audit_filter

函数名称：At syscall entry and exit time, this filter is called if the* audit_state is not low enough that auditing cannot take place, but is* also not high enough that we already know we have to write an audit* record (i

函数原型：static enum audit_state audit_filter_syscall(struct task_struct *tsk, struct audit_context *ctx, struct list_head *list)

返回类型：enum audit_state

参数：

类型	参数	名称
struct task_struct *	tsk
struct audit_context *	ctx
struct list_head *	list

787

如果auditd_test_task - Check to see if a given task is an audit daemon*@task: the task to check* Description:* Return 1 if the task is a registered audit daemon, 0 otherwise.则返回:不审计

790

_read_lock() - mark the beginning of an RCU read-side critical section* When synchronize_rcu() is invoked on one CPU while other CPUs* are within RCU read-side critical sections, then the* synchronize_rcu() is guaranteed to block until after all the other

792

如果audit_in_mask( & rule, 系统调用进程)且Compare a task_struct with an audit_rule. Return 1 on match, 0* otherwise.* If task_creation is true, this is an explicit indication that we are* filtering a task rule at task creation time. This and tsk == current are则

795

_read_unlock() - marks the end of an RCU read-side critical section.* In most situations, rcu_read_unlock() is immune from deadlock.* However, in kernels built with CONFIG_RCU_BOOST, rcu_read_unlock()

796

当前状态等于state

797

返回:state

800

801

返回:创建时审计

**调用者**
名称	描述
__audit_free	__audit_free - free a per-task audit context@tsk: task whose audit context block to free Called from copy_process and do_exit
__audit_syscall_exit	__audit_syscall_exit - deallocate audit context after a system call@success: success value of the syscall@return_code: return value of the syscall* Tear down after system call

源代码转换工具开放的插件接口	X
支持：c/c++/esqlc/java Oracle/Informix/Mysql 插件可实现：逻辑报告代码生成和批量转换代码

函数逻辑报告