[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] new audit rule interface

On Thu, Dec 15, 2005 at 02:34:32PM -0600, Dustin Kirkland wrote:
> On Thu, 2005-12-15 at 10:40 -0500, Amy Griffis wrote: 
> > 1) struct audit_rule_xprt
> > 
> >     Introducing a new data structure for specifying audit rules via
> >     netlink provides a good opportunity to revisit the data structure
> >     design and determine if we want to make any other changes, e.g.
> >     adding a structure version field, reserving fields, etc.  At
> >     present, I've only added the empty buf[] array.
> nit: It also adds a buflen integer field.
> You touch on this a bit later...  Ideally, I think it would be nice not
> to bitmask into the upper bits of each field[] entry.  I would prefer
> another integer array fieldflags[] where things such as the
> audit_operator and whatever else might live.  That would give us a full
> 32 bits to mask against per field, and not cut into the total bits
> available for field[] values.

How about this?

struct audit_rule_xprt {
	__u32		flags;	/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
	__u32		field_count;
	__u32		mask[AUDIT_BITMASK_SIZE];
	__u32		fields[AUDIT_MAX_FIELDS];
	__u32		values[AUDIT_MAX_FIELDS];
	__u32		flags[AUDIT_MAX_FIELDS];
	__u32		version; /* data structure version */
	__u32		pad[4];	 /* reserved for future use */
	__u32		buflen;	 /* total length of string fields */
	char		buf[0];  /* string fields buffer */

In addition to the fields needed for passing strings, I added a
per-field flags array, version, and padding for future fields.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]