Merge tag 'audit-pr-20260203' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit

Pull audit updates from Paul Moore:

- Improve the NETFILTER_PKT audit records

Add source and destination ports to the NETFILTER_PKT audit records
while also consolidating a lot of the code into a new, singular
audit_log_nf_skb() function. This new approach to structuring the
NETFILTER_PKT record generation should eliminate some unnecessary
overhead when audit is not built into the kernel.

- Update the audit syscall classifier code

Add the listxattrat(), getxattrat(), and fchmodat2() syscalls to the
audit code which classifies syscalls into categories of operations,
e.g. "read" or "change attributes".

- Move the syscall classifier declarations into audit_arch.h

Shuffle around some header file declarations to resolve some sparse
warnings.

* tag 'audit-pr-20260203' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: move the compat_xxx_class[] extern declarations to audit_arch.h
audit: add missing syscalls to read class
audit: include source and destination ports to NETFILTER_PKT
audit: add audit_log_nf_skb helper function
audit: add fchmodat2() to change attributes class

+185 -120
+3
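--- a/include/asm-generic/audit_change_attr.h
+++ b/include/asm-generic/audit_change_attr.h
@@ -26,6 +26,9 @@
 __NR_fchownat,
 __NR_fchmodat,
 #endif
+#ifdef __NR_fchmodat2
+__NR_fchmodat2,
+#endif
 #ifdef __NR_chown32
 __NR_chown32,
 __NR_fchown32,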
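Review bot: Only fchmodat2() is added to the change-attributes class here, while the read class gains getxattrat() and listxattrat() in the same series; as far as I recall, setxattrat() and removexattrat() were introduced alongside those two, and if setxattr()/removexattr() are already classified in this header (outside the hunk) the new variants belong here as well, under the same guard style: `#ifdef __NR_setxattrat` / `__NR_setxattrat,` / `#endif` (and likewise for `__NR_removexattrat`). Otherwise a chattr-class audit watch silently misses the new entry points, which is the kind of gap this commit is fixing for the read class. Worth checking against the full list before merging.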
+6
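--- a/include/asm-generic/audit_read.h
+++ b/include/asm-generic/audit_read.h
@@ -4,9 +4,15 @@
 #endif
 __NR_quotactl,
 __NR_listxattr,
+#ifdef __NR_listxattrat
+__NR_listxattrat,
+#endif
 __NR_llistxattr,
 __NR_flistxattr,
 __NR_getxattr,
+#ifdef __NR_getxattrat
+__NR_getxattrat,
+#endif
 __NR_lgetxattr,
 __NR_fgetxattr,
 #ifdef __NR_readlinkat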
+8 -6
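--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -128,12 +128,6 @@
 extern int __init audit_register_class(int class, unsigned *list);
 extern int audit_classify_syscall(int abi, unsigned syscall);
 extern int audit_classify_arch(int arch);
-/* only for compat system calls */
-extern unsigned compat_write_class[];
-extern unsigned compat_read_class[];
-extern unsigned compat_dir_class[];
-extern unsigned compat_chattr_class[];
-extern unsigned compat_signal_class[];
 
 /* audit_names->type values */
 #define AUDIT_TYPE_UNKNOWN	0	/* we don't know yet */
@@ -189,6 +195,8 @@
 extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab);
+extern int audit_log_nf_skb(struct audit_buffer *ab,
+			    const struct sk_buff *skb, u8 nfproto);
 
 extern int audit_update_lsm_rules(void);
 
@@ -267,6 +271,12 @@
 }
 static inline void audit_log_task_info(struct audit_buffer *ab)
 { }
+
+static inline int audit_log_nf_skb(struct audit_buffer *ab,
+				   const struct sk_buff *skb, u8 nfproto)
+{
+	return 0;
+}
 
 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 {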
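Review bot: audit_log_nf_skb() enters the public header with no comment on what it appends to the record or what its return value means, and both callers in this series discard that value, so the contract is effectively undocumented. I would add a kernel-doc block on the definition in kernel/audit.c stating that it appends saddr/daddr/proto (plus sport/dport for TCP, UDP, UDP-Lite and SCTP) to @ab, that @nfproto is the netfilter family with NFPROTO_BRIDGE resolved through the Ethernet type, and, importantly, that it returns 0 on success, -EPFNOSUPPORT after writing placeholder fields for an unsupported family, and a negative errno with nothing written when a header cannot be read. The last case is the one a caller needs to know about, since a record missing those fields otherwise looks like every other NETFILTER_PKT record.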
+7
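--- a/include/linux/audit_arch.h
+++ b/include/linux/audit_arch.h
@@ -23,4 +23,11 @@
 
 extern int audit_classify_compat_syscall(int abi, unsigned syscall);
 
+/* only for compat system calls */
+extern unsigned compat_write_class[];
+extern unsigned compat_read_class[];
+extern unsigned compat_dir_class[];
+extern unsigned compat_chattr_class[];
+extern unsigned compat_signal_class[];
+
 #endif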
+159
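--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -58,6 +58,9 @@
 #include <linux/freezer.h>
 #include <linux/pid_namespace.h>
 #include <net/netns/generic.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <linux/sctp.h>
 
 #include "audit.h"
 
@@ -2490,6 +2487,162 @@
 	audit_log_format(ab, " res=0");
 	audit_log_end(ab);
 }
+
+int audit_log_nf_skb(struct audit_buffer *ab,
+		     const struct sk_buff *skb, u8 nfproto)
+{
+	/* find the IP protocol in the case of NFPROTO_BRIDGE */
+	if (nfproto == NFPROTO_BRIDGE) {
+		switch (eth_hdr(skb)->h_proto) {
+		case htons(ETH_P_IP):
+			nfproto = NFPROTO_IPV4;
+			break;
+		case htons(ETH_P_IPV6):
+			nfproto = NFPROTO_IPV6;
+			break;
+		default:
+			goto unknown_proto;
+		}
+	}
+
+	switch (nfproto) {
+	case NFPROTO_IPV4: {
+		struct iphdr iph;
+		const struct iphdr *ih;
+
+		ih = skb_header_pointer(skb, skb_network_offset(skb),
+					sizeof(iph), &iph);
+		if (!ih)
+			return -ENOMEM;
+
+		switch (ih->protocol) {
+		case IPPROTO_TCP: {
+			struct tcphdr _tcph;
+			const struct tcphdr *th;
+
+			th = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_tcph), &_tcph);
+			if (!th)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, ih->protocol,
+					 ntohs(th->source), ntohs(th->dest));
+			break;
+		}
+		case IPPROTO_UDP:
+		case IPPROTO_UDPLITE: {
+			struct udphdr _udph;
+			const struct udphdr *uh;
+
+			uh = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_udph), &_udph);
+			if (!uh)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, ih->protocol,
+					 ntohs(uh->source), ntohs(uh->dest));
+			break;
+		}
+		case IPPROTO_SCTP: {
+			struct sctphdr _sctph;
+			const struct sctphdr *sh;
+
+			sh = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_sctph), &_sctph);
+			if (!sh)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, ih->protocol,
+					 ntohs(sh->source), ntohs(sh->dest));
+			break;
+		}
+		default:
+			audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+					 &ih->saddr, &ih->daddr, ih->protocol);
+		}
+
+		break;
+	}
+	case NFPROTO_IPV6: {
+		struct ipv6hdr iph;
+		const struct ipv6hdr *ih;
+		u8 nexthdr;
+		__be16 frag_off;
+
+		ih = skb_header_pointer(skb, skb_network_offset(skb),
+					sizeof(iph), &iph);
+		if (!ih)
+			return -ENOMEM;
+
+		nexthdr = ih->nexthdr;
+		ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(iph),
+				 &nexthdr, &frag_off);
+
+		switch (nexthdr) {
+		case IPPROTO_TCP: {
+			struct tcphdr _tcph;
+			const struct tcphdr *th;
+
+			th = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_tcph), &_tcph);
+			if (!th)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, nexthdr,
+					 ntohs(th->source), ntohs(th->dest));
+			break;
+		}
+		case IPPROTO_UDP:
+		case IPPROTO_UDPLITE: {
+			struct udphdr _udph;
+			const struct udphdr *uh;
+
+			uh = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_udph), &_udph);
+			if (!uh)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, nexthdr,
+					 ntohs(uh->source), ntohs(uh->dest));
+			break;
+		}
+		case IPPROTO_SCTP: {
+			struct sctphdr _sctph;
+			const struct sctphdr *sh;
+
+			sh = skb_header_pointer(skb, skb_transport_offset(skb),
+						sizeof(_sctph), &_sctph);
+			if (!sh)
+				return -ENOMEM;
+
+			audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu sport=%hu dport=%hu",
+					 &ih->saddr, &ih->daddr, nexthdr,
+					 ntohs(sh->source), ntohs(sh->dest));
+			break;
+		}
+		default:
+			audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+					 &ih->saddr, &ih->daddr, nexthdr);
+		}
+
+		break;
+	}
+	default:
+		goto unknown_proto;
+	}
+
+	return 0;
+
+unknown_proto:
+	audit_log_format(ab, " saddr=? daddr=? proto=?");
+	return -EPFNOSUPPORT;
+}
+EXPORT_SYMBOL(audit_log_nf_skb);
 
 /* global counter which is incremented every time something logs in */
 static atomic_t session_id = ATOMIC_INIT(0);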
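Review bot: The sport/dport lookups in audit_log_nf_skb() read the transport header at skb_transport_offset(skb), an offset that is never validated against the packet itself: the IPv6 branch discards the return value of ipv6_skip_exthdr(), which is precisely the offset of the upper-layer header behind any extension headers (or -1 for a truncated chain), and the IPv4 branch never consults ih->ihl. On paths where skb->transport_header is not yet final (IPv6 with extension headers before the ext-header walk done at local delivery, and, as far as I can tell, NFPROTO_BRIDGE frames where the stack has not set it) the logged ports are whatever bytes sit at that offset, so a crafted packet can plant arbitrary port values in a record that is consumed as forensic evidence. Other netfilter loggers derive the L4 offset from the IP header (ih->ihl * 4 and the ipv6_skip_exthdr() result) and omit ports for non-first fragments; the sketch below does the same and falls back to the existing address-only record when the L4 header is not reachable. Minor: -ENOMEM for a short packet reads as an allocation failure; -EINVAL (or writing the placeholder fields before returning) describes a truncated skb better.
```c
	case NFPROTO_IPV4: {
		struct iphdr iph;
		const struct iphdr *ih;
		int thoff;

		/* … unchanged: skb_header_pointer() lookup of the IPv4 header … */

		/*
		 * Locate the L4 header from the packet itself; skb->transport_header
		 * is not guaranteed to be set or final on every hook/family.  No
		 * ports for a bogus IHL or a non-first fragment (L4 header absent).
		 */
		thoff = skb_network_offset(skb) + ih->ihl * 4;
		if (ih->ihl < 5 || (ih->frag_off & htons(IP_OFFSET)))
			thoff = -1;

		switch (thoff < 0 ? IPPROTO_NONE : ih->protocol) {
		case IPPROTO_TCP: {
			struct tcphdr _tcph;
			const struct tcphdr *th;

			th = skb_header_pointer(skb, thoff, sizeof(_tcph), &_tcph);
			/* … unchanged: NULL check and audit_log_format() … */
		}
		/* … unchanged: UDP/UDPLITE and SCTP cases with the same thoff substitution; default unchanged … */
		}

		break;
	}
	case NFPROTO_IPV6: {
		/* … unchanged: declarations and IPv6 header lookup … */
		int thoff;

		nexthdr = ih->nexthdr;
		/* L4 offset past the extension headers, or -1 if the chain is truncated */
		thoff = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(iph),
					 &nexthdr, &frag_off);

		switch (thoff < 0 ? IPPROTO_NONE : nexthdr) {
		/* … unchanged: TCP/UDP/SCTP cases pass thoff to skb_header_pointer(); default unchanged … */
		}

		break;
	}
```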
+1 -57
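--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -26,46 +26,10 @@
 	char *prefix;
 };
 
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct iphdr _iph;
-	const struct iphdr *ih;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
-	if (!ih)
-		return false;
-
-	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-			 &ih->saddr, &ih->daddr, ih->protocol);
-
-	return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct ipv6hdr _ip6h;
-	const struct ipv6hdr *ih;
-	u8 nexthdr;
-	__be16 frag_off;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
-	if (!ih)
-		return false;
-
-	nexthdr = ih->nexthdr;
-	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
-	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-			 &ih->saddr, &ih->daddr, nexthdr);
-
-	return true;
-}
-
 static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
 {
 	struct sk_buff *skb = pkt->skb;
 	struct audit_buffer *ab;
-	int fam = -1;
 
 	if (!audit_enabled)
 		return;
@@ -76,27 +40,7 @@
 
 	audit_log_format(ab, "mark=%#x", skb->mark);
 
-	switch (nft_pf(pkt)) {
-	case NFPROTO_BRIDGE:
-		switch (eth_hdr(skb)->h_proto) {
-		case htons(ETH_P_IP):
-			fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-			break;
-		case htons(ETH_P_IPV6):
-			fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-			break;
-		}
-		break;
-	case NFPROTO_IPV4:
-		fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-		break;
-	case NFPROTO_IPV6:
-		fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-		break;
-	}
-
-	if (fam == -1)
-		audit_log_format(ab, " saddr=? daddr=? proto=-1");
+	audit_log_nf_skb(ab, skb, nft_pf(pkt));
 
 	audit_log_end(ab);
 }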
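Review bot: The return value of audit_log_nf_skb() is dropped at the new call, and unlike the removed code, which always wrote `saddr=? daddr=? proto=-1` when the headers could not be read, the helper returns early without appending any address field when skb_header_pointer() fails, so a truncated packet now produces a NETFILTER_PKT record that ends at `mark=` with a field set unlike every other record of that type. Audit consumers generally rely on a stable per-type field layout, so the fallback should be restored; since xt_AUDIT.c makes the identical call, the cleanest place is inside the helper (write the placeholders before returning the error) rather than checking the result in each caller. If the helper keeps its current contract, the caller needs something like `if (audit_log_nf_skb(ab, skb, nft_pf(pkt)) < -EPFNOSUPPORT) ...` to distinguish the already-handled unsupported-family case, which argues for fixing it centrally.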
+1 -57
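--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -28,46 +28,10 @@
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct iphdr _iph;
-	const struct iphdr *ih;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
-	if (!ih)
-		return false;
-
-	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-			 &ih->saddr, &ih->daddr, ih->protocol);
-
-	return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct ipv6hdr _ip6h;
-	const struct ipv6hdr *ih;
-	u8 nexthdr;
-	__be16 frag_off;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
-	if (!ih)
-		return false;
-
-	nexthdr = ih->nexthdr;
-	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
-	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-			 &ih->saddr, &ih->daddr, nexthdr);
-
-	return true;
-}
-
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	struct audit_buffer *ab;
-	int fam = -1;
 
 	if (audit_enabled == AUDIT_OFF)
 		goto errout;
@@ -77,27 +41,7 @@
 
 	audit_log_format(ab, "mark=%#x", skb->mark);
 
-	switch (xt_family(par)) {
-	case NFPROTO_BRIDGE:
-		switch (eth_hdr(skb)->h_proto) {
-		case htons(ETH_P_IP):
-			fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-			break;
-		case htons(ETH_P_IPV6):
-			fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-			break;
-		}
-		break;
-	case NFPROTO_IPV4:
-		fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-		break;
-	case NFPROTO_IPV6:
-		fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-		break;
-	}
-
-	if (fam == -1)
-		audit_log_format(ab, " saddr=? daddr=? proto=-1");
+	audit_log_nf_skb(ab, skb, xt_family(par));
 
 	audit_log_end(ab);
 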
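Review bot: The placeholder text for an unsupported family changes from `proto=-1` (removed line) to `proto=?` (what the helper emits), and the new call discards the helper's return value, so a packet whose IP or L4 header cannot be read now yields a record with no saddr/daddr/proto fields at all, something the removed code never produced. The first is a user-visible change for anyone matching NETFILTER_PKT records and deserves a sentence in the commit message if intentional; the second is a field-layout regression that, since nft_log.c makes the same call, is best repaired once inside audit_log_nf_skb() by writing the placeholder fields before any error return. Note that audit_tg() continues past the hunk (the `errout` label is outside it), so I have not checked what follows audit_log_end().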