On Thu, Dec 15, 2005 at 02:34:32PM -0600, Dustin Kirkland wrote:
On Thu, 2005-12-15 at 10:40 -0500, Amy Griffis wrote:
> 1) struct audit_rule_xprt
>
> Introducing a new data structure for specifying audit rules via
> netlink provides a good opportunity to revisit the data structure
> design and determine if we want to make any other changes, e.g.
> adding a structure version field, reserving fields, etc. At
> present, I've only added the empty buf[] array.
nit: It also adds a buflen integer field.

You touch on this a bit later... Ideally, I think it would be nice not
to bitmask into the upper bits of each field[] entry. I would prefer
another integer array fieldflags[] where things such as the
audit_operator and whatever else might live. That would give us a full
32 bits to mask against per field, and not cut into the total bits
available for field[] values.

How about this?

	struct audit_rule_xprt {
		__u32 flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
		__u32 action;	/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
		__u32 field_count;
		__u32 mask[AUDIT_BITMASK_SIZE];
		__u32 fields[AUDIT_MAX_FIELDS];
		__u32 values[AUDIT_MAX_FIELDS];
		__u32 fieldflags[AUDIT_MAX_FIELDS];	/* per-field flags, e.g. audit_operator */
		__u32 version;	/* data structure version */
		__u32 pad[4];	/* reserved for future use */
		__u32 buflen;	/* total length of string fields */
		char buf[0];	/* string fields buffer */
	};

In addition to the fields needed for passing strings, I added a
per-field flags array, version, and padding for future fields.
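
Added example, not part of the original thread and not the kernel's code: a receiver-side consistency check for the structure proposed above, showing why buflen must be tied to the received payload length before buf[] is read. Assumptions: the per-field array is named fieldflags (Dustin's name, since a C struct cannot have two members called flags), XPRT_F_STRING is a hypothetical flag marking a string field, values[i] holds that string's length in buf, and the two size constants are defined locally.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUDIT_BITMASK_SIZE 64   /* defined locally so the example builds alone */
#define AUDIT_MAX_FIELDS   64
#define XPRT_F_STRING      0x1u /* hypothetical: values[i] is a string length */

struct audit_rule_xprt {
	uint32_t flags;
	uint32_t action;
	uint32_t field_count;
	uint32_t mask[AUDIT_BITMASK_SIZE];
	uint32_t fields[AUDIT_MAX_FIELDS];
	uint32_t values[AUDIT_MAX_FIELDS];
	uint32_t fieldflags[AUDIT_MAX_FIELDS];
	uint32_t version;
	uint32_t pad[4];
	uint32_t buflen;        /* total length of string fields */
	char buf[];             /* string fields buffer */
};

/* Returns 0 if the received payload is self-consistent, -1 otherwise. */
int xprt_validate(const void *payload, size_t len)
{
	struct audit_rule_xprt hdr;
	const size_t hdrlen = offsetof(struct audit_rule_xprt, buf);
	size_t remain;

	if (len < hdrlen)                       /* fixed part must be complete */
		return -1;
	memcpy(&hdr, payload, hdrlen);          /* payload may be unaligned */
	if (hdr.field_count > AUDIT_MAX_FIELDS) /* bound the loop below */
		return -1;
	if (hdr.buflen != len - hdrlen)         /* sender's claim vs. bytes received */
		return -1;
	remain = hdr.buflen;
	for (uint32_t i = 0; i < hdr.field_count; i++) {
		if (!(hdr.fieldflags[i] & XPRT_F_STRING))
			continue;
		if (hdr.values[i] > remain)     /* string would run past buf */
			return -1;
		remain -= hdr.values[i];
	}
	return remain == 0 ? 0 : -1;            /* no unaccounted trailing bytes */
}
```

The comparison is written as `buflen != len - hdrlen` after the `len < hdrlen` test so that no addition on the sender-controlled buflen can wrap.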