kernel/audit_watch.c
Source file repositories/reference/linux-study-clean/kernel/audit_watch.c
File Facts
- System: Linux kernel
- Corpus path: kernel/audit_watch.c
- Extension: .c
- Size: 14287 bytes
- Lines: 557
- Domain: Core OS
- Bucket: Scheduler, Processes, Timers, Sync, And Syscalls
- Inferred role: Core OS: exported/initcall integration point
- Status: integration implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Exports symbols or registers init work; inspect boot/module ordering and who consumes the exported contract.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt context assumptions before translating.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
`linux/file.h`, `linux/kernel.h`, `linux/audit.h`, `linux/kthread.h`, `linux/mutex.h`, `linux/fs.h`, `linux/fsnotify_backend.h`, `linux/namei.h`, `linux/netlink.h`, `linux/refcount.h`, `linux/sched.h`, `linux/slab.h`, `linux/security.h`, `audit.h`
Detected Declarations
`struct audit_watch`, `struct audit_parent`, `function audit_free_parent`, `function audit_watch_free_mark`, `function audit_get_parent`, `function audit_put_parent`, `function audit_get_watch`, `function audit_put_watch`, `function audit_remove_watch`, `function audit_watch_compare`, `function audit_to_watch`, `function audit_watch_log_rule_change`, `function audit_update_watch`, `function list_for_each_entry_safe`, `function audit_remove_parent_watches`, `function list_for_each_entry_safe`, `function audit_get_nd`, `function audit_add_to_parent`, `function list_for_each_entry`, `function audit_add_watch`, `function audit_remove_watch_rule`, `function audit_watch_handle_event`, `function audit_watch_init`, `function audit_dupe_exe`, `function audit_exe_compare`, `module init audit_watch_init`
Annotated Snippet
```c
device_initcall(audit_watch_init);

int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old,
		   struct audit_watch_ctx *ctx)
{
	struct audit_fsnotify_mark *audit_mark;
	char *pathname;

	/* GFP_KERNEL may sleep: this path must run in process context */
	pathname = kstrdup(audit_mark_path(old->exe), GFP_KERNEL);
	if (!pathname)
		return -ENOMEM;

	audit_mark = audit_alloc_mark(new, pathname, strlen(pathname), ctx);
	if (IS_ERR(audit_mark)) {
		/* allocation failed, so the duplicated path is freed here */
		kfree(pathname);
		return PTR_ERR(audit_mark);
	}
	new->exe = audit_mark;

	return 0;
}

int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
{
	struct file *exe_file;
	u64 ino;
	dev_t dev;

	/* only do exe filtering if we are recording @current events/records */
	if (tsk != current)
		return 0;

	/* no mm means no executable file to compare against */
	if (!current->mm)
		return 0;
	exe_file = get_mm_exe_file(current->mm);
	if (!exe_file)
		return 0;
	/* copy inode number and device out before dropping the file reference */
	ino = file_inode(exe_file)->i_ino;
	dev = file_inode(exe_file)->i_sb->s_dev;
	fput(exe_file);

	return audit_mark_compare(mark, ino, dev);
}
```
Annotation
- Immediate include surface: `linux/file.h`, `linux/kernel.h`, `linux/audit.h`, `linux/kthread.h`, `linux/mutex.h`, `linux/fs.h`, `linux/fsnotify_backend.h`, `linux/namei.h`.
- Detected declarations: `struct audit_watch`, `struct audit_parent`, `function audit_free_parent`, `function audit_watch_free_mark`, `function audit_get_parent`, `function audit_put_parent`, `function audit_get_watch`, `function audit_put_watch`, `function audit_remove_watch`, `function audit_watch_compare`.
- Atlas domain: Core OS / Scheduler, Processes, Timers, Sync, And Syscalls.
- Implementation status: integration implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.