Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:kernel\auditfilter.c Create Date:2022-07-28 11:24:51
Last Modify:2020-03-12 14:18:49 Copyright©Brick
home page Tree
Annotation kernel can get tool activityDownload SCCTChinese

Name:Translate struct audit_rule_data to kernel's rule representation.

Proto:static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, size_t datasz)

Type:struct audit_entry

Parameter:

TypeParameterName
struct audit_rule_data *data
size_tdatasz
444  err = 0
447  remain = datasz - sizeof(structaudit_rule_data)
452  entry = Common user-space to kernel rule translation.
453  If IS_ERR(entry) Then Go to exit_nofree
456  bufp = string fields buffer
457  When i < field_count cycle
458  f = fields[i]
461  err = -EINVAL
463  op = audit_to_op(fieldflags[i])
464  If op == Audit_bad Then Go to exit_free
467  type = fields[i]
468  f_val = values[i]
471  If type == AUDIT_LOGINUID && f_val == AUDIT_UID_UNSET Then
472  type = AUDIT_LOGINUID_SET
473  f_val = 0
474  pflags |= Flag to indicate legacy AUDIT_LOGINUID unset usage
477  err = heck if an audit field is valid
478  If err Then Go to exit_free
481  err = -EINVAL
483  Case type == AUDIT_LOGINUID
484  Case type == AUDIT_UID
485  Case type == AUDIT_EUID
486  Case type == AUDIT_SUID
487  Case type == AUDIT_FSUID
488  Case type == AUDIT_OBJ_UID
489  uid = make_kuid - Map a user-namespace uid pair into a kuid
490  If Not uid_valid(uid) Then Go to exit_free
492  Break
493  Case type == AUDIT_GID
494  Case type == AUDIT_EGID
495  Case type == AUDIT_SGID
496  Case type == AUDIT_FSGID
497  Case type == AUDIT_OBJ_GID
498  gid = make_kgid - Map a user-namespace gid pair into a kgid
499  If Not gid_valid(gid) Then Go to exit_free
501  Break
502  Case type == AUDIT_ARCH
503  val = f_val
504  quick access to arch field = f
505  Break
506  Case type == security label user
507  Case type == security label role
508  Case type == security label type
509  Case type == security label sensitivity label
510  Case type == security label clearance label
511  Case type == AUDIT_OBJ_USER
512  Case type == AUDIT_OBJ_ROLE
513  Case type == AUDIT_OBJ_TYPE
514  Case type == AUDIT_OBJ_LEV_LOW
515  Case type == AUDIT_OBJ_LEV_HIGH
516  str = Unpack a filter field's string representation from user-space* buffer.
517  If IS_ERR(str) Then
518  err = PTR_ERR(str)
519  Go to exit_free
521  for data alloc on list rules += f_val
522  lsm_str = str
523  err = security_audit_rule_init(type, op, str, (void * * ) & lsm_rule)
527  If err == -EINVAL Then
528  pr_warn("audit rule for LSM \'%s\' is invalid\n", str)
530  err = 0
531  Else if err Then Go to exit_free
533  Break
534  Case type == AUDIT_WATCH
535  str = Unpack a filter field's string representation from user-space* buffer.
536  If IS_ERR(str) Then
537  err = PTR_ERR(str)
538  Go to exit_free
540  err = audit_to_watch( & rule, str, f_val, op)
541  If err Then
542  kfree(str)
543  Go to exit_free
545  for data alloc on list rules += f_val
546  Break
547  Case type == AUDIT_DIR
548  str = Unpack a filter field's string representation from user-space* buffer.
549  If IS_ERR(str) Then
550  err = PTR_ERR(str)
551  Go to exit_free
553  err = audit_make_tree( & rule, str, op)
554  kfree(str)
555  If err Then Go to exit_free
557  for data alloc on list rules += f_val
558  Break
559  Case type == AUDIT_INODE
560  val = f_val
561  err = Translate an inode field to kernel representation.
562  If err Then Go to exit_free
564  Break
565  Case type == AUDIT_FILTERKEY
566  If ties events to rules || f_val > AUDIT_MAX_KEY_LEN Then Go to exit_free
568  str = Unpack a filter field's string representation from user-space* buffer.
569  If IS_ERR(str) Then
570  err = PTR_ERR(str)
571  Go to exit_free
573  for data alloc on list rules += f_val
574  ties events to rules = str
575  Break
576  Case type == AUDIT_EXE
577  If exe || f_val > # chars in a path name including nul Then Go to exit_free
579  str = Unpack a filter field's string representation from user-space* buffer.
580  If IS_ERR(str) Then
581  err = PTR_ERR(str)
582  Go to exit_free
584  audit_mark = audit_alloc_mark( & rule, str, f_val)
585  If IS_ERR(audit_mark) Then
586  kfree(str)
587  err = PTR_ERR(audit_mark)
588  Go to exit_free
590  for data alloc on list rules += f_val
591  exe = audit_mark
592  Break
593  Default
594  val = f_val
595  Break
599  If quick access to an inode field && op == Audit_not_equal Then quick access to an inode field = NULL
602  exit_nofree :
603  Return entry
605  exit_free :
606  If associated watched tree Then audit_put_tree( associated watched tree )
608  If exe Then
610  audit_free_rule(entry)
611  Return ERR_PTR(err)
Caller
NameDescribe
audit_rule_changeaudit_rule_change - apply all rules to the specified message type*@type: audit message type*@seq: netlink audit message sequence (serial) number*@data: payload data*@datasz: size of payload data