* [PATCH] audit: add support for session ID user filter
@ 2016-05-11 2:47 ` Richard Guy Briggs
0 siblings, 0 replies; 3+ messages in thread
From: Richard Guy Briggs @ 2016-05-11 2:47 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore, eparis
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
Like loginuid (auid), should this have a seperate field type
(AUDIT_SESSIONID_UNDEFINED maybe?) to explicitly indicate that this
value should be undefined rather than depending on an in-band value of
-1 (or 4294967295)? If so, now would be the time to fix it.
---
include/uapi/linux/audit.h | 1 +
kernel/auditfilter.c | 2 ++
kernel/auditsc.c | 5 +++++
3 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..b6feaa7 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -251,6 +251,7 @@
#define AUDIT_OBJ_LEV_LOW 22
#define AUDIT_OBJ_LEV_HIGH 23
#define AUDIT_LOGINUID_SET 24
+#define AUDIT_SESSIONID 25 /* Session ID */
/* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b8ff9e1..23d076c 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
case AUDIT_EXIT:
case AUDIT_SUCCESS:
case AUDIT_INODE:
+ case AUDIT_SESSIONID:
/* bit ops are only useful on syscall args */
if (f->op == Audit_bitmask || f->op == Audit_bittest)
return -EINVAL;
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (!gid_valid(f->gid))
goto exit_free;
break;
+ case AUDIT_SESSIONID:
case AUDIT_ARCH:
entry->rule.arch_f = f;
break;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b5daaa0..a82b1d9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -445,6 +445,7 @@ static int audit_filter_rules(struct task_struct *tsk,
const struct cred *cred;
int i, need_sid = 1;
u32 sid;
+ unsigned int sessionid;
cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
@@ -507,6 +508,10 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_FSGID:
result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
break;
+ case AUDIT_SESSIONID:
+ sessionid = audit_get_sessionid(current);
+ result = audit_comparator(sessionid, f->op, f->val);
+ break;
case AUDIT_PERS:
result = audit_comparator(tsk->personality, f->op, f->val);
break;
--
1.7.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH] audit: add support for session ID user filter
@ 2016-05-11 2:47 ` Richard Guy Briggs
0 siblings, 0 replies; 3+ messages in thread
From: Richard Guy Briggs @ 2016-05-11 2:47 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
Like loginuid (auid), should this have a seperate field type
(AUDIT_SESSIONID_UNDEFINED maybe?) to explicitly indicate that this
value should be undefined rather than depending on an in-band value of
-1 (or 4294967295)? If so, now would be the time to fix it.
---
include/uapi/linux/audit.h | 1 +
kernel/auditfilter.c | 2 ++
kernel/auditsc.c | 5 +++++
3 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..b6feaa7 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -251,6 +251,7 @@
#define AUDIT_OBJ_LEV_LOW 22
#define AUDIT_OBJ_LEV_HIGH 23
#define AUDIT_LOGINUID_SET 24
+#define AUDIT_SESSIONID 25 /* Session ID */
/* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b8ff9e1..23d076c 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
case AUDIT_EXIT:
case AUDIT_SUCCESS:
case AUDIT_INODE:
+ case AUDIT_SESSIONID:
/* bit ops are only useful on syscall args */
if (f->op == Audit_bitmask || f->op == Audit_bittest)
return -EINVAL;
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (!gid_valid(f->gid))
goto exit_free;
break;
+ case AUDIT_SESSIONID:
case AUDIT_ARCH:
entry->rule.arch_f = f;
break;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b5daaa0..a82b1d9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -445,6 +445,7 @@ static int audit_filter_rules(struct task_struct *tsk,
const struct cred *cred;
int i, need_sid = 1;
u32 sid;
+ unsigned int sessionid;
cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
@@ -507,6 +508,10 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_FSGID:
result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
break;
+ case AUDIT_SESSIONID:
+ sessionid = audit_get_sessionid(current);
+ result = audit_comparator(sessionid, f->op, f->val);
+ break;
case AUDIT_PERS:
result = audit_comparator(tsk->personality, f->op, f->val);
break;
--
1.7.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] audit: add support for session ID user filter
2016-05-11 2:47 ` Richard Guy Briggs
(?)
@ 2016-05-20 18:25 ` Paul Moore
-1 siblings, 0 replies; 3+ messages in thread
From: Paul Moore @ 2016-05-20 18:25 UTC (permalink / raw)
To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel, sgrubb, eparis
On Tuesday, May 10, 2016 10:47:23 PM Richard Guy Briggs wrote:
> Define AUDIT_SESSIONID in the uapi and add support for specifying user
> filters based on the session ID.
>
> https://github.com/linux-audit/audit-kernel/issues/4
> RFE: add a session ID filter to the kernel's user filter
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> Like loginuid (auid), should this have a seperate field type
> (AUDIT_SESSIONID_UNDEFINED maybe?) to explicitly indicate that this
> value should be undefined rather than depending on an in-band value of
> -1 (or 4294967295)? If so, now would be the time to fix it.
It seems like that would be a good idea, wouldn't it? Although instead of
SESSIONID_UNDEFINED I like SESSIONID_SET a bit more so it is consistent with
LOGINUID_SET.
> ---
>
> include/uapi/linux/audit.h | 1 +
> kernel/auditfilter.c | 2 ++
> kernel/auditsc.c | 5 +++++
> 3 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 843540c..b6feaa7 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -251,6 +251,7 @@
> #define AUDIT_OBJ_LEV_LOW 22
> #define AUDIT_OBJ_LEV_HIGH 23
> #define AUDIT_LOGINUID_SET 24
> +#define AUDIT_SESSIONID 25 /* Session ID */
>
> /* These are ONLY useful when checking
> * at syscall exit time (AUDIT_AT_EXIT). */
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index b8ff9e1..23d076c 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f) case AUDIT_EXIT:
> case AUDIT_SUCCESS:
> case AUDIT_INODE:
> + case AUDIT_SESSIONID:
> /* bit ops are only useful on syscall args */
> if (f->op == Audit_bitmask || f->op == Audit_bittest)
> return -EINVAL;
> @@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct
> audit_rule_data *data, if (!gid_valid(f->gid))
> goto exit_free;
> break;
> + case AUDIT_SESSIONID:
> case AUDIT_ARCH:
> entry->rule.arch_f = f;
> break;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index b5daaa0..a82b1d9 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -445,6 +445,7 @@ static int audit_filter_rules(struct task_struct *tsk,
> const struct cred *cred;
> int i, need_sid = 1;
> u32 sid;
> + unsigned int sessionid;
>
> cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
>
> @@ -507,6 +508,10 @@ static int audit_filter_rules(struct task_struct *tsk,
> case AUDIT_FSGID:
> result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
> break;
> + case AUDIT_SESSIONID:
> + sessionid = audit_get_sessionid(current);
> + result = audit_comparator(sessionid, f->op, f->val);
> + break;
> case AUDIT_PERS:
> result = audit_comparator(tsk->personality, f->op, f->val);
> break;
--
paul moore
security @ redhat
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-05-20 18:25 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-11 2:47 [PATCH] audit: add support for session ID user filter Richard Guy Briggs
2016-05-11 2:47 ` Richard Guy Briggs
2016-05-20 18:25 ` Paul Moore
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.