audit: log changed properties when updating a connection

The main purpose of audit logging is to understand who did what to the system configuration, so it is useful to log also the list of changed properties when a connection is updated: op="connection-update" uuid="2f3e48fc-5f47-41d9-9278-d2871378df43" name="pppoe1" args="pppoe.username,pppoe.password" <======== pid=9523 uid=1001 result="success"
2026-02-05 15:50:36 +01:00 · 2016-04-20 12:10:55 +02:00 · 2016-04-20 12:10:55 +02:00 · 34964273ee
commit 34964273ee
parent 22c11f8ef1
5 changed files with 78 additions and 20 deletions
--- a/src/nm-audit-manager.c
+++ b/src/nm-audit-manager.c
@ -233,10 +233,10 @@ nm_audit_manager_audit_enabled (NMAuditManager *self)
 void
 _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, guint line,
                                     const char *func, const char *op, NMSettingsConnection *connection,
-                                     gboolean result, gpointer subject_context, const char *reason)
+                                     gboolean result, const char *args, gpointer subject_context, const char *reason)
 {
 	gs_unref_ptrarray GPtrArray *fields = NULL;
-	AuditField uuid_field = { }, name_field = { };
+	AuditField uuid_field = { }, name_field = { }, args_field = { };

 	g_return_if_fail (op);

@ -252,6 +252,11 @@ _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, gui
 		g_ptr_array_add (fields, &name_field);
 	}

+	if (args) {
+		_audit_field_init_string (&args_field, "args", args, FALSE, BACKEND_ALL);
+		g_ptr_array_add (fields, &args_field);
+	}
+
 	_audit_log_helper (self, fields, file, line, func, op, result, subject_context, reason);
 }

--- a/src/nm-audit-manager.h
+++ b/src/nm-audit-manager.h
@ -67,13 +67,13 @@ GType nm_audit_manager_get_type (void);
 NMAuditManager *nm_audit_manager_get (void);
 gboolean nm_audit_manager_audit_enabled (NMAuditManager *self);

-#define nm_audit_log_connection_op(op, connection, result, subject_context, reason) \
+#define nm_audit_log_connection_op(op, connection, result, args, subject_context, reason) \
 	G_STMT_START { \
 		NMAuditManager *_audit = nm_audit_manager_get (); \
 		\
 		if (nm_audit_manager_audit_enabled (_audit)) { \
 			_nm_audit_manager_log_connection_op (_audit, __FILE__, __LINE__, G_STRFUNC, \
-			                                     (op), (connection), (result), (subject_context), \
+			                                     (op), (connection), (result), (args), (subject_context), \
 			                                     (reason)); \
 		} \
 	} G_STMT_END
@ -100,7 +100,8 @@ gboolean nm_audit_manager_audit_enabled (NMAuditManager *self);

 void _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, guint line,
                                          const char *func, const char *op, NMSettingsConnection *connection,
-                                          gboolean result, gpointer subject_context, const char *reason);
+                                          gboolean result, const char *args, gpointer subject_context,
+                                          const char *reason);

 void _nm_audit_manager_log_control_op    (NMAuditManager *self, const char *file, guint line,
                                          const char *func, const char *op, const char *arg,
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@ -3304,7 +3304,7 @@ _activation_auth_done (NMActiveConnection *active,
 			g_dbus_method_invocation_return_value (context,
 			                                       g_variant_new ("(o)",
 			                                       nm_exported_object_get_path (NM_EXPORTED_OBJECT (active))));
-			nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, TRUE,
+			nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, TRUE, NULL,
 			                            subject, NULL);
 			g_object_unref (active);
 			return;
@ -3316,7 +3316,7 @@ _activation_auth_done (NMActiveConnection *active,
 	}

 	g_assert (error);
-	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE,
+	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE, NULL,
 	                            subject, error->message);
 	_internal_activation_failed (self, active, error->message);

@ -3404,7 +3404,7 @@ impl_manager_activate_connection (NMManager *self,

 error:
 	if (connection) {
-		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE,
+		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE, NULL,
 		                            subject, error->message);
 	}
 	g_clear_object (&active);
@ -3453,6 +3453,7 @@ activation_add_done (NMSettings *settings,
 			nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE,
 			                            nm_active_connection_get_settings_connection (active),
 			                            TRUE,
+			                            NULL,
 			                            nm_active_connection_get_subject (active),
 			                            NULL);
 			return;
@ -3467,6 +3468,7 @@ activation_add_done (NMSettings *settings,
 	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE,
 	                            NULL,
 	                            FALSE,
+	                            NULL,
 	                            nm_active_connection_get_subject (active),
 	                            error->message);
 	g_clear_error (&local);
@ -3511,6 +3513,7 @@ _add_and_activate_auth_done (NMActiveConnection *active,
 		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE,
 		                            NULL,
 		                            FALSE,
+		                            NULL,
 		                            nm_active_connection_get_subject (active),
 		                            error->message);
 		g_dbus_method_invocation_take_error (context, error);
@ -3612,7 +3615,7 @@ impl_manager_add_and_activate_connection (NMManager *self,
 	return;

 error:
-	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, NULL, FALSE, subject, error->message);
+	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, NULL, FALSE, NULL, subject, error->message);
 	g_clear_object (&connection);
 	g_slist_free (all_connections);
 	g_clear_object (&subject);
@ -3708,6 +3711,7 @@ deactivate_net_auth_done_cb (NMAuthChain *chain,
 		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE,
 		                            nm_active_connection_get_settings_connection (active),
 		                            !error,
+		                            NULL,
 		                            nm_auth_chain_get_subject (chain),
 		                            error ? error->message : NULL);
 	}
@ -3781,7 +3785,7 @@ impl_manager_deactivate_connection (NMManager *self,
 done:
 	if (error) {
 		if (connection) {
-			nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE, connection, FALSE,
+			nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE, connection, FALSE, NULL,
 			                            subject, error->message);
 		}
 		g_dbus_method_invocation_take_error (context, error);
--- a/src/settings/nm-settings-connection.c
+++ b/src/settings/nm-settings-connection.c
@ -1527,6 +1527,7 @@ typedef struct {
 	NMAuthSubject *subject;
 	NMConnection *new_settings;
 	gboolean save_to_disk;
+	char *audit_args;
 } UpdateInfo;

 typedef struct {
@ -1598,12 +1599,13 @@ update_complete (NMSettingsConnection *self,
 	else
 		g_dbus_method_invocation_return_value (info->context, NULL);

-	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, !error,
+	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, !error, info->audit_args,
 	                            info->subject, error ? error->message : NULL);

 	g_clear_object (&info->subject);
 	g_clear_object (&info->agent_mgr);
 	g_clear_object (&info->new_settings);
+	g_free (info->audit_args);
 	memset (info, 0, sizeof (*info));
 	g_free (info);
 }
@ -1635,6 +1637,49 @@ con_update_cb (NMSettingsConnection *self,
 	update_complete (self, info, error);
 }

+static char *
+con_list_changed_props (NMConnection *old, NMConnection *new)
+{
+	gs_unref_hashtable GHashTable *diff = NULL;
+	GHashTable *setting_diff;
+	char *setting_name, *prop_name;
+	GHashTableIter iter, iter2;
+	gboolean same;
+	GString *str;
+
+	same = nm_connection_diff (old, new,
+	                           NM_SETTING_COMPARE_FLAG_EXACT |
+	                           NM_SETTING_COMPARE_FLAG_DIFF_RESULT_NO_DEFAULT,
+	                           &diff);
+
+	if (same || !diff)
+		return NULL;
+
+	str = g_string_sized_new (32);
+	g_hash_table_iter_init (&iter, diff);
+
+	while (g_hash_table_iter_next (&iter,
+	                               (gpointer *) &setting_name,
+	                               (gpointer *) &setting_diff)) {
+		if (!setting_diff)
+			continue;
+
+		g_hash_table_iter_init (&iter2, setting_diff);
+
+		while (g_hash_table_iter_next (&iter2, (gpointer *) &prop_name, NULL)) {
+			g_string_append (str, setting_name);
+			g_string_append_c (str, '.');
+			g_string_append (str, prop_name);
+			g_string_append_c (str, ',');
+		}
+	}
+
+	if (str->len)
+		str->str[str->len - 1] = '\0';
+
+	return g_string_free (str, FALSE);
+}
+
 static void
 update_auth_cb (NMSettingsConnection *self,
                GDBusMethodInvocation *context,
@ -1664,6 +1709,9 @@ update_auth_cb (NMSettingsConnection *self,
 		update_agent_secrets_cache (self, info->new_settings);
 	}

+	if (nm_audit_manager_audit_enabled (nm_audit_manager_get ()))
+		info->audit_args = con_list_changed_props (NM_CONNECTION (self), info->new_settings);
+
 	if (info->save_to_disk) {
 		nm_settings_connection_replace_and_commit (self,
 		                                           info->new_settings,
@ -1767,7 +1815,7 @@ settings_connection_update_helper (NMSettingsConnection *self,
 	return;

 error:
-	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, FALSE, subject,
+	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, FALSE, NULL, subject,
 	                            error->message);

 	g_clear_object (&tmp);
@ -1816,7 +1864,7 @@ con_delete_cb (NMSettingsConnection *self,
 		g_dbus_method_invocation_return_value (info->context, NULL);

 	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self,
-	                            !error, info->subject, error ? error->message : NULL);
+	                            !error, NULL, info->subject, error ? error->message : NULL);
 	g_free (info);
 }

@ -1830,7 +1878,7 @@ delete_auth_cb (NMSettingsConnection *self,
 	CallbackInfo *info;

 	if (error) {
-		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, subject,
+		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, NULL, subject,
 		                            error->message);
 		g_dbus_method_invocation_return_gerror (context, error);
 		return;
@ -1879,7 +1927,7 @@ impl_settings_connection_delete (NMSettingsConnection *self,

 	return;
 out_err:
-	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, subject, error->message);
+	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, NULL, subject, error->message);
 	g_dbus_method_invocation_take_error (context, error);
 }

@ -1972,7 +2020,7 @@ clear_secrets_cb (NMSettingsConnection *self,
 		g_dbus_method_invocation_return_value (info->context, NULL);

 	nm_audit_log_connection_op (NM_AUDIT_OP_CONN_CLEAR_SECRETS, self,
-	                            !error, info->subject, error ? error->message : NULL);
+	                            !error, NULL, info->subject, error ? error->message : NULL);
 	g_free (info);
 }

@ -1989,7 +2037,7 @@ dbus_clear_secrets_auth_cb (NMSettingsConnection *self,
 	if (error) {
 		g_dbus_method_invocation_return_gerror (context, error);
 		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_CLEAR_SECRETS, self,
-		                            FALSE, subject, error->message);
+		                            FALSE, NULL, subject, error->message);
 	} else {
 		/* Clear secrets in connection and caches */
 		nm_connection_clear_secrets (NM_CONNECTION (self));
@ -2029,7 +2077,7 @@ impl_settings_connection_clear_secrets (NMSettingsConnection *self,
 		g_object_unref (subject);
 	} else {
 		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_CLEAR_SECRETS, self,
-		                            FALSE, NULL, error->message);
+		                            FALSE, NULL, NULL, error->message);
 		g_dbus_method_invocation_take_error (context, error);
 	}
 }
--- a/src/settings/nm-settings.c
+++ b/src/settings/nm-settings.c
@ -1373,12 +1373,12 @@ impl_settings_add_connection_add_cb (NMSettings *self,
 {
 	if (error) {
 		g_dbus_method_invocation_return_gerror (context, error);
-		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD, NULL, FALSE, subject, error->message);
+		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD, NULL, FALSE, NULL, subject, error->message);
 	} else {
 		g_dbus_method_invocation_return_value (
 		    context,
 		    g_variant_new ("(o)", nm_connection_get_path (NM_CONNECTION (connection))));
-		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD, connection, TRUE,
+		nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD, connection, TRUE, NULL,
 		                            subject, NULL);
 	}
 }