Re: [RFC][PATCH] new audit rule interface

On Thu, Dec 15, 2005 at 02:34:32PM -0600, Dustin Kirkland wrote: > You touch on this a bit later... Ideally, I think it would be nice not > to bitmask into the upper bits of each field[] entry. I would prefer > another integer array fieldflags[] where things such as the > audit_operator and whatever else might live. That would give us a full > 32 bits to mask against per field, and not cut into the total bits > available for field[] values. How about this? struct audit_rule_xprt { __u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */ __u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */ __u32 field_count; __u32 mask[AUDIT_BITMASK_SIZE]; __u32 fields[AUDIT_MAX_FIELDS]; __u32 values[AUDIT_MAX_FIELDS]; __u32 flags[AUDIT_MAX_FIELDS]; __u32 version; /* data structure version */ __u32 pad[4]; /* reserved for future use */ __u32 buflen; /* total length of string fields */ char buf[0]; /* string fields buffer */ }; In addition to the fields needed for passing strings, I added a per-field flags array, version, and padding for future fields.