
netfilter: create audit records for x_tables replaces

The setsockopt() syscall to replace tables is already recorded
in the audit logs. This patch stores additional information
such as table name and netfilter protocol.

Cc: Patrick McHardy <kaber@trash.net>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by

Thomas Graf and committed by
Patrick McHardy
fbabf31e 43f393ca

+17
+1
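--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -104,6 +104,7 @@
 #define AUDIT_CAPSET 1322 /* Record showing argument to sys_capset */
 #define AUDIT_MMAP 1323 /* Record showing descriptor and flags in mmap */
 #define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */
+#define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */
 
 #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */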
+16
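--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -23,6 +23,7 @@
 #include <linux/mutex.h>
 #include <linux/mm.h>
 #include <linux/slab.h>
+#include <linux/audit.h>
 #include <net/net_namespace.h>
 
 #include <linux/netfilter/x_tables.h>
@@ -834,6 +833,21 @@
 	 * during the get_counters() routine.
 	 */
 	local_bh_enable();
+
+#ifdef CONFIG_AUDIT
+	if (audit_enabled) {
+		struct audit_buffer *ab;
+
+		ab = audit_log_start(current->audit_context, GFP_KERNEL,
+				     AUDIT_NETFILTER_CFG);
+		if (ab) {
+			audit_log_format(ab, "table=%s family=%u entries=%u",
+					 table->name, table->af,
+					 private->number);
+			audit_log_end(ab);
+		}
+	}
+#endif
 
 	return private;
 }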
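Review bot: `entries=%u` is filled from `private->number`, and since the function returns `private` two lines later that looks like the entry count of the table info being replaced rather than the one just installed; if the record is meant to describe the new ruleset, `newinfo->number` is the value to log, and if the old count is deliberate the format string should say so (e.g. `old_entries=%u`) so an audit consumer does not misread it. The assignment of `private` sits above the hunk, so this is inferred from the visible `return private`. Placing audit_log_start() with GFP_KERNEL after local_bh_enable() is the right order, since a sleeping allocation inside the BH-disabled region would be a bug. The counter-mismatch early return of xt_replace_table (outside the hunk) emits no record, so rejected replace attempts remain visible only through the syscall record; that is worth stating in the commit description.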