[PATCH 2nd revision] Add SELinux context support to AUDIT target

Pablo Neira Ayuso pablo at netfilter.org
Sun Jun 5 23:06:41 UTC 2011 

On 04/06/11 17:12, Mr Dash Four wrote:
> Add SELinux context support to AUDIT target (2nd revision). Typical (raw auditd) output after applying this patch would be:
> 
> type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_packet_t:s0
> type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=3561 dport=22 obj=system_u:object_r:ssh_packet_t:s0
> 
> 
> Signed-off-by: Mr Dash Four <mr.dash.four at googlemail.com>
> ---
>  net/netfilter/xt_AUDIT.c |   15 +++++++++++++++
>  1 files changed, 15 insertions(+), 0 deletions(-)
> 
> diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
> index 363a99e..616cadc 100644
> --- a/net/netfilter/xt_AUDIT.c
> +++ b/net/netfilter/xt_AUDIT.c
> @@ -20,6 +20,9 @@
>  #include <linux/netfilter/x_tables.h>
>  #include <linux/netfilter/xt_AUDIT.h>
>  #include <linux/netfilter_bridge/ebtables.h>
> +#ifdef CONFIG_NF_CONNTRACK_SECMARK
> +#include <linux/security.h>
> +#endif
>  #include <net/ipv6.h>
>  #include <net/ip.h>
>  
> @@ -122,6 +125,10 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
>  {
>  	const struct xt_audit_info *info = par->targinfo;
>  	struct audit_buffer *ab;
> +#ifdef CONFIG_NF_CONNTRACK_SECMARK
> +	u32 len;
> +	char *secctx;
> +#endif
>  
>  	ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
>  	if (ab == NULL)
> @@ -163,6 +170,14 @@ audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
>  		break;
>  	}
>  
> +#ifdef CONFIG_NF_CONNTRACK_SECMARK
> +	if (skb->secmark)

Minor nitpick. This 'if' needs one {

> +	  	if (!security_secid_to_secctx(skb->secmark, &secctx, &len)) {
> +			audit_log_format(ab, " obj=%s", secctx);
> +			security_release_secctx(secctx, len);
> +		}

}

More information about the Linux-audit mailing list