* [PATCH V3 0/3] Add support for session ID user filtering
@ 2016-08-18 17:43 ` Richard Guy Briggs
  0 siblings, 0 replies; 16+ messages in thread
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore, eparis

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter
 
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

See also the set of userspace support patches:
	Add support for sessionid user filters, sessionid_set and loginuid_set
	https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
	(userspace update expected to be posted 2016-08-18)
and the test case:
	https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter

This third patch is expected to have a merge conflict with:
	"audit: add exclude filter extension to feature bitmap"
posted on 2016-08-18.

Richard Guy Briggs (3):
  audit: add support for session ID user filter
  audit: add AUDIT_SESSIONID_SET support
  audit: add sessionid filter extension to feature bitmap

 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    6 +++++-
 kernel/auditfilter.c       |    5 +++++
 kernel/auditsc.c           |    6 ++++++
 4 files changed, 26 insertions(+), 1 deletions(-)

* [PATCH V3 1/3] audit: add support for session ID user filter
  2016-08-18 17:43 ` Richard Guy Briggs
@ 2016-08-18 17:43   ` Richard Guy Briggs
  -1 siblings, 0 replies; 16+ messages in thread
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore, eparis

Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    2 ++
 kernel/auditsc.c           |    5 +++++
 3 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..b3140eb 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -252,6 +252,7 @@
 #define AUDIT_OBJ_LEV_LOW	22
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
+#define AUDIT_SESSIONID	25	/* Session ID */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
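Review bot: AUDIT_SESSIONID 25 is a uapi value and becomes ABI once merged, so the number is fixed from here on; the `/* Session ID */` comment is the only documentation userspace tools get from this header, so it is worth stating that the field compares against the task's audit session ID and that bit operations are not accepted for it (as auditfilter.c below enforces).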
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 85d9cac..1c60fcf 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_EXIT:
 	case AUDIT_SUCCESS:
 	case AUDIT_INODE:
+	case AUDIT_SESSIONID:
 		/* bit ops are only useful on syscall args */
 		if (f->op == Audit_bitmask || f->op == Audit_bittest)
 			return -EINVAL;
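Review bot: rejecting Audit_bitmask/Audit_bittest for AUDIT_SESSIONID is right for a plain counter field, but nothing in this patch rejects the (unsigned int)-1 unset sentinel as a rule value, so a rule of the form `sessionid=4294967295` would be accepted and match every task whose session ID is unset. The value check that 2/3 adds later (`if (!sessionid_valid(f->val)) goto exit_free;`) belongs in this patch so that 1/3 is correct on its own.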
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 			if (!gid_valid(f->gid))
 				goto exit_free;
 			break;
+		case AUDIT_SESSIONID:
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
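Review bot: placing `case AUDIT_SESSIONID:` directly above `case AUDIT_ARCH:` makes the sessionid field fall into `entry->rule.arch_f = f;`, so a rule containing a sessionid field is recorded as if it carried an arch field. If no extra validation is intended here, give AUDIT_SESSIONID its own case with a `break;`; if setting arch_f really is wanted, mark the fall-through with the `/* FALL THROUGH */` comment this file already uses and say why in the commit message.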
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index c65af21..52f7a61 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,6 +447,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
+	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
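Review bot: the new local `unsigned int sessionid;` is removed again by patch 2/3 of this series; if the set stays split rather than squashed, write the comparison without the temporary here so 2/3 does not have to undo it.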
@@ -509,6 +510,10 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_FSGID:
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
+		case AUDIT_SESSIONID:
+			sessionid = audit_get_sessionid(current);
+			result = audit_comparator(sessionid, f->op, f->val);
+			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
 			break;
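Review bot: `audit_get_sessionid(current)` looks wrong in a function that filters `tsk`: every other case in this switch reads `tsk` (`tsk->personality` two lines below; `cred` is taken from `tsk` via rcu_dereference_check with the task_creation case), so when audit_filter_rules() runs for a task other than current the caller's session ID would be compared instead of the target task's. Use `audit_get_sessionid(tsk)`; patch 2/3 changes it that way, but the fix belongs in this patch.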
-- 
1.7.1

* [PATCH V3 2/3] audit: add AUDIT_SESSIONID_SET support
  2016-08-18 17:43 ` Richard Guy Briggs
@ 2016-08-18 17:43   ` Richard Guy Briggs
  -1 siblings, 0 replies; 16+ messages in thread
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore, eparis

Add AUDIT_SESSIONID_SET field to indicate the sessionID is set in
filters rather than depending on an in-band signal to indicate it.

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    3 +++
 kernel/auditsc.c           |    7 ++++---
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..2392442 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -552,6 +552,16 @@ static inline bool audit_loginuid_set(struct task_struct *tsk)
 	return uid_valid(audit_get_loginuid(tsk));
 }
 
+static inline bool sessionid_valid(unsigned int sessionid)
+{
+	return sessionid != (unsigned int) -1;
+}
+
+static inline bool audit_sessionid_set(struct task_struct *tsk)
+{
+	return sessionid_valid(audit_get_sessionid(tsk));
+}
+
 static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 {
 	audit_log_n_string(ab, buf, strlen(buf));
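Review bot: `sessionid_valid()` hard-codes the `(unsigned int) -1` sentinel; the same value is the unset marker the session ID allocator and the filter code depend on, so a single named constant for the unset session ID in this header would keep the checks from drifting apart. Also, `sessionid_valid` is an unprefixed name in a widely included header; an `audit_` prefix, matching `audit_sessionid_set()` right below it, would avoid collisions.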
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index b3140eb..a4048bc 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -253,6 +253,7 @@
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
 #define AUDIT_SESSIONID	25	/* Session ID */
+#define AUDIT_SESSIONID_SET	26	/* Session ID set or not */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 1c60fcf..47eaaba 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -387,6 +387,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_FILTERKEY:
 		break;
 	case AUDIT_LOGINUID_SET:
+	case AUDIT_SESSIONID_SET:
 		if ((f->val != 0) && (f->val != 1))
 			return -EINVAL;
 	/* FALL THROUGH */
@@ -478,6 +479,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 				goto exit_free;
 			break;
 		case AUDIT_SESSIONID:
+			if (!sessionid_valid(f->val))
+				goto exit_free;
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
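Review bot: the new `if (!sessionid_valid(f->val)) goto exit_free;` under `case AUDIT_SESSIONID:` now has a statement before the fall-through into `case AUDIT_ARCH:` (which sets `entry->rule.arch_f = f`) with no `/* FALL THROUGH */` marker, unlike audit_field_valid() above. This validation also belongs with the patch that introduced AUDIT_SESSIONID (1/3): as structured, dropping 2/3 alone, as this thread later discusses, leaves the sentinel accepted as a rule value.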
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 52f7a61..4df536b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,7 +447,6 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
-	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
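Review bot: this hunk only reverts the local that 1/3 added; if the series is not squashed, fold the two auditsc.c changes into 1/3 so each patch is self-contained.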
@@ -511,8 +510,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
 		case AUDIT_SESSIONID:
-			sessionid = audit_get_sessionid(current);
-			result = audit_comparator(sessionid, f->op, f->val);
+			result = audit_comparator(audit_get_sessionid(tsk), f->op, f->val);
 			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
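Review bot: switching from `audit_get_sessionid(current)` to `audit_get_sessionid(tsk)` is a behaviour fix for filtering tasks other than current, not part of the AUDIT_SESSIONID_SET feature this commit message describes; it should move to 1/3 (or at least be called out here), otherwise 1/3 on its own is buggy and the fix is hidden in a patch that may be dropped.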
@@ -614,6 +612,9 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_LOGINUID_SET:
 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
 			break;
+		case AUDIT_SESSIONID_SET:
+			result = audit_comparator(audit_sessionid_set(tsk), f->op, f->val);
+			break;
 		case AUDIT_SUBJ_USER:
 		case AUDIT_SUBJ_ROLE:
 		case AUDIT_SUBJ_TYPE:
-- 
1.7.1

* [PATCH V3 3/3] audit: add sessionid filter extension to feature bitmap
  2016-08-18 17:43 ` Richard Guy Briggs
@ 2016-08-18 17:43   ` Richard Guy Briggs
  -1 siblings, 0 replies; 16+ messages in thread
From: Richard Guy Briggs @ 2016-08-18 17:43 UTC (permalink / raw)
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore, eparis

Add to the audit feature bitmap to indicate availability of the
extension of the exclude and user filters to include sessionID.

RFE: add a session ID filter to the kernel's user filter
https://github.com/linux-audit/audit-kernel/issues/4

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index a4048bc..d4a9589 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -329,9 +329,11 @@ enum {
 #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT	0x00000001
 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME	0x00000002
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH	0x00000004
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER	0x00000010
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
 				  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
-				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH)
+				  AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
+				  AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
 
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST 		AUDIT_FEATURE_BITMAP_ALL
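Review bot: `AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010` skips 0x00000008; the cover letter says this patch conflicts with "audit: add exclude filter extension to feature bitmap", so presumably that bit is reserved for it, but the commit message should say so and the two series need to land in a fixed order so the feature bits do not shift. Extending AUDIT_FEATURE_BITMAP_ALL is correct and keeps AUDIT_VERSION_LATEST in sync.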
-- 
1.7.1

* Re: [PATCH V3 0/3] Add support for session ID user filtering
  2016-08-18 17:43 ` Richard Guy Briggs
                   ` (3 preceding siblings ...)
  (?)
@ 2016-08-18 23:53 ` Paul Moore
  2016-08-19  4:36   ` Richard Guy Briggs
  2016-08-19 19:08   ` Paul Moore
  -1 siblings, 2 replies; 16+ messages in thread
From: Paul Moore @ 2016-08-18 23:53 UTC (permalink / raw)
  To: Richard Guy Briggs, sgrubb; +Cc: linux-audit, linux-kernel

On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> RFE Session ID User Filter
>
> https://github.com/linux-audit/audit-kernel/issues/4
> RFE: add a session ID filter to the kernel's user filter
>
> See also the set of userspace support patches:
>         Add support for sessionid user filters, sessionid_set and loginuid_set
>         https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
>         (userspace update expected to be posted 2016-08-18)
> and the test case:
>         https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
>
> This third patch is expected to have a merge conflict with:
>         "audit: add exclude filter extension to feature bitmap"
> posted on 2016-08-18.
>
> Richard Guy Briggs (3):
>   audit: add support for session ID user filter
>   audit: add AUDIT_SESSIONID_SET support
>   audit: add sessionid filter extension to feature bitmap
>
>  include/linux/audit.h      |   10 ++++++++++
>  include/uapi/linux/audit.h |    6 +++++-
>  kernel/auditfilter.c       |    5 +++++
>  kernel/auditsc.c           |    6 ++++++
>  4 files changed, 26 insertions(+), 1 deletions(-)

These patches look fine to me; the only comment I have is that these
should probably be combined into a single patch to avoid
cherry-picking of individual pieces, e.g. skipping the feature bitmap
or AUDIT_SESSION_SET support.  I can do that when I merge the patches,
no need to resend unless you really want to ...

However, the bigger issue is coordination with the userspace patches.
I really don't like merging kernel patches until Steve OK's the
corresponding userspace patches.

-- 
paul moore
www.paul-moore.com

* Re: [PATCH V3 0/3] Add support for session ID user filtering
  2016-08-18 23:53 ` [PATCH V3 0/3] Add support for session ID user filtering Paul Moore
@ 2016-08-19  4:36   ` Richard Guy Briggs
  2016-08-19 12:22     ` Paul Moore
  2016-08-19 19:08   ` Paul Moore
  1 sibling, 1 reply; 16+ messages in thread
From: Richard Guy Briggs @ 2016-08-19  4:36 UTC (permalink / raw)
  To: Paul Moore; +Cc: sgrubb, linux-audit, linux-kernel

On 2016-08-18 19:53, Paul Moore wrote:
> On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > RFE Session ID User Filter
> >
> > https://github.com/linux-audit/audit-kernel/issues/4
> > RFE: add a session ID filter to the kernel's user filter
> >
> > See also the set of userspace support patches:
> >         Add support for sessionid user filters, sessionid_set and loginuid_set
> >         https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
> >         (userspace update expected to be posted 2016-08-18)
> > and the test case:
> >         https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
> >
> > This third patch is expected to have a merge conflict with:
> >         "audit: add exclude filter extension to feature bitmap"
> > posted on 2016-08-18.
> >
> > Richard Guy Briggs (3):
> >   audit: add support for session ID user filter
> >   audit: add AUDIT_SESSIONID_SET support
> >   audit: add sessionid filter extension to feature bitmap
> >
> >  include/linux/audit.h      |   10 ++++++++++
> >  include/uapi/linux/audit.h |    6 +++++-
> >  kernel/auditfilter.c       |    5 +++++
> >  kernel/auditsc.c           |    6 ++++++
> >  4 files changed, 26 insertions(+), 1 deletions(-)
> 
> These patches look fine to me; the only comment I have is that these
> should probably be combined into a single patch to avoid
> cherry-picking of individual pieces, e.g. skipping the feature bitmap
> or AUDIT_SESSION_SET support.  I can do that when I merge the patches,
> no need to resend unless you really want to ...
> 
> However, the bigger issue is coordination with the userspace patches.
> I really don't like merging kernel patches until Steve OK's the
> corresponding userspace patches.

Well, some thought went into making the two behave properly in the
absence of an update of the other.  This was the primary reason for the
re-spin.  That part of the process is working, since it was Steve's
feedback that provoked the respin.

> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

* Re: [PATCH V3 0/3] Add support for session ID user filtering
  2016-08-19  4:36   ` Richard Guy Briggs
@ 2016-08-19 12:22     ` Paul Moore
  0 siblings, 0 replies; 16+ messages in thread
From: Paul Moore @ 2016-08-19 12:22 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: sgrubb, linux-audit, linux-kernel

On Fri, Aug 19, 2016 at 12:36 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2016-08-18 19:53, Paul Moore wrote:
>> These patches look fine to me; the only comment I have is that these
>> should probably be combined into a single patch to avoid
>> cherry-picking of individual pieces, e.g. skipping the feature bitmap
>> or AUDIT_SESSION_SET support.  I can do that when I merge the patches,
>> no need to resend unless you really want to ...
>>
>> However, the bigger issue is coordination with the userspace patches.
>> I really don't like merging kernel patches until Steve OK's the
>> corresponding userspace patches.
>
> Well, some thought went into making the two behave properly in the
> absence of an update of the other.  This was the primary reason for the
> re-spin.  That part of the process is working, since it was Steve's
> feedback that provoked the respin.

The issue isn't so much in making the different bits behave under
different circumstances - they need to do that period - the issue is
that I don't want to include new functionality in the kernel that
doesn't have a user (or one on the horizon).

-- 
paul moore
www.paul-moore.com

* Re: [PATCH V3 0/3] Add support for session ID user filtering
  2016-08-18 23:53 ` [PATCH V3 0/3] Add support for session ID user filtering Paul Moore
  2016-08-19  4:36   ` Richard Guy Briggs
@ 2016-08-19 19:08   ` Paul Moore
  1 sibling, 0 replies; 16+ messages in thread
From: Paul Moore @ 2016-08-19 19:08 UTC (permalink / raw)
  To: Richard Guy Briggs, sgrubb; +Cc: linux-audit, linux-kernel

On Thu, Aug 18, 2016 at 7:53 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>> https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
>> RFE Session ID User Filter
>>
>> https://github.com/linux-audit/audit-kernel/issues/4
>> RFE: add a session ID filter to the kernel's user filter
>>
>> See also the set of userspace support patches:
>>         Add support for sessionid user filters, sessionid_set and loginuid_set
>>         https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
>>         (userspace update expected to be posted 2016-08-18)
>> and the test case:
>>         https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
>>
>> This third patch is expected to have a merge conflict with:
>>         "audit: add exclude filter extension to feature bitmap"
>> posted on 2016-08-18.
>>
>> Richard Guy Briggs (3):
>>   audit: add support for session ID user filter
>>   audit: add AUDIT_SESSIONID_SET support
>>   audit: add sessionid filter extension to feature bitmap
>>
>>  include/linux/audit.h      |   10 ++++++++++
>>  include/uapi/linux/audit.h |    6 +++++-
>>  kernel/auditfilter.c       |    5 +++++
>>  kernel/auditsc.c           |    6 ++++++
>>  4 files changed, 26 insertions(+), 1 deletions(-)
>
> These patches look fine to me; the only comment I have is that these
> should probably be combined into a single patch to avoid
> cherry-picking of individual pieces, e.g. skipping the feature bitmap
> or AUDIT_SESSION_SET support.  I can do that when I merge the patches,
> no need to resend unless you really want to ...
>
> However, the bigger issue is coordination with the userspace patches.
> I really don't like merging kernel patches until Steve OK's the
> corresponding userspace patches.

I went ahead and squashed the patches into one and merged it into the
audit#working-session_filter-v3 branch.  Take a look and if anything
looks awry let me know.

I'm also going to start including this patch/branch in my
pcmoore/kernel-secnext Copr builds so it is easier for you/sgrubb to
test the userspace support; once Steve OK's the userspace code I'll
merge this patch(set) into audit#next properly.

* https://github.com/linux-audit/audit-kernel/issues/4
* https://copr.fedorainfracloud.org/coprs/pcmoore/kernel-secnext

-- 
paul moore
www.paul-moore.com

* Re: [PATCH V3 0/3] Add support for session ID user filtering
  2016-08-18 17:43 ` Richard Guy Briggs
                   ` (4 preceding siblings ...)
  (?)
@ 2016-10-20 19:27 ` Paul Moore
  2016-10-21  6:46   ` Richard Guy Briggs
  -1 siblings, 1 reply; 16+ messages in thread
From: Paul Moore @ 2016-10-20 19:27 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel, sgrubb, eparis

On Thursday, August 18, 2016 01:43:12 PM Richard Guy Briggs wrote:
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> RFE Session ID User Filter
> 
> https://github.com/linux-audit/audit-kernel/issues/4
> RFE: add a session ID filter to the kernel's user filter
> 
> See also the set of userspace support patches:
> 	Add support for sessionid user filters, sessionid_set and loginuid_set
> 	https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
> 	(userspace update expected to be posted 2016-08-18)
> and the test case:
> 	https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
> 
> This third patch is expected to have a merge conflict with:
> 	"audit: add exclude filter extension to feature bitmap"
> posted on 2016-08-18.
> 
> Richard Guy Briggs (3):
>   audit: add support for session ID user filter
>   audit: add AUDIT_SESSIONID_SET support
>   audit: add sessionid filter extension to feature bitmap
> 
>  include/linux/audit.h      |   10 ++++++++++
>  include/uapi/linux/audit.h |    6 +++++-
>  kernel/auditfilter.c       |    5 +++++
>  kernel/auditsc.c           |    6 ++++++
>  4 files changed, 26 insertions(+), 1 deletions(-)

In light of our current decision to drop the session ID "set" filter, I'm 
taking another look at these patches and Richard's comment to simply drop 
patch 2/3 and apply 1/3 and 3/3.

Richard, as I mentioned earlier, perhaps not clearly enough, I think we should 
put a check in audit_set_loginuid() to skip the (int)-1 value from appearing 
in session_id during normal operation.  In other words, roll/reset the value 
in session_id one value early so we don't run into problems with the (int)-1 
unset sentinel value.

-- 
paul moore
security @ redhat

* Re: [PATCH V3 0/3] Add support for session ID user filtering
  2016-10-20 19:27 ` Paul Moore
@ 2016-10-21  6:46   ` Richard Guy Briggs
  2016-10-21 17:03     ` Paul Moore
  0 siblings, 1 reply; 16+ messages in thread
From: Richard Guy Briggs @ 2016-10-21  6:46 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit, linux-kernel, sgrubb, eparis

On 2016-10-20 15:27, Paul Moore wrote:
> On Thursday, August 18, 2016 01:43:12 PM Richard Guy Briggs wrote:
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > RFE Session ID User Filter
> > 
> > https://github.com/linux-audit/audit-kernel/issues/4
> > RFE: add a session ID filter to the kernel's user filter
> > 
> > See also the set of userspace support patches:
> > 	Add support for sessionid user filters, sessionid_set and loginuid_set
> > 	https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
> > 	(userspace update expected to be posted 2016-08-18)
> > and the test case:
> > 	https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
> > 
> > This third patch is expected to have a merge conflict with:
> > 	"audit: add exclude filter extension to feature bitmap"
> > posted on 2016-08-18.
> > 
> > Richard Guy Briggs (3):
> >   audit: add support for session ID user filter
> >   audit: add AUDIT_SESSIONID_SET support
> >   audit: add sessionid filter extension to feature bitmap
> > 
> >  include/linux/audit.h      |   10 ++++++++++
> >  include/uapi/linux/audit.h |    6 +++++-
> >  kernel/auditfilter.c       |    5 +++++
> >  kernel/auditsc.c           |    6 ++++++
> >  4 files changed, 26 insertions(+), 1 deletions(-)
> 
> In light of our current decision to drop the session ID "set" filter, I'm 
> taking another look at these patches and Richard's comment to simply drop 
> patch 2/3 and apply 1/3 and 3/3.
> 
> Richard, as I mentioned earlier, perhaps not clearly enough, I think we should 
> put a check in audit_set_loginuid() to skip the (int)-1 value from appearing 
> in session_id during normal operation.  In other words, roll/reset the value 
> in session_id one value early so we don't run into problems with the (int)-1 
> unset sentinel value.

I noted your comment earlier and I agree skipping the sentinel is
required, but if we are rolling this counter, we have bigger issues
unless there is a way to determine if a sessionID value is still in use
by at least one task.

> paul moore

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH V3 0/3] Add support for session ID user filtering
  2016-10-21  6:46   ` Richard Guy Briggs
@ 2016-10-21 17:03     ` Paul Moore
  0 siblings, 0 replies; 16+ messages in thread
From: Paul Moore @ 2016-10-21 17:03 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: Paul Moore, linux-audit, linux-kernel

On Fri, Oct 21, 2016 at 2:46 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2016-10-20 15:27, Paul Moore wrote:
>> On Thursday, August 18, 2016 01:43:12 PM Richard Guy Briggs wrote:
>> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
>> > RFE Session ID User Filter
>> >
>> > https://github.com/linux-audit/audit-kernel/issues/4
>> > RFE: add a session ID filter to the kernel's user filter
>> >
>> > See also the set of userspace support patches:
>> >     Add support for sessionid user filters, sessionid_set and loginuid_set
>> >     https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
>> >     (userspace update expected to be posted 2016-08-18)
>> > and the test case:
>> >     https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
>> >
>> > This third patch is expected to have a merge conflict with:
>> >     "audit: add exclude filter extension to feature bitmap"
>> > posted on 2016-08-18.
>> >
>> > Richard Guy Briggs (3):
>> >   audit: add support for session ID user filter
>> >   audit: add AUDIT_SESSIONID_SET support
>> >   audit: add sessionid filter extension to feature bitmap
>> >
>> >  include/linux/audit.h      |   10 ++++++++++
>> >  include/uapi/linux/audit.h |    6 +++++-
>> >  kernel/auditfilter.c       |    5 +++++
>> >  kernel/auditsc.c           |    6 ++++++
>> >  4 files changed, 26 insertions(+), 1 deletions(-)
>>
>> In light of our current decision to drop the session ID "set" filter, I'm
>> taking another look at these patches and Richard's comment to simply drop
>> patch 2/3 and apply 1/3 and 3/3.
>>
>> Richard, as I mentioned earlier, perhaps not clearly enough, I think we should
>> put a check in audit_set_loginuid() to skip the (int)-1 value from appearing
>> in session_id during normal operation.  In other words, roll/reset the value
>> in session_id one value early so we don't run into problems with the (int)-1
>> unset sentinel value.
>
> I noted your comment earlier and I agree skipping the sentinel is
> required, but if we are rolling this counter, we have bigger issues
> unless there is a way to determine if a sessionID value is still in use
> by at least one task.

The session ID reuse problem is independent of the rollover problem;
the session ID value is going to roll at some point, regardless of if
we skip one value or not.  I guess if there is any comfort in the
value rolling, it is only bumped on a new interactive user session and
given that systemd is now taking to killing all user processes on
logout (no more nohup'ing things) it is unlikely that this will be an
issue on a modern Linux system (it would appear that most everyone is
moving to systemd, for better or worse).  For those truly paranoid
admins, they don't have to filter on it - problem solved - for
everyone else, it can be a useful tool.

-- 
paul moore
www.paul-moore.com

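The sentinel-skipping rule Paul describes (bump the counter one value early so a live task never carries the (int)-1 "unset" value), modelled in userspace as an added example; this is not the kernel's code, and the function names audit_sid_alloc, audit_sid_seed and audit_sid_rule_matches are hypothetical stand-ins for the logic in audit_set_loginuid() and the user filter.

```c
/* Added example, not kernel code: a userspace model of the audit
 * session ID counter with the "skip the unset sentinel" rule from the
 * thread. The kernel's real counter lives in kernel/auditsc.c; the
 * function names here (audit_sid_*) are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* The kernel marks a task with no session as (unsigned int)-1. */
#define SID_UNSET ((unsigned int)-1)

/* Model of the kernel's global, atomically incremented session counter. */
static atomic_uint session_id;

/* Hand out the next session ID, never returning SID_UNSET: when the
 * increment lands on the sentinel the counter is bumped once more, so
 * the sequence runs ..., 0xfffffffe, 0, 1, ... Reuse of a wrapped value
 * by a task that still holds it (Richard's point) is not handled here. */
unsigned int audit_sid_alloc(void)
{
	unsigned int sid = atomic_fetch_add(&session_id, 1u) + 1u;

	if (sid == SID_UNSET)
		sid = atomic_fetch_add(&session_id, 1u) + 1u;
	return sid;
}

/* Reset the model counter so a caller can start just below the wrap. */
void audit_sid_seed(unsigned int value)
{
	atomic_store(&session_id, value);
}

/* A user filter rule "sessionid=<value>" must never match a task that
 * has no session at all; that holds only if SID_UNSET is never allocated,
 * which is why the allocator above skips it. */
bool audit_sid_rule_matches(unsigned int rule_sid, unsigned int task_sid)
{
	return task_sid != SID_UNSET && task_sid == rule_sid;
}

int main(void)
{
	audit_sid_seed(SID_UNSET - 2);	/* two allocations before the sentinel */
	for (int i = 0; i < 3; i++)
		printf("sessionid %u\n", audit_sid_alloc());
	return 0;
}
```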

* Re: [PATCH V3 0/3] Add support for session ID user filtering
  2016-08-18 17:43 ` Richard Guy Briggs
                   ` (5 preceding siblings ...)
  (?)
@ 2016-11-20 22:04 ` Paul Moore
  -1 siblings, 0 replies; 16+ messages in thread
From: Paul Moore @ 2016-11-20 22:04 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel

On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> RFE Session ID User Filter
>
> https://github.com/linux-audit/audit-kernel/issues/4
> RFE: add a session ID filter to the kernel's user filter
>
> See also the set of userspace support patches:
>         Add support for sessionid user filters, sessionid_set and loginuid_set
>         https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
>         (userspace update expected to be posted 2016-08-18)
> and the test case:
>         https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
>
> This third patch is expected to have a merge conflict with:
>         "audit: add exclude filter extension to feature bitmap"
> posted on 2016-08-18.
>
> Richard Guy Briggs (3):
>   audit: add support for session ID user filter
>   audit: add AUDIT_SESSIONID_SET support
>   audit: add sessionid filter extension to feature bitmap
>
>  include/linux/audit.h      |   10 ++++++++++
>  include/uapi/linux/audit.h |    6 +++++-
>  kernel/auditfilter.c       |    5 +++++
>  kernel/auditsc.c           |    6 ++++++
>  4 files changed, 26 insertions(+), 1 deletions(-)

I just combined and merged patches 1/3 and 3/3 into the audit#next
branch, skipping the AUDIT_SESSIONID_SET patch as we already discussed
on list.  I included the patches into the next branch because the
userspace support has already been merged, but if the session ID tests
and wiki feature page aren't ready by the time the next merge window
opens I'm going to drop them from the pull request I send Linus.

-- 
paul moore
www.paul-moore.com

