[PATCH] audit: add support for session ID user filter

Paul Moore pmoore at redhat.com
Fri May 20 18:25:46 UTC 2016 

On Tuesday, May 10, 2016 10:47:23 PM Richard Guy Briggs wrote:
> Define AUDIT_SESSIONID in the uapi and add support for specifying user
> filters based on the session ID.
> 
> https://github.com/linux-audit/audit-kernel/issues/4
> RFE: add a session ID filter to the kernel's user filter
> 
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> Like loginuid (auid), should this have a seperate field type
> (AUDIT_SESSIONID_UNDEFINED maybe?) to explicitly indicate that this
> value should be undefined rather than depending on an in-band value of
> -1 (or 4294967295)?  If so, now would be the time to fix it.

It seems like that would be a good idea, wouldn't it?  Although instead of 
SESSIONID_UNDEFINED I like SESSIONID_SET a bit more so it is consistent with 
LOGINUID_SET.

> ---
> 
>  include/uapi/linux/audit.h |    1 +
>  kernel/auditfilter.c       |    2 ++
>  kernel/auditsc.c           |    5 +++++
>  3 files changed, 8 insertions(+), 0 deletions(-)
> 
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 843540c..b6feaa7 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -251,6 +251,7 @@
>  #define AUDIT_OBJ_LEV_LOW	22
>  #define AUDIT_OBJ_LEV_HIGH	23
>  #define AUDIT_LOGINUID_SET	24
> +#define AUDIT_SESSIONID	25	/* Session ID */
> 
>  				/* These are ONLY useful when checking
>  				 * at syscall exit time (AUDIT_AT_EXIT). */
> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
> index b8ff9e1..23d076c 100644
> --- a/kernel/auditfilter.c
> +++ b/kernel/auditfilter.c
> @@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry,
> struct audit_field *f) case AUDIT_EXIT:
>  	case AUDIT_SUCCESS:
>  	case AUDIT_INODE:
> +	case AUDIT_SESSIONID:
>  		/* bit ops are only useful on syscall args */
>  		if (f->op == Audit_bitmask || f->op == Audit_bittest)
>  			return -EINVAL;
> @@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct
> audit_rule_data *data, if (!gid_valid(f->gid))
>  				goto exit_free;
>  			break;
> +		case AUDIT_SESSIONID:
>  		case AUDIT_ARCH:
>  			entry->rule.arch_f = f;
>  			break;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index b5daaa0..a82b1d9 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -445,6 +445,7 @@ static int audit_filter_rules(struct task_struct *tsk,
>  	const struct cred *cred;
>  	int i, need_sid = 1;
>  	u32 sid;
> +	unsigned int sessionid;
> 
>  	cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
> 
> @@ -507,6 +508,10 @@ static int audit_filter_rules(struct task_struct *tsk,
>  		case AUDIT_FSGID:
>  			result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
>  			break;
> +		case AUDIT_SESSIONID:
> +			sessionid = audit_get_sessionid(current);
> +			result = audit_comparator(sessionid, f->op, f->val);
> +			break;
>  		case AUDIT_PERS:
>  			result = audit_comparator(tsk->personality, f->op, f->val);
>  			break;

-- 
paul moore
security @ redhat

More information about the Linux-audit mailing list