[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH] Audit filter rule operators (2/2)



Dustin,

Thanks for this patch!

On Friday 21 October 2005 19:24, Dustin Kirkland wrote:
> This patch defines the bitmask values of each of the 6 comparators (and
> includes a nice documentation chart explaning how they were chosen).

We need to go ahead and take the next 2 upper bits in the same patch and save 
those for future use. For now, if those bits are set, the kernel should 
reject the rule. To support this, we also need some code added to 
audit_add_rule to check that the operators is something the kernel 
understands.

> I didn't add audit_comparator() to audit.h...  Should I?  Might this be
> used elsewhere in the audit system?

Not unless you use it somewhere. Keep it local until the need arise to prevent 
name collisions.

> diff -urpbBN linux-2.6.14-rc4/kernel/auditsc.c
> linux-2.6.14-rc4-audit_ops/kernel/auditsc.c ---
> linux-2.6.14-rc4/kernel/auditsc.c   2005-10-19 09:40:29.000000000 -0500 +++
> linux-2.6.14-rc4-audit_ops/kernel/auditsc.c 2005-10-21 18:08:32.000000000
> -0500 @@ -385,6 +385,36 @@ int audit_receive_filter(int type, int p
>         return err;
>  }
>  
> +static int audit_comparator(const u32 left, const u32 operator, const u32
> right) +{
<snip>
> +       if ( operator & AUDIT_NEGATE )
> +               return !rc;
> +       else
> +               return rc;
> +}

Does this make sense? What does !< mean? I think AUDIT_NEGATE only makes sense 
in relation to AUDIT_EQUAL. It should be moved to that case if not eliminated 
outright.

Thanks,
-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]