New operators for rules

Steve Grubb sgrubb at redhat.com
Wed Sep 28 20:47:12 UTC 2005


Hello,

Dustin and I were talking about how to represent some new operators for 
writing audit rules. I am interested in seeing >, <, and range added at a 
minimum. The question came up as to how to fit this into the existing 
audit_rule structure. This is what we currently have:

struct audit_rule {          /* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
      __u32           flags;  /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
      __u32           action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
      __u32           field_count;
      __u32           mask[AUDIT_BITMASK_SIZE];
      __u32           fields[AUDIT_MAX_FIELDS];
      __u32           values[AUDIT_MAX_FIELDS];
};


The fields member currently uses the msb to determine whether it's = or !=.

#define AUDIT_NEGATE    0x80000000

I was wondering if we should go ahead and map the other operators into the 
other high bits. We are currently only using the lower 4 bits of the u32 word 
so we have plenty of room. We have to do this in a way that is backward 
compatible for old kernels. Any ideas? Any preferred bit patterns?

Also, we have the issue of needing to send 2 values for a range operator. How 
should we make the kernel understand this? Or should we create a new message 
type for adding, listing, and deleting rules that we can expand the idea of 
operators for and use the current one for legacy compatibility?

Need some ideas from the kernel hackers....

-Steve
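One way to sketch the bit-packing being discussed, as an added example that is not from the post or from the kernel: AUDIT_NEGATE is the value quoted above, while the operator bits, the low-bit field mask and the "range uses two consecutive values[] slots" convention are assumptions chosen for this illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* From the post: the msb of a field word means "!=". */
#define AUDIT_NEGATE  0x80000000u
/* Assumed for this example only (not kernel constants): two operator bits
 * just below AUDIT_NEGATE, field number kept in the low bits. */
#define OP_SHIFT      29
#define OP_MASK       (0x3u << OP_SHIFT)
#define OP_EQ         (0x0u << OP_SHIFT)   /* no op bits: legacy "=" */
#define OP_GT         (0x1u << OP_SHIFT)
#define OP_LT         (0x2u << OP_SHIFT)
#define OP_RANGE      (0x3u << OP_SHIFT)   /* consumes two values[] slots */
#define FIELD_MASK    0x0000ffffu          /* assumed field-number bits */

/* Pack field number, operator and negate flag into one u32 word. */
static inline uint32_t field_encode(uint32_t field, uint32_t op, bool negate)
{
    return (field & FIELD_MASK) | (op & OP_MASK) | (negate ? AUDIT_NEGATE : 0);
}

static inline uint32_t field_number(uint32_t w)  { return w & FIELD_MASK; }
static inline uint32_t field_op(uint32_t w)      { return w & OP_MASK; }
static inline bool     field_negated(uint32_t w) { return (w & AUDIT_NEGATE) != 0; }

/* Number of values[] slots a rule slot occupies (range needs low and high). */
static inline int field_slots(uint32_t w)
{
    return field_op(w) == OP_RANGE ? 2 : 1;
}

/* A legacy word carries nothing above the field number except AUDIT_NEGATE;
 * any operator bit set means an old kernel cannot interpret it as "=" or "!=". */
static inline bool field_is_legacy(uint32_t w)
{
    return (w & ~(FIELD_MASK | AUDIT_NEGATE)) == 0;
}

/* Evaluate one rule slot: values points at its first values[] entry,
 * values[1] is the upper bound for OP_RANGE. AUDIT_NEGATE inverts the result. */
static bool field_match(uint32_t w, const uint32_t *values, uint32_t observed)
{
    bool r;
    switch (field_op(w)) {
    case OP_GT:    r = observed > values[0]; break;
    case OP_LT:    r = observed < values[0]; break;
    case OP_RANGE: r = observed >= values[0] && observed <= values[1]; break;
    default:       r = observed == values[0]; break;   /* OP_EQ / legacy */
    }
    return field_negated(w) ? !r : r;
}
```

A word with the operator bits clear decodes exactly as today (= or, with AUDIT_NEGATE, !=), and field_is_legacy() lets userspace refuse to send a new-operator rule to a kernel that only understands the msb.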
