Re: [PATCH V3 0/3] Add support for session ID user filtering

From: Paul Moore
Date: Fri Aug 19 2016 - 15:09:46 EST


On Thu, Aug 18, 2016 at 7:53 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, Aug 18, 2016 at 1:43 PM, Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
>> https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
>> RFE Session ID User Filter
>>
>> https://github.com/linux-audit/audit-kernel/issues/4
>> RFE: add a session ID filter to the kernel's user filter
>>
>> See also the set of userspace support patches:
>> Add support for sessionid user filters, sessionid_set and loginuid_set
>> https://www.redhat.com/archives/linux-audit/2016-August/msg00005.html
>> (userspace update expected to be posted 2016-08-18)
>> and the test case:
>> https://github.com/rgbriggs/audit-testsuite/tree/ghak4-test-for-sessionID-user-filter
>>
>> This third patch is expected to have a merge conflict with:
>> "audit: add exclude filter extension to feature bitmap"
>> posted on 2016-08-18.
>>
>> Richard Guy Briggs (3):
>> audit: add support for session ID user filter
>> audit: add AUDIT_SESSIONID_SET support
>> audit: add sessionid filter extension to feature bitmap
>>
>> include/linux/audit.h | 10 ++++++++++
>> include/uapi/linux/audit.h | 6 +++++-
>> kernel/auditfilter.c | 5 +++++
>> kernel/auditsc.c | 6 ++++++
>> 4 files changed, 26 insertions(+), 1 deletions(-)
>
> These patches look fine to me; the only comment I have is that these
> should probably be combined into a single patch to avoid
> cherry-picking of individual pieces, e.g. skipping the feature bitmap
> or AUDIT_SESSION_SET support. I can do that when I merge the patches,
> no need to resend unless you really want to ...
>
> However, the bigger issue is coordination with the userspace patches.
> I really don't like merging kernel patches until Steve OK's the
> corresponding userspace patches.

I went ahead and squashed the patches into one and merged it into the
audit#working-session_filter-v3 branch. Take a look and if anything
looks awry let me know.

I'm also going to start including this patch/branch in my
pcmoore/kernel-secnext Copr builds so it is easier for you/sgrubb to
test the userspace support; once Steve OK's the userspace code I'll
merge this patch(set) into audit#next properly.

* https://github.com/linux-audit/audit-kernel/issues/4
* https://copr.fedorainfracloud.org/coprs/pcmoore/kernel-secnext

--
paul moore
www.paul-moore.com