Re: [PATCH] Audit filter rule operators (2/2)
On Friday 21 October 2005 18:24, Dustin Kirkland wrote:
This is the kernel space component of this patch.
This patch defines the bitmask values of each of the 6 comparators (and
includes a nice documentation chart explaning how they were chosen).
It also adds a new function, audit_comparator(left, op, right). This
function will perform the specified comparison (op, which defaults to
"==" for backward compatibility) between two values (left and right).
If the negate bit is on, it will negate whatever that result was. This
value is returned.
I just have one nit/comment below, Dustin.
<snip>
diff -urpbBN linux-2.6.14-rc4/include/linux/audit.h
linux-2.6.14-rc4-audit_ops/include/linux/audit.h
--- linux-2.6.14-rc4/include/linux/audit.h 2005-10-19 09:40:27.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops/include/linux/audit.h 2005-10-21 18:05:43.000000000 -0500
@@ -128,8 +128,29 @@
#define AUDIT_ARG2 (AUDIT_ARG0+2)
#define AUDIT_ARG3 (AUDIT_ARG0+3)
-#define AUDIT_NEGATE 0x80000000
+/* These are the supported operators.
+ 4 2 1
+ > < =
+ -------
+ 0 0 0 0 undef
+ 0 0 1 1 =
+ 0 1 0 2 <
+ 0 1 1 3 <=
+ 1 0 0 4 >
+ 1 0 1 5 >=
+ 1 1 0 6 !=
+ 1 1 1 7 range
+ */
+#define AUDIT_OPERATORS 0xF0000000
+#define AUDIT_EQUAL 0x10000000
+#define AUDIT_LESS_THAN 0x20000000
+#define AUDIT_LESS_THAN_OR_EQUAL 0x30000000
+#define AUDIT_GREATER_THAN 0x40000000
+#define AUDIT_GREATER_THAN_OR_EQUAL 0x50000000
+#define AUDIT_NOT_EQUAL 0x60000000
+#define AUDIT_RANGE 0x70000000
+#define AUDIT_NEGATE 0x80000000
/* Status symbols */
/* Mask values */
diff -urpbBN linux-2.6.14-rc4/kernel/auditsc.c
linux-2.6.14-rc4-audit_ops/kernel/auditsc.c
--- linux-2.6.14-rc4/kernel/auditsc.c 2005-10-19 09:40:29.000000000 -0500
+++ linux-2.6.14-rc4-audit_ops/kernel/auditsc.c 2005-10-21 18:08:32.000000000 -0500
@@ -385,6 +385,36 @@ int audit_receive_filter(int type, int p
return err;
}
+static int audit_comparator(const u32 left, const u32 operator, const u32 right)
+{
+ int rc;
+ switch (operator) {
+ case AUDIT_LESS_THAN:
+ rc = (left < right);
+ break;
+ case AUDIT_LESS_THAN_OR_EQUAL:
+ rc = (left <= right);
+ break;
+ case AUDIT_GREATER_THAN:
+ rc = (left > right);
+ break;
+ case AUDIT_GREATER_THAN_OR_EQUAL:
+ rc = (left >= right);
+ break;
+ case AUDIT_NOT_EQUAL:
+ rc = (left != right);
+ break;
+ case AUDIT_EQUAL:
+ default:
+ rc = (left == right);
+ break;
+ }
Do we really want to default undefined operations to AUDIT_EQUAL. I'd expect an
error.
-tim