Re: [PATCH v4] audit: log nftables configuration change events once per table
Hi Richard, Thank you for the patch! Perhaps something to improve: [auto build test WARNING on nf/master] [also build test WARNING on nf-next/master pcmoore-audit/next v5.12-rc4 next-20210324] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Richard-Guy-Briggs/audit-log-nftables-configuration-change-events-once-per-table/20210325-115438 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master config: arc-allyesconfig (attached as .config) compiler: arceb-elf-gcc (GCC) 9.3.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/0day-ci/linux/commit/e2632994acb2553a22a739b3a876a091d04f446c git remote add linux-review https://github.com/0day-ci/linux git fetch --no-tags linux-review Richard-Guy-Briggs/audit-log-nftables-configuration-change-events-once-per-table/20210325-115438 git checkout e2632994acb2553a22a739b3a876a091d04f446c # save the attached .config to linux build tree COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=arc If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot All warnings (new ones prefixed by >>): >> net/netfilter/nf_tables_api.c:7993:5: warning: no previous prototype for >> 'nf_tables_commit_audit_alloc' [-Wmissing-prototypes] 7993 | int nf_tables_commit_audit_alloc(struct list_head *adl, | ^~~~ >> net/netfilter/nf_tables_api.c:8011:6: warning: no previous prototype for >> 'nf_tables_commit_audit_collect' [-Wmissing-prototypes] 8011 | void nf_tables_commit_audit_collect(struct list_head *adl, | ^~ >> net/netfilter/nf_tables_api.c:8030:6: warning: no previous prototype for >> 'nf_tables_commit_audit_log' [-Wmissing-prototypes] 8030 | void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) | ^~ vim +/nf_tables_commit_audit_alloc +7993 net/netfilter/nf_tables_api.c 7992 > 7993 int nf_tables_commit_audit_alloc(struct list_head *adl, 7994 struct nft_table *table) 7995 { 7996 struct nft_audit_data *adp; 7997 7998 list_for_each_entry(adp, adl, list) { 7999 if (adp->table == table) 8000 return 0; 8001 } 8002 adp = kzalloc(sizeof(*adp), GFP_KERNEL); 8003 if (!adp) 8004 return -ENOMEM; 8005 adp->table = table; 8006 INIT_LIST_HEAD(&adp->list); 8007 list_add(&adp->list, adl); 8008 return 0; 8009 } 8010 > 8011 void nf_tables_commit_audit_collect(struct list_head *adl, 8012 struct nft_table *table, u32 op) 8013 { 8014 struct nft_audit_data *adp; 8015 8016 list_for_each_entry(adp, adl, list) { 8017 if (adp->table == table) 8018 goto found; 8019 } 8020 WARN_ONCE("table=%s not expected in commit list", table->name); 8021 return; 8022 found: 8023 adp->entries++; 8024 if (!adp->op || adp->op > op) 8025 adp->op = op; 8026 } 8027 8028 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 8029 > 8030 void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 8031 { 8032 struct nft_audit_data *adp, *adn; 8033 char aubuf[AUNFTABLENAMELEN]; 8034 8035 list_for_each_entry_safe(adp, adn, adl, list) { 8036 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 8037 generation); 8038 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 8039 nft2audit_op[adp->op], GFP_KERNEL); 8040 list_del(&adp->list); 8041 kfree(adp); 8042 } 8043 } 8044 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org .config.gz Description: application/gzip
[PATCH v4] audit: log nftables configuration change events once per table
Reduce logging of nftables events to a level similar to iptables. Restore the table field to list the table, adding the generation. Indicate the op as the most significant operation in the event. A couple of sample events: type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=roo t sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null) type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=r oot sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null) type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld The issue was originally documented in https://github.com/linux-audit/audit-kernel/issues/124 Signed-off-by: Richard Guy Briggs --- Changelog: v4: - move nf_tables_commit_audit_log() before nf_tables_commit_release() [fw] - move nft2audit_op[] from audit.h to nf_tables_api.c v3: - fix function braces, reduce parameter scope [pna] - pre-allocate nft_audit_data per table in step 1, bail on ENOMEM [pna] v2: - convert NFT ops to array indicies in nft2audit_op[] [ps] - use linux lists [pna] - use functions for each of collection and logging of audit data [pna] --- net/netfilter/nf_tables_api.c | 187 +++--- 1 file changed, 104 insertions(+), 83 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index c1eb5cdb3033..9c930fe72005 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -66,6 +66,41 @@ static const struct rhashtable_params nft_objname_ht_params = { .automatic_shrinking= true, }; +struct nft_audit_data { + struct nft_table *table; + int entries; + int op; + struct list_head list; +}; + +static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types + [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, + [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, + [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, + [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, + [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, + [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, + [NFT_MSG_NEWSET]= AUDIT_NFT_OP_SET_REGISTER, + [NFT_MSG_GETSET]= AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELSET]= AUDIT_NFT_OP_SET_UNREGISTER, + [NFT_MSG_NEWSETELEM]= AUDIT_NFT_OP_SETELEM_REGISTER, + [NFT_MSG_GETSETELEM]= AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELSETELEM]= AUDIT_NFT_OP_SETELEM_UNREGISTER, + [NFT_MSG_NEWGEN]= AUDIT_NFT_OP_GEN_REGISTER, + [NFT_MSG_GETGEN]= AUDIT_NFT_OP_INVALID, + [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, + [NFT_MSG_NEWOBJ]= AUDIT_NFT_OP_OBJ_REGISTER, + [NFT_MSG_GETOBJ]= AUDIT_NFT_OP_INVALID, + [NFT_MSG_DELOBJ]= AUDIT_NFT_OP_OBJ_UNREGISTER, + [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, + [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, + [NFT_MSG_GETFLOWTABLE]