audit_watch_handle_event

Name:Update watch data in audit rules based on fsnotify events.

Proto:static int audit_watch_handle_event(struct fsnotify_group *group, struct inode *to_tell, unsigned int mask, const void *data, int data_type, const struct qstr *dname, unsigned int cookie, struct fsnotify_iter_info *iter_info)

Type:int

Parameter:

Type	Parameter	Name
struct fsnotify_group *	group
struct inode *	to_tell
unsigned int	mask
const void *	data
int	data_type
const struct qstr *	dname
unsigned int	cookie
struct fsnotify_iter_info *	iter_info

475

inode_mark = fsnotify_iter_inode_mark(iter_info)

479

parent = container_of - cast a member of a structure out to the containing structure*@ptr: the pointer to the member.*@type: the type of the container struct this is embedded in.*@member: the name of the member within the struct.(inode_mark, structaudit_parent, mark)

481

BUG_ON(group != snotify handle. )

484

Case data_type == FSNOTIFY_EVENT_PATH

485

inode = d_backing_inode - Get upper or lower inode we should be using*@upper: The upper layer* This is the helper that should be used to get at the inode that will be used* if this dentry were to be opened as a file. The inode may be on the upper

486

Break

487

Case data_type == FSNOTIFY_EVENT_INODE

488

489

Break

490

Default

491

BUG()

492

inode = NULL

493

Break

496

If mask & (Subfile was created | File was moved to Y ) && inode Then Update inode info in audit rules based on filesystem event.

498

Else if mask & (Subfile was deleted | File was moved from X ) Then Update inode info in audit rules based on filesystem event.

500

Else if mask & ( Self was deleted | de on umount fs | Self was moved ) Then Remove all watches & rules associated with a parent that is going away.

503

Return 0

Source code conversion tool public plug-in interface	X
Support c/c++/esqlc/java Oracle/Informix/Mysql Plug-in can realize: logical Report Code generation and batch code conversion