diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-05-03 12:21:59 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-05-03 12:21:59 -0400 |
| commit | 46f0537b1ecf672052007c97f102a7e6bf0791e4 (patch) | |
| tree | 3ce7838fc32b762319bc7a0ffbc5fabbaba1cf69 /net | |
| parent | 0302e28dee643932ee7b3c112ebccdbb9f8ec32c (diff) | |
| parent | 48d0e023af9799cd7220335baf8e3ba61eeafbeb (diff) | |
Merge branch 'stable-4.12' of git://git.infradead.org/users/pcmoore/audit
Pull audit updates from Paul Moore:
"Fourteen audit patches for v4.12 that span the full range of fixes,
new features, and internal cleanups.
We have a patches to move to 64-bit timestamps, convert refcounts from
atomic_t to refcount_t, track PIDs using the pid struct instead of
pid_t, convert our own private audit buffer cache to a standard
kmem_cache, log kernel module names when they are unloaded, and
normalize the NETFILTER_PKT to make the userspace folks happier.
From a fixes perspective, the most important is likely the auditd
connection tracking RCU fix; it was a rather brain dead bug that I'll
take the blame for, but thankfully it didn't seem to affect many
people (only one report).
I think the patch subject lines and commit descriptions do a pretty
good job of explaining the details and why the changes are important
so I'll point you there instead of duplicating it here; as usual, if
you have any questions you know where to find us.
We also manage to take out more code than we put in this time, that
always makes me happy :)"
* 'stable-4.12' of git://git.infradead.org/users/pcmoore/audit:
audit: fix the RCU locking for the auditd_connection structure
audit: use kmem_cache to manage the audit_buffer cache
audit: Use timespec64 to represent audit timestamps
audit: store the auditd PID as a pid struct instead of pid_t
audit: kernel generated netlink traffic should have a portid of 0
audit: combine audit_receive() and audit_receive_skb()
audit: convert audit_watch.count from atomic_t to refcount_t
audit: convert audit_tree.count from atomic_t to refcount_t
audit: normalize NETFILTER_PKT
netfilter: use consistent ipv4 network offset in xt_AUDIT
audit: log module name on delete_module
audit: remove unnecessary semicolon in audit_watch_handle_event()
audit: remove unnecessary semicolon in audit_mark_handle_event()
audit: remove unnecessary semicolon in audit_field_valid()
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/xt_AUDIT.c | 126 |
1 files changed, 28 insertions, 98 deletions
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c index 19247a17e511..c502419d6306 100644 --- a/net/netfilter/xt_AUDIT.c +++ b/net/netfilter/xt_AUDIT.c | |||
| @@ -31,146 +31,76 @@ MODULE_ALIAS("ip6t_AUDIT"); | |||
| 31 | MODULE_ALIAS("ebt_AUDIT"); | 31 | MODULE_ALIAS("ebt_AUDIT"); |
| 32 | MODULE_ALIAS("arpt_AUDIT"); | 32 | MODULE_ALIAS("arpt_AUDIT"); |
| 33 | 33 | ||
| 34 | static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb, | 34 | static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb) |
| 35 | unsigned int proto, unsigned int offset) | ||
| 36 | { | ||
| 37 | switch (proto) { | ||
| 38 | case IPPROTO_TCP: | ||
| 39 | case IPPROTO_UDP: | ||
| 40 | case IPPROTO_UDPLITE: { | ||
| 41 | const __be16 *pptr; | ||
| 42 | __be16 _ports[2]; | ||
| 43 | |||
| 44 | pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports); | ||
| 45 | if (pptr == NULL) { | ||
| 46 | audit_log_format(ab, " truncated=1"); | ||
| 47 | return; | ||
| 48 | } | ||
| 49 | |||
| 50 | audit_log_format(ab, " sport=%hu dport=%hu", | ||
| 51 | ntohs(pptr[0]), ntohs(pptr[1])); | ||
| 52 | } | ||
| 53 | break; | ||
| 54 | |||
| 55 | case IPPROTO_ICMP: | ||
| 56 | case IPPROTO_ICMPV6: { | ||
| 57 | const u8 *iptr; | ||
| 58 | u8 _ih[2]; | ||
| 59 | |||
| 60 | iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih); | ||
| 61 | if (iptr == NULL) { | ||
| 62 | audit_log_format(ab, " truncated=1"); | ||
| 63 | return; | ||
| 64 | } | ||
| 65 | |||
| 66 | audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu", | ||
| 67 | iptr[0], iptr[1]); | ||
| 68 | |||
| 69 | } | ||
| 70 | break; | ||
| 71 | } | ||
| 72 | } | ||
| 73 | |||
| 74 | static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb) | ||
| 75 | { | 35 | { |
| 76 | struct iphdr _iph; | 36 | struct iphdr _iph; |
| 77 | const struct iphdr *ih; | 37 | const struct iphdr *ih; |
| 78 | 38 | ||
| 79 | ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); | 39 | ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph); |
| 80 | if (!ih) { | 40 | if (!ih) |
| 81 | audit_log_format(ab, " truncated=1"); | 41 | return false; |
| 82 | return; | ||
| 83 | } | ||
| 84 | 42 | ||
| 85 | audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu", | 43 | audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu", |
| 86 | &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol); | 44 | &ih->saddr, &ih->daddr, ih->protocol); |
| 87 | 45 | ||
| 88 | if (ntohs(ih->frag_off) & IP_OFFSET) { | 46 | return true; |
| 89 | audit_log_format(ab, " frag=1"); | ||
| 90 | return; | ||
| 91 | } | ||
| 92 | |||
| 93 | audit_proto(ab, skb, ih->protocol, ih->ihl * 4); | ||
| 94 | } | 47 | } |
| 95 | 48 | ||
| 96 | static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb) | 49 | static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb) |
| 97 | { | 50 | { |
| 98 | struct ipv6hdr _ip6h; | 51 | struct ipv6hdr _ip6h; |
| 99 | const struct ipv6hdr *ih; | 52 | const struct ipv6hdr *ih; |
| 100 | u8 nexthdr; | 53 | u8 nexthdr; |
| 101 | __be16 frag_off; | 54 | __be16 frag_off; |
| 102 | int offset; | ||
| 103 | 55 | ||
| 104 | ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h); | 56 | ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h); |
| 105 | if (!ih) { | 57 | if (!ih) |
| 106 | audit_log_format(ab, " truncated=1"); | 58 | return false; |
| 107 | return; | ||
| 108 | } | ||
| 109 | 59 | ||
| 110 | nexthdr = ih->nexthdr; | 60 | nexthdr = ih->nexthdr; |
| 111 | offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), | 61 | ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off); |
| 112 | &nexthdr, &frag_off); | ||
| 113 | 62 | ||
| 114 | audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu", | 63 | audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu", |
| 115 | &ih->saddr, &ih->daddr, nexthdr); | 64 | &ih->saddr, &ih->daddr, nexthdr); |
| 116 | 65 | ||
| 117 | if (offset) | 66 | return true; |
| 118 | audit_proto(ab, skb, nexthdr, offset); | ||
| 119 | } | 67 | } |
| 120 | 68 | ||
| 121 | static unsigned int | 69 | static unsigned int |
| 122 | audit_tg(struct sk_buff *skb, const struct xt_action_param *par) | 70 | audit_tg(struct sk_buff *skb, const struct xt_action_param *par) |
| 123 | { | 71 | { |
| 124 | const struct xt_audit_info *info = par->targinfo; | ||
| 125 | struct audit_buffer *ab; | 72 | struct audit_buffer *ab; |
| 73 | int fam = -1; | ||
| 126 | 74 | ||
| 127 | if (audit_enabled == 0) | 75 | if (audit_enabled == 0) |
| 128 | goto errout; | 76 | goto errout; |
| 129 | |||
| 130 | ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT); | 77 | ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT); |
| 131 | if (ab == NULL) | 78 | if (ab == NULL) |
| 132 | goto errout; | 79 | goto errout; |
| 133 | 80 | ||
| 134 | audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s", | 81 | audit_log_format(ab, "mark=%#x", skb->mark); |
| 135 | info->type, xt_hooknum(par), skb->len, | ||
| 136 | xt_in(par) ? xt_inname(par) : "?", | ||
| 137 | xt_out(par) ? xt_outname(par) : "?"); | ||
| 138 | |||
| 139 | if (skb->mark) | ||
| 140 | audit_log_format(ab, " mark=%#x", skb->mark); | ||
| 141 | |||
| 142 | if (skb->dev && skb->dev->type == ARPHRD_ETHER) { | ||
| 143 | audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x", | ||
| 144 | eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest, | ||
| 145 | ntohs(eth_hdr(skb)->h_proto)); | ||
| 146 | |||
| 147 | if (xt_family(par) == NFPROTO_BRIDGE) { | ||
| 148 | switch (eth_hdr(skb)->h_proto) { | ||
| 149 | case htons(ETH_P_IP): | ||
| 150 | audit_ip4(ab, skb); | ||
| 151 | break; | ||
| 152 | |||
| 153 | case htons(ETH_P_IPV6): | ||
| 154 | audit_ip6(ab, skb); | ||
| 155 | break; | ||
| 156 | } | ||
| 157 | } | ||
| 158 | } | ||
| 159 | 82 | ||
| 160 | switch (xt_family(par)) { | 83 | switch (xt_family(par)) { |
| 84 | case NFPROTO_BRIDGE: | ||
| 85 | switch (eth_hdr(skb)->h_proto) { | ||
| 86 | case htons(ETH_P_IP): | ||
| 87 | fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; | ||
| 88 | break; | ||
| 89 | case htons(ETH_P_IPV6): | ||
| 90 | fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; | ||
| 91 | break; | ||
| 92 | } | ||
| 93 | break; | ||
| 161 | case NFPROTO_IPV4: | 94 | case NFPROTO_IPV4: |
| 162 | audit_ip4(ab, skb); | 95 | fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1; |
| 163 | break; | 96 | break; |
| 164 | |||
| 165 | case NFPROTO_IPV6: | 97 | case NFPROTO_IPV6: |
| 166 | audit_ip6(ab, skb); | 98 | fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1; |
| 167 | break; | 99 | break; |
| 168 | } | 100 | } |
| 169 | 101 | ||
| 170 | #ifdef CONFIG_NETWORK_SECMARK | 102 | if (fam == -1) |
| 171 | if (skb->secmark) | 103 | audit_log_format(ab, " saddr=? daddr=? proto=-1"); |
| 172 | audit_log_secctx(ab, skb->secmark); | ||
| 173 | #endif | ||
| 174 | 104 | ||
| 175 | audit_log_end(ab); | 105 | audit_log_end(ab); |
| 176 | 106 | ||