[RFC][PATCH] new audit rule interface
Amy Griffis
amy.griffis at hp.com
Mon Dec 19 16:41:23 UTC 2005
On Thu, Dec 15, 2005 at 02:34:32PM -0600, Dustin Kirkland wrote:
> On Thu, 2005-12-15 at 10:40 -0500, Amy Griffis wrote:
> > 1) struct audit_rule_xprt
> >
> > Introducing a new data structure for specifying audit rules via
> > netlink provides a good opportunity to revisit the data structure
> > design and determine if we want to make any other changes, e.g.
> > adding a structure version field, reserving fields, etc. At
> > present, I've only added the empty buf[] array.
>
> nit: It also adds a buflen integer field.
>
> You touch on this a bit later... Ideally, I think it would be nice not
> to bitmask into the upper bits of each field[] entry. I would prefer
> another integer array fieldflags[] where things such as the
> audit_operator and whatever else might live. That would give us a full
> 32 bits to mask against per field, and not cut into the total bits
> available for field[] values.
How about this?
struct audit_rule_xprt {
__u32 flags; /* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
__u32 action; /* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
__u32 field_count;
__u32 mask[AUDIT_BITMASK_SIZE];
__u32 fields[AUDIT_MAX_FIELDS];
__u32 values[AUDIT_MAX_FIELDS];
__u32 flags[AUDIT_MAX_FIELDS];
__u32 version; /* data structure version */
__u32 pad[4]; /* reserved for future use */
__u32 buflen; /* total length of string fields */
char buf[0]; /* string fields buffer */
};
In addition to the fields needed for passing strings, I added a
per-field flags array, version, and padding for future fields.
More information about the Linux-audit
mailing list