Re: [PATCH v4] audit: log nftables configuration change events once per table

2021-03-24 Thread kernel test robot 
Hi Richard,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on nf/master]
[also build test WARNING on nf-next/master pcmoore-audit/next v5.12-rc4 
next-20210324]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:
https://github.com/0day-ci/linux/commits/Richard-Guy-Briggs/audit-log-nftables-configuration-change-events-once-per-table/20210325-115438
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: arc-allyesconfig (attached as .config)
compiler: arceb-elf-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget 
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O 
~/bin/make.cross
chmod +x ~/bin/make.cross
# 
https://github.com/0day-ci/linux/commit/e2632994acb2553a22a739b3a876a091d04f446c
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review 
Richard-Guy-Briggs/audit-log-nftables-configuration-change-events-once-per-table/20210325-115438
git checkout e2632994acb2553a22a739b3a876a091d04f446c
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=arc 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot 

All warnings (new ones prefixed by >>):

>> net/netfilter/nf_tables_api.c:7993:5: warning: no previous prototype for 
>> 'nf_tables_commit_audit_alloc' [-Wmissing-prototypes]
7993 | int nf_tables_commit_audit_alloc(struct list_head *adl,
 | ^~~~
>> net/netfilter/nf_tables_api.c:8011:6: warning: no previous prototype for 
>> 'nf_tables_commit_audit_collect' [-Wmissing-prototypes]
8011 | void nf_tables_commit_audit_collect(struct list_head *adl,
 |  ^~
>> net/netfilter/nf_tables_api.c:8030:6: warning: no previous prototype for 
>> 'nf_tables_commit_audit_log' [-Wmissing-prototypes]
8030 | void nf_tables_commit_audit_log(struct list_head *adl, u32 
generation)
 |  ^~


vim +/nf_tables_commit_audit_alloc +7993 net/netfilter/nf_tables_api.c

  7992  
> 7993  int nf_tables_commit_audit_alloc(struct list_head *adl,
  7994   struct nft_table *table)
  7995  {
  7996  struct nft_audit_data *adp;
  7997  
  7998  list_for_each_entry(adp, adl, list) {
  7999  if (adp->table == table)
  8000  return 0;
  8001  }
  8002  adp = kzalloc(sizeof(*adp), GFP_KERNEL);
  8003  if (!adp)
  8004  return -ENOMEM;
  8005  adp->table = table;
  8006  INIT_LIST_HEAD(&adp->list);
  8007  list_add(&adp->list, adl);
  8008  return 0;
  8009  }
  8010  
> 8011  void nf_tables_commit_audit_collect(struct list_head *adl,
  8012  struct nft_table *table, u32 op)
  8013  {
  8014  struct nft_audit_data *adp;
  8015  
  8016  list_for_each_entry(adp, adl, list) {
  8017  if (adp->table == table)
  8018  goto found;
  8019  }
  8020  WARN_ONCE("table=%s not expected in commit list", table->name);
  8021  return;
  8022  found:
  8023  adp->entries++;
  8024  if (!adp->op || adp->op > op)
  8025  adp->op = op;
  8026  }
  8027  
  8028  #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
  8029  
> 8030  void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
  8031  {
  8032  struct nft_audit_data *adp, *adn;
  8033  char aubuf[AUNFTABLENAMELEN];
  8034  
  8035  list_for_each_entry_safe(adp, adn, adl, list) {
  8036  snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", 
adp->table->name,
  8037   generation);
  8038  audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
  8039  nft2audit_op[adp->op], GFP_KERNEL);
  8040  list_del(&adp->list);
  8041  kfree(adp);
  8042  }
  8043  }
  8044  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org


.config.gz
Description: application/gzip

[PATCH v4] audit: log nftables configuration change events once per table

2021-03-24 Thread Richard Guy Briggs 
Reduce logging of nftables events to a level similar to iptables.
Restore the table field to list the table, adding the generation.

Indicate the op as the most significant operation in the event.

A couple of sample events:

type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : 
proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 
syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 
a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root 
suid=root fsuid=root egid=roo
t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld 
exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 
family=ipv6 entries=1 op=nft_register_table pid=367 
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 
family=ipv4 entries=1 op=nft_register_table pid=367 
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 
family=inet entries=1 op=nft_register_table pid=367 
subj=system_u:system_r:firewalld_t:s0 comm=firewalld

type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : 
proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 
syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 
a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root 
suid=root fsuid=root egid=r
oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld 
exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 
family=ipv6 entries=30 op=nft_register_chain pid=367 
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 
family=ipv4 entries=30 op=nft_register_chain pid=367 
subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 
family=inet entries=165 op=nft_register_chain pid=367 
subj=system_u:system_r:firewalld_t:s0 comm=firewalld

The issue was originally documented in
https://github.com/linux-audit/audit-kernel/issues/124

Signed-off-by: Richard Guy Briggs 
---
Changelog:
v4:
- move nf_tables_commit_audit_log() before nf_tables_commit_release() [fw]
- move nft2audit_op[] from audit.h to nf_tables_api.c

v3:
- fix function braces, reduce parameter scope [pna]
- pre-allocate nft_audit_data per table in step 1, bail on ENOMEM [pna]

v2:
- convert NFT ops to array indicies in nft2audit_op[] [ps]
- use linux lists [pna]
- use functions for each of collection and logging of audit data [pna]
---
 net/netfilter/nf_tables_api.c | 187 +++---
 1 file changed, 104 insertions(+), 83 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c1eb5cdb3033..9c930fe72005 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -66,6 +66,41 @@ static const struct rhashtable_params nft_objname_ht_params 
= {
.automatic_shrinking= true,
 };
 
+struct nft_audit_data {
+   struct nft_table *table;
+   int entries;
+   int op;
+   struct list_head list;
+};
+
+static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
+   [NFT_MSG_NEWTABLE]  = AUDIT_NFT_OP_TABLE_REGISTER,
+   [NFT_MSG_GETTABLE]  = AUDIT_NFT_OP_INVALID,
+   [NFT_MSG_DELTABLE]  = AUDIT_NFT_OP_TABLE_UNREGISTER,
+   [NFT_MSG_NEWCHAIN]  = AUDIT_NFT_OP_CHAIN_REGISTER,
+   [NFT_MSG_GETCHAIN]  = AUDIT_NFT_OP_INVALID,
+   [NFT_MSG_DELCHAIN]  = AUDIT_NFT_OP_CHAIN_UNREGISTER,
+   [NFT_MSG_NEWRULE]   = AUDIT_NFT_OP_RULE_REGISTER,
+   [NFT_MSG_GETRULE]   = AUDIT_NFT_OP_INVALID,
+   [NFT_MSG_DELRULE]   = AUDIT_NFT_OP_RULE_UNREGISTER,
+   [NFT_MSG_NEWSET]= AUDIT_NFT_OP_SET_REGISTER,
+   [NFT_MSG_GETSET]= AUDIT_NFT_OP_INVALID,
+   [NFT_MSG_DELSET]= AUDIT_NFT_OP_SET_UNREGISTER,
+   [NFT_MSG_NEWSETELEM]= AUDIT_NFT_OP_SETELEM_REGISTER,
+   [NFT_MSG_GETSETELEM]= AUDIT_NFT_OP_INVALID,
+   [NFT_MSG_DELSETELEM]= AUDIT_NFT_OP_SETELEM_UNREGISTER,
+   [NFT_MSG_NEWGEN]= AUDIT_NFT_OP_GEN_REGISTER,
+   [NFT_MSG_GETGEN]= AUDIT_NFT_OP_INVALID,
+   [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
+   [NFT_MSG_NEWOBJ]= AUDIT_NFT_OP_OBJ_REGISTER,
+   [NFT_MSG_GETOBJ]= AUDIT_NFT_OP_INVALID,
+   [NFT_MSG_DELOBJ]= AUDIT_NFT_OP_OBJ_UNREGISTER,
+   [NFT_MSG_GETOBJ_RESET]  = AUDIT_NFT_OP_OBJ_RESET,
+   [NFT_MSG_NEWFLOWTABLE]  = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
+   [NFT_MSG_GETFLOWTABLE]