audit: add audit_log_nf_skb helper function

Netfilter code (net/netfilter/nft_log.c and net/netfilter/xt_AUDIT.c)
has to be kept in sync: both source files carried duplicated copies of
the audit_ip4() and audit_ip6() functions, which can lead to
inconsistency and/or duplicated work.

This patch adds a helper function in audit.c that can be called by
netfilter code commonly, aiming to improve maintainability and
consistency.

Suggested-by: Florian Westphal <fw@strlen.de>
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Ricardo Robaina and committed by
Paul Moore
f19590b0 4f493a60

+74 -114
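--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -195,6 +195,8 @@
 extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab);
+extern int audit_log_nf_skb(struct audit_buffer *ab,
+			    const struct sk_buff *skb, u8 nfproto);
 
 extern int audit_update_lsm_rules(void);
 
@@ -271,6 +273,12 @@
 }
 static inline void audit_log_task_info(struct audit_buffer *ab)
 { }
+
+static inline int audit_log_nf_skb(struct audit_buffer *ab,
+				   const struct sk_buff *skb, u8 nfproto)
+{
+	return 0;
+}
 
 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
 {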
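--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -58,6 +58,8 @@
 #include <linux/freezer.h>
 #include <linux/pid_namespace.h>
 #include <net/netns/generic.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
 
 #include "audit.h"
 
@@ -2487,6 +2489,68 @@
 	audit_log_format(ab, " res=0");
 	audit_log_end(ab);
 }
+
+int audit_log_nf_skb(struct audit_buffer *ab,
+		     const struct sk_buff *skb, u8 nfproto)
+{
+	/* find the IP protocol in the case of NFPROTO_BRIDGE */
+	if (nfproto == NFPROTO_BRIDGE) {
+		switch (eth_hdr(skb)->h_proto) {
+		case htons(ETH_P_IP):
+			nfproto = NFPROTO_IPV4;
+			break;
+		case htons(ETH_P_IPV6):
+			nfproto = NFPROTO_IPV6;
+			break;
+		default:
+			goto unknown_proto;
+		}
+	}
+
+	switch (nfproto) {
+	case NFPROTO_IPV4: {
+		struct iphdr iph;
+		const struct iphdr *ih;
+
+		ih = skb_header_pointer(skb, skb_network_offset(skb),
+					sizeof(iph), &iph);
+		if (!ih)
+			return -ENOMEM;
+
+		audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+				 &ih->saddr, &ih->daddr, ih->protocol);
+		break;
+	}
+	case NFPROTO_IPV6: {
+		struct ipv6hdr iph;
+		const struct ipv6hdr *ih;
+		u8 nexthdr;
+		__be16 frag_off;
+
+		ih = skb_header_pointer(skb, skb_network_offset(skb),
+					sizeof(iph), &iph);
+		if (!ih)
+			return -ENOMEM;
+
+		nexthdr = ih->nexthdr;
+		ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(iph),
+				 &nexthdr, &frag_off);
+
+		audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+				 &ih->saddr, &ih->daddr, nexthdr);
+		break;
+	}
+	default:
+		goto unknown_proto;
+	}
+
+	return 0;
+
+unknown_proto:
+	audit_log_format(ab, " saddr=? daddr=? proto=?");
+	return -EPFNOSUPPORT;
+}
+EXPORT_SYMBOL(audit_log_nf_skb);
 
 /* global counter which is incremented every time something logs in */
 static atomic_t session_id = ATOMIC_INIT(0);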
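Review bot: The short-header path of the new audit_log_nf_skb() drops fields from the record: when skb_header_pointer() returns NULL in the NFPROTO_IPV4 or NFPROTO_IPV6 case the function returns -ENOMEM without logging anything, whereas the audit_ip4()/audit_ip6() code it replaces fell through to `saddr=? daddr=? proto=-1` whenever the header read failed, and both new callers discard the return value, so a truncated packet now produces a record missing the saddr/daddr/proto keys that userspace parsers expect to be present. Routing that case to unknown_proto and carrying the errno in a local keeps the field set fixed; -EINVAL also describes "header not in skb" better than -ENOMEM, which suggests an allocation failure. Separately, the placeholder changes from `proto=-1` to `proto=?`, which the description does not mention and which anything parsing proto as a number will notice. Since the helper is now EXPORT_SYMBOL'd, the NFPROTO_BRIDGE branch dereferencing eth_hdr(skb) without an skb_mac_header_was_set() check deserves a kernel-doc comment stating that bridge-family callers must pass an skb whose MAC header is set, presumably true for the two netfilter callers but not enforced here.
```c
int audit_log_nf_skb(struct audit_buffer *ab,
		     const struct sk_buff *skb, u8 nfproto)
{
	int ret = -EPFNOSUPPORT;

	/* … unchanged: NFPROTO_BRIDGE -> IPv4/IPv6 demux … */

	switch (nfproto) {
	case NFPROTO_IPV4: {
		/* … unchanged: iphdr locals and skb_header_pointer() … */
		if (!ih) {
			ret = -EINVAL;
			goto unknown_proto;
		}
		/* … unchanged: IPv4 saddr/daddr/proto log and break … */
	}
	case NFPROTO_IPV6: {
		/* … unchanged: ipv6hdr locals and skb_header_pointer() … */
		if (!ih) {
			ret = -EINVAL;
			goto unknown_proto;
		}
		/* … unchanged: nexthdr walk, IPv6 log and break … */
	}
	/* … unchanged: default -> unknown_proto, return 0 … */

unknown_proto:
	/* always emit the same keys so the record layout stays stable */
	audit_log_format(ab, " saddr=? daddr=? proto=?");
	return ret;
}
```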
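--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -26,46 +26,10 @@
 	char *prefix;
 };
 
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct iphdr _iph;
-	const struct iphdr *ih;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
-	if (!ih)
-		return false;
-
-	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-			 &ih->saddr, &ih->daddr, ih->protocol);
-
-	return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct ipv6hdr _ip6h;
-	const struct ipv6hdr *ih;
-	u8 nexthdr;
-	__be16 frag_off;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
-	if (!ih)
-		return false;
-
-	nexthdr = ih->nexthdr;
-	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
-	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-			 &ih->saddr, &ih->daddr, nexthdr);
-
-	return true;
-}
-
 static void nft_log_eval_audit(const struct nft_pktinfo *pkt)
 {
 	struct sk_buff *skb = pkt->skb;
 	struct audit_buffer *ab;
-	int fam = -1;
 
 	if (!audit_enabled)
 		return;
@@ -76,27 +40,7 @@
 
 	audit_log_format(ab, "mark=%#x", skb->mark);
 
-	switch (nft_pf(pkt)) {
-	case NFPROTO_BRIDGE:
-		switch (eth_hdr(skb)->h_proto) {
-		case htons(ETH_P_IP):
-			fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-			break;
-		case htons(ETH_P_IPV6):
-			fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-			break;
-		}
-		break;
-	case NFPROTO_IPV4:
-		fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-		break;
-	case NFPROTO_IPV6:
-		fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-		break;
-	}
-
-	if (fam == -1)
-		audit_log_format(ab, " saddr=? daddr=? proto=-1");
+	audit_log_nf_skb(ab, skb, nft_pf(pkt));
 
 	audit_log_end(ab);
 }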
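--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -28,46 +28,10 @@
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 
-static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct iphdr _iph;
-	const struct iphdr *ih;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
-	if (!ih)
-		return false;
-
-	audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
-			 &ih->saddr, &ih->daddr, ih->protocol);
-
-	return true;
-}
-
-static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
-{
-	struct ipv6hdr _ip6h;
-	const struct ipv6hdr *ih;
-	u8 nexthdr;
-	__be16 frag_off;
-
-	ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
-	if (!ih)
-		return false;
-
-	nexthdr = ih->nexthdr;
-	ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
-
-	audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
-			 &ih->saddr, &ih->daddr, nexthdr);
-
-	return true;
-}
-
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
 	struct audit_buffer *ab;
-	int fam = -1;
 
 	if (audit_enabled == AUDIT_OFF)
 		goto errout;
@@ -77,27 +41,7 @@
 
 	audit_log_format(ab, "mark=%#x", skb->mark);
 
-	switch (xt_family(par)) {
-	case NFPROTO_BRIDGE:
-		switch (eth_hdr(skb)->h_proto) {
-		case htons(ETH_P_IP):
-			fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-			break;
-		case htons(ETH_P_IPV6):
-			fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-			break;
-		}
-		break;
-	case NFPROTO_IPV4:
-		fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
-		break;
-	case NFPROTO_IPV6:
-		fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
-		break;
-	}
-
-	if (fam == -1)
-		audit_log_format(ab, " saddr=? daddr=? proto=-1");
+	audit_log_nf_skb(ab, skb, xt_family(par));
 
 	audit_log_end(ab);
 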