audit_filter_rules

函数名称：Compare a task_struct with an audit_rule. Return 1 on match, 0* otherwise.* If task_creation is true, this is an explicit indication that we are* filtering a task rule at task creation time. This and tsk == current are

函数原型：static int audit_filter_rules(struct task_struct *tsk, struct audit_krule *rule, struct audit_context *ctx, struct audit_names *name, enum audit_state *state, bool task_creation)

返回类型：int

参数：

类型	参数	名称
struct task_struct *	tsk
struct audit_krule *	rule
struct audit_context *	ctx
struct audit_names *	name
enum audit_state *	state
bool	task_creation

446

need_sid等于1

450

cred等于cu_dereference_check() - rcu_dereference with debug checking*@p: The pointer to read, prior to dereferencing*@c: The conditions under which the dereference will take place* Do an rcu_dereference(), but check that the conditions under which the(安全管理凭证, tsk == 当前进程 || task_creation)

452

以i小于field_count 循环

453

f等于fields[i]

455

result等于0

459

当:type恒等于These are useful when checking the* task structure at task creation time* (AUDIT_PER_TASK).

460

pid等于task_tgid_nr(tsk)

461

result等于audit_comparator(pid, op, val)

462

463

当:type恒等于AUDIT_PPID

464

如果ctx则

465

如果非Save things to print about task_struct 则Save things to print about task_struct 等于task_ppid_nr(tsk)

467

result等于audit_comparator(Save things to print about task_struct , op, val)

469

470

当:type恒等于AUDIT_EXE

471

result等于audit_exe_compare(tsk, exe)

472

如果op恒等于Audit_not_equal则result等于非result

474

475

当:type恒等于AUDIT_UID

476

result等于audit_uid_comparator(进程uid, op, uid)

477

478

当:type恒等于AUDIT_EUID

479

result等于audit_uid_comparator(有效uid, op, uid)

480

481

当:type恒等于AUDIT_SUID

482

result等于audit_uid_comparator(保留uid, op, uid)

483

484

当:type恒等于AUDIT_FSUID

485

result等于audit_uid_comparator( UID for VFS ops , op, uid)

486

487

当:type恒等于AUDIT_GID

488

result等于audit_gid_comparator(进程gid, op, gid)

489

如果op恒等于Audit_equal则

490

如果非result则result等于a simple bsearch

492

否则如果op恒等于Audit_not_equal则

493

如果result则result等于非a simple bsearch

496

497

当:type恒等于AUDIT_EGID

498

result等于audit_gid_comparator(有效gid, op, gid)

499

如果op恒等于Audit_equal则

500

如果非result则result等于a simple bsearch

502

否则如果op恒等于Audit_not_equal则

503

如果result则result等于非a simple bsearch

506

507

当:type恒等于AUDIT_SGID

508

result等于audit_gid_comparator(保留gid, op, gid)

509

510

当:type恒等于AUDIT_FSGID

511

result等于audit_gid_comparator( GID for VFS ops , op, gid)

512

513

当:type恒等于Session ID

514

sessionid等于audit_get_sessionid(tsk)

515

result等于audit_comparator(sessionid, op, val)

516

517

当:type恒等于AUDIT_PERS

518

result等于audit_comparator(进程个性标志, op, val)

519

520

当:type恒等于AUDIT_ARCH

521

如果ctx则result等于audit_comparator(arch, op, val)

523

525

当:type恒等于AUDIT_EXIT

526

如果ctx且返回值则result等于audit_comparator(返回码, op, val)

528

529

当:type恒等于xit >= 0; value ignored

530

如果ctx且返回值则

531

如果val则result等于audit_comparator(返回值, op, AUDITSC_SUCCESS)

533

否则result等于audit_comparator(返回值, op, AUDITSC_FAILURE)

536

537

当:type恒等于These are ONLY useful when checking* at syscall exit time (AUDIT_AT_EXIT).

538

如果name则

539

如果audit_comparator(MAJOR(dev), op, val)或audit_comparator(MAJOR(rdev), op, val)则result先自加

542

否则如果ctx则

544

如果audit_comparator(MAJOR(dev), op, val)或audit_comparator(MAJOR(rdev), op, val)则

546

result先自加

547

551

552

当:type恒等于AUDIT_DEVMINOR

553

如果name则

554

如果audit_comparator(MINOR(dev), op, val)或audit_comparator(MINOR(rdev), op, val)则result先自加

557

否则如果ctx则

559

如果audit_comparator(MINOR(dev), op, val)或audit_comparator(MINOR(rdev), op, val)则

561

result先自加

562

566

567

当:type恒等于AUDIT_INODE

568

如果name则result等于audit_comparator(ino, op, val)

570

否则如果ctx则

572

如果audit_comparator(ino, op, val)则

573

result先自加

574

578

579

当:type恒等于AUDIT_OBJ_UID

580

如果name则

581

result等于audit_uid_comparator(uid, op, uid)

582

否则如果ctx则

584

如果audit_uid_comparator(uid, op, uid)则

585

result先自加

586

590

591

当:type恒等于AUDIT_OBJ_GID

592

如果name则

593

result等于audit_gid_comparator(gid, op, gid)

594

否则如果ctx则

596

如果audit_gid_comparator(gid, op, gid)则

597

result先自加

598

602

603

当:type恒等于AUDIT_WATCH

604

如果name则

605

result等于audit_watch_compare( associated watch , ino, dev)

608

如果op恒等于Audit_not_equal则result等于非result

611

612

当:type恒等于AUDIT_DIR

613

如果ctx则

614

result等于match_tree_refs(ctx, associated watched tree )

615

如果op恒等于Audit_not_equal则result等于非result

618

619

当:type恒等于AUDIT_LOGINUID

620

result等于audit_uid_comparator(audit_get_loginuid(tsk), op, uid)

622

623

当:type恒等于AUDIT_LOGINUID_SET

624

result等于audit_comparator(audit_loginuid_set(tsk), op, val)

625

626

当:type恒等于AUDIT_SADDR_FAM

627

如果sockaddr则result等于audit_comparator(address family , op, val)

630

631

当:type恒等于security label user

632

当:type恒等于security label role

633

当:type恒等于security label type

634

当:type恒等于security label sensitivity label

635

当:type恒等于security label clearance label

641

如果lsm_rule则

642

如果need_sid则

643

security_task_getsecid(tsk, & sid)

644

need_sid等于0

646

result等于security_audit_rule_match(sid, type, op, lsm_rule)

650

651

当:type恒等于AUDIT_OBJ_USER

652

当:type恒等于AUDIT_OBJ_ROLE

653

当:type恒等于AUDIT_OBJ_TYPE

654

当:type恒等于AUDIT_OBJ_LEV_LOW

655

当:type恒等于AUDIT_OBJ_LEV_HIGH

658

如果lsm_rule则

660

如果name则

661

result等于security_audit_rule_match(osid, type, op, lsm_rule)

666

否则如果ctx则

668

如果security_audit_rule_match(osid, type, op, lsm_rule)则

673

result先自加

674

679

如果非ctx或type不等于IPC record 则退出

681

如果security_audit_rule_match(osid, type, op, lsm_rule)则result先自加

686

687

当:type恒等于AUDIT_ARG0

688

当:type恒等于AUDIT_ARG1

689

当:type恒等于AUDIT_ARG2

690

当:type恒等于AUDIT_ARG3

691

如果ctx则result等于audit_comparator(调用参数[type - AUDIT_ARG0], op, val)

693

694

当:type恒等于AUDIT_FILTERKEY

696

result等于1

697

698

当:type恒等于AUDIT_PERM

699

result等于audit_match_perm(ctx, val)

700

如果op恒等于Audit_not_equal则result等于非result

702

703

当:type恒等于AUDIT_FILETYPE

704

result等于audit_match_filetype(ctx, val)

705

如果op恒等于Audit_not_equal则result等于非result

707

708

当:type恒等于AUDIT_FIELD_COMPARE

709

result等于audit_field_compare(tsk, cred, f, ctx, name)

710

712

如果非result则返回:0

716

如果ctx则

717

如果prio小于等于prio则返回:0

719

如果 ties events to rules 则

720

kfree(过滤规则)

721

过滤规则等于kstrdup( ties events to rules , DOC: Useful GFP flag combinations* Useful GFP flag combinations* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~* Useful GFP flag combinations that are commonly used. It is recommended* that subsystems start with one of these combinations and then set/clear)

723

prio等于prio

726

当:action恒等于Do not build context if rule matches

727

state等于不审计

728

729

当:action恒等于Generate audit record if rule matches

730

state等于全程审计

731

733

返回:1

**调用者**
名称	描述
audit_filter_task	At process creation time, we can determine if system-call auditing is* completely disabled for this task. Since we only have the task* structure at this point, we can only check uid and gid.
audit_filter_syscall	At syscall entry and exit time, this filter is called if the* audit_state is not low enough that auditing cannot take place, but is* also not high enough that we already know we have to write an audit* record (i
audit_filter_inode_name	Given an audit_name check the inode hash table to see if they match.* Called holding the rcu read lock to protect the use of audit_inode_hash

源代码转换工具开放的插件接口	X
支持：c/c++/esqlc/java Oracle/Informix/Mysql 插件可实现：逻辑报告代码生成和批量转换代码