* [PATCH V2 0/2] Add support for session ID user filtering
@ 2016-08-02 9:42 Richard Guy Briggs

From: Richard Guy Briggs @ 2016-08-02 9:42 UTC
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

See also the set of userspace support patches:
Add support for sessionid user filters, sessionid_set and loginuid_set
https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html

and the test case:
https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter

Richard Guy Briggs (2):
  audit: add support for session ID user filter
  audit: add AUDIT_SESSIONID_SET support

 include/linux/audit.h      | 10 ++++++++++
 include/uapi/linux/audit.h |  2 ++
 kernel/auditfilter.c       |  5 +++++
 kernel/auditsc.c           |  6 ++++++
 4 files changed, 23 insertions(+), 0 deletions(-)
* [PATCH V2 1/2] audit: add support for session ID user filter 2016-08-02 9:42 ` Richard Guy Briggs @ 2016-08-02 9:42 ` Richard Guy Briggs -1 siblings, 0 replies; 6+ messages in thread From: Richard Guy Briggs @ 2016-08-02 9:42 UTC (permalink / raw) To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs Define AUDIT_SESSIONID in the uapi and add support for specifying user filters based on the session ID. https://github.com/linux-audit/audit-kernel/issues/4 RFE: add a session ID filter to the kernel's user filter Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- include/uapi/linux/audit.h | 1 + kernel/auditfilter.c | 2 ++ kernel/auditsc.c | 5 +++++ 3 files changed, 8 insertions(+), 0 deletions(-) diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index d820aa9..b3140eb 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -252,6 +252,7 @@ #define AUDIT_OBJ_LEV_LOW 22 #define AUDIT_OBJ_LEV_HIGH 23 #define AUDIT_LOGINUID_SET 24 +#define AUDIT_SESSIONID 25 /* Session ID */ /* These are ONLY useful when checking * at syscall exit time (AUDIT_AT_EXIT). */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 85d9cac..1c60fcf 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) case AUDIT_EXIT: case AUDIT_SUCCESS: case AUDIT_INODE: + case AUDIT_SESSIONID: /* bit ops are only useful on syscall args */ if (f->op == Audit_bitmask || f->op == Audit_bittest) return -EINVAL; @@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, if (!gid_valid(f->gid)) goto exit_free; break; + case AUDIT_SESSIONID: case AUDIT_ARCH: entry->rule.arch_f = f; break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c65af21..52f7a61 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -447,6 +447,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + unsigned int sessionid; cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); @@ -509,6 +510,10 @@ static int audit_filter_rules(struct task_struct *tsk, case AUDIT_FSGID: result = audit_gid_comparator(cred->fsgid, f->op, f->gid); break; + case AUDIT_SESSIONID: + sessionid = audit_get_sessionid(current); + result = audit_comparator(sessionid, f->op, f->val); + break; case AUDIT_PERS: result = audit_comparator(tsk->personality, f->op, f->val); break; -- 1.7.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
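Review bot: in the audit_data_to_entry() hunk, `case AUDIT_SESSIONID:` is stacked directly on `case AUDIT_ARCH:`, so a session-ID field executes `entry->rule.arch_f = f;` and is recorded as the rule's architecture field; a rule carrying both an arch field and a sessionid field would have arch_f overwritten by whichever comes last. Give the new case its own `break;` (nothing beyond the field itself needs storing), or validate the value there and then break, rather than sharing the AUDIT_ARCH body.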
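Review bot: in the second audit_filter_rules() hunk, `sessionid = audit_get_sessionid(current);` reads the calling task's session, while every other field in this function is evaluated against `tsk` (`tsk->personality` in the context lines, `cred` taken from `tsk->cred`), and the `tsk == current || task_creation` condition visible in the first hunk shows this function also runs for a task that is not current; on that path the rule matches the wrong task. Use `audit_get_sessionid(tsk)` directly in the comparator call and drop the `unsigned int sessionid` local added in the first hunk. Since the subject calls this a user filter and this hunk only touches audit_filter_rules() in kernel/auditsc.c, the commit message should also state which filter lists the new field is accepted on; nothing in the audit_field_valid() hunk restricts it to a list.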
* [PATCH V2 2/2] audit: add AUDIT_SESSIONID_SET support 2016-08-02 9:42 ` Richard Guy Briggs @ 2016-08-02 9:42 ` Richard Guy Briggs -1 siblings, 0 replies; 6+ messages in thread From: Richard Guy Briggs @ 2016-08-02 9:42 UTC (permalink / raw) To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs Add AUDIT_SESSIONID_SET field to indicate the sessionID is set in filters rather than depending on an in-band signal to indicate it. https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter RFE Session ID User Filter https://github.com/linux-audit/audit-kernel/issues/4 RFE: add a session ID filter to the kernel's user filter Signed-off-by: Richard Guy Briggs <rgb@redhat.com> --- include/linux/audit.h | 10 ++++++++++ include/uapi/linux/audit.h | 1 + kernel/auditfilter.c | 3 +++ kernel/auditsc.c | 7 ++++--- 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 9d4443f..2392442 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -552,6 +552,16 @@ static inline bool audit_loginuid_set(struct task_struct *tsk) return uid_valid(audit_get_loginuid(tsk)); } +static inline bool sessionid_valid(unsigned int sessionid) +{ + return sessionid != (unsigned int) -1; +} + +static inline bool audit_sessionid_set(struct task_struct *tsk) +{ + return sessionid_valid(audit_get_sessionid(tsk)); +} + static inline void audit_log_string(struct audit_buffer *ab, const char *buf) { audit_log_n_string(ab, buf, strlen(buf)); diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index b3140eb..a4048bc 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -253,6 +253,7 @@ #define AUDIT_OBJ_LEV_HIGH 23 #define AUDIT_LOGINUID_SET 24 #define AUDIT_SESSIONID 25 /* Session ID */ +#define AUDIT_SESSIONID_SET 26 /* Session ID set or not */ /* These are ONLY useful when checking * at syscall exit time (AUDIT_AT_EXIT). */ 
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 1c60fcf..47eaaba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -387,6 +387,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) case AUDIT_FILTERKEY: break; case AUDIT_LOGINUID_SET: + case AUDIT_SESSIONID_SET: if ((f->val != 0) && (f->val != 1)) return -EINVAL; /* FALL THROUGH */ @@ -478,6 +479,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, goto exit_free; break; case AUDIT_SESSIONID: + if (!sessionid_valid(f->val)) + goto exit_free; case AUDIT_ARCH: entry->rule.arch_f = f; break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 52f7a61..4df536b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -447,7 +447,6 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; - unsigned int sessionid; cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); @@ -511,8 +510,7 @@ static int audit_filter_rules(struct task_struct *tsk, result = audit_gid_comparator(cred->fsgid, f->op, f->gid); break; case AUDIT_SESSIONID: - sessionid = audit_get_sessionid(current); - result = audit_comparator(sessionid, f->op, f->val); + result = audit_comparator(audit_get_sessionid(tsk), f->op, f->val); break; case AUDIT_PERS: result = audit_comparator(tsk->personality, f->op, f->val); @@ -614,6 +612,9 @@ static int audit_filter_rules(struct task_struct *tsk, case AUDIT_LOGINUID_SET: result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val); break; + case AUDIT_SESSIONID_SET: + result = audit_comparator(audit_sessionid_set(tsk), f->op, f->val); + break; case AUDIT_SUBJ_USER: case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_TYPE: -- 1.7.1 ^ permalink raw reply related [flat|nested] 6+ messages in thread
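Review bot: in the include/linux/audit.h hunk, `sessionid_valid()` hard-codes `(unsigned int) -1` as the unset value, and the audit_data_to_entry() hunk below rejects that same value from userspace, so userspace now needs to know the sentinel too; define it once in include/uapi/linux/audit.h next to the new AUDIT_SESSIONID defines and use the name in both places, the way `audit_loginuid_set()` in the context line above delegates to `uid_valid()` instead of spelling out the invalid uid. The helper also sits in a widely included header without the `audit_` prefix its neighbours carry; `audit_sessionid_valid()` would avoid a generic global name.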
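Review bot: in the audit_data_to_entry() hunk, the new `if (!sessionid_valid(f->val)) goto exit_free;` under `case AUDIT_SESSIONID:` still falls into `case AUDIT_ARCH:` and sets `entry->rule.arch_f = f;` for a session-ID field, and this fall-through is unmarked while the audit_field_valid() hunk in the same patch keeps a `/* FALL THROUGH */` comment on its own fall-through. Validate and then `break;` in the AUDIT_SESSIONID case instead of sharing the AUDIT_ARCH body. The value check would also fit better in audit_field_valid(), beside the `(f->val != 0) && (f->val != 1)` test this patch adds for AUDIT_SESSIONID_SET, so that all per-field value validation lives in one function.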
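Review bot: in the first kernel/auditsc.c hunk, replacing `audit_get_sessionid(current)` with `audit_get_sessionid(tsk)` and removing the `sessionid` local corrects the task being matched, but that is a fix to code introduced by 1/2, not part of AUDIT_SESSIONID_SET support; squash it into 1/2 so that patch is correct on its own and the series bisects cleanly, leaving only the AUDIT_SESSIONID_SET case in this patch.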
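The following is an added example, not code from the patch series or from the audit project. It shows the userspace side of the ABI the two patches define: it fills in the `struct audit_rule_data` payload that an AUDIT_ADD_RULE netlink message carries for an `AUDIT_SESSIONID` or `AUDIT_SESSIONID_SET` field, and pre-checks the field against the constraints visible in the hunks (no bit operators on a session ID, no rule value equal to the unset sentinel, only 0 or 1 for the _SET field) so a bad rule is refused before it is sent. Constants other than `AUDIT_SESSIONID` and `AUDIT_SESSIONID_SET` are copied from include/uapi/linux/audit.h. The ==/!= restriction on `AUDIT_SESSIONID_SET` is an assumption taken from the case the `AUDIT_LOGINUID_SET` code falls through to in auditfilter.c, which the hunk does not show; the netlink socket handling is left out.

```c
/* Added example (not from the patch series): build the struct audit_rule_data
 * payload of an AUDIT_ADD_RULE message for the two new session-ID fields and
 * pre-check it against the constraints the patched kernel enforces. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copied from include/uapi/linux/audit.h; the two AUDIT_SESSIONID* values are
 * the ones this series adds. */
#define AUDIT_FILTER_USER    0x00           /* user-generated message list */
#define AUDIT_FILTER_EXIT    0x04           /* syscall exit list */
#define AUDIT_ALWAYS         2
#define AUDIT_SESSIONID      25
#define AUDIT_SESSIONID_SET  26
#define AUDIT_BIT_MASK       0x08000000
#define AUDIT_NOT_EQUAL      0x30000000
#define AUDIT_EQUAL          0x40000000
#define AUDIT_BIT_TEST       (AUDIT_BIT_MASK | AUDIT_EQUAL)
#define AUDIT_BITMASK_SIZE   64
#define AUDIT_MAX_FIELDS     64
#define SESSIONID_UNSET      ((uint32_t)-1) /* the value sessionid_valid() rejects */

struct audit_rule_data {                    /* same layout as the uapi struct */
	uint32_t flags;                     /* AUDIT_FILTER_* list */
	uint32_t action;                    /* AUDIT_ALWAYS / AUDIT_NEVER */
	uint32_t field_count;
	uint32_t mask[AUDIT_BITMASK_SIZE];  /* syscall bitmap, unused here */
	uint32_t fields[AUDIT_MAX_FIELDS];
	uint32_t values[AUDIT_MAX_FIELDS];
	uint32_t fieldflags[AUDIT_MAX_FIELDS]; /* comparison operator per field */
	uint32_t buflen;                    /* bytes of string data in buf[] */
	char     buf[];
};

/* What audit_field_valid() and audit_data_to_entry() accept for the two
 * fields: no bit operators and no unset sentinel for AUDIT_SESSIONID, only
 * 0/1 for AUDIT_SESSIONID_SET. The ==/!= limit on the _SET field is assumed
 * from the AUDIT_LOGINUID_SET fall-through that the hunk does not show.
 * Returns 0 when the kernel would accept the field, -EINVAL otherwise. */
int sessionid_field_check(uint32_t field, uint32_t op, uint32_t val)
{
	switch (field) {
	case AUDIT_SESSIONID:
		if (op == AUDIT_BIT_MASK || op == AUDIT_BIT_TEST)
			return -EINVAL;
		return val == SESSIONID_UNSET ? -EINVAL : 0; /* use sessionid_set=0 */
	case AUDIT_SESSIONID_SET:
		if (val != 0 && val != 1)
			return -EINVAL;
		return (op == AUDIT_EQUAL || op == AUDIT_NOT_EQUAL) ? 0 : -EINVAL;
	default:
		return -EINVAL;                 /* helper only knows the session fields */
	}
}

void audit_rule_init(struct audit_rule_data *r, uint32_t list, uint32_t action)
{
	memset(r, 0, sizeof(*r));
	r->flags = list;
	r->action = action;
}

/* Append one field; the operator rides in fieldflags[] as auditctl sends it. */
int audit_rule_add_field(struct audit_rule_data *r, uint32_t field,
			 uint32_t op, uint32_t val)
{
	int err = sessionid_field_check(field, op, val);

	if (err)
		return err;
	if (r->field_count >= AUDIT_MAX_FIELDS)
		return -E2BIG;
	r->fields[r->field_count] = field;
	r->values[r->field_count] = val;
	r->fieldflags[r->field_count] = op;
	r->field_count++;
	return 0;
}

/* Length of the AUDIT_ADD_RULE payload: fixed part plus string buffer. */
size_t audit_rule_payload_len(const struct audit_rule_data *r)
{
	return sizeof(*r) + r->buflen;
}

/* "-a user,always -F sessionid=<id>": events from one login session. */
const struct audit_rule_data *build_session_rule(uint32_t sessionid)
{
	static struct audit_rule_data r;

	audit_rule_init(&r, AUDIT_FILTER_USER, AUDIT_ALWAYS);
	return audit_rule_add_field(&r, AUDIT_SESSIONID, AUDIT_EQUAL, sessionid) ? NULL : &r;
}

/* "-a exit,always -F sessionid_set=0": tasks that never got a session. */
const struct audit_rule_data *build_no_session_rule(void)
{
	static struct audit_rule_data r;

	audit_rule_init(&r, AUDIT_FILTER_EXIT, AUDIT_ALWAYS);
	return audit_rule_add_field(&r, AUDIT_SESSIONID_SET, AUDIT_EQUAL, 0) ? NULL : &r;
}

int main(void)
{
	const struct audit_rule_data *r = build_session_rule(42);

	printf("sessionid=42: %u field(s), %zu-byte payload\n",
	       r->field_count, audit_rule_payload_len(r));
	printf("sessionid=-1 accepted: %s\n",
	       build_session_rule(SESSIONID_UNSET) ? "yes" : "no, use sessionid_set=0");
	return 0;
}
```

The payload returned by either builder is what goes after the netlink header of an AUDIT_ADD_RULE message on a NETLINK_AUDIT socket, with the message length set from `audit_rule_payload_len()`. The point of the pre-check is the unset sentinel: because the kernel refuses `sessionid=-1` in audit_data_to_entry(), the only way to select tasks without a session is the separate `sessionid_set=0` field that patch 2/2 introduces.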