In libaudit, add support for rules using sessionid

git-svn-id: http://svn.fedorahosted.org/svn/audit/trunk@1407 03a675c2-f56d-4096-908f-63dba836b7e4

Author: sgrubb

ChangeLog

@@ -7,6 +7,7 @@
 - In libaudit, allow filtering on new exclude filter fields (Richard Guy Briggs)
 - In auditd, fix looping when checking active connections
 - In auparse, the auparse_state_t pointer to keep escape_mode information
+- In libaudit, add support for rules using sessionid (Richard Guy Briggs)
 
 2.6.7
 - Non-active log files should be read only

TODO

@@ -1,13 +1,13 @@
 Things that need to be done:
 ===========================
 2.7
-* Fix audit.pc.in to use Requires.private
 * Add sockaddr accessor functions in auparse
-* Add a realpath variant accessor that resolves whole path
+* Add ability to suppress types of records (drop_records)
 * Add metadata in auparse for subj,obj,action,results
 * Formats for ausearch output
 * Selectable escaping for ausearch/report output
-* Add ability to suppress types of records (drop_records)
+* Fix audit.pc.in to use Requires.private
+* Add a realpath variant accessor that resolves whole path
 
 2.7.1
 * Look at pulling audispd into auditd

lib/errormsg.h

@@ -66,5 +66,6 @@ static const struct msg_tab err_msgtab[] = {
     { -28,    2,    "Too many fields in rule:" },
     { -29,    1,    "only takes = operator" },
     { -30,    2,    "Field option not supported by kernel:" },
+    { -31,    1,    "must be used with exclude, user, or exit filter" },
 };
 #endif

lib/fieldtab.h

@@ -1,5 +1,5 @@
 /* fieldtab.h --
- * Copyright 2005-07 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2005-07,2015-16 Red Hat Inc., Durham, North Carolina.
  * All Rights Reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -45,6 +45,7 @@ _S(AUDIT_OBJ_ROLE,     "obj_role"     )
 _S(AUDIT_OBJ_TYPE,     "obj_type"     )
 _S(AUDIT_OBJ_LEV_LOW,  "obj_lev_low"  )
 _S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" )
+_S(AUDIT_SESSIONID,    "sessionid"    )
 
 _S(AUDIT_DEVMAJOR,     "devmajor"     )
 _S(AUDIT_DEVMINOR,     "devminor"     )

lib/libaudit.c

@@ -1648,6 +1648,26 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
 			else 
 				return -21;
 			break;
+		case AUDIT_SESSIONID:
+			if ((audit_get_features() &
+				AUDIT_FEATURE_BITMAP_SESSIONID_FILTER) == 0)
+				return -30;
+			if (flags != AUDIT_FILTER_EXCLUDE &&
+			    flags != AUDIT_FILTER_USER &&
+			    flags != AUDIT_FILTER_EXIT)
+				return -31;
+			// Do positive & negative separate for 32 bit systems
+			vlen = strlen(v);
+			if (isdigit((char)*(v))) 
+				rule->values[rule->field_count] = 
+					strtoul(v, NULL, 0);
+			else if (vlen >= 2 && *(v)=='-' &&
+						(isdigit((char)*(v+1))))
+				rule->values[rule->field_count] =
+					strtol(v, NULL, 0);
+			else if (strcmp(v, "unset") == 0)
+				rule->values[rule->field_count] = 4294967295;
+			break;
 		case AUDIT_DEVMAJOR...AUDIT_INODE:
 		case AUDIT_SUCCESS:
 			if (flags != AUDIT_FILTER_EXIT)

lib/libaudit.h

@@ -281,6 +281,9 @@ extern "C" {
 #ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
 #define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND     0x00000008
 #endif
+#ifndef AUDIT_FEATURE_BITMAP_SESSIONID_FILTER
+#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER   0x00000010
+#endif
 
 /* Defines for interfield comparison update */
 #ifndef AUDIT_OBJ_UID
@@ -296,6 +299,10 @@ extern "C" {
 #define AUDIT_EXE 112
 #endif
 
+#ifndef AUDIT_SESSIONID
+#define AUDIT_SESSIONID 25
+#endif
+
 #ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
 #define AUDIT_COMPARE_UID_TO_OBJ_UID   1
 #endif