From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751993AbcETSZu (ORCPT ); Fri, 20 May 2016 14:25:50 -0400 Received: from mail-qg0-f47.google.com ([209.85.192.47]:34748 "EHLO mail-qg0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750723AbcETSZt (ORCPT ); Fri, 20 May 2016 14:25:49 -0400 From: Paul Moore To: Richard Guy Briggs Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, sgrubb@redhat.com, eparis@redhat.com Subject: Re: [PATCH] audit: add support for session ID user filter Date: Fri, 20 May 2016 14:25:46 -0400 Message-ID: <4994646.5zftiIUaTf@sifl> Organization: Red Hat User-Agent: KMail/4.14.10 (Linux/4.5.2-gentoo; KDE/4.14.19; x86_64; ; ) In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tuesday, May 10, 2016 10:47:23 PM Richard Guy Briggs wrote: > Define AUDIT_SESSIONID in the uapi and add support for specifying user > filters based on the session ID. > > https://github.com/linux-audit/audit-kernel/issues/4 > RFE: add a session ID filter to the kernel's user filter > > Signed-off-by: Richard Guy Briggs > --- > Like loginuid (auid), should this have a seperate field type > (AUDIT_SESSIONID_UNDEFINED maybe?) to explicitly indicate that this > value should be undefined rather than depending on an in-band value of > -1 (or 4294967295)? If so, now would be the time to fix it. It seems like that would be a good idea, wouldn't it? Although instead of SESSIONID_UNDEFINED I like SESSIONID_SET a bit more so it is consistent with LOGINUID_SET. > --- > > include/uapi/linux/audit.h | 1 + > kernel/auditfilter.c | 2 ++ > kernel/auditsc.c | 5 +++++ > 3 files changed, 8 insertions(+), 0 deletions(-) > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 843540c..b6feaa7 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -251,6 +251,7 @@ > #define AUDIT_OBJ_LEV_LOW 22 > #define AUDIT_OBJ_LEV_HIGH 23 > #define AUDIT_LOGINUID_SET 24 > +#define AUDIT_SESSIONID 25 /* Session ID */ > > /* These are ONLY useful when checking > * at syscall exit time (AUDIT_AT_EXIT). */ > diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c > index b8ff9e1..23d076c 100644 > --- a/kernel/auditfilter.c > +++ b/kernel/auditfilter.c > @@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, > struct audit_field *f) case AUDIT_EXIT: > case AUDIT_SUCCESS: > case AUDIT_INODE: > + case AUDIT_SESSIONID: > /* bit ops are only useful on syscall args */ > if (f->op == Audit_bitmask || f->op == Audit_bittest) > return -EINVAL; > @@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct > audit_rule_data *data, if (!gid_valid(f->gid)) > goto exit_free; > break; > + case AUDIT_SESSIONID: > case AUDIT_ARCH: > entry->rule.arch_f = f; > break; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index b5daaa0..a82b1d9 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -445,6 +445,7 @@ static int audit_filter_rules(struct task_struct *tsk, > const struct cred *cred; > int i, need_sid = 1; > u32 sid; > + unsigned int sessionid; > > cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); > > @@ -507,6 +508,10 @@ static int audit_filter_rules(struct task_struct *tsk, > case AUDIT_FSGID: > result = audit_gid_comparator(cred->fsgid, f->op, f->gid); > break; > + case AUDIT_SESSIONID: > + sessionid = audit_get_sessionid(current); > + result = audit_comparator(sessionid, f->op, f->val); > + break; > case AUDIT_PERS: > result = audit_comparator(tsk->personality, f->op, f->val); > break; -- paul moore security @ redhat