audit: add support for session ID user filter
authorRichard Guy Briggs <rgb@redhat.com>
Sun, 20 Nov 2016 21:47:55 +0000 (16:47 -0500)
committerPaul Moore <paul@paul-moore.com>
Tue, 29 Nov 2016 20:10:12 +0000 (15:10 -0500)
Define AUDIT_SESSIONID in the uapi and add support for specifying user
filters based on the session ID.  Also add the new session ID filter
to the feature bitmap so userspace knows it is available.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: combine multiple patches from Richard into this one]
Signed-off-by: Paul Moore <paul@paul-moore.com>
include/uapi/linux/audit.h
kernel/auditfilter.c
kernel/auditsc.c

index 82e8aa59446b18cb1cc0dd5c0d79a2fe8454221e..c8dc97bc2c1bb19c71f3422a0df437f63488b2b9 100644 (file)
 #define AUDIT_OBJ_LEV_LOW      22
 #define AUDIT_OBJ_LEV_HIGH     23
 #define AUDIT_LOGINUID_SET     24
+#define AUDIT_SESSIONID        25      /* Session ID */
 
                                /* These are ONLY useful when checking
                                 * at syscall exit time (AUDIT_AT_EXIT). */
@@ -329,9 +330,11 @@ enum {
 #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT     0x00000001
 #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
 #define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH   0x00000004
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER  0x00000010
 #define AUDIT_FEATURE_BITMAP_ALL (AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT | \
                                  AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME | \
-                                 AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH)
+                                 AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH | \
+                                 AUDIT_FEATURE_BITMAP_SESSIONID_FILTER)
 
 /* deprecated: AUDIT_VERSION_* */
 #define AUDIT_VERSION_LATEST           AUDIT_FEATURE_BITMAP_ALL
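Review bot: The new feature bit at line 32 is 0x00000010 while the highest bit defined above it is 0x00000004, so 0x00000008 is skipped with no explanation; presumably it is reserved for another feature in flight, but this is a uapi header, so once published the gap is permanent ABI and deserves a note. A one-line comment next to the new define would do, e.g. `/* 0x00000008 is reserved for <PLACEHOLDER: feature this bit is held for> */`. AUDIT_FEATURE_BITMAP_ALL is correctly extended on lines 36-37, so userspace feature probing will see the new bit.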
index 632e90d1005f741afebeeb9b176aa3e7ff0890e9..880519d6cf2ad00fbb15a23e545a629f580ae6f8 100644 (file)
@@ -363,6 +363,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f)
        case AUDIT_EXIT:
        case AUDIT_SUCCESS:
        case AUDIT_INODE:
+       case AUDIT_SESSIONID:
                /* bit ops are only useful on syscall args */
                if (f->op == Audit_bitmask || f->op == Audit_bittest)
                        return -EINVAL;
@@ -476,6 +477,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                        if (!gid_valid(f->gid))
                                goto exit_free;
                        break;
+               case AUDIT_SESSIONID:
                case AUDIT_ARCH:
                        entry->rule.arch_f = f;
                        break;
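Review bot: The new `case AUDIT_SESSIONID:` on line 54 falls through into the AUDIT_ARCH arm, so a session-ID field is stored in `entry->rule.arch_f`, a member whose name (and, as far as I can tell, its users elsewhere in auditfilter.c, which classify `arch_f->val` as a syscall architecture) reserves it for the AUDIT_ARCH field. A rule that carries a session-ID field and no arch field would then look like it names an architecture equal to the session ID, and a rule carrying both would keep whichever field is parsed last. If the intent is only that AUDIT_SESSIONID needs no per-field setup here, give it its own arm before AUDIT_ARCH: `case AUDIT_SESSIONID:` followed by `break;`. audit_data_to_entry starts and ends outside the hunk, so I cannot see whether an unlisted field would otherwise be rejected.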
index d161b17ce8cef04029c211b2f29f8e188643f8a4..f78cb1b3fa7432f405bb85c76ec19188d819c325 100644 (file)
@@ -446,6 +446,7 @@ static int audit_filter_rules(struct task_struct *tsk,
        const struct cred *cred;
        int i, need_sid = 1;
        u32 sid;
+       unsigned int sessionid;
 
        cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
 
@@ -508,6 +509,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                case AUDIT_FSGID:
                        result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
                        break;
+               case AUDIT_SESSIONID:
+                       sessionid = audit_get_sessionid(current);
+                       result = audit_comparator(sessionid, f->op, f->val);
+                       break;
                case AUDIT_PERS:
                        result = audit_comparator(tsk->personality, f->op, f->val);
                        break;
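Review bot: `audit_get_sessionid(current)` on line 72 reads the session ID of the calling task, while every other comparison in this switch is evaluated against `tsk` (the cred on line 65 comes from `tsk->cred`, and line 76 uses `tsk->personality`). The `rcu_dereference_check(..., tsk == current || task_creation)` on line 65 shows the function is expected to run with tsk != current on the task-creation path, and there this filter would compare the creator's session ID rather than that of the task being audited. The lookup should be `sessionid = audit_get_sessionid(tsk);`. Minor: `sessionid` could be declared inside the case arm instead of at function scope on line 63, since that is its only use; audit_filter_rules starts and ends outside the hunk.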