[PATCH] netfilter: Record uid and gid in xt_AUDIT

Richard Weinberger richard at sigma-star.at
Thu Oct 10 06:24:28 UTC 2024


Am Donnerstag, 10. Oktober 2024, 00:02:44 CEST schrieb Paul Moore:
> [CC'ing the audit and LSM lists for obvious reasons]
> 
> If we're logging the subjective credentials of the skb's associated
> socket, we really should also log the socket's LSM secctx similar to
> what we do with audit_log_task() and audit_log_task_context().
> Unfortunately, I don't believe we currently have a LSM interface that
> return the secctx from a sock/socket, although we do have
> security_inode_getsecctx() which *should* yield the same result using
> SOCK_INODE(sk->sk_socket).

Hm, I thought about that but saw 2173c519d5e91 ("audit: normalize NETFILTER_PKT").
It removed usage of audit_log_secctx() and many other, IMHO, useful fields.
What about skb->secctx?

> 
> I should also mention that I'm currently reviewing a patchset which is
> going to add proper support for multiple LSMs in audit which will
> likely impact this work.
> 
> https://lore.kernel.org/linux-security-module/20241009173222.12219-1-casey@schaufler-ca.com/

Ok!

Thanks,
//richard
 
-- 
​​​​​sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y





More information about the Linux-security-module-archive mailing list