[PATCH] allow audit filtering on bit & operations

 * are currently used in an audit field constant understood by the kernel.

 * If you are adding a new #define AUDIT_<whatever>, please ensure that

 * AUDIT_UNUSED_BITS is updated if need be. */

#define AUDIT_UNUSED_BITS	0x0FFFFC00

#define AUDIT_UNUSED_BITS	0x07FFFC00

/* Rule fields */

#define AUDIT_NEGATE			0x80000000

/* These are the supported operators.

 *	4  2  1

 *	=  >  <

 *	-------

 *	0  0  0		0	nonsense

 *	0  0  1		1	<

 *	0  1  0		2	>

 *	0  1  1		3	!=

 *	1  0  0		4	=

 *	1  0  1		5	<=

 *	1  1  0		6	>=

 *	1  1  1		7	all operators

 *	4  2  1  8

 *	=  >  <  ?

 *	----------

 *	0  0  0	 0	00	nonsense

 *	0  0  0	 1	08	&  bit mask

 *	0  0  1	 0	10	<

 *	0  1  0	 0	20	>

 *	0  1  1	 0	30	!=

 *	1  0  0	 0	40	=

 *	1  0  0	 1	48	&=  bit test

 *	1  0  1	 0	50	<=

 *	1  1  0	 0	60	>=

 *	1  1  1	 1	78	all operators

 */

#define AUDIT_BIT_MASK			0x08000000

#define AUDIT_LESS_THAN			0x10000000

#define AUDIT_GREATER_THAN		0x20000000

#define AUDIT_NOT_EQUAL			0x30000000

#define AUDIT_EQUAL			0x40000000

#define AUDIT_BIT_TEST			(AUDIT_BIT_MASK|AUDIT_EQUAL)

#define AUDIT_LESS_THAN_OR_EQUAL	(AUDIT_LESS_THAN|AUDIT_EQUAL)

#define AUDIT_GREATER_THAN_OR_EQUAL	(AUDIT_GREATER_THAN|AUDIT_EQUAL)

#define AUDIT_OPERATORS			(AUDIT_EQUAL|AUDIT_NOT_EQUAL)

#define AUDIT_OPERATORS			(AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK)

/* Status symbols */

				/* Mask values */

		case AUDIT_DEVMINOR:

		case AUDIT_EXIT:

		case AUDIT_SUCCESS:

			/* bit ops are only useful on syscall args */

			if (f->op == AUDIT_BIT_MASK ||

						f->op == AUDIT_BIT_TEST) {

				err = -EINVAL;

				goto exit_free;

			}

			break;

		case AUDIT_ARG0:

		case AUDIT_ARG1:

		case AUDIT_ARG2:

		return (left > right);

	case AUDIT_GREATER_THAN_OR_EQUAL:

		return (left >= right);

	case AUDIT_BIT_MASK:

		return (left & right);

	case AUDIT_BIT_TEST:

		return ((left & right) == right);

	}

	BUG();

	return 0;