Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set

On Tuesday, August 2, 2016 9:25:44 AM EDT Steve Grubb wrote: > On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote: > > On 2016-08-02 08:16, Steve Grubb wrote: > > > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote: > > > > Add support for sessionid, sessionid_set (first two patches) and > > > > loginuid_set (and auid_set) (third patch) in user filters. The first > > > > > > > > two are directly related to issue "ghak4": > > > > https://github.com/linux-audit/audit-kernel/issues/4 > > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-> > > > > > > User-Filter > > > > > > > > The third is to support a kernel change from 3.10 and 3.19 to avoid > > > > using in-band values to indicate the loginuid is unset. > > > > > > Have the above three patches been tested on old kernels? > > > > Not yet. How do you usually add new features to userspace to guard > > against missing features from old kernels? Time to add a bit to the > > kenrel audit status feature field? > > Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is > wrong with the rule. Before you get too far...I just looked at the support being added in the first three patches. There is no code changing auditctl. Is there something missing?

-Steve