Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:kernel\auditsc.c Create Date:2022-07-28 11:27:03
Last Modify:2020-03-17 16:31:21 Copyright©Brick
home page Tree
Annotation kernel can get tool activityDownload SCCTChinese

Name:At syscall entry and exit time, this filter is called if the* audit_state is not low enough that auditing cannot take place, but is* also not high enough that we already know we have to write an audit* record (i

Proto:static enum audit_state audit_filter_syscall(struct task_struct *tsk, struct audit_context *ctx, struct list_head *list)

Type:enum audit_state

Parameter:

TypeParameterName
struct task_struct *tsk
struct audit_context *ctx
struct list_head *list
787  If auditd_test_task - Check to see if a given task is an audit daemon*@task: the task to check* Description:* Return 1 if the task is a registered audit daemon, 0 otherwise. Then Return Do not create per-task audit_context.* No syscall-specific audit records can* be generated.
790  _read_lock() - mark the beginning of an RCU read-side critical section* When synchronize_rcu() is invoked on one CPU while other CPUs* are within RCU read-side critical sections, then the* synchronize_rcu() is guaranteed to block until after all the other
792  If audit_in_mask( & rule, syscall number ) && Compare a task_struct with an audit_rule. Return 1 on match, 0* otherwise.* If task_creation is true, this is an explicit indication that we are* filtering a task rule at task creation time. This and tsk == current are Then
795  _read_unlock() - marks the end of an RCU read-side critical section.* In most situations, rcu_read_unlock() is immune from deadlock.* However, in kernels built with CONFIG_RCU_BOOST, rcu_read_unlock()
796  current_state = state
797  Return state
800  _read_unlock() - marks the end of an RCU read-side critical section.* In most situations, rcu_read_unlock() is immune from deadlock.* However, in kernels built with CONFIG_RCU_BOOST, rcu_read_unlock()
801  Return Create the per-task audit_context,* and fill it in at syscall* entry time. This makes a full* syscall record available if some* other part of the kernel decides it* should be recorded.
Caller
NameDescribe
__audit_free__audit_free - free a per-task audit context*@tsk: task whose audit context block to free* Called from copy_process and do_exit
__audit_syscall_exit__audit_syscall_exit - deallocate audit context after a system call*@success: success value of the syscall*@return_code: return value of the syscall* Tear down after system call