kernel/auditfilter.c
Source file repositories/reference/linux-study-clean/kernel/auditfilter.c
File Facts
- System: Linux kernel
- Corpus path: kernel/auditfilter.c
- Extension: .c
- Size: 35355 bytes
- Lines: 1465
- Domain: Core OS
- Bucket: Scheduler, Processes, Timers, Sync, And Syscalls
- Inferred role: Core OS: implementation source
- Status: source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt context assumptions before translating.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
`linux/kernel.h`, `linux/audit.h`, `linux/kthread.h`, `linux/mutex.h`, `linux/fs.h`, `linux/namei.h`, `linux/netlink.h`, `linux/sched.h`, `linux/slab.h`, `linux/security.h`, `net/net_namespace.h`, `net/sock.h`, `audit.h`
Detected Declarations
`function audit_free_lsm_field`, `function audit_free_rule`, `function audit_free_rule_rcu`, `function audit_to_inode`, `function audit_register_class`, `function audit_match_class`, `function audit_match_class_bits`, `function audit_match_signal`, `function audit_to_op`, `function audit_field_valid`, `function audit_pack_string`, `function audit_compare_rule`, `function audit_dupe_lsm_field`, `function list_for_each_entry`, `function list_for_each_entry`, `function audit_add_rule`, `function audit_del_rule`, `function audit_list_rules`, `function list_for_each_entry`, `function audit_log_rule_change`, `function audit_rule_change`, `function audit_list_rules_send`, `function audit_comparator`, `function audit_uid_comparator`, `function audit_gid_comparator`, `function parent_len`, `function audit_compare_dname_path`, `function audit_filter`, `function update_lsm_rule`, `function audit_update_lsm_rules`, `function list_for_each_entry_safe`
Annotated Snippet
```c
/* Excerpt begins mid-function: the loop below rejects a syscall number
 * that does not fit in the bitmask, then sets its bit in the class mask. */
		if (n >= AUDIT_BITMASK_SIZE * 32 - AUDIT_SYSCALL_CLASSES) {
			kfree(p);
			return -EINVAL;
		}
		p[AUDIT_WORD(n)] |= AUDIT_BIT(n);
	}
	/* Reject an out-of-range class index or a class already registered. */
	if (class >= AUDIT_SYSCALL_CLASSES || classes[class]) {
		kfree(p);
		return -EINVAL;
	}
	classes[class] = p;
	return 0;
}

int audit_match_class(int class, unsigned int syscall)
{
	/* Bounds-check both indices before touching the classes[] table. */
	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
		return 0;
	if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
		return 0;
	return classes[class][AUDIT_WORD(syscall)] & AUDIT_BIT(syscall);
}

#ifdef CONFIG_AUDITSYSCALL
/* Returns 0 if the rule mask shares any bit with the class mask, else 1. */
static inline int audit_match_class_bits(int class, u32 *mask)
{
	int i;

	if (classes[class]) {
		for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
			if (mask[i] & classes[class][i])
				return 0;
	}
	return 1;
}

static int audit_match_signal(struct audit_entry *entry)
{
	struct audit_field *arch = entry->rule.arch_f;

	if (!arch) {
		/* When arch is unspecified, we must check both masks on biarch
		 * as syscall number alone is ambiguous. */
		return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
					       entry->rule.mask) &&
			audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
					       entry->rule.mask));
	}

	switch (audit_classify_arch(arch->val)) {
	case 0: /* native */
		return (audit_match_class_bits(AUDIT_CLASS_SIGNAL,
					       entry->rule.mask));
	case 1: /* 32bit on biarch */
		return (audit_match_class_bits(AUDIT_CLASS_SIGNAL_32,
					       entry->rule.mask));
	default:
		return 1;
	}
}
#endif

/* Common user-space to kernel rule translation. */
static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)
{
	unsigned int listnr;
	struct audit_entry *entry;
	int i, err;

	err = -EINVAL;
	/* Strip the prepend flag; any filter list not named below is rejected. */
	listnr = rule->flags & ~AUDIT_FILTER_PREPEND;
	switch (listnr) {
	default:
		goto exit_err;
#ifdef CONFIG_AUDITSYSCALL
	case AUDIT_FILTER_ENTRY:
		pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
		goto exit_err;
	case AUDIT_FILTER_EXIT:
	case AUDIT_FILTER_URING_EXIT:
	case AUDIT_FILTER_TASK:
#endif
	case AUDIT_FILTER_USER:
	case AUDIT_FILTER_EXCLUDE:
	case AUDIT_FILTER_FS:
		;
	}
	if (unlikely(rule->action == AUDIT_POSSIBLE)) {
		pr_err("AUDIT_POSSIBLE is deprecated\n");
		goto exit_err;
/* Excerpt ends here; the function continues in the source file. */
```
Annotation
- Immediate include surface: `linux/kernel.h`, `linux/audit.h`, `linux/kthread.h`, `linux/mutex.h`, `linux/fs.h`, `linux/namei.h`, `linux/netlink.h`, `linux/sched.h`.
- Detected declarations: `function audit_free_lsm_field`, `function audit_free_rule`, `function audit_free_rule_rcu`, `function audit_to_inode`, `function audit_register_class`, `function audit_match_class`, `function audit_match_class_bits`, `function audit_match_signal`, `function audit_to_op`, `function audit_field_valid`.
- Atlas domain: Core OS / Scheduler, Processes, Timers, Sync, And Syscalls.
- Implementation status: source implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.