On 2020-05-20 12:51, Richard Guy Briggs wrote:
> Some table unregister actions seem to be initiated by the kernel to
> garbage collect unused tables that are not initiated by any userspace
> actions. It was found to be necessary to add the subject credentials to
> cover this case to reveal the source of these actions. A sample record:
>
> The uid, auid, tty, ses and exe fields have not been included since they
> are in the SYSCALL record and contain nothing useful in the non-user
> context.
>
> type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
>
> Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
Self-NACK. I forgot to remove cred and tty declarations.
> ---
> Changelog:
> v6
> - remove uid, auid fields as duplicates or unset
>
> v5
> - rebase on upstreamed ghak28 on audit/next v5.7-rc1
> - remove tty, ses and exe fields as duplicates or unset
> - drop upstreamed patches 1&2 from set
>
> v4
> - rebase on audit/next v5.7-rc1
> - fix checkpatch.pl errors/warnings in 1/3 and 2/3
>
> v3
> - rebase on v5.6-rc1 audit/next
> - change audit_nf_cfg to audit_log_nfcfg
> - squash 2,3,4,5 to 1 and update patch descriptions
> - add subject credentials to cover garbage collecting kernel threads
>
> v2
> - Rebase (audit/next 5.5-rc1) to get audit_context access and ebt_register_table ret code
> - Split x_tables and ebtables updates
> - Check audit_dummy_context
> - Store struct audit_nfcfg params in audit_context, abstract to audit_nf_cfg() call
> - Restore back to "table, family, entries" from "family, table, entries"
> - Log unregistration of tables
> - Add "op=" at the end of the AUDIT_NETFILTER_CFG record
> - Defer nsid patch (ghak79) to once nsid patchset upstreamed (ghak32)
> - Add ghak refs
> - Ditch NETFILTER_CFGSOLO record
>
> kernel/auditsc.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index cfe3486e5f31..e646055adb0b 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2557,12 +2557,21 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
> enum audit_nfcfgop op)
> {
> struct audit_buffer *ab;
> + const struct cred *cred;
> + struct tty_struct *tty;
> + char comm[sizeof(current->comm)];
>
> ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_NETFILTER_CFG);
> if (!ab)
> return;
> audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
> name, af, nentries, audit_nfcfgs[op].s);
> +
> + cred = current_cred();
> + audit_log_format(ab, " pid=%u", task_pid_nr(current));
> + audit_log_task_context(ab); /* subj= */
> + audit_log_format(ab, " comm=");
> + audit_log_untrustedstring(ab, get_task_comm(comm, current));
> audit_log_end(ab);
> }
> EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
> --
> 1.8.3.1
>
> --
> Linux-audit mailing list
> Linux-audit@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
