public inbox for linux-kernel@vger.kernel.org
* [PATCH V2 0/2] Add support for session ID user filtering
@ 2016-08-02  9:42 Richard Guy Briggs
From: Richard Guy Briggs @ 2016-08-02  9:42 UTC
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore, eparis

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter
 
https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

See also the set of userspace support patches:
	Add support for sessionid user filters, sessionid_set and loginuid_set
	https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
and the test case:
	https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter

Richard Guy Briggs (2):
  audit: add support for session ID user filter
  audit: add AUDIT_SESSIONID_SET support

 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    2 ++
 kernel/auditfilter.c       |    5 +++++
 kernel/auditsc.c           |    6 ++++++
 4 files changed, 23 insertions(+), 0 deletions(-)


* [PATCH V2 1/2] audit: add support for session ID user filter
From: Richard Guy Briggs @ 2016-08-02  9:42 UTC
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore, eparis

Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    2 ++
 kernel/auditsc.c           |    5 +++++
 3 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d820aa9..b3140eb 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -252,6 +252,7 @@
 #define AUDIT_OBJ_LEV_LOW	22
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
+#define AUDIT_SESSIONID	25	/* Session ID */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
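Review bot: the value column of the new `#define AUDIT_SESSIONID	25	/* Session ID */` line does not line up with `#define AUDIT_LOGINUID_SET	24` above it, since AUDIT_SESSIONID is three characters shorter and only one tab follows it; pad the name with a second tab so the uapi table stays aligned like its neighbours.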
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 85d9cac..1c60fcf 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_EXIT:
 	case AUDIT_SUCCESS:
 	case AUDIT_INODE:
+	case AUDIT_SESSIONID:
 		/* bit ops are only useful on syscall args */
 		if (f->op == Audit_bitmask || f->op == Audit_bittest)
 			return -EINVAL;
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 			if (!gid_valid(f->gid))
 				goto exit_free;
 			break;
+		case AUDIT_SESSIONID:
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
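Review bot: in audit_data_to_entry() the new `case AUDIT_SESSIONID:` falls through into the `case AUDIT_ARCH:` body, so a session ID rule ends up stored in `entry->rule.arch_f`, a slot whose name says it is meant to hold the rule's architecture field rather than an arbitrary numeric field. Unless there is a reason a session ID field must be treated as the arch field, give AUDIT_SESSIONID its own `break;` (or fold it into the group of fields that need no entry-time processing), and if the fall-through really is intended, annotate it with the `/* FALL THROUGH */` marker this file already uses.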
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index c65af21..52f7a61 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,6 +447,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
+	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
@@ -509,6 +510,10 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_FSGID:
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
+		case AUDIT_SESSIONID:
+			sessionid = audit_get_sessionid(current);
+			result = audit_comparator(sessionid, f->op, f->val);
+			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
 			break;
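Review bot: `sessionid = audit_get_sessionid(current);` reads the session ID of the calling task, but audit_filter_rules() is evaluating rules against the task passed in as `tsk`, which the neighbouring `AUDIT_PERS` case (`tsk->personality`) and the `cred = rcu_dereference_check(tsk->cred, ...)` lookup above both use; the comparison should be `audit_comparator(audit_get_sessionid(tsk), f->op, f->val)`, which also makes the `sessionid` local introduced in the previous hunk unnecessary.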
-- 
1.7.1


* [PATCH V2 2/2] audit: add AUDIT_SESSIONID_SET support
From: Richard Guy Briggs @ 2016-08-02  9:42 UTC
  To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, sgrubb, pmoore, eparis

Add AUDIT_SESSIONID_SET field to indicate the sessionID is set in
filters rather than depending on an in-band signal to indicate it.

https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
RFE Session ID User Filter

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 include/linux/audit.h      |   10 ++++++++++
 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    3 +++
 kernel/auditsc.c           |    7 ++++---
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d4443f..2392442 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -552,6 +552,16 @@ static inline bool audit_loginuid_set(struct task_struct *tsk)
 	return uid_valid(audit_get_loginuid(tsk));
 }
 
+static inline bool sessionid_valid(unsigned int sessionid)
+{
+	return sessionid != (unsigned int) -1;
+}
+
+static inline bool audit_sessionid_set(struct task_struct *tsk)
+{
+	return sessionid_valid(audit_get_sessionid(tsk));
+}
+
 static inline void audit_log_string(struct audit_buffer *ab, const char *buf)
 {
 	audit_log_n_string(ab, buf, strlen(buf));
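Review bot: `return sessionid != (unsigned int) -1;` in sessionid_valid() hard-codes the "unset" sentinel as a bare cast; give that sentinel a named constant next to the helper so that this check, the kernel code that initialises an unset session ID, and the validation added later in auditfilter.c all refer to the same value instead of repeating `(unsigned int) -1`. The pairing of sessionid_valid() with audit_sessionid_set() otherwise mirrors uid_valid()/audit_loginuid_set() directly above, which is the right shape.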
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index b3140eb..a4048bc 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -253,6 +253,7 @@
 #define AUDIT_OBJ_LEV_HIGH	23
 #define AUDIT_LOGINUID_SET	24
 #define AUDIT_SESSIONID	25	/* Session ID */
+#define AUDIT_SESSIONID_SET	26	/* Session ID set or not */
 
 				/* These are ONLY useful when checking
 				 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 1c60fcf..47eaaba 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -387,6 +387,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
 	case AUDIT_FILTERKEY:
 		break;
 	case AUDIT_LOGINUID_SET:
+	case AUDIT_SESSIONID_SET:
 		if ((f->val != 0) && (f->val != 1))
 			return -EINVAL;
 	/* FALL THROUGH */
@@ -478,6 +479,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 				goto exit_free;
 			break;
 		case AUDIT_SESSIONID:
+			if (!sessionid_valid(f->val))
+				goto exit_free;
 		case AUDIT_ARCH:
 			entry->rule.arch_f = f;
 			break;
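Review bot: after the new `if (!sessionid_valid(f->val)) goto exit_free;` the `case AUDIT_SESSIONID:` still drops through into `case AUDIT_ARCH:` without a `/* FALL THROUGH */` marker, even though this file annotates its intentional fall-throughs (see the AUDIT_LOGINUID_SET case in the previous hunk); add the marker, or better, end the session ID case with its own `break;` so a plain session ID rule no longer populates `entry->rule.arch_f`. Rejecting the unset sentinel here is consistent with the series, since AUDIT_SESSIONID_SET is the intended way to test for an unset session ID.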
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 52f7a61..4df536b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -447,7 +447,6 @@ static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
-	unsigned int sessionid;
 
 	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
@@ -511,8 +510,7 @@ static int audit_filter_rules(struct task_struct *tsk,
 			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
 			break;
 		case AUDIT_SESSIONID:
-			sessionid = audit_get_sessionid(current);
-			result = audit_comparator(sessionid, f->op, f->val);
+			result = audit_comparator(audit_get_sessionid(tsk), f->op, f->val);
 			break;
 		case AUDIT_PERS:
 			result = audit_comparator(tsk->personality, f->op, f->val);
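Review bot: replacing `audit_get_sessionid(current)` with `audit_get_sessionid(tsk)` (and dropping the `sessionid` local in the hunk above) corrects a defect introduced by patch 1/2 of this same series rather than adding AUDIT_SESSIONID_SET support, so it should be folded into 1/2 to keep that patch correct on its own and this one limited to the new field; the resulting one-liner matches the `tsk->personality` comparison below it.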
@@ -614,6 +612,9 @@ static int audit_filter_rules(struct task_struct *tsk,
 		case AUDIT_LOGINUID_SET:
 			result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val);
 			break;
+		case AUDIT_SESSIONID_SET:
+			result = audit_comparator(audit_sessionid_set(tsk), f->op, f->val);
+			break;
 		case AUDIT_SUBJ_USER:
 		case AUDIT_SUBJ_ROLE:
 		case AUDIT_SUBJ_TYPE:
-- 
1.7.1
