On Tuesday, May 10, 2016 10:47:23 PM Richard Guy Briggs wrote: > Define AUDIT_SESSIONID in the uapi and add support for specifying user > filters based on the session ID. > > https://github.com/linux-audit/audit-kernel/issues/4 > RFE: add a session ID filter to the kernel's user filter > > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > Like loginuid (auid), should this have a seperate field type > (AUDIT_SESSIONID_UNDEFINED maybe?) to explicitly indicate that this > value should be undefined rather than depending on an in-band value of > -1 (or 4294967295)? If so, now would be the time to fix it.
It seems like that would be a good idea, wouldn't it? Although instead of SESSIONID_UNDEFINED I like SESSIONID_SET a bit more so it is consistent with LOGINUID_SET. > --- > > include/uapi/linux/audit.h | 1 + > kernel/auditfilter.c | 2 ++ > kernel/auditsc.c | 5 +++++ > 3 files changed, 8 insertions(+), 0 deletions(-) > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 843540c..b6feaa7 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -251,6 +251,7 @@ > #define AUDIT_OBJ_LEV_LOW 22 > #define AUDIT_OBJ_LEV_HIGH 23 > #define AUDIT_LOGINUID_SET 24 > +#define AUDIT_SESSIONID 25 /* Session ID */ > > /* These are ONLY useful when checking > * at syscall exit time (AUDIT_AT_EXIT). */ > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index b8ff9e1..23d076c 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, > struct audit_field *f) case AUDIT_EXIT: > case AUDIT_SUCCESS: > case AUDIT_INODE: > + case AUDIT_SESSIONID: > /* bit ops are only useful on syscall args */ > if (f->op == Audit_bitmask || f->op == Audit_bittest) > return -EINVAL; > @@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct > audit_rule_data *data, if (!gid_valid(f->gid)) > goto exit_free; > break; > + case AUDIT_SESSIONID: > case AUDIT_ARCH: > entry->rule.arch_f = f; > break; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index b5daaa0..a82b1d9 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -445,6 +445,7 @@ static int audit_filter_rules(struct task_struct *tsk, > const struct cred *cred; > int i, need_sid = 1; > u32 sid; > + unsigned int sessionid; > > cred = rcu_dereference_check(tsk->cred, tsk == current || > task_creation); > > @@ -507,6 +508,10 @@ static int audit_filter_rules(struct task_struct *tsk, > case AUDIT_FSGID: > result = audit_gid_comparator(cred->fsgid, f->op, > f->gid); > break; > + case AUDIT_SESSIONID: > + sessionid = audit_get_sessionid(current); > + result = audit_comparator(sessionid, f->op, f->val); > + break; > case AUDIT_PERS: > result = audit_comparator(tsk->personality, f->op, > f->val); > break; -- paul moore security @ redhat
