[PATCH v2] audit: log nftables configuration change events once per table
Richard Guy Briggs
rgb at redhat.com
Tue Mar 23 19:41:15 UTC 2021
On 2021-03-22 23:57, Pablo Neira Ayuso wrote:
> On Mon, Mar 22, 2021 at 04:49:04PM -0400, Richard Guy Briggs wrote:
> > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > index c1eb5cdb3033..42ba44890523 100644
> > --- a/net/netfilter/nf_tables_api.c
> > +++ b/net/netfilter/nf_tables_api.c
> [...]
> > @@ -8006,12 +7938,47 @@ static void nft_commit_notify(struct net *net, u32 portid)
> > WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
> > }
> >
> > +void nf_tables_commit_audit_collect(struct list_head *adl,
> > + struct nft_trans *trans) {
>
> nitpick: curly brace starts in the line.
Duh, whoops! Brain fart. Too much muckin' in other codebases...
> > + struct nft_audit_data *adp;
> > +
> > + list_for_each_entry(adp, adl, list) {
> > + if (adp->table == trans->ctx.table)
> > + goto found;
> > + }
> > + adp = kzalloc(sizeof(*adp), GFP_KERNEL);
>
> if (!adp)
> ...
This will need a bit more work since by the time this is called,
nf_tables_commit() is not prepared to accept any errors, so I'll need to
either ignore the error and continue, or allocate the table entries
before step 3.
> > + adp->table = trans->ctx.table;
> > + INIT_LIST_HEAD(&adp->list);
> > + list_add(&adp->list, adl);
> > +found:
> > + adp->entries++;
> > + if (!adp->op || adp->op > trans->msg_type)
> > + adp->op = trans->msg_type;
> > +}
> > +
> > +#define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
> > +
> > +void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) {
> ^
> same thing here
>
> > + struct nft_audit_data *adp, *adn;
> > + char aubuf[AUNFTABLENAMELEN];
> > +
> > + list_for_each_entry_safe(adp, adn, adl, list) {
> > + snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
> > + generation);
> > + audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
> > + nft2audit_op[adp->op], GFP_KERNEL);
> > + list_del(&adp->list);
> > + kfree(adp);
> > + }
> > +}
> > +
> > static int nf_tables_commit(struct net *net, struct sk_buff *skb)
> > {
> > struct nft_trans *trans, *next;
> > struct nft_trans_elem *te;
> > struct nft_chain *chain;
> > struct nft_table *table;
> > + LIST_HEAD(adl);
> > int err;
> >
> > if (list_empty(&net->nft.commit_list)) {
> > @@ -8206,12 +8173,15 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
> > }
> > break;
> > }
> > + nf_tables_commit_audit_collect(&adl, trans);
> > }
> >
> > nft_commit_notify(net, NETLINK_CB(skb).portid);
> > nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
> > nf_tables_commit_release(net);
> >
> > + nf_tables_commit_audit_log(&adl, net->nft.base_seq);
> > +
>
> This looks more self-contained and nicer, thanks.
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list