audit_filter

Name:Compare a task_struct with an audit_rule. Return 1 on match, 0* otherwise.* If task_creation is true, this is an explicit indication that we are* filtering a task rule at task creation time. This and tsk == current are

Proto:static int audit_filter_rules(struct task_struct *tsk, struct audit_krule *rule, struct audit_context *ctx, struct audit_names *name, enum audit_state *state, bool task_creation)

Type:int

Parameter:

Type	Parameter	Name
struct task_struct *	tsk
struct audit_krule *	rule
struct audit_context *	ctx
struct audit_names *	name
enum audit_state *	state
bool	task_creation

446

need_sid = 1

450

cred = cu_dereference_check() - rcu_dereference with debug checking*@p: The pointer to read, prior to dereferencing*@c: The conditions under which the dereference will take place* Do an rcu_dereference(), but check that the conditions under which the( Effective (overridable) subjective task credentials (COW): , tsk == current process || task_creation)

452

When i < field_count cycle

453

f = fields[i]

455

result = 0

459

Case type == These are useful when checking the* task structure at task creation time* (AUDIT_PER_TASK).

460

pid = task_tgid_nr(tsk)

461

result = audit_comparator(pid, op, val)

462

Break

463

Case type == AUDIT_PPID

464

If ctx Then

465

If Not Save things to print about task_struct Then Save things to print about task_struct = task_ppid_nr(tsk)

467

result = audit_comparator(Save things to print about task_struct , op, val)

469

Break

470

Case type == AUDIT_EXE

471

result = audit_exe_compare(tsk, exe)

472

If op == Audit_not_equal Then result = Not result

474

Break

475

Case type == AUDIT_UID

476

result = audit_uid_comparator( real UID of the task , op, uid)

477

Break

478

Case type == AUDIT_EUID

479

result = audit_uid_comparator( effective UID of the task , op, uid)

480

Break

481

Case type == AUDIT_SUID

482

result = audit_uid_comparator( saved UID of the task , op, uid)

483

Break

484

Case type == AUDIT_FSUID

485

result = audit_uid_comparator( UID for VFS ops , op, uid)

486

Break

487

Case type == AUDIT_GID

488

result = audit_gid_comparator( real GID of the task , op, gid)

489

If op == Audit_equal Then

490

If Not result Then result = a simple bsearch

492

Else if op == Audit_not_equal Then

493

If result Then result = Not a simple bsearch

496

Break

497

Case type == AUDIT_EGID

498

result = audit_gid_comparator( effective GID of the task , op, gid)

499

If op == Audit_equal Then

500

If Not result Then result = a simple bsearch

502

Else if op == Audit_not_equal Then

503

If result Then result = Not a simple bsearch

506

Break

507

Case type == AUDIT_SGID

508

result = audit_gid_comparator( saved GID of the task , op, gid)

509

Break

510

Case type == AUDIT_FSGID

511

result = audit_gid_comparator( GID for VFS ops , op, gid)

512

Break

513

Case type == Session ID

514

sessionid = audit_get_sessionid(tsk)

515

result = audit_comparator(sessionid, op, val)

516

Break

517

Case type == AUDIT_PERS

518

result = audit_comparator( Used for emulating ABI behavior of previous Linux versions: , op, val)

519

Break

520

Case type == AUDIT_ARCH

521

If ctx Then result = audit_comparator(arch, op, val)

523

Break

525

Case type == AUDIT_EXIT

526

If ctx && urn code is valid Then result = audit_comparator(syscall return code , op, val)

528

Break

529

Case type == xit >= 0; value ignored

530

If ctx && urn code is valid Then

531

If val Then result = audit_comparator(urn code is valid , op, AUDITSC_SUCCESS)

533

Else result = audit_comparator(urn code is valid , op, AUDITSC_FAILURE)

536

Break

537

Case type == These are ONLY useful when checking* at syscall exit time (AUDIT_AT_EXIT).

538

If name Then

539

If audit_comparator(MAJOR(dev), op, val) || audit_comparator(MAJOR(rdev), op, val) Then ++result

542

Else if ctx Then

544

If audit_comparator(MAJOR(dev), op, val) || audit_comparator(MAJOR(rdev), op, val) Then

546

++result

547

Break

551

Break

552

Case type == AUDIT_DEVMINOR

553

If name Then

554

If audit_comparator(MINOR(dev), op, val) || audit_comparator(MINOR(rdev), op, val) Then ++result

557

Else if ctx Then

559

If audit_comparator(MINOR(dev), op, val) || audit_comparator(MINOR(rdev), op, val) Then

561

++result

562

Break

566

Break

567

Case type == AUDIT_INODE

568

If name Then result = audit_comparator(ino, op, val)

570

Else if ctx Then

572

If audit_comparator(ino, op, val) Then

573

++result

574

Break

578

Break

579

Case type == AUDIT_OBJ_UID

580

If name Then

581

result = audit_uid_comparator(uid, op, uid)

582

Else if ctx Then

584

If audit_uid_comparator(uid, op, uid) Then

585

++result

586

Break

590

Break

591

Case type == AUDIT_OBJ_GID

592

If name Then

593

result = audit_gid_comparator(gid, op, gid)

594

Else if ctx Then

596

If audit_gid_comparator(gid, op, gid) Then

597

++result

598

Break

602

Break

603

Case type == AUDIT_WATCH

604

If name Then

605

result = audit_watch_compare( associated watch , ino, dev)

608

If op == Audit_not_equal Then result = Not result

611

Break

612

Case type == AUDIT_DIR

613

If ctx Then

614

result = match_tree_refs(ctx, associated watched tree )

615

If op == Audit_not_equal Then result = Not result

618

Break

619

Case type == AUDIT_LOGINUID

620

result = audit_uid_comparator(audit_get_loginuid(tsk), op, uid)

622

Break

623

Case type == AUDIT_LOGINUID_SET

624

result = audit_comparator(audit_loginuid_set(tsk), op, val)

625

Break

626

Case type == AUDIT_SADDR_FAM

627

If sockaddr Then result = audit_comparator(address family , op, val)

630

Break

631

Case type == security label user

632

Case type == security label role

633

Case type == security label type

634

Case type == security label sensitivity label

635

Case type == security label clearance label

641

If lsm_rule Then

642

If need_sid Then

643

security_task_getsecid(tsk, & sid)

644

need_sid = 0

646

result = security_audit_rule_match(sid, type, op, lsm_rule)

650

Break

651

Case type == AUDIT_OBJ_USER

652

Case type == AUDIT_OBJ_ROLE

653

Case type == AUDIT_OBJ_TYPE

654

Case type == AUDIT_OBJ_LEV_LOW

655

Case type == AUDIT_OBJ_LEV_HIGH

658

If lsm_rule Then

660

If name Then

661

result = security_audit_rule_match(osid, type, op, lsm_rule)

666

Else if ctx Then

668

If security_audit_rule_match(osid, type, op, lsm_rule) Then

673

++result

674

Break

679

If Not ctx || type != IPC record Then Break

681

If security_audit_rule_match(osid, type, op, lsm_rule) Then ++result

686

Break

687

Case type == AUDIT_ARG0

688

Case type == AUDIT_ARG1

689

Case type == AUDIT_ARG2

690

Case type == AUDIT_ARG3

691

If ctx Then result = audit_comparator(syscall arguments [type - AUDIT_ARG0], op, val)

693

Break

694

Case type == AUDIT_FILTERKEY

696

result = 1

697

Break

698

Case type == AUDIT_PERM

699

result = audit_match_perm(ctx, val)

700

If op == Audit_not_equal Then result = Not result

702

Break

703

Case type == AUDIT_FILETYPE

704

result = audit_match_filetype(ctx, val)

705

If op == Audit_not_equal Then result = Not result

707

Break

708

Case type == AUDIT_FIELD_COMPARE

709

result = audit_field_compare(tsk, cred, f, ctx, name)

710

Break

712

If Not result Then Return 0

716

If ctx Then

717

If prio <= prio Then Return 0

719

If ties events to rules Then

720

kfree(key for rule that triggered record )

721

key for rule that triggered record = kstrdup( ties events to rules , DOC: Useful GFP flag combinations* Useful GFP flag combinations* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~* Useful GFP flag combinations that are commonly used. It is recommended* that subsystems start with one of these combinations and then set/clear)

723

prio = prio

726

Case action == Do not build context if rule matches

727

state = Do not create per-task audit_context.* No syscall-specific audit records can* be generated.

728

Break

729

Case action == Generate audit record if rule matches

730

state = AUDIT_RECORD_CONTEXT

731

Break

733

Return 1

**Caller**
Name	Describe
audit_filter_task	At process creation time, we can determine if system-call auditing is* completely disabled for this task. Since we only have the task* structure at this point, we can only check uid and gid.
audit_filter_syscall	At syscall entry and exit time, this filter is called if the* audit_state is not low enough that auditing cannot take place, but is* also not high enough that we already know we have to write an audit* record (i
audit_filter_inode_name	Given an audit_name check the inode hash table to see if they match.* Called holding the rcu read lock to protect the use of audit_inode_hash

Source code conversion tool public plug-in interface	X
Support c/c++/esqlc/java Oracle/Informix/Mysql Plug-in can realize: logical Report Code generation and batch code conversion

Function report