'd suggest "ref=".  The reason I
> >>> think it is important is there are multiple sources that aren't always
> >>> obvious from the other records to which it is associated.  In the case
> >>> of ptrace and signals, there can be many target tasks listed (OBJ_PID)
> >>> with no other way to distinguish the matching audit container identifier
> >>> records all for one event.  This is in addition to the default syscall
> >>> container identifier record.  I'm not currently happy with the text
> >>> content to link the two, but that should be solvable (most obvious is
> >>> target PID).  Throwing away this information seems shortsighted.
> >>
> >> It would be helpful if you could generate real audit events
> >> demonstrating the problems you are describing, as well as a more
> >> standard syscall event, so we can discuss some possible solutions.
> >
> > If the audited process is in a container and it ptraces or signals
> > another process in a container, there will be two AUDIT_CONTAINER
> > records for the same event that won't be identified as to which record
> > belongs to which process or other record (SYSCALL vs 1+ OBJ_PID
> > records).  There could be many signals recorded, each with their own
> > OBJ_PID record.  The first is stored in the audit context and additional
> > ones are stored in a chained struct that can accommodate 16 entries each.
> >
> > (See audit_signal_info(), __audit_ptrace().)
> >
> > (As a side note, on code inspection it appears that a signal target
> > would get overwritten by a ptrace action if they were to happen in that
> > order.)
> 
> As requested above, please respond with real audit events generated by
> this patchset so that we can discuss possible solutions.

Ok, then we should be developing a test to test ptrace and signal
auditing in general since we don't have current experience/evidence
that those even work (or rip them out if not).

> paul moore

- RGB



Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls

2018-10-24 Thread Richard Guy Briggs
On 2018-10-24 16:55, Paul Moore wrote:
> On Wed, Oct 24, 2018 at 11:15 AM Richard Guy Briggs  wrote:
> > On 2018-10-19 19:16, Paul Moore wrote:
> > > On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs  wrote:
> > > > Create a new audit record AUDIT_CONTAINER to document the audit
> > > > container identifier of a process if it is present.
> > > >
> > > > Called from audit_log_exit(), syscalls are covered.
> > > >
> > > > A sample raw event:
> > > > type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 
> > > > success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 
> > > > ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> > > > fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" 
> > > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> > > > key="tmpcontainerid"
> > > > type=CWD msg=audit(1519924845.499:257): cwd="/root"
> > > > type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" 
> > > > inode=13863 dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 
> > > > obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0000000000000000 
> > > > cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> > > > type=PATH msg=audit(1519924845.499:257): item=1 
> > > > name="/tmp/tmpcontainerid" inode=17729 dev=00:27 mode=0100644 ouid=0 
> > > > ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 
> > > > nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 
> > > > cap_fe=0 cap_fver=0
> > > > type=PROCTITLE msg=audit(1519924845.499:257): 
> > > > proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
> > > > type=CONTAINER msg=audit(1519924845.499:257): op=task contid=123458
> > > >
> > > > See: https://github.com/linux-audit/audit-kernel/issues/90
> > > > See: https://github.com/linux-audit/audit-userspace/issues/51
> > > > See: https://github.com/linux-audit/audit-testsuite/issues/64
> > > > See: 
> > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
> > > > Signed-off-by: Richard Guy Briggs 
> > > > Acked-by: Serge Hallyn 
> > > > Acked-by: Steve Grubb 
> > > > ---
> > > >  include/linux/audit.h  |  7 +++
> > > >  include/uapi/linux/audit.h |  1 +
> > > >  kernel/audit.c | 24 
> > > >  kernel/auditsc.c   |  3 +++
> > > >  4 files changed, 35 insertions(+)
> > >
> > > ...
> > >
> > > > @@ -2045,6 +2045,30 @@ void audit_log_session_info(struct audit_buffer 
> > > > *ab)
> > > > audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
> > > >  }
> > > >
> > > > +/*
> > > > + * audit_log_contid - report container info
> > > > + * @tsk: task to be recorded
> > > > + * @context: task or local context for record
> > > > + * @op: contid string description
> > > > + */
> > > > +int audit_log_contid(struct task_struct *tsk,
> > > > +struct audit_context *context, char *op)
> > > > +{
> > > > +   struct audit_buffer *ab;
> > > > +
> > > > +   if (!audit_contid_set(tsk))
> > > > +   return 0;
> > > > +   /* Generate AUDIT_CONTAINER record with container ID */
> > > > +   ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER);
> > > > +   if (!ab)
> > > > +   return -ENOMEM;
> > > > +   audit_log_format(ab, "op=%s contid=%llu",
> > > > +op, audit_get_contid(tsk));
> > > > +   audit_log_end(ab);
> > > > +   return 0;
> > > > +}
> > > > +EXPORT_SYMBOL(audit_log_contid);
> > >
> > > As discussed in the previous iteration of the patch, I prefer
> > > AUDIT_CONTAINER_ID here over AUDIT_CONTAINER.  If you feel strongly
> > > about keeping it as-is with AUDIT_CONTAINER I suppose I could live
> > > with that, but it isn't my first choice.
> >
> > I don't have a strong opinion on this one, mildly preferring the shorter
> > one only because it is shorter.
> 
> We already have multiple AUDIT_CONTAINER*

Re: [PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls

2018-10-24 Thread Richard Guy Briggs
On 2018-10-19 19:16, Paul Moore wrote:
> On Sun, Aug 5, 2018 at 4:32 AM Richard Guy Briggs  wrote:
> > Create a new audit record AUDIT_CONTAINER to document the audit
> > container identifier of a process if it is present.
> >
> > Called from audit_log_exit(), syscalls are covered.
> >
> > A sample raw event:
> > type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 
> > success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 
> > ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> > fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" 
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
> > key="tmpcontainerid"
> > type=CWD msg=audit(1519924845.499:257): cwd="/root"
> > type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 
> > dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 
> > obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0000000000000000 
> > cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> > type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" 
> > inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 
> > obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE 
> > cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> > type=PROCTITLE msg=audit(1519924845.499:257): 
> > proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
> > type=CONTAINER msg=audit(1519924845.499:257): op=task contid=123458
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/90
> > See: https://github.com/linux-audit/audit-userspace/issues/51
> > See: https://github.com/linux-audit/audit-testsuite/issues/64
> > See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
> > Signed-off-by: Richard Guy Briggs 
> > Acked-by: Serge Hallyn 
> > Acked-by: Steve Grubb 
> > ---
> >  include/linux/audit.h  |  7 +++
> >  include/uapi/linux/audit.h |  1 +
> >  kernel/audit.c | 24 
> >  kernel/auditsc.c   |  3 +++
> >  4 files changed, 35 insertions(+)
> 
> ...
> 
> > @@ -2045,6 +2045,30 @@ void audit_log_session_info(struct audit_buffer *ab)
> > audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
> >  }
> >
> > +/*
> > + * audit_log_contid - report container info
> > + * @tsk: task to be recorded
> > + * @context: task or local context for record
> > + * @op: contid string description
> > + */
> > +int audit_log_contid(struct task_struct *tsk,
> > +struct audit_context *context, char *op)
> > +{
> > +   struct audit_buffer *ab;
> > +
> > +   if (!audit_contid_set(tsk))
> > +   return 0;
> > +   /* Generate AUDIT_CONTAINER record with container ID */
> > +   ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER);
> > +   if (!ab)
> > +   return -ENOMEM;
> > +   audit_log_format(ab, "op=%s contid=%llu",
> > +op, audit_get_contid(tsk));
> > +   audit_log_end(ab);
> > +   return 0;
> > +}
> > +EXPORT_SYMBOL(audit_log_contid);
> 
> As discussed in the previous iteration of the patch, I prefer
> AUDIT_CONTAINER_ID here over AUDIT_CONTAINER.  If you feel strongly
> about keeping it as-is with AUDIT_CONTAINER I suppose I could live
> with that, but it isn't my first choice.

I don't have a strong opinion on this one, mildly preferring the shorter
one only because it is shorter.

Steve?  Can you comment on this one way or the other?

> However, I do care about the "op" field in this record.  It just
> doesn't make any sense; the way you are using it it is more of a
> context field than an operations field, and even then why is the
> context important from a logging and/or security perspective?  Drop it
> please.

I'll rename it to whatever you like.  I'd suggest "ref=".  The reason I
think it is important is there are multiple sources that aren't always
obvious from the other records to which it is associated.  In the case
of ptrace and signals, there can be many target tasks listed (OBJ_PID)
with no other way to distinguish the matching audit container identifier
records all for one event.  This is in addition to the default syscall
container identifier record.  I'm not currently happy with the text
content to link the two, but that should be solvable (most obvious is
target PID).  Throwing away this information seems shortsighted.

> paul moore

- RGB



Re: [PATCH ghak90 (was ghak32) V4 02/10] audit: add container id

2018-10-19 Thread Richard Guy Briggs
On 2018-10-19 15:38, Paul Moore wrote:
> On Tue, Jul 31, 2018 at 4:11 PM Richard Guy Briggs  wrote:
> >
> > Implement the proc fs write to set the audit container identifier of a
> > process, emitting an AUDIT_CONTAINER_OP record to document the event.
> >
> > This is a write from the container orchestrator task to a proc entry of
> > the form /proc/PID/audit_containerid where PID is the process ID of the
> > newly created task that is to become the first task in a container, or
> > an additional task added to a container.
> >
> > The write expects up to a u64 value (unset: 18446744073709551615).
> >
> > The writer must have capability CAP_AUDIT_CONTROL.
> >
> > This will produce a record such as this:
> >   type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set 
> > opid=2209 old-contid=18446744073709551615 contid=123456 pid=628 auid=root 
> > uid=root tty=ttyS0 ses=1 
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=bash 
> > exe=/usr/bin/bash res=yes
> 
> You need to update the record type in the example above.

Yup, thanks.

> > The "op" field indicates an initial set.  The "pid" to "ses" fields are
> > the orchestrator while the "opid" field is the object's PID, the process
> > being "contained".  Old and new audit container identifier values are
> > given in the "contid" fields, while res indicates its success.
> 
> I understand Steve's concern around the "op" field, but I think it
> might be a bit premature to think we might not need to do some sort of
> audit container ID management in the future that would want to make
> use of the CONTAINER_OP message type.  I would like to see the "op"
> field preserved.

I strongly agree.

> > It is not permitted to unset the audit container identifier.
> > A child inherits its parent's audit container identifier.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/90
> > See: https://github.com/linux-audit/audit-userspace/issues/51
> > See: https://github.com/linux-audit/audit-testsuite/issues/64
> > See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
> >
> > Signed-off-by: Richard Guy Briggs 
> > Acked-by: Serge Hallyn 
> > Acked-by: Steve Grubb 
> > ---
> >  fs/proc/base.c | 37 +
> >  include/linux/audit.h  | 24 
> >  include/uapi/linux/audit.h |  2 ++
> >  kernel/auditsc.c   | 68 
> > ++
> >  4 files changed, 131 insertions(+)
> 
> ...
> 
> > @@ -2112,6 +2114,72 @@ int audit_set_loginuid(kuid_t loginuid)
> >  }
> >
> >  /**
> > + * audit_set_contid - set current task's audit_context contid
> > + * @contid: contid value
> > + *
> > + * Returns 0 on success, -EPERM on permission failure.
> > + *
> > + * Called (set) from fs/proc/base.c::proc_contid_write().
> > + */
> > +int audit_set_contid(struct task_struct *task, u64 contid)
> > +{
> > +   u64 oldcontid;
> > +   int rc = 0;
> > +   struct audit_buffer *ab;
> > +   uid_t uid;
> > +   struct tty_struct *tty;
> > +   char comm[sizeof(current->comm)];
> > +
> > +   task_lock(task);
> > +   /* Can't set if audit disabled */
> > +   if (!task->audit) {
> > +   task_unlock(task);
> > +   return -ENOPROTOOPT;
> > +   }
> > +   oldcontid = audit_get_contid(task);
> > +   read_lock(&tasklist_lock);
> 
> I assume lockdep was happy with nesting the tasklist_lock inside the task 
> lock?

Yup, I had gone through the logic and at first I had doubts, but the
function comments and other usage reassured me (as well as in-kernel
lock checks on boot) that this was the right order and approach.

> > +   /* Don't allow the audit containerid to be unset */
> > +   if (!audit_contid_valid(contid))
> > +   rc = -EINVAL;
> > +   /* if we don't have caps, reject */
> > +   else if (!capable(CAP_AUDIT_CONTROL))
> > +   rc = -EPERM;
> > +   /* if task has children or is not single-threaded, deny */
> > +   else if (!list_empty(&task->children))
> > +   rc = -EBUSY;
> > +   else if (!(thread_group_leader(task) && thread_group_empty(task)))
> > +   rc = -EALREADY;
> > +   read_unlock(&tasklist_lock);
> > +   if (!rc)
> >
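Review bot: the kerneldoc for audit_set_contid() reads "set current task's audit_context contid" and lists only @contid, but the function takes a @task argument and proc_contid_write() calls it on another process; document @task and the full set of returns (-ENOPROTOOPT, -EINVAL, -EBUSY, -EALREADY), not just -EPERM. More importantly, capable(CAP_AUDIT_CONTROL) is the only authorisation check and it says nothing about the relationship between current and @task, so any process holding that capability can label any childless, single-threaded task on the system, including one spawned by a different orchestrator; add an ancestry check (walk @task's real_parent chain under the tasklist_lock that is already held here and require current to be on it) before the capability test.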

[PATCH ghak90 (was ghak32) V4 03/10] audit: log container info of syscalls

2018-07-31 Thread Richard Guy Briggs
Create a new audit record AUDIT_CONTAINER to document the audit
container identifier of a process if it is present.

Called from audit_log_exit(), syscalls are covered.

A sample raw event:
type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 
success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 
pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 
ses=3 comm="bash" exe="/usr/bin/bash" 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
type=CWD msg=audit(1519924845.499:257): cwd="/root"
type=PATH msg=audit(1519924845.499:257): item=0 name="/tmp/" inode=13863 
dev=00:27 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 
nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 
cap_fver=0
type=PATH msg=audit(1519924845.499:257): item=1 name="/tmp/tmpcontainerid" 
inode=17729 dev=00:27 mode=0100644 ouid=0 ogid=0 rdev=00:00 
obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0000000000000000 
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1519924845.499:257): 
proctitle=62617368002D6300736C65657020313B206563686F2074657374203E202F746D702F746D70636F6E7461696E65726964
type=CONTAINER msg=audit(1519924845.499:257): op=task contid=123458

See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs 
Acked-by: Serge Hallyn 
Acked-by: Steve Grubb 
---
 include/linux/audit.h  |  7 +++
 include/uapi/linux/audit.h |  1 +
 kernel/audit.c | 24 
 kernel/auditsc.c   |  3 +++
 4 files changed, 35 insertions(+)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 71a6fc6..d5a48dc 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -155,6 +155,9 @@ extern void audit_log_key(struct audit_buffer 
*ab,
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab,
struct task_struct *tsk);
+extern int audit_log_contid(struct task_struct *tsk,
+   struct audit_context *context,
+   char *op);
 
 extern int audit_update_lsm_rules(void);
 
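Review bot: audit_log_contid() takes `char *op` but only passes it to audit_log_format(), and callers will hand it string literals such as "task"; declare it `const char *op` here, in the !CONFIG_AUDIT stub and in the definition so that callers do not need a cast.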
@@ -205,6 +208,10 @@ static inline int audit_log_task_context(struct 
audit_buffer *ab)
 static inline void audit_log_task_info(struct audit_buffer *ab,
   struct task_struct *tsk)
 { }
+static inline int audit_log_contid(struct task_struct *tsk,
+  struct audit_context *context,
+  char *op)
+{ }
 #define audit_enabled AUDIT_OFF
 #endif /* CONFIG_AUDIT */
 
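Review bot: the !CONFIG_AUDIT stub `static inline int audit_log_contid(...) { }` has no return statement in a function returning int, which warns on every build without CONFIG_AUDIT (and fails with -Werror); make it `{ return 0; }` to mirror the "nothing to log" path of the real function.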
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 3474f57..dc259c7 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -115,6 +115,7 @@
 #define AUDIT_REPLACE  1329/* Replace auditd if this packet 
unanswerd */
 #define AUDIT_KERN_MODULE  1330/* Kernel Module events */
 #define AUDIT_FANOTIFY 1331/* Fanotify access decision */
+#define AUDIT_CONTAINER1332/* Container ID */
 
 #define AUDIT_AVC  1400/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR  1401/* Internal SE Linux Errors */
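Review bot: this adds `AUDIT_CONTAINER 1332 /* Container ID */` to the UAPI header while the thread is still deciding between AUDIT_CONTAINER and AUDIT_CONTAINER_ID, and the 02/10 patch in the same series already shows CONTAINER_ID in its sample record for the lifecycle event; settle the names before a number is assigned, since a record type cannot be renamed once it ships in include/uapi, and make the comment say which of the two records this is (the per-event auxiliary record, as opposed to the set/lifecycle record).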
diff --git a/kernel/audit.c b/kernel/audit.c
index 2a80587..15f54c7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2045,6 +2045,30 @@ void audit_log_session_info(struct audit_buffer *ab)
audit_log_format(ab, " auid=%u ses=%u", auid, sessionid);
 }
 
+/*
+ * audit_log_contid - report container info
+ * @tsk: task to be recorded
+ * @context: task or local context for record
+ * @op: contid string description
+ */
+int audit_log_contid(struct task_struct *tsk,
+struct audit_context *context, char *op)
+{
+   struct audit_buffer *ab;
+
+   if (!audit_contid_set(tsk))
+   return 0;
+   /* Generate AUDIT_CONTAINER record with container ID */
+   ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER);
+   if (!ab)
+   return -ENOMEM;
+   audit_log_format(ab, "op=%s contid=%llu",
+op, audit_get_contid(tsk));
+   audit_log_end(ab);
+   return 0;
+}
+EXPORT_SYMBOL(audit_log_contid);
+
 void audit_log_key(struct audit_buffer *ab, char *key)
 {
audit_log_format(ab, " key=");
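Review bot: audit_log_start() is called with GFP_KERNEL, which is fine from audit_log_exit(), but the function is exported and the cover letter says later patches in the series call it from the ptrace/signal and tty_audit paths; either pass a gfp_t through or state in the comment that callers must be in sleepable context. Also the comment block opens with `/*` rather than `/**`, so it is not picked up as kerneldoc and the -ENOMEM return is undocumented; and `op` should be `const char *`.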
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6125cef..39e5633 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1488,10 +1488,13 @@ static void audit_log_exit(struct 

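The CONTAINER record in the sample above is what a consumer has to join back to the SYSCALL record of the same event, and the ptrace/signal discussion earlier in the thread is about what happens when one event carries several such records. The following is an added example, not code from the patchset or from audit-userspace, that does that join in Python over constructed records; the raw form of the CONTAINER_ID record, the OBJ_PID line and the "op=target" record are assumptions made for the example.

```python
"""Added example (not from the patchset or audit-userspace): group raw audit
records into events on the msg=audit(TIME:SERIAL) stamp, then read the audit
container identifier from the CONTAINER auxiliary record and the CONTAINER_ID
lifecycle record.  Record/field names follow the samples in the commit
messages; the sample log below is constructed, see its comment."""
import re
from collections import defaultdict

AUDIT_CID_UNSET = 2**64 - 1   # "unset" value from the 02/10 commit message

_STAMP_RE = re.compile(r'msg=audit\((?P<time>.+?):(?P<serial>\d+)\)')
_FIELD_RE = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\S+)')

# Constructed sample.  Event 257 is the raw event from the 03/10 commit message
# (PATH and PROCTITLE records omitted); event 250 is a matching CONTAINER_ID
# record in raw form; event 258 is a hypothetical kill(2) from that task against
# a task in another container, carrying an OBJ_PID record and a second CONTAINER
# record.  "op=target" is an assumed value: the page does not show the string
# the ptrace/signal patch uses.
SAMPLE_LOG = """\
type=CONTAINER_ID msg=audit(1519924840.100:250): op=set opid=635 old-contid=18446744073709551615 contid=123458 pid=628 auid=0 uid=0 tty=pts0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm="bash" exe="/usr/bin/bash" res=1
type=SYSCALL msg=audit(1519924845.499:257): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=56374e1cef30 a2=241 a3=1b6 items=2 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="tmpcontainerid"
type=CWD msg=audit(1519924845.499:257): cwd="/root"
type=CONTAINER msg=audit(1519924845.499:257): op=task contid=123458
type=SYSCALL msg=audit(1519924850.001:258): arch=c000003e syscall=62 success=yes exit=0 a0=290 a1=f a2=0 a3=0 items=0 ppid=606 pid=635 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=OBJ_PID msg=audit(1519924850.001:258): opid=656 oauid=0 ouid=0 oses=3 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ocomm="sleep"
type=CONTAINER msg=audit(1519924850.001:258): op=task contid=123458
type=CONTAINER msg=audit(1519924850.001:258): op=target contid=123459
"""


def parse_record(line):
    """Split one raw record into (type, time, serial, {field: value})."""
    stamp = _STAMP_RE.search(line)
    if stamp is None:
        raise ValueError("record without a msg=audit() stamp: %r" % line)
    fields = {}
    for m in _FIELD_RE.finditer(line):
        if m.group("key") != "msg":            # the stamp is handled above
            fields[m.group("key")] = m.group("val").strip('"')
    return fields.pop("type"), stamp.group("time"), int(stamp.group("serial")), fields


def group_events(lines):
    """{serial: [(type, fields), ...]} in the order the records were logged."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rtype, _time, serial, fields = parse_record(line)
            events[serial].append((rtype, fields))
    return dict(events)


def container_ids(records):
    """All CONTAINER aux records of one event, keyed on their op field.

    With ptrace/signal targets an event carries more than one CONTAINER record;
    without op (or a target pid) those records would be indistinguishable."""
    return {f.get("op", "task"): int(f["contid"])
            for rtype, f in records if rtype == "CONTAINER"}


def contid_of_event(records):
    """Identifier of the task that made the syscall, or None if it has none."""
    return container_ids(records).get("task")


def contid_assignments(events):
    """CONTAINER_ID records: which orchestrator bound which id to which task."""
    out = []
    for serial in sorted(events):
        for rtype, f in events[serial]:
            if rtype == "CONTAINER_ID":
                out.append({"serial": serial, "op": f.get("op"),
                            "opid": int(f["opid"]),
                            "old_contid": int(f["old-contid"]),
                            "contid": int(f["contid"]),
                            "orchestrator_pid": int(f["pid"]),
                            "res": f.get("res")})
    return out


def syscalls_by_contid(events):
    """{contid: [(serial, syscall, pid), ...]} for every labelled SYSCALL event."""
    out = defaultdict(list)
    for serial in sorted(events):
        contid = contid_of_event(events[serial])
        if contid is None:
            continue
        for rtype, f in events[serial]:
            if rtype == "SYSCALL":
                out[contid].append((serial, f["syscall"], f["pid"]))
    return dict(out)


if __name__ == "__main__":
    ev = group_events(SAMPLE_LOG.splitlines())
    for a in contid_assignments(ev):
        print("pid %(orchestrator_pid)d bound contid %(contid)d to task %(opid)d (res=%(res)s)" % a)
    for contid, calls in syscalls_by_contid(ev).items():
        print("contid %d: %s" % (contid, calls))
    print("event 258 container records:", container_ids(ev[258]))
```

Run against a real log the same way: feed `group_events()` the output of `ausearch --raw` (one record per line) and `syscalls_by_contid()` gives the per-container view that the plain SYSCALL record cannot provide. Event 258 shows the point made about ptrace and signals: two CONTAINER records on one event are only attributable because something in the record (here the op value) says which task each belongs to.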
[PATCH ghak90 (was ghak32) V4 02/10] audit: add container id

2018-07-31 Thread Richard Guy Briggs
Implement the proc fs write to set the audit container identifier of a
process, emitting an AUDIT_CONTAINER_OP record to document the event.

This is a write from the container orchestrator task to a proc entry of
the form /proc/PID/audit_containerid where PID is the process ID of the
newly created task that is to become the first task in a container, or
an additional task added to a container.

The write expects up to a u64 value (unset: 18446744073709551615).

The writer must have capability CAP_AUDIT_CONTROL.

This will produce a record such as this:
  type=CONTAINER_ID msg=audit(2018-06-06 12:39:29.636:26949) : op=set opid=2209 
old-contid=18446744073709551615 contid=123456 pid=628 auid=root uid=root 
tty=ttyS0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
comm=bash exe=/usr/bin/bash res=yes

The "op" field indicates an initial set.  The "pid" to "ses" fields are
the orchestrator while the "opid" field is the object's PID, the process
being "contained".  Old and new audit container identifier values are
given in the "contid" fields, while res indicates its success.

It is not permitted to unset the audit container identifier.
A child inherits its parent's audit container identifier.

See: https://github.com/linux-audit/audit-kernel/issues/90
See: https://github.com/linux-audit/audit-userspace/issues/51
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID

Signed-off-by: Richard Guy Briggs 
Acked-by: Serge Hallyn 
Acked-by: Steve Grubb 
---
 fs/proc/base.c | 37 +
 include/linux/audit.h  | 24 
 include/uapi/linux/audit.h |  2 ++
 kernel/auditsc.c   | 68 ++
 4 files changed, 131 insertions(+)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index b657294..1b3cda1 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1260,6 +1260,41 @@ static ssize_t proc_sessionid_read(struct file * file, 
char __user * buf,
.read   = proc_sessionid_read,
.llseek = generic_file_llseek,
 };
+
+static ssize_t proc_contid_write(struct file *file, const char __user *buf,
+  size_t count, loff_t *ppos)
+{
+   struct inode *inode = file_inode(file);
+   u64 contid;
+   int rv;
+   struct task_struct *task = get_proc_task(inode);
+
+   if (!task)
+   return -ESRCH;
+   if (*ppos != 0) {
+   /* No partial writes. */
+   put_task_struct(task);
+   return -EINVAL;
+   }
+
+   rv = kstrtou64_from_user(buf, count, 10, &contid);
+   if (rv < 0) {
+   put_task_struct(task);
+   return rv;
+   }
+
+   rv = audit_set_contid(task, contid);
+   put_task_struct(task);
+   if (rv < 0)
+   return rv;
+   return count;
+}
+
+static const struct file_operations proc_contid_operations = {
+   .write  = proc_contid_write,
+   .llseek = generic_file_llseek,
+};
+
 #endif
 
 #ifdef CONFIG_FAULT_INJECTION
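Review bot: the errno values this write can return (-ESRCH, -EINVAL for a partial write or a bad number, plus whatever audit_set_contid() returns, including -ENOPROTOOPT when the task has no audit state) are not documented in the commit message, yet an orchestrator needs to tell "no capability" from "task already has children" to decide whether retrying makes sense; list them in the description, and reconsider -ENOPROTOOPT, a socket-option errno, for the audit-disabled case.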
@@ -2952,6 +2987,7 @@ static int proc_pid_patch_state(struct seq_file *m, 
struct pid_namespace *ns,
 #ifdef CONFIG_AUDITSYSCALL
REG("loginuid",   S_IWUSR|S_IRUGO, proc_loginuid_operations),
REG("sessionid",  S_IRUGO, proc_sessionid_operations),
+   REG("audit_containerid", S_IWUSR, proc_contid_operations),
 #endif
 #ifdef CONFIG_FAULT_INJECTION
REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
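Review bot: with mode S_IWUSR the DAC owner check runs before audit_set_contid() ever looks at CAP_AUDIT_CONTROL: /proc/PID entries are owned by the target's uid, so an orchestrator running under a different uid with CAP_AUDIT_CONTROL but without CAP_DAC_OVERRIDE cannot open the file at all. If that is intended, the commit message's single rule ("The writer must have capability CAP_AUDIT_CONTROL") should say so.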
@@ -3337,6 +3373,7 @@ static int proc_tid_comm_permission(struct inode *inode, 
int mask)
 #ifdef CONFIG_AUDITSYSCALL
REG("loginuid",  S_IWUSR|S_IRUGO, proc_loginuid_operations),
REG("sessionid",  S_IRUGO, proc_sessionid_operations),
+   REG("audit_containerid", S_IWUSR, proc_contid_operations),
 #endif
 #ifdef CONFIG_FAULT_INJECTION
REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
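Review bot: registering audit_containerid in the per-thread (tid) directory as well as the tgid directory conflicts with the thread_group_leader()/thread_group_empty() test in audit_set_contid(): a write through /proc/PID/task/TID/audit_containerid for any thread other than the leader always fails with -EALREADY, so either drop this entry or document that only the leader's entry is usable.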
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 8964332..71a6fc6 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -222,6 +222,7 @@ static inline void audit_log_task_info(struct audit_buffer 
*ab,
 struct audit_task_info {
kuid_t  loginuid;
unsigned intsessionid;
+   u64 contid;
struct audit_context*ctx;
 };
 extern struct audit_task_info init_struct_audit;
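Review bot: `u64 contid` is added to struct audit_task_info but nothing visible initialises it, and the unset value is all-ones (18446744073709551615 per the description), not zero; a zero-filled init_struct_audit or kmem_cache allocation would read as contid=0, a valid identifier, making audit_contid_set() true for every task. Initialise it to AUDIT_CID_UNSET (the name used in the v3 changelog) in init_struct_audit and make sure audit_alloc() copies the parent's value, since the description promises that a child inherits it.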
@@ -334,6 +335,7 @@ static inline void audit_ptrace(struct task_struct *t)
 extern int auditsc_get_stamp(struct audit_context *ctx,
  struct timespec64 *t, unsigned int *serial);
 extern int audit_set_loginuid(kuid_t loginuid);
+extern int audit_set_contid(struct task_struct *tsk, u64 contid);
 
 

[PATCH ghak90 (was ghak32) V4 00/10] audit: implement container identifier

2018-07-31 Thread Richard Guy Briggs
n lieu of abusing in_syscall for auditsc_get_stamp()
- read_lock(&tasklist_lock) around children and thread check
- task_lock(tsk) should be taken before first check of tsk->audit
- add spin lock to contid list in aunet
- restrict /proc read to CAP_AUDIT_CONTROL
- remove set again prohibition and inherited flag
- delete contidion spelling fix from patchset, send to netdev/linux-wireless

v3
- switched from containerid in task_struct to audit_task_info (depends on 
ghak81)
- drop INVALID_CID in favour of only AUDIT_CID_UNSET
- check for !audit_task_info, throw -ENOPROTOOPT on set
- changed -EPERM to -EEXIST for parent check
- return AUDIT_CID_UNSET if !audit_enabled
- squash child/thread check patch into AUDIT_CONTAINER_ID patch
- changed -EPERM to -EBUSY for child check
- separate child and thread checks, use -EALREADY for latter
- move addition of op= from ptrace/signal patch to AUDIT_CONTAINER patch
- fix && to || bashism in ptrace/signal patch
- uninline and export function for audit_free_context()
- drop CONFIG_CHANGE, FEATURE_CHANGE, ANOM_ABEND, ANOM_SECCOMP patches
- move audit_enabled check (xt_AUDIT)
- switched from containerid list in struct net to net_generic's struct audit_net
- move containerid list iteration into audit (xt_AUDIT)
- create function to move namespace switch into audit
- switched /proc/PID/ entry from containerid to audit_containerid
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_alloc_context()
- call kzalloc with GFP_ATOMIC on in_atomic() in audit_log_container_info()
- use xt_net(par) instead of sock_net(skb->sk) to get net
- switched record and field names: initial CONTAINER_ID, aux CONTAINER, field 
CONTID
- allow to set own contid
- open code audit_set_containerid
- add contid inherited flag
- ccontainerid and pcontainerid eliminated due to inherited flag
- change name of container list functions
- rename containerid to contid
- convert initial container record to syscall aux
- fix spelling mistake of contidion in net/rfkill/core.c to avoid contid name 
collision

v2
- add check for children and threads
- add network namespace container identifier list
- add NETFILTER_PKT audit container identifier logging
- patch description and documentation clean-up and example
- reap unused ppid

Richard Guy Briggs (10):
  audit: collect audit task parameters
  audit: add container id
  audit: log container info of syscalls
  audit: add containerid support for ptrace and signals
  audit: add support for non-syscall auxiliary records
  audit: add containerid support for tty_audit
  audit: add containerid filtering
  audit: add support for containerid to network namespaces
  audit: NETFILTER_PKT: record each container ID associated with a netNS
  debug audit: read container ID of a process

 drivers/tty/tty_audit.c|   5 +-
 fs/proc/base.c |  56 ++
 include/linux/audit.h  |  95 ---
 include/linux/sched.h  |   5 +-
 include/uapi/linux/audit.h |   8 +-
 init/init_task.c   |   3 +-
 init/main.c|   2 +
 kernel/audit.c | 137 +
 kernel/audit.h |   4 +
 kernel/auditfilter.c   |  47 
 kernel/auditsc.c   | 183 -
 kernel/fork.c  |   4 +-
 kernel/nsproxy.c   |   4 +
 net/netfilter/xt_AUDIT.c   |  12 ++-
 14 files changed, 526 insertions(+), 39 deletions(-)

-- 
1.8.3.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH ghak90 (was ghak32) V4 01/10] audit: collect audit task parameters

2018-07-31 Thread Richard Guy Briggs
The audit-related parameters in struct task_struct should ideally be
collected together and accessed through a standard audit API.

Collect the existing loginuid, sessionid and audit_context together in a
new struct audit_task_info called "audit" in struct task_struct.

Use kmem_cache to manage this pool of memory.
Un-inline audit_free() to be able to always recover that memory.

See: https://github.com/linux-audit/audit-kernel/issues/81

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h | 34 --
 include/linux/sched.h |  5 +
 init/init_task.c  |  3 +--
 init/main.c   |  2 ++
 kernel/auditsc.c  | 51 ++-
 kernel/fork.c |  4 +++-
 6 files changed, 73 insertions(+), 26 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9334fbe..8964332 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -219,8 +219,15 @@ static inline void audit_log_task_info(struct audit_buffer 
*ab,
 
 /* These are defined in auditsc.c */
/* Public API */
+struct audit_task_info {
+   kuid_t  loginuid;
+   unsigned intsessionid;
+   struct audit_context*ctx;
+};
+extern struct audit_task_info init_struct_audit;
+extern void __init audit_task_init(void);
 extern int  audit_alloc(struct task_struct *task);
-extern void __audit_free(struct task_struct *task);
+extern void audit_free(struct task_struct *task);
 extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long 
a1,
  unsigned long a2, unsigned long a3);
 extern void __audit_syscall_exit(int ret_success, long ret_value);
@@ -242,12 +249,15 @@ extern void audit_seccomp_actions_logged(const char 
*names,
 
 static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
 {
-   task->audit_context = ctx;
+   task->audit->ctx = ctx;
 }
 
 static inline struct audit_context *audit_context(void)
 {
-   return current->audit_context;
+   if (current->audit)
+   return current->audit->ctx;
+   else
+   return NULL;
 }
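Review bot: audit_set_context() dereferences task->audit unconditionally (`task->audit->ctx = ctx;`) while the neighbouring audit_context() guards with `if (current->audit)` before dereferencing; if a task can legitimately carry a NULL audit pointer, as the getter implies, the setter needs the same check, or a comment explaining why every caller is guaranteed a non-NULL task->audit.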
 
 static inline bool audit_dummy_context(void)
@@ -255,11 +265,7 @@ static inline bool audit_dummy_context(void)
void *p = audit_context();
return !p || *(int *)p;
 }
-static inline void audit_free(struct task_struct *task)
-{
-   if (unlikely(task->audit_context))
-   __audit_free(task);
-}
+
 static inline void audit_syscall_entry(int major, unsigned long a0,
   unsigned long a1, unsigned long a2,
   unsigned long a3)
@@ -331,12 +337,18 @@ extern int auditsc_get_stamp(struct audit_context *ctx,
 
 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 {
-   return tsk->loginuid;
+   if (tsk->audit)
+   return tsk->audit->loginuid;
+   else
+   return INVALID_UID;
 }
 
 static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
 {
-   return tsk->sessionid;
+   if (tsk->audit)
+   return tsk->audit->sessionid;
+   else
+   return AUDIT_SID_UNSET;
 }
 
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
@@ -461,6 +473,8 @@ static inline void audit_fanotify(unsigned int response)
 extern int audit_n_rules;
 extern int audit_signals;
 #else /* CONFIG_AUDITSYSCALL */
+static inline void __init audit_task_init(void)
+{ }
 static inline int audit_alloc(struct task_struct *task)
 {
return 0;
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 87bf02d..e117272 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -30,7 +30,6 @@
 #include 
 
 /* task_struct member predeclarations (sorted alphabetically): */
-struct audit_context;
 struct backing_dev_info;
 struct bio_list;
 struct blk_plug;
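Review bot: the predeclaration list drops `struct audit_context;` but gains no `struct audit_task_info;`, even though the next hunk adds a `struct audit_task_info *audit;` member to task_struct; add the new tag to the alphabetically sorted list so the member does not rely on an implicit forward declaration inside the struct definition.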
@@ -873,10 +872,8 @@ struct task_struct {
 
struct callback_head*task_works;
 
-   struct audit_context*audit_context;
 #ifdef CONFIG_AUDITSYSCALL
-   kuid_t  loginuid;
-   unsigned intsessionid;
+   struct audit_task_info  *audit;
 #endif
struct seccomp  seccomp;
 
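Review bot: the old `struct audit_context *audit_context;` member sat outside `#ifdef CONFIG_AUDITSYSCALL`, but its replacement `audit` pointer is inside it, so the !CONFIG_AUDITSYSCALL branch of include/linux/audit.h must define audit_context() and audit_set_context() without touching current->audit; please confirm those stubs exist, since the inline versions changed in this patch are only in the CONFIG_AUDITSYSCALL section.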
diff --git a/init/init_task.c b/init/init_task.c
index 74f60ba..4058840 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -119,8 +119,7 @@ struct task_struct init_task
.thread_group   = LIST_HEAD_INIT(init_task.thread_group),
.thread_node= LIST_HEAD_INIT(init_signals.thread_head),
 #ifdef CONFIG_AUDITSYSCALL
-   .loginuid   = INVALID_UID,
-   .sessionid  = AUDIT_SID_UNSET,
+   .audit  = &init_struct_audit,
 #endif
 #ifdef CONFIG_PERF_EVENTS
.perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex),
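Review bot: init_task now points at the static `init_struct_audit` rather than an object from the audit_task_info kmem_cache, so audit_free() must never hand that pointer to kmem_cache_free(); a guard such as `if (tsk->audit != &init_struct_audit)` before freeing, or a comment documenting that init_task never reaches audit_free(), would make the ownership explicit.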

[PATCH ghak90 (was ghak32) V4 04/10] audit: add containerid support for ptrace and signals

2018-07-31 Thread Richard Guy Briggs
Add audit container identifier support to ptrace and signals.  In
particular, the "op" field provides a way to label the auxiliary record
to which it is associated.

Signed-off-by: Richard Guy Briggs 
Acked-by: Serge Hallyn 
---
 include/linux/audit.h | 11 +--
 kernel/audit.c| 13 +++--
 kernel/audit.h|  2 ++
 kernel/auditsc.c  | 21 -
 4 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index d5a48dc..4f514ed 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -34,6 +34,7 @@ struct audit_sig_info {
uid_t   uid;
pid_t   pid;
charctx[0];
+   u64 cid;
 };
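Review bot: `u64 cid;` is added after the zero-length `char ctx[0];` member, but a zero-length array must be the last member of the struct: with this layout cid and the secctx bytes later copied into ctx share the same offset, so the `sig_data->cid = audit_sig_cid;` assignment in the kernel/audit.c hunk overwrites the start of the context string. Move cid above ctx[0]. Since this struct is copied to userspace by audit_send_reply(), the layout is effectively ABI and the change should be called out in the commit message.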
 
 struct audit_buffer;
@@ -155,9 +156,8 @@ extern void audit_log_key(struct audit_buffer 
*ab,
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab,
struct task_struct *tsk);
-extern int audit_log_contid(struct task_struct *tsk,
-   struct audit_context *context,
-   char *op);
+extern int audit_log_contid(struct audit_context *context,
+char *op, u64 contid);
 
 extern int audit_update_lsm_rules(void);
 
@@ -208,9 +208,8 @@ static inline int audit_log_task_context(struct 
audit_buffer *ab)
 static inline void audit_log_task_info(struct audit_buffer *ab,
   struct task_struct *tsk)
 { }
-static inline int audit_log_contid(struct task_struct *tsk,
-  struct audit_context *context,
-  char *op)
+static inline int audit_log_contid(struct audit_context *context,
+   char *op, u64 contid)
 { }
 #define audit_enabled AUDIT_OFF
 #endif /* CONFIG_AUDIT */
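Review bot: the !CONFIG_AUDIT stub `static inline int audit_log_contid(...) { }` is declared int but has no return statement (the pre-patch version had the same defect); make it `return 0;` so callers that check the result do not read an indeterminate value and the build stays warning-free.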
diff --git a/kernel/audit.c b/kernel/audit.c
index 15f54c7..fc9f026f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -139,6 +139,7 @@ struct audit_net {
 kuid_t audit_sig_uid = INVALID_UID;
 pid_t  audit_sig_pid = -1;
 u32audit_sig_sid = 0;
+u64audit_sig_cid = AUDIT_CID_UNSET;
 
 /* Records can be lost in several ways:
0) [suppressed in audit_alloc]
@@ -1434,6 +1435,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct 
nlmsghdr *nlh)
memcpy(sig_data->ctx, ctx, len);
security_release_secctx(ctx, len);
}
+   sig_data->cid = audit_sig_cid;
audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
 sig_data, sizeof(*sig_data) + len);
kfree(sig_data);
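Review bot: `sig_data->cid = audit_sig_cid;` runs after the memcpy into sig_data->ctx; with cid declared after ctx[0] in the include/linux/audit.h hunk the store lands on the copied context bytes. Fix the member order and set cid before the memcpy so the context string is not clobbered.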
@@ -2047,23 +2049,22 @@ void audit_log_session_info(struct audit_buffer *ab)
 
 /*
  * audit_log_contid - report container info
- * @tsk: task to be recorded
  * @context: task or local context for record
  * @op: contid string description
+ * @contid: container ID to report
  */
-int audit_log_contid(struct task_struct *tsk,
-struct audit_context *context, char *op)
+int audit_log_contid(struct audit_context *context,
+ char *op, u64 contid)
 {
struct audit_buffer *ab;
 
-   if (!audit_contid_set(tsk))
+   if (!audit_contid_valid(contid))
return 0;
/* Generate AUDIT_CONTAINER record with container ID */
ab = audit_log_start(context, GFP_KERNEL, AUDIT_CONTAINER);
if (!ab)
return -ENOMEM;
-   audit_log_format(ab, "op=%s contid=%llu",
-op, audit_get_contid(tsk));
+   audit_log_format(ab, "op=%s contid=%llu", op, contid);
audit_log_end(ab);
return 0;
 }
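Review bot: audit_log_contid() hard-codes GFP_KERNEL in audit_log_start(), but it now takes a caller-supplied context, and patch 05/10 in this series introduces audit_alloc_local() with explicit gfp flags precisely so local contexts can be created with GFP_ATOMIC; threading a gfp_t parameter through here keeps the two usable from the same contexts. The kernel-doc also lacks a Return: line for the 0 / -ENOMEM result.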
diff --git a/kernel/audit.h b/kernel/audit.h
index 214e149..1cf1c35 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -147,6 +147,7 @@ struct audit_context {
kuid_t  target_uid;
unsigned inttarget_sessionid;
u32 target_sid;
+   u64 target_cid;
chartarget_comm[TASK_COMM_LEN];
 
struct audit_tree_refs *trees, *first_trees;
@@ -329,6 +330,7 @@ extern void audit_log_d_path_exe(struct audit_buffer *ab,
 extern pid_t audit_sig_pid;
 extern kuid_t audit_sig_uid;
 extern u32 audit_sig_sid;
+extern u64 audit_sig_cid;
 
 extern int audit_filter(int msgtype, unsigned int listtype);
 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 39e5633..cdb24cf 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -113,6 +113,7 @@ struct audit_aux_data_pids {
kuid_t  target_uid[AUDIT_AUX_PIDS];
unsigned inttarget_sessionid[AUDIT_AUX_PIDS];
u32 target_sid[AUDIT_AUX_PIDS];
+   u64  

[PATCH ghak90 (was ghak32) V4 06/10] audit: add containerid support for tty_audit

2018-07-31 Thread Richard Guy Briggs
Add audit container identifier auxiliary record to tty logging rule
event standalone records.

Signed-off-by: Richard Guy Briggs 
Acked-by: Serge Hallyn 
---
 drivers/tty/tty_audit.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c
index 50f567b..3e21477 100644
--- a/drivers/tty/tty_audit.c
+++ b/drivers/tty/tty_audit.c
@@ -66,8 +66,9 @@ static void tty_audit_log(const char *description, dev_t dev,
uid_t uid = from_kuid(&init_user_ns, task_uid(tsk));
uid_t loginuid = from_kuid(&init_user_ns, audit_get_loginuid(tsk));
unsigned int sessionid = audit_get_sessionid(tsk);
+   struct audit_context *context = audit_alloc_local(GFP_KERNEL);
 
-   ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY);
+   ab = audit_log_start(context, GFP_KERNEL, AUDIT_TTY);
if (ab) {
char name[sizeof(tsk->comm)];
 
@@ -80,6 +81,8 @@ static void tty_audit_log(const char *description, dev_t dev,
audit_log_n_hex(ab, data, size);
audit_log_end(ab);
}
+   audit_log_contid(context, "tty", audit_get_contid(tsk));
+   audit_free_context(context);
 }
 
 /**
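Review bot: audit_log_contid() is called outside the `if (ab)` block, so when audit_log_start() fails the CONTAINER auxiliary record is still emitted with no TTY record to accompany it; moving the audit_log_contid() call inside the `if (ab)` branch, after audit_log_end(), keeps the pair consistent. audit_alloc_local() can also return NULL (allocation failure or audit never enabled); that is safe here only because audit_log_start() accepts a NULL context, which deserves a comment.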
-- 
1.8.3.1



[PATCH ghak90 (was ghak32) V4 09/10] audit: NETFILTER_PKT: record each container ID associated with a netNS

2018-07-31 Thread Richard Guy Briggs
Add audit container identifier auxiliary record(s) to NETFILTER_PKT
event standalone records.  Iterate through all potential audit container
identifiers associated with a network namespace.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h|  5 +
 kernel/audit.c   | 26 ++
 net/netfilter/xt_AUDIT.c | 12 ++--
 3 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9a02095..8755f4d 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -169,6 +169,8 @@ extern int audit_log_contid(struct audit_context *context,
 extern void audit_netns_contid_add(struct net *net, u64 contid);
 extern void audit_netns_contid_del(struct net *net, u64 contid);
 extern void audit_switch_task_namespaces(struct nsproxy *ns, struct 
task_struct *p);
+extern void audit_log_netns_contid_list(struct net *net,
+struct audit_context *context);
 
 extern int audit_update_lsm_rules(void);
 
@@ -228,6 +230,9 @@ static inline void audit_netns_contid_del(struct net *net, 
u64 contid)
 { }
 static inline void audit_switch_task_namespaces(struct nsproxy *ns, struct 
task_struct *p)
 { }
+static inline void audit_log_netns_contid_list(struct net *net,
+   struct audit_context *context)
+{ }
 
 #define audit_enabled AUDIT_OFF
 #endif /* CONFIG_AUDIT */
diff --git a/kernel/audit.c b/kernel/audit.c
index c5fed3b..b23711c 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -392,6 +392,32 @@ void audit_switch_task_namespaces(struct nsproxy *ns, 
struct task_struct *p)
audit_netns_contid_add(new->net_ns, contid);
 }
 
+void audit_log_netns_contid_list(struct net *net, struct audit_context 
*context)
+{
+   spinlock_t *lock = audit_get_netns_contid_list_lock(net);
+   struct audit_buffer *ab;
+   struct audit_contid *cont;
+   bool first = true;
+
+   /* Generate AUDIT_CONTAINER record with container ID CSV list */
+   ab = audit_log_start(context, GFP_ATOMIC, AUDIT_CONTAINER);
+   if (!ab) {
+   audit_log_lost("out of memory in audit_log_netns_contid_list");
+   return;
+   }
+   audit_log_format(ab, "contid=");
+   spin_lock(lock);
+   list_for_each_entry(cont, audit_get_netns_contid_list(net), list) {
+   if (!first)
+   audit_log_format(ab, ",");
+   audit_log_format(ab, "%llu", cont->id);
+   first = false;
+   }
+   spin_unlock(lock);
+   audit_log_end(ab);
+}
+EXPORT_SYMBOL(audit_log_netns_contid_list);
+
 void audit_panic(const char *message)
 {
switch (audit_failure) {
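Review bot: the contid list is taken with plain spin_lock() here, yet this function is called from xt_AUDIT's packet path (softirq context, see the net/netfilter/xt_AUDIT.c hunk below) while audit_netns_contid_add() in patch 08/10 takes the same lock from process context; unless the process-context side uses spin_lock_bh() (or both sides use the _irqsave variants) a softirq arriving while the lock is held deadlocks. Two smaller points: the record is emitted even when the list is empty, producing a bare `contid=` field, so check list_empty() before audit_log_start(); and this CSV form of AUDIT_CONTAINER differs from the `op=%s contid=%llu` form produced by audit_log_contid(), so userspace parsers have to expect both shapes.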
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index af883f1..44fac3f 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -71,10 +71,13 @@ static bool audit_ip6(struct audit_buffer *ab, struct 
sk_buff *skb)
 {
struct audit_buffer *ab;
int fam = -1;
+   struct audit_context *context;
+   struct net *net;
 
if (audit_enabled == AUDIT_OFF)
-   goto errout;
-   ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
+   goto out;
+   context = audit_alloc_local(GFP_ATOMIC);
+   ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
if (ab == NULL)
goto errout;
 
@@ -104,7 +107,12 @@ static bool audit_ip6(struct audit_buffer *ab, struct 
sk_buff *skb)
 
audit_log_end(ab);
 
+   net = xt_net(par);
+   audit_log_netns_contid_list(net, context);
+
 errout:
+   audit_free_context(context);
+out:
return XT_CONTINUE;
 }
 
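Review bot: the two labels now have different cleanup semantics, `errout` frees the context while `out` does not, which is correct because context is only allocated after the audit_enabled check, but a one-line comment at `out:` would spare the next reader from checking; the `net` local is assigned once and used once, so `audit_log_netns_contid_list(xt_net(par), context);` would read just as well.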
-- 
1.8.3.1



[PATCH ghak90 (was ghak32) V4 08/10] audit: add support for containerid to network namespaces

2018-07-31 Thread Richard Guy Briggs
Audit events could happen in a network namespace outside of a task
context due to packets received from the net that trigger an auditing
rule prior to being associated with a running task.  The network
namespace could be in use by multiple containers by association to the
tasks in that network namespace.  We still want a way to attribute
these events to any potential containers.  Keep a list per network
namespace to track these audit container identifiers.

Add/increment the audit container identifier on:
- initial setting of the audit container identifier via /proc
- clone/fork call that inherits an audit container identifier
- unshare call that inherits an audit container identifier
- setns call that inherits an audit container identifier
Delete/decrement the audit container identifier on:
- an inherited audit container identifier dropped when child set
- process exit
- unshare call that drops a net namespace
- setns call that drops a net namespace

See: https://github.com/linux-audit/audit-kernel/issues/92
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h | 17 ++
 kernel/audit.c| 86 +++
 kernel/auditsc.c  |  8 -
 kernel/nsproxy.c  |  4 +++
 4 files changed, 114 insertions(+), 1 deletion(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 5580c25..9a02095 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #define AUDIT_INO_UNSET ((unsigned long)-1)
 #define AUDIT_DEV_UNSET ((dev_t)-1)
@@ -87,6 +88,12 @@ struct audit_field {
u32 op;
 };
 
+struct audit_contid {
+   struct list_headlist;
+   u64 id;
+   refcount_t  refcount;
+};
+
 extern int is_audit_feature_set(int which);
 
 extern int __init audit_register_class(int class, unsigned *list);
@@ -159,6 +166,9 @@ extern void audit_log_task_info(struct audit_buffer *ab,
struct task_struct *tsk);
 extern int audit_log_contid(struct audit_context *context,
 char *op, u64 contid);
+extern void audit_netns_contid_add(struct net *net, u64 contid);
+extern void audit_netns_contid_del(struct net *net, u64 contid);
+extern void audit_switch_task_namespaces(struct nsproxy *ns, struct 
task_struct *p);
 
 extern int audit_update_lsm_rules(void);
 
@@ -212,6 +222,13 @@ static inline void audit_log_task_info(struct audit_buffer 
*ab,
 static inline int audit_log_contid(struct audit_context *context,
char *op, u64 contid)
 { }
+static inline void audit_netns_contid_add(struct net *net, u64 contid)
+{ }
+static inline void audit_netns_contid_del(struct net *net, u64 contid)
+{ }
+static inline void audit_switch_task_namespaces(struct nsproxy *ns, struct 
task_struct *p)
+{ }
+
 #define audit_enabled AUDIT_OFF
 #endif /* CONFIG_AUDIT */
 
diff --git a/kernel/audit.c b/kernel/audit.c
index fc9f026f..c5fed3b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -100,9 +100,13 @@
 /**
  * struct audit_net - audit private network namespace data
  * @sk: communication socket
+ * @contid_list: audit container identifier list
+ * @contid_list_lock audit container identifier list lock
  */
 struct audit_net {
struct sock *sk;
+   struct list_head contid_list;
+   spinlock_t contid_list_lock;
 };
 
 /**
@@ -308,6 +312,86 @@ static struct sock *audit_get_sk(const struct net *net)
return aunet->sk;
 }
 
+/**
+ * audit_get_netns_contid_list - Return the audit container ID list for the 
given network namespace
+ * @net: the destination network namespace
+ *
+ * Description:
+ * Returns the list pointer if valid, NULL otherwise.  The caller must ensure
+ * that a reference is held for the network namespace while the sock is in use.
+ */
+struct list_head *audit_get_netns_contid_list(const struct net *net)
+{
+   struct audit_net *aunet = net_generic(net, audit_net_id);
+
+   return &aunet->contid_list;
+}
+
+spinlock_t *audit_get_netns_contid_list_lock(const struct net *net)
+{
+   struct audit_net *aunet = net_generic(net, audit_net_id);
+
+   return &aunet->contid_list_lock;
+}
+
+void audit_netns_contid_add(struct net *net, u64 contid)
+{
+   spinlock_t *lock = audit_get_netns_contid_list_lock(net);
+   struct list_head *contid_list = audit_get_netns_contid_list(net);
+   struct audit_contid *cont;
+
+   if (!audit_contid_valid(contid))
+   return;
+   spin_lock(lock);
+   if (!list_empty(contid_list))
+   list_for_each_entry(cont, contid_list, list)
+   if (cont->id == contid) {
+   refcount
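Review bot: the kernel-doc for audit_get_netns_contid_list() says "Returns the list pointer if valid, NULL otherwise" and "while the sock is in use", but the function unconditionally returns &aunet->contid_list and has nothing to do with the sock; the text was carried over from audit_get_sk() and should describe the list and the net reference the caller must hold. In audit_netns_contid_add(), the `if (!list_empty(contid_list))` guard is redundant because list_for_each_entry() on an empty list runs zero iterations, and the plain spin_lock() should become spin_lock_bh() since patch 09/10 reads this list under the same lock from the netfilter softirq path.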

[PATCH ghak90 (was ghak32) V4 07/10] audit: add containerid filtering

2018-07-31 Thread Richard Guy Briggs
Implement audit container identifier filtering using the AUDIT_CONTID
field name to send an 8-character string representing a u64 since the
value field is only u32.

Sending it as two u32 was considered, but gathering and comparing two
fields was more complex.

The feature indicator is AUDIT_FEATURE_BITMAP_CONTAINERID.

See: https://github.com/linux-audit/audit-kernel/issues/91
See: https://github.com/linux-audit/audit-userspace/issues/40
See: https://github.com/linux-audit/audit-testsuite/issues/64
See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID
Signed-off-by: Richard Guy Briggs 
Acked-by: Serge Hallyn 
---
 include/linux/audit.h  |  1 +
 include/uapi/linux/audit.h |  5 -
 kernel/audit.h |  1 +
 kernel/auditfilter.c   | 47 ++
 kernel/auditsc.c   |  3 +++
 5 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 1f340ad..5580c25 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -76,6 +76,7 @@ struct audit_field {
u32 type;
union {
u32 val;
+   u64 val64;
kuid_t  uid;
kgid_t  gid;
struct {
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index dc259c7..8bd2498 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -264,6 +264,7 @@
 #define AUDIT_LOGINUID_SET 24
 #define AUDIT_SESSIONID25  /* Session ID */
 #define AUDIT_FSTYPE   26  /* FileSystem Type */
+#define AUDIT_CONTID   27  /* Container ID */
 
/* These are ONLY useful when checking
 * at syscall exit time (AUDIT_AT_EXIT). */
@@ -344,6 +345,7 @@ enum {
 #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER  0x0010
 #define AUDIT_FEATURE_BITMAP_LOST_RESET0x0020
 #define AUDIT_FEATURE_BITMAP_FILTER_FS 0x0040
+#define AUDIT_FEATURE_BITMAP_CONTAINERID   0x0080
 
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
@@ -351,7 +353,8 @@ enum {
  AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND | \
  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER | \
  AUDIT_FEATURE_BITMAP_LOST_RESET | \
- AUDIT_FEATURE_BITMAP_FILTER_FS)
+ AUDIT_FEATURE_BITMAP_FILTER_FS | \
+ AUDIT_FEATURE_BITMAP_CONTAINERID)
 
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST   AUDIT_FEATURE_BITMAP_ALL
diff --git a/kernel/audit.h b/kernel/audit.h
index a6d00a5..7feaa1f 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -236,6 +236,7 @@ static inline int audit_hash_ino(u32 ino)
 
 extern int audit_match_class(int class, unsigned syscall);
 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
+extern int audit_comparator64(const u64 left, const u32 op, const u64 right);
 extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
 extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
 extern int parent_len(const char *path);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index bf309f2..31a6733 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -410,6 +410,7 @@ static int audit_field_valid(struct audit_entry *entry, 
struct audit_field *f)
/* FALL THROUGH */
case AUDIT_ARCH:
case AUDIT_FSTYPE:
+   case AUDIT_CONTID:
if (f->op != Audit_not_equal && f->op != Audit_equal)
return -EINVAL;
break;
@@ -582,6 +583,14 @@ static struct audit_entry *audit_data_to_entry(struct 
audit_rule_data *data,
}
entry->rule.exe = audit_mark;
break;
+   case AUDIT_CONTID:
+   if (f->val != sizeof(u64))
+   goto exit_free;
+   str = audit_unpack_string(&bufp, &remain, f->val);
+   if (IS_ERR(str))
+   goto exit_free;
+   f->val64 = ((u64 *)str)[0];
+   break;
}
}
 
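Review bot: in the AUDIT_CONTID case the buffer returned by audit_unpack_string() is read with `f->val64 = ((u64 *)str)[0];` and then dropped; nothing frees it, so every CONTID rule leaks that allocation. Either kfree(str) after the copy or memcpy() the eight bytes straight out of the packed buffer into f->val64, which also avoids dereferencing a char buffer as an aligned u64.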
@@ -664,6 +673,11 @@ static struct audit_rule_data *audit_krule_to_data(struct 
audit_krule *krule)
data->buflen += data->values[i] =
audit_pack_string(&bufp, 
audit_mark_path(krule->exe));
break;
+   case AUDIT_CONTID:
+   data->buflen += data->values[i] = sizeof(u64);
+

[PATCH ghak90 (was ghak32) V4 10/10] debug audit: read container ID of a process

2018-07-31 Thread Richard Guy Briggs
Add support for reading the audit container identifier from the proc
filesystem.

This is a read from the proc entry of the form
/proc/PID/audit_containerid where PID is the process ID of the task
whose audit container identifier is sought.

The read expects up to a u64 value (unset: 18446744073709551615).

This read requires CAP_AUDIT_CONTROL.

Signed-off-by: Richard Guy Briggs 
Acked-by: Serge Hallyn 
---
 fs/proc/base.c | 23 +--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 1b3cda1..95fc64a 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1261,6 +1261,24 @@ static ssize_t proc_sessionid_read(struct file * file, 
char __user * buf,
.llseek = generic_file_llseek,
 };
 
+static ssize_t proc_contid_read(struct file *file, char __user *buf,
+ size_t count, loff_t *ppos)
+{
+   struct inode *inode = file_inode(file);
+   struct task_struct *task = get_proc_task(inode);
+   ssize_t length;
+   char tmpbuf[TMPBUFLEN*2];
+
+   if (!task)
+   return -ESRCH;
+   /* if we don't have caps, reject */
+   if (!capable(CAP_AUDIT_CONTROL))
+   return -EPERM;
+   length = scnprintf(tmpbuf, TMPBUFLEN*2, "%llu", audit_get_contid(task));
+   put_task_struct(task);
+   return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
+}
+
 static ssize_t proc_contid_write(struct file *file, const char __user *buf,
   size_t count, loff_t *ppos)
 {
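Review bot: proc_contid_read() returns -EPERM from the capable() check after get_proc_task() succeeded but before put_task_struct(), leaking a task reference on every unprivileged read; perform the capability check before get_proc_task(), or route that failure through a put_task_struct() path. A comment that the read is gated by the reader's CAP_AUDIT_CONTROL rather than by any relation to the target task would also help, since the S_IRUSR mode on the entry only restricts by the proc inode's owner.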
@@ -1291,6 +1309,7 @@ static ssize_t proc_contid_write(struct file *file, const 
char __user *buf,
 }
 
 static const struct file_operations proc_contid_operations = {
+   .read   = proc_contid_read,
.write  = proc_contid_write,
.llseek = generic_file_llseek,
 };
@@ -2987,7 +3006,7 @@ static int proc_pid_patch_state(struct seq_file *m, 
struct pid_namespace *ns,
 #ifdef CONFIG_AUDITSYSCALL
REG("loginuid",   S_IWUSR|S_IRUGO, proc_loginuid_operations),
REG("sessionid",  S_IRUGO, proc_sessionid_operations),
-   REG("audit_containerid", S_IWUSR, proc_contid_operations),
+   REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
 #endif
 #ifdef CONFIG_FAULT_INJECTION
REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
@@ -3373,7 +3392,7 @@ static int proc_tid_comm_permission(struct inode *inode, 
int mask)
 #ifdef CONFIG_AUDITSYSCALL
REG("loginuid",  S_IWUSR|S_IRUGO, proc_loginuid_operations),
REG("sessionid",  S_IRUGO, proc_sessionid_operations),
-   REG("audit_containerid", S_IWUSR, proc_contid_operations),
+   REG("audit_containerid", S_IWUSR|S_IRUSR, proc_contid_operations),
 #endif
 #ifdef CONFIG_FAULT_INJECTION
REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
-- 
1.8.3.1



[PATCH ghak90 (was ghak32) V4 05/10] audit: add support for non-syscall auxiliary records

2018-07-31 Thread Richard Guy Briggs
Standalone audit records have the timestamp and serial number generated
on the fly and as such are unique, making them standalone.  This new
function audit_alloc_local() generates a local audit context that will
be used only for a standalone record and its auxiliary record(s).  The
context is discarded immediately after the local associated records are
produced.

Signed-off-by: Richard Guy Briggs 
Acked-by: Serge Hallyn 
---
 include/linux/audit.h |  8 
 kernel/audit.h|  1 +
 kernel/auditsc.c  | 33 -
 3 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 4f514ed..1f340ad 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -234,7 +234,9 @@ struct audit_task_info {
 extern struct audit_task_info init_struct_audit;
 extern void __init audit_task_init(void);
 extern int  audit_alloc(struct task_struct *task);
+extern struct audit_context *audit_alloc_local(gfp_t gfpflags);
 extern void audit_free(struct task_struct *task);
+extern void audit_free_context(struct audit_context *context);
 extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long 
a1,
  unsigned long a2, unsigned long a3);
 extern void __audit_syscall_exit(int ret_success, long ret_value);
@@ -495,6 +497,12 @@ static inline int audit_alloc(struct task_struct *task)
 {
return 0;
 }
+static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
+{
+   return NULL;
+}
+static inline void audit_free_context(struct audit_context *context)
+{ }
 static inline void audit_free(struct task_struct *task)
 { }
 static inline void audit_syscall_entry(int major, unsigned long a0,
diff --git a/kernel/audit.h b/kernel/audit.h
index 1cf1c35..a6d00a5 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -110,6 +110,7 @@ struct audit_proctitle {
 struct audit_context {
int dummy;  /* must be the first element */
int in_syscall; /* 1 if task is in a syscall */
+   boollocal;  /* local context needed */
enum audit_statestate, current_state;
unsigned intserial; /* serial number for record */
int major;  /* syscall number */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index cdb24cf..7627f21 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -913,11 +913,13 @@ static inline void audit_free_aux(struct audit_context 
*context)
}
 }
 
-static inline struct audit_context *audit_alloc_context(enum audit_state state)
+static inline struct audit_context *audit_alloc_context(enum audit_state state,
+   gfp_t gfpflags)
 {
struct audit_context *context;
 
-   context = kzalloc(sizeof(*context), GFP_KERNEL);
+   /* We can be called in atomic context via audit_tg() */
+   context = kzalloc(sizeof(*context), gfpflags);
if (!context)
return NULL;
context->state = state;
@@ -970,7 +972,8 @@ int audit_alloc(struct task_struct *tsk)
return 0;
}
 
-   if (!(context = audit_alloc_context(state))) {
+   context = audit_alloc_context(state, GFP_KERNEL);
+   if (!(context)) {
tsk->audit = NULL;
kmem_cache_free(audit_task_cache, info);
kfree(key);
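Review bot: `if (!(context))` keeps a redundant inner pair of parentheses left over from the old combined assignment; `if (!context)` is the kernel style.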
@@ -991,8 +994,27 @@ struct audit_task_info init_struct_audit = {
.ctx = NULL,
 };
 
-static inline void audit_free_context(struct audit_context *context)
+struct audit_context *audit_alloc_local(gfp_t gfpflags)
 {
+   struct audit_context *context;
+
+   if (!audit_ever_enabled)
+   return NULL; /* Return if not auditing. */
+
+   context = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags);
+   if (!context)
+   return NULL;
+   context->serial = audit_serial();
+   context->ctime = current_kernel_time64();
+   context->local = true;
+   return context;
+}
+EXPORT_SYMBOL(audit_alloc_local);
+
+void audit_free_context(struct audit_context *context)
+{
+   if (!context)
+   return;
audit_free_names(context);
unroll_tree_refs(context, NULL, 0);
free_tree_refs(context);
@@ -1002,6 +1024,7 @@ static inline void audit_free_context(struct 
audit_context *context)
audit_proctitle_free(context);
kfree(context);
 }
+EXPORT_SYMBOL(audit_free_context);
 
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 kuid_t auid, kuid_t uid, unsigned int 
sessionid,
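Review bot: audit_alloc_local() assigns serial and ctime itself so that a local context carries a timestamp before any record is started, and the final hunk teaches auditsc_get_stamp() to honour `ctx->local` for that reason; a short comment here tying the two together would help. Both new exports use EXPORT_SYMBOL; if the intended consumers are only in-tree (tty_audit.c and xt_AUDIT.c later in this series), EXPORT_SYMBOL_GPL is the usual choice for audit internals.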
@@ -2024,7 +2047,7 @@ void __audit_inode_child(struct inode *parent,
 int auditsc_get_stamp(struct audit_context *ctx,
   struct timespec64 *t, unsigned int *serial)
 {
-   if (!ctx->in_syscall)
+   if (!ctx->in_syscall && !ctx->local)

[PATCH ghak81 V3 1/3] audit: use new audit_context access function for seccomp_actions_logged

2018-05-16 Thread Richard Guy Briggs
On the rebase of the following commit on the new seccomp actions_logged
function, one audit_context access was missed.

commit cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5
("audit: use inline function to get audit context")

Signed-off-by: Richard Guy Briggs 
---
 kernel/auditsc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index cbab0da..f3d3dc6 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2497,7 +2497,7 @@ void audit_seccomp_actions_logged(const char *names, 
const char *old_names,
if (!audit_enabled)
return;
 
-   ab = audit_log_start(current->audit_context, GFP_KERNEL,
+   ab = audit_log_start(audit_context(), GFP_KERNEL,
 AUDIT_CONFIG_CHANGE);
if (unlikely(!ab))
return;
-- 
1.8.3.1



[PATCH ghak81 V3 2/3] audit: normalize loginuid read access

2018-05-16 Thread Richard Guy Briggs
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.

Signed-off-by: Richard Guy Briggs 
---
 kernel/auditsc.c | 24 +++-
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f3d3dc6..ef3e189 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -374,7 +374,7 @@ static int audit_field_compare(struct task_struct *tsk,
case AUDIT_COMPARE_EGID_TO_OBJ_GID:
return audit_compare_gid(cred->egid, name, f, ctx);
case AUDIT_COMPARE_AUID_TO_OBJ_UID:
-   return audit_compare_uid(tsk->loginuid, name, f, ctx);
+   return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
case AUDIT_COMPARE_SUID_TO_OBJ_UID:
return audit_compare_uid(cred->suid, name, f, ctx);
case AUDIT_COMPARE_SGID_TO_OBJ_GID:
@@ -385,7 +385,8 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_compare_gid(cred->fsgid, name, f, ctx);
/* uid comparisons */
case AUDIT_COMPARE_UID_TO_AUID:
-   return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
+   return audit_uid_comparator(cred->uid, f->op,
+   audit_get_loginuid(tsk));
case AUDIT_COMPARE_UID_TO_EUID:
return audit_uid_comparator(cred->uid, f->op, cred->euid);
case AUDIT_COMPARE_UID_TO_SUID:
@@ -394,11 +395,14 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
/* auid comparisons */
case AUDIT_COMPARE_AUID_TO_EUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
+   cred->euid);
case AUDIT_COMPARE_AUID_TO_SUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
+   cred->suid);
case AUDIT_COMPARE_AUID_TO_FSUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op,
+   cred->fsuid);
/* euid comparisons */
case AUDIT_COMPARE_EUID_TO_SUID:
return audit_uid_comparator(cred->euid, f->op, cred->suid);
@@ -611,7 +615,8 @@ static int audit_filter_rules(struct task_struct *tsk,
result = match_tree_refs(ctx, rule->tree);
break;
case AUDIT_LOGINUID:
-   result = audit_uid_comparator(tsk->loginuid, f->op, 
f->uid);
+   result = audit_uid_comparator(audit_get_loginuid(tsk),
+ f->op, f->uid);
break;
case AUDIT_LOGINUID_SET:
result = audit_comparator(audit_loginuid_set(tsk), 
f->op, f->val);
@@ -2278,14 +2283,15 @@ int audit_signal_info(int sig, struct task_struct *t)
 {
struct audit_aux_data_pids *axp;
struct audit_context *ctx = audit_context();
-   kuid_t uid = current_uid(), t_uid = task_uid(t);
+   kuid_t uid = current_uid(), auid, t_uid = task_uid(t);
 
if (auditd_test_task(t) &&
(sig == SIGTERM || sig == SIGHUP ||
 sig == SIGUSR1 || sig == SIGUSR2)) {
audit_sig_pid = task_tgid_nr(current);
-   if (uid_valid(current->loginuid))
-   audit_sig_uid = current->loginuid;
+   auid = audit_get_loginuid(current);
+   if (uid_valid(auid))
+   audit_sig_uid = auid;
else
audit_sig_uid = uid;
security_task_getsecid(current, &audit_sig_sid);
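Review bot: good that `auid` is now read once and assigned outside the condition (the v2 version did the assignment inside `if (uid_valid(...))`); the one readability nit is `kuid_t uid = current_uid(), auid, t_uid = task_uid(t);`, where the uninitialised `auid` sits between two initialised declarators and is easy to miss. Give it its own declaration line.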
-- 
1.8.3.1



[PATCH ghak81 V3 3/3] audit: collect audit task parameters

2018-05-16 Thread Richard Guy Briggs
The audit-related parameters in struct task_struct should ideally be
collected together and accessed through a standard audit API.

Collect the existing loginuid, sessionid and audit_context together in a
new struct audit_task_info called "audit" in struct task_struct.

Use kmem_cache to manage this pool of memory.
Un-inline audit_free() to be able to always recover that memory.

See: https://github.com/linux-audit/audit-kernel/issues/81

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h | 34 --
 include/linux/sched.h |  5 +
 init/init_task.c  |  3 +--
 init/main.c   |  2 ++
 kernel/auditsc.c  | 51 ++-
 kernel/fork.c |  2 +-
 6 files changed, 71 insertions(+), 26 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 69c7847..4f824c4 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -216,8 +216,15 @@ static inline void audit_log_task_info(struct audit_buffer 
*ab,
 
 /* These are defined in auditsc.c */
/* Public API */
+struct audit_task_info {
+   kuid_t  loginuid;
+   unsigned intsessionid;
+   struct audit_context*ctx;
+};
+extern struct audit_task_info init_struct_audit;
+extern void __init audit_task_init(void);
 extern int  audit_alloc(struct task_struct *task);
-extern void __audit_free(struct task_struct *task);
+extern void audit_free(struct task_struct *task);
 extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long 
a1,
  unsigned long a2, unsigned long a3);
 extern void __audit_syscall_exit(int ret_success, long ret_value);
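Review bot: `struct audit_task_info` is defined here in the public section of audit.h rather than in the separate header the RFC used, which is fine, but its layout then stays visible to every includer through the inline accessors below, so the "mostly hide any future changes" benefit the cover letter attributes to dynamic allocation reduces to keeping task_struct's size stable. If that is the intent, say so in the commit message; if the body is meant to be private, move it into kernel/audit.h and make the accessors out of line. Also worth a line of documentation above the struct saying that `ctx` may be NULL while the struct itself is always allocated.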
@@ -239,12 +246,15 @@ extern void audit_seccomp_actions_logged(const char 
*names,
 
 static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
 {
-   task->audit_context = ctx;
+   task->audit->ctx = ctx;
 }
 
 static inline struct audit_context *audit_context(void)
 {
-   return current->audit_context;
+   if (current->audit)
+   return current->audit->ctx;
+   else
+   return NULL;
 }
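Review bot: the setter and the getter disagree about whether `audit` can be NULL: audit_context() checks `current->audit` before dereferencing it, but `+ task->audit->ctx = ctx;` in audit_set_context() does not. Either a live task always has audit info (then the NULL branch in audit_context() is dead code and should go) or the setter needs the same guard. Style nit: the `else` after a `return` is redundant; `return current->audit ? current->audit->ctx : NULL;` is the usual form.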
 
 static inline bool audit_dummy_context(void)
@@ -252,11 +262,7 @@ static inline bool audit_dummy_context(void)
void *p = audit_context();
return !p || *(int *)p;
 }
-static inline void audit_free(struct task_struct *task)
-{
-   if (unlikely(task->audit_context))
-   __audit_free(task);
-}
+
 static inline void audit_syscall_entry(int major, unsigned long a0,
   unsigned long a1, unsigned long a2,
   unsigned long a3)
@@ -328,12 +334,18 @@ extern int auditsc_get_stamp(struct audit_context *ctx,
 
 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 {
-   return tsk->loginuid;
+   if (tsk->audit)
+   return tsk->audit->loginuid;
+   else
+   return INVALID_UID;
 }
 
 static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
 {
-   return tsk->sessionid;
+   if (tsk->audit)
+   return tsk->audit->sessionid;
+   else
+   return AUDIT_SID_UNSET;
 }
 
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
@@ -458,6 +470,8 @@ static inline void audit_fanotify(unsigned int response)
 extern int audit_n_rules;
 extern int audit_signals;
 #else /* CONFIG_AUDITSYSCALL */
+static inline void __init audit_task_init(void)
+{ }
 static inline int audit_alloc(struct task_struct *task)
 {
return 0;
diff --git a/include/linux/sched.h b/include/linux/sched.h
index b3d697f..6a5db0e 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -29,7 +29,6 @@
 #include 
 
 /* task_struct member predeclarations (sorted alphabetically): */
-struct audit_context;
 struct backing_dev_info;
 struct bio_list;
 struct blk_plug;
@@ -832,10 +831,8 @@ struct task_struct {
 
struct callback_head*task_works;
 
-   struct audit_context*audit_context;
 #ifdef CONFIG_AUDITSYSCALL
-   kuid_t  loginuid;
-   unsigned intsessionid;
+   struct audit_task_info  *audit;
 #endif
struct seccomp  seccomp;
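Review bot: `struct audit_context;` is dropped from the sorted predeclaration list in the previous hunk but no `struct audit_task_info;` is added in its place, so `+ struct audit_task_info *audit;` relies on the tag being implicitly declared at its first use inside task_struct. That compiles, but the list exists so that sched.h does not depend on include order; add `struct audit_task_info;` to it in alphabetical position.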
 
diff --git a/init/init_task.c b/init/init_task.c
index 74f60ba..4058840 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -119,8 +119,7 @@ struct task_struct init_task
.thread_group   = LIST_HEAD_INIT(init_task.thread_group),
.thread_node= LIST_HEAD_INIT(init_signals.thread_head),
 #ifdef CONFIG_AUDITSYSCALL
-   .loginuid   = INVALID_UID,
-   .sessionid  = AUDIT_SID_UNSET,
+   .audit  = &init_struct_audit,
 #endif
 #ifdef CONFIG_PERF_EVENTS
.perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex),
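Review bot: `.loginuid = INVALID_UID` and `.sessionid = AUDIT_SID_UNSET` are dropped in favour of `.audit = &init_struct_audit`, so those two values now have to be carried by the definition of init_struct_audit, which lives in kernel/auditsc.c and is not shown here (the diff is cut off after this file). Make sure it is initialised to exactly those values and not zero-filled: a zero kuid_t is root and a zero sessionid is a real session, so init and every early kthread would otherwise look like a logged-in root session. Also, init_struct_audit is static while audit_alloc() hands out kmem_cache objects, so audit_free() has to avoid returning init's struct to the cache.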

[PATCH ghak81 V3 0/3] audit: group task params

2018-05-16 Thread Richard Guy Briggs
Group the audit parameters for each task into one structure.
In particular, remove the loginuid and sessionid values and the audit
context pointer from the task structure, replacing them with an audit
task information structure to contain them.  Use access functions to
access audit values.

Use dynamic allocation of the audit task information structure employing
kmem_cache.  Static allocation has the limitation that future audit task
information structure changes would cause a visible change to the rest
of the kernel, whereas dynamic allocation would mostly hide any future
changes.

Passes audit-testsuite.

Changelog:
v3
- drop patches 2, 3, 4 already merged.
- fix for previous v2 patch 3 (seccomp get audit_context)
- dynamic audit_task_info allocation from kmem_cache
- fix assignment in if statement v2 patch 1 (normalize loginuid read)
- fix a number of merge conflicts/checkpatch
v2
- p2/5: add audit header to init/init_task.c to quiet kbuildbot
- audit_signal_info(): fetch loginuid once
- remove task_struct from audit_context() param list
- remove extra task_struct local vars
- do nothing on request to set audit context when audit is disabled

Richard Guy Briggs (3):
  audit: use new audit_context access function for
seccomp_actions_logged
  audit: normalize loginuid read access
  audit: collect audit task parameters

 include/linux/audit.h | 34 ---
 include/linux/sched.h |  5 +---
 init/init_task.c  |  3 +-
 init/main.c   |  2 ++
 kernel/auditsc.c  | 77 ++-
 kernel/fork.c |  2 +-
 6 files changed, 87 insertions(+), 36 deletions(-)

-- 
1.8.3.1



Re: [PATCH ghak81 RFC V2 3/5] audit: use inline function to get audit context

2018-05-14 Thread Richard Guy Briggs
On 2018-05-14 23:05, Richard Guy Briggs wrote:
> On 2018-05-14 17:44, Paul Moore wrote:
> > On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs  wrote:
> > > Recognizing that the audit context is an internal audit value, use an
> > > access function to retrieve the audit context pointer for the task
> > > rather than reaching directly into the task struct to get it.
> > >
> > > Signed-off-by: Richard Guy Briggs 
> > > ---
> > >  include/linux/audit.h| 14 ++--
> > >  include/net/xfrm.h   |  2 +-
> > >  kernel/audit.c   |  6 ++--
> > >  kernel/audit_watch.c |  2 +-
> > >  kernel/auditsc.c | 64 
> > > +---
> > >  net/bridge/netfilter/ebtables.c  |  2 +-
> > >  net/core/dev.c   |  2 +-
> > >  net/netfilter/x_tables.c |  2 +-
> > >  net/netlabel/netlabel_user.c |  2 +-
> > >  security/integrity/ima/ima_api.c |  2 +-
> > >  security/integrity/integrity_audit.c |  2 +-
> > >  security/lsm_audit.c |  2 +-
> > >  security/selinux/hooks.c |  4 +--
> > >  security/selinux/selinuxfs.c |  6 ++--
> > >  security/selinux/ss/services.c   | 12 +++
> > >  15 files changed, 64 insertions(+), 60 deletions(-)
> > 
> > Merged, but there was some fuzz due to the missing 1/5 patch and a
> > handful of checkpatch.pl fixes.  Please take a look at the commit in
> > the audit/next branch and if anything looks awry please send a patch
> > to fix it.
> 
> Some of that fuzz was due to the two patches (ghak46/47) that went
> through the selinux tree...  There will be a merge conflict.
> 
> Otherwise, looks ok.

Spoke too soon, missed one from the new seccomp actions_logged...

Patch pending...

> > paul moore
> 
> - RGB

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


Re: [PATCH ghak81 RFC V2 3/5] audit: use inline function to get audit context

2018-05-14 Thread Richard Guy Briggs
On 2018-05-14 17:44, Paul Moore wrote:
> On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs  wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to retrieve the audit context pointer for the task
> > rather than reaching directly into the task struct to get it.
> >
> > Signed-off-by: Richard Guy Briggs 
> > ---
> >  include/linux/audit.h| 14 ++--
> >  include/net/xfrm.h   |  2 +-
> >  kernel/audit.c   |  6 ++--
> >  kernel/audit_watch.c |  2 +-
> >  kernel/auditsc.c | 64 
> > +---
> >  net/bridge/netfilter/ebtables.c  |  2 +-
> >  net/core/dev.c   |  2 +-
> >  net/netfilter/x_tables.c |  2 +-
> >  net/netlabel/netlabel_user.c |  2 +-
> >  security/integrity/ima/ima_api.c |  2 +-
> >  security/integrity/integrity_audit.c |  2 +-
> >  security/lsm_audit.c |  2 +-
> >  security/selinux/hooks.c |  4 +--
> >  security/selinux/selinuxfs.c |  6 ++--
> >  security/selinux/ss/services.c   | 12 +++
> >  15 files changed, 64 insertions(+), 60 deletions(-)
> 
> Merged, but there was some fuzz due to the missing 1/5 patch and a
> handful of checkpatch.pl fixes.  Please take a look at the commit in
> the audit/next branch and if anything looks awry please send a patch
> to fix it.

Some of that fuzz was due to the two patches (ghak46/47) that went
through the selinux tree...  There will be a merge conflict.

Otherwise, looks ok.

> paul moore

- RGB



[PATCH ghak81 RFC V2 1/5] audit: normalize loginuid read access

2018-05-12 Thread Richard Guy Briggs
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.

Signed-off-by: Richard Guy Briggs 
---
 kernel/auditsc.c | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 479c031..0d4e269 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -374,7 +374,7 @@ static int audit_field_compare(struct task_struct *tsk,
case AUDIT_COMPARE_EGID_TO_OBJ_GID:
return audit_compare_gid(cred->egid, name, f, ctx);
case AUDIT_COMPARE_AUID_TO_OBJ_UID:
-   return audit_compare_uid(tsk->loginuid, name, f, ctx);
+   return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
case AUDIT_COMPARE_SUID_TO_OBJ_UID:
return audit_compare_uid(cred->suid, name, f, ctx);
case AUDIT_COMPARE_SGID_TO_OBJ_GID:
@@ -385,7 +385,7 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_compare_gid(cred->fsgid, name, f, ctx);
/* uid comparisons */
case AUDIT_COMPARE_UID_TO_AUID:
-   return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
+   return audit_uid_comparator(cred->uid, f->op, 
audit_get_loginuid(tsk));
case AUDIT_COMPARE_UID_TO_EUID:
return audit_uid_comparator(cred->uid, f->op, cred->euid);
case AUDIT_COMPARE_UID_TO_SUID:
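Review bot: `return audit_uid_comparator(cred->uid, f->op, audit_get_loginuid(tsk));` runs past 80 columns once the two leading tabs are counted, and checkpatch will warn about it; wrap after `f->op,` with the continuation aligned to the opening parenthesis. The same applies to the three AUDIT_COMPARE_AUID_TO_* conversions in the next hunk and the AUDIT_LOGINUID case further down.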
@@ -394,11 +394,11 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
/* auid comparisons */
case AUDIT_COMPARE_AUID_TO_EUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
cred->euid);
case AUDIT_COMPARE_AUID_TO_SUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
cred->suid);
case AUDIT_COMPARE_AUID_TO_FSUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
cred->fsuid);
/* euid comparisons */
case AUDIT_COMPARE_EUID_TO_SUID:
return audit_uid_comparator(cred->euid, f->op, cred->suid);
@@ -611,7 +611,7 @@ static int audit_filter_rules(struct task_struct *tsk,
result = match_tree_refs(ctx, rule->tree);
break;
case AUDIT_LOGINUID:
-   result = audit_uid_comparator(tsk->loginuid, f->op, 
f->uid);
+   result = audit_uid_comparator(audit_get_loginuid(tsk), 
f->op, f->uid);
break;
case AUDIT_LOGINUID_SET:
result = audit_comparator(audit_loginuid_set(tsk), 
f->op, f->val);
@@ -2281,14 +2281,14 @@ int audit_signal_info(int sig, struct task_struct *t)
struct audit_aux_data_pids *axp;
struct task_struct *tsk = current;
struct audit_context *ctx = tsk->audit_context;
-   kuid_t uid = current_uid(), t_uid = task_uid(t);
+   kuid_t uid = current_uid(), auid, t_uid = task_uid(t);
 
if (auditd_test_task(t) &&
(sig == SIGTERM || sig == SIGHUP ||
 sig == SIGUSR1 || sig == SIGUSR2)) {
audit_sig_pid = task_tgid_nr(tsk);
-   if (uid_valid(tsk->loginuid))
-   audit_sig_uid = tsk->loginuid;
+   if (uid_valid(auid = audit_get_loginuid(tsk)))
+   audit_sig_uid = auid;
else
audit_sig_uid = uid;
security_task_getsecid(tsk, &audit_sig_sid);
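Review bot: `if (uid_valid(auid = audit_get_loginuid(tsk)))` puts an assignment inside the condition, which checkpatch flags and which hides the side effect from a reader scanning for where `auid` is set; split it into `auid = audit_get_loginuid(tsk);` followed by `if (uid_valid(auid))`. Fetching it once rather than twice is the right change otherwise.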
-- 
1.8.3.1



[PATCH ghak81 RFC V2 4/5] audit: use inline function to set audit context

2018-05-12 Thread Richard Guy Briggs
Recognizing that the audit context is an internal audit value, use an
access function to set the audit context pointer for the task
rather than reaching directly into the task struct to set it.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h | 6 ++
 kernel/auditsc.c  | 7 +++
 kernel/fork.c | 2 +-
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 786aa8e..f7973e4 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -235,6 +235,10 @@ extern void __audit_inode_child(struct inode *parent,
 extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 extern void __audit_ptrace(struct task_struct *t);
 
+static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
+{
+   task->audit_context = ctx;
+}
 static inline struct audit_context *audit_context(void)
 {
return current->audit_context;
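Review bot: the new `static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx)` prototype exceeds 80 columns, so checkpatch will complain; break the line after the first parameter. A blank line between the new function and audit_context() below it would also match the style of the neighbouring helpers.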
@@ -472,6 +476,8 @@ static inline bool audit_dummy_context(void)
 {
return true;
 }
+static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
+{ }
 static inline struct audit_context *audit_context(void)
 {
return NULL;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ecc0c23..d441d68 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -865,7 +865,7 @@ static inline struct audit_context 
*audit_take_context(struct task_struct *tsk,
audit_filter_inodes(tsk, context);
}
 
-   tsk->audit_context = NULL;
+   audit_set_context(tsk, NULL);
return context;
 }
 
@@ -952,7 +952,7 @@ int audit_alloc(struct task_struct *tsk)
}
context->filterkey = key;
 
-   tsk->audit_context  = context;
+   audit_set_context(tsk, context);
set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
return 0;
 }
@@ -1554,7 +1554,6 @@ void __audit_syscall_entry(int major, unsigned long a1, 
unsigned long a2,
  */
 void __audit_syscall_exit(int success, long return_code)
 {
-   struct task_struct *tsk = current;
struct audit_context *context;
 
if (success)
@@ -1589,7 +1588,7 @@ void __audit_syscall_exit(int success, long return_code)
kfree(context->filterkey);
context->filterkey = NULL;
}
-   tsk->audit_context = context;
+   audit_set_context(current, context);
 }
 
 static inline void handle_one(const struct inode *inode)
diff --git a/kernel/fork.c b/kernel/fork.c
index 242c8c9..cd18448 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1713,7 +1713,7 @@ static __latent_entropy struct task_struct *copy_process(
p->start_time = ktime_get_ns();
p->real_start_time = ktime_get_boot_ns();
p->io_context = NULL;
-   p->audit_context = NULL;
+   audit_set_context(p, NULL);
cgroup_fork(p);
 #ifdef CONFIG_NUMA
p->mempolicy = mpol_dup(p->mempolicy);
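Review bot: with `p->audit_context = NULL` replaced by `audit_set_context(p, NULL)` and the !CONFIG_AUDITSYSCALL stub in this patch being empty, the child's `audit_context` pointer is no longer cleared at fork when syscall auditing is compiled out; it is whatever dup_task_struct() copied from the parent. Nothing sets the pointer in that configuration so it stays NULL in practice, but the change is silent and deserves a sentence in the commit message, or the field should move under CONFIG_AUDITSYSCALL as 5/5 does.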
-- 
1.8.3.1



[PATCH ghak81 RFC V2 2/5] audit: convert sessionid unset to a macro

2018-05-12 Thread Richard Guy Briggs
Use a macro, "AUDIT_SID_UNSET", to replace each instance of
initialization and comparison to an audit session ID.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h  | 2 +-
 include/net/xfrm.h | 2 +-
 include/uapi/linux/audit.h | 1 +
 init/init_task.c   | 3 ++-
 kernel/auditsc.c   | 4 ++--
 5 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 75d5b03..5f86f7c 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -513,7 +513,7 @@ static inline kuid_t audit_get_loginuid(struct task_struct 
*tsk)
 }
 static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
 {
-   return -1;
+   return AUDIT_SID_UNSET;
 }
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 { }
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a872379..fcce8ee 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -751,7 +751,7 @@ static inline void xfrm_audit_helper_usrinfo(bool 
task_valid,
audit_get_loginuid(current) :
INVALID_UID);
const unsigned int ses = task_valid ? audit_get_sessionid(current) :
-   (unsigned int) -1;
+   AUDIT_SID_UNSET;
 
audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
audit_log_task_context(audit_buf);
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e..04f9bd2 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -465,6 +465,7 @@ struct audit_tty_status {
 };
 
 #define AUDIT_UID_UNSET (unsigned int)-1
+#define AUDIT_SID_UNSET ((unsigned int)-1)
 
 /* audit_rule_data supports filter rules with both integer and string
  * fields.  It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
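Review bot: `+#define AUDIT_SID_UNSET ((unsigned int)-1)` is fully parenthesised while the existing `#define AUDIT_UID_UNSET (unsigned int)-1` directly above it is not; since this is a uapi header, either bring the older macro into the same style here or leave a note on why not, so userspace sees consistent definitions. Also worth stating in the commit message that this adds a new userspace-visible symbol.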
diff --git a/init/init_task.c b/init/init_task.c
index 3ac6e75..74f60ba 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -9,6 +9,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -119,7 +120,7 @@ struct task_struct init_task
.thread_node= LIST_HEAD_INIT(init_signals.thread_head),
 #ifdef CONFIG_AUDITSYSCALL
.loginuid   = INVALID_UID,
-   .sessionid  = (unsigned int)-1,
+   .sessionid  = AUDIT_SID_UNSET,
 #endif
 #ifdef CONFIG_PERF_EVENTS
.perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex),
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 0d4e269..e157595 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2050,7 +2050,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, 
kuid_t kloginuid,
 int audit_set_loginuid(kuid_t loginuid)
 {
struct task_struct *task = current;
-   unsigned int oldsessionid, sessionid = (unsigned int)-1;
+   unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
kuid_t oldloginuid;
int rc;
 
@@ -2064,7 +2064,7 @@ int audit_set_loginuid(kuid_t loginuid)
/* are we setting or clearing? */
if (uid_valid(loginuid)) {
sessionid = (unsigned int)atomic_inc_return(&session_id);
-   if (unlikely(sessionid == (unsigned int)-1))
+   if (unlikely(sessionid == AUDIT_SID_UNSET))
sessionid = (unsigned 
int)atomic_inc_return(&session_id);
}
 
-- 
1.8.3.1

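Added example, not part of the patch or of the kernel tree: a user-space C model of the session ID handling that this patch touches in audit_set_loginuid(). AUDIT_SID_UNSET, the "increment again if we landed on UNSET" retry and the set/clear semantics follow the hunks above; the counter, the kuid_t stand-in, the task info struct and the audit_model_login() helper are my own simplifications so the model runs and can be checked offline.

```c
/* User-space model of the audit session ID allocation in ghak81 RFC V2 2/5.
 * Added example, not kernel code: kuid_t, the counter and the task info
 * struct are stand-ins; the UNSET handling mirrors audit_set_loginuid(). */
#include <stdbool.h>
#include <stdint.h>

#define AUDIT_SID_UNSET ((unsigned int)-1)

typedef struct { uint32_t val; } kuid_t;        /* stand-in for the kernel type */
#define INVALID_UID ((kuid_t){ 0xffffffffu })
static inline bool uid_valid(kuid_t uid) { return uid.val != 0xffffffffu; }

struct audit_task_info {
	kuid_t loginuid;
	unsigned int sessionid;
};

/* Stand-in for the kernel's atomic_t session_id (single-threaded model). */
static unsigned int session_id;

static unsigned int atomic_inc_return(unsigned int *v)
{
	return ++*v;                /* wraps to 0 after 0xffffffff, like a 32-bit atomic */
}

/* Hand out the next session ID without ever returning the reserved UNSET
 * value: when the counter wraps onto (unsigned int)-1, take one more step,
 * exactly as the patched audit_set_loginuid() does. */
unsigned int audit_alloc_sessionid(void)
{
	unsigned int sid = atomic_inc_return(&session_id);

	if (sid == AUDIT_SID_UNSET)
		sid = atomic_inc_return(&session_id);
	return sid;
}

/* Model of audit_set_loginuid(): a valid loginuid (including uid 0, root)
 * starts a new session; clearing it with INVALID_UID leaves the session
 * ID unset. */
void audit_set_loginuid(struct audit_task_info *info, kuid_t loginuid)
{
	unsigned int sessionid = AUDIT_SID_UNSET;

	if (uid_valid(loginuid))
		sessionid = audit_alloc_sessionid();
	info->loginuid = loginuid;
	info->sessionid = sessionid;
}

/* Test helper (my own): start the counter at `counter`, log a fresh task in
 * with `uid` and report the session ID it received. */
unsigned int audit_model_login(unsigned int counter, uint32_t uid)
{
	struct audit_task_info info = { INVALID_UID, AUDIT_SID_UNSET };

	session_id = counter;
	audit_set_loginuid(&info, (kuid_t){ uid });
	return info.sessionid;
}
```

The wrap case is the one worth checking: with the counter one below 0xffffffff, the first increment lands on the reserved value and the second hands out 0, so no live session ever carries the ID that means "unset", while clearing the loginuid leaves the counter untouched.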


[PATCH ghak81 RFC V2 3/5] audit: use inline function to get audit context

2018-05-12 Thread Richard Guy Briggs
Recognizing that the audit context is an internal audit value, use an
access function to retrieve the audit context pointer for the task
rather than reaching directly into the task struct to get it.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h| 14 ++--
 include/net/xfrm.h   |  2 +-
 kernel/audit.c   |  6 ++--
 kernel/audit_watch.c |  2 +-
 kernel/auditsc.c | 64 +---
 net/bridge/netfilter/ebtables.c  |  2 +-
 net/core/dev.c   |  2 +-
 net/netfilter/x_tables.c |  2 +-
 net/netlabel/netlabel_user.c |  2 +-
 security/integrity/ima/ima_api.c |  2 +-
 security/integrity/integrity_audit.c |  2 +-
 security/lsm_audit.c |  2 +-
 security/selinux/hooks.c |  4 +--
 security/selinux/selinuxfs.c |  6 ++--
 security/selinux/ss/services.c   | 12 +++
 15 files changed, 64 insertions(+), 60 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 5f86f7c..786aa8e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -235,9 +235,13 @@ extern void __audit_inode_child(struct inode *parent,
 extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 extern void __audit_ptrace(struct task_struct *t);
 
+static inline struct audit_context *audit_context(void)
+{
+   return current->audit_context;
+}
 static inline bool audit_dummy_context(void)
 {
-   void *p = current->audit_context;
+   void *p = audit_context();
return !p || *(int *)p;
 }
 static inline void audit_free(struct task_struct *task)
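Review bot: audit_context() takes no task argument, so it can only answer for `current`; that is fine for every site converted in this patch, but a caller holding some other `tsk` cannot use it and has to keep reaching into the task struct, which undercuts the "never touch it directly" goal this series states. Either keep a task-taking variant alongside it or say in the commit message that non-current access stays open-coded. Also add a blank line between the new function and audit_dummy_context().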
@@ -249,12 +253,12 @@ static inline void audit_syscall_entry(int major, 
unsigned long a0,
   unsigned long a1, unsigned long a2,
   unsigned long a3)
 {
-   if (unlikely(current->audit_context))
+   if (unlikely(audit_context()))
__audit_syscall_entry(major, a0, a1, a2, a3);
 }
 static inline void audit_syscall_exit(void *pt_regs)
 {
-   if (unlikely(current->audit_context)) {
+   if (unlikely(audit_context())) {
int success = is_syscall_success(pt_regs);
long return_code = regs_return_value(pt_regs);
 
@@ -468,6 +472,10 @@ static inline bool audit_dummy_context(void)
 {
return true;
 }
+static inline struct audit_context *audit_context(void)
+{
+   return NULL;
+}
 static inline struct filename *audit_reusename(const __user char *name)
 {
return NULL;
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index fcce8ee..7f2e31a 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -736,7 +736,7 @@ static inline struct audit_buffer *xfrm_audit_start(const 
char *op)
 
if (audit_enabled == 0)
return NULL;
-   audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
+   audit_buf = audit_log_start(audit_context(), GFP_ATOMIC,
AUDIT_MAC_IPSEC_EVENT);
if (audit_buf == NULL)
return NULL;
diff --git a/kernel/audit.c b/kernel/audit.c
index e9f9a90..e7478cb 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1099,8 +1099,7 @@ static void audit_log_feature_change(int which, u32 
old_feature, u32 new_feature
 
if (audit_enabled == AUDIT_OFF)
return;
-   ab = audit_log_start(current->audit_context,
-GFP_KERNEL, AUDIT_FEATURE_CHANGE);
+   ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_FEATURE_CHANGE);
if (!ab)
return;
audit_log_task_info(ab, current);
@@ -2317,8 +2316,7 @@ void audit_log_link_denied(const char *operation)
return;
 
/* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
-   ab = audit_log_start(current->audit_context, GFP_KERNEL,
-AUDIT_ANOM_LINK);
+   ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_LINK);
if (!ab)
return;
audit_log_format(ab, "op=%s", operation);
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 9eb8b35..f1ba889 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -274,7 +274,7 @@ static void audit_update_watch(struct audit_parent *parent,
/* If the update involves invalidating rules, do the inode-based
 * filtering now, so we don't omit records. */
if (invalidating && !audit_dummy_context())
-   audit_filter_inodes(current, current->audit_context);
+   audit_filter_inodes(current, audit_context());
 
/* updating ino will likely change which audit_hash_list we
 * are on so we need a new watch for the new list */
diff --git a/kernel/auditsc.c b/kernel/audit

[PATCH ghak81 RFC V2 0/5] audit: group task params

2018-05-12 Thread Richard Guy Briggs
Group the audit parameters for each task into one structure.
In particular, remove the loginuid and sessionid values and the audit
context pointer from the task structure, replacing them with an audit
task information structure to contain them.  Use access functions to
access audit values.

Note:  Use static allocation of the audit task information structure
initially.  Dynamic allocation was considered and attempted, but isn't
ready yet.  Static allocation has the limitation that future audit task
information structure changes would cause a visible change to the rest
of the kernel, whereas dynamic allocation would mostly hide any future
changes.

The first four access normalization patches could stand alone.

Passes audit-testsuite.

Changelog:
v2
- p2/5: add audit header to init/init_task.c to quiet kbuildbot
- audit_signal_info(): fetch loginuid once
- remove task_struct from audit_context() param list
- remove extra task_struct local vars
- do nothing on request to set audit context when audit is disabled

Richard Guy Briggs (5):
  audit: normalize loginuid read access
  audit: convert sessionid unset to a macro
  audit: use inline function to get audit context
  audit: use inline function to set audit context
  audit: collect audit task parameters

 MAINTAINERS  |  2 +-
 include/linux/audit.h| 28 ---
 include/linux/audit_task.h   | 31 
 include/linux/sched.h|  6 +--
 include/net/xfrm.h   |  4 +-
 include/uapi/linux/audit.h   |  1 +
 init/init_task.c |  8 ++-
 kernel/audit.c   |  6 +--
 kernel/audit_watch.c |  2 +-
 kernel/auditsc.c | 97 +---
 kernel/fork.c|  2 +-
 net/bridge/netfilter/ebtables.c  |  2 +-
 net/core/dev.c   |  2 +-
 net/netfilter/x_tables.c |  2 +-
 net/netlabel/netlabel_user.c |  2 +-
 security/integrity/ima/ima_api.c |  2 +-
 security/integrity/integrity_audit.c |  2 +-
 security/lsm_audit.c |  2 +-
 security/selinux/hooks.c |  4 +-
 security/selinux/selinuxfs.c |  6 +--
 security/selinux/ss/services.c   | 12 ++---
 21 files changed, 133 insertions(+), 90 deletions(-)
 create mode 100644 include/linux/audit_task.h

-- 
1.8.3.1



[PATCH ghak81 RFC V2 5/5] audit: collect audit task parameters

2018-05-12 Thread Richard Guy Briggs
The audit-related parameters in struct task_struct should ideally be
collected together and accessed through a standard audit API.

Collect the existing loginuid, sessionid and audit_context together in a
new struct audit_task_info called "audit" in struct task_struct.

See: https://github.com/linux-audit/audit-kernel/issues/81

Signed-off-by: Richard Guy Briggs 
---
 MAINTAINERS|  2 +-
 include/linux/audit.h  | 10 +-
 include/linux/audit_task.h | 31 +++
 include/linux/sched.h  |  6 ++
 init/init_task.c   |  7 +--
 kernel/auditsc.c   |  6 +++---
 6 files changed, 47 insertions(+), 15 deletions(-)
 create mode 100644 include/linux/audit_task.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 0a1410d..8c7992d 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2510,7 +2510,7 @@ L:linux-au...@redhat.com (moderated for 
non-subscribers)
 W: https://github.com/linux-audit
 T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
 S: Supported
-F: include/linux/audit.h
+F: include/linux/audit*.h
 F: include/uapi/linux/audit.h
 F: kernel/audit*
 
diff --git a/include/linux/audit.h b/include/linux/audit.h
index f7973e4..6d599b6 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -237,11 +237,11 @@ extern void __audit_inode_child(struct inode *parent,
 
 static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
 {
-   task->audit_context = ctx;
+   task->audit.ctx = ctx;
 }
 static inline struct audit_context *audit_context(void)
 {
-   return current->audit_context;
+   return current->audit.ctx;
 }
 static inline bool audit_dummy_context(void)
 {
@@ -250,7 +250,7 @@ static inline bool audit_dummy_context(void)
 }
 static inline void audit_free(struct task_struct *task)
 {
-   if (unlikely(task->audit_context))
+   if (unlikely(task->audit.ctx))
__audit_free(task);
 }
 static inline void audit_syscall_entry(int major, unsigned long a0,
@@ -330,12 +330,12 @@ extern int auditsc_get_stamp(struct audit_context *ctx,
 
 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 {
-   return tsk->loginuid;
+   return tsk->audit.loginuid;
 }
 
 static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
 {
-   return tsk->sessionid;
+   return tsk->audit.sessionid;
 }
 
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
diff --git a/include/linux/audit_task.h b/include/linux/audit_task.h
new file mode 100644
index 000..d4b3a20
--- /dev/null
+++ b/include/linux/audit_task.h
@@ -0,0 +1,31 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/* audit_task.h -- definition of audit_task_info structure
+ *
+ * Copyright 2018 Red Hat Inc., Raleigh, North Carolina.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * Written by Richard Guy Briggs 
+ *
+ */
+
+#ifndef _LINUX_AUDIT_TASK_H_
+#define _LINUX_AUDIT_TASK_H_
+
+struct audit_context;
+struct audit_task_info {
+   kuid_t  loginuid;
+   unsigned intsessionid;
+   struct audit_context*ctx;
+};
+
+#endif
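Review bot: the new header uses kuid_t but includes nothing, so it only compiles when the includer has already pulled in linux/uidgid.h (sched.h happens to); add `#include <linux/uidgid.h>` so the header stands on its own. Minor: with the SPDX-License-Identifier line present, the full GPL paragraph in the comment block is redundant under the kernel's license rules and can be dropped.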
diff --git a/include/linux/sched.h b/include/linux/sched.h
index b3d697f..b58eca0 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -27,9 +27,9 @@
 #include 
 #include 
 #include 
+#include 
 
 /* task_struct member predeclarations (sorted alphabetically): */
-struct audit_context;
 struct backing_dev_info;
 struct bio_list;
 struct blk_plug;
@@ -832,10 +832,8 @@ struct task_struct {
 
struct callback_head*task_works;
 
-   struct audit_context*audit_context;
 #ifdef CONFIG_AUDITSYSCALL
-   kuid_t  loginuid;
-   unsigned intsessionid;
+   struct audit_task_info  audit;
 #endif
struct seccomp  seccomp;
 
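Review bot: this hunk moves the audit context from an unconditional task_struct member into the CONFIG_AUDITSYSCALL-only `struct audit_task_info audit`, but the audit.h hunks in this patch only update the CONFIG_AUDITSYSCALL versions of audit_set_context()/audit_context(); the !CONFIG_AUDITSYSCALL stub added in patch 4/5, which still does `task->audit_context = ctx;`, is left referencing a member that no longer exists, so a build without CONFIG_AUDITSYSCALL fails until that stub becomes an empty function.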
diff --git a/init/init_task.c b/init/init_task.c
index 74f60ba..d33260d 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -119,8 +119,11 @@ struct task_struct init_task
.thread_group   = LIST_HEAD_INIT(init_task.thread_group),
.thread_node= LIST_HEAD_INIT(init_signals.thread_head),
 #ifdef CONFIG_AUDITSYSCALL
-   .loginuid   = INVALID_UID,
-   .sessionid  = AUDIT_SID_UNSET,
+   .audit  = {
+   .loginuid   = INVALID_UID,
+   .sessionid 

Re: [PATCH ghak81 RFC V1 1/5] audit: normalize loginuid read access

2018-05-11 Thread Richard Guy Briggs
On 2018-05-10 17:21, Richard Guy Briggs wrote:
> On 2018-05-09 11:13, Paul Moore wrote:
> > On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs  wrote:
> > > Recognizing that the loginuid is an internal audit value, use an access
> > > function to retrieve the audit loginuid value for the task rather than
> > > reaching directly into the task struct to get it.
> > >
> > > Signed-off-by: Richard Guy Briggs 
> > > ---
> > >  kernel/auditsc.c | 16 
> > >  1 file changed, 8 insertions(+), 8 deletions(-)
> > >
> > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > > index 479c031..f3817d0 100644
> > > --- a/kernel/auditsc.c
> > > +++ b/kernel/auditsc.c
> > > @@ -374,7 +374,7 @@ static int audit_field_compare(struct task_struct 
> > > *tsk,
> > > case AUDIT_COMPARE_EGID_TO_OBJ_GID:
> > > return audit_compare_gid(cred->egid, name, f, ctx);
> > > case AUDIT_COMPARE_AUID_TO_OBJ_UID:
> > > -   return audit_compare_uid(tsk->loginuid, name, f, ctx);
> > > +   return audit_compare_uid(audit_get_loginuid(tsk), name, 
> > > f, ctx);
> > > case AUDIT_COMPARE_SUID_TO_OBJ_UID:
> > > return audit_compare_uid(cred->suid, name, f, ctx);
> > > case AUDIT_COMPARE_SGID_TO_OBJ_GID:
> > > @@ -385,7 +385,7 @@ static int audit_field_compare(struct task_struct 
> > > *tsk,
> > > return audit_compare_gid(cred->fsgid, name, f, ctx);
> > > /* uid comparisons */
> > > case AUDIT_COMPARE_UID_TO_AUID:
> > > -   return audit_uid_comparator(cred->uid, f->op, 
> > > tsk->loginuid);
> > > +   return audit_uid_comparator(cred->uid, f->op, 
> > > audit_get_loginuid(tsk));
> > > case AUDIT_COMPARE_UID_TO_EUID:
> > > return audit_uid_comparator(cred->uid, f->op, cred->euid);
> > > case AUDIT_COMPARE_UID_TO_SUID:
> > > @@ -394,11 +394,11 @@ static int audit_field_compare(struct task_struct 
> > > *tsk,
> > > return audit_uid_comparator(cred->uid, f->op, 
> > > cred->fsuid);
> > > /* auid comparisons */
> > > case AUDIT_COMPARE_AUID_TO_EUID:
> > > -   return audit_uid_comparator(tsk->loginuid, f->op, 
> > > cred->euid);
> > > +   return audit_uid_comparator(audit_get_loginuid(tsk), 
> > > f->op, cred->euid);
> > > case AUDIT_COMPARE_AUID_TO_SUID:
> > > -   return audit_uid_comparator(tsk->loginuid, f->op, 
> > > cred->suid);
> > > +   return audit_uid_comparator(audit_get_loginuid(tsk), 
> > > f->op, cred->suid);
> > > case AUDIT_COMPARE_AUID_TO_FSUID:
> > > -   return audit_uid_comparator(tsk->loginuid, f->op, 
> > > cred->fsuid);
> > > +   return audit_uid_comparator(audit_get_loginuid(tsk), 
> > > f->op, cred->fsuid);
> > > /* euid comparisons */
> > > case AUDIT_COMPARE_EUID_TO_SUID:
> > > return audit_uid_comparator(cred->euid, f->op, 
> > > cred->suid);
> > > @@ -611,7 +611,7 @@ static int audit_filter_rules(struct task_struct *tsk,
> > > result = match_tree_refs(ctx, rule->tree);
> > > break;
> > > case AUDIT_LOGINUID:
> > > -   result = audit_uid_comparator(tsk->loginuid, 
> > > f->op, f->uid);
> > > +   result = 
> > > audit_uid_comparator(audit_get_loginuid(tsk), f->op, f->uid);
> > > break;
> > > case AUDIT_LOGINUID_SET:
> > > result = 
> > > audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
> > > @@ -2287,8 +2287,8 @@ int audit_signal_info(int sig, struct task_struct 
> > > *t)
> > > (sig == SIGTERM || sig == SIGHUP ||
> > >  sig == SIGUSR1 || sig == SIGUSR2)) {
> > > audit_sig_pid = task_tgid_nr(tsk);
> > > -   if (uid_valid(tsk->loginuid))
> > > -   audit_sig_uid = tsk->loginuid;
> > > +   if (uid_valid(audit_get_loginuid(tsk)))
> > > +   audit_sig_uid = audit

Re: [PATCH ghak81 RFC V1 5/5] audit: collect audit task parameters

2018-05-10 Thread Richard Guy Briggs
On 2018-05-09 11:46, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs  wrote:
> > The audit-related parameters in struct task_struct should ideally be
> > collected together and accessed through a standard audit API.
> >
> > Collect the existing loginuid, sessionid and audit_context together in a
> > new struct audit_task_info pointer called "audit" in struct task_struct.
> >
> > Use kmem_cache to manage this pool of memory.
> > Un-inline audit_free() to be able to always recover that memory.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/81
> >
> > Signed-off-by: Richard Guy Briggs 
> > ---
> >  MAINTAINERS|  2 +-
> >  include/linux/audit.h  |  8 
> >  include/linux/audit_task.h | 31 +++
> >  include/linux/sched.h  |  6 ++
> >  init/init_task.c   |  8 ++--
> >  kernel/auditsc.c   |  4 ++--
> >  6 files changed, 46 insertions(+), 13 deletions(-)
> >  create mode 100644 include/linux/audit_task.h
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 0a1410d..8c7992d 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -2510,7 +2510,7 @@ L:linux-au...@redhat.com (moderated for 
> > non-subscribers)
> >  W: https://github.com/linux-audit
> >  T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
> >  S: Supported
> > -F: include/linux/audit.h
> > +F: include/linux/audit*.h
> >  F: include/uapi/linux/audit.h
> >  F: kernel/audit*
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index dba0d45..1324969 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -237,11 +237,11 @@ extern void __audit_inode_child(struct inode *parent,
> >
> >  static inline void audit_set_context(struct task_struct *task, struct 
> > audit_context *ctx)
> >  {
> > -   task->audit_context = ctx;
> > +   task->audit.ctx = ctx;
> >  }
> >  static inline struct audit_context *audit_context(struct task_struct *task)
> >  {
> > -   return task->audit_context;
> > +   return task->audit.ctx;
> >  }
> >  static inline bool audit_dummy_context(void)
> >  {
> > @@ -330,12 +330,12 @@ extern int auditsc_get_stamp(struct audit_context 
> > *ctx,
> >
> >  static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
> >  {
> > -   return tsk->loginuid;
> > +   return tsk->audit.loginuid;
> >  }
> >
> >  static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
> >  {
> > -   return tsk->sessionid;
> > +   return tsk->audit.sessionid;
> >  }
> >
> >  extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
> > diff --git a/include/linux/audit_task.h b/include/linux/audit_task.h
> > new file mode 100644
> > index 000..d4b3a20
> > --- /dev/null
> > +++ b/include/linux/audit_task.h
> > @@ -0,0 +1,31 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +/* audit_task.h -- definition of audit_task_info structure
> > + *
> > + * Copyright 2018 Red Hat Inc., Raleigh, North Carolina.
> > + * All Rights Reserved.
> > + *
> > + * This program is free software; you can redistribute it and/or modify
> > + * it under the terms of the GNU General Public License as published by
> > + * the Free Software Foundation; either version 2 of the License, or
> > + * (at your option) any later version.
> > + *
> > + * This program is distributed in the hope that it will be useful,
> > + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > + * GNU General Public License for more details.
> > + *
> > + * Written by Richard Guy Briggs 
> > + *
> > + */
> > +
> > +#ifndef _LINUX_AUDIT_TASK_H_
> > +#define _LINUX_AUDIT_TASK_H_
> > +
> > +struct audit_context;
> > +struct audit_task_info {
> > +   kuid_t  loginuid;
> > +   unsigned intsessionid;
> > +   struct audit_context*ctx;
> > +};
> > +
> > +#endif
> > diff --git a/include/linux/sched.h b/include/linux/sched.h
> > index b3d697f..b58eca0 100644
> > --- a/include/linux/sched.h
> > +++ b/include/linux/sched.h
> > @@ -27,9 +27,9 @@
> >  #include 
> >  #include 
> >  #include 
> > +#include 

Re: [PATCH ghak81 RFC V1 1/5] audit: normalize loginuid read access

2018-05-10 Thread Richard Guy Briggs
On 2018-05-09 11:13, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs  wrote:
> > Recognizing that the loginuid is an internal audit value, use an access
> > function to retrieve the audit loginuid value for the task rather than
> > reaching directly into the task struct to get it.
> >
> > Signed-off-by: Richard Guy Briggs 
> > ---
> >  kernel/auditsc.c | 16 
> >  1 file changed, 8 insertions(+), 8 deletions(-)
> >
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 479c031..f3817d0 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -374,7 +374,7 @@ static int audit_field_compare(struct task_struct *tsk,
> > case AUDIT_COMPARE_EGID_TO_OBJ_GID:
> > return audit_compare_gid(cred->egid, name, f, ctx);
> > case AUDIT_COMPARE_AUID_TO_OBJ_UID:
> > -   return audit_compare_uid(tsk->loginuid, name, f, ctx);
> > +   return audit_compare_uid(audit_get_loginuid(tsk), name, f, 
> > ctx);
> > case AUDIT_COMPARE_SUID_TO_OBJ_UID:
> > return audit_compare_uid(cred->suid, name, f, ctx);
> > case AUDIT_COMPARE_SGID_TO_OBJ_GID:
> > @@ -385,7 +385,7 @@ static int audit_field_compare(struct task_struct *tsk,
> > return audit_compare_gid(cred->fsgid, name, f, ctx);
> > /* uid comparisons */
> > case AUDIT_COMPARE_UID_TO_AUID:
> > -   return audit_uid_comparator(cred->uid, f->op, 
> > tsk->loginuid);
> > +   return audit_uid_comparator(cred->uid, f->op, 
> > audit_get_loginuid(tsk));
> > case AUDIT_COMPARE_UID_TO_EUID:
> > return audit_uid_comparator(cred->uid, f->op, cred->euid);
> > case AUDIT_COMPARE_UID_TO_SUID:
> > @@ -394,11 +394,11 @@ static int audit_field_compare(struct task_struct 
> > *tsk,
> > return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
> > /* auid comparisons */
> > case AUDIT_COMPARE_AUID_TO_EUID:
> > -   return audit_uid_comparator(tsk->loginuid, f->op, 
> > cred->euid);
> > +   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
> > cred->euid);
> > case AUDIT_COMPARE_AUID_TO_SUID:
> > -   return audit_uid_comparator(tsk->loginuid, f->op, 
> > cred->suid);
> > +   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
> > cred->suid);
> > case AUDIT_COMPARE_AUID_TO_FSUID:
> > -   return audit_uid_comparator(tsk->loginuid, f->op, 
> > cred->fsuid);
> > +   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
> > cred->fsuid);
> > /* euid comparisons */
> > case AUDIT_COMPARE_EUID_TO_SUID:
> > return audit_uid_comparator(cred->euid, f->op, cred->suid);
> > @@ -611,7 +611,7 @@ static int audit_filter_rules(struct task_struct *tsk,
> > result = match_tree_refs(ctx, rule->tree);
> > break;
> > case AUDIT_LOGINUID:
> > -   result = audit_uid_comparator(tsk->loginuid, f->op, 
> > f->uid);
> > +   result = 
> > audit_uid_comparator(audit_get_loginuid(tsk), f->op, f->uid);
> > break;
> > case AUDIT_LOGINUID_SET:
> > result = audit_comparator(audit_loginuid_set(tsk), 
> > f->op, f->val);
> > @@ -2287,8 +2287,8 @@ int audit_signal_info(int sig, struct task_struct *t)
> > (sig == SIGTERM || sig == SIGHUP ||
> >  sig == SIGUSR1 || sig == SIGUSR2)) {
> > audit_sig_pid = task_tgid_nr(tsk);
> > -   if (uid_valid(tsk->loginuid))
> > -   audit_sig_uid = tsk->loginuid;
> > +   if (uid_valid(audit_get_loginuid(tsk)))
> > +   audit_sig_uid = audit_get_loginuid(tsk);
> 
> I realize this comment is a little silly given the nature of loginuid,
> but if we are going to abstract away loginuid accesses (which I think
> is good), we should probably access it once, store it in a local
> variable, perform the validity check on the local variable, then
> commit the local variable to audit_sig_uid.  I realize a TOCTOU
> problem is unlikely here, but with this new layer of abstraction it
> seems that some additional safety might be a good thing.

Re: [PATCH ghak81 RFC V1 3/5] audit: use inline function to get audit context

2018-05-10 Thread Richard Guy Briggs
On 2018-05-09 11:28, Paul Moore wrote:
> On Fri, May 4, 2018 at 4:54 PM, Richard Guy Briggs  wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to retrieve the audit context pointer for the task
> > rather than reaching directly into the task struct to get it.
> >
> > Signed-off-by: Richard Guy Briggs 
> > ---
> >  include/linux/audit.h| 16 ---
> >  include/net/xfrm.h   |  2 +-
> >  kernel/audit.c   |  4 +--
> >  kernel/audit_watch.c |  2 +-
> >  kernel/auditsc.c | 52 
> > ++--
> >  net/bridge/netfilter/ebtables.c  |  2 +-
> >  net/core/dev.c   |  2 +-
> >  net/netfilter/x_tables.c |  2 +-
> >  net/netlabel/netlabel_user.c |  2 +-
> >  security/integrity/ima/ima_api.c |  2 +-
> >  security/integrity/integrity_audit.c |  2 +-
> >  security/lsm_audit.c |  2 +-
> >  security/selinux/hooks.c |  4 +--
> >  security/selinux/selinuxfs.c |  6 ++---
> >  security/selinux/ss/services.c   | 12 -
> >  15 files changed, 60 insertions(+), 52 deletions(-)
> >
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 5f86f7c..93e4c61 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -235,26 +235,30 @@ extern void __audit_inode_child(struct inode *parent,
> >  extern void __audit_seccomp(unsigned long syscall, long signr, int code);
> >  extern void __audit_ptrace(struct task_struct *t);
> >
> > +static inline struct audit_context *audit_context(struct task_struct *task)
> > +{
> > +   return task->audit_context;
> > +}
> 
> Another case where I think I agree with everything here on principle,
> especially when one considers it in the larger context of the audit
> container ID work.  However, I think we might be able to simplify this a
> bit by eliminating the parameter to the new audit_context() helper and
> making it always reference the current task_struct.  Based on this
> patch it would appear that this change would work for all callers
> except for audit_take_context() and __audit_syscall_entry(), both of
> which are contained within the core audit code and are enough of a
> special case that I think it is acceptable for them to access the
> context directly.  I'm trying to think of reasons why a non-audit
> kernel subsystem would ever need to access the audit context of a
> process other than current and I can't think of any ... removing the
> task_struct pointer might help prevent mistakes/abuse in the future.

As for __audit_syscall_{entry,exit}() and audit_signal_info(), they are
using current.  current is assigned to local variable tsk only to be
used as the LHS in assignments and for locking.

But, audit_take_context() and audit_log_exit() are both called also from
__audit_free() which can have non-current handed to it by copy_process()
cleaning up, while do_exit() appears to still be in current.

So, Ok, ditch the parameter to audit_context() and use local access when
needed.

> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 6e3ceb9..a4bbdcc 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -836,7 +836,7 @@ static inline struct audit_context 
> > *audit_take_context(struct task_struct *tsk,
> >   int return_valid,
> >   long return_code)
> >  {
> > -   struct audit_context *context = tsk->audit_context;
> > +   struct audit_context *context = audit_context(tsk);
> >
> > if (!context)
> > return NULL;
> > @@ -1510,7 +1510,7 @@ void __audit_syscall_entry(int major, unsigned long 
> > a1, unsigned long a2,
> >            unsigned long a3, unsigned long a4)
> >  {
> > struct task_struct *tsk = current;
> > -   struct audit_context *context = tsk->audit_context;
> > +   struct audit_context *context = audit_context(tsk);
> > enum audit_state state;
> >
> > if (!audit_enabled || !context)
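Review bot: if the task parameter is dropped from audit_context() as agreed above, these two call sites diverge: __audit_syscall_entry() has tsk == current, so the parameterless helper works there, but audit_take_context() is also reached from __audit_free() with a non-current task and must keep reading tsk->audit_context directly (or take the context from its caller) rather than use the current-only helper.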
> 
> -- 
> paul moore
> www.paul-moore.com

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH ghak81 RFC V1 4/5] audit: use inline function to set audit context

2018-05-09 Thread Richard Guy Briggs
On 2018-05-09 12:07, Tobin C. Harding wrote:
> On Fri, May 04, 2018 at 04:54:37PM -0400, Richard Guy Briggs wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to set the audit context pointer for the task
> > rather than reaching directly into the task struct to set it.
> > 
> > Signed-off-by: Richard Guy Briggs 
> > ---
> >  include/linux/audit.h | 8 
> >  kernel/auditsc.c  | 6 +++---
> >  kernel/fork.c | 2 +-
> >  3 files changed, 12 insertions(+), 4 deletions(-)
> > 
> > diff --git a/include/linux/audit.h b/include/linux/audit.h
> > index 93e4c61..dba0d45 100644
> > --- a/include/linux/audit.h
> > +++ b/include/linux/audit.h
> > @@ -235,6 +235,10 @@ extern void __audit_inode_child(struct inode *parent,
> >  extern void __audit_seccomp(unsigned long syscall, long signr, int code);
> >  extern void __audit_ptrace(struct task_struct *t);
> >  
> > +static inline void audit_set_context(struct task_struct *task, struct 
> > audit_context *ctx)
> > +{
> > +   task->audit_context = ctx;
> > +}
> >  static inline struct audit_context *audit_context(struct task_struct *task)
> >  {
> > return task->audit_context;
> > @@ -472,6 +476,10 @@ static inline bool audit_dummy_context(void)
> >  {
> > return true;
> >  }
> > +static inline void audit_set_context(struct task_struct *task, struct 
> > audit_context *ctx)
> > +{
> > +   task->audit_context = ctx;
> > +}
> 
> If audit_context is an internal audit value why do we set it when
> CONFIG_AUDITSYSCALL is not set?

Agreed, that is unnecessary, but harmless since it won't be called, or
will be called with a value of NULL.  That has been fixed in my dynamic
allocation patchset since not even the audit_task_info struct is
available to assign the value.  It is now an empty function like the
rest.

> Tobin.

- RGB



Re: [PATCH ghak81 RFC V1 2/5] audit: convert sessionid unset to a macro

2018-05-08 Thread Richard Guy Briggs
On 2018-05-04 16:54, Richard Guy Briggs wrote:
> Use a macro, "AUDIT_SID_UNSET", to replace each instance of
> initialization and comparison to an audit session ID.
> 
> Signed-off-by: Richard Guy Briggs 

There's a minor issue with this patch, adding a header include to
init/init_task.c in this patch and removing it from patch 5.  That'll be
in the next revision.

I have dynamic allocation working, so that has a good chance of
appearing too.

> ---
>  include/linux/audit.h  | 2 +-
>  include/net/xfrm.h | 2 +-
>  include/uapi/linux/audit.h | 1 +
>  init/init_task.c   | 2 +-
>  kernel/auditsc.c   | 4 ++--
>  5 files changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 75d5b03..5f86f7c 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -513,7 +513,7 @@ static inline kuid_t audit_get_loginuid(struct 
> task_struct *tsk)
>  }
>  static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
>  {
> - return -1;
> + return AUDIT_SID_UNSET;
>  }
>  static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
>  { }
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> index a872379..fcce8ee 100644
> --- a/include/net/xfrm.h
> +++ b/include/net/xfrm.h
> @@ -751,7 +751,7 @@ static inline void xfrm_audit_helper_usrinfo(bool 
> task_valid,
>   audit_get_loginuid(current) :
>   INVALID_UID);
>   const unsigned int ses = task_valid ? audit_get_sessionid(current) :
> - (unsigned int) -1;
> + AUDIT_SID_UNSET;
>  
>   audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
>   audit_log_task_context(audit_buf);
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 4e61a9e..04f9bd2 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -465,6 +465,7 @@ struct audit_tty_status {
>  };
>  
>  #define AUDIT_UID_UNSET (unsigned int)-1
> +#define AUDIT_SID_UNSET ((unsigned int)-1)
>  
>  /* audit_rule_data supports filter rules with both integer and string
>   * fields.  It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
> diff --git a/init/init_task.c b/init/init_task.c
> index 3ac6e75..c788f91 100644
> --- a/init/init_task.c
> +++ b/init/init_task.c
> @@ -119,7 +119,7 @@ struct task_struct init_task
>   .thread_node= LIST_HEAD_INIT(init_signals.thread_head),
>  #ifdef CONFIG_AUDITSYSCALL
>   .loginuid   = INVALID_UID,
> - .sessionid  = (unsigned int)-1,
> + .sessionid  = AUDIT_SID_UNSET,
>  #endif
>  #ifdef CONFIG_PERF_EVENTS
>   .perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex),
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index f3817d0..6e3ceb9 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2050,7 +2050,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, 
> kuid_t kloginuid,
>  int audit_set_loginuid(kuid_t loginuid)
>  {
>   struct task_struct *task = current;
> - unsigned int oldsessionid, sessionid = (unsigned int)-1;
> + unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
>   kuid_t oldloginuid;
>   int rc;
>  
> @@ -2064,7 +2064,7 @@ int audit_set_loginuid(kuid_t loginuid)
>   /* are we setting or clearing? */
>   if (uid_valid(loginuid)) {
>   sessionid = (unsigned int)atomic_inc_return(&session_id);
> - if (unlikely(sessionid == (unsigned int)-1))
> + if (unlikely(sessionid == AUDIT_SID_UNSET))
>   sessionid = (unsigned 
> int)atomic_inc_return(&session_id);
>   }
>  
> -- 
> 1.8.3.1
> 
> --
> Linux-audit mailing list
> linux-au...@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB



[PATCH ghak81 RFC V1 1/5] audit: normalize loginuid read access

2018-05-04 Thread Richard Guy Briggs
Recognizing that the loginuid is an internal audit value, use an access
function to retrieve the audit loginuid value for the task rather than
reaching directly into the task struct to get it.

Signed-off-by: Richard Guy Briggs 
---
 kernel/auditsc.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 479c031..f3817d0 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -374,7 +374,7 @@ static int audit_field_compare(struct task_struct *tsk,
case AUDIT_COMPARE_EGID_TO_OBJ_GID:
return audit_compare_gid(cred->egid, name, f, ctx);
case AUDIT_COMPARE_AUID_TO_OBJ_UID:
-   return audit_compare_uid(tsk->loginuid, name, f, ctx);
+   return audit_compare_uid(audit_get_loginuid(tsk), name, f, ctx);
case AUDIT_COMPARE_SUID_TO_OBJ_UID:
return audit_compare_uid(cred->suid, name, f, ctx);
case AUDIT_COMPARE_SGID_TO_OBJ_GID:
@@ -385,7 +385,7 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_compare_gid(cred->fsgid, name, f, ctx);
/* uid comparisons */
case AUDIT_COMPARE_UID_TO_AUID:
-   return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
+   return audit_uid_comparator(cred->uid, f->op, 
audit_get_loginuid(tsk));
case AUDIT_COMPARE_UID_TO_EUID:
return audit_uid_comparator(cred->uid, f->op, cred->euid);
case AUDIT_COMPARE_UID_TO_SUID:
@@ -394,11 +394,11 @@ static int audit_field_compare(struct task_struct *tsk,
return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
/* auid comparisons */
case AUDIT_COMPARE_AUID_TO_EUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
cred->euid);
case AUDIT_COMPARE_AUID_TO_SUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
cred->suid);
case AUDIT_COMPARE_AUID_TO_FSUID:
-   return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
+   return audit_uid_comparator(audit_get_loginuid(tsk), f->op, 
cred->fsuid);
/* euid comparisons */
case AUDIT_COMPARE_EUID_TO_SUID:
return audit_uid_comparator(cred->euid, f->op, cred->suid);
@@ -611,7 +611,7 @@ static int audit_filter_rules(struct task_struct *tsk,
result = match_tree_refs(ctx, rule->tree);
break;
case AUDIT_LOGINUID:
-   result = audit_uid_comparator(tsk->loginuid, f->op, 
f->uid);
+   result = audit_uid_comparator(audit_get_loginuid(tsk), 
f->op, f->uid);
break;
case AUDIT_LOGINUID_SET:
result = audit_comparator(audit_loginuid_set(tsk), 
f->op, f->val);
@@ -2287,8 +2287,8 @@ int audit_signal_info(int sig, struct task_struct *t)
(sig == SIGTERM || sig == SIGHUP ||
 sig == SIGUSR1 || sig == SIGUSR2)) {
audit_sig_pid = task_tgid_nr(tsk);
-   if (uid_valid(tsk->loginuid))
-   audit_sig_uid = tsk->loginuid;
+   if (uid_valid(audit_get_loginuid(tsk)))
+   audit_sig_uid = audit_get_loginuid(tsk);
else
audit_sig_uid = uid;
security_task_getsecid(tsk, &audit_sig_sid);
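Review bot: in the audit_signal_info() hunk audit_get_loginuid(tsk) is called twice, once inside uid_valid() and again for the assignment, so the value that was validated is not necessarily the value stored; read it once into a local, e.g. `kuid_t auid = audit_get_loginuid(tsk);` then `if (uid_valid(auid)) audit_sig_uid = auid;`. The other hunks are one-for-one replacements of tsk->loginuid and look fine.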
-- 
1.8.3.1



[PATCH ghak81 RFC V1 2/5] audit: convert sessionid unset to a macro

2018-05-04 Thread Richard Guy Briggs
Use a macro, "AUDIT_SID_UNSET", to replace each instance of
initialization and comparison to an audit session ID.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h  | 2 +-
 include/net/xfrm.h | 2 +-
 include/uapi/linux/audit.h | 1 +
 init/init_task.c   | 2 +-
 kernel/auditsc.c   | 4 ++--
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 75d5b03..5f86f7c 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -513,7 +513,7 @@ static inline kuid_t audit_get_loginuid(struct task_struct 
*tsk)
 }
 static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
 {
-   return -1;
+   return AUDIT_SID_UNSET;
 }
 static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
 { }
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a872379..fcce8ee 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -751,7 +751,7 @@ static inline void xfrm_audit_helper_usrinfo(bool 
task_valid,
audit_get_loginuid(current) :
INVALID_UID);
const unsigned int ses = task_valid ? audit_get_sessionid(current) :
-   (unsigned int) -1;
+   AUDIT_SID_UNSET;
 
audit_log_format(audit_buf, " auid=%u ses=%u", auid, ses);
audit_log_task_context(audit_buf);
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4e61a9e..04f9bd2 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -465,6 +465,7 @@ struct audit_tty_status {
 };
 
 #define AUDIT_UID_UNSET (unsigned int)-1
+#define AUDIT_SID_UNSET ((unsigned int)-1)
 
 /* audit_rule_data supports filter rules with both integer and string
  * fields.  It corresponds with AUDIT_ADD_RULE, AUDIT_DEL_RULE and
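Review bot: AUDIT_SID_UNSET is added to the UAPI header, so it becomes part of the userspace ABI; the commit message should say so, since the kernel-internal uses in this patch alone would be served by a definition in include/linux/audit.h. The new macro is properly parenthesized while the adjacent AUDIT_UID_UNSET is not; worth a follow-up so the two match.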
diff --git a/init/init_task.c b/init/init_task.c
index 3ac6e75..c788f91 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -119,7 +119,7 @@ struct task_struct init_task
.thread_node= LIST_HEAD_INIT(init_signals.thread_head),
 #ifdef CONFIG_AUDITSYSCALL
.loginuid   = INVALID_UID,
-   .sessionid  = (unsigned int)-1,
+   .sessionid  = AUDIT_SID_UNSET,
 #endif
 #ifdef CONFIG_PERF_EVENTS
.perf_event_mutex = __MUTEX_INITIALIZER(init_task.perf_event_mutex),
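Review bot: this hunk makes init/init_task.c depend on AUDIT_SID_UNSET from include/uapi/linux/audit.h but adds no include; unless linux/audit.h is already reachable through sched.h, the patch does not build on its own and breaks bisection (the author acknowledges the missing include in the reply earlier in this thread). Add the include here rather than in patch 5/5.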
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index f3817d0..6e3ceb9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2050,7 +2050,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, 
kuid_t kloginuid,
 int audit_set_loginuid(kuid_t loginuid)
 {
struct task_struct *task = current;
-   unsigned int oldsessionid, sessionid = (unsigned int)-1;
+   unsigned int oldsessionid, sessionid = AUDIT_SID_UNSET;
kuid_t oldloginuid;
int rc;
 
@@ -2064,7 +2064,7 @@ int audit_set_loginuid(kuid_t loginuid)
/* are we setting or clearing? */
if (uid_valid(loginuid)) {
sessionid = (unsigned int)atomic_inc_return(&session_id);
-   if (unlikely(sessionid == (unsigned int)-1))
+   if (unlikely(sessionid == AUDIT_SID_UNSET))
sessionid = (unsigned 
int)atomic_inc_return(&session_id);
}
 
-- 
1.8.3.1



[PATCH ghak81 RFC V1 0/5] audit: group task params

2018-05-04 Thread Richard Guy Briggs
Group the audit parameters for each task into one structure.
In particular, remove the loginuid and sessionid values and the audit
context pointer from the task structure, replacing them with an audit
task information structure to contain them.  Use access functions to
access audit values.

Note:  Use static allocation of the audit task information structure
initially.  Dynamic allocation was considered and attempted, but isn't
ready yet.  Static allocation has the limitation that future audit task
information structure changes would cause a visible change to the rest
of the kernel, whereas dynamic allocation would mostly hide any future
changes.

The first four access normalization patches could stand alone.

Passes audit-testsuite.

Richard Guy Briggs (5):
  audit: normalize loginuid read access
  audit: convert sessionid unset to a macro
  audit: use inline function to get audit context
  audit: use inline function to set audit context
  audit: collect audit task parameters

 MAINTAINERS  |  2 +-
 include/linux/audit.h| 30 ++---
 include/linux/audit_task.h   | 31 ++
 include/linux/sched.h|  6 +--
 include/net/xfrm.h   |  4 +-
 include/uapi/linux/audit.h   |  1 +
 init/init_task.c |  8 +++-
 kernel/audit.c   |  4 +-
 kernel/audit_watch.c |  2 +-
 kernel/auditsc.c | 82 ++--
 kernel/fork.c|  2 +-
 net/bridge/netfilter/ebtables.c  |  2 +-
 net/core/dev.c   |  2 +-
 net/netfilter/x_tables.c |  2 +-
 net/netlabel/netlabel_user.c |  2 +-
 security/integrity/ima/ima_api.c |  2 +-
 security/integrity/integrity_audit.c |  2 +-
 security/lsm_audit.c |  2 +-
 security/selinux/hooks.c |  4 +-
 security/selinux/selinuxfs.c |  6 +--
 security/selinux/ss/services.c   | 12 +++---
 21 files changed, 129 insertions(+), 79 deletions(-)
 create mode 100644 include/linux/audit_task.h

-- 
1.8.3.1



[PATCH ghak81 RFC V1 4/5] audit: use inline function to set audit context

2018-05-04 Thread Richard Guy Briggs
Recognizing that the audit context is an internal audit value, use an
access function to set the audit context pointer for the task
rather than reaching directly into the task struct to set it.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h | 8 
 kernel/auditsc.c  | 6 +++---
 kernel/fork.c | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 93e4c61..dba0d45 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -235,6 +235,10 @@ extern void __audit_inode_child(struct inode *parent,
 extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 extern void __audit_ptrace(struct task_struct *t);
 
+static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
+{
+   task->audit_context = ctx;
+}
 static inline struct audit_context *audit_context(struct task_struct *task)
 {
return task->audit_context;
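Review bot: the new audit_set_context() is inserted with no blank line between it and audit_context() below it; the header is tight elsewhere too, so only a nit, but a one-line comment that `ctx` may legitimately be NULL (every caller in this patch except audit_alloc() passes NULL to clear the task's context) would save the next reader a trip to kernel/auditsc.c.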
@@ -472,6 +476,10 @@ static inline bool audit_dummy_context(void)
 {
return true;
 }
+static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
+{
+   task->audit_context = ctx;
+}
 static inline struct audit_context *audit_context(struct task_struct *task)
 {
return NULL;
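Review bot: the !CONFIG_AUDITSYSCALL stub of audit_set_context() still stores into `task->audit_context`, while its sibling audit_context() stub returns NULL unconditionally; the setter should be an empty no-op so a kernel without syscall auditing never touches the field. As written it also couples the stub to the field's name and placement in task_struct, and the last patch of this series moves that field under CONFIG_AUDITSYSCALL, at which point this stub stops compiling.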
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index a4bbdcc..f294e4a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -865,7 +865,7 @@ static inline struct audit_context 
*audit_take_context(struct task_struct *tsk,
audit_filter_inodes(tsk, context);
}
 
-   tsk->audit_context = NULL;
+   audit_set_context(tsk, NULL);
return context;
 }
 
@@ -952,7 +952,7 @@ int audit_alloc(struct task_struct *tsk)
}
context->filterkey = key;
 
-   tsk->audit_context  = context;
+   audit_set_context(tsk, context);
set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
return 0;
 }
@@ -1590,7 +1590,7 @@ void __audit_syscall_exit(int success, long return_code)
kfree(context->filterkey);
context->filterkey = NULL;
}
-   tsk->audit_context = context;
+   audit_set_context(tsk, context);
 }
 
 static inline void handle_one(const struct inode *inode)
diff --git a/kernel/fork.c b/kernel/fork.c
index 242c8c9..cd18448 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1713,7 +1713,7 @@ static __latent_entropy struct task_struct *copy_process(
p->start_time = ktime_get_ns();
p->real_start_time = ktime_get_boot_ns();
p->io_context = NULL;
-   p->audit_context = NULL;
+   audit_set_context(p, NULL);
cgroup_fork(p);
 #ifdef CONFIG_NUMA
p->mempolicy = mpol_dup(p->mempolicy);
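Review bot: copy_process() calls audit_set_context(p, NULL) unconditionally, so the !CONFIG_AUDITSYSCALL variant from include/linux/audit.h runs on every fork. Because the child task_struct is copied from the parent, the explicit clear was the only thing preventing pointer inheritance; with syscall auditing compiled out the parent's pointer can never be non-NULL, so a no-op stub is safe here, but that reasoning belongs in the stub rather than being implicit.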
-- 
1.8.3.1



[PATCH ghak81 RFC V1 3/5] audit: use inline function to get audit context

2018-05-04 Thread Richard Guy Briggs
Recognizing that the audit context is an internal audit value, use an
access function to retrieve the audit context pointer for the task
rather than reaching directly into the task struct to get it.

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h| 16 ---
 include/net/xfrm.h   |  2 +-
 kernel/audit.c   |  4 +--
 kernel/audit_watch.c |  2 +-
 kernel/auditsc.c | 52 ++--
 net/bridge/netfilter/ebtables.c  |  2 +-
 net/core/dev.c   |  2 +-
 net/netfilter/x_tables.c |  2 +-
 net/netlabel/netlabel_user.c |  2 +-
 security/integrity/ima/ima_api.c |  2 +-
 security/integrity/integrity_audit.c |  2 +-
 security/lsm_audit.c |  2 +-
 security/selinux/hooks.c |  4 +--
 security/selinux/selinuxfs.c |  6 ++---
 security/selinux/ss/services.c   | 12 -
 15 files changed, 60 insertions(+), 52 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 5f86f7c..93e4c61 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -235,26 +235,30 @@ extern void __audit_inode_child(struct inode *parent,
 extern void __audit_seccomp(unsigned long syscall, long signr, int code);
 extern void __audit_ptrace(struct task_struct *t);
 
+static inline struct audit_context *audit_context(struct task_struct *task)
+{
+   return task->audit_context;
+}
 static inline bool audit_dummy_context(void)
 {
-   void *p = current->audit_context;
+   void *p = audit_context(current);
return !p || *(int *)p;
 }
 static inline void audit_free(struct task_struct *task)
 {
-   if (unlikely(task->audit_context))
+   if (unlikely(audit_context(task)))
__audit_free(task);
 }
 static inline void audit_syscall_entry(int major, unsigned long a0,
   unsigned long a1, unsigned long a2,
   unsigned long a3)
 {
-   if (unlikely(current->audit_context))
+   if (unlikely(audit_context(current)))
__audit_syscall_entry(major, a0, a1, a2, a3);
 }
 static inline void audit_syscall_exit(void *pt_regs)
 {
-   if (unlikely(current->audit_context)) {
+   if (unlikely(audit_context(current))) {
int success = is_syscall_success(pt_regs);
long return_code = regs_return_value(pt_regs);
 
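Review bot: the accessor is named audit_context(), the same identifier as the struct tag it returns; C keeps tags in a separate namespace so this compiles, but it reads oddly beside audit_set_context() in the next patch and audit_get_loginuid()/audit_get_sessionid() in the last one. audit_get_context() would give a consistent get/set pairing. Note also that audit_dummy_context() still does `void *p = audit_context(current); return !p || *(int *)p;`, peeking at the first int of struct audit_context, so the accessor hides the pointer's location but not the structure's layout.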
@@ -468,6 +472,10 @@ static inline bool audit_dummy_context(void)
 {
return true;
 }
+static inline struct audit_context *audit_context(struct task_struct *task)
+{
+   return NULL;
+}
 static inline struct filename *audit_reusename(const __user char *name)
 {
return NULL;
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index fcce8ee..2788332 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -736,7 +736,7 @@ static inline struct audit_buffer *xfrm_audit_start(const 
char *op)
 
if (audit_enabled == 0)
return NULL;
-   audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
+   audit_buf = audit_log_start(audit_context(current), GFP_ATOMIC,
AUDIT_MAC_IPSEC_EVENT);
if (audit_buf == NULL)
return NULL;
diff --git a/kernel/audit.c b/kernel/audit.c
index e9f9a90..9a03603 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1099,7 +1099,7 @@ static void audit_log_feature_change(int which, u32 
old_feature, u32 new_feature
 
if (audit_enabled == AUDIT_OFF)
return;
-   ab = audit_log_start(current->audit_context,
+   ab = audit_log_start(audit_context(current),
 GFP_KERNEL, AUDIT_FEATURE_CHANGE);
if (!ab)
return;
@@ -2317,7 +2317,7 @@ void audit_log_link_denied(const char *operation)
return;
 
/* Generate AUDIT_ANOM_LINK with subject, operation, outcome. */
-   ab = audit_log_start(current->audit_context, GFP_KERNEL,
+   ab = audit_log_start(audit_context(current), GFP_KERNEL,
 AUDIT_ANOM_LINK);
if (!ab)
return;
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 9eb8b35..8b596c4 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -274,7 +274,7 @@ static void audit_update_watch(struct audit_parent *parent,
/* If the update involves invalidating rules, do the inode-based
 * filtering now, so we don't omit records. */
if (invalidating && !audit_dummy_context())
-   audit_filter_inodes(current, current->audit_context);
+   audit_filter_inodes(current, audit_context(current));
 
/* updating ino will likely change which audit_hash_list we
 * are on so we need a new watch for the new list *

[PATCH ghak81 RFC V1 5/5] audit: collect audit task parameters

2018-05-04 Thread Richard Guy Briggs
The audit-related parameters in struct task_struct should ideally be
collected together and accessed through a standard audit API.

Collect the existing loginuid, sessionid and audit_context together in a
new struct audit_task_info pointer called "audit" in struct task_struct.

Use kmem_cache to manage this pool of memory.
Un-inline audit_free() to be able to always recover that memory.

See: https://github.com/linux-audit/audit-kernel/issues/81

Signed-off-by: Richard Guy Briggs 
---
 MAINTAINERS|  2 +-
 include/linux/audit.h  |  8 
 include/linux/audit_task.h | 31 +++
 include/linux/sched.h  |  6 ++
 init/init_task.c   |  8 ++--
 kernel/auditsc.c   |  4 ++--
 6 files changed, 46 insertions(+), 13 deletions(-)
 create mode 100644 include/linux/audit_task.h

diff --git a/MAINTAINERS b/MAINTAINERS
index 0a1410d..8c7992d 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2510,7 +2510,7 @@ L:linux-au...@redhat.com (moderated for 
non-subscribers)
 W: https://github.com/linux-audit
 T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
 S: Supported
-F: include/linux/audit.h
+F: include/linux/audit*.h
 F: include/uapi/linux/audit.h
 F: kernel/audit*
 
diff --git a/include/linux/audit.h b/include/linux/audit.h
index dba0d45..1324969 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -237,11 +237,11 @@ extern void __audit_inode_child(struct inode *parent,
 
 static inline void audit_set_context(struct task_struct *task, struct 
audit_context *ctx)
 {
-   task->audit_context = ctx;
+   task->audit.ctx = ctx;
 }
 static inline struct audit_context *audit_context(struct task_struct *task)
 {
-   return task->audit_context;
+   return task->audit.ctx;
 }
 static inline bool audit_dummy_context(void)
 {
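Review bot: only the CONFIG_AUDITSYSCALL definitions are updated here; the !CONFIG_AUDITSYSCALL stub of audit_set_context() added in 4/5 still does `task->audit_context = ctx;`, and the include/linux/sched.h hunk below removes that field from task_struct unconditionally while adding `audit` only under CONFIG_AUDITSYSCALL. A CONFIG_AUDITSYSCALL=n build will therefore fail at kernel/fork.c's audit_set_context(p, NULL). The diffstat for include/linux/audit.h (4 insertions, 4 deletions) matches the two hunks shown, so the stub really is untouched; make it a no-op in this patch or in 4/5.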
@@ -330,12 +330,12 @@ extern int auditsc_get_stamp(struct audit_context *ctx,
 
 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 {
-   return tsk->loginuid;
+   return tsk->audit.loginuid;
 }
 
 static inline unsigned int audit_get_sessionid(struct task_struct *tsk)
 {
-   return tsk->sessionid;
+   return tsk->audit.sessionid;
 }
 
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
diff --git a/include/linux/audit_task.h b/include/linux/audit_task.h
new file mode 100644
index 000..d4b3a20
--- /dev/null
+++ b/include/linux/audit_task.h
@@ -0,0 +1,31 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/* audit_task.h -- definition of audit_task_info structure
+ *
+ * Copyright 2018 Red Hat Inc., Raleigh, North Carolina.
+ * All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * Written by Richard Guy Briggs 
+ *
+ */
+
+#ifndef _LINUX_AUDIT_TASK_H_
+#define _LINUX_AUDIT_TASK_H_
+
+struct audit_context;
+struct audit_task_info {
+   kuid_t  loginuid;
+   unsigned intsessionid;
+   struct audit_context*ctx;
+};
+
+#endif
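Review bot: include/linux/audit_task.h uses kuid_t without including linux/uidgid.h, so it only compiles when the includer has already pulled that in; add the include so the header stands on its own (it is light enough not to create a cycle with linux/sched.h). The full GPL text block duplicates what the SPDX identifier on the first line already states and can be dropped to the copyright line.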
diff --git a/include/linux/sched.h b/include/linux/sched.h
index b3d697f..b58eca0 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -27,9 +27,9 @@
 #include 
 #include 
 #include 
+#include 
 
 /* task_struct member predeclarations (sorted alphabetically): */
-struct audit_context;
 struct backing_dev_info;
 struct bio_list;
 struct blk_plug;
@@ -832,10 +832,8 @@ struct task_struct {
 
struct callback_head*task_works;
 
-   struct audit_context*audit_context;
 #ifdef CONFIG_AUDITSYSCALL
-   kuid_t  loginuid;
-   unsigned intsessionid;
+   struct audit_task_info  audit;
 #endif
struct seccomp  seccomp;
 
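Review bot: the commit message says the structure is managed with kmem_cache and that audit_free() is un-inlined to reclaim it, but this hunk embeds `struct audit_task_info audit;` by value in task_struct, and the diffstat touches neither kernel/audit.c nor any audit_free() definition. The cover letter's note that static allocation is used for now matches the code; bring the commit message in line with it. Also note that `struct audit_context *audit_context;` was unconditional before while `audit` is now under CONFIG_AUDITSYSCALL, which changes what non-AUDITSYSCALL code may legally touch (see the stub in include/linux/audit.h).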
diff --git a/init/init_task.c b/init/init_task.c
index c788f91..d33260d 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -9,6 +9,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -118,8 +119,11 @@ struct task_struct init_task
.thread_group   = LIST_HEAD_INIT(init_task.thread_group),
.thread_node= LIST_HEAD_INIT(init_signals.thread_head),
 #ifdef CONFIG_AUDITSYSCALL
-   .loginuid   = INVALID_UID,
-   .sessionid  = AUDIT_SID_UNSET,
+   .audit  = {
+   .loginuid   = INVALID_UID,
+   .sessionid  = AUDIT_SID_UNSET,
+   .ctx= NULL,
+   },
 #endif
 #ifdef CONFIG_PER

Re: [PATCH 1/6 RFC] netfilter: normalize x_table function declarations

2017-05-24 Thread Richard Guy Briggs
On 2017-05-24 19:37, Pablo Neira Ayuso wrote:
> On Thu, May 18, 2017 at 01:21:47PM -0400, Richard Guy Briggs wrote:
> > Git context diffs were being produced with unhelpful declaration types in 
> > the
> > place of function names to help identify the function in which changes were
> > made.
> > 
> > Normalize x_table function declarations so that git context diff function
> > labels work as expected.
> 
> I know of people that usually complain on this cleanups, since they
> just add extra work to backports.

Arguably all cleanups add work on backports, including spelling fixes.  ;-)

> But I have no major objection to this if you want to push it forward.

Thanks.

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


Re: [PATCH 3/6 RFC] netfilter: audit only on xtables and ebtables syscall rule or standalone

2017-05-24 Thread Richard Guy Briggs
On 2017-05-24 19:36, Pablo Neira Ayuso wrote:
> On Thu, May 18, 2017 at 01:21:49PM -0400, Richard Guy Briggs wrote:
> > There were syscall events unsolicited by any audit rule caused by a missing
> > !audit_dummy_context() check before creating an
> > iptables/ip6tables/arptables/ebtables NETFILTER_CFG record.  Check
> > !audit_dummy_context() before creating the NETFILTER_CFG record.
> > 
> > The vast majority of observed unaccompanied records are caused by the fedora
> > default rule: "-a never,task" and the occasional early startup one is I 
> > believe
> > caused by the iptables filter table module hard linked into the kernel 
> > rather
> > than a loadable module. The !audit_dummy_context() check above should avoid
> > them.  Audit only when there is an existing syscall audit rule, otherwise 
> > issue
> > a standalone record only on table modification rather than empty table
> > creation.
> > 
> > Add subject attributes to the new standalone NETFILTER_CFGSOLO record using
> > a newly exported audit_log_task().
> 
> This new NETFILTER_CFGSOLO looks like audit infra is missing some way
> to export a revision / context to userspace? It's duplicating quite a
> bit of the code from what I can see in this patch.

Interesting you brought that up.  I did another revision that stores
this information in a struct audit_context and greatly simplifies the
code in netfilter and re-uses code in audit itself, which may be a
better way to go, but that idea needed to settle a bit more before
seeing peer review.

I'm also having doubts about two record types.

> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 0714a66..8bee3f5 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -112,6 +112,7 @@
> >  #define AUDIT_FEATURE_CHANGE   1328/* audit log listing feature 
> > changes */
> >  #define AUDIT_REPLACE  1329/* Replace auditd if this 
> > packet unanswerd */
> >  #define AUDIT_KERN_MODULE  1330/* Kernel Module events */
> > +#define AUDIT_NETFILTER_CFGSOLO1331/* Netfilter chain 
> > modifications standalone */
> >  
> >  #define AUDIT_AVC  1400/* SE Linux avc denial or grant */
> >  #define AUDIT_SELINUX_ERR  1401/* Internal SE Linux Errors */
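Review bot: AUDIT_NETFILTER_CFGSOLO takes 1331 in the 13xx block, and the sample records in the later patches still show it as `type=UNKNOWN[1331]`, so the user-space audit tables need a matching entry before this is merged; since this is uapi, the record type name and number should be settled with the audit maintainers first. The trailing comment should also list the fields the record carries (the subject attributes from audit_log_task() plus op, family, table, entries) so consumers can tell it apart from NETFILTER_CFG without reading the netfilter code.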
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index b2dcbe6..8ac38e6 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -2383,7 +2383,7 @@ void __audit_log_kern_module(char *name)
> > context->type = AUDIT_KERN_MODULE;
> >  }
> >  
> > -static void audit_log_task(struct audit_buffer *ab)
> > +void audit_log_task(struct audit_buffer *ab)
> >  {
> > kuid_t auid, uid;
> > kgid_t gid;
> > @@ -2404,6 +2404,7 @@ static void audit_log_task(struct audit_buffer *ab)
> > audit_log_untrustedstring(ab, get_task_comm(comm, current));
> > audit_log_d_path_exe(ab, current->mm);
> >  }
> > +EXPORT_SYMBOL_GPL(audit_log_task);
> >  
> >  /**
> >   * audit_core_dumps - record information about processes that end 
> > abnormally
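Review bot: audit_log_task() loses `static` and gains EXPORT_SYMBOL_GPL, but kernel/auditsc.c is only built with CONFIG_AUDITSYSCALL while the ebtables caller in this series sits under `#ifdef CONFIG_AUDIT`; a CONFIG_AUDIT=y, CONFIG_AUDITSYSCALL=n build will fail to link. Add a prototype to include/linux/audit.h with an empty stub for the !CONFIG_AUDITSYSCALL case, or move the function to kernel/audit.c, and then the export alone is not enough for a non-modular caller anyway.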
> > diff --git a/net/bridge/netfilter/ebtables.c 
> > b/net/bridge/netfilter/ebtables.c
> > index 13d7fe2..743f9e6 100644
> > --- a/net/bridge/netfilter/ebtables.c
> > +++ b/net/bridge/netfilter/ebtables.c
> > @@ -1071,12 +1071,25 @@ static int do_replace_finish(struct net *net, 
> > struct ebt_replace *repl,
> > if (audit_enabled) {
> > struct audit_buffer *ab;
> >  
> > -   ab = audit_log_start(current->audit_context, GFP_KERNEL,
> > -AUDIT_NETFILTER_CFG);
> > -   if (ab) {
> > -   audit_log_format(ab, "table=%s family=%u entries=%u",
> > -repl->name, AF_BRIDGE, repl->nentries);
> > -   audit_log_end(ab);
> > +   if(!audit_dummy_context()) {
> > +   ab = audit_log_start(current->audit_context, GFP_KERNEL,
> > +AUDIT_NETFILTER_CFG);
> > +   if (ab) {
> > +   audit_log_format(ab, "family=%u table=%s 
> > entries=%u",
> > +AF_BRIDGE, repl->name,
> > +repl->nentries);
> > +   audit_log_end(ab);
> > +   }
> > +   } else if(repl->nentries) {
> > +   ab = au
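Review bot: `if(!audit_dummy_context())` and `else if(repl->nentries)` need a space after `if` (checkpatch will flag both). Behaviourally, the standalone branch only records a replace when `repl->nentries` is non-zero, so flushing a table back to empty is never recorded unless a syscall rule is loaded; the commit message says that is intended, but the record-type comment in the uapi header should state it, because a defender reading NETFILTER_CFGSOLO will otherwise assume every table modification produces one.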

Re: [PATCH 6/6 RFC] netfilter: add audit netns ID

2017-05-24 Thread Richard Guy Briggs
On 2017-05-24 19:31, Pablo Neira Ayuso wrote:
> Cc'ing Eric Biederman.
> 
> On Thu, May 18, 2017 at 01:21:52PM -0400, Richard Guy Briggs wrote:
> > diff --git a/net/bridge/netfilter/ebtables.c 
> > b/net/bridge/netfilter/ebtables.c
> > index 59b63a8..0f77b2a 100644
> > --- a/net/bridge/netfilter/ebtables.c
> > +++ b/net/bridge/netfilter/ebtables.c
> > @@ -27,6 +27,7 @@
> >  #include 
> >  #include 
> >  #include 
> > +#define PROC_DYNAMIC_FIRST 0xF000U
> >  #include 
> >  /* needed for logical [in,out]-dev filtering */
> >  #include "../br_private.h"
> > @@ -1075,7 +1076,8 @@ static int do_replace_finish(struct net *net, struct 
> > ebt_replace *repl,
> > ab = audit_log_start(current->audit_context, GFP_KERNEL,
> >  AUDIT_NETFILTER_CFG);
> > if (ab) {
> > -   audit_log_format(ab, "op=replace family=%u 
> > table=%s entries=%u",
> > +   audit_log_format(ab, "op=replace net=%u 
> > family=%u table=%s entries=%u",
> > +net->ns.inum - 
> > PROC_DYNAMIC_FIRST,
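Review bot: the local `#define PROC_DYNAMIC_FIRST` copied into ebtables.c (and wedged between two #include lines) duplicates a fs/proc-internal constant; if that value ever changes, `net->ns.inum - PROC_DYNAMIC_FIRST` silently prints garbage with no compiler warning. If the inode number is to be exposed at all, print net->ns.inum as-is (the value `readlink /proc/self/ns/net` shows) so it can be correlated with other tooling, and as the reply notes, exposing it needs agreement from the namespace maintainers rather than a netfilter-local workaround.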
> 
> IIRC, there was a discussion on exposing netns i-node number to
> userspace time ago on netdev and Eric Biederman was not happy about
> this?

He was not happy about it being exposed in the /proc filesystem.  We've
been talking since then and while we've not come to a definitive
conclusion there is a communication channel open.

This is more of an RFC patch than the rest of this set and I didn't
seriously expect this one to be accepted, I did want to present the idea
to see if there were concerns or better ideas generated how to
differentiate this record from a seemingly identical one.  The only
other ID would be the network namespace' struct pointer.

At this stage, one thing that is missing is a device number to qualify
this namespace ID.

Once I started printing the namespace proc inode number (minus the
starting offset) in decimal, it was very clear what was happening and
seemed worth sharing that debugging tool patch.

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


[PATCH 6/6 RFC] netfilter: add audit netns ID

2017-05-18 Thread Richard Guy Briggs
Seemingly duplicate NETFILTER_CFG records are not actually exact duplicates
that are caused by netfilter table initialization in different network
namespaces from the same syscall.  To differentiate the NETFILTER_CFG records,
the network namespace ID (proc inode) was added to the record to make this
source evident.

Here is a sample event with accompanied records:
  time->Sun May 14 22:40:26 2017
  type=PROCTITLE msg=audit(1494816026.072:248): 
proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0065627461626C655F6E6174
  type=KERN_MODULE msg=audit(1494816026.072:248): name="ebtable_nat"
  type=SYSCALL msg=audit(1494816026.072:248): arch=c03e syscall=313 
success=yes exit=0 a0=0 a1=55c4648d4106 a2=0 a3=0 items=0 ppid=84 pid=431 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" 
subj=system_u:system_r:insmod_t:s0 key="mod-load"
  type=NETFILTER_CFG msg=audit(1494816026.072:248): op=register net=324 
family=7 table=nat entries=0
  type=NETFILTER_CFG msg=audit(1494816026.072:248): op=register net=121 
family=7 table=nat entries=0

and unaccompanied cases:
  type=UNKNOWN[1331] msg=audit(1494815998.178:167): auid=4294967295 uid=0 gid=0 
ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=598 
comm="ip6tables-resto" exe="/usr/sbin/xtables-multi" op=replace net=121 
family=10 table=filter entries=4

See: https://github.com/linux-audit/audit-kernel/issues/25

Signed-off-by: Richard Guy Briggs 
---
 include/linux/netfilter/x_tables.h |1 +
 net/bridge/netfilter/ebtables.c|   13 +
 net/ipv4/netfilter/arp_tables.c|2 +-
 net/ipv4/netfilter/ip_tables.c |2 +-
 net/ipv6/netfilter/ip6_tables.c|2 +-
 net/netfilter/x_tables.c   |   10 +++---
 6 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/include/linux/netfilter/x_tables.h 
b/include/linux/netfilter/x_tables.h
index be378cf..6be4a04 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -308,6 +308,7 @@ struct xt_table *xt_register_table(struct net *net,
 struct xt_table_info *xt_replace_table(struct xt_table *table,
   unsigned int num_counters,
   struct xt_table_info *newinfo,
+  struct net *net,
   int *error);
 
 struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
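Review bot: the new `struct net *net` argument is inserted between `newinfo` and `int *error` rather than leading the parameter list; kernel convention, and xt_register_table() directly above, put the namespace first. Every caller listed in the diffstat (arp_tables, ip_tables, ip6_tables) changes by one line either way, so reordering costs nothing now and avoids a second churn later.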
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 59b63a8..0f77b2a 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -27,6 +27,7 @@
 #include 
 #include 
 #include 
+#define PROC_DYNAMIC_FIRST 0xF000U
 #include 
 /* needed for logical [in,out]-dev filtering */
 #include "../br_private.h"
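Review bot: `#define PROC_DYNAMIC_FIRST 0xF000U` sits between two #include lines; if it has to stay for the RFC, move it below the includes with a comment naming the fs/proc definition it mirrors so a drift is at least visible. Better is not to duplicate the constant at all and print net->ns.inum unadjusted.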
@@ -1075,7 +1076,8 @@ static int do_replace_finish(struct net *net, struct 
ebt_replace *repl,
ab = audit_log_start(current->audit_context, GFP_KERNEL,
 AUDIT_NETFILTER_CFG);
if (ab) {
-   audit_log_format(ab, "op=replace family=%u 
table=%s entries=%u",
+   audit_log_format(ab, "op=replace net=%u 
family=%u table=%s entries=%u",
+net->ns.inum - 
PROC_DYNAMIC_FIRST,
 AF_BRIDGE, repl->name,
 repl->nentries);
audit_log_end(ab);
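Review bot: `net=%u` printed as inode-minus-offset yields a small decimal that is easy to mistake for a stable identifier; it is only unique within one boot and, as you note in the reply, lacks the device number needed to qualify it. If the field survives past debugging, emit the raw inode so it matches `readlink /proc/<pid>/ns/net`, and document the field and its lifetime in the uapi comment for NETFILTER_CFG.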
@@ -1085,7 +1087,8 @@ static int do_replace_finish(struct net *net, struct 
ebt_replace *repl,
 AUDIT_NETFILTER_CFGSOLO);
if (ab) {
audit_log_task(ab);
-   audit_log_format(ab, " op=replace family=%u 
table=%s entries=%u",
+   audit_log_format(ab, " op=replace net=%u 
family=%u table=%s entries=%u",
+net->ns.inum - 
PROC_DYNAMIC_FIRST,
 AF_BRIDGE, repl->name,
 repl->nentries);
audit_log_end(ab);
@@ -1259,7 +1262,8 @@ struct ebt_table * ebt_register_table(struct net *net,
ab = audit_log_start(current->audit_context, GFP_KERNEL,
 AUDIT_NETFILTER_CFG);
if (ab) {
-   audit_log_format(ab, "op=register family=%u 
table=%s entries=%u",
+   audit_log_format(ab, "op=register net=%u 
family=%u table=%s entries=%u"

[PATCH 5/6 RFC] netfilter: add audit operation field

2017-05-18 Thread Richard Guy Briggs
Add the operation performed (register or replace) to the NETFILTER_CFG and
NETFILTER_CFGSOLO records.

Here are sample records for accompanied:
  type=NETFILTER_CFG msg=audit(1494981627.248:9764): op=replace family=7 
table=broute entries=0

and unaccompanied cases:
  type=UNKNOWN[1331] msg=audit(1494815998.178:167): auid=4294967295 uid=0 gid=0 
ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=598 
comm="ip6tables-resto" exe="/usr/sbin/xtables-multi" op=replace family=10 
table=filter entries=4

See: https://github.com/linux-audit/audit-kernel/issues/25

Signed-off-by: Richard Guy Briggs 
---
 net/bridge/netfilter/ebtables.c |8 
 net/netfilter/x_tables.c|5 +++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 7499232..59b63a8 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1075,7 +1075,7 @@ static int do_replace_finish(struct net *net, struct 
ebt_replace *repl,
ab = audit_log_start(current->audit_context, GFP_KERNEL,
 AUDIT_NETFILTER_CFG);
if (ab) {
-   audit_log_format(ab, "family=%u table=%s 
entries=%u",
+   audit_log_format(ab, "op=replace family=%u 
table=%s entries=%u",
 AF_BRIDGE, repl->name,
 repl->nentries);
audit_log_end(ab);
@@ -1085,7 +1085,7 @@ static int do_replace_finish(struct net *net, struct 
ebt_replace *repl,
 AUDIT_NETFILTER_CFGSOLO);
if (ab) {
audit_log_task(ab);
-   audit_log_format(ab, " family=%u table=%s 
entries=%u",
+   audit_log_format(ab, " op=replace family=%u 
table=%s entries=%u",
 AF_BRIDGE, repl->name,
 repl->nentries);
audit_log_end(ab);
@@ -1259,7 +1259,7 @@ struct ebt_table * ebt_register_table(struct net *net,
ab = audit_log_start(current->audit_context, GFP_KERNEL,
 AUDIT_NETFILTER_CFG);
if (ab) {
-   audit_log_format(ab, "family=%u table=%s 
entries=%u",
+   audit_log_format(ab, "op=register family=%u 
table=%s entries=%u",
 AF_BRIDGE, repl->name,
 repl->nentries);
audit_log_end(ab);
@@ -1269,7 +1269,7 @@ struct ebt_table * ebt_register_table(struct net *net,
 AUDIT_NETFILTER_CFGSOLO);
if (ab) {
audit_log_task(ab);
-   audit_log_format(ab, " family=%u table=%s 
entries=%u",
+   audit_log_format(ab, " op=register family=%u 
table=%s entries=%u",
 AF_BRIDGE, repl->name,
 repl->nentries);
audit_log_end(ab);
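Review bot: the four ebtables call sites now carry near-identical blocks differing only in the "replace"/"register" literal, and the same block was already duplicated by 4/6; factor a small static helper taking the op string, table name and entry count, which also puts the NETFILTER_CFG versus NETFILTER_CFGSOLO decision in one place instead of four.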
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8d28fff..395ebd3 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1199,7 +1199,8 @@ struct xt_table_info *xt_replace_table(struct xt_table 
*table,
ab = audit_log_start(current->audit_context, GFP_KERNEL,
 AUDIT_NETFILTER_CFG);
if (ab) {
-   audit_log_format(ab, "family=%u table=%s 
entries=%u",
+   audit_log_format(ab, "op=%s family=%u table=%s 
entries=%u",
+private->number ? "replace" : 
"register",
 table->af, table->name,
 private->number);
audit_log_end(ab);
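Review bot: `private->number ? "replace" : "register"` infers the operation from the entry count of the table info it is handed, the same count printed as `entries=`; that works as long as a registered x_tables table always carries its built-in chains, but it is a heuristic rather than a flag from the caller, and the ebtables sites in this patch print `repl->nentries`, the requested new count, so the two families' `entries=` values are not directly comparable. Confirm which table info (outgoing or incoming) `private` refers to at this point and say so in a comment, or have xt_register_table() pass the op explicitly.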
@@ -1209,7 +1210,7 @@ struct xt_table_info *xt_replace_table(struct xt_table 
*table,
 AUDIT_NETFILTER_CFGSOLO);
if (ab) {
audit_log_task(ab);
-   audit_log_format(ab, " family=%u table=%s 
entries=%u",
+   audit_log_format(ab, " op=replace family=%u 
table=%s entries=%u",
  
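Review bot: the standalone branch hard-codes `op=replace` while the accompanied branch just above derives the op from `private->number`; an initial registration that reaches this branch would be logged as a replace. Use the same expression in both, ideally computed once into a local before either audit_log_start() call.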

[PATCH 4/6 RFC] netfilter: ebtables: audit table registration

2017-05-18 Thread Richard Guy Briggs
Generate audit NETFILTER_CFG records on ebtables table registration.

Previously this was only being done for all x_tables operations and ebtables
table replacement.

Audit only when there is an existing syscall audit rule, otherwise issue a
standalone record only on table modification rather than empty table creation.
Include subject attributes to the new standalone NETFILTER_CFGSOLO record using
audit_log_task().

Here is a sample accompanied record:
  type=NETFILTER_CFG msg=audit(1494907217.558:5403): family=7 table=filter 
entries=0

and unaccompanied case:
  type=UNKNOWN[1331] msg=audit(1494723394.832:111): auid=4294967295 uid=0 gid=0 
ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=556 
comm="ebtables-restor" exe="/usr/sbin/ebtables-restore" family=7 table=broute 
entries=1

See: https://github.com/linux-audit/audit-kernel/issues/43

Signed-off-by: Richard Guy Briggs 
---
 net/bridge/netfilter/ebtables.c |   26 ++
 1 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 743f9e6..7499232 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1251,6 +1251,32 @@ struct ebt_table * ebt_register_table(struct net *net,
}
list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
mutex_unlock(&ebt_mutex);
+#ifdef CONFIG_AUDIT
+   if (audit_enabled) {
+   struct audit_buffer *ab;
+
+   if(!audit_dummy_context()) {
+   ab = audit_log_start(current->audit_context, GFP_KERNEL,
+AUDIT_NETFILTER_CFG);
+   if (ab) {
+   audit_log_format(ab, "family=%u table=%s 
entries=%u",
+AF_BRIDGE, repl->name,
+repl->nentries);
+   audit_log_end(ab);
+   }
+   } else if(repl->nentries) {
+   ab = audit_log_start(NULL, GFP_KERNEL,
+AUDIT_NETFILTER_CFGSOLO);
+   if (ab) {
+   audit_log_task(ab);
+   audit_log_format(ab, " family=%u table=%s 
entries=%u",
+AF_BRIDGE, repl->name,
+repl->nentries);
+   audit_log_end(ab);
+   }
+   }
+   }
+#endif
return table;
 free_unlock:
mutex_unlock(&ebt_mutex);
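Review bot: `if(!audit_dummy_context())` and `else if(repl->nentries)` need a space after `if`, and the block is a verbatim copy of the one added to do_replace_finish() in 3/6, so factor a helper now since 5/6 and 6/6 grow it again. Two further points: `current->audit_context` is reached directly here (the ghak81 series later in this archive introduces audit_context(current) for exactly this), and audit_log_task() lives in kernel/auditsc.c, which is built only with CONFIG_AUDITSYSCALL, while this block is guarded by CONFIG_AUDIT, so a CONFIG_AUDIT=y, CONFIG_AUDITSYSCALL=n kernel will not link.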
-- 
1.7.1


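The 4/6 commit message above, together with the 5/6 (op= field) and 6/6 (net= field) messages earlier on this page, describes two record shapes: NETFILTER_CFG, which only appears inside a syscall event that also carries a SYSCALL record, and the standalone NETFILTER_CFGSOLO, which carries its own subject attributes. The script below is an added example, not code from the patch series or the audit project: it groups raw audit lines into events by their msg=audit(ts:serial) stamp, classifies the netfilter configuration records, and flags the inconsistent case the 3/6 patch sets out to remove (a NETFILTER_CFG with no SYSCALL companion). The sample lines are constructed from the samples in the commit messages; the arch value and the 1331 type number are assumptions taken from those messages, and a record type printed as UNKNOWN[1331] is mapped back to the proposed name.

```python
"""Group Linux audit records into events and classify NETFILTER_CFG records.

Added example, not code from the RFC series or the audit project.  It parses
the record format quoted in the commit messages (type=... msg=audit(ts:serial):
key=value ...) and separates syscall-accompanied NETFILTER_CFG records from
standalone NETFILTER_CFGSOLO ones.  Sample lines are constructed from the
commit-message samples; the arch value is assumed.
"""
import re
from collections import defaultdict

AUDIT_NETFILTER_CFGSOLO = 1331   # number proposed in the 3/6 uapi hunk (assumption)
AUDIT_SID_UNSET = 0xFFFFFFFF     # (unsigned int)-1, printed as 4294967295

# type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): body
_HDR = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; a value is either "quoted" or a run of non-space characters
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return {'type', 'serial', 'fields'} for one record line, or None."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rtype = m.group('type')
    # auditd/ausearch print record types they do not know as UNKNOWN[n];
    # map the proposed number back to its name so the rest of the code
    # can use names only.
    unknown = re.fullmatch(r'UNKNOWN\[(\d+)\]', rtype)
    if unknown and int(unknown.group(1)) == AUDIT_NETFILTER_CFGSOLO:
        rtype = 'NETFILTER_CFGSOLO'
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group('body'))}
    return {'type': rtype, 'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """All records sharing the msg=audit(ts:serial) stamp form one event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    return dict(events)


def classify_netfilter(events):
    """One summary dict per netfilter configuration record, in serial order."""
    out = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        for r in recs:
            if r['type'] not in ('NETFILTER_CFG', 'NETFILTER_CFGSOLO'):
                continue
            f = r['fields']
            # Subject attributes come from the SYSCALL record when there is
            # one, and from the record itself for the standalone variant.
            subj = syscall['fields'] if syscall else f
            out.append({
                'serial': serial,
                'type': r['type'],
                'accompanied': syscall is not None,
                'op': f.get('op'),                               # absent before 5/6
                'family': int(f['family']),
                'table': f.get('table'),
                'entries': int(f.get('entries', 0)),
                'net': int(f['net']) if 'net' in f else None,    # absent before 6/6
                'auid_set': int(subj.get('auid', AUDIT_SID_UNSET)) != AUDIT_SID_UNSET,
                'comm': subj.get('comm'),
            })
    return out


def consistency_issues(events):
    """Flag records that contradict the 3/6 design: a standalone record inside
    a syscall event, or a syscall-bound NETFILTER_CFG with no SYSCALL companion
    (the 'unaccompanied record' symptom the patch is meant to remove)."""
    issues = []
    for item in classify_netfilter(events):
        if item['type'] == 'NETFILTER_CFGSOLO' and item['accompanied']:
            issues.append((item['serial'], 'NETFILTER_CFGSOLO inside syscall event'))
        if item['type'] == 'NETFILTER_CFG' and not item['accompanied']:
            issues.append((item['serial'], 'NETFILTER_CFG without SYSCALL record'))
    return issues


# Constructed from the commit-message samples, one record per line.
SAMPLE_LINES = [
    'type=PROCTITLE msg=audit(1494816026.072:248): proctitle=2F7362696E2F6D6F6470726F6265002D71002D2D0065627461626C655F6E6174',
    'type=KERN_MODULE msg=audit(1494816026.072:248): name="ebtable_nat"',
    'type=SYSCALL msg=audit(1494816026.072:248): arch=c000003e syscall=313 success=yes exit=0 a0=0 a1=55c4648d4106 a2=0 a3=0 items=0 ppid=84 pid=431 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" subj=system_u:system_r:insmod_t:s0 key="mod-load"',
    'type=NETFILTER_CFG msg=audit(1494816026.072:248): op=register net=324 family=7 table=nat entries=0',
    'type=NETFILTER_CFG msg=audit(1494816026.072:248): op=register net=121 family=7 table=nat entries=0',
    'type=UNKNOWN[1331] msg=audit(1494815998.178:167): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=598 comm="ip6tables-resto" exe="/usr/sbin/xtables-multi" op=replace net=121 family=10 table=filter entries=4',
]

if __name__ == '__main__':
    evs = group_events(SAMPLE_LINES)
    for item in classify_netfilter(evs):
        print(item)
    print('issues:', consistency_issues(evs))
```

Feeding it the constructed sample yields one standalone ip6tables replace (family 10, four entries, subject taken from the record itself) and two accompanied ebtables registrations from the same modprobe syscall that differ only in their net= value, which is exactly the pair the 6/6 message calls seemingly duplicate. A NETFILTER_CFG line with no SYSCALL record in its event shows up in consistency_issues(), which is a cheap way to check a kernel for the missing audit_dummy_context() guard from a log alone.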

[PATCH 2/6 RFC] netfilter: normalize ebtables function declarations

2017-05-18 Thread Richard Guy Briggs
Git context diffs were being produced with unhelpful declaration types in the
place of function names to help identify the function in which changes were
made.

Normalize ebtables function declarations so that git context diff function
labels work as expected.

Signed-off-by: Richard Guy Briggs 
---
 net/bridge/netfilter/ebtables.c |   92 +++---
 1 files changed, 46 insertions(+), 46 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 79b6991..13d7fe2 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -84,9 +84,9 @@ static int ebt_standard_compat_to_user(void __user *dst, 
const void *src)
 #endif
 };
 
-static inline int
-ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
-  struct xt_action_param *par)
+static inline int ebt_do_watcher(const struct ebt_entry_watcher *w,
+struct sk_buff *skb,
+struct xt_action_param *par)
 {
par->target   = w->u.watcher;
par->targinfo = w->data;
@@ -95,17 +95,17 @@ static int ebt_standard_compat_to_user(void __user *dst, 
const void *src)
return 0;
 }
 
-static inline int
-ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
-struct xt_action_param *par)
+static inline int ebt_do_match(struct ebt_entry_match *m,
+  const struct sk_buff *skb,
+  struct xt_action_param *par)
 {
par->match = m->u.match;
par->matchinfo = m->data;
return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
 }
 
-static inline int
-ebt_dev_check(const char *entry, const struct net_device *device)
+static inline int ebt_dev_check(const char *entry,
+   const struct net_device *device)
 {
int i = 0;
const char *devname;
@@ -122,9 +122,10 @@ static int ebt_standard_compat_to_user(void __user *dst, 
const void *src)
 }
 
 /* process standard matches */
-static inline int
-ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
-   const struct net_device *in, const struct net_device *out)
+static inline int ebt_basic_match(const struct ebt_entry *e,
+ const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out)
 {
const struct ethhdr *h = eth_hdr(skb);
const struct net_bridge_port *p;
@@ -171,8 +172,7 @@ static int ebt_standard_compat_to_user(void __user *dst, 
const void *src)
return 0;
 }
 
-static inline
-struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
+static inline struct ebt_entry *ebt_next_entry(const struct ebt_entry *entry)
 {
return (void *)entry + entry->next_offset;
 }
@@ -313,9 +313,9 @@ unsigned int ebt_do_table(struct sk_buff *skb,
 }
 
 /* If it succeeds, returns element and locks mutex */
-static inline void *
-find_inlist_lock_noload(struct list_head *head, const char *name, int *error,
-   struct mutex *mutex)
+static inline void * find_inlist_lock_noload(struct list_head *head,
+const char *name, int *error,
+struct mutex *mutex)
 {
struct {
struct list_head list;
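Review bot: `static inline void * find_inlist_lock_noload(` leaves a space between the `*` and the function name, which checkpatch flags ("foo * bar" should be "foo *bar") and which is inconsistent with the other pointer-returning declaration this series rewrites (`static inline struct ebt_entry *ebt_next_entry(`); write it as `static inline void *find_inlist_lock_noload(`.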
@@ -332,26 +332,26 @@ unsigned int ebt_do_table(struct sk_buff *skb,
return NULL;
 }
 
-static void *
-find_inlist_lock(struct list_head *head, const char *name, const char *prefix,
-int *error, struct mutex *mutex)
+static void * find_inlist_lock(struct list_head *head, const char *name,
+  const char *prefix, int *error,
+  struct mutex *mutex)
 {
return try_then_request_module(
find_inlist_lock_noload(head, name, error, mutex),
"%s%s", prefix, name);
 }
 
-static inline struct ebt_table *
-find_table_lock(struct net *net, const char *name, int *error,
-   struct mutex *mutex)
+static inline struct ebt_table * find_table_lock(struct net *net,
+const char *name, int *error,
+struct mutex *mutex)
 {
return find_inlist_lock(&net->xt.tables[NFPROTO_BRIDGE], name,
"ebtable_", error, mutex);
 }
 
-static inline int
-ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
-   unsigned int *cnt)
+static inline int ebt_check_match(struct ebt_entry_match *m,
+ struct xt_mtchk_param *par,
+ unsigned int *cnt)
 {
const struct ebt_entry *e = par->entryinfo;
struct xt_mat
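Review bot: the same `* name` spacing problem appears twice in this hunk, in `static void * find_inlist_lock(` and `static inline struct ebt_table * find_table_lock(`; both should be `*find_inlist_lock(` and `*find_table_lock(` to pass checkpatch and match the rest of the file.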

[PATCH 1/6 RFC] netfilter: normalize x_table function declarations

2017-05-18 Thread Richard Guy Briggs
Git context diffs were being produced with unhelpful declaration types in the
place of function names to help identify the function in which changes were
made.

Normalize x_table function declarations so that git context diff function
labels work as expected.

Signed-off-by: Richard Guy Briggs 
---
 net/netfilter/x_tables.c |   43 ++-
 1 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 14857af..99c27ed 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -81,8 +81,7 @@ int xt_register_target(struct xt_target *target)
 }
 EXPORT_SYMBOL(xt_register_target);
 
-void
-xt_unregister_target(struct xt_target *target)
+void xt_unregister_target(struct xt_target *target)
 {
u_int8_t af = target->family;
 
@@ -92,8 +91,7 @@ int xt_register_target(struct xt_target *target)
 }
 EXPORT_SYMBOL(xt_unregister_target);
 
-int
-xt_register_targets(struct xt_target *target, unsigned int n)
+int xt_register_targets(struct xt_target *target, unsigned int n)
 {
unsigned int i;
int err = 0;
@@ -112,8 +110,7 @@ int xt_register_target(struct xt_target *target)
 }
 EXPORT_SYMBOL(xt_register_targets);
 
-void
-xt_unregister_targets(struct xt_target *target, unsigned int n)
+void xt_unregister_targets(struct xt_target *target, unsigned int n)
 {
while (n-- > 0)
xt_unregister_target(&target[n]);
@@ -131,8 +128,7 @@ int xt_register_match(struct xt_match *match)
 }
 EXPORT_SYMBOL(xt_register_match);
 
-void
-xt_unregister_match(struct xt_match *match)
+void xt_unregister_match(struct xt_match *match)
 {
u_int8_t af = match->family;
 
@@ -142,8 +138,7 @@ int xt_register_match(struct xt_match *match)
 }
 EXPORT_SYMBOL(xt_unregister_match);
 
-int
-xt_register_matches(struct xt_match *match, unsigned int n)
+int xt_register_matches(struct xt_match *match, unsigned int n)
 {
unsigned int i;
int err = 0;
@@ -162,8 +157,7 @@ int xt_register_match(struct xt_match *match)
 }
 EXPORT_SYMBOL(xt_register_matches);
 
-void
-xt_unregister_matches(struct xt_match *match, unsigned int n)
+void xt_unregister_matches(struct xt_match *match, unsigned int n)
 {
while (n-- > 0)
xt_unregister_match(&match[n]);
@@ -205,8 +199,8 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 
revision)
 }
 EXPORT_SYMBOL(xt_find_match);
 
-struct xt_match *
-xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
+struct xt_match *xt_request_find_match(uint8_t nfproto, const char *name,
+  uint8_t revision)
 {
struct xt_match *match;
 
@@ -382,8 +376,8 @@ int xt_find_revision(u8 af, const char *name, u8 revision, 
int target,
 }
 EXPORT_SYMBOL_GPL(xt_find_revision);
 
-static char *
-textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
+static char *textify_hooks(char *buf, size_t size, unsigned int mask,
+  uint8_t nfproto)
 {
static const char *const inetbr_names[] = {
"PREROUTING", "INPUT", "FORWARD",
@@ -1154,11 +1148,10 @@ static int xt_jumpstack_alloc(struct xt_table_info *i)
return 0;
 }
 
-struct xt_table_info *
-xt_replace_table(struct xt_table *table,
- unsigned int num_counters,
- struct xt_table_info *newinfo,
- int *error)
+struct xt_table_info *xt_replace_table(struct xt_table *table,
+  unsigned int num_counters,
+  struct xt_table_info *newinfo,
+  int *error)
 {
struct xt_table_info *private;
int ret;
@@ -1367,7 +1360,7 @@ enum {
 };
 
 static void *xt_mttg_seq_next(struct seq_file *seq, void *v, loff_t *ppos,
-bool is_target)
+ bool is_target)
 {
static const uint8_t next_class[] = {
[MTTG_TRAV_NFP_UNSPEC] = MTTG_TRAV_NFP_SPEC,
@@ -1407,7 +1400,7 @@ enum {
 }
 
 static void *xt_mttg_seq_start(struct seq_file *seq, loff_t *pos,
-bool is_target)
+  bool is_target)
 {
struct nf_mttg_trav *trav = seq->private;
unsigned int j;
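Review bot: this hunk and the preceding xt_mttg_seq_next hunk only re-indent the `bool is_target)` continuation line; the function name in both already sits on the same line as its return type, so neither change affects the git context-diff label the commit message is about. Either drop the two hunks or mention the alignment clean-up in the commit message so the "why" is recorded.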
@@ -1553,8 +1546,8 @@ static int xt_target_open(struct inode *inode, struct 
file *file)
  * This function will create the nf_hook_ops that the x_table needs
  * to hand to xt_hook_link_net().
  */
-struct nf_hook_ops *
-xt_hook_ops_alloc(const struct xt_table *table, nf_hookfn *fn)
+struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *table,
+ nf_hookfn *fn)
 {
unsigned int hook_mask = table->valid_hooks;
uint8_t i, num_hooks = hweight32(hook_mask);
-- 
1.7.1


[PATCH 3/6 RFC] netfilter: audit only on xtables and ebtables syscall rule or standalone

2017-05-18 Thread Richard Guy Briggs
There were syscall events unsolicited by any audit rule caused by a missing
!audit_dummy_context() check before creating an
iptables/ip6tables/arptables/ebtables NETFILTER_CFG record.  Check
!audit_dummy_context() before creating the NETFILTER_CFG record.

The vast majority of observed unaccompanied records are caused by the fedora
default rule: "-a never,task" and the occasional early startup one is I believe
caused by the iptables filter table module hard linked into the kernel rather
than a loadable module. The !audit_dummy_context() check above should avoid
them.  Audit only when there is an existing syscall audit rule, otherwise issue
a standalone record only on table modification rather than empty table
creation.

Add subject attributes to the new standalone NETFILTER_CFGSOLO record using
a newly exported audit_log_task().

Since the record format will change anyways, this seemed like the right time to
change the order of the fields to put the protocol family before the table
name.

Here is a new sample accompanied record:
  type=NETFILTER_CFG msg=audit(1494977049.375:9418): family=2 table=filter 
entries=84

and unaccompanied case:
  type=UNKNOWN[1331] msg=audit(1494815998.168:163): auid=4294967295 uid=0 gid=0 
ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=597 
comm="iptables-restor" exe="/usr/sbin/xtables-multi" family=2 table=filter 
entries=4

See: https://github.com/linux-audit/audit-kernel/issues/25
See: https://github.com/linux-audit/audit-kernel/issues/35

Signed-off-by: Richard Guy Briggs 
---
 include/linux/audit.h   |4 +++-
 include/uapi/linux/audit.h  |1 +
 kernel/auditsc.c|3 ++-
 net/bridge/netfilter/ebtables.c |   25 +++--
 net/netfilter/x_tables.c|   26 +++---
 5 files changed, 44 insertions(+), 15 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2150bdc..b6fcab1 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -155,7 +155,7 @@ extern void audit_log_link_denied(const char 
*operation,
 static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
 { }
 #endif
-
+extern void audit_log_task(struct audit_buffer *ab);
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab,
struct task_struct *tsk);
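Review bot: the new `extern void audit_log_task(struct audit_buffer *ab);` replaces the blank line after `#endif`, so the secctx block and the task-logging prototypes now run together; keep the blank line and add the prototype below it. Separately, audit_log_task is defined in kernel/auditsc.c, which is built only when CONFIG_AUDITSYSCALL is set, while this prototype (and the `#else` stub in the next hunk) live in the CONFIG_AUDIT section next to audit_log_task_context; please confirm a CONFIG_AUDIT=y, CONFIG_AUDITSYSCALL=n build still links the ebtables/x_tables callers, or move the prototype and stub under CONFIG_AUDITSYSCALL.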
@@ -205,6 +205,8 @@ static inline void audit_log_link_denied(const char *string,
 { }
 static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
 { }
+static inline void audit_log_task(struct audit_buffer *ab)
+{ }
 static inline int audit_log_task_context(struct audit_buffer *ab)
 {
return 0;
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 0714a66..8bee3f5 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -112,6 +112,7 @@
 #define AUDIT_FEATURE_CHANGE   1328/* audit log listing feature changes */
 #define AUDIT_REPLACE  1329/* Replace auditd if this packet 
unanswerd */
 #define AUDIT_KERN_MODULE  1330/* Kernel Module events */
+#define AUDIT_NETFILTER_CFGSOLO1331/* Netfilter chain 
modifications standalone */
 
 #define AUDIT_AVC  1400/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR  1401/* Internal SE Linux Errors */
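Review bot: the comment on `AUDIT_NETFILTER_CFGSOLO` says "Netfilter chain modifications standalone", but the record carries `family=`/`table=`/`entries=` and is emitted on table replacement, so say "table" to match the NETFILTER_CFG comment and the record's contents. Also, the sample in the commit message prints this record as `type=UNKNOWN[1331]`, so the audit userspace type table needs the new name before the record is usable; worth calling out in the commit message.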
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b2dcbe6..8ac38e6 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2383,7 +2383,7 @@ void __audit_log_kern_module(char *name)
context->type = AUDIT_KERN_MODULE;
 }
 
-static void audit_log_task(struct audit_buffer *ab)
+void audit_log_task(struct audit_buffer *ab)
 {
kuid_t auid, uid;
kgid_t gid;
@@ -2404,6 +2404,7 @@ static void audit_log_task(struct audit_buffer *ab)
audit_log_untrustedstring(ab, get_task_comm(comm, current));
audit_log_d_path_exe(ab, current->mm);
 }
+EXPORT_SYMBOL_GPL(audit_log_task);
 
 /**
  * audit_core_dumps - record information about processes that end abnormally
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 13d7fe2..743f9e6 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1071,12 +1071,25 @@ static int do_replace_finish(struct net *net, struct 
ebt_replace *repl,
if (audit_enabled) {
struct audit_buffer *ab;
 
-   ab = audit_log_start(current->audit_context, GFP_KERNEL,
-AUDIT_NETFILTER_CFG);
-   if (ab) {
-   audit_log_format(ab, "table=%s family=%u entries=%u",
-repl->name, AF_BRIDGE, repl->nentries);
-   audit_log_end(ab);
+   if(!audit_dummy_context()) {
+   
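Review bot: `if(!audit_dummy_context()) {` is missing the space after `if` (checkpatch: space required before the open parenthesis). The hunk is cut off here, so the standalone branch cannot be reviewed, but since the commit message says a NETFILTER_CFGSOLO record is issued in the `else` case, consider hoisting the `audit_dummy_context()` test next to `audit_enabled` so both paths are visible in one place.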

[PATCH 0/6 RFC] Address NETFILTER_CFG issues

2017-05-18 Thread Richard Guy Briggs
There were questions about the presence and cause of unsolicited syscall events
in the logs containing NETFILTER_CFG records and sometimes unaccompanied
NETFILTER_CFG records.

During testing at least the following list of events trigger NETFILTER_CFG
records and the syscalls related (There may be more events that will trigger
this message type.):
init_module, finit_module: modprobe
setsockopt: iptables-restore, ip6tables-restore, ebtables-restore
unshare: (h?)ostnamed
clone: libvirtd

The syscall events unsolicited by any audit rule were found to be caused by a
missing !audit_dummy_context() check before creating a NETFILTER_CFG record.
Check !audit_dummy_context() before creating the NETFILTER_CFG record.

The vast majority of unaccompanied records are caused by the fedora default
rule: "-a never,task" and the occasional early startup one is I believe caused
by the iptables filter table module hard linked into the kernel rather than a
loadable module. The !audit_dummy_context() check above should avoid them.

Seemingly duplicate records are not actually exact duplicates; they are caused
by netfilter table initialization in different network namespaces from the same
syscall.  Recommend adding the network namespace ID (proc inode) to the record
to make this obvious.

Ebtables module initialization to register tables doesn't generate records
because it was never hooked in to audit.  Recommend adding audit hooks to log
this.

See: https://github.com/linux-audit/audit-kernel/issues/25
See: https://github.com/linux-audit/audit-kernel/issues/35
See: https://github.com/linux-audit/audit-kernel/issues/43


Richard Guy Briggs (6):
  netfilter: normalize x_table function declarations
  netfilter: normalize ebtables function declarations
  netfilter: audit only on xtables and ebtables syscall rule or
standalone
  netfilter: ebtables: audit table registration
  netfilter: add audit operation field
  netfilter: add audit netns ID

 include/linux/audit.h  |4 +-
 include/linux/netfilter/x_tables.h |1 +
 include/uapi/linux/audit.h |1 +
 kernel/auditsc.c   |3 +-
 net/bridge/netfilter/ebtables.c|  148 +++-
 net/ipv4/netfilter/arp_tables.c|2 +-
 net/ipv4/netfilter/ip_tables.c |2 +-
 net/ipv6/netfilter/ip6_tables.c|2 +-
 net/netfilter/x_tables.c   |   76 +++
 9 files changed, 149 insertions(+), 90 deletions(-)



Re: [PATCH V4 1/2] netfilter: xt_AUDIT: use consistent ipv4 network offset

2017-03-22 Thread Richard Guy Briggs
On 2017-03-22 12:11, Pablo Neira Ayuso wrote:
> On Wed, Mar 22, 2017 at 03:05:36AM -0400, Richard Guy Briggs wrote:
> > Even though the skb->data pointer has been moved from the link layer
> > header to the network layer header, use the same method to calculate the
> > offset in ipv4 and ipv6 routines.
> > 
> > Signed-off-by: Richard Guy Briggs 
> > ---
> >  net/netfilter/xt_AUDIT.c |2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> > 
> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> > index 4973cbd..cdb7cee 100644
> > --- a/net/netfilter/xt_AUDIT.c
> > +++ b/net/netfilter/xt_AUDIT.c
> > @@ -76,7 +76,7 @@ static void audit_ip4(struct audit_buffer *ab, struct 
> > sk_buff *skb)
> > struct iphdr _iph;
> > const struct iphdr *ih;
> >  
> > -   ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> > +   ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), 
> > &_iph);
> 
> This update is completely pointless.

Its point is to be consistent with audit_ip6() and to prevent further
time consumed by confusion and head-scratching.  I know it is slightly
slower with an identical result.

> If you want I can place it in nf-next, your call.

I'd prefer to bring it through the audit-next tree to avoid the merge
conflict.

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


[PATCH V4 2/2] audit: normalize NETFILTER_PKT

2017-03-22 Thread Richard Guy Briggs
Eliminate flipping in and out of message fields, dropping fields in the
process.

Sample raw message format IPv4 UDP:
type=NETFILTER_PKT msg=audit(1487874761.386:228):  mark=0xae8a2732 
saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
Sample raw message format IPv6 ICMP6:
type=NETFILTER_PKT msg=audit(1487874761.381:227):  mark=0x223894b7 saddr=::1 
daddr=::1 proto=58^]

Issue: https://github.com/linux-audit/audit-kernel/issues/11
Test case: https://github.com/linux-audit/audit-testsuite/issues/43

Signed-off-by: Richard Guy Briggs 
---
v4:
Write out nfmark unmodified rather than trying to indicate "unset".
Collapse/simplify switch/case statements.
v3:
Don't store interim values, but print immediately.
v2:
Trim down to 4 fields.  Add raw samples.

 net/netfilter/xt_AUDIT.c |  124 ++
 1 files changed, 27 insertions(+), 97 deletions(-)

diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index cdb7cee..582ee54 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -31,146 +31,76 @@ MODULE_ALIAS("ip6t_AUDIT");
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 
-static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
-   unsigned int proto, unsigned int offset)
-{
-   switch (proto) {
-   case IPPROTO_TCP:
-   case IPPROTO_UDP:
-   case IPPROTO_UDPLITE: {
-   const __be16 *pptr;
-   __be16 _ports[2];
-
-   pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
-   if (pptr == NULL) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
-
-   audit_log_format(ab, " sport=%hu dport=%hu",
-ntohs(pptr[0]), ntohs(pptr[1]));
-   }
-   break;
-
-   case IPPROTO_ICMP:
-   case IPPROTO_ICMPV6: {
-   const u8 *iptr;
-   u8 _ih[2];
-
-   iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
-   if (iptr == NULL) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
-
-   audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
-iptr[0], iptr[1]);
-
-   }
-   break;
-   }
-}
-
-static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
 {
struct iphdr _iph;
const struct iphdr *ih;
 
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), 
&_iph);
-   if (!ih) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
+   if (!ih)
+   return false;
 
-   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
-   &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
+   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+&ih->saddr, &ih->daddr, ih->protocol);
 
-   if (ntohs(ih->frag_off) & IP_OFFSET) {
-   audit_log_format(ab, " frag=1");
-   return;
-   }
-
-   audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+   return true;
 }
 
-static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 {
struct ipv6hdr _ip6h;
const struct ipv6hdr *ih;
u8 nexthdr;
__be16 frag_off;
-   int offset;
 
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), 
&_ip6h);
-   if (!ih) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
+   if (!ih)
+   return false;
 
nexthdr = ih->nexthdr;
-   offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
- &nexthdr, &frag_off);
+   ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), 
&nexthdr, &frag_off);
 
audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
 &ih->saddr, &ih->daddr, nexthdr);
 
-   if (offset)
-   audit_proto(ab, skb, nexthdr, offset);
+   return true;
 }
 
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-   const struct xt_audit_info *info = par->targinfo;
struct audit_buffer *ab;
+   int fam = -1;
 
if (audit_enabled == 0)
goto errout;
-
ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
if (ab == NULL)
goto erro
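Review bot: audit_ip6() now discards the return value of ipv6_skip_exthdr(); on a malformed or truncated extension-header chain that function returns -1 and the `nexthdr` it wrote back is whatever header it last reached, which then lands in the record as `proto=`. The removed code guarded this with `if (offset)` before using the result; keep a check (either `return false`, or log the raw `ih->nexthdr` when the skip fails) so a bad packet cannot leave a misleading proto value in the audit trail.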
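The record formats this series settles on (the accompanied and standalone NETFILTER_CFG samples in patch 3/6, and the normalized NETFILTER_PKT samples in the commit message above) are what an auditd consumer has to parse. The following Python is an added example and is not code from this thread, the kernel, or audit-userspace. It groups raw records by event serial and flags NETFILTER_CFG records with no SYSCALL record in the same event (the unaccompanied case the 3/6 patch addresses), maps the not-yet-known type number 1331 to the `AUDIT_NETFILTER_CFGSOLO` name from that patch, and applies the conventions the thread converges on: `auid`/`ses` of 4294967295 read as -1, and `mark` taken as the raw hex value with no unset sentinel. The SYSCALL line and the serial-9420 record in the sample log are constructed; the other lines are the samples quoted in the commit messages.

```python
"""Parse raw Linux audit records and flag the netfilter anomalies discussed in
the series: NETFILTER_CFG records with no SYSCALL record in the same event, the
new standalone type 1331 (printed as UNKNOWN[1331] until userspace learns the
name), and NETFILTER_PKT records with the mark field.  Added example."""
import re
from collections import defaultdict

# Record type number introduced by the 3/6 patch (AUDIT_NETFILTER_CFGSOLO).
NETFILTER_CFGSOLO = 1331
# Audit prints unset auid/ses as (u32)-1; userspace interprets it as -1.
UNSET_U32 = 4294967295

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
INT_FIELDS = ('uid', 'gid', 'pid', 'family', 'entries', 'proto')

# Constructed sample log.  The SYSCALL line and the serial-9420 record are
# invented for this example; the remaining lines are the samples from the
# commit messages (0x1d record separator retained on the NETFILTER_PKT lines).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1494977049.375:9418): arch=c000003e syscall=54 '
    'success=yes exit=0 pid=597 auid=4294967295 uid=0 gid=0 ses=4294967295 '
    'comm="iptables-restor" exe="/usr/sbin/xtables-multi"',
    'type=NETFILTER_CFG msg=audit(1494977049.375:9418): family=2 table=filter entries=84',
    'type=NETFILTER_CFG msg=audit(1494977049.380:9420): family=10 table=filter entries=4',
    'type=UNKNOWN[1331] msg=audit(1494815998.168:163): auid=4294967295 uid=0 gid=0 '
    'ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=597 '
    'comm="iptables-restor" exe="/usr/sbin/xtables-multi" family=2 table=filter entries=4',
    'type=NETFILTER_PKT msg=audit(1487874761.386:228):  mark=0xae8a2732 '
    'saddr=127.0.0.1 daddr=127.0.0.1 proto=17\x1d',
    'type=NETFILTER_PKT msg=audit(1487874761.381:227):  mark=0x223894b7 '
    'saddr=::1 daddr=::1 proto=58\x1d',
]


def parse_record(line):
    """Split one raw audit line into type, timestamp, serial and a field dict.
    Returns None for lines that are not audit records."""
    line = line.rstrip('\x1d\n').strip()   # drop the 0x1d separator shown as ^]
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    # Userspace without the new type table prints the number; map it ourselves.
    unk = re.fullmatch(r'UNKNOWN\[(\d+)\]', rtype)
    if unk and int(unk.group(1)) == NETFILTER_CFGSOLO:
        rtype = 'NETFILTER_CFGSOLO'
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {'type': rtype, 'ts': ts, 'serial': int(serial), 'fields': fields}


def normalize(rec):
    """Apply the conventions from the thread: auid/ses sentinel becomes -1,
    mark is the raw 32-bit value (0 is a legitimate mark, not "unset"),
    numeric fields become ints, everything else stays a string."""
    out = {}
    for k, v in rec['fields'].items():
        if k in ('auid', 'ses'):
            out[k] = -1 if int(v) == UNSET_U32 else int(v)
        elif k == 'mark':
            out[k] = int(v, 16)
        elif k in INT_FIELDS:
            out[k] = int(v)
        else:
            out[k] = v
    return out


def find_unaccompanied(lines):
    """Group records by (timestamp, serial) and return the events whose
    NETFILTER_CFG record has no SYSCALL record beside it.  These are the
    orphan records the 3/6 patch replaces with self-describing
    NETFILTER_CFGSOLO records, which are therefore not flagged."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec['ts'], rec['serial'])].append(rec)
    flagged = []
    for key, recs in sorted(events.items()):
        types = {r['type'] for r in recs}
        if 'NETFILTER_CFG' in types and 'SYSCALL' not in types:
            flagged.append(key)
    return flagged


if __name__ == '__main__':
    for ev in find_unaccompanied(SAMPLE_LOG):
        print('unaccompanied NETFILTER_CFG in event', ev)
    for line in SAMPLE_LOG:
        rec = parse_record(line)
        print(rec['type'], normalize(rec))
```

Feed it `ausearch --raw` output (or the raw audit.log) one line at a time; an accompanied NETFILTER_CFG record shares its `audit(ts:serial)` key with the SYSCALL record that triggered it, which is the only property the grouping relies on.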

[PATCH V4 1/2] netfilter: xt_AUDIT: use consistent ipv4 network offset

2017-03-22 Thread Richard Guy Briggs
Even though the skb->data pointer has been moved from the link layer
header to the network layer header, use the same method to calculate the
offset in ipv4 and ipv6 routines.

Signed-off-by: Richard Guy Briggs 
---
 net/netfilter/xt_AUDIT.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 4973cbd..cdb7cee 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -76,7 +76,7 @@ static void audit_ip4(struct audit_buffer *ab, struct sk_buff 
*skb)
struct iphdr _iph;
const struct iphdr *ih;
 
-   ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
+   ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), 
&_iph);
if (!ih) {
audit_log_format(ab, " truncated=1");
return;
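Review bot: the commit message should state plainly that skb->data already points at the network header when this target runs, so `skb_network_offset(skb)` evaluates to 0 here and the change only makes audit_ip4() match audit_ip6() (as the reply later in this thread explains); without that, the hunk reads as a bug fix for an offset that was never wrong.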
-- 
1.7.1



Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Richard Guy Briggs
On 2017-03-03 13:45, Florian Westphal wrote:
> Richard Guy Briggs  wrote:
> > > Perhaps I'm missing something here, but let me ask again, how does
> > > userspace distinguish between an unset nfmark and a nfmark of
> > > 0x?
> > 
> > It can't.
> 
> It can if you log it as 0, as I asked in patch 1 review.

I'd be inclined to do that, since it will always have a value even if
its default is zero.

The proto field would actually be unset if it was a protocol family that
did not have a protocol field.

> (You wouldn't log sk uid of 0 as -1 either, would you?)

No, but you would log auid and session id as -1 if it were unset.


- RGB



Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Richard Guy Briggs
On 2017-03-03 14:22, Florian Westphal wrote:
> Paul Moore  wrote:
> > On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal  wrote:
> > > Richard Guy Briggs  wrote:
> > >> > Perhaps I'm missing something here, but let me ask again, how does
> > >> > userspace distinguish between an unset nfmark and a nfmark of
> > >> > 0x?
> > >>
> > >> It can't.
> > >
> > > It can if you log it as 0, as I asked in patch 1 review.
> > >
> > > (You wouldn't log sk uid of 0 as -1 either, would you?)
> > 
> > I want to see the code able to handle the full range of nfmark values
> > as well as the unset case; if that means we need to tweak userspace a
> > bit, please work with Steve on that.
> 
> There is no 'unset nfmark'.  Its just a 32bit integer.

I was going to say, we'd need an out of band indicator.

- RGB



Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Richard Guy Briggs
On 2017-03-03 08:56, Paul Moore wrote:
> On Fri, Mar 3, 2017 at 8:22 AM, Florian Westphal  wrote:
> > Paul Moore  wrote:
> >> On Fri, Mar 3, 2017 at 7:45 AM, Florian Westphal  wrote:
> >> > Richard Guy Briggs  wrote:
> >> >> > Perhaps I'm missing something here, but let me ask again, how does
> >> >> > userspace distinguish between an unset nfmark and a nfmark of
> >> >> > 0x?
> >> >>
> >> >> It can't.
> >> >
> >> > It can if you log it as 0, as I asked in patch 1 review.
> >> >
> >> > (You wouldn't log sk uid of 0 as -1 either, would you?)
> >>
> >> I want to see the code able to handle the full range of nfmark values
> >> as well as the unset case; if that means we need to tweak userspace a
> >> bit, please work with Steve on that.
> >
> > There is no 'unset nfmark'.  Its just a 32bit integer.
> 
> Yes, my apologies, this thread has dragged on so long I muddled the
> details in my mind ... here is what I'm trying to get at, Richard's
> latest patch (unless I've missed one in my inbox) has the following
> line:
> 
>   audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
> 
> ... which I believe to be incorrect.  I was trying to lead Richard
> along to that same realization, but it would appear I'm not having
> much success, so to put it bluntly, here is what I want that line to
> look like:
> 
>   audit_log_format(ab, "mark=%#x", skb->mark);

Then just say that.  Given the arguments presented, I agree.  Done.

> paul moore

- RGB



Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-03 Thread Richard Guy Briggs
On 2017-03-02 21:54, Paul Moore wrote:
> On Thu, Mar 2, 2017 at 9:00 PM, Richard Guy Briggs  wrote:
> > On 2017-03-02 19:16, Paul Moore wrote:
> >> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs  wrote:
> >> > On 2017-03-01 17:19, Paul Moore wrote:
> >> >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs  
> >> >> wrote:
> >> >> > On 2017-02-28 17:22, Paul Moore wrote:
> >> >> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs 
> >> >> >>  wrote:
> >> >> >> > Eliminate flipping in and out of message fields, dropping fields 
> >> >> >> > in the process.
> >> >> >> >
> >> >> >> > Sample raw message format IPv4 UDP:
> >> >> >> > type=NETFILTER_PKT msg=audit(1487874761.386:228):  mark=0xae8a2732 
> >> >> >> > saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> >> >> >> > Sample raw message format IPv6 ICMP6:
> >> >> >> > type=NETFILTER_PKT msg=audit(1487874761.381:227):  mark=0x223894b7 
> >> >> >> > saddr=::1 daddr=::1 proto=58^]
> >> >> >> >
> >> >> >> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
> >> >> >> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
> >> >> >> >
> >> >> >> > Signed-off-by: Richard Guy Briggs 
> >> >> >> > ---
> >> >> >> >  net/netfilter/xt_AUDIT.c |  122 
> >> >> >> > ++---
> >> >> >> >  1 files changed, 27 insertions(+), 95 deletions(-)
> >> >> >> >
> >> >> >> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> >> >> >> > index 4973cbd..945fa29 100644
> >> >> >> > --- a/net/netfilter/xt_AUDIT.c
> >> >> >> > +++ b/net/netfilter/xt_AUDIT.c
> >> >> >> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
> 
> ...
> 
> >> >> >> >  static unsigned int
> >> >> >> >  audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> >> >> >> >  {
> >> >> >> > -   const struct xt_audit_info *info = par->targinfo;
> >> >> >> > struct audit_buffer *ab;
> >> >> >> > +   int fam = -1;
> >> >> >> >
> >> >> >> > if (audit_enabled == 0)
> >> >> >> > goto errout;
> >> >> >> > -
> >> >> >> > ab = audit_log_start(NULL, GFP_ATOMIC, 
> >> >> >> > AUDIT_NETFILTER_PKT);
> >> >> >> > if (ab == NULL)
> >> >> >> > goto errout;
> >> >> >> >
> >> >> >> > -   audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s 
> >> >> >> > outif=%s",
> >> >> >> > -info->type, par->hooknum, skb->len,
> >> >> >> > -par->in ? par->in->name : "?",
> >> >> >> > -par->out ? par->out->name : "?");
> >> >> >> > -
> >> >> >> > -   if (skb->mark)
> >> >> >> > -   audit_log_format(ab, " mark=%#x", skb->mark);
> >> >> >> > -
> >> >> >> > -   if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
> >> >> >> > -   audit_log_format(ab, " smac=%pM dmac=%pM 
> >> >> >> > macproto=0x%04x",
> >> >> >> > -        eth_hdr(skb)->h_source, 
> >> >> >> > eth_hdr(skb)->h_dest,
> >> >> >> > -ntohs(eth_hdr(skb)->h_proto));
> >> >> >> > +   audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
> >> >> >>
> >> >> >> How do Steve's userspace tools like the unset/-1 value represented
> >> >> >> when it is a hex value: -1 or 0x?
> >> >> >
> >> >> > My understanding is they are set up to cope with this.
> >> >>
> >> >> How does userspace distinguish between an unset nfmark and a nfmark of
> >> >> 0x?
> >> >
> >> > It never had to deal specifically with nfmark previously because it
> >> > wasn't included if it was blank.  Generally other values that are -1 are
> >> > interpreted by the audit userspace tools as unset (session id, auid,
> >> > etc...)
> >>
> >> Yes, I know, let me get straight to the point: should we use "mark=-1"
> >> when the nfmark is unset instead of "mark=0x"?
> >
> > I'd prefer to keep the format as it was, explicitly labelled hex.  The
> > other fields that are printed as unset, -1, come out in the logs as
> > MAX_UINT: "auid=4294967295 ses=4294967295", so I don't see any reason to
> > change that convention.  Once that field is known by userspace tools,
> > they can interpret (-i) that as -1.
> 
> Perhaps I'm missing something here, but let me ask again, how does
> userspace distinguish between an unset nfmark and a nfmark of
> 0x?

It can't.

> paul moore

- RGB



Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-02 Thread Richard Guy Briggs
On 2017-03-02 19:16, Paul Moore wrote:
> On Wed, Mar 1, 2017 at 5:34 PM, Richard Guy Briggs  wrote:
> > On 2017-03-01 17:19, Paul Moore wrote:
> >> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs  
> >> wrote:
> >> > On 2017-02-28 17:22, Paul Moore wrote:
> >> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs  
> >> >> wrote:
> >> >> > Eliminate flipping in and out of message fields, dropping fields in 
> >> >> > the process.
> >> >> >
> >> >> > Sample raw message format IPv4 UDP:
> >> >> > type=NETFILTER_PKT msg=audit(1487874761.386:228):  mark=0xae8a2732 
> >> >> > saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> >> >> > Sample raw message format IPv6 ICMP6:
> >> >> > type=NETFILTER_PKT msg=audit(1487874761.381:227):  mark=0x223894b7 
> >> >> > saddr=::1 daddr=::1 proto=58^]
> >> >> >
> >> >> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
> >> >> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
> >> >> >
> >> >> > Signed-off-by: Richard Guy Briggs 
> >> >> > ---
> >> >> >  net/netfilter/xt_AUDIT.c |  122 
> >> >> > ++---
> >> >> >  1 files changed, 27 insertions(+), 95 deletions(-)
> >> >> >
> >> >> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> >> >> > index 4973cbd..945fa29 100644
> >> >> > --- a/net/netfilter/xt_AUDIT.c
> >> >> > +++ b/net/netfilter/xt_AUDIT.c
> >> >> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
> >> >>
> >> >> ...
> >> >>
> >> >> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> >> > +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> >> >  {
> >> >> > struct iphdr _iph;
> >> >> > const struct iphdr *ih;
> >> >> >
> >> >> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> >> >>
> >> >> It seems like we should be using skb_network_offset(skb) instead of 0
> >> >> above, yes?  Granted, this isn't new, but let's fix it.
> >> >
> >> > Yes, I agree.  How does this even work now?  Maybe the MAC header hasn't
> >> > been added yet (or has already been processed and stripped off) so that
> >> > skb->data is already pointing at the network header and hence has an
> >> > offset of 0.  Can you be more explicit and elaborate to say if this what
> >> > you were thinking?
> >>
> >> Unfortunately, not really, I haven't thought through of all the
> >> situations and it has been a long time since I've had to worry about
> >> things like this.  I think we are in agreement that it needs to
> >> change, so let's just make the change.
> >
> > Given Pablo's assurances, this could go either way, fix audit_ip4 to use
> > skb_network_offset() or fix audit_ip6 to use zero.  I don't have a
> > strong opinion, but using zero would be more efficient while using
> > skb_network_offset() would remove the doubt.  Either way, the
> > consistency will avoid raising doubt in the future as you have
> > (rightfully) done.
> 
> Just use skb_network_offset() as it is the safer option and there is
> plenty of precedence.  Considering that we expect NETFILTER_PKT to see
> limited use, I'm more concerned about it not breaking than some small
> loss of performance.

Agreed.

> >> >> >  static unsigned int
> >> >> >  audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> >> >> >  {
> >> >> > -   const struct xt_audit_info *info = par->targinfo;
> >> >> > struct audit_buffer *ab;
> >> >> > +   int fam = -1;
> >> >> >
> >> >> > if (audit_enabled == 0)
> >> >> > goto errout;
> >> >> > -
> >> >> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> >> >> > if (ab == NULL)
> >> >> > goto errout;
> >> >> >
> >> >> > -   audit_log_format(ab, &qu

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-01 Thread Richard Guy Briggs
On 2017-03-01 17:19, Paul Moore wrote:
> On Wed, Mar 1, 2017 at 11:28 AM, Richard Guy Briggs  wrote:
> > On 2017-02-28 17:22, Paul Moore wrote:
> >> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs  
> >> wrote:
> >> > Eliminate flipping in and out of message fields, dropping fields in the 
> >> > process.
> >> >
> >> > Sample raw message format IPv4 UDP:
> >> > type=NETFILTER_PKT msg=audit(1487874761.386:228):  mark=0xae8a2732 
> >> > saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> >> > Sample raw message format IPv6 ICMP6:
> >> > type=NETFILTER_PKT msg=audit(1487874761.381:227):  mark=0x223894b7 
> >> > saddr=::1 daddr=::1 proto=58^]
> >> >
> >> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
> >> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
> >> >
> >> > Signed-off-by: Richard Guy Briggs 
> >> > ---
> >> >  net/netfilter/xt_AUDIT.c |  122 
> >> > ++---
> >> >  1 files changed, 27 insertions(+), 95 deletions(-)
> >> >
> >> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> >> > index 4973cbd..945fa29 100644
> >> > --- a/net/netfilter/xt_AUDIT.c
> >> > +++ b/net/netfilter/xt_AUDIT.c
> >> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
> >>
> >> ...
> >>
> >> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> > +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> >  {
> >> > struct iphdr _iph;
> >> > const struct iphdr *ih;
> >> >
> >> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> >>
> >> It seems like we should be using skb_network_offset(skb) instead of 0
> >> above, yes?  Granted, this isn't new, but let's fix it.
> >
> > Yes, I agree.  How does this even work now?  Maybe the MAC header hasn't
> > been added yet (or has already been processed and stripped off) so that
> > skb->data is already pointing at the network header and hence has an
> > offset of 0.  Can you be more explicit and elaborate to say if this is what
> > you were thinking?
> 
> Unfortunately, not really, I haven't thought through of all the
> situations and it has been a long time since I've had to worry about
> things like this.  I think we are in agreement that it needs to
> change, so let's just make the change.

Given Pablo's assurances, this could go either way, fix audit_ip4 to use
skb_network_offset() or fix audit_ip6 to use zero.  I don't have a
strong opinion, but using zero would be more efficient while using
skb_network_offset() would remove the doubt.  Either way, the
consistency will avoid raising doubt in the future as you have
(rightfully) done.

> > This should be a separate bug fix patch rather than fixing it in the
> > noise of this substantial re-arrangement.
> 
> That's fine, but please send it as one patchset.  Also, to get ahead
> of the next likely question, no I don't think the skb_network_offset()
> fix is -stable worthy at the moment.

It didn't look like a concern given Pablo's assurance.

> >> > -   if (!ih) {
> >> > -   audit_log_format(ab, " truncated=1");
> >> > -   return;
> >> > -   }
> >> > +   if (!ih)
> >> > +   return false;
> >> >
> >> > -   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu 
> >> > proto=%hhu",
> >> > -   &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
> >> > +   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
> >> > +&ih->saddr, &ih->daddr, ih->protocol);
> >> >
> >> > -   if (ntohs(ih->frag_off) & IP_OFFSET) {
> >> > -   audit_log_format(ab, " frag=1");
> >> > -   return;
> >> > -   }
> >> > -
> >> > -   audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
> >> > +   return true;
> >> >  }
> >>
> >> ...
> >>
> >> >  static unsigned int
> >> >  audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> >> >  {
> >> >

Re: [PATCH V3] audit: normalize NETFILTER_PKT

2017-03-01 Thread Richard Guy Briggs
On 2017-02-28 17:22, Paul Moore wrote:
> On Sun, Feb 26, 2017 at 3:49 PM, Richard Guy Briggs  wrote:
> > Eliminate flipping in and out of message fields, dropping fields in the 
> > process.
> >
> > Sample raw message format IPv4 UDP:
> > type=NETFILTER_PKT msg=audit(1487874761.386:228):  mark=0xae8a2732 
> > saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
> > Sample raw message format IPv6 ICMP6:
> > type=NETFILTER_PKT msg=audit(1487874761.381:227):  mark=0x223894b7 
> > saddr=::1 daddr=::1 proto=58^]
> >
> > Issue: https://github.com/linux-audit/audit-kernel/issues/11
> > Test case: https://github.com/linux-audit/audit-testsuite/issues/43
> >
> > Signed-off-by: Richard Guy Briggs 
> > ---
> >  net/netfilter/xt_AUDIT.c |  122 
> > ++---
> >  1 files changed, 27 insertions(+), 95 deletions(-)
> >
> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> > index 4973cbd..945fa29 100644
> > --- a/net/netfilter/xt_AUDIT.c
> > +++ b/net/netfilter/xt_AUDIT.c
> > @@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
> 
> ...
> 
> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> > +static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >  {
> > struct iphdr _iph;
> > const struct iphdr *ih;
> >
> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> 
> It seems like we should be using skb_network_offset(skb) instead of 0
> above, yes?  Granted, this isn't new, but let's fix it.

Yes, I agree.  How does this even work now?  Maybe the MAC header hasn't
been added yet (or has already been processed and stripped off) so that
skb->data is already pointing at the network header and hence has an
offset of 0.  Can you be more explicit and elaborate to say if this is what
you were thinking?

This should be a separate bug fix patch rather than fixing it in the
noise of this substantial re-arrangement.

> > -   if (!ih) {
> > -   audit_log_format(ab, " truncated=1");
> > -   return;
> > -   }
> > +   if (!ih)
> > +   return false;
> >
> > -   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
> > -   &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
> > +   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
> > +&ih->saddr, &ih->daddr, ih->protocol);
> >
> > -   if (ntohs(ih->frag_off) & IP_OFFSET) {
> > -   audit_log_format(ab, " frag=1");
> > -   return;
> > -   }
> > -
> > -   audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
> > +   return true;
> >  }
> 
> ...
> 
> >  static unsigned int
> >  audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> >  {
> > -   const struct xt_audit_info *info = par->targinfo;
> > struct audit_buffer *ab;
> > +   int fam = -1;
> >
> > if (audit_enabled == 0)
> > goto errout;
> > -
> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> > if (ab == NULL)
> > goto errout;
> >
> > -   audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
> > -info->type, par->hooknum, skb->len,
> > -par->in ? par->in->name : "?",
> > -par->out ? par->out->name : "?");
> > -
> > -   if (skb->mark)
> > -   audit_log_format(ab, " mark=%#x", skb->mark);
> > -
> > -   if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
> > -   audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
> > -eth_hdr(skb)->h_source, 
> > eth_hdr(skb)->h_dest,
> > -ntohs(eth_hdr(skb)->h_proto));
> > +   audit_log_format(ab, "mark=%#x", skb->mark ?: -1);
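Review bot: `audit_log_format(ab, "mark=%#x", skb->mark ?: -1);` makes an unset mark indistinguishable from a genuine mark of 0xffffffff, because -1 is printed through %#x as an unsigned int; logging skb->mark as-is, with 0 meaning no mark was set, keeps the field both always present (the point of dropping the old `if (skb->mark)` guard above) and unambiguous for the userspace parser.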
> 
> How do Steve's userspace tools like the unset/-1 value represented
> when it is a hex value: -1 or 0x?

My understanding is they are set up to cope with this.

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
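The offset and truncation questions in this exchange, worked through in user space as an added example (this is not code from the patch or from xt_AUDIT.c): a flat buffer plus an explicit network offset stands in for the skb and skb_network_offset(), a bounded read stands in for skb_header_pointer(), both parsers return false instead of logging anything when the header is missing, as the V3 patch does, and the IPv6 side walks the extension-header chain the way ipv6_skip_exthdr() does but also checks its return value, which the patch discards. The two frames are constructed to match the sample records in the patch description (UDP 127.0.0.1 to 127.0.0.1, ICMPv6 ::1 to ::1), with an Ethernet header and a hop-by-hop header added to the IPv6 one so the bridge-offset and extension-header cases are exercised; the struct and function names are mine.

```c
#include <arpa/inet.h>   /* inet_ntop(), ntohs(), INET6_ADDRSTRLEN */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the skb: a flat buffer plus skb_network_offset(), which is 0
 * for a packet the IP stack hands to an iptables hook but 14 for the whole
 * Ethernet frame the bridge target sees. */
struct pkt { const uint8_t *data; size_t len; size_t net_off; };

/* The fields a NETFILTER_PKT record carries after the V3 patch. */
struct l3info {
	char saddr[INET6_ADDRSTRLEN], daddr[INET6_ADDRSTRLEN];
	uint8_t proto;             /* IPv4 protocol or final IPv6 next header */
};

/* Bounded read, like skb_header_pointer(): NULL when bytes are missing. */
static const uint8_t *hdr_ptr(const struct pkt *p, size_t off, size_t n)
{
	return (off > p->len || n > p->len - off) ? NULL : p->data + off;
}

/* Like ipv6_skip_exthdr() for hop-by-hop (0), routing (43), fragment (44),
 * destination options (60) and no-next-header (59); AH is left out. Returns
 * the upper-layer header offset, or -1 when the chain is truncated or ends
 * in no-next-header; *nh is updated only on success. */
static long ip6_skip_exthdr(const struct pkt *p, size_t off, uint8_t *nh)
{
	uint8_t cur = *nh;

	while (cur == 0 || cur == 43 || cur == 44 || cur == 60 || cur == 59) {
		const uint8_t *h = hdr_ptr(p, off, 8);  /* ext headers are >= 8 bytes */
		size_t hdrlen = 8;

		if (cur == 59 || !h)
			return -1;
		if (cur == 44) {                        /* fragment header */
			uint16_t fo;
			memcpy(&fo, h + 2, 2);
			if (ntohs(fo) & ~7u)
				break;                          /* non-first fragment: stop */
		} else {
			hdrlen = ((size_t)h[1] + 1) * 8;
		}
		cur = h[0];
		off += hdrlen;
	}
	*nh = cur;
	return (long)off;
}

/* audit_ip4() from the patch, except that it reads at the network offset. */
static bool audit_ip4(const struct pkt *p, struct l3info *o)
{
	const uint8_t *ih = hdr_ptr(p, p->net_off, 20);

	if (!ih)                        /* truncated: log nothing, as V3 does */
		return false;
	inet_ntop(AF_INET, ih + 12, o->saddr, sizeof o->saddr);
	inet_ntop(AF_INET, ih + 16, o->daddr, sizeof o->daddr);
	o->proto = ih[9];
	return true;
}

/* audit_ip6() from the patch, with a check on ip6_skip_exthdr()'s result. */
static bool audit_ip6(const struct pkt *p, struct l3info *o)
{
	const uint8_t *ih = hdr_ptr(p, p->net_off, 40);
	uint8_t nh;

	if (!ih)
		return false;
	nh = ih[6];
	if (ip6_skip_exthdr(p, p->net_off + 40, &nh) < 0)
		return false;               /* nh would still be the first ext header */
	inet_ntop(AF_INET6, ih + 8, o->saddr, sizeof o->saddr);
	inet_ntop(AF_INET6, ih + 24, o->daddr, sizeof o->daddr);
	o->proto = nh;
	return true;
}

/* Constructed sample frames, not captured traffic. */
static const uint8_t ipv4_udp[] = {     /* 127.0.0.1 -> 127.0.0.1, UDP 53 -> 53 */
	0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
	0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01,
	0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
static const uint8_t eth_ipv6_icmp6[] = { /* Ethernet, IPv6 ::1 -> ::1 with a
					     hop-by-hop header, ICMPv6 echo request */
	0x02, 0, 0, 0, 0, 0x02, 0x02, 0, 0, 0, 0, 0x01, 0x86, 0xdd,
	0x60, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x40,
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
	0x3a, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00,
	0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Parse the first len bytes of a frame at the given network offset; returns
 * the proto the record would carry, or -1 when nothing would be logged. */
int sample_proto(const uint8_t *f, size_t len, size_t net_off, int fam)
{
	struct pkt p = { f, len, net_off };
	struct l3info o = { { 0 } };
	bool ok = fam == 4 ? audit_ip4(&p, &o) : audit_ip6(&p, &o);

	return ok ? o.proto : -1;
}
```

Parsing the Ethernet frame with offset 0 instead of 14, as the patch's audit_ip4() would on a bridge hook, reads the MAC addresses as an IP header and yields a proto that is not 58; shortening the frame so the hop-by-hop header is cut off makes the walk fail and nothing is logged, which is the behaviour the extra return-value check buys.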


Re: AUDIT_NETFILTER_PKT message format

2017-02-26 Thread Richard Guy Briggs
On 2017-02-13 19:24, Richard Guy Briggs wrote:
> On 2017-02-13 18:50, Paul Moore wrote:
> > On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs  wrote:
> > > useless?smac, dmac, macproto
> > 
> > Probably useless in the majority of use cases.
> 
> How do we deal with the minority of cases where it could be quite useful?

It turns out this was required for ebtables support.
https://bugzilla.redhat.com/show_bug.cgi?id=642391#c6

> > > - RGB
> > 
> > paul moore
> 
> - RGB

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


[PATCH V3] audit: normalize NETFILTER_PKT

2017-02-26 Thread Richard Guy Briggs
Eliminate flipping in and out of message fields, dropping fields in the process.

Sample raw message format IPv4 UDP:
type=NETFILTER_PKT msg=audit(1487874761.386:228):  mark=0xae8a2732 
saddr=127.0.0.1 daddr=127.0.0.1 proto=17^]
Sample raw message format IPv6 ICMP6:
type=NETFILTER_PKT msg=audit(1487874761.381:227):  mark=0x223894b7 saddr=::1 
daddr=::1 proto=58^]

Issue: https://github.com/linux-audit/audit-kernel/issues/11
Test case: https://github.com/linux-audit/audit-testsuite/issues/43

Signed-off-by: Richard Guy Briggs 
---
 net/netfilter/xt_AUDIT.c |  122 ++---
 1 files changed, 27 insertions(+), 95 deletions(-)

diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 4973cbd..945fa29 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -31,146 +31,78 @@ MODULE_ALIAS("ip6t_AUDIT");
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 
-static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
-   unsigned int proto, unsigned int offset)
-{
-   switch (proto) {
-   case IPPROTO_TCP:
-   case IPPROTO_UDP:
-   case IPPROTO_UDPLITE: {
-   const __be16 *pptr;
-   __be16 _ports[2];
-
-   pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
-   if (pptr == NULL) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
-
-   audit_log_format(ab, " sport=%hu dport=%hu",
-ntohs(pptr[0]), ntohs(pptr[1]));
-   }
-   break;
-
-   case IPPROTO_ICMP:
-   case IPPROTO_ICMPV6: {
-   const u8 *iptr;
-   u8 _ih[2];
-
-   iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
-   if (iptr == NULL) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
-
-   audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
-iptr[0], iptr[1]);
-
-   }
-   break;
-   }
-}
-
-static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
 {
struct iphdr _iph;
const struct iphdr *ih;
 
ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
-   if (!ih) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
+   if (!ih)
+   return false;
 
-   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
-   &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
+   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+&ih->saddr, &ih->daddr, ih->protocol);
 
-   if (ntohs(ih->frag_off) & IP_OFFSET) {
-   audit_log_format(ab, " frag=1");
-   return;
-   }
-
-   audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+   return true;
 }
 
-static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 {
struct ipv6hdr _ip6h;
const struct ipv6hdr *ih;
u8 nexthdr;
__be16 frag_off;
-   int offset;
 
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), 
&_ip6h);
-   if (!ih) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
+   if (!ih)
+   return false;
 
nexthdr = ih->nexthdr;
-   offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
- &nexthdr, &frag_off);
+   ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), 
&nexthdr, &frag_off);
 
audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
 &ih->saddr, &ih->daddr, nexthdr);
 
-   if (offset)
-   audit_proto(ab, skb, nexthdr, offset);
+   return true;
 }
 
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-   const struct xt_audit_info *info = par->targinfo;
struct audit_buffer *ab;
+   int fam = -1;
 
if (audit_enabled == 0)
goto errout;
-
ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
if (ab == NULL)
goto errout;
 
-   audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
-info->type, par->hooknum, skb->len,
-par->in ? par->in->name : "?",
-   
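Review bot: audit_ip4() still reads the header at offset 0 (`ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);`) while audit_ip6() in the same hunk uses skb_network_offset(skb); since the target is also registered for the bridge family (MODULE_ALIAS("ebt_AUDIT")), where skb->data is not guaranteed to sit on the network header, the two should agree and skb_network_offset() is the safer choice. A second point, at `ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);`: the return value is now discarded, but ipv6_skip_exthdr() returns a negative value when the extension-header chain is truncated or ends in NEXTHDR_NONE and leaves nexthdr untouched in that case, so proto= would report the first extension-header type rather than the transport protocol; treat a negative return like the !ih case and return false.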

Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Richard Guy Briggs
On 2017-02-23 12:14, Paul Moore wrote:
> On Thu, Feb 23, 2017 at 12:13 PM, Richard Guy Briggs  wrote:
> > On 2017-02-23 12:06, Paul Moore wrote:
> >> On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs  
> >> wrote:
> >> > On 2017-02-23 11:57, Paul Moore wrote:
> >> >> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs  
> >> >> wrote:
> >> >> > On 2017-02-23 06:20, Florian Westphal wrote:
> >> >> >> Richard Guy Briggs  wrote:
> >> >> >> > Simplify and eliminate flipping in and out of message fields, 
> >> >> >> > relying on nfmark
> >> >> >> > the way we do for audit_key.
> >> >> >> >
> >> >> >> > +struct nfpkt_par {
> >> >> >> > +   int ipv;
> >> >> >> > +   const void *saddr;
> >> >> >> > +   const void *daddr;
> >> >> >> > +   u8 proto;
> >> >> >> > +};
> >> >> >>
> >> >> >> This is problematic, see below for why.
> >> >> >>
> >> >> >> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff 
> >> >> >> > *skb)
> >> >> >> > +static void audit_ip4(struct audit_buffer *ab, struct sk_buff 
> >> >> >> > *skb, struct nfpkt_par *apar)
> >> >> >> >  {
> >> >> >> > struct iphdr _iph;
> >> >> >> > const struct iphdr *ih;
> >> >> >> >
> >> >> >> > +   apar->ipv = 4;
> >> >> >> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> >> >> >> > -   if (!ih) {
> >> >> >> > -   audit_log_format(ab, " truncated=1");
> >> >> >> > +   if (!ih)
> >> >> >> > return;
> >> >> >>
> >> >> >> Removing this "truncated" has the consequence that this can later log
> >> >> >> "saddr=0.0.0.0 daddr=0.0.0.0" if we return here.
> >> >> >>
> >> >> >> This cannot happen for ip(6)tables because ip stack discards broken
> >> >> >> l3 headers before the netfilter hooks get called, but it's possible
> >> >> >> with NFPROTO_BRIDGE.
> >> >> >>
> >> >> >> Perhaps you will need to change audit_ip4/6 to return "false" when 
> >> >> >> it can't
> >> >> >> get the l3 information now so we only log zero addresses when the 
> >> >> >> packet
> >> >> >> really did contain them.
> >> >> >
> >> >> > Ok, to clarify the implications, are you saying that handing a NULL
> >> >> > pointer to "saddr=%pI4" will print "0.0.0.0" rather than "(none)" or 
> >> >> > "?"
> >> >>
> >> >> My initial reaction is that if the packet is so badly
> >> >> truncated/malformed that we don't have a full IP header then we should
> >> >> just refrain from logging the packet; it's too malformed/garbage to
> >> >> offer any useful information and the normal packet processing should
> >> >> result in the packet being discarded anyway.
> >> >
> >> > Which is why I wanted the ethertype, but that can be coded into the 
> >> > nfmark.
> >>
> >> If the packet is garbage (garbage without any payload in this case),
> >> what does it matter?  It's noise.
> >
> > It could be an indicator that either the logging rules or the filter
> > rules need honing, or even that there is a bug in the network code.
> 
> Elaborate on this please, I still don't see how logging the ethertype
> is helpful for a malformed packet.

Well, since we can encode it in the nfmark, it could be helpful, but not 
necessary.

Each bit of information we can include in the audit log message removes
something we need to code in the nf mark.  That's why things like ifin,
ifout, action, hook are easy to include and help reduce the amount of
nf mark coding needed when devising netfilter rules.

I had another idea on how to include the sport and dport and that was to
use the same identifier for sport/icmptype and also for dport/icmpcode,
but you've already said you are not interested.

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Richard Guy Briggs
On 2017-02-23 12:20, Steve Grubb wrote:
> On Wednesday, February 22, 2017 9:50:54 PM EST Richard Guy Briggs wrote:
> > Simplify and eliminate flipping in and out of message fields, relying on
> > nfmark the way we do for audit_key.
> > 
> > https://github.com/linux-audit/audit-kernel/issues/11
> > 
> > Signed-off-by: Richard Guy Briggs 
> 
> If this is reworked, do you mind including a raw log event in the explanation 
> part of the patch? I need to see the resulting event to see how user space 
> needs to adapt.

Yes, I'll make a note to remember to add that.

> -Steve

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Richard Guy Briggs
On 2017-02-23 18:06, Florian Westphal wrote:
> Richard Guy Briggs  wrote:
> > On 2017-02-23 11:57, Paul Moore wrote:
> > > On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs  
> > > wrote:
> > > > On 2017-02-23 06:20, Florian Westphal wrote:
> > > >> Richard Guy Briggs  wrote:
> > > >> > Simplify and eliminate flipping in and out of message fields, 
> > > >> > relying on nfmark
> > > >> > the way we do for audit_key.
> > > >> >
> > > >> > +struct nfpkt_par {
> > > >> > +   int ipv;
> > > >> > +   const void *saddr;
> > > >> > +   const void *daddr;
> > > >> > +   u8 proto;
> > > >> > +};
> > > >>
> > > >> This is problematic, see below for why.
> > > >>
> > > >> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> > > >> > +static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb, 
> > > >> > struct nfpkt_par *apar)
> > > >> >  {
> > > >> > struct iphdr _iph;
> > > >> > const struct iphdr *ih;
> > > >> >
> > > >> > +   apar->ipv = 4;
> > > >> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> > > >> > -   if (!ih) {
> > > >> > -   audit_log_format(ab, " truncated=1");
> > > >> > +   if (!ih)
> > > >> > return;
> > > >>
> > > >> Removing this "truncated" has the consequence that this can later log
> > > >> "saddr=0.0.0.0 daddr=0.0.0.0" if we return here.
> > > >>
> > > >> This cannot happen for ip(6)tables because ip stack discards broken
> > > >> l3 headers before the netfilter hooks get called, but it's possible
> > > >> with NFPROTO_BRIDGE.
> > > >>
> > > >> Perhaps you will need to change audit_ip4/6 to return "false" when it 
> > > >> can't
> > > >> get the l3 information now so we only log zero addresses when the 
> > > >> packet
> > > >> really did contain them.
> > > >
> > > > Ok, to clarify the implications, are you saying that handing a NULL
> > > > pointer to "saddr=%pI4" will print "0.0.0.0" rather than "(none)" or "?"
> 
> No, if you pass pointers that would indeed log NULL.
> 
> > > My initial reaction is that if the packet is so badly
> > > truncated/malformed that we don't have a full IP header then we should
> > > just refrain from logging the packet; it's too malformed/garbage to
> > > offer any useful information and the normal packet processing should
> > > result in the packet being discarded anyway.
> 
> True for ip/ipv6, not sure about bridge though.
> 
> > Which is why I wanted the ethertype, but that can be coded into the nfmark.
> 
> Not following, sorry, are you saying users can/should use -j MARK
> somehow?

Part of the discussed design and rationale for stripping many of the
vanishing fields is that when setting up netfilter rules to invoke the
AUDIT target, an accompanying nf mark should be used to indicate which
rule caught that packet, since the chain name and rule number aren't
available to the audit target.  We would use the nf mark similarly to
the way we use a rule key in the audit rules (see man auditctl).

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
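The convention Richard describes, seen from the consumer's side, as an added example that is not part of the thread or of the audit userspace tools: a parser for the V3 NETFILTER_PKT record format and a lookup that maps the mark back to the rule that set it, the way an auditctl -k key labels syscall records. The mark values, rule labels and the hypothetical iptables rules in the comment are assumptions; the records are constructed from the format shown in the patch description, with the mark values changed to match the table, plus one non-NETFILTER_PKT line to show the type check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed mark-to-rule table, kept beside the ruleset that sets the mark
 * before jumping to AUDIT. Hypothetical rules for the first entry:
 *   iptables -A INPUT -p udp --dport 53 -j MARK --set-mark 0x10
 *   iptables -A INPUT -p udp --dport 53 -j AUDIT --type accept
 * The labels play the role of -k keys on auditctl rules. */
struct mark_rule { unsigned int mark; const char *label; };
static const struct mark_rule rules[] = {
	{ 0x10, "input-dns-udp" },
	{ 0x20, "forward-icmp6" },
};

/* The fields of a NETFILTER_PKT record in the V3 format. */
struct nfpkt {
	unsigned int mark, proto;
	char saddr[64], daddr[64];
};

/* Copy the value of "key" (up to whitespace) from a record into out.
 * Returns 0 when the key is absent. */
static int field(const char *rec, const char *key, char *out, size_t n)
{
	size_t klen = strlen(key), i = 0;
	const char *p = rec;

	/* Match only at a field boundary so "addr=" cannot hit "daddr=". */
	while ((p = strstr(p, key)) != NULL && p != rec && p[-1] != ' ')
		p += klen;
	if (!p)
		return 0;
	for (p += klen; p[i] && p[i] != ' ' && p[i] != '\n' && i + 1 < n; i++)
		out[i] = p[i];
	out[i] = '\0';
	return 1;
}

/* Parse one raw record line; returns 0 unless it is a NETFILTER_PKT record. */
int parse_nfpkt(const char *rec, struct nfpkt *out)
{
	char v[64];

	memset(out, 0, sizeof *out);
	if (!field(rec, "type=", v, sizeof v) || strcmp(v, "NETFILTER_PKT") != 0)
		return 0;
	if (field(rec, "mark=", v, sizeof v))
		out->mark = (unsigned int)strtoul(v, NULL, 0); /* %#x: "0x..." or "0" */
	if (field(rec, "proto=", v, sizeof v))
		out->proto = (unsigned int)strtoul(v, NULL, 10);
	field(rec, "saddr=", out->saddr, sizeof out->saddr);
	field(rec, "daddr=", out->daddr, sizeof out->daddr);
	return 1;
}

/* Map a mark back to the rule that set it. Mark 0 means no MARK target ran
 * before AUDIT, so the record cannot be attributed to a rule. */
const char *rule_for_mark(unsigned int mark)
{
	size_t i;

	if (mark == 0)
		return "unmarked";
	for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
		if (rules[i].mark == mark)
			return rules[i].label;
	return "unknown-mark";
}

/* Constructed records in the V3 format (the 0x1d terminator shown as ^] in
 * the mail is omitted); mark values chosen to match the table above. */
static const char *sample_records[] = {
	"type=NETFILTER_PKT msg=audit(1487874761.386:228):  mark=0x10 "
	"saddr=127.0.0.1 daddr=127.0.0.1 proto=17",
	"type=NETFILTER_PKT msg=audit(1487874761.381:227):  mark=0x20 "
	"saddr=::1 daddr=::1 proto=58",
	"type=NETFILTER_PKT msg=audit(1487874761.390:229):  mark=0 "
	"saddr=10.0.0.5 daddr=10.0.0.1 proto=6",
	"type=SYSCALL msg=audit(1487874761.391:230): arch=c000003e syscall=59",
};

/* Rule label for sample record i, or "not-nfpkt" for other record types. */
const char *sample_label(int i)
{
	struct nfpkt r;

	return parse_nfpkt(sample_records[i], &r) ? rule_for_mark(r.mark)
						  : "not-nfpkt";
}

int main(void)
{
	int i;

	for (i = 0; i < 4; i++)
		printf("%s -> %s\n", sample_records[i], sample_label(i));
	return 0;
}
```

Because the record carries nothing that names the chain or rule, every AUDIT rule that should be attributable needs a MARK (or equivalent) rule in front of it with a value unique within the table; a record with mark 0 is the sign that such a rule is missing.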


Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Richard Guy Briggs
On 2017-02-23 12:06, Paul Moore wrote:
> On Thu, Feb 23, 2017 at 12:04 PM, Richard Guy Briggs  wrote:
> > On 2017-02-23 11:57, Paul Moore wrote:
> >> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs  
> >> wrote:
> >> > On 2017-02-23 06:20, Florian Westphal wrote:
> >> >> Richard Guy Briggs  wrote:
> >> >> > Simplify and eliminate flipping in and out of message fields, relying 
> >> >> > on nfmark
> >> >> > the way we do for audit_key.
> >> >> >
> >> >> > +struct nfpkt_par {
> >> >> > +   int ipv;
> >> >> > +   const void *saddr;
> >> >> > +   const void *daddr;
> >> >> > +   u8 proto;
> >> >> > +};
> >> >>
> >> >> This is problematic, see below for why.
> >> >>
> >> >> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> >> > +static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb, 
> >> >> > struct nfpkt_par *apar)
> >> >> >  {
> >> >> > struct iphdr _iph;
> >> >> > const struct iphdr *ih;
> >> >> >
> >> >> > +   apar->ipv = 4;
> >> >> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> >> >> > -   if (!ih) {
> >> >> > -   audit_log_format(ab, " truncated=1");
> >> >> > +   if (!ih)
> >> >> > return;
> >> >>
> >> >> Removing this "truncated" has the consequence that this can later log
> >> >> "saddr=0.0.0.0 daddr=0.0.0.0" if we return here.
> >> >>
> >> >> This cannot happen for ip(6)tables because ip stack discards broken
> >> >> l3 headers before the netfilter hooks get called, but it's possible
> >> >> with NFPROTO_BRIDGE.
> >> >>
> >> >> Perhaps you will need to change audit_ip4/6 to return "false" when it 
> >> >> can't
> >> >> get the l3 information now so we only log zero addresses when the packet
> >> >> really did contain them.
> >> >
> >> > Ok, to clarify the implications, are you saying that handing a NULL
> >> > pointer to "saddr=%pI4" will print "0.0.0.0" rather than "(none)" or "?"
> >>
> >> My initial reaction is that if the packet is so badly
> >> truncated/malformed that we don't have a full IP header then we should
> >> just refrain from logging the packet; it's too malformed/garbage to
> >> offer any useful information and the normal packet processing should
> >> result in the packet being discarded anyway.
> >
> > Which is why I wanted the ethertype, but that can be coded into the nfmark.
> 
> If the packet is garbage (garbage without any payload in this case),
> what does it matter?  It's noise.

It could be an indicator that either the logging rules or the filter
rules need honing, or even that there is a bug in the network code.

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Richard Guy Briggs
On 2017-02-23 11:57, Paul Moore wrote:
> On Thu, Feb 23, 2017 at 10:51 AM, Richard Guy Briggs  wrote:
> > On 2017-02-23 06:20, Florian Westphal wrote:
> >> Richard Guy Briggs  wrote:
> >> > Simplify and eliminate flipping in and out of message fields, relying on 
> >> > nfmark
> >> > the way we do for audit_key.
> >> >
> >> > +struct nfpkt_par {
> >> > +   int ipv;
> >> > +   const void *saddr;
> >> > +   const void *daddr;
> >> > +   u8 proto;
> >> > +};
> >>
> >> This is problematic, see below for why.
> >>
> >> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> >> > +static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb, 
> >> > struct nfpkt_par *apar)
> >> >  {
> >> > struct iphdr _iph;
> >> > const struct iphdr *ih;
> >> >
> >> > +   apar->ipv = 4;
> >> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> >> > -   if (!ih) {
> >> > -   audit_log_format(ab, " truncated=1");
> >> > +   if (!ih)
> >> > return;
> >>
> >> Removing this "truncated" has the consequence that this can later log
> >> "saddr=0.0.0.0 daddr=0.0.0.0" if we return here.
> >>
> >> This cannot happen for ip(6)tables because ip stack discards broken
> >> l3 headers before the netfilter hooks get called, but it's possible
> >> with NFPROTO_BRIDGE.
> >>
> >> Perhaps you will need to change audit_ip4/6 to return "false" when it can't
> >> get the l3 information now so we only log zero addresses when the packet
> >> really did contain them.
> >
> > Ok, to clarify the implications, are you saying that handing a NULL
> > pointer to "saddr=%pI4" will print "0.0.0.0" rather than "(none)" or "?"
> 
> My initial reaction is that if the packet is so badly
> truncated/malformed that we don't have a full IP header then we should
> just refrain from logging the packet; it's too malformed/garbage to
> offer any useful information and the normal packet processing should
> result in the packet being discarded anyway.

Which is why I wanted the ethertype, but that can be coded into the nfmark.

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: [PATCH V2] audit: normalize NETFILTER_PKT

2017-02-23 Thread Richard Guy Briggs
On 2017-02-23 06:20, Florian Westphal wrote:
> Richard Guy Briggs  wrote:
> > Simplify and eliminate flipping in and out of message fields, relying on 
> > nfmark
> > the way we do for audit_key.
> > 
> > +struct nfpkt_par {
> > +   int ipv;
> > +   const void *saddr;
> > +   const void *daddr;
> > +   u8 proto;
> > +};
> 
> This is problematic, see below for why.
> 
> > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
> > +static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb, struct 
> > nfpkt_par *apar)
> >  {
> > struct iphdr _iph;
> > const struct iphdr *ih;
> >  
> > +   apar->ipv = 4;
> > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
> > -   if (!ih) {
> > -   audit_log_format(ab, " truncated=1");
> > +   if (!ih)
> > return;
> 
> Removing this "truncated" has the consequence that this can later log
> "saddr=0.0.0.0 daddr=0.0.0.0" if we return here.
> 
> This cannot happen for ip(6)tables because ip stack discards broken l3 headers
> before the netfilter hooks get called, but it's possible with NFPROTO_BRIDGE.
> 
> Perhaps you will need to change audit_ip4/6 to return "false" when it can't
> get the l3 information now so we only log zero addresses when the packet
> really did contain them.

Ok, to clarify the implications, are you saying that handing a NULL
pointer to "saddr=%pI4" will print "0.0.0.0" rather than "(none)" or "?"

> > -   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
> > -   &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
> 
> Alternatively, one could keep this around. In fact, why is this (re)moved
> in the first place?  This move of audit_log_format() seems to be the only
> reason why the *apar struct is required.
> 
> AFAICS this now does:
>   ab = new()
>   log(ab, mark);
>   audit_ip4(&apar);
>   log(&apar);
> 
> so might as well keep the log() call within the audit_ip4/6 function.

Understood.  The apar parameter was conceived for the previous patch
with 20 fields and made more sense then.

> > -   audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
> > +   apar->saddr = &ih->saddr;
> > +   apar->daddr = &ih->daddr;
> > +   apar->proto = ih->protocol;
> >  }
> 
> Caution.  skb_header_pointer() may copy from non-linear skb part
> into _iph, which is on stack, so apar->saddr may be stale once
> function returns. So if you really want to remove the audit_log_format()
> of the saddr/daddr then you need to copy the ip addresses here.
> 
> (We guarantee it's linear for ip stack but not for NFPROTO_BRIDGE and this
> function is also called for the bridge version of the target).

Ok, all the more reason to keep the log call in the protocol family function
call.

> >  static unsigned int
> >  audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
> >  {
> > -   const struct xt_audit_info *info = par->targinfo;
> > struct audit_buffer *ab;
> > +   struct nfpkt_par apar = {
> > +   -1, NULL, NULL, -1,
> > +   };
> 
> I suggest to use
>   struct nfpkt_par apar = {
>   .family = par->family,
>   };
> 
> if apar is required for some reason.

I did look at this originally, then realized that netfilter doesn't use
the same protocol family identifiers as standard ethernet headers that
are used in the bridge case or IP protocol or IPv6 next header.  If I
were to pick one, I might use the ethernet header conventions for next
protocol (ethertype, except they are 16 bits instead of 8).

> > ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> > if (ab == NULL)
> > goto errout;
> >  
> > -   audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
> > -info->type, par->hooknum, skb->len,
> > -par->in ? par->in->name : "?",
> > -par->out ? par->out->name : "?");
> > -
> > -   if (skb->mark)
> > -   audit_log_format(ab, " mark=%#x", skb->mark);
> > +   audit_log_format(ab, " mark=%#x", skb->mark ?: -1);
> 
> -1 will be logged as 0x, no?  whats wrong with
>   audit_log_format(ab, " mark=%#x", skb->mark); ?

You are correct, this was hasty.

> > if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
> > -   audit_log_

Re: [PATCH V2] audit: normalize NETFILTER_PKT (fwd)

2017-02-23 Thread Richard Guy Briggs
On 2017-02-23 08:12, Julia Lawall wrote:
> Hello,
> 
> It looks like the switch starting on line 106 should be indented more if
> it is expected to be under the if in line 105.  I believe that there
> should also be braces around the switch.  It is a single statement, but it
> is a complex one.

Yes, that switch statement should be indented, brace-to-brace.  If the
entire switch is indented including its own braces, the external braces
around the switch should be unnecessary.

Thanks.

> thanks,
> julia
> 
> -- Forwarded message --
> Date: Thu, 23 Feb 2017 12:43:05 +0800
> From: kbuild test robot 
> To: kbu...@01.org
> Cc: Julia Lawall 
> Subject: Re: [PATCH V2] audit: normalize NETFILTER_PKT
> 
> CC: kbuild-...@01.org
> In-Reply-To: 
> <9504740e9333a0b7074abe0dddfc487aeeae6cff.1487813996.git@redhat.com>
> 
> Hi Richard,
> 
> [auto build test WARNING on v4.9-rc8]
> [cannot apply to nf-next/master next-20170222]
> [if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
> 
> url:
> https://github.com/0day-ci/linux/commits/Richard-Guy-Briggs/audit-normalize-NETFILTER_PKT/20170223-110223
> :: branch date: 2 hours ago
> :: commit date: 2 hours ago
> 
> >> net/netfilter/xt_AUDIT.c:106:1-2: code aligned with following code on line 116
> 
> git remote add linux-review https://github.com/0day-ci/linux
> git remote update linux-review
> git checkout 8f27486f1987d344c4d9b0de556dfd4209c524bf
> vim +106 net/netfilter/xt_AUDIT.c
> 
> 8f27486f Richard Guy Briggs 2017-02-22  100   audit_ip6(ab, skb, &apar);
> 43f393ca Thomas Graf        2011-01-16  101   break;
> 43f393ca Thomas Graf        2011-01-16  102   }
> 43f393ca Thomas Graf        2011-01-16  103   }
> 43f393ca Thomas Graf        2011-01-16  104   }
> 8f27486f Richard Guy Briggs 2017-02-22  105   if (apar.ipv == -1)
> 43f393ca Thomas Graf        2011-01-16 @106   switch (par->family) {
> 43f393ca Thomas Graf        2011-01-16  107   case NFPROTO_IPV4:
> 8f27486f Richard Guy Briggs 2017-02-22  108   audit_ip4(ab, skb, &apar);
> 43f393ca Thomas Graf        2011-01-16  109   break;
> 43f393ca Thomas Graf        2011-01-16  110
> 43f393ca Thomas Graf        2011-01-16  111   case NFPROTO_IPV6:
> 8f27486f Richard Guy Briggs 2017-02-22  112   audit_ip6(ab, skb, &apar);
> 43f393ca Thomas Graf        2011-01-16  113   break;
> 43f393ca Thomas Graf        2011-01-16  114   }
> 43f393ca Thomas Graf        2011-01-16  115
> 8f27486f Richard Guy Briggs 2017-02-22 @116   switch (apar.ipv) {
> 8f27486f Richard Guy Briggs 2017-02-22  117   case 4:
> 8f27486f Richard Guy Briggs 2017-02-22  118   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
> 8f27486f Richard Guy Briggs 2017-02-22  119   apar.saddr, apar.daddr, apar.proto);
> 
> :: The code at line 106 was first introduced by commit
> :: 43f393caec0362abe03c72799d3f342af3973070 netfilter: audit target to 
> record accepted/dropped packets
> 
> :: TO: Thomas Graf 
> :: CC: Patrick McHardy 
> 
> ---
> 0-DAY kernel test infrastructure            Open Source Technology Center
> https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH V2] audit: normalize NETFILTER_PKT

2017-02-22 Thread Richard Guy Briggs
Simplify and eliminate flipping in and out of message fields, relying on nfmark
the way we do for audit_key.

https://github.com/linux-audit/audit-kernel/issues/11

Signed-off-by: Richard Guy Briggs 
---
 net/netfilter/xt_AUDIT.c |  128 +++---
 1 files changed, 41 insertions(+), 87 deletions(-)

diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 4973cbd..05f7f25 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -31,146 +31,100 @@ MODULE_ALIAS("ip6t_AUDIT");
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 
-static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
-   unsigned int proto, unsigned int offset)
-{
-   switch (proto) {
-   case IPPROTO_TCP:
-   case IPPROTO_UDP:
-   case IPPROTO_UDPLITE: {
-   const __be16 *pptr;
-   __be16 _ports[2];
-
-   pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
-   if (pptr == NULL) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
-
-   audit_log_format(ab, " sport=%hu dport=%hu",
-ntohs(pptr[0]), ntohs(pptr[1]));
-   }
-   break;
-
-   case IPPROTO_ICMP:
-   case IPPROTO_ICMPV6: {
-   const u8 *iptr;
-   u8 _ih[2];
-
-   iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
-   if (iptr == NULL) {
-   audit_log_format(ab, " truncated=1");
-   return;
-   }
-
-   audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
-iptr[0], iptr[1]);
-
-   }
-   break;
-   }
-}
+struct nfpkt_par {
+   int ipv;
+   const void *saddr;
+   const void *daddr;
+   u8 proto;
+};
 
-static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb, struct 
nfpkt_par *apar)
 {
struct iphdr _iph;
const struct iphdr *ih;
 
+   apar->ipv = 4;
ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
-   if (!ih) {
-   audit_log_format(ab, " truncated=1");
+   if (!ih)
return;
-   }
-
-   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
-   &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
-
-   if (ntohs(ih->frag_off) & IP_OFFSET) {
-   audit_log_format(ab, " frag=1");
-   return;
-   }
 
-   audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+   apar->saddr = &ih->saddr;
+   apar->daddr = &ih->daddr;
+   apar->proto = ih->protocol;
 }
 
-static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb, struct 
nfpkt_par *apar)
 {
struct ipv6hdr _ip6h;
const struct ipv6hdr *ih;
u8 nexthdr;
__be16 frag_off;
-   int offset;
 
+   apar->ipv = 6;
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), 
&_ip6h);
-   if (!ih) {
-   audit_log_format(ab, " truncated=1");
+   if (!ih)
return;
-   }
 
nexthdr = ih->nexthdr;
-   offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
- &nexthdr, &frag_off);
+   ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), 
&nexthdr, &frag_off);
 
-   audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-&ih->saddr, &ih->daddr, nexthdr);
-
-   if (offset)
-   audit_proto(ab, skb, nexthdr, offset);
+   apar->saddr = &ih->saddr;
+   apar->daddr = &ih->daddr;
+   apar->proto = nexthdr;
 }
 
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-   const struct xt_audit_info *info = par->targinfo;
struct audit_buffer *ab;
+   struct nfpkt_par apar = {
+   -1, NULL, NULL, -1,
+   };
 
if (audit_enabled == 0)
goto errout;
-
ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
if (ab == NULL)
goto errout;
 
-   audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
-info->type, par->hooknum, skb->len,
-par->in ? par->in->name : "?",
-par->out ? par->out->name : "?");
-
-   if (skb->mark)
-
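Review bot: in audit_ip4() and audit_ip6() the pointers stored in apar->saddr/apar->daddr are taken from ih, and when the header is not linear skb_header_pointer() returns a pointer into the stack-local _iph/_ip6h, so the addresses are dangling by the time the caller uses apar; copy the address bytes into nfpkt_par (for example __be32 / struct in6_addr storage) or keep the audit_log_format() call inside the per-family function. Three smaller points in the same hunk: apar->ipv is assigned 4 or 6 before the `if (!ih) return;` check, so a truncated packet now leaves saddr/daddr NULL while ipv claims a parsed header, and with the old `truncated=1` marker removed the record no longer says why the addresses are missing; the return value of ipv6_skip_exthdr() is discarded, so a negative result (malformed extension headers) can no longer be detected before nexthdr is logged; and the positional initializer `{ -1, NULL, NULL, -1 }` stores -1 in the `u8 proto` field, where it wraps to 255 and cannot be told apart from a packet whose next header really is 255, so a designated initializer with a sentinel that fits the field (or a separate flag) would be clearer.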

Re: AUDIT_NETFILTER_PKT message format

2017-02-16 Thread Richard Guy Briggs
On 2017-02-16 20:57, Paul Moore wrote:
> [NOTE: I'll respond back to the other part of your email later but I'm
> running out of time in the day and this was a quick but important
> response]
> 
> On Thu, Feb 16, 2017 at 5:36 PM, Richard Guy Briggs  wrote:
> > Steve has requested the subject attributes which prefixes 7 fields.
> 
> I already commented on this earlier in this thread - or some other
> related thread, I've lost track, but both you and Steve were on the
> To/CC line - last time I checked, you can't reliably link packets to
> the sender/subject in the netfilter hooks (I'll be shocked if this has
> changed).  The best you can do in some cases is to link the packet to
> the socket, and that isn't going to help you.

Ok, thanks for this clarification.  Maybe I'm mis-remembering what user
information is available in software interrupts rather than user
context.  This will need more investigation...

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: AUDIT_NETFILTER_PKT message format

2017-02-16 Thread Richard Guy Briggs
On 2017-02-14 16:06, Paul Moore wrote:
> On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs  wrote:
> > On 2017-02-13 18:50, Paul Moore wrote:
> >> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs  wrote:
> 
> ...
> 
> >> > useless?  smac, dmac, macproto
> >>
> >> Probably useless in the majority of use cases.
> >
> > How do we deal with the minority of cases where it could be quite useful?
> 
> First you first need to show me why I should care about this, in other
> words, why *must* you have the fields in the audit record.

Well, as I've just argued in my other reply, the only fields that are a
*must* are the subject attributes and the nfmark.

You've jettisoned the ports while keeping the addresses, which puzzles
me other than for expediency.

MAC, IP and ports can all be spoofed, each layer easier as you get
higher, but it is all potentially useful information.

> >> > helpful secmark (I forgot to change it from "obj" to "secmark" in my patch).
> >>
> >> We may also want to log the peer label if we are going to log the secmark.
> >
> > Ok, noted.
> 
> Please note well the "*if*" portion in the above statement.  I'm not
> overly convinced that either field is all that useful in the majority
> of cases.

Thank you for that reminder to link the two.

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: AUDIT_NETFILTER_PKT message format

2017-02-16 Thread Richard Guy Briggs
On 2017-02-15 19:32, Paul Moore wrote:
> On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs  wrote:
> > On 2017-02-13 18:50, Paul Moore wrote:
> >> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs  wrote:
> 
> ...
> 
> >> > helpful action, hook
> >>
> >> I haven't checked, but do we allow setting of an audit key in
> >> NETFILTER_PKT records?  It seems like that might be a good thing for
> >> the userspace tools and would likely make logging the action/hook
> >> unnecessary.
> >
> > Not that I am aware of.  That would be way useful if it were possible.
> > "AUDIT" is a netfilter target and you can set the type to "accept",
> > "drop" or "reject".  Similarly, having the sub-chain name would be
> > useful but that doesn't appear to be available either.  This is why I
> > used a "mark" in the testsuite to track packets.
> 
> I've been thinking about this off and on and I think you are on to
> something here ... the netfilter mark is very similar to what we do
> with the audit keys and the audit-folk on this thread already know how
> helpful audit keys can be for associating records with a specific [set
> of] audit rules; I'm thinking we should treat the netfilter mark the
> same way, after all, this is very much in keeping with how
> netfilter/iptables uses the mark data.

I felt like I was kind of cheating to use it, but no other fine-grained
method was evident to me when I wrote that test script.  In a test
script it is a controlled environment with no other conflicting users.

My thoughts were that use of it as a key for tracking audit events
itself might not be as viable due to other uses of the nfmark.

What it comes down to is simply spending a bit more careful design
effort to have the uses of nfmark co-exist since I don't see any
inherent conflicts.

>  In an effort to simplify
> things greatly for the NETFILTER_PKT record I'm going to offer the
> following suggestion:
> 
> * Limit NETFILTER_PKT fields to only those present in the IPv4/IPv6
> header, e.g. src/dest addresses and next level protocol, and the
> netfilter mark.

(I'd start with: mark, saddr, daddr, proto)

That seems a bit oversimplified, requiring a lot more effort and lists
of rules to track down different application-layer protocols (ports).

This reminds me of Rusty's sig a while back "Premature optmztion is rt
of all evl."  ;-)

There are a limited number of actions, hooks, interfaces and protocol
families, so this seems plausibly reasonable to ditch in favour of
nfmark, but all of these would just need to be re-coded in the nfmark if
needed, although the typical assumption about number of interfaces may
be naive for those users who may find this sort of auditing very useful.
(I'm thinking of network appliances.)

It would be tempting to just keep the reports of data packets
(TCP/UDP...) and forego the control packets (ICMP) but that somehow
seems like cheating and irresponsible.

I'm still inclined to keep the 4 message types proposed, minimum data
and control, then the other two as more general catchers.

> * Teach ausearch and the other relevant audit userspace tools to
> search on the netfilter mark much like they currently search on the
> audit key.

That sounds potentially useful, and until that happens, a user could
pull together a perl or python script to deal with them.

> This puts a reasonable bound on the fields in the NETFILTER_PKT record
> and insulates us from protocol specifics (both very desirable things);

Steve has requested the subject attributes which prefixes 7 fields.

If you are ditching port numbers, then it seems reasonable to ditch IP
addresses too, at which point all we keep is the subject attributes and
the nfmark which could be argued should be enough.  What's the point in
keeping the protocol if we don't keep the source and destination ports?

> I also think we should be able to do this without having to introduce
> a new record, e.g. NETFILTER_PKT2 (another big win).  Any additional
> packet information can be conveyed by the netfilter mark and careful
> netfilter rule construction.

I'm sure sure either way if we are absolved from introducing a new
record type since we are changing the existing one.

> What do you think Richard?

There's my thoughts.  I'd love to get some from users.

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
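The mark-based search discussed in this message, as an added example that is not part of the original thread or of the audit userspace tools: it parses NETFILTER_PKT records in the simplified layout the thread converges on (mark, saddr, daddr, proto) and filters or counts them by netfilter mark, the way ausearch does by audit key. The sample log lines are constructed, and the record layout is an assumption based on the format strings discussed in this thread.

```python
"""Search NETFILTER_PKT audit records by netfilter mark, the way ausearch
searches by audit key.  Added example with constructed sample records;
not output captured from a real system and not the audit userspace code."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample log.  Field layout is assumed from the format strings
# discussed in this thread: " mark=%#x" followed by
# " saddr=%pI4 daddr=%pI4 proto=%hhu" (or %pI6c for IPv6).  Record 204
# carries only the mark, standing in for a packet whose IP header was not
# parsed; record 205 is not a NETFILTER_PKT record and must be skipped.
SAMPLE_LOG = """\
type=NETFILTER_PKT msg=audit(1487813996.101:201): mark=0x1 saddr=10.0.0.5 daddr=10.0.0.1 proto=6
type=NETFILTER_PKT msg=audit(1487813996.102:202): mark=0x2 saddr=10.0.0.7 daddr=10.0.0.1 proto=17
type=NETFILTER_PKT msg=audit(1487813996.103:203): mark=0x1 saddr=fd00::5 daddr=fd00::1 proto=58
type=NETFILTER_PKT msg=audit(1487813996.104:204): mark=0x3
type=SYSCALL msg=audit(1487813996.105:205): arch=c000003e syscall=59 success=yes exit=0
"""

_RECORD_RE = re.compile(
    r"^type=NETFILTER_PKT msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r"(?P<fields>.*)$"
)
_KV_RE = re.compile(r"(\w+)=(\S+)")

# IANA protocol numbers for the handful that appear in the sample.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}


def parse_netfilter_pkt(line):
    """Parse one audit log line.

    Returns a dict for a NETFILTER_PKT record and None for any other record
    type or for a record without a mark.  The mark is hex (the kernel prints
    it with %#x).  Addresses are validated with ipaddress so a corrupt value
    raises instead of being stored as a string; saddr/daddr/proto are None
    when the record does not carry them ("unset" in the thread's terms).
    """
    m = _RECORD_RE.match(line.strip())
    if m is None:
        return None
    fields = dict(_KV_RE.findall(m.group("fields")))
    if "mark" not in fields:
        return None
    rec = {
        "serial": int(m.group("serial")),
        "timestamp": float(m.group("ts")),
        "mark": int(fields["mark"], 16),
        "saddr": ip_address(fields["saddr"]) if "saddr" in fields else None,
        "daddr": ip_address(fields["daddr"]) if "daddr" in fields else None,
        "proto": int(fields["proto"]) if "proto" in fields else None,
    }
    proto = rec["proto"]
    rec["proto_name"] = None if proto is None else PROTO_NAMES.get(proto, str(proto))
    return rec


def iter_netfilter_pkt(log_text):
    """Yield parsed NETFILTER_PKT records from a block of audit log text."""
    for line in log_text.splitlines():
        rec = parse_netfilter_pkt(line)
        if rec is not None:
            yield rec


def search_by_mark(log_text, mark):
    """Return the NETFILTER_PKT records carrying `mark`, in log order.

    This is the netfilter-mark analogue of `ausearch -k <key>` proposed in
    the thread: a mark set by an earlier MARK rule identifies which rule
    (or rule set) handed the packet to the AUDIT target.
    """
    return [rec for rec in iter_netfilter_pkt(log_text) if rec["mark"] == mark]


def summarize_by_mark(log_text):
    """Count NETFILTER_PKT records per mark, e.g. to spot a rule that fires
    far more often than expected."""
    return Counter(rec["mark"] for rec in iter_netfilter_pkt(log_text))


def format_record(rec):
    """One-line rendering used by the stand-alone run below."""
    src = "unset" if rec["saddr"] is None else str(rec["saddr"])
    dst = "unset" if rec["daddr"] is None else str(rec["daddr"])
    proto = "unset" if rec["proto_name"] is None else rec["proto_name"]
    return f"{rec['serial']} mark={rec['mark']:#x} {src} -> {dst} {proto}"


if __name__ == "__main__":
    for mark, count in sorted(summarize_by_mark(SAMPLE_LOG).items()):
        print(f"mark {mark:#x}: {count} record(s)")
    for rec in search_by_mark(SAMPLE_LOG, 0x1):
        print(format_record(rec))
```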


Re: AUDIT_NETFILTER_PKT message format

2017-02-16 Thread Richard Guy Briggs
On 2017-02-14 16:31, Steve Grubb wrote:
> On Monday, February 13, 2017 3:50:05 PM EST Richard Guy Briggs wrote:
> > > > > > The alternatives that I currently see are to drop packets for which
> > > > > > there is no local process ownership, or to leave the ownership
> > > > > > fields unset.
> > > > > 
> > > > > What ownership fields are we talking about?
> > > > 
> > > > The ones you want, auid, pid, ses.  Perhaps I'm using the wrong
> > > > terminology.  What technical term is there for the collection of subject
> > > > identifiers?
> > > 
> > > Subject attributes.
> > 
> > Ah ok, I'll try to remember to use that term...
> > 
> > Now that you know what I'm talking about, can you go back and answer the
> > questions I had about packet "ownership" (which is really packet subject
> > attributes)? 
> 
> The format for subject attributes would be:
> pid, uid, auid, ses, subj, comm, exe, ...then whatever else you want to add
> 
> This also goes for the netfilter_cfg events.

Ok, this I can deal with.  Thank you.

> > If we have that information, how do we include it in the
> > message format?  And if we don't have it, do we ignore the packet, or do
> > we swing fields out, or do we set those fields to "unset" or do we use
> > an auxiliary record?
> 
> If you have this for the majority of events, I'd say leave it unset when you
> don't. We really don't care about packets that simply transit through the
> system. Also, I suppose it depends on what kind of packet it is. For example,
> an icmp echo sent to the machine that is blocked is obviously not going to
> have an owner. But one originating in the machine heading out should.

I'll add them to the message format and leave them unset if we have no
information.

The way that the AUDIT target is used by users is going to determine
what is the majority of events.  The user has complete freedom to set up
rules such that all of them only log packets transiting the system, but
this is clearly not the intent of this record.

This sounds like it deserves a blog post to clarify the intent and the
limitations and/or an update to the xt_AUDIT manpage.

> -Steve

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: AUDIT_NETFILTER_PKT message format

2017-02-13 Thread Richard Guy Briggs
On 2017-02-13 18:50, Paul Moore wrote:
> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs  wrote:
> > On 2017-02-13 12:57, Steve Grubb wrote:
> >> On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote:
> >> > On 2017-02-10 17:39, Steve Grubb wrote:
> >> > > > The alternatives that I currently see are to drop packets for which
> >> > > > there is no local process ownership, or to leave the ownership fields
> >> > > > unset.
> >> >
> >> > > What ownership fields are we talking about?
> >> >
> >> > The ones you want, auid, pid, ses.  Perhaps I'm using the wrong
> >> > terminology.  What technical term is there for the collection of subject
> >> > identifiers?
> >>
> >> Subject attributes.
> >
> > Ah ok, I'll try to remember to use that term...
> >
> > Now that you know what I'm talking about, can you go back and answer the
> > questions I had about packet "ownership" (which is really packet subject
> > attributes)?  If we have that information, how do we include it in the
> > message format?  And if we don't have it, do we ignore the packet, or do
> > we swing fields out, or do we set those fields to "unset" or do we use
> > an auxiliary record?
> 
> Packet "ownership" is likely going to be impossible to determine
> reliably since in some cases you can't even match a packet to a
> socket, let alone a process.  To back up a few messages in this
> thread, to Richard's list of things to potentially log:
> 
> > helpful action, hook
> 
> I haven't checked, but do we allow setting of an audit key in
> NETFILTER_PKT records?  It seems like that might be a good thing for
> the userspace tools and would likely make logging the action/hook
> unnecessary.

Not that I am aware of.  That would be way useful if it were possible.
"AUDIT" is a netfilter target and you can set the type to "accept",
"drop" or "reject".  Similarly, having the sub-chain name would be
useful but that doesn't appear to be available either.  This is why I
used a "mark" in the testsuite to track packets.

> > useless?  len
> 
> I don't see much point in this.
> 
> > helpful inif, outif, mark
> 
> Let's split this into two things: the interfaces and the mark.  I
> don't see much value in logging the mark, but I could see some value
> in logging the interface.

In fact, the mark I found to be a useful way to track which rule was
involved and I'd be pretty surprised if others don't try to do the same.

> > useless?  smac, dmac, macproto
> 
> Probably useless in the majority of use cases.

How do we deal with the minority of cases where it could be quite useful?

> > helpful protocol family
> 
> I think we need some clarity on protocol logging; we've got "macproto"
> (I assume this is the ethertype, or similar), "protocol family" (I
> assume this to be a duplicate of ethertype, e.g. AF_INET), and "proto"
> (see below, I assume this to be TCP/UDP/etc.).

Sorry, you are right.  I know that field as "ethertype" which defines
the "protocol family" (network layer protocol, IPv4/6, etc...).  "proto"
is the transport layer protocol.  For some reason, I was thinking
"macproto" was the link layer type, but that's obvious from the media.

> > useless?  truncated
> 
> Definitely useless.  Only keep this if we need it for some backwards
> compatibility.
> 
> > helpful saddr, daddr
> 
> Helpful.
> 
> > useless?  ipid
> 
> Useless.
> 
> > helpful proto
> > helpful sport, dport
> 
> Assuming "proto" means the TCP/UDP/etc. then we should treat the
> proto/ports as one block; you can't log the ports without logging
> "proto".
> 
> > useless?  frag
> > useless?  truncated
> 
> Yes, useless.
> 
> > helpful icmptype, icmpcode
> 
> Similar to proto/port above.
> 
> > helpful secmark (I forgot to change it from "obj" to "secmark" in my patch).
> 
> We may also want to log the peer label if we are going to log the secmark.

Ok, noted.

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: AUDIT_NETFILTER_PKT message format

2017-02-13 Thread Richard Guy Briggs
On 2017-02-13 12:57, Steve Grubb wrote:
> On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote:
> > On 2017-02-10 17:39, Steve Grubb wrote:
> > > > The alternatives that I currently see are to drop packets for which
> > > > there is no local process ownership, or to leave the ownership fields
> > > > unset.
> >
> > > What ownership fields are we talking about?
> > 
> > The ones you want, auid, pid, ses.  Perhaps I'm using the wrong
> > terminology.  What technical term is there for the collection of subject
> > identifiers?
> 
> Subject attributes.

Ah ok, I'll try to remember to use that term...

Now that you know what I'm talking about, can you go back and answer the
questions I had about packet "ownership" (which is really packet subject
attributes)?  If we have that information, how do we include it in the
message format?  And if we don't have it, do we ignore the packet, or do
we swing fields out, or do we set those fields to "unset" or do we use
an auxiliary record?

> > > > > I don't think audit should worry about spoofing. Yes it can be done,
> > > > > but we should accurately record what was presented to the system.
> > > > > Other tools can be employed to watch for arp spoofing and source
> > > > > routed packets. It's a bigger problem than just the audit logs.
> > > > 
> > > > I find this statement a bit surprising given we're trying to find out
> > > > who's doing what where.
> > > 
> > > We're just recording what's presented to the system that meets the rules
> > > programmed in.
> > 
> > I don't quite understand.  Are you saying only display the fields that
> > were specifically used in the netfilter rule to trigger the target that
> > records a packet?
> 
> No. I'm saying we shouldn't do any processing to figure out if we have a 
> spoofed or source routed packet. There are other tools that do that kind of 
> thing.

I never suggested that.  I only suggested including that information so
that some other tool actually has the information to work with.

> > I don't think that's what you want and it isn't easy
> > to get without being more invasive in netfilter and swinging fields.
> > I'd record the MAC header since it is part of the packet that tells us
> > where it came from and where it's going.
> 
> Do we really need the MAC header for every event? I really don't think so.

It certainly makes my job simpler to just ignore the MAC header and
avoid complicating things, but if I were a network admin and a packet
came in that I wasn't expecting because of other network rules that had
been set up to prevent it, I'd want more information to figure out why.

> -Steve

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: AUDIT_NETFILTER_PKT message format

2017-02-10 Thread Richard Guy Briggs
On 2017-02-10 17:39, Steve Grubb wrote:
> On Thursday, February 9, 2017 8:12:47 PM EST Richard Guy Briggs wrote:
> > On 2017-02-09 19:09, Steve Grubb wrote:
> > > On Thursday, February 9, 2017 6:49:38 PM EST Richard Guy Briggs wrote:
> > > > On 2017-02-08 18:09, Paul Moore wrote:
> > > > > > On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb  wrote:
> > > > > > > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote:
> > > > > > >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs  wrote:
> > > > > >> > So while I'm not advocating this is what should be done and I'm
> > > > > >> > trying
> > > > > >> > to establish bounds to the scope of this feature, but would it be
> > > > > >> > reasonable to simply not log packets that were transiting this
> > > > > >> > machine
> > > > > >> > without a local endpoint?
> > > > > >> 
> > > > > >> I'm still waiting on more detailed requirements information from
> > > > > >> Steve, but based on what we've heard so far, it seems that ignoring
> > > > > >> forwarded traffic is a reasonable thing to do.
> > > > > > 
> > > > > > OK, I have done the analysis to see where things stand on this ...
> > > > > 
> > > > > ...
> > > > > 
> > > > > > At this point, I would say there is no purpose for xt_AUDIT.c based
> > > > > > on
> > > > > > Common Criteria. It looks like it's built in response to the
> > > > > > CONFIG_NETFILTER_XT_TARGET_AUDIT config option. So, it can be
> > > > > > cleanly
> > > > > > deprecated.
> > > > > 
> > > > > Based on some off-list discussions with Richard it would appear that
> > > > > there are several users of the NETFILTER_PKT record so I am in no
> > > > > hurry to deprecate it.  Considering that there are no CC requirements
> > > > > on the record, I think we can focus on simply providing a basic record
> > > > > that satisfies the whims of the userspace tools without adding any
> > > > > pain to the kernel.  I believe Richard is currently working on a
> > > > > proposal to do that, let's discuss it further in that thread.
> > > > 
> > > > If there is no strict rule about turning any other type of record other
> > > > than SYSCALLs into compound records, we could add the user credentials
> > > > if they are identifiable without having a number of unset fields by
> > > > using an auxiliary record.  If this isn't possible or desirable, we'd
> > > > need to include those fields as unset in every message unless we
> > > > discard messages for which there is no identifying information.
> > > 
> > > There's no actual rule on this, but it's not expected and I'd have to check
> > > to see what this would do to the parsers. The main drawback is that just
> > > setting up an auxiliary record is going to eat 40 bytes without the
> > > record name. That will also make processing them more difficult because
> > > information is on multiple lines. And we'd need clear rules about what
> > > the last record is to know when the event is complete if they are
> > > interlaced.
> > 
> > I agree it is not ideal.  So could you please commit to an alternative
> > that works so we can move forward? 
> 
> I am trying to strongly discourage adding auxiliary records like we do for 
> syscalls.

I get that.  I'm trying to figure out other ways of approaching the issue.

> > The alternatives that I currently see are to drop packets for which there is
> > no local process ownership, or to leave the ownership fields unset.
> 
> What ownership fields are we talking about?

The ones you want, auid, pid, ses.  Perhaps I'm using the wrong
terminology.  What technical term is there for the collection of subject
identifiers?

> > > > We probably don't want to trot out all the fields in a packet like
> > > > tcpdump does, since many of them won't be of interest to us.  We want
> > > > protocol family, end points, type of packet.  The ones that would be
> > > > quite useful but may be hard to get are pid, auid, sessionid.
> > > > 
> > > > There is no packet for which all fi

Re: AUDIT_NETFILTER_PKT message format

2017-02-09 Thread Richard Guy Briggs
On 2017-02-09 19:09, Steve Grubb wrote:
> On Thursday, February 9, 2017 6:49:38 PM EST Richard Guy Briggs wrote:
> > On 2017-02-08 18:09, Paul Moore wrote:
> > > On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb  wrote:
> > > > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote:
> > > >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs  wrote:
> > > >> > So while I'm not advocating this is what should be done and I'm
> > > >> > trying
> > > >> > to establish bounds to the scope of this feature, but would it be
> > > >> > reasonable to simply not log packets that were transiting this
> > > >> > machine
> > > >> > without a local endpoint?
> > > >> 
> > > >> I'm still waiting on more detailed requirements information from
> > > >> Steve, but based on what we've heard so far, it seems that ignoring
> > > >> forwarded traffic is a reasonable thing to do.
> > > > 
> > > > OK, I have done the analysis to see where things stand on this ...
> > > 
> > > ...
> > > 
> > > > At this point, I would say there is no purpose for xt_AUDIT.c based on
> > > > Common Criteria. It looks like it's built in response to the
> > > > CONFIG_NETFILTER_XT_TARGET_AUDIT config option. So, it can be cleanly
> > > > deprecated.
> > > 
> > > Based on some off-list discussions with Richard it would appear that
> > > there are several users of the NETFILTER_PKT record so I am in no
> > > hurry to deprecate it.  Considering that there are no CC requirements
> > > on the record, I think we can focus on simply providing a basic record
> > > that satisfies the whims of the userspace tools without adding any
> > > pain to the kernel.  I believe Richard is currently working on a
> > > proposal to do that, let's discuss it further in that thread.
> > 
> > If there is no strict rule about turning any other type of record other than
> > SYSCALLs into compound records, we could add the user credentials if they
> > are identifiable without having a number of unset fields by using an
> > auxiliary record.  If this isn't possible or desirable, we'd need to
> > include those fields as unset in every message unless we discard
> > messages for which there is no identifying information.
> 
> There's no actual rule on this, but it's not expected and I'd have to check to
> see what this would do to the parsers. The main drawback is that just setting
> up an auxiliary record is going to eat 40 bytes without the record name. That
> will also make processing them more difficult because information is on
> multiple lines. And we'd need clear rules about what the last record is to
> know when the event is complete if they are interlaced.

I agree it is not ideal.  So could you please commit to an alternative
that works so we can move forward?  The alternatives that I currently
see are to drop packets for which there is no local process ownership,
or to leave the ownership fields unset.
> 
> > We probably don't want to trot out all the fields in a packet like
> > tcpdump does, since many of them won't be of interest to us.  We want
> > protocol family, end points, type of packet.  The ones that would be
> > quite useful but may be hard to get are pid, auid, sessionid.
> > 
> > There is no packet for which all fields are valid.  This is why using
> > "unset" values in those fields was suggested.
> > 
> > I'd start by splitting data from control protocols if we even need
> > source/destination ports or icmp* details.  Those seem like pretty
> > important details, so I think we need to start there.
> > 
> > I'd be inclined to use the same message type for IPv4 and IPv6 and just
> > drop the IPv4-specific fields, or include them with the IPv6 record and
> > set them to "unset" (ipid, frag).
> > 
> > As for the MAC (Media Access Control) addresses I'm not sure what to
> > recommend.  We could fill them in with the outer MAC, we could leave them as
> > unset or could just delete them entirely.
> > 
> > Source IP addresses can be easily spoofed, particularly for UDP, so they
> > are not particularly useful and a MAC may have more useful information
> > if there are multiple potential local sources.  Depending on the local
> > hardware there is usually a MAC address, but may have been stripped by
> > the time we see that packet, but I think it is worth adding, bu

Re: AUDIT_NETFILTER_PKT message format

2017-02-09 Thread Richard Guy Briggs
On 2017-02-08 18:09, Paul Moore wrote:
> On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb  wrote:
> > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote:
> >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs  wrote:
> >> > So while I'm not advocating this is what should be done and I'm trying
> >> > to establish bounds to the scope of this feature, would it be
> >> > reasonable to simply not log packets that were transiting this machine
> >> > without a local endpoint?
> >>
> >> I'm still waiting on more detailed requirements information from
> >> Steve, but based on what we've heard so far, it seems that ignoring
> >> forwarded traffic is a reasonable thing to do.
> >
> > OK, I have done the analysis to see where things stand on this ...
> 
> ...
> 
> > At this point, I would say there is no purpose for xt_AUDIT.c based on Common
> > Criteria. It looks like it's built in response to the
> > CONFIG_NETFILTER_XT_TARGET_AUDIT config option. So, it can be cleanly
> > deprecated.
> 
> Based on some off-list discussions with Richard it would appear that
> there are several users of the NETFILTER_PKT record so I am in no
> hurry to deprecate it.  Considering that there are no CC requirements
> on the record, I think we can focus on simply providing a basic record
> that satisfies the whims of the userspace tools without adding any
> pain to the kernel.  I believe Richard is currently working on a
> proposal to do that, let's discuss it further in that thread.

If there is no strict rule about turning any other type of record other than
SYSCALLs into compound records, we could add the user credentials if
they are identifiable without having a number of unset fields by using
an auxiliary record.  If this isn't possible or desirable, we'd need to
include those fields as unset in every message unless we discard
messages for which there is no identifying information.


We probably don't want to trot out all the fields in a packet like
tcpdump does, since many of them won't be of interest to us.  We want
protocol family, end points, type of packet.  The ones that would be
quite useful but may be hard to get are pid, auid, sessionid.


There is no packet for which all fields are valid.  This is why using
"unset" values in those fields was suggested.

I'd start by splitting data from control protocols if we even need
source/destination ports or icmp* details.  Those seem like pretty
important details, so I think we need to start there.

I'd be inclined to use the same message type for IPv4 and IPv6 and just
drop the IPv4-specific fields, or include them with the IPv6 record and
set them to "unset" (ipid, frag).

As for the MAC (Media Access Control) addresses I'm not sure what to
recommend.  We could fill them in with the outer MAC, we could leave them as
unset or could just delete them entirely.

Source IP addresses can be easily spoofed, particularly for UDP, so they
are not particularly useful and a MAC may have more useful information
if there are multiple potential local sources.  Depending on the local
hardware there is usually a MAC address, but may have been stripped by
the time we see that packet, but I think it is worth adding, but not
sure the best way to do this if there is a second MAC for tunnelling,
etc...


Ok, with that guidance...  from the start of the message:

helpful    action, hook
useless?   len
helpful    inif, outif, mark
useless?   smac, dmac, macproto
helpful    protocol family
useless?   truncated
helpful    saddr, daddr
useless?   ipid
helpful    proto
useless?   frag
useless?   truncated
helpful    sport, dport
helpful    icmptype, icmpcode
helpful    secmark (I forgot to change it from "obj" to "secmark" in my patch).

I agree truncate is not helpful, neither is ipid or frag I'm guessing.  I'm not
sure what the 3 MAC fields give us, other than some idea of routing
information (which might actually be useful in this context due to the
ease of IP addr and port spoofing).  I'd be tempted to add a network
protocol field between mark and saddr.

That could potentially bring us down to 4 distinct messages with no useless
fields:
-IP data        -action, hook, inif, outif, mark, pfam, saddr, daddr, proto, sport, dport[, secmark]
-IP control     -action, hook, inif, outif, mark, pfam, saddr, daddr, proto, icmptype, icmpcode[, secmark]
-other IP       -action, hook, inif, outif, mark, pfam, saddr, daddr, proto[, secmark]
-other non-IP   -action, hook, inif, outif, mark, pfam[, secmark]

I'd like to see a CHAIN name in there, but that doesn't appear to be
available, so we'd have to make do with the "

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-02-08 Thread Richard Guy Briggs
On 2017-02-08 18:11, Paul Moore wrote:
> On Wed, Feb 8, 2017 at 7:32 AM, Richard Guy Briggs  wrote:
> > On 2017-02-07 23:02, Paul Moore wrote:
> >> On Tue, Feb 7, 2017 at 4:22 PM, Richard Guy Briggs  wrote:
> >> > On 2017-02-06 14:41, Paul Moore wrote:
> >> >> On Sat, Feb 4, 2017 at 8:25 AM, Steve Grubb  wrote:
> >> >> > On Friday, February 3, 2017 6:44:16 PM EST Paul Moore wrote:
> >> >> >> I'm still trying to understand what purpose this record actually
> >> >> >> serves, and what requirements may exist.  In an earlier thread
> >> >> >> somewhere Steve mentioned some broad requirements around data
> >> >> >> import/export, and I really wonder if the NETFILTER_PKT record
> >> >> >> provides anything useful here when it really isn't connecting the
> >> >> >> traffic to the sender/receiver without a lot of additional logging and
> >> >> >> post-processing smarts.  If you were interested in data import/export
> >> >> >> I think auditing the socket syscalls would provide a much more useful
> >> >> >> set of records in the audit log.
> >> >> >
> >> >> > The problem here is we cannot be selective enough through the syscall
> >> >> > interface to get exactly what we want. For example, any auditing of connect
> >> >> > and accept will also get af_unix traffic which is likely to be uid/gid lookups
> >> >> > through sssd or glibc. Typically we want the IPv4/6 traffic. The netfilter rules
> >> >> > are better suited to describing which packets are of interest.
> >> >>
> >> >> Okay, but how useful are these NETFILTER_PKT records, really?  The
> >> >> only linkage you have back to the process on the local machine is via
> >> >> the addr/proto/port tuple and that seems far from ideal.
> >> >
> >> > And even that could be spoofed easily and gathering more corroborating
> >> > information would seem useful.
> >> >
> >> > Would the presence of the SOCKADDR record in any SYSCALL record be
> >> > useful for somehow tagging a class of fd as being of interest?
> >>
> >> I don't think we want to create a SOCKADDR record for every syscall,
> >> but it seems reasonable that we may want to include it for targeted
> >> syscalls.  Right now it looks like we create a SOCKADDR record
> >> whenever we copy a sockaddr struct across the kernel/userspace
> >> boundary, that should be sufficient, yes?
> >
> > Yes, we certainly don't need it for every syscall.  Since the sockaddr
> > record is only created if it is available we could further flag or check
> > the protocol to further process only the network-based sockaddrs and
> > ignore the unix sockaddrs for this purpose.  I'm picturing adding a flag
> > to the fd, but that is making me a bit nervous about overstepping our
> > usual code area.
> 
> Let's keep it as-is, I would think there are other cases where having
> the address info for AF_UNIX (and others) might be helpful.

I wasn't suggesting removing the existing AUDIT_SOCKADDR support for
AF_UNIX or other types of sockets, but rather when they are encountered
by the audit subsystem flag the fd (if it isn't already identified as
a network socket) as having more interesting information for network
auditing.

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-02-08 Thread Richard Guy Briggs
On 2017-02-07 23:02, Paul Moore wrote:
> On Tue, Feb 7, 2017 at 4:22 PM, Richard Guy Briggs  wrote:
> > On 2017-02-06 14:41, Paul Moore wrote:
> >> On Sat, Feb 4, 2017 at 8:25 AM, Steve Grubb  wrote:
> >> > On Friday, February 3, 2017 6:44:16 PM EST Paul Moore wrote:
> >> >> I'm still trying to understand what purpose this record actually
> >> >> serves, and what requirements may exist.  In an earlier thread
> >> >> somewhere Steve mentioned some broad requirements around data
> >> >> import/export, and I really wonder if the NETFILTER_PKT record
> >> >> provides anything useful here when it really isn't connecting the
> >> >> traffic to the sender/receiver without a lot of additional logging and
> >> >> post-processing smarts.  If you were interested in data import/export
> >> >> I think auditing the socket syscalls would provide a much more useful
> >> >> set of records in the audit log.
> >> >
> >> > The problem here is we cannot be selective enough through the syscall
> >> > interface to get exactly what we want. For example, any auditing of connect
> >> > and accept will also get af_unix traffic which is likely to be uid/gid lookups
> >> > through sssd or glibc. Typically we want the IPv4/6 traffic. The netfilter rules
> >> > are better suited to describing which packets are of interest.
> >>
> >> Okay, but how useful are these NETFILTER_PKT records, really?  The
> >> only linkage you have back to the process on the local machine is via
> >> the addr/proto/port tuple and that seems far from ideal.
> >
> > And even that could be spoofed easily and gathering more corroborating
> > information would seem useful.
> >
> > Would the presence of the SOCKADDR record in any SYSCALL record be
> > useful for somehow tagging a class of fd as being of interest?
> 
> I don't think we want to create a SOCKADDR record for every syscall,
> but it seems reasonable that we may want to include it for targeted
> syscalls.  Right now it looks like we create a SOCKADDR record
> whenever we copy a sockaddr struct across the kernel/userspace
> boundary, that should be sufficient, yes?

Yes, we certainly don't need it for every syscall.  Since the sockaddr
record is only created if it is available we could further flag or check
the protocol to further process only the network-based sockaddrs and
ignore the unix sockaddrs for this purpose.  I'm picturing adding a flag
to the fd, but that is making me a bit nervous about overstepping our
usual code area.

> paul moore

- RGB



Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-02-07 Thread Richard Guy Briggs
On 2017-02-06 14:41, Paul Moore wrote:
> On Sat, Feb 4, 2017 at 8:25 AM, Steve Grubb  wrote:
> > On Friday, February 3, 2017 6:44:16 PM EST Paul Moore wrote:
> >> I'm still trying to understand what purpose this record actually
> >> serves, and what requirements may exist.  In an earlier thread
> >> somewhere Steve mentioned some broad requirements around data
> >> import/export, and I really wonder if the NETFILTER_PKT record
> >> provides anything useful here when it really isn't connecting the
> >> traffic to the sender/receiver without a lot of additional logging and
> >> post-processing smarts.  If you were interested in data import/export
> >> I think auditing the socket syscalls would provide a much more useful
> >> set of records in the audit log.
> >
> > The problem here is we cannot be selective enough through the syscall
> > interface to get exactly what we want. For example, any auditing of connect
> > and accept will also get af_unix traffic which is likely to be uid/gid lookups
> > through sssd or glibc. Typically we want the IPv4/6 traffic. The netfilter rules
> > are better suited to describing which packets are of interest.
> 
> Okay, but how useful are these NETFILTER_PKT records, really?  The
> only linkage you have back to the process on the local machine is via
> the addr/proto/port tuple and that seems far from ideal.

And even that could be spoofed easily and gathering more corroborating
information would seem useful.

Would the presence of the SOCKADDR record in any SYSCALL record be
useful for somehow tagging a class of fd as being of interest?

> >> Considering that one of the primary motivations for the audit
> >> subsystem is to enable compliance with various security
> >> specifications, let's get the ones we know about listed in this thread
> >> and then figure out how best to meet those requirements.
> >
> > Common Criteria calls out for the ability to detect any attempt at information
> > flow. Everything else leverages the CC requirements.
> 
> Yes, you've mentioned this previously.  This is good, but we need to
> make these requirements a bit more concrete; we need something we can
> use to arrive at a working implementation that satisfies these
> requirements.
> 
> If this is purely about information flowing from A to B, would the
> source and destination addr/proto/port for TCP and UDP suffice?  Do we
> need anything else?
> 
> -- 
> paul moore
> www.paul-moore.com

- RGB



Re: AUDIT_NETFILTER_PKT message format

2017-02-07 Thread Richard Guy Briggs
On 2017-01-20 09:49, Steve Grubb wrote:
> On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote:
> > On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs  wrote:
> > > On 2017-01-18 07:32, Paul Moore wrote:
> > >> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs  wrote:
> > >> > On 2017-01-17 21:34, Richard Guy Briggs wrote:
> > >> >> On 2017-01-17 15:17, Paul Moore wrote:
> > >> >> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs  wrote:
> > >> >> > > On 2017-01-17 08:55, Steve Grubb wrote:
> > >> >> > >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:
> > >> >> > ...
> > >> >> > 
> > >> >> > >> > Ones that are not so straightforward:
> > >> >> > >> > - "secmark" depends on a kernel config setting, so should it always be
> > >> >> > >> >   present but "(none)" if that kernel feature is compiled out?
> > >> >> > >> 
> > >> >> > >> If this is selinux related, I'd treat it the same way that we do subj
> > >> >> > >> everywhere else.
> > >> >> > > 
> > >> >> > > Ok.
> > >> >> > 
> > >> >> > To be clear, a packet's secmark should be recorded via a dedicated
> > >> >> > field, e.g. "secmark", and not use the "subj" field (it isn't a
> > >> >> > subject label in the traditional sense).
> > >> >> 
> > >> >> I think Steve was talking about if, when or where to include that field,
> > >> >> not what its label is.
> > >> > 
> > >> > In this case it is an "obj=" field, but since it is part of the LSM,
> > >> > each one has its own fields.
> > >> 
> > >> As I said above, use a "secmark" field and not the subject or object
> > >> fields; packet labeling is rather complex and there is value in
> > >> differentiating between secmark labels and network peer labels.
> > > 
> > > Ok, I'll change it from the existing "obj=" to "secmark=".  Since it is
> > > an LSM-dependent field, it will go away when that LSM module does.  It
> > > is the very last item in the list of fields, so I don't see this as a
> > > problem.
> > > 
> > > 
> > > I have more questions and observations:
> > > 
> > > Do we care if the rest of the record's fields are there if the packet is
> > > truncated?  In other words, can I omit all the following fields (that
> > > will end up being set to (none) or -1 since there is no data for them)?
> > > I'd prefer to complete the record, but Steve may not care and might
> > > prefer to save the bandwidth.
> > > 
> > > Can I truncate the field name "truncated" to "trunc" (since I don't see
> > > it yet in the audit field dictionary) if we do include all the fields?
> > > 
> > > I observe that support for IPPROTO_DCCP and IPPROTO_SCTP can be added
> > > virtually for free since the source and destination ports in their packet
> > > formats are identical to TCP and UDP (and UDPLITE).
> > > 
> > > 
> > > At this point, it looks like having one record for IP/IPv6 with
> > > TCP/UDP/DCCP/SCTP makes sense.  Whether or not to add ethernet bridge
> > > headers and ICMP* is a more difficult question.  Ethernet bridge adds 40
> > > chars if it isn't used, up to 62 if it is.  ICMP* adds 26 max.
> > > 
> > > It is an independent record, but it would be nice to be able to reuse
> > > the message ID with a new record type to list sub-parts of the packet,
> > > for example, reuse the existing record type (AUDIT_NETFILTER_PKT) for
> > > the first 5 fields, mark and secmark, then another record type
> > > (AUDIT_NETFILTER_PKT_ETH) for ethernet header, a record
> > > (AUDIT_NETFILTER_PKT_IP) for IP/IPv6 header, then another
> > > (AUDIT_NETFILTER_PKT_PROTO) for transport layer protocol.  This way, the
> > > absence of an ethernet bridge header won't swing out three fields, or
> > > waste 40 chars.  IPv4 adds

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-01-31 Thread Richard Guy Briggs
On 2017-01-31 17:13, Steve Grubb wrote:
> On Tue, 31 Jan 2017 07:57:23 -0500
> Richard Guy Briggs  wrote:
> 
> > On 2017-01-30 10:13, Richard Guy Briggs wrote:
> > > On 2017-01-30 15:53, Steve Grubb wrote:  
> > > > On Fri, 27 Jan 2017 08:11:06 -0500
> > > > Richard Guy Briggs  wrote:  
> > > > > Eliminate flipping in and out of message fields.
> > > > > 
> > > > > https://github.com/linux-audit/audit-kernel/issues/11  
> > > > 
> > > > Do you have sample events that shows how this changes the record
> > > > format? I like to review how the event looks when a patch changes
> > > > or adds a record.  
> > > 
> > > I used the format that was proposed.  Here are several samples from
> > > running this RFC patch through the RFC test script:
> > > 
> > >   ausearch --start 01/27/2017 -i -m netfilter_pkt
> > > 
> > > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.649:183) : action=ACCEPT hook=OUTPUT len=84 inif=? outif=lo mark=0xa044a1d4 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=icmp frag=255 trunc=-1 sport=65535 dport=65535 icmptype=echo icmpcode=0
> > > 
> > > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.649:184) : action=ACCEPT hook=INPUT len=84 inif=lo outif=? mark=0xbadeac28 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=icmp frag=255 trunc=-1 sport=65535 dport=65535 icmptype=echo icmpcode=0
> > > 
> > > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.652:185) : action=ACCEPT hook=INPUT len=104 inif=lo outif=? mark=0xb404724 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=ipv6-icmp frag=-1 trunc=-1 sport=65535 dport=65535 icmptype=unknown icmp type (128) icmpcode=0
> > > 
> > > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.655:186) : action=ACCEPT hook=INPUT len=60 inif=lo outif=? mark=0xe2bd8098 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=29381 proto=tcp frag=255 trunc=-1 sport=51064 dport=42424 icmptype=unknown icmp type (255) icmpcode=255
> > > 
> > > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.657:187) : action=ACCEPT hook=INPUT len=80 inif=lo outif=? mark=0xf80a9dd7 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=tcp frag=-1 trunc=-1 sport=38188 dport=42424 icmptype=unknown icmp type (255) icmpcode=255
> > > 
> > > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.659:188) : action=ACCEPT hook=INPUT len=31 inif=lo outif=? mark=0xa6d8d4ac smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=46304 proto=udp frag=255 trunc=-1 sport=60095 dport=42424 icmptype=unknown icmp type (255) icmpcode=255
> > > 
> > > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.661:189) : action=ACCEPT hook=INPUT len=51 inif=lo outif=? mark=0x3f0d6054 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=udp frag=-1 trunc=-1 sport=43818 dport=42424 icmptype=unknown icmp type (255) icmpcode=255
> > 
> > Here are the raw messages:
> > 
> > 
> > time->Fri Jan 27 08:03:35 2017
> > type=NETFILTER_PKT msg=audit(1485522215.649:183): action=0 hook=3 len=84 inif=? outif=lo mark=0xa044a1d4 smac=? dmac=? macproto=0x trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=1 frag=255 trunc=-1 sport=65535 dport=65535 icmptype=8 icmpcode=0
> > 
> > time->Fri Jan 27 08:03:35 2017
> > type=NETFILTER_PKT msg=audit(1485522215.649:184): action=0 hook=1 len=84 inif=lo outif=? mark=0xbadeac28 smac=? dmac=? macproto=0x trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=1 frag=255 trunc=-1 sport=65535 dport=65535 icmptype=8 icmpcode=0
> > 
> > time->Fri Jan 27 08:03:35 2017
> > type=NETFILTER_PKT msg=audit(1485522215.652:185): action=0 hook=1 len=104 inif=lo outif=? mark=0xb404724 smac=? dmac=? macproto=0x trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=58 frag=-1 trunc=-1 sport=65535 dport=65535 icmptype=128 icmpcode=0
> > 
> > time->Fri Jan 27 08:03:35 2017
> > type=NETFILTER_PKT msg=audit(1485522215.655:186): action=0 hook=1 len=60 inif=lo outif=? mark=0xe2bd8098 smac=? dmac=? macproto=0x trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=29381 proto=6 frag

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-01-31 Thread Richard Guy Briggs
On 2017-01-30 10:13, Richard Guy Briggs wrote:
> On 2017-01-30 15:53, Steve Grubb wrote:
> > On Fri, 27 Jan 2017 08:11:06 -0500
> > Richard Guy Briggs  wrote:
> > > Eliminate flipping in and out of message fields.
> > > 
> > > https://github.com/linux-audit/audit-kernel/issues/11
> > 
> > Do you have sample events that shows how this changes the record
> > format? I like to review how the event looks when a patch changes or
> > adds a record.
> 
> I used the format that was proposed.  Here are several samples from
> running this RFC patch through the RFC test script:
> 
>   ausearch --start 01/27/2017 -i -m netfilter_pkt
> 
> type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.649:183) : action=ACCEPT 
> hook=OUTPUT len=84 inif=? outif=lo mark=0xa044a1d4 smac=? dmac=? 
> macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 
> proto=icmp frag=255 trunc=-1 sport=65535 dport=65535 icmptype=echo icmpcode=0 
> 
> type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.649:184) : action=ACCEPT 
> hook=INPUT len=84 inif=lo outif=? mark=0xbadeac28 smac=? dmac=? 
> macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 
> proto=icmp frag=255 trunc=-1 sport=65535 dport=65535 icmptype=echo icmpcode=0 
> 
> type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.652:185) : action=ACCEPT 
> hook=INPUT len=104 inif=lo outif=? mark=0xb404724 smac=? dmac=? 
> macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=ipv6-icmp frag=-1 
> trunc=-1 sport=65535 dport=65535 icmptype=unknown icmp type (128) icmpcode=0 
> 
> type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.655:186) : action=ACCEPT 
> hook=INPUT len=60 inif=lo outif=? mark=0xe2bd8098 smac=? dmac=? 
> macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=29381 
> proto=tcp frag=255 trunc=-1 sport=51064 dport=42424 icmptype=unknown icmp 
> type (255) icmpcode=255 
> 
> type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.657:187) : action=ACCEPT 
> hook=INPUT len=80 inif=lo outif=? mark=0xf80a9dd7 smac=? dmac=? 
> macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=tcp frag=-1 
> trunc=-1 sport=38188 dport=42424 icmptype=unknown icmp type (255) 
> icmpcode=255 
> 
> type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.659:188) : action=ACCEPT 
> hook=INPUT len=31 inif=lo outif=? mark=0xa6d8d4ac smac=? dmac=? 
> macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=46304 
> proto=udp frag=255 trunc=-1 sport=60095 dport=42424 icmptype=unknown icmp 
> type (255) icmpcode=255 
> 
> type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.661:189) : action=ACCEPT 
> hook=INPUT len=51 inif=lo outif=? mark=0x3f0d6054 smac=? dmac=? 
> macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=udp frag=-1 
> trunc=-1 sport=43818 dport=42424 icmptype=unknown icmp type (255) 
> icmpcode=255 
> 

Here are the raw messages:


time->Fri Jan 27 08:03:35 2017
type=NETFILTER_PKT msg=audit(1485522215.649:183): action=0 hook=3 len=84 inif=? 
outif=lo mark=0xa044a1d4 smac=? dmac=? macproto=0x trunc=-1 saddr=127.0.0.1 
daddr=127.0.0.1 ipid=26581 proto=1 frag=255 trunc=-1 sport=65535 dport=65535 
icmptype=8 icmpcode=0

time->Fri Jan 27 08:03:35 2017
type=NETFILTER_PKT msg=audit(1485522215.649:184): action=0 hook=1 len=84 
inif=lo outif=? mark=0xbadeac28 smac=? dmac=? macproto=0x trunc=-1 
saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=1 frag=255 trunc=-1 
sport=65535 dport=65535 icmptype=8 icmpcode=0

time->Fri Jan 27 08:03:35 2017
type=NETFILTER_PKT msg=audit(1485522215.652:185): action=0 hook=1 len=104 
inif=lo outif=? mark=0xb404724 smac=? dmac=? macproto=0x trunc=-1 saddr=::1 
daddr=::1 ipid=-1 proto=58 frag=-1 trunc=-1 sport=65535 dport=65535 
icmptype=128 icmpcode=0

time->Fri Jan 27 08:03:35 2017
type=NETFILTER_PKT msg=audit(1485522215.655:186): action=0 hook=1 len=60 
inif=lo outif=? mark=0xe2bd8098 smac=? dmac=? macproto=0x trunc=-1 
saddr=127.0.0.1 daddr=127.0.0.1 ipid=29381 proto=6 frag=255 trunc=-1 
sport=51064 dport=42424 icmptype=255 icmpcode=255

time->Fri Jan 27 08:03:35 2017
type=NETFILTER_PKT msg=audit(1485522215.657:187): action=0 hook=1 len=80 
inif=lo outif=? mark=0xf80a9dd7 smac=? dmac=? macproto=0x trunc=-1 
saddr=::1 daddr=::1 ipid=-1 proto=6 frag=-1 trunc=-1 sport=38188 dport=42424 
icmptype=255 icmpcode=255

time->Fri Jan 27 08:03:35 2017
type=NETFILTER_PKT msg=audit(1485522215.659:188): action=0 hook=1 len=31 
inif=lo outif=? mark=0xa6d8d4ac smac=? dmac=? macproto=0x trunc=-1 
saddr=127.0.0.1 daddr=127.0.0.1 ipid=46304 proto=17 frag=255 trunc=-1 
sport=60095 dport=42424 icmptype=255 icmpcode=255

time->Fri Jan 27 08:03:35 2017
type=NETFILTER_PKT msg=audit(1485522215.661:189): action=0 hook=1 len=51 
inif=lo outif=? mark=

Re: [RFC PATCH] audit: normalize NETFILTER_PKT

2017-01-30 Thread Richard Guy Briggs
On 2017-01-30 15:53, Steve Grubb wrote:
> On Fri, 27 Jan 2017 08:11:06 -0500
> Richard Guy Briggs  wrote:
> > Eliminate flipping in and out of message fields.
> > 
> > https://github.com/linux-audit/audit-kernel/issues/11
> 
> Do you have sample events that shows how this changes the record
> format? I like to review how the event looks when a patch changes or
> adds a record.

I used the format that was proposed.  Here are several samples from
running this RFC patch through the RFC test script:

ausearch --start 01/27/2017 -i -m netfilter_pkt

type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.649:183) : action=ACCEPT 
hook=OUTPUT len=84 inif=? outif=lo mark=0xa044a1d4 smac=? dmac=? 
macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=icmp 
frag=255 trunc=-1 sport=65535 dport=65535 icmptype=echo icmpcode=0 

type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.649:184) : action=ACCEPT 
hook=INPUT len=84 inif=lo outif=? mark=0xbadeac28 smac=? dmac=? 
macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=icmp 
frag=255 trunc=-1 sport=65535 dport=65535 icmptype=echo icmpcode=0 

type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.652:185) : action=ACCEPT 
hook=INPUT len=104 inif=lo outif=? mark=0xb404724 smac=? dmac=? 
macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=ipv6-icmp frag=-1 
trunc=-1 sport=65535 dport=65535 icmptype=unknown icmp type (128) icmpcode=0 

type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.655:186) : action=ACCEPT 
hook=INPUT len=60 inif=lo outif=? mark=0xe2bd8098 smac=? dmac=? 
macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=29381 proto=tcp 
frag=255 trunc=-1 sport=51064 dport=42424 icmptype=unknown icmp type (255) 
icmpcode=255 

type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.657:187) : action=ACCEPT 
hook=INPUT len=80 inif=lo outif=? mark=0xf80a9dd7 smac=? dmac=? 
macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=tcp frag=-1 
trunc=-1 sport=38188 dport=42424 icmptype=unknown icmp type (255) icmpcode=255 

type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.659:188) : action=ACCEPT 
hook=INPUT len=31 inif=lo outif=? mark=0xa6d8d4ac smac=? dmac=? 
macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=46304 proto=udp 
frag=255 trunc=-1 sport=60095 dport=42424 icmptype=unknown icmp type (255) 
icmpcode=255 

type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.661:189) : action=ACCEPT 
hook=INPUT len=51 inif=lo outif=? mark=0x3f0d6054 smac=? dmac=? 
macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=udp frag=-1 
trunc=-1 sport=43818 dport=42424 icmptype=unknown icmp type (255) icmpcode=255 


> -Steve
> 
> 
> > Signed-off-by: Richard Guy Briggs 
> > ---
> >  net/netfilter/xt_AUDIT.c |   92 +-
> >  1 files changed, 66 insertions(+), 26 deletions(-)
> > 
> > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> > index 4973cbd..8089ec2 100644
> > --- a/net/netfilter/xt_AUDIT.c
> > +++ b/net/netfilter/xt_AUDIT.c
> > @@ -31,24 +31,41 @@ MODULE_ALIAS("ip6t_AUDIT");
> >  MODULE_ALIAS("ebt_AUDIT");
> >  MODULE_ALIAS("arpt_AUDIT");
> >  
> > +struct nfpkt_par {
> > +   int ipv;
> > +   int iptrunc;
> > +   const void *saddr;
> > +   const void *daddr;
> > +   u16 ipid;
> > +   u8 proto;
> > +   u8 frag;
> > +   int ptrunc;
> > +   u16 sport;
> > +   u16 dport;
> > +   u8 icmpt;
> > +   u8 icmpc;
> > +};
> > +
> >  static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
> > -   unsigned int proto, unsigned int offset)
> > +   unsigned int proto, unsigned int offset,
> > struct nfpkt_par *apar) {
> > switch (proto) {
> > case IPPROTO_TCP:
> > case IPPROTO_UDP:
> > -   case IPPROTO_UDPLITE: {
> > +   case IPPROTO_UDPLITE:
> > +   case IPPROTO_DCCP:
> > +   case IPPROTO_SCTP: {
> > const __be16 *pptr;
> > __be16 _ports[2];
> >  
> > pptr = skb_header_pointer(skb, offset,
> > sizeof(_ports), _ports); if (pptr == NULL) {
> > -   audit_log_format(ab, " truncated=1");
> > +   apar->ptrunc = 1;
> > return;
> > }
> > +   apar->sport = ntohs(pptr[0]);
> > +   apar->dport = ntohs(pptr[1]);
> >  
> > -   audit_log_format(ab, " sport=%hu dport=%hu",
> > -ntohs(pptr[0]), ntohs(pptr[1]));
> > }
> > break;
> >  
> > @@ -59,41 +76,43 @@

[RFC PATCH] audit: normalize NETFILTER_PKT

2017-01-27 Thread Richard Guy Briggs
Eliminate flipping in and out of message fields.

https://github.com/linux-audit/audit-kernel/issues/11

Signed-off-by: Richard Guy Briggs 
---
 net/netfilter/xt_AUDIT.c |   92 +-
 1 files changed, 66 insertions(+), 26 deletions(-)

diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 4973cbd..8089ec2 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -31,24 +31,41 @@ MODULE_ALIAS("ip6t_AUDIT");
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 
+struct nfpkt_par {
+   int ipv;
+   int iptrunc;
+   const void *saddr;
+   const void *daddr;
+   u16 ipid;
+   u8 proto;
+   u8 frag;
+   int ptrunc;
+   u16 sport;
+   u16 dport;
+   u8 icmpt;
+   u8 icmpc;
+};
+
 static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
-   unsigned int proto, unsigned int offset)
+   unsigned int proto, unsigned int offset, struct 
nfpkt_par *apar)
 {
switch (proto) {
case IPPROTO_TCP:
case IPPROTO_UDP:
-   case IPPROTO_UDPLITE: {
+   case IPPROTO_UDPLITE:
+   case IPPROTO_DCCP:
+   case IPPROTO_SCTP: {
const __be16 *pptr;
__be16 _ports[2];
 
pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
if (pptr == NULL) {
-   audit_log_format(ab, " truncated=1");
+   apar->ptrunc = 1;
return;
}
+   apar->sport = ntohs(pptr[0]);
+   apar->dport = ntohs(pptr[1]);
 
-   audit_log_format(ab, " sport=%hu dport=%hu",
-ntohs(pptr[0]), ntohs(pptr[1]));
}
break;
 
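Review bot: the new struct nfpkt_par cannot hold the -1 "unset" value agreed on earlier in the thread. `u16 ipid;`, `u16 sport;`, `u16 dport;`, `u8 icmpt;` and `u8 icmpc;` are unsigned, and the sample records at the top of the page accordingly show `ipid=-1` and `frag=-1` for IPv6 but `icmpcode=255` for TCP/UDP, so whatever prints the struct has to choose a sentinel per field from ipv/ptrunc; either widen those members to int or state the per-field sentinel in the commit message. Also in this hunk: nothing initializes the struct, and the members are only ever set (`apar->ptrunc = 1;`), never cleared, so the caller must zero it before use; `struct audit_buffer *ab` is no longer used inside the visible part of audit_proto and could be dropped; the blank line left between `apar->dport = ntohs(pptr[1]);` and the closing brace is leftover from the removed audit_log_format call; and the new IPPROTO_DCCP/IPPROTO_SCTP case labels are a functional change unrelated to normalization that deserves a sentence in the commit message or its own patch.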
@@ -59,41 +76,43 @@ static void audit_proto(struct audit_buffer *ab, struct 
sk_buff *skb,
 
iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
if (iptr == NULL) {
-   audit_log_format(ab, " truncated=1");
+   apar->ptrunc = 1;
return;
}
-
-   audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
-iptr[0], iptr[1]);
+   apar->icmpt = iptr[0];
+   apar->icmpc = iptr[1];
 
}
break;
}
 }
 
-static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb, struct 
nfpkt_par *apar)
 {
struct iphdr _iph;
const struct iphdr *ih;
 
+   apar->ipv = 4;
ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
if (!ih) {
-   audit_log_format(ab, " truncated=1");
+   apar->iptrunc = 1;
return;
}
 
-   audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
-   &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
+   apar->saddr = &ih->saddr;
+   apar->daddr = &ih->daddr;
+   apar->ipid = ntohs(ih->id);
+   apar->proto = ih->protocol;
 
if (ntohs(ih->frag_off) & IP_OFFSET) {
-   audit_log_format(ab, " frag=1");
+   apar->frag = 1;
return;
}
 
-   audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+   audit_proto(ab, skb, ih->protocol, ih->ihl * 4, apar);
 }
 
-static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb, struct 
nfpkt_par *apar)
 {
struct ipv6hdr _ip6h;
const struct ipv6hdr *ih;
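Review bot: `apar->saddr = &ih->saddr;` and `apar->daddr = &ih->daddr;` store pointers that can dangle. `ih` comes from `skb_header_pointer(skb, 0, sizeof(_iph), &_iph)`, which returns `&_iph` when the header is not linear in the skb, and `_iph` is a local of audit_ip4; the old code formatted the addresses before returning, whereas the new code hands the pointers back for formatting after audit_ip4 has returned. Copy the addresses into nfpkt_par instead (a union of `__be32` and `struct in6_addr`, selected by `apar->ipv`), or keep formatting them here with the audit_buffer that is still passed in. The same applies to audit_ip6 and its `_ip6h` buffer, whose declaration is visible at the end of this hunk.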
@@ -101,9 +120,10 @@ static void audit_ip6(struct audit_buffer *ab, struct 
sk_buff *skb)
__be16 frag_off;
int offset;
 
+   apar->ipv = 6;
ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), 
&_ip6h);
if (!ih) {
-   audit_log_format(ab, " truncated=1");
+   apar->iptrunc = 1;
return;
}
 
@@ -111,11 +131,12 @@ static void audit_ip6(struct audit_buffer *ab, struct 
sk_buff *skb)
offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
  &nexthdr, &frag_off);
 
-   audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-&ih->saddr, &ih->daddr, nexthdr);
+   apar->saddr = &ih->saddr;
+   apar->daddr = &ih->daddr;
+   apar->proto = nexthdr;
 
if (offset)
-   audit_proto(ab, skb, nexthdr, offset);
+   audit_proto(ab, skb, nexthdr, offset, apar);
 }
 
 static unsi
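Review bot: same lifetime problem as in audit_ip4: `apar->saddr = &ih->saddr;` and `apar->daddr = &ih->daddr;` may point into the on-stack `_ip6h` copy filled by `skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h)`, and the pointers are consumed after audit_ip6 returns. Copying `ih->saddr` and `ih->daddr` (struct in6_addr, 16 bytes each) into nfpkt_par fixes both functions at once.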

Re: AUDIT_NETFILTER_PKT message format

2017-01-22 Thread Richard Guy Briggs
On 2017-01-21 20:12, Patrick PIGNOL wrote:
> Hi all,
> 
> I just wrote that because I read
> 
> "
> 
> Determining the pid/subj of a packet is notoriously
> difficult/impossible in netfilter so let's drop that; with proper
> policy/rules you should be able to match proto/port with a given
> process so this shouldn't be that critical.  The source/destination
> addresses and proto/port (assuming IP) should be easy enough.
> 
> "
> 
> OK, you've explained to me that you're talking about the "Linux audit"
> sub-system. Cool, I didn't read it like that! (I'm waiting for the
> netfilter-dev ml.)
> 
> Don't tell me that windows is better than linux on that point (see
> ZoneAlarm). I know ZoneAlarm is a Firewall. But if Linux could trace
> it from netfilter you should integrate it in your audit sub system.
> 
> I think it would be good to be able to know which application asks to
> send/receive packets on which protocol and on which port and for
> which IP target (from/to) at a given level of verbosity (debug) and
> how many times per time-unit (minute-hour).
> 
> At this level the content of the packet is not really useful; I think
> Wireshark is better for that.
> 
> Sorry for the noise, but it is still important for me as a user to be
> able to trace who has access to and from my computer.

As Paul points out, there are things we know about all packets that we
can put into that report.  There are things we don't know that can't be
a MUST, but can be a SHOULD if we know them to be able to record them
and would be useful.  The challenge here is that if we add a number of
fields from the SHOULD list that are unknown for some use cases
(FORWARD, userless in-kernel targets, ...) they will consume bandwidth
to report empty values, and we are trying to normalize this audit record
type so that fields don't swing in and out needlessly.

> Best regards,
> 
> Patrick PIGNOL
> 
> 
> Le 21/01/2017 à 18:37, Paul Moore a écrit :
> >On Sat, Jan 21, 2017 at 6:27 AM, Patrick PIGNOL
> > wrote:
> >>Hi all,
> >>
> >>I disagree !
> >>
> >>Many people in the world would like to allow a software A to go to the internet
> >>through OUTPUT TCP port 80 but disallow software B to go to the internet
> >>through this same OUTPUT TCP port 80. Don't you know about viruses on Linux?
> >>Viruses ALWAYS use HTTP/HTTPS ports to get payloads on the internet and OUTPUT
> >>TCP port 443 COULD NOT be CLOSED for ALL SOFTWARE if you want to access
> >>internet services (via internet browsers for example).
> >The Linux audit subsystem simply logs system events, it does not
> >enforce security policy.  I suggest you investigate the different
> >Linux firewall tools and LSMs, e.g. SELinux, as they should help you
> >accomplish what you describe.
> >
> 

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Richard Guy Briggs
On 2017-01-18 07:32, Paul Moore wrote:
> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs  wrote:
> > On 2017-01-17 21:34, Richard Guy Briggs wrote:
> >> On 2017-01-17 15:17, Paul Moore wrote:
> >> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs wrote:
> >> > > On 2017-01-17 08:55, Steve Grubb wrote:
> >> > >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:
> >> >
> >> > ...
> >> >
> >> > >> > Ones that are not so straightforward:
> >> > >> > - "secmark" depends on a kernel config setting, so should it always be
> >> > >> >   present but "(none)" if that kernel feature is compiled out?
> >> > >>
> >> > >> If this is selinux related, I'd treat it the same way that we do subj
> >> > >> everywhere else.
> >> > >
> >> > > Ok.
> >> >
> >> > To be clear, a packet's secmark should be recorded via a dedicated
> >> > field, e.g. "secmark", and not use the "subj" field (it isn't a
> >> > subject label in the traditional sense).
> >>
> >> I think Steve was talking about if, when or where to include that field,
> >> not what its label is.
> >
> > In this case it is an "obj=" field, but since it is part of the LSM,
> > each one has its own fields.
> 
> As I said above, use a "secmark" field and not the subject or object
> fields; packet labeling is rather complex and there is value in
> differentiating between secmark labels and network peer labels.

Ok, I'll change it from the existing "obj=" to "secmark=".  Since it is
an LSM-dependent field, it will go away when that LSM module does.  It
is the very last item in the list of fields, so I don't see this as a
problem.


I have more questions and observations:

Do we care if the rest of the record's fields are there if the packet is
truncated?  In other words, can I omit all the following fields (that
will end up being set to (none) or -1 since there is no data for them)?
I'd prefer to complete the record, but Steve may not care and might
prefer to save the bandwidth.

Can I truncate the field name "truncated" to "trunc" (since I don't see
it yet in the audit field dictionary) if we do include all the fields?

I observe that support for IPPROTO_DCCP and IPPROTO_SCTP can be added
virtually for free since the source and destination ports in their packet
formats are identical to TCP and UDP (and UDPLITE).


At this point, it looks like having one record for IP/IPv6 with
TCP/UDP/DCCP/SCTP makes sense.  Whether or not to add ethernet bridge
headers and ICMP* is a more difficult question.  Ethernet bridge adds 40 chars
if it isn't used, up to 62 if it is.  ICMP* adds 26 max.

It is an independent record, but it would be nice to be able to reuse
the message ID with a new record type to list sub-parts of the packet,
for example, reuse the existing record type (AUDIT_NETFILTER_PKT) for
the first 5 fields, mark and secmark, then another record type
(AUDIT_NETFILTER_PKT_ETH) for ethernet header, a record
(AUDIT_NETFILTER_PKT_IP) for IP/IPv6 header, then another
(AUDIT_NETFILTER_PKT_PROTO) for transport layer protocol.  This way, the
absence of an ethernet bridge header won't swing out three fields, or waste 40
chars.  IPv4 adds about 20 chars not used by IPv6.  TCP/UDP/DCCP/SCTP vs ICMP*
is about 25 chars each.  The max message is 322 chars (eth bridge, IPv6).  A
non-ethernet-bridge non-IP* message would be as little as 76 without the extra
fields, but as much as 219 with the extra fields filled with unset values.

A full message could look like (I've left off secmark, which would go at the 
end):
action=9 hook=99 len=99 inif= outif= mark=0x 
smac=FF:FF:FF:FF:FF:FF dmac=FF:FF:FF:FF:FF:FF macproto=0x trunc=9 
saddr=::::::: 
daddr=::::::: ipid=-1 proto=255 frag=-1 trunc=9 
sport=9 dport=9 icmptype=999 icmpcode=999


> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 21:34, Richard Guy Briggs wrote:
> On 2017-01-17 15:17, Paul Moore wrote:
> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs wrote:
> > > On 2017-01-17 08:55, Steve Grubb wrote:
> > >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:
> > 
> > ...
> > 
> > >> > Ones that are not so straightforward:
> > >> > - "secmark" depends on a kernel config setting, so should it always be
> > >> >   present but "(none)" if that kernel feature is compiled out?
> > >>
> > >> If this is selinux related, I'd treat it the same way that we do subj
> > >> everywhere else.
> > >
> > > Ok.
> > 
> > To be clear, a packet's secmark should be recorded via a dedicated
> > field, e.g. "secmark", and not use the "subj" field (it isn't a
> > subject label in the traditional sense).
> 
> I think Steve was talking about if, when or where to include that field,
> not what its label is.

In this case it is an "obj=" field, but since it is part of the LSM,
each one has its own fields.

> > paul moore
> 
> - RGB

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 15:17, Paul Moore wrote:
> On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs  wrote:
> > On 2017-01-17 08:55, Steve Grubb wrote:
> >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:
> 
> ...
> 
> >> > Ones that are not so straightforward:
> >> > - "secmark" depends on a kernel config setting, so should it always be
> >> >   present but "(none)" if that kernel feature is compiled out?
> >>
> >> If this is selinux related, I'd treat it the same way that we do subj
> >> everywhere else.
> >
> > Ok.
> 
> To be clear, a packet's secmark should be recorded via a dedicated
> field, e.g. "secmark", and not use the "subj" field (it isn't a
> subject label in the traditional sense).

I think Steve was talking about if, when or where to include that field,
not what its label is.

> paul moore

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 11:12, Richard Guy Briggs wrote:
> On 2017-01-17 08:55, Steve Grubb wrote:
> > On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:
> > > I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT
> > > event messages and it is not quite as straightforward as I had expected.
> > > 
> > > It is being tracked here:
> > >   https://github.com/linux-audit/audit-kernel/issues/11
> > > and refers to a previous posting from Mr. Dash Four from four years ago
> > > to which there was no reply.
> > > 
> > > The example given in the tracker above for "frag=" is fairly
> > > straightforward, but digging more, there are a number of others that are
> > > not quite so obvious.
> > > 
> > > How many different combinations of fields is acceptable?  Can we create
> > > new message types for each one, or is there a preferred way to indicate
> > > which sub-type it is other than implicit from the arguments given?
> > 
> > That would be preferential to swinging fields in and out. But we also don't 
> > want to add too many new types. If two protocols look almost identical, I'd 
> > try to coerce them to be the same. If adding 2 new types solves the problem 
> > just do it. If it takes 10, then maybe we should understand why.
> 
> Ok, I'll have a go at mapping some out and see where we end up...
> 
> > > Others that are straightforward:
> > > - The first "truncated=" gets pulled in with "0".
> > > 
> > > - "mark=" gets pulled in with "0".
> > > 
> > > Ones that are not so straightforward:
> > > - "secmark" depends on a kernel config setting, so should it always be
> > >   present but "(none)" if that kernel feature is compiled out?
> > 
> > If this is selinux related, I'd treat it the same way that we do subj 
> > everywhere else.
> 
> Ok.
> 
> > > - ARPHRD_ETHER pulls in 3 fields, I would pull them all in and set them
> > >   to "(none)" to indicate that type isn't present.
> > 
> > "(none)" is for character fields that have nothing. Typically we set -1 for
> > numeric fields that are unset. If numbers are expected, it's going to get the
> > strtol() treatment and "(none)" will cause a conversion error.
> 
> Ah, ok.  I certainly don't want to break the parser, so I'll use -1 or
> find another way to indicate it.
> 
> > > - audit_ip4() and audit_ip6 share "saddr=", "daddr=", proto=", but ip4
> > >   adds "ipid=", which would be set to "(none)" for ip6.

I assume that v4, v6 and mac address fields count as text?

> > That is numeric. -1?
> 
> Yup, 16-bit.  I'll make it -1.
> 
> > -Steve
> > 
> > > - audit_proto() pulls in "truncated=" again, then either "sport=" and
> > >   "dport=" OR "icmptype=" and "icmpcode=".
> > > 
> > > If all fields are pulled in, we end up adding 10 fields beyond a
> > > standard well-formed packet, and 15 beyond a truncated packet.
> > > 
> > > Note: In the cases of "mark" and "secmark" both are unions.  In the case of
> > > "mark", I don't see a problem since it isn't conditionally compiled out
> > > and won't be mis-interpreted.  In the case of "secmark=", it could be
> > > mis-interpreted as offload_fwd_mark if that field is even compiled in,
> > > but that would be addressed in the compiler directive...
> > > 
> > > 
> > > One last question: Does anyone have a test suite that can generate any
> > > or all of these types of packets?
> > > 
> > > 
> > > Thanks!
> > > 
> > > 
> > > - RGB
> 
> - RGB
> 
> --
> Richard Guy Briggs 
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635

- RGB

--
Richard Guy Briggs 
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

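A parser and layout check for the normalized record, as an added example that is not part of this thread or of the audit project's code. It applies the conventions from Steve's reply just above (-1 for an unset numeric field, "(none)" for an unset text field, plus the "?" the sample records at the top of the page use) together with the fixed field order of the full message proposed in the 2017-01-18 mail, reports any record that drops, adds or reorders fields, and totals the bytes spent on unset fields, the bandwidth cost weighed there against a fixed layout. The sample input is constructed: the first two records from the output at the top of the page rejoined onto single lines, plus an old-style record in which the fields after the truncation marker are absent. The names iptrunc and ptrunc for the two "trunc" fields are taken from the struct in the RFC patch; secmark is treated as optional because the thread makes it LSM-dependent and last.

```python
"""Parser and layout checker for normalized NETFILTER_PKT audit records.

Added example, not code from the RFC patch or the audit project.  Rules
applied: every field is always emitted; an unset numeric field is -1 and an
unset text field is "(none)" (the sample records use "?"); the field list
must not change between records.  The two "trunc" fields (IP header,
transport header) become iptrunc and ptrunc, after the struct in the patch.
"""
import re
from typing import Dict, List, Sequence, Tuple, Union

Value = Union[int, str, None]

# Unset markers: "-1" and "(none)" per the thread, "?" as in the sample
# output, "" for a field printed with no value at all.
UNSET_SENTINELS = {"-1", "(none)", "?", ""}

# Field order of the proposed full message; secmark (LSM-dependent, last)
# is optional and ignored by the layout check.
EXPECTED_FIELDS: Sequence[str] = (
    "action", "hook", "len", "inif", "outif", "mark", "smac", "dmac",
    "macproto", "iptrunc", "saddr", "daddr", "ipid", "proto", "frag",
    "ptrunc", "sport", "dport", "icmptype", "icmpcode",
)

# A value runs up to the next " key=" token, so an interpreted value with
# spaces ("unknown icmp type (255)") is kept whole.
_PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

# Constructed input: two records from the output at the top of the page,
# rejoined onto single lines, and an old-style record that drops fields.
SAMPLE_RECORDS = [
    "type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.655:186) : action=ACCEPT "
    "hook=INPUT len=60 inif=lo outif=? mark=0xe2bd8098 smac=? dmac=? "
    "macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=29381 "
    "proto=tcp frag=255 trunc=-1 sport=51064 dport=42424 "
    "icmptype=unknown icmp type (255) icmpcode=255",
    "type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.657:187) : action=ACCEPT "
    "hook=INPUT len=80 inif=lo outif=? mark=0xf80a9dd7 smac=? dmac=? "
    "macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=tcp frag=-1 "
    "trunc=-1 sport=38188 dport=42424 icmptype=unknown icmp type (255) "
    "icmpcode=255",
]
OLD_STYLE_RECORD = (
    "type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.660:188) : action=ACCEPT "
    "hook=INPUT len=20 inif=lo outif=? mark=0x0 truncated=1"
)


def _pairs(line: str) -> List[Tuple[str, str]]:
    """(key, raw value) pairs; the ' : ' after the ausearch header is dropped."""
    return _PAIR_RE.findall(line.replace(" : ", " ", 1))


def _convert(raw: str) -> Value:
    """Sentinels become None, decimal and 0x values become int, rest stays text."""
    if raw in UNSET_SENTINELS:
        return None
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if re.fullmatch(r"0x[0-9a-fA-F]+", raw):
        return int(raw, 16)
    return raw


def parse_record(line: str) -> Dict[str, Value]:
    """Parse one NETFILTER_PKT record (raw or ausearch -i form) into an
    ordered dict.  A repeated key other than trunc is an error."""
    rec: Dict[str, Value] = {}
    trunc_seen = 0
    for key, raw in _pairs(line):
        if key == "trunc":
            key = "iptrunc" if trunc_seen == 0 else "ptrunc"
            trunc_seen += 1
        if key in rec:
            raise ValueError(f"field {key!r} repeats")
        rec[key] = _convert(raw)
    if rec.get("type") not in (None, "NETFILTER_PKT"):
        raise ValueError(f"not a NETFILTER_PKT record: {rec.get('type')!r}")
    return rec


def layout_problems(rec: Dict[str, Value]) -> List[str]:
    """Every way the record departs from the fixed field list: missing
    fields, unexpected fields, or the right fields in the wrong order."""
    present = [k for k in rec if k not in ("type", "msg", "secmark")]
    missing = [f for f in EXPECTED_FIELDS if f not in rec]
    extra = [f for f in present if f not in EXPECTED_FIELDS]
    problems = []
    if missing:
        problems.append("missing: " + ",".join(missing))
    if extra:
        problems.append("unexpected: " + ",".join(extra))
    if not problems and present != list(EXPECTED_FIELDS):
        problems.append("fields out of order")
    return problems


def unset_overhead(line: str) -> int:
    """Bytes spent on fields carrying only an unset sentinel: the price of
    always emitting every field, weighed in the thread against a fixed layout."""
    return sum(len(f"{k}={v} ") for k, v in _pairs(line) if v in UNSET_SENTINELS)


if __name__ == "__main__":
    for line in SAMPLE_RECORDS + [OLD_STYLE_RECORD]:
        rec = parse_record(line)
        print(rec["msg"], layout_problems(rec) or "layout ok",
              f"{unset_overhead(line)} bytes on unset fields")
```

Run against a stream from `ausearch -i -m NETFILTER_PKT`, the layout check is what catches a kernel that still swings fields in and out, and the overhead total makes the per-record cost of the always-present fields concrete (40 bytes for the IPv4 TCP sample, 56 for the IPv6 one, since ipid and frag are also unset there).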
