Re: [PATCH] Audit filter rule operators (2/2)
Dustin,
Thanks for this patch!
On Friday 21 October 2005 19:24, Dustin Kirkland wrote:
This patch defines the bitmask values of each of the 6 comparators
(and
includes a nice documentation chart explaning how they were chosen).
We need to go ahead and take the next 2 upper bits in the same patch and save
those for future use. For now, if those bits are set, the kernel should
reject the rule. To support this, we also need some code added to
audit_add_rule to check that the operators is something the kernel
understands.
I didn't add audit_comparator() to audit.h... Should I? Might
this be
used elsewhere in the audit system?
Not unless you use it somewhere. Keep it local until the need arise to prevent
name collisions.
diff -urpbBN linux-2.6.14-rc4/kernel/auditsc.c
linux-2.6.14-rc4-audit_ops/kernel/auditsc.c ---
linux-2.6.14-rc4/kernel/auditsc.c 2005-10-19 09:40:29.000000000 -0500 +++
linux-2.6.14-rc4-audit_ops/kernel/auditsc.c 2005-10-21 18:08:32.000000000
-0500 @@ -385,6 +385,36 @@ int audit_receive_filter(int type, int p
return err;
}
+static int audit_comparator(const u32 left, const u32 operator, const u32
right) +{
<snip>
+ if ( operator & AUDIT_NEGATE )
+ return !rc;
+ else
+ return rc;
+}
Does this make sense? What does !< mean? I think AUDIT_NEGATE only makes sense
in relation to AUDIT_EQUAL. It should be moved to that case if not eliminated
outright.
Thanks,
-Steve