[PATCH] Audit filter rule operators (2/2)
Steve Grubb
sgrubb at redhat.com
Mon Oct 24 12:41:48 UTC 2005
Dustin,
Thanks for this patch!
On Friday 21 October 2005 19:24, Dustin Kirkland wrote:
> This patch defines the bitmask values of each of the 6 comparators (and
> includes a nice documentation chart explaining how they were chosen).
We need to go ahead and take the next 2 upper bits in the same patch and save
those for future use. For now, if those bits are set, the kernel should
reject the rule. To support this, we also need some code added to
audit_add_rule to check that the operator is something the kernel
understands.
> I didn't add audit_comparator() to audit.h... Should I? Might this be
> used elsewhere in the audit system?
Not unless you use it somewhere. Keep it local until the need arises to prevent
name collisions.
> diff -urpbBN linux-2.6.14-rc4/kernel/auditsc.c
> linux-2.6.14-rc4-audit_ops/kernel/auditsc.c ---
> linux-2.6.14-rc4/kernel/auditsc.c 2005-10-19 09:40:29.000000000 -0500 +++
> linux-2.6.14-rc4-audit_ops/kernel/auditsc.c 2005-10-21 18:08:32.000000000
> -0500 @@ -385,6 +385,36 @@ int audit_receive_filter(int type, int p
> return err;
> }
>
> +static int audit_comparator(const u32 left, const u32 operator, const u32
> right) +{
<snip>
> + if ( operator & AUDIT_NEGATE )
> + return !rc;
> + else
> + return rc;
> +}
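Review bot: audit_comparator() is introduced with no comment above its signature saying what the return value means or which operator bits it accepts, and the closing `if ( operator & AUDIT_NEGATE )` test applies the negation to rc whichever comparator produced it. Document the accepted operator values at the function, and either tie the negate bit to the comparators where it has a defined meaning or have rule insertion reject the other combinations. On style, kernel convention is `if (operator & AUDIT_NEGATE)` with no spaces inside the parentheses, and the if/else can collapse into a single return.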
Does this make sense? What does !< mean? I think AUDIT_NEGATE only makes sense
in relation to AUDIT_EQUAL. It should be moved to that case if not eliminated
outright.
Thanks,
-Steve
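
The two requests in the reply above (reject rules with reserved or unknown operator bits, and accept negation only with equality) can be sketched as a rule-insertion check. This is an added example, not code from the patch or the kernel: every `EX_`/`ex_` name and every bit value is hypothetical, and the low bits are assumed to hold the field id.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bit layout, constructed for this example; the patch's real
 * values are not shown in the message. Low bits are assumed to hold the
 * field id. */
#define EX_OP_NEGATE   0x80000000u
#define EX_OP_EQ       0x40000000u
#define EX_OP_GT       0x20000000u
#define EX_OP_LT       0x10000000u
#define EX_OP_RESERVED 0x0C000000u /* next two upper bits, kept for future use */
#define EX_OP_CMP      (EX_OP_EQ | EX_OP_GT | EX_OP_LT)
#define EX_OP_NE       (EX_OP_LT | EX_OP_GT)
#define EX_OP_LE       (EX_OP_LT | EX_OP_EQ)

/* Rule-insertion check: 0 if the operator bits are understood, else -EINVAL. */
static int ex_check_operator(uint32_t field)
{
	uint32_t cmp = field & EX_OP_CMP;

	if (field & EX_OP_RESERVED)
		return -EINVAL;	/* reserved bits must be clear */
	if (cmp == 0 || cmp == EX_OP_CMP)
		return -EINVAL;	/* no comparator, or one that is always true */
	if ((field & EX_OP_NEGATE) && cmp != EX_OP_EQ)
		return -EINVAL;	/* negation only accepted with plain equality */
	return 0;
}

/* Comparison on an operator that already passed ex_check_operator(). */
static int ex_compare(uint32_t left, uint32_t op, uint32_t right)
{
	int rc = ((op & EX_OP_LT) && left < right) ||
		 ((op & EX_OP_GT) && left > right) ||
		 ((op & EX_OP_EQ) && left == right);

	return (op & EX_OP_NEGATE) ? !rc : rc;
}

int main(void)
{
	printf("EQ ok: %d\n", ex_check_operator(EX_OP_EQ | 5u));
	printf("reserved bit: %d\n", ex_check_operator(EX_OP_EQ | 0x08000000u));
	printf("negated LT: %d\n", ex_check_operator(EX_OP_NEGATE | EX_OP_LT));
	printf("3 <= 3: %d\n", ex_compare(3, EX_OP_LE, 3));
	return 0;
}
```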