
[4/6,RFC] netfilter: ebtables: audit table registration

Message ID d3dbe9460fbe3b1b264c65237111b5c0e2b8ebf9.1495124188.git.rgb@redhat.com
State RFC
Delegated to: Pablo Neira

Commit Message

Richard Guy Briggs May 18, 2017, 5:21 p.m. UTC
Generate audit NETFILTER_CFG records on ebtables table registration.

Previously this was only being done for all x_tables operations and ebtables
table replacement.

Audit only when there is an existing syscall audit rule, otherwise issue a
standalone record only on table modification rather than empty table creation.
Include subject attributes in the new standalone NETFILTER_CFGSOLO record using
audit_log_task().

Here is a sample accompanied record:
  type=NETFILTER_CFG msg=audit(1494907217.558:5403): family=7 table=filter entries=0

and unaccompanied case:
  type=UNKNOWN[1331] msg=audit(1494723394.832:111): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=556 comm="ebtables-restor" exe="/usr/sbin/ebtables-restore" family=7 table=broute entries=1

See: https://github.com/linux-audit/audit-kernel/issues/43

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 net/bridge/netfilter/ebtables.c |   26 ++++++++++++++++++++++++++
 1 files changed, 26 insertions(+), 0 deletions(-)

Comments

Paul Moore June 2, 2017, 3:27 p.m. UTC | #1
On Thu, May 18, 2017 at 1:21 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> Generate audit NETFILTER_CFG records on ebtables table registration.
>
> Previously this was only being done for all x_tables operations and ebtables
> table replacement.
>
> Audit only when there is an existing syscall audit rule, otherwise issue a
> standalone record only on table modification rather than empty table creation.
> Include subject attributes to the new standalone NETFILTER_CFGSOLO record using
> audit_log_task().
>
> Here is a sample accompanied record:
>   type=NETFILTER_CFG msg=audit(1494907217.558:5403): family=7 table=filter entries=0
>
> and unaccompanied case:
>   type=UNKNOWN[1331] msg=audit(1494723394.832:111): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=556 comm="ebtables-restor" exe="/usr/sbin/ebtables-restore" family=7 table=broute entries=1
>
> See: https://github.com/linux-audit/audit-kernel/issues/43
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  net/bridge/netfilter/ebtables.c |   26 ++++++++++++++++++++++++++
>  1 files changed, 26 insertions(+), 0 deletions(-)
>
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 743f9e6..7499232 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -1251,6 +1251,32 @@ struct ebt_table * ebt_register_table(struct net *net,
>         }
>         list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
>         mutex_unlock(&ebt_mutex);
> +#ifdef CONFIG_AUDIT
> +       if (audit_enabled) {
> +               struct audit_buffer *ab;
> +
> +               if(!audit_dummy_context()) {
> +                       ab = audit_log_start(current->audit_context, GFP_KERNEL,
> +                                            AUDIT_NETFILTER_CFG);
> +                       if (ab) {
> +                               audit_log_format(ab, "family=%u table=%s entries=%u",
> +                                                AF_BRIDGE, repl->name,
> +                                                repl->nentries);
> +                               audit_log_end(ab);
> +                       }
> +               } else if(repl->nentries) {
> +                       ab = audit_log_start(NULL, GFP_KERNEL,
> +                                            AUDIT_NETFILTER_CFGSOLO);
> +                       if (ab) {
> +                               audit_log_task(ab);
> +                               audit_log_format(ab, " family=%u table=%s entries=%u",
> +                                                AF_BRIDGE, repl->name,
> +                                                repl->nentries);
> +                               audit_log_end(ab);
> +                       }
> +               }
> +       }
> +#endif

Similar comments from patch 3/6 apply here, let's stick with a single
audit record type.

Patch

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 743f9e6..7499232 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1251,6 +1251,32 @@  struct ebt_table * ebt_register_table(struct net *net,
 	}
 	list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
 	mutex_unlock(&ebt_mutex);
+#ifdef CONFIG_AUDIT
+	if (audit_enabled) {
+		struct audit_buffer *ab;
+
+		if(!audit_dummy_context()) {
+			ab = audit_log_start(current->audit_context, GFP_KERNEL,
+					     AUDIT_NETFILTER_CFG);
+			if (ab) {
+				audit_log_format(ab, "family=%u table=%s entries=%u",
+						 AF_BRIDGE, repl->name,
+						 repl->nentries);
+				audit_log_end(ab);
+			}
+		} else if(repl->nentries) {
+			ab = audit_log_start(NULL, GFP_KERNEL,
+					     AUDIT_NETFILTER_CFGSOLO);
+			if (ab) {
+				audit_log_task(ab);
+				audit_log_format(ab, " family=%u table=%s entries=%u",
+						 AF_BRIDGE, repl->name,
+						 repl->nentries);
+				audit_log_end(ab);
+			}
+		}
+	}
+#endif
 	return table;
 free_unlock:
 	mutex_unlock(&ebt_mutex);
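Review bot: The two new conditionals at `if(!audit_dummy_context()) {` and `} else if(repl->nentries) {` are missing the space after `if` that kernel coding style requires, and checkpatch will flag both; they should read `if (!audit_dummy_context()) {` and `} else if (repl->nentries) {`. The same format string and argument triple `AF_BRIDGE, repl->name, repl->nentries` is spelled out twice, differing only in the leading space, so the two `audit_log_format()` calls could share a single call once the record-type decision is made, which would also keep the field layout of the two records from drifting apart. ebt_register_table() begins before this hunk; only its tail is visible here.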