Add AUDIT_SESSIONID_SET field to indicate the sessionID is set in filters rather than depending on an in-band signal to indicate it.
https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter RFE Session ID User Filter https://github.com/linux-audit/audit-kernel/issues/4 RFE: add a session ID filter to the kernel's user filter Signed-off-by: Richard Guy Briggs <[email protected]> --- include/linux/audit.h | 10 ++++++++++ include/uapi/linux/audit.h | 1 + kernel/auditfilter.c | 3 +++ kernel/auditsc.c | 7 ++++--- 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 9d4443f..2392442 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -552,6 +552,16 @@ static inline bool audit_loginuid_set(struct task_struct *tsk) return uid_valid(audit_get_loginuid(tsk)); } +static inline bool sessionid_valid(unsigned int sessionid) +{ + return sessionid != (unsigned int) -1; +} + +static inline bool audit_sessionid_set(struct task_struct *tsk) +{ + return sessionid_valid(audit_get_sessionid(tsk)); +} + static inline void audit_log_string(struct audit_buffer *ab, const char *buf) { audit_log_n_string(ab, buf, strlen(buf)); diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index b3140eb..a4048bc 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -253,6 +253,7 @@ #define AUDIT_OBJ_LEV_HIGH 23 #define AUDIT_LOGINUID_SET 24 #define AUDIT_SESSIONID 25 /* Session ID */ +#define AUDIT_SESSIONID_SET 26 /* Session ID set or not */ /* These are ONLY useful when checking * at syscall exit time (AUDIT_AT_EXIT). */ diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 1c60fcf..47eaaba 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -387,6 +387,7 @@ static int audit_field_valid(struct audit_entry *entry, struct audit_field *f) case AUDIT_FILTERKEY: break; case AUDIT_LOGINUID_SET: + case AUDIT_SESSIONID_SET: if ((f->val != 0) && (f->val != 1)) return -EINVAL; /* FALL THROUGH */ @@ -478,6 +479,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, goto exit_free; break; case AUDIT_SESSIONID: + if (!sessionid_valid(f->val)) + goto exit_free; case AUDIT_ARCH: entry->rule.arch_f = f; break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 52f7a61..4df536b 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -447,7 +447,6 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; - unsigned int sessionid; cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation); @@ -511,8 +510,7 @@ static int audit_filter_rules(struct task_struct *tsk, result = audit_gid_comparator(cred->fsgid, f->op, f->gid); break; case AUDIT_SESSIONID: - sessionid = audit_get_sessionid(current); - result = audit_comparator(sessionid, f->op, f->val); + result = audit_comparator(audit_get_sessionid(tsk), f->op, f->val); break; case AUDIT_PERS: result = audit_comparator(tsk->personality, f->op, f->val); @@ -614,6 +612,9 @@ static int audit_filter_rules(struct task_struct *tsk, case AUDIT_LOGINUID_SET: result = audit_comparator(audit_loginuid_set(tsk), f->op, f->val); break; + case AUDIT_SESSIONID_SET: + result = audit_comparator(audit_sessionid_set(tsk), f->op, f->val); + break; case AUDIT_SUBJ_USER: case AUDIT_SUBJ_ROLE: case AUDIT_SUBJ_TYPE: -- 1.7.1
