Commit c4dad0aa authored by Richard Guy Briggs's avatar Richard Guy Briggs Committed by Paul Moore
Browse files

audit: tidy and extend netfilter_cfg x_tables 

NETFILTER_CFG record generation was inconsistent for x_tables and
ebtables configuration changes.  The call was needlessly messy and there
were supporting records missing at times while they were produced when
not requested.  Simplify the logging call into a new audit_log_nfcfg
call.  Honour the audit_enabled setting while more consistently
recording information including supporting records by tidying up dummy
checks.

Add an op= field that indicates the operation being performed (register
or replace).

Here is the enhanced sample record:
  type=NETFILTER_CFG msg=audit(1580905834.919:82970): table=filter family=2 entries=83 op=replace

Generate audit NETFILTER_CFG records on ebtables table registration.
Previously this was being done for x_tables registration and replacement
operations and ebtables table replacement only.

See: https://github.com/linux-audit/audit-kernel/issues/25
See: https://github.com/linux-audit/audit-kernel/issues/35
See: https://github.com/linux-audit/audit-kernel/issues/43



Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 9d2161be

include/linux/audit.h

+21 −0
Original line number Diff line number Diff line
@@ -94,6 +94,11 @@ struct audit_ntp_data { 
struct audit_ntp_data {};

#endif



enum audit_nfcfgop {

	AUDIT_XT_OP_REGISTER,

	AUDIT_XT_OP_REPLACE,

};



extern int is_audit_feature_set(int which);



extern int __init audit_register_class(int class, unsigned *list);
@@ -379,6 +384,8 @@ extern void __audit_log_kern_module(char *name); 
extern void __audit_fanotify(unsigned int response);

extern void __audit_tk_injoffset(struct timespec64 offset);

extern void __audit_ntp_log(const struct audit_ntp_data *ad);

extern void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,

			      enum audit_nfcfgop op);



static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)

{
@@ -514,6 +521,14 @@ static inline void audit_ntp_log(const struct audit_ntp_data *ad) 
		__audit_ntp_log(ad);

}



static inline void audit_log_nfcfg(const char *name, u8 af,

				   unsigned int nentries,

				   enum audit_nfcfgop op)

{

	if (audit_enabled)

		__audit_log_nfcfg(name, af, nentries, op);

}



extern int audit_n_rules;

extern int audit_signals;

#else /* CONFIG_AUDITSYSCALL */
@@ -646,6 +661,12 @@ static inline void audit_ntp_log(const struct audit_ntp_data *ad) 


static inline void audit_ptrace(struct task_struct *t)

{ }



static inline void audit_log_nfcfg(const char *name, u8 af,

				   unsigned int nentries,

				   enum audit_nfcfgop op)

{ }



#define audit_n_rules 0

#define audit_signals 0

#endif /* CONFIG_AUDITSYSCALL */

kernel/auditsc.c

+24 −0
Original line number Diff line number Diff line
@@ -130,6 +130,16 @@ struct audit_tree_refs { 
	struct audit_chunk *c[31];

};



struct audit_nfcfgop_tab {

	enum audit_nfcfgop	op;

	const char		*s;

};



const struct audit_nfcfgop_tab audit_nfcfgs[] = {

	{ AUDIT_XT_OP_REGISTER,	"register"	},

	{ AUDIT_XT_OP_REPLACE,	"replace"	},

};



static int audit_match_perm(struct audit_context *ctx, int mask)

{

	unsigned n;
@@ -2542,6 +2552,20 @@ void __audit_ntp_log(const struct audit_ntp_data *ad) 
	audit_log_ntp_val(ad, "adjust",	AUDIT_NTP_ADJUST);

}



void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,

		       enum audit_nfcfgop op)

{

	struct audit_buffer *ab;



	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG);

	if (!ab)

		return;

	audit_log_format(ab, "table=%s family=%u entries=%u op=%s",

			 name, af, nentries, audit_nfcfgs[op].s);

	audit_log_end(ab);

}

EXPORT_SYMBOL_GPL(__audit_log_nfcfg);



static void audit_log_task(struct audit_buffer *ab)

{

	kuid_t auid, uid;

net/bridge/netfilter/ebtables.c

+4 −8
Original line number Diff line number Diff line
@@ -1046,14 +1046,8 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl, 
	vfree(table);

	vfree(counterstmp);



#ifdef CONFIG_AUDIT

	if (audit_enabled) {

		audit_log(audit_context(), GFP_KERNEL,

			  AUDIT_NETFILTER_CFG,

			  "table=%s family=%u entries=%u",

			  repl->name, AF_BRIDGE, repl->nentries);

	}

#endif

	audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,

			AUDIT_XT_OP_REPLACE);

	return ret;



free_unlock:
@@ -1223,6 +1217,8 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table, 
		*res = NULL;

	}



	audit_log_nfcfg(repl->name, AF_BRIDGE, repl->nentries,

			AUDIT_XT_OP_REGISTER);

	return ret;

free_unlock:

	mutex_unlock(&ebt_mutex);

net/netfilter/x_tables.c

+3 −9
Original line number Diff line number Diff line
@@ -1408,15 +1408,9 @@ xt_replace_table(struct xt_table *table, 
		}

	}



#ifdef CONFIG_AUDIT

	if (audit_enabled) {

		audit_log(audit_context(), GFP_KERNEL,

			  AUDIT_NETFILTER_CFG,

			  "table=%s family=%u entries=%u",

			  table->name, table->af, private->number);

	}

#endif



	audit_log_nfcfg(table->name, table->af, private->number,

			!private->number ? AUDIT_XT_OP_REGISTER :

					   AUDIT_XT_OP_REPLACE);

	return private;

}

EXPORT_SYMBOL_GPL(xt_replace_table);

CRA Git | Maintained and supported by SUSTech CRA and CCSE