
[ghak90,V5,10/10] audit: NETFILTER_PKT: record each container ID associated with a netNS

Message ID 56127b2a5b82f15cb0d0f040502c2e3bb6945f30.1552665316.git.rgb@redhat.com
State Awaiting Upstream
Delegated to: Pablo Neira
Series audit: implement container identifier | expand

Commit Message

Richard Guy Briggs March 15, 2019, 6:29 p.m. UTC
Add audit container identifier auxiliary record(s) to NETFILTER_PKT
event standalone records.  Iterate through all potential audit container
identifiers associated with a network namespace.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/linux/audit.h    |  5 +++++
 kernel/audit.c           | 41 +++++++++++++++++++++++++++++++++++++++++
 net/netfilter/nft_log.c  | 11 +++++++++--
 net/netfilter/xt_AUDIT.c | 11 +++++++++--
 4 files changed, 64 insertions(+), 4 deletions(-)

Comments

Neil Horman March 18, 2019, 8:58 p.m. UTC | #1
On Fri, Mar 15, 2019 at 02:29:58PM -0400, Richard Guy Briggs wrote:
> Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> event standalone records.  Iterate through all potential audit container
> identifiers associated with a network namespace.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  include/linux/audit.h    |  5 +++++
>  kernel/audit.c           | 41 +++++++++++++++++++++++++++++++++++++++++
>  net/netfilter/nft_log.c  | 11 +++++++++--
>  net/netfilter/xt_AUDIT.c | 11 +++++++++--
>  4 files changed, 64 insertions(+), 4 deletions(-)
> 
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 70255c2dfb9f..723e2d020228 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -214,6 +214,8 @@ static inline u64 audit_get_contid(struct task_struct *tsk)
>  extern void audit_netns_contid_del(struct net *net, u64 contid);
>  extern void audit_switch_task_namespaces(struct nsproxy *ns,
>  					 struct task_struct *p);
> +extern void audit_log_netns_contid_list(struct net *net,
> +					struct audit_context *context);
>  
>  extern u32 audit_enabled;
>  #else /* CONFIG_AUDIT */
> @@ -290,6 +292,9 @@ static inline void audit_netns_contid_del(struct net *net, u64 contid)
>  static inline void audit_switch_task_namespaces(struct nsproxy *ns,
>  						struct task_struct *p)
>  { }
> +static inline void audit_log_netns_contid_list(struct net *net,
> +					       struct audit_context *context)
> +{ }
>  
>  #define audit_enabled AUDIT_OFF
>  #endif /* CONFIG_AUDIT */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 7fa3194f5342..80ed323feeb5 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -451,6 +451,47 @@ void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p)
>  		audit_netns_contid_add(new->net_ns, contid);
>  }
>  
> +/**
> + * audit_log_netns_contid_list - List contids for the given network namespace
> + * @net: the network namespace of interest
> + * @context: the audit context to use
> + *
> + * Description:
> + * Issues a CONTAINER_ID record with a CSV list of contids associated
> + * with a network namespace to accompany a NETFILTER_PKT record.
> + */
> +void audit_log_netns_contid_list(struct net *net, struct audit_context *context)
> +{
> +	struct audit_buffer *ab = NULL;
> +	struct audit_contid *cont;
> +	bool first = true;
> +	struct audit_net *aunet;
> +
> +	/* Generate AUDIT_CONTAINER_ID record with container ID CSV list */
> +	rcu_read_lock();
> +	aunet = net_generic(net, audit_net_id);
> +	if (!aunet)
> +		goto out;
> +	list_for_each_entry_rcu(cont, &aunet->contid_list, list) {
> +		if (first) {
> +			ab = audit_log_start(context, GFP_ATOMIC,
> +					     AUDIT_CONTAINER_ID);
> +			if (!ab) {
> +				audit_log_lost("out of memory in audit_log_netns_contid_list");
> +				goto out;
> +			}
> +			audit_log_format(ab, "contid=");
> +		} else 
> +			audit_log_format(ab, ",");
> +		audit_log_format(ab, "%llu", cont->id);
> +		first = false;
> +	}
> +	audit_log_end(ab);
> +out:
> +	rcu_read_unlock();
> +}
> +EXPORT_SYMBOL(audit_log_netns_contid_list);
> +
>  void audit_panic(const char *message)
>  {
>  	switch (audit_failure) {
> diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
> index 655187bed5d8..bdb1ec2368a7 100644
> --- a/net/netfilter/nft_log.c
> +++ b/net/netfilter/nft_log.c
> @@ -69,13 +69,16 @@ static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
>  	struct sk_buff *skb = pkt->skb;
>  	struct audit_buffer *ab;
>  	int fam = -1;
> +	struct audit_context *context;
> +	struct net *net;
>  
>  	if (!audit_enabled)
>  		return;
>  
> -	ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> +	context = audit_alloc_local(GFP_ATOMIC);
> +	ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>  	if (!ab)
> -		return;
> +		goto errout;
>  
>  	audit_log_format(ab, "mark=%#x", skb->mark);
>  
> @@ -102,6 +105,10 @@ static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
>  		audit_log_format(ab, " saddr=? daddr=? proto=-1");
>  
>  	audit_log_end(ab);
> +	net = xt_net(&pkt->xt);
> +	audit_log_netns_contid_list(net, context);
> +errout:
> +	audit_free_context(context);
>  }
>  
>  static void nft_log_eval(const struct nft_expr *expr,
> diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> index af883f1b64f9..a3e547435f13 100644
> --- a/net/netfilter/xt_AUDIT.c
> +++ b/net/netfilter/xt_AUDIT.c
> @@ -71,10 +71,13 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
>  {
>  	struct audit_buffer *ab;
>  	int fam = -1;
> +	struct audit_context *context;
> +	struct net *net;
>  
>  	if (audit_enabled == AUDIT_OFF)
> -		goto errout;
> -	ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> +		goto out;
> +	context = audit_alloc_local(GFP_ATOMIC);
> +	ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>  	if (ab == NULL)
>  		goto errout;
>  
> @@ -104,7 +107,11 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
>  
>  	audit_log_end(ab);
>  
> +	net = xt_net(par);
> +	audit_log_netns_contid_list(net, context);
>  errout:
> +	audit_free_context(context);
> +out:
>  	return XT_CONTINUE;
>  }
>  
> -- 
> 1.8.3.1
> 
> 
minus the whitespace fix
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Ondrej Mosnacek March 27, 2019, 10:52 p.m. UTC | #2
On Fri, Mar 15, 2019 at 7:35 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> event standalone records.  Iterate through all potential audit container
> identifiers associated with a network namespace.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>

Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>

(Just note another "%llu"/u64 occurrence, in case you plan to add the casts.)

> ---
>  include/linux/audit.h    |  5 +++++
>  kernel/audit.c           | 41 +++++++++++++++++++++++++++++++++++++++++
>  net/netfilter/nft_log.c  | 11 +++++++++--
>  net/netfilter/xt_AUDIT.c | 11 +++++++++--
>  4 files changed, 64 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 70255c2dfb9f..723e2d020228 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -214,6 +214,8 @@ static inline u64 audit_get_contid(struct task_struct *tsk)
>  extern void audit_netns_contid_del(struct net *net, u64 contid);
>  extern void audit_switch_task_namespaces(struct nsproxy *ns,
>                                          struct task_struct *p);
> +extern void audit_log_netns_contid_list(struct net *net,
> +                                       struct audit_context *context);
>
>  extern u32 audit_enabled;
>  #else /* CONFIG_AUDIT */
> @@ -290,6 +292,9 @@ static inline void audit_netns_contid_del(struct net *net, u64 contid)
>  static inline void audit_switch_task_namespaces(struct nsproxy *ns,
>                                                 struct task_struct *p)
>  { }
> +static inline void audit_log_netns_contid_list(struct net *net,
> +                                              struct audit_context *context)
> +{ }
>
>  #define audit_enabled AUDIT_OFF
>  #endif /* CONFIG_AUDIT */
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 7fa3194f5342..80ed323feeb5 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -451,6 +451,47 @@ void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p)
>                 audit_netns_contid_add(new->net_ns, contid);
>  }
>
> +/**
> + * audit_log_netns_contid_list - List contids for the given network namespace
> + * @net: the network namespace of interest
> + * @context: the audit context to use
> + *
> + * Description:
> + * Issues a CONTAINER_ID record with a CSV list of contids associated
> + * with a network namespace to accompany a NETFILTER_PKT record.
> + */
> +void audit_log_netns_contid_list(struct net *net, struct audit_context *context)
> +{
> +       struct audit_buffer *ab = NULL;
> +       struct audit_contid *cont;
> +       bool first = true;
> +       struct audit_net *aunet;
> +
> +       /* Generate AUDIT_CONTAINER_ID record with container ID CSV list */
> +       rcu_read_lock();
> +       aunet = net_generic(net, audit_net_id);
> +       if (!aunet)
> +               goto out;
> +       list_for_each_entry_rcu(cont, &aunet->contid_list, list) {
> +               if (first) {
> +                       ab = audit_log_start(context, GFP_ATOMIC,
> +                                            AUDIT_CONTAINER_ID);
> +                       if (!ab) {
> +                               audit_log_lost("out of memory in audit_log_netns_contid_list");
> +                               goto out;
> +                       }
> +                       audit_log_format(ab, "contid=");
> +               } else
> +                       audit_log_format(ab, ",");
> +               audit_log_format(ab, "%llu", cont->id);
> +               first = false;
> +       }
> +       audit_log_end(ab);
> +out:
> +       rcu_read_unlock();
> +}
> +EXPORT_SYMBOL(audit_log_netns_contid_list);
> +
>  void audit_panic(const char *message)
>  {
>         switch (audit_failure) {
> diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
> index 655187bed5d8..bdb1ec2368a7 100644
> --- a/net/netfilter/nft_log.c
> +++ b/net/netfilter/nft_log.c
> @@ -69,13 +69,16 @@ static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
>         struct sk_buff *skb = pkt->skb;
>         struct audit_buffer *ab;
>         int fam = -1;
> +       struct audit_context *context;
> +       struct net *net;
>
>         if (!audit_enabled)
>                 return;
>
> -       ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> +       context = audit_alloc_local(GFP_ATOMIC);
> +       ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>         if (!ab)
> -               return;
> +               goto errout;
>
>         audit_log_format(ab, "mark=%#x", skb->mark);
>
> @@ -102,6 +105,10 @@ static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
>                 audit_log_format(ab, " saddr=? daddr=? proto=-1");
>
>         audit_log_end(ab);
> +       net = xt_net(&pkt->xt);
> +       audit_log_netns_contid_list(net, context);
> +errout:
> +       audit_free_context(context);
>  }
>
>  static void nft_log_eval(const struct nft_expr *expr,
> diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> index af883f1b64f9..a3e547435f13 100644
> --- a/net/netfilter/xt_AUDIT.c
> +++ b/net/netfilter/xt_AUDIT.c
> @@ -71,10 +71,13 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
>  {
>         struct audit_buffer *ab;
>         int fam = -1;
> +       struct audit_context *context;
> +       struct net *net;
>
>         if (audit_enabled == AUDIT_OFF)
> -               goto errout;
> -       ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
> +               goto out;
> +       context = audit_alloc_local(GFP_ATOMIC);
> +       ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>         if (ab == NULL)
>                 goto errout;
>
> @@ -104,7 +107,11 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
>
>         audit_log_end(ab);
>
> +       net = xt_net(par);
> +       audit_log_netns_contid_list(net, context);
>  errout:
> +       audit_free_context(context);
> +out:
>         return XT_CONTINUE;
>  }
>
> --
> 1.8.3.1
>
Paul Moore April 1, 2019, 2:50 p.m. UTC | #3
On Fri, Mar 15, 2019 at 2:35 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> event standalone records.  Iterate through all potential audit container
> identifiers associated with a network namespace.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  include/linux/audit.h    |  5 +++++
>  kernel/audit.c           | 41 +++++++++++++++++++++++++++++++++++++++++
>  net/netfilter/nft_log.c  | 11 +++++++++--
>  net/netfilter/xt_AUDIT.c | 11 +++++++++--
>  4 files changed, 64 insertions(+), 4 deletions(-)

...

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 7fa3194f5342..80ed323feeb5 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -451,6 +451,47 @@ void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p)
>                 audit_netns_contid_add(new->net_ns, contid);
>  }
>
> +/**
> + * audit_log_netns_contid_list - List contids for the given network namespace
> + * @net: the network namespace of interest
> + * @context: the audit context to use
> + *
> + * Description:
> + * Issues a CONTAINER_ID record with a CSV list of contids associated
> + * with a network namespace to accompany a NETFILTER_PKT record.
> + */
> +void audit_log_netns_contid_list(struct net *net, struct audit_context *context)
> +{
> +       struct audit_buffer *ab = NULL;
> +       struct audit_contid *cont;
> +       bool first = true;
> +       struct audit_net *aunet;
> +
> +       /* Generate AUDIT_CONTAINER_ID record with container ID CSV list */
> +       rcu_read_lock();
> +       aunet = net_generic(net, audit_net_id);
> +       if (!aunet)
> +               goto out;
> +       list_for_each_entry_rcu(cont, &aunet->contid_list, list) {
> +               if (first) {

This is borderline nit-picky, but it seems like we could get rid of
"first" and just check to see if "ab" is still NULL.

> +                       ab = audit_log_start(context, GFP_ATOMIC,
> +                                            AUDIT_CONTAINER_ID);
> +                       if (!ab) {
> +                               audit_log_lost("out of memory in audit_log_netns_contid_list");
> +                               goto out;
> +                       }
> +                       audit_log_format(ab, "contid=");
> +               } else
> +                       audit_log_format(ab, ",");
> +               audit_log_format(ab, "%llu", cont->id);
> +               first = false;
> +       }
> +       audit_log_end(ab);
> +out:
> +       rcu_read_unlock();
> +}
> +EXPORT_SYMBOL(audit_log_netns_contid_list);
Richard Guy Briggs April 1, 2019, 5:50 p.m. UTC | #4
On 2019-04-01 10:50, Paul Moore wrote:
> On Fri, Mar 15, 2019 at 2:35 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > Add audit container identifier auxiliary record(s) to NETFILTER_PKT
> > event standalone records.  Iterate through all potential audit container
> > identifiers associated with a network namespace.
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  include/linux/audit.h    |  5 +++++
> >  kernel/audit.c           | 41 +++++++++++++++++++++++++++++++++++++++++
> >  net/netfilter/nft_log.c  | 11 +++++++++--
> >  net/netfilter/xt_AUDIT.c | 11 +++++++++--
> >  4 files changed, 64 insertions(+), 4 deletions(-)
> 
> ...
> 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 7fa3194f5342..80ed323feeb5 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -451,6 +451,47 @@ void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p)
> >                 audit_netns_contid_add(new->net_ns, contid);
> >  }
> >
> > +/**
> > + * audit_log_netns_contid_list - List contids for the given network namespace
> > + * @net: the network namespace of interest
> > + * @context: the audit context to use
> > + *
> > + * Description:
> > + * Issues a CONTAINER_ID record with a CSV list of contids associated
> > + * with a network namespace to accompany a NETFILTER_PKT record.
> > + */
> > +void audit_log_netns_contid_list(struct net *net, struct audit_context *context)
> > +{
> > +       struct audit_buffer *ab = NULL;
> > +       struct audit_contid *cont;
> > +       bool first = true;
> > +       struct audit_net *aunet;
> > +
> > +       /* Generate AUDIT_CONTAINER_ID record with container ID CSV list */
> > +       rcu_read_lock();
> > +       aunet = net_generic(net, audit_net_id);
> > +       if (!aunet)
> > +               goto out;
> > +       list_for_each_entry_rcu(cont, &aunet->contid_list, list) {
> > +               if (first) {
> 
> This is borderline nit-picky, but it seems like we could get rid of
> "first" and just check to see if "ab" is still NULL.

Yes, this is a better way, thank you.

> > +                       ab = audit_log_start(context, GFP_ATOMIC,
> > +                                            AUDIT_CONTAINER_ID);
> > +                       if (!ab) {
> > +                               audit_log_lost("out of memory in audit_log_netns_contid_list");
> > +                               goto out;
> > +                       }
> > +                       audit_log_format(ab, "contid=");
> > +               } else
> > +                       audit_log_format(ab, ",");
> > +               audit_log_format(ab, "%llu", cont->id);
> > +               first = false;
> > +       }
> > +       audit_log_end(ab);
> > +out:
> > +       rcu_read_unlock();
> > +}
> > +EXPORT_SYMBOL(audit_log_netns_contid_list);
> 
> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Patch

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 70255c2dfb9f..723e2d020228 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -214,6 +214,8 @@  static inline u64 audit_get_contid(struct task_struct *tsk)
 extern void audit_netns_contid_del(struct net *net, u64 contid);
 extern void audit_switch_task_namespaces(struct nsproxy *ns,
 					 struct task_struct *p);
+extern void audit_log_netns_contid_list(struct net *net,
+					struct audit_context *context);
 
 extern u32 audit_enabled;
 #else /* CONFIG_AUDIT */
@@ -290,6 +292,9 @@  static inline void audit_netns_contid_del(struct net *net, u64 contid)
 static inline void audit_switch_task_namespaces(struct nsproxy *ns,
 						struct task_struct *p)
 { }
+static inline void audit_log_netns_contid_list(struct net *net,
+					       struct audit_context *context)
+{ }
 
 #define audit_enabled AUDIT_OFF
 #endif /* CONFIG_AUDIT */
diff --git a/kernel/audit.c b/kernel/audit.c
index 7fa3194f5342..80ed323feeb5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -451,6 +451,47 @@  void audit_switch_task_namespaces(struct nsproxy *ns, struct task_struct *p)
 		audit_netns_contid_add(new->net_ns, contid);
 }
 
+/**
+ * audit_log_netns_contid_list - List contids for the given network namespace
+ * @net: the network namespace of interest
+ * @context: the audit context to use
+ *
+ * Description:
+ * Issues a CONTAINER_ID record with a CSV list of contids associated
+ * with a network namespace to accompany a NETFILTER_PKT record.
+ */
+void audit_log_netns_contid_list(struct net *net, struct audit_context *context)
+{
+	struct audit_buffer *ab = NULL;
+	struct audit_contid *cont;
+	bool first = true;
+	struct audit_net *aunet;
+
+	/* Generate AUDIT_CONTAINER_ID record with container ID CSV list */
+	rcu_read_lock();
+	aunet = net_generic(net, audit_net_id);
+	if (!aunet)
+		goto out;
+	list_for_each_entry_rcu(cont, &aunet->contid_list, list) {
+		if (first) {
+			ab = audit_log_start(context, GFP_ATOMIC,
+					     AUDIT_CONTAINER_ID);
+			if (!ab) {
+				audit_log_lost("out of memory in audit_log_netns_contid_list");
+				goto out;
+			}
+			audit_log_format(ab, "contid=");
+		} else 
+			audit_log_format(ab, ",");
+		audit_log_format(ab, "%llu", cont->id);
+		first = false;
+	}
+	audit_log_end(ab);
+out:
+	rcu_read_unlock();
+}
+EXPORT_SYMBOL(audit_log_netns_contid_list);
+
 void audit_panic(const char *message)
 {
 	switch (audit_failure) {
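Review bot: The `audit_log_lost("out of memory in audit_log_netns_contid_list")` on the `audit_log_start()` failure path inside `audit_log_netns_contid_list()` is misleading and, I believe, double-counts: `audit_log_start()` returns NULL for more than allocation failure (the backlog/rate-limit path in particular), and in those cases the core already accounts for the dropped record itself, so a second `audit_log_lost()` inflates the lost counter and can trip the `audit_failure` policy earlier than intended. The NETFILTER_PKT callers in xt_AUDIT.c and nft_log.c do not call `audit_log_lost()` when their own `audit_log_start()` fails, so this auxiliary record is also accounted differently from the record it accompanies. Suggest dropping the call and leaving just `goto out;`, or, if the separate signal is deliberate, a one-line comment explaining why the aux record is counted when the parent is not.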
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index 655187bed5d8..bdb1ec2368a7 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -69,13 +69,16 @@  static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
 	struct sk_buff *skb = pkt->skb;
 	struct audit_buffer *ab;
 	int fam = -1;
+	struct audit_context *context;
+	struct net *net;
 
 	if (!audit_enabled)
 		return;
 
-	ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
+	context = audit_alloc_local(GFP_ATOMIC);
+	ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
 	if (!ab)
-		return;
+		goto errout;
 
 	audit_log_format(ab, "mark=%#x", skb->mark);
 
@@ -102,6 +105,10 @@  static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
 		audit_log_format(ab, " saddr=? daddr=? proto=-1");
 
 	audit_log_end(ab);
+	net = xt_net(&pkt->xt);
+	audit_log_netns_contid_list(net, context);
+errout:
+	audit_free_context(context);
 }
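Review bot: `audit_log_netns_contid_list(net, context)` is called with whatever `audit_alloc_local(GFP_ATOMIC)` returned earlier in `nft_log_eval_audit()` (the allocation sits in the previous hunk), and if that allocation can fail under memory pressure the CONTAINER_ID record is then emitted against a fresh serial rather than the NETFILTER_PKT it is meant to annotate — an orphan record that a consumer correlates wrongly or not at all. The NETFILTER_PKT record itself degrades safely (a NULL context is exactly the pre-patch behaviour), so the guard only needs to cover the auxiliary record: `if (context) audit_log_netns_contid_list(net, context);`, on the assumption that `audit_free_context()` already tolerates NULL, which the `errout` path taken after a failed `audit_log_start()` relies on anyway. `nft_log_eval_audit()` begins outside this hunk.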
 
 static void nft_log_eval(const struct nft_expr *expr,
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index af883f1b64f9..a3e547435f13 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -71,10 +71,13 @@  static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 {
 	struct audit_buffer *ab;
 	int fam = -1;
+	struct audit_context *context;
+	struct net *net;
 
 	if (audit_enabled == AUDIT_OFF)
-		goto errout;
-	ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
+		goto out;
+	context = audit_alloc_local(GFP_ATOMIC);
+	ab = audit_log_start(context, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
 	if (ab == NULL)
 		goto errout;
 
@@ -104,7 +107,11 @@  static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 
 	audit_log_end(ab);
 
+	net = xt_net(par);
+	audit_log_netns_contid_list(net, context);
 errout:
+	audit_free_context(context);
+out:
 	return XT_CONTINUE;
 }
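Review bot: `audit_log_netns_contid_list(net, context)` does not check that the `audit_alloc_local()` call in the previous hunk actually returned a context, so if that GFP_ATOMIC allocation fails the CONTAINER_ID auxiliary record would be logged with its own serial and timestamp and no longer be associated with the NETFILTER_PKT record emitted just above it, which defeats the purpose of the aux record for anyone correlating events. A one-line guard, `if (context) audit_log_netns_contid_list(net, context);`, keeps the primary record (which already tolerates a NULL context) and drops only the auxiliary one that could not be linked. The enclosing target function starts outside this hunk; the `@@` context line naming `audit_ip6` is a diff artefact, the edited body is the target function that follows it.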