lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20241009203218.26329-1-richard@nod.at>
Date: Wed,  9 Oct 2024 22:32:18 +0200
From: Richard Weinberger <richard@....at>
To: netfilter-devel@...r.kernel.org
Cc: coreteam@...filter.org,
	netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	pabeni@...hat.com,
	kuba@...nel.org,
	edumazet@...gle.com,
	davem@...emloft.net,
	kadlec@...filter.org,
	pablo@...filter.org,
	rgb@...hat.com,
	paul@...l-moore.com,
	upstream+net@...ma-star.at,
	Richard Weinberger <richard@....at>
Subject: [PATCH] netfilter: Record uid and gid in xt_AUDIT

When recording audit events for new outgoing connections,
it is helpful to log the user info of the associated socket,
if available.
Therefore, check if the skb has a socket, and if it does,
log the owning fsuid/fsgid.

Signed-off-by: Richard Weinberger <richard@....at>
---
 net/netfilter/xt_AUDIT.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index b6a015aee0cec..d88b5442beaa6 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -9,16 +9,19 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/audit.h>
+#include <linux/cred.h>
+#include <linux/file.h>
+#include <linux/if_arp.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 #include <linux/udp.h>
-#include <linux/if_arp.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_AUDIT.h>
 #include <linux/netfilter_bridge/ebtables.h>
-#include <net/ipv6.h>
 #include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/sock.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Thomas Graf <tgraf@...hat.com>");
@@ -66,7 +69,9 @@ static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
+	struct sock *sk = skb->sk;
 	struct audit_buffer *ab;
+	bool got_uidgid = false;
 	int fam = -1;
 
 	if (audit_enabled == AUDIT_OFF)
@@ -99,6 +104,24 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	if (fam == -1)
 		audit_log_format(ab, " saddr=? daddr=? proto=-1");
 
+	if (sk && sk_fullsock(sk)) {
+		read_lock_bh(&sk->sk_callback_lock);
+		if (sk->sk_socket && sk->sk_socket->file) {
+			const struct file *file = sk->sk_socket->file;
+			const struct cred *cred = file->f_cred;
+
+			audit_log_format(ab, " uid=%u gid=%u",
+					 from_kuid(&init_user_ns, cred->fsuid),
+					 from_kgid(&init_user_ns, cred->fsgid));
+
+			got_uidgid = true;
+		}
+		read_unlock_bh(&sk->sk_callback_lock);
+	}
+
+	if (!got_uidgid)
+		audit_log_format(ab, " uid=? gid=?");
+
 	audit_log_end(ab);
 
 errout:
-- 
2.35.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ