Re: [PATCH ghak25 v2 7/9] netfilter: ebtables audit table registration

From: Richard Guy Briggs
Date: Tue Feb 18 2020 - 17:36:05 EST

Next message: Wei Yang: "Re: [PATCH] mm/vmscan.c: remove cpu online notification for now"
Previous message: Andrei Vagin: "Re: [PATCH AUTOSEL 5.5 542/542] pipe: use exclusive waits when reading or writing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2020-01-30 22:18, Paul Moore wrote:
> On Mon, Jan 6, 2020 at 1:56 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> >
> > Generate audit NETFILTER_CFG records on ebtables table registration.
> >
> > Previously this was only being done for all x_tables operations and
> > ebtables table replacement.
> >
> > Call new audit_nf_cfg() to store table parameters for later use with
> > syscall records.
> >
> > Here is a sample accompanied record:
> > type=NETFILTER_CFG msg=audit(1494907217.558:5403): table=filter family=7 entries=0
>
> Wait a minute ... in patch 4 you have code that explicitly checks for
> "entries=0" and doesn't generate a record in that case; is the example
> a lie or is the code a lie? ;)

The example was stale once the entries check was added. The entries
check has now been removed due to the source of registration records
being orphanned from their syscall record being found and solved in the
ghak120 (norule missing accompanying) issue.

However, there are ebtables nat and filter tables being added that are
being automatically reaped if there are no entries and there is no
syscall accompanying them. I don't yet know if it is being reaped by
userspace with an async drop, or if it is the kernel that is deciding to
garbage collect that table after a period of disuse.

Some quick instrumentation says it is kernel thread [kworker/u4:2-events_unbound]

pid=153 uid=0 auid=4294967295 tty=(none) ses=4294967295 subj=system_u:system_r:kernel_t:s0 comm="kworker/u4:2" exe=(null)

> > See: https://github.com/linux-audit/audit-kernel/issues/43
> > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
> > ---
> > net/bridge/netfilter/ebtables.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> > index 57dc11c0f349..58126547b175 100644
> > --- a/net/bridge/netfilter/ebtables.c
> > +++ b/net/bridge/netfilter/ebtables.c
> > @@ -1219,6 +1219,8 @@ int ebt_register_table(struct net *net, const struct ebt_table *input_table,
> > *res = NULL;
> > }
> >
> > + if (audit_enabled)
> > + audit_nf_cfg(repl->name, AF_BRIDGE, repl->nentries);
> > return ret;
> > free_unlock:
> > mutex_unlock(&ebt_mutex);
> > --
> > 1.8.3.1
>
> --
> paul moore
> www.paul-moore.com
>

- RGB

--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Next message: Wei Yang: "Re: [PATCH] mm/vmscan.c: remove cpu online notification for now"
Previous message: Andrei Vagin: "Re: [PATCH AUTOSEL 5.5 542/542] pipe: use exclusive waits when reading or writing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]