Re: [PATCH] audit: log nftables configuration change events once per table
On 2021-03-19 13:52, Phil Sutter wrote: > On Thu, Mar 18, 2021 at 02:37:03PM -0400, Richard Guy Briggs wrote: > > On 2021-03-18 17:30, Phil Sutter wrote: > [...] > > > Why did you leave the object-related logs in place? They should reappear > > > at commit time just like chains and sets for instance, no? > > > > There are other paths that can trigger these messages that don't go > > through nf_tables_commit() that affect the configuration data. The > > counters are considered config data for auditing purposes and the act of > > resetting them is audittable. And the only time we want to emit a > > record is when they are being reset. > > Oh, I see. I wasn't aware 'nft reset' bypasses the transaction logic, > thanks for clarifying! That's my current understanding. If someone else has a better understanding I'd be grateful if they could correct me. > Cheers, Phil - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH] audit: log nftables configuration change events once per table
On Thu, Mar 18, 2021 at 02:37:03PM -0400, Richard Guy Briggs wrote: > On 2021-03-18 17:30, Phil Sutter wrote: [...] > > Why did you leave the object-related logs in place? They should reappear > > at commit time just like chains and sets for instance, no? > > There are other paths that can trigger these messages that don't go > through nf_tables_commit() that affect the configuration data. The > counters are considered config data for auditing purposes and the act of > resetting them is audittable. And the only time we want to emit a > record is when they are being reset. Oh, I see. I wasn't aware 'nft reset' bypasses the transaction logic, thanks for clarifying! Cheers, Phil
Re: [PATCH] audit: log nftables configuration change events once per table
Hi Richard,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on pcmoore-audit/next]
[also build test ERROR on nf/master nf-next/master linux/master linus/master
v5.12-rc3 next-20210318]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url:
https://github.com/0day-ci/linux/commits/Richard-Guy-Briggs/audit-log-nftables-configuration-change-events-once-per-table/20210318-234408
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
config: sparc64-randconfig-p002-20210318 (attached as .config)
compiler: sparc64-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O
~/bin/make.cross
chmod +x ~/bin/make.cross
#
https://github.com/0day-ci/linux/commit/6c3d6ac0f39a29e8474b0ff59609e3c3168339c0
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review
Richard-Guy-Briggs/audit-log-nftables-configuration-change-events-once-per-table/20210318-234408
git checkout 6c3d6ac0f39a29e8474b0ff59609e3c3168339c0
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross
ARCH=sparc64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot
All errors (new ones prefixed by >>):
In file included from arch/sparc/kernel/ptrace_64.c:25:
>> include/linux/audit.h:121:17: error: 'nft2audit_op' defined but not used
>> [-Werror=unused-const-variable=]
121 | static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
| ^~~~
cc1: all warnings being treated as errors
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for FRAME_POINTER
Depends on DEBUG_KERNEL && (M68K || UML || SUPERH) ||
ARCH_WANT_FRAME_POINTERS || MCOUNT
Selected by
- LOCKDEP && DEBUG_KERNEL && LOCK_DEBUGGING_SUPPORT && !MIPS && !PPC && !ARM
&& !S390 && !MICROBLAZE && !ARC && !X86
vim +/nft2audit_op +121 include/linux/audit.h
120
> 121 static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
122 /* NFT_MSG_NEWTABLE */ AUDIT_NFT_OP_TABLE_REGISTER,
123 /* NFT_MSG_GETTABLE */ AUDIT_NFT_OP_INVALID,
124 /* NFT_MSG_DELTABLE */ AUDIT_NFT_OP_TABLE_UNREGISTER,
125 /* NFT_MSG_NEWCHAIN */ AUDIT_NFT_OP_CHAIN_REGISTER,
126 /* NFT_MSG_GETCHAIN */ AUDIT_NFT_OP_INVALID,
127 /* NFT_MSG_DELCHAIN */ AUDIT_NFT_OP_CHAIN_UNREGISTER,
128 /* NFT_MSG_NEWRULE */ AUDIT_NFT_OP_RULE_REGISTER,
129 /* NFT_MSG_GETRULE */ AUDIT_NFT_OP_INVALID,
130 /* NFT_MSG_DELRULE */ AUDIT_NFT_OP_RULE_UNREGISTER,
131 /* NFT_MSG_NEWSET */ AUDIT_NFT_OP_SET_REGISTER,
132 /* NFT_MSG_GETSET */ AUDIT_NFT_OP_INVALID,
133 /* NFT_MSG_DELSET */ AUDIT_NFT_OP_SET_UNREGISTER,
134 /* NFT_MSG_NEWSETELEM */ AUDIT_NFT_OP_SETELEM_REGISTER,
135 /* NFT_MSG_GETSETELEM */ AUDIT_NFT_OP_INVALID,
136 /* NFT_MSG_DELSETELEM */ AUDIT_NFT_OP_SETELEM_UNREGISTER,
137 /* NFT_MSG_NEWGEN */ AUDIT_NFT_OP_GEN_REGISTER,
138 /* NFT_MSG_GETGEN */ AUDIT_NFT_OP_INVALID,
139 /* NFT_MSG_TRACE*/ AUDIT_NFT_OP_INVALID,
140 /* NFT_MSG_NEWOBJ */ AUDIT_NFT_OP_OBJ_REGISTER,
141 /* NFT_MSG_GETOBJ */ AUDIT_NFT_OP_INVALID,
142 /* NFT_MSG_DELOBJ */ AUDIT_NFT_OP_OBJ_UNREGISTER,
143 /* NFT_MSG_GETOBJ_RESET */ AUDIT_NFT_OP_OBJ_RESET,
144 /* NFT_MSG_NEWFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_REGISTER,
145 /* NFT_MSG_GETFLOWTABLE */ AUDIT_NFT_OP_INVALID,
146 /* NFT_MSG_DELFLOWTABLE */
AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
147 /* NFT_MSG_MAX */ AUDIT_NFT_OP_INVALID,
148 };
149
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org
.config.gz
Description: application/gzip
Re: [PATCH] audit: log nftables configuration change events once per table
On 2021-03-18 17:30, Phil Sutter wrote:
> Hi,
>
> On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> > Reduce logging of nftables events to a level similar to iptables.
> > Restore the table field to list the table, adding the generation.
>
> This looks much better, a few remarks below:
>
> [...]
> > +static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
> > + /* NFT_MSG_NEWTABLE */ AUDIT_NFT_OP_TABLE_REGISTER,
> > + /* NFT_MSG_GETTABLE */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELTABLE */ AUDIT_NFT_OP_TABLE_UNREGISTER,
> > + /* NFT_MSG_NEWCHAIN */ AUDIT_NFT_OP_CHAIN_REGISTER,
> > + /* NFT_MSG_GETCHAIN */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELCHAIN */ AUDIT_NFT_OP_CHAIN_UNREGISTER,
> > + /* NFT_MSG_NEWRULE */ AUDIT_NFT_OP_RULE_REGISTER,
> > + /* NFT_MSG_GETRULE */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELRULE */ AUDIT_NFT_OP_RULE_UNREGISTER,
> > + /* NFT_MSG_NEWSET */ AUDIT_NFT_OP_SET_REGISTER,
> > + /* NFT_MSG_GETSET */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELSET */ AUDIT_NFT_OP_SET_UNREGISTER,
> > + /* NFT_MSG_NEWSETELEM */ AUDIT_NFT_OP_SETELEM_REGISTER,
> > + /* NFT_MSG_GETSETELEM */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELSETELEM */ AUDIT_NFT_OP_SETELEM_UNREGISTER,
> > + /* NFT_MSG_NEWGEN */ AUDIT_NFT_OP_GEN_REGISTER,
> > + /* NFT_MSG_GETGEN */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_TRACE*/ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_NEWOBJ */ AUDIT_NFT_OP_OBJ_REGISTER,
> > + /* NFT_MSG_GETOBJ */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELOBJ */ AUDIT_NFT_OP_OBJ_UNREGISTER,
> > + /* NFT_MSG_GETOBJ_RESET */ AUDIT_NFT_OP_OBJ_RESET,
> > + /* NFT_MSG_NEWFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_REGISTER,
> > + /* NFT_MSG_GETFLOWTABLE */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
> > + /* NFT_MSG_MAX */ AUDIT_NFT_OP_INVALID,
> > +};
>
> NFT_MSG_MAX is itself not a valid message, it serves merely as an upper
> bound for arrays, loops or sanity checks. You will never see it in
> trans->msg_type.
>
> Since enum nf_tables_msg_types contains consecutive values from 0 to
> NFT_MSG_MAX, you could write the above more explicitly:
>
> | static const u8 nft2audit_op[NFT_MSG_MAX] = {
> | [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
> | [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
> | [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
> (And so forth.)
>
> Not a must, but it clarifies the 1:1 mapping between index and said
> enum. Sadly, AUDIT_NFT_OP_INVALID is non-zero. Otherwise one could skip
> all uninteresting ones.
Yes, ok, I prefer your suggested way of listing them.
Yeah, the fact the values for op= already have a precedent in xtables
limits us.
> [...]
> > @@ -6278,12 +6219,11 @@ static int nf_tables_dump_obj(struct sk_buff *skb,
> > struct netlink_callback *cb)
> > filter->type != NFT_OBJECT_UNSPEC &&
> > obj->ops->type->type != filter->type)
> > goto cont;
> > -
> > if (reset) {
> > char *buf = kasprintf(GFP_ATOMIC,
> > - "%s:%llu;?:0",
> > + "%s:%u",
> > table->name,
> > - table->handle);
> > + net->nft.base_seq);
> >
> > audit_log_nfcfg(buf,
> > family,
>
> Why did you leave the object-related logs in place? They should reappear
> at commit time just like chains and sets for instance, no?
There are other paths that can trigger these messages that don't go
through nf_tables_commit() that affect the configuration data. The
counters are considered config data for auditing purposes and the act of
resetting them is audittable. And the only time we want to emit a
record is when they are being reset.
> Thanks, Phil
- RGB
--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Re: [PATCH] audit: log nftables configuration change events once per table
Hi,
On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
This looks much better, a few remarks below:
[...]
> +static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
> + /* NFT_MSG_NEWTABLE */ AUDIT_NFT_OP_TABLE_REGISTER,
> + /* NFT_MSG_GETTABLE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELTABLE */ AUDIT_NFT_OP_TABLE_UNREGISTER,
> + /* NFT_MSG_NEWCHAIN */ AUDIT_NFT_OP_CHAIN_REGISTER,
> + /* NFT_MSG_GETCHAIN */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELCHAIN */ AUDIT_NFT_OP_CHAIN_UNREGISTER,
> + /* NFT_MSG_NEWRULE */ AUDIT_NFT_OP_RULE_REGISTER,
> + /* NFT_MSG_GETRULE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELRULE */ AUDIT_NFT_OP_RULE_UNREGISTER,
> + /* NFT_MSG_NEWSET */ AUDIT_NFT_OP_SET_REGISTER,
> + /* NFT_MSG_GETSET */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELSET */ AUDIT_NFT_OP_SET_UNREGISTER,
> + /* NFT_MSG_NEWSETELEM */ AUDIT_NFT_OP_SETELEM_REGISTER,
> + /* NFT_MSG_GETSETELEM */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELSETELEM */ AUDIT_NFT_OP_SETELEM_UNREGISTER,
> + /* NFT_MSG_NEWGEN */ AUDIT_NFT_OP_GEN_REGISTER,
> + /* NFT_MSG_GETGEN */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_TRACE*/ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_NEWOBJ */ AUDIT_NFT_OP_OBJ_REGISTER,
> + /* NFT_MSG_GETOBJ */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELOBJ */ AUDIT_NFT_OP_OBJ_UNREGISTER,
> + /* NFT_MSG_GETOBJ_RESET */ AUDIT_NFT_OP_OBJ_RESET,
> + /* NFT_MSG_NEWFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_REGISTER,
> + /* NFT_MSG_GETFLOWTABLE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
> + /* NFT_MSG_MAX */ AUDIT_NFT_OP_INVALID,
> +};
NFT_MSG_MAX is itself not a valid message, it serves merely as an upper
bound for arrays, loops or sanity checks. You will never see it in
trans->msg_type.
Since enum nf_tables_msg_types contains consecutive values from 0 to
NFT_MSG_MAX, you could write the above more explicitly:
| static const u8 nft2audit_op[NFT_MSG_MAX] = {
| [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
| [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
| [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
(And so forth.)
Not a must, but it clarifies the 1:1 mapping between index and said
enum. Sadly, AUDIT_NFT_OP_INVALID is non-zero. Otherwise one could skip
all uninteresting ones.
[...]
> @@ -6278,12 +6219,11 @@ static int nf_tables_dump_obj(struct sk_buff *skb,
> struct netlink_callback *cb)
> filter->type != NFT_OBJECT_UNSPEC &&
> obj->ops->type->type != filter->type)
> goto cont;
> -
> if (reset) {
> char *buf = kasprintf(GFP_ATOMIC,
> - "%s:%llu;?:0",
> + "%s:%u",
> table->name,
> - table->handle);
> + net->nft.base_seq);
>
> audit_log_nfcfg(buf,
> family,
Why did you leave the object-related logs in place? They should reappear
at commit time just like chains and sets for instance, no?
Thanks, Phil
Re: [PATCH] audit: log nftables configuration change events once per table
On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.
>
> A couple of sample events:
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) :
> proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64
> syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=roo
> t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=ipv6 entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=ipv4 entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
> family=inet entries=1 op=nft_register_table pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) :
> proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64
> syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
> a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root
> euid=root suid=root fsuid=root egid=r
> oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
> exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=ipv6 entries=30 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=ipv4 entries=30 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
> family=inet entries=165 op=nft_register_chain pid=367
> subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> The issue was originally documented in
> https://github.com/linux-audit/audit-kernel/issues/124
>
> Signed-off-by: Richard Guy Briggs
> ---
> include/linux/audit.h | 29
> net/netfilter/nf_tables_api.c | 132 +-
> 2 files changed, 78 insertions(+), 83 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 82b7c1116a85..bba6a0386742 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -118,6 +118,35 @@ enum audit_nfcfgop {
> AUDIT_NFT_OP_INVALID,
> };
>
> +static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
> + /* NFT_MSG_NEWTABLE */ AUDIT_NFT_OP_TABLE_REGISTER,
> + /* NFT_MSG_GETTABLE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELTABLE */ AUDIT_NFT_OP_TABLE_UNREGISTER,
> + /* NFT_MSG_NEWCHAIN */ AUDIT_NFT_OP_CHAIN_REGISTER,
> + /* NFT_MSG_GETCHAIN */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELCHAIN */ AUDIT_NFT_OP_CHAIN_UNREGISTER,
> + /* NFT_MSG_NEWRULE */ AUDIT_NFT_OP_RULE_REGISTER,
> + /* NFT_MSG_GETRULE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELRULE */ AUDIT_NFT_OP_RULE_UNREGISTER,
> + /* NFT_MSG_NEWSET */ AUDIT_NFT_OP_SET_REGISTER,
> + /* NFT_MSG_GETSET */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELSET */ AUDIT_NFT_OP_SET_UNREGISTER,
> + /* NFT_MSG_NEWSETELEM */ AUDIT_NFT_OP_SETELEM_REGISTER,
> + /* NFT_MSG_GETSETELEM */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELSETELEM */ AUDIT_NFT_OP_SETELEM_UNREGISTER,
> + /* NFT_MSG_NEWGEN */ AUDIT_NFT_OP_GEN_REGISTER,
> + /* NFT_MSG_GETGEN */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_TRACE*/ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_NEWOBJ */ AUDIT_NFT_OP_OBJ_REGISTER,
> + /* NFT_MSG_GETOBJ */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELOBJ */ AUDIT_NFT_OP_OBJ_UNREGISTER,
> + /* NFT_MSG_GETOBJ_RESET */ AUDIT_NFT_OP_OBJ_RESET,
> + /* NFT_MSG_NEWFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_REGISTER,
> + /* NFT_MSG_GETFLOWTABLE */ AUDIT_NFT_OP_INVALID,
> + /* NFT_MSG_DELFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
> + /* NFT_MSG_MAX */ AUDIT_NFT_OP_INVALID,
> +};
> +
> extern int is_audit_feature_set(int which);
>
> extern int __init audit_register_class(int class, unsigned
[PATCH] audit: log nftables configuration change events once per table
Reduce logging of nftables events to a level similar to iptables.
Restore the table field to list the table, adding the generation.
Indicate the op as the most significant operation in the event.
A couple of sample events:
type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) :
proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64
syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=roo
t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
family=ipv6 entries=1 op=nft_register_table pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
family=ipv4 entries=1 op=nft_register_table pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2
family=inet entries=1 op=nft_register_table pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) :
proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64
syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0
a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=r
oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld
exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
family=ipv6 entries=30 op=nft_register_chain pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
family=ipv4 entries=30 op=nft_register_chain pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3
family=inet entries=165 op=nft_register_chain pid=367
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
The issue was originally documented in
https://github.com/linux-audit/audit-kernel/issues/124
Signed-off-by: Richard Guy Briggs
---
include/linux/audit.h | 29
net/netfilter/nf_tables_api.c | 132 +-
2 files changed, 78 insertions(+), 83 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 82b7c1116a85..bba6a0386742 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -118,6 +118,35 @@ enum audit_nfcfgop {
AUDIT_NFT_OP_INVALID,
};
+static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
+ /* NFT_MSG_NEWTABLE */ AUDIT_NFT_OP_TABLE_REGISTER,
+ /* NFT_MSG_GETTABLE */ AUDIT_NFT_OP_INVALID,
+ /* NFT_MSG_DELTABLE */ AUDIT_NFT_OP_TABLE_UNREGISTER,
+ /* NFT_MSG_NEWCHAIN */ AUDIT_NFT_OP_CHAIN_REGISTER,
+ /* NFT_MSG_GETCHAIN */ AUDIT_NFT_OP_INVALID,
+ /* NFT_MSG_DELCHAIN */ AUDIT_NFT_OP_CHAIN_UNREGISTER,
+ /* NFT_MSG_NEWRULE */ AUDIT_NFT_OP_RULE_REGISTER,
+ /* NFT_MSG_GETRULE */ AUDIT_NFT_OP_INVALID,
+ /* NFT_MSG_DELRULE */ AUDIT_NFT_OP_RULE_UNREGISTER,
+ /* NFT_MSG_NEWSET */ AUDIT_NFT_OP_SET_REGISTER,
+ /* NFT_MSG_GETSET */ AUDIT_NFT_OP_INVALID,
+ /* NFT_MSG_DELSET */ AUDIT_NFT_OP_SET_UNREGISTER,
+ /* NFT_MSG_NEWSETELEM */ AUDIT_NFT_OP_SETELEM_REGISTER,
+ /* NFT_MSG_GETSETELEM */ AUDIT_NFT_OP_INVALID,
+ /* NFT_MSG_DELSETELEM */ AUDIT_NFT_OP_SETELEM_UNREGISTER,
+ /* NFT_MSG_NEWGEN */ AUDIT_NFT_OP_GEN_REGISTER,
+ /* NFT_MSG_GETGEN */ AUDIT_NFT_OP_INVALID,
+ /* NFT_MSG_TRACE*/ AUDIT_NFT_OP_INVALID,
+ /* NFT_MSG_NEWOBJ */ AUDIT_NFT_OP_OBJ_REGISTER,
+ /* NFT_MSG_GETOBJ */ AUDIT_NFT_OP_INVALID,
+ /* NFT_MSG_DELOBJ */ AUDIT_NFT_OP_OBJ_UNREGISTER,
+ /* NFT_MSG_GETOBJ_RESET */ AUDIT_NFT_OP_OBJ_RESET,
+ /* NFT_MSG_NEWFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_REGISTER,
+ /* NFT_MSG_GETFLOWTABLE */ AUDIT_NFT_OP_INVALID,
+ /* NFT_MSG_DELFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
+ /* NFT_MSG_MAX */ AUDIT_NFT_OP_INVALID,
+};
+
extern int is_audit_feature_set(int which);
extern int __init audit_register_class(int class, unsigned *list);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 8d5aa0ac45f4..ad31d8876169 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@
