[PATCH] audit: add support for session ID user filter

Richard Guy Briggs Tue, 10 May 2016 19:49:20 -0700

Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.


https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
Like loginuid (auid), should this have a seperate field type
(AUDIT_SESSIONID_UNDEFINED maybe?) to explicitly indicate that this
value should be undefined rather than depending on an in-band value of
-1 (or 4294967295)?  If so, now would be the time to fix it.
---

 include/uapi/linux/audit.h |    1 +
 kernel/auditfilter.c       |    2 ++
 kernel/auditsc.c           |    5 +++++
 3 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 843540c..b6feaa7 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -251,6 +251,7 @@
 #define AUDIT_OBJ_LEV_LOW      22
 #define AUDIT_OBJ_LEV_HIGH     23
 #define AUDIT_LOGINUID_SET     24
+#define AUDIT_SESSIONID        25      /* Session ID */
 
                                /* These are ONLY useful when checking
                                 * at syscall exit time (AUDIT_AT_EXIT). */
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b8ff9e1..23d076c 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, 
struct audit_field *f)
        case AUDIT_EXIT:
        case AUDIT_SUCCESS:
        case AUDIT_INODE:
+       case AUDIT_SESSIONID:
                /* bit ops are only useful on syscall args */
                if (f->op == Audit_bitmask || f->op == Audit_bittest)
                        return -EINVAL;
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct 
audit_rule_data *data,
                        if (!gid_valid(f->gid))
                                goto exit_free;
                        break;
+               case AUDIT_SESSIONID:
                case AUDIT_ARCH:
                        entry->rule.arch_f = f;
                        break;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index b5daaa0..a82b1d9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -445,6 +445,7 @@ static int audit_filter_rules(struct task_struct *tsk,
        const struct cred *cred;
        int i, need_sid = 1;
        u32 sid;
+       unsigned int sessionid;
 
        cred = rcu_dereference_check(tsk->cred, tsk == current || 
task_creation);
 
@@ -507,6 +508,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                case AUDIT_FSGID:
                        result = audit_gid_comparator(cred->fsgid, f->op, 
f->gid);
                        break;
+               case AUDIT_SESSIONID:
+                       sessionid = audit_get_sessionid(current);
+                       result = audit_comparator(sessionid, f->op, f->val);
+                       break;
                case AUDIT_PERS:
                        result = audit_comparator(tsk->personality, f->op, 
f->val);
                        break;
-- 
1.7.1

[PATCH] audit: add support for session ID user filter

Reply via email to