kernel/audit_tree.c
Source file repositories/reference/linux-study-clean/kernel/audit_tree.c
File Facts
- System
- Linux kernel
- Corpus path
kernel/audit_tree.c- Extension
.c- Size
- 26346 bytes
- Lines
- 1094
- Domain
- Core OS
- Bucket
- Scheduler, Processes, Timers, Sync, And Syscalls
- Inferred role
- Core OS: implementation source
- Status
- source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt context assumptions before translating.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
audit.hlinux/fsnotify_backend.hlinux/namei.hlinux/mount.hlinux/kthread.hlinux/refcount.hlinux/slab.h
Detected Declarations
struct audit_treestruct audit_chunkstruct audit_treestruct audit_chunkstruct audit_nodestruct audit_tree_markfunction get_treefunction put_treefunction free_chunkfunction audit_put_chunkfunction __put_chunkfunction audit_mark_put_chunkfunction audit_tree_destroy_watchfunction inode_to_keyfunction insert_hashfunction list_for_each_entry_rcufunction audit_tree_matchfunction replace_mark_chunkfunction replace_chunkfunction remove_chunk_nodefunction chunk_count_treesfunction untag_chunkfunction create_chunkfunction tag_chunkfunction audit_tree_log_remove_rulefunction kill_rulesfunction list_for_each_entry_safefunction prune_tree_chunksfunction prune_onefunction trim_markedfunction audit_remove_tree_rulefunction audit_trim_treesfunction list_for_each_entryfunction audit_make_treefunction audit_put_treefunction tag_mountsfunction evict_chunkfunction audit_launch_prunefunction audit_add_tree_rulefunction audit_tag_treefunction audit_schedule_prunefunction audit_kill_treesfunction evict_chunkfunction audit_tree_handle_eventfunction audit_tree_freeing_markfunction audit_tree_init
Annotated Snippet
struct audit_tree {
refcount_t count;
int goner;
struct audit_chunk *root;
struct list_head chunks;
struct list_head rules;
struct list_head list;
struct list_head same_root;
struct rcu_head head;
char pathname[];
};
struct audit_chunk {
struct list_head hash;
unsigned long key;
struct fsnotify_mark *mark;
struct list_head trees; /* with root here */
int count;
atomic_long_t refs;
struct rcu_head head;
struct audit_node {
struct list_head list;
struct audit_tree *owner;
unsigned int index; /* index; upper bit indicates 'will prune' */
} owners[] __counted_by(count);
};
struct audit_tree_mark {
struct fsnotify_mark mark;
struct audit_chunk *chunk;
};
static LIST_HEAD(tree_list);
static LIST_HEAD(prune_list);
static struct task_struct *prune_thread;
/*
* One struct chunk is attached to each inode of interest through
* audit_tree_mark (fsnotify mark). We replace struct chunk on tagging /
* untagging, the mark is stable as long as there is chunk attached. The
* association between mark and chunk is protected by hash_lock and
* audit_tree_group->mark_mutex. Thus as long as we hold
* audit_tree_group->mark_mutex and check that the mark is alive by
* FSNOTIFY_MARK_FLAG_ATTACHED flag check, we are sure the mark points to
* the current chunk.
*
* Rules have pointer to struct audit_tree.
* Rules have struct list_head rlist forming a list of rules over
* the same tree.
* References to struct chunk are collected at audit_inode{,_child}()
* time and used in AUDIT_TREE rule matching.
* These references are dropped at the same time we are calling
* audit_free_names(), etc.
*
* Cyclic lists galore:
* tree.chunks anchors chunk.owners[].list hash_lock
* tree.rules anchors rule.rlist audit_filter_mutex
* chunk.trees anchors tree.same_root hash_lock
* chunk.hash is a hash with middle bits of watch.inode as
* a hash function. RCU, hash_lock
*
* tree is refcounted; one reference for "some rules on rules_list refer to
* it", one for each chunk with pointer to it.
*
* chunk is refcounted by embedded .refs. Mark associated with the chunk holds
* one chunk reference. This reference is dropped either when a mark is going
* to be freed (corresponding inode goes away) or when chunk attached to the
* mark gets replaced. This reference must be dropped using
* audit_mark_put_chunk() to make sure the reference is dropped only after RCU
* grace period as it protects RCU readers of the hash table.
*
* node.index allows to get from node.list to containing chunk.
* MSB of that sucker is stolen to mark taggings that we might have to
* revert - several operations have very unpleasant cleanup logics and
* that makes a difference. Some.
*/
static struct fsnotify_group *audit_tree_group __ro_after_init;
static struct kmem_cache *audit_tree_mark_cachep __ro_after_init;
static struct audit_tree *alloc_tree(const char *s)
{
struct audit_tree *tree;
size_t sz;
sz = strlen(s) + 1;
tree = kmalloc_flex(*tree, pathname, sz);
if (tree) {
refcount_set(&tree->count, 1);
tree->goner = 0;
Annotation
- Immediate include surface: `audit.h`, `linux/fsnotify_backend.h`, `linux/namei.h`, `linux/mount.h`, `linux/kthread.h`, `linux/refcount.h`, `linux/slab.h`.
- Detected declarations: `struct audit_tree`, `struct audit_chunk`, `struct audit_tree`, `struct audit_chunk`, `struct audit_node`, `struct audit_tree_mark`, `function get_tree`, `function put_tree`, `function free_chunk`, `function audit_put_chunk`.
- Atlas domain: Core OS / Scheduler, Processes, Timers, Sync, And Syscalls.
- Implementation status: source implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.