Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code: kernel\auditfilter.c
Create Date: 2022-07-28 11:25:09
Last Modify: 2020-03-12 14:18:49
Copyright © Brick

Name: Duplicate an audit rule. This will be a deep copy with the exception of the watch - that pointer is carried over. The LSM specific fields will be updated in the copy. The point is to be able to replace the old

Proto:struct audit_entry *audit_dupe_rule(struct audit_krule *old)

Type:struct audit_entry

Parameter:

Type                    Parameter Name
struct audit_krule *    old
813  fcount = field_count
817  err = 0
819  entry = Initialize an audit filterlist entry.
820  If unlikely(!entry) Then Return ERR_PTR(-ENOMEM)
823  new = rule
824  flags = flags
825  pflags = pflags
826  listnr = listnr
827  action = action
828  When i < AUDIT_BITMASK_SIZE cycle mask[i] = mask[i]
830  prio = prio
831  for data alloc on list rules = for data alloc on list rules
832  quick access to an inode field = quick access to an inode field
833  field_count = field_count
842  associated watched tree = associated watched tree
843  memcpy(fields, fields, sizeof(struct audit_field) * fcount)
847  When i < fcount cycle
849  Case type == security label user
850  Case type == security label role
851  Case type == security label type
852  Case type == security label sensitivity label
853  Case type == security label clearance label
854  Case type == AUDIT_OBJ_USER
855  Case type == AUDIT_OBJ_ROLE
856  Case type == AUDIT_OBJ_TYPE
857  Case type == AUDIT_OBJ_LEV_LOW
858  Case type == AUDIT_OBJ_LEV_HIGH
861  Break
862  Case type == AUDIT_FILTERKEY
868  Break
869  Case type == AUDIT_EXE
871  Break
873  If err Then
874  If exe Then
877  Return ERR_PTR(err)
881  If associated watch Then
883  associated watch = associated watch
886  Return entry
Caller:

Name                  Description
update_lsm_rule
audit_update_watch    Update inode info in audit rules based on filesystem event.