kernel/auditsc.c
Source file repositories/reference/linux-study-clean/kernel/auditsc.c
File Facts
- System
- Linux kernel
- Corpus path
kernel/auditsc.c- Extension
.c- Size
- 82252 bytes
- Lines
- 2984
- Domain
- Core OS
- Bucket
- Scheduler, Processes, Timers, Sync, And Syscalls
- Inferred role
- Core OS: exported/initcall integration point
- Status
- integration implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Exports symbols or registers init work; inspect boot/module ordering and who consumes the exported contract.
- Uses kernel synchronization; read lock ordering, sleepability, and interrupt context assumptions before translating.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/init.hasm/types.hlinux/atomic.hlinux/fs.hlinux/namei.hlinux/mm.hlinux/export.hlinux/slab.hlinux/mount.hlinux/socket.hlinux/mqueue.hlinux/audit.hlinux/personality.hlinux/time.hlinux/netlink.hlinux/compiler.hasm/unistd.hlinux/security.hlinux/list.hlinux/binfmts.hlinux/highmem.hlinux/syscalls.hasm/syscall.hlinux/capability.hlinux/fs_struct.hlinux/compat.hlinux/ctype.hlinux/string.hlinux/uaccess.hlinux/fsnotify_backend.huapi/linux/limits.huapi/linux/netfilter/nf_tables.h
Detected Declarations
struct audit_aux_datastruct audit_aux_data_pidsstruct audit_aux_data_bprm_fcapsstruct audit_tree_refsstruct audit_nfcfgop_tabfunction audit_match_permfunction audit_match_filetypefunction list_for_each_entryfunction audit_set_auditablefunction put_tree_reffunction grow_tree_refsfunction unroll_tree_refsfunction free_tree_refsfunction match_tree_refsfunction audit_compare_uidfunction audit_compare_gidfunction audit_field_comparefunction audit_filter_rulesfunction list_for_each_entryfunction list_for_each_entryfunction list_for_each_entryfunction list_for_each_entryfunction list_for_each_entryfunction audit_filter_taskfunction audit_in_maskfunction __audit_filter_opfunction list_for_each_entry_rcufunction audit_filter_uringfunction audit_filter_syscallfunction audit_filter_inode_namefunction audit_filter_inodesfunction list_for_each_entryfunction audit_proctitle_freefunction audit_free_modulefunction audit_free_namesfunction list_for_each_entry_safefunction audit_free_auxfunction audit_reset_contextfunction audit_allocfunction audit_free_contextfunction audit_log_pid_contextfunction audit_log_execve_infofunction audit_log_capfunction audit_log_fcapsfunction audit_log_timefunction show_specialfunction audit_proctitle_rtrimfunction audit_log_name
Annotated Snippet
* fork()/copy_process() in which case
* the new @tsk creds are still a dup
* of @current's creds so we can still
* use
* security_current_getlsmprop_subj()
* here even though it always refs
* @current's creds
*/
security_current_getlsmprop_subj(&prop);
need_sid = 0;
}
result = security_audit_rule_match(&prop,
f->type,
f->op,
f->lsm_rule);
}
break;
case AUDIT_OBJ_USER:
case AUDIT_OBJ_ROLE:
case AUDIT_OBJ_TYPE:
case AUDIT_OBJ_LEV_LOW:
case AUDIT_OBJ_LEV_HIGH:
/* The above note for AUDIT_SUBJ_USER...AUDIT_SUBJ_CLR
also applies here */
if (f->lsm_rule) {
/* Find files that match */
if (name) {
result = security_audit_rule_match(
&name->oprop,
f->type,
f->op,
f->lsm_rule);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
if (security_audit_rule_match(
&n->oprop,
f->type,
f->op,
f->lsm_rule)) {
++result;
break;
}
}
}
/* Find ipc objects that match */
if (!ctx || ctx->type != AUDIT_IPC)
break;
if (security_audit_rule_match(&ctx->ipc.oprop,
f->type, f->op,
f->lsm_rule))
++result;
}
break;
case AUDIT_ARG0:
case AUDIT_ARG1:
case AUDIT_ARG2:
case AUDIT_ARG3:
if (ctx)
result = audit_comparator(ctx->argv[f->type-AUDIT_ARG0], f->op, f->val);
break;
case AUDIT_FILTERKEY:
/* ignore this field for filtering */
result = 1;
break;
case AUDIT_PERM:
result = audit_match_perm(ctx, f->val);
if (f->op == Audit_not_equal)
result = !result;
break;
case AUDIT_FILETYPE:
result = audit_match_filetype(ctx, f->val);
if (f->op == Audit_not_equal)
result = !result;
break;
case AUDIT_FIELD_COMPARE:
result = audit_field_compare(tsk, cred, f, ctx, name);
break;
}
if (!result)
return 0;
}
if (ctx) {
if (rule->filterkey) {
kfree(ctx->filterkey);
ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
}
ctx->prio = rule->prio;
}
switch (rule->action) {
Annotation
- Immediate include surface: `linux/init.h`, `asm/types.h`, `linux/atomic.h`, `linux/fs.h`, `linux/namei.h`, `linux/mm.h`, `linux/export.h`, `linux/slab.h`.
- Detected declarations: `struct audit_aux_data`, `struct audit_aux_data_pids`, `struct audit_aux_data_bprm_fcaps`, `struct audit_tree_refs`, `struct audit_nfcfgop_tab`, `function audit_match_perm`, `function audit_match_filetype`, `function list_for_each_entry`, `function audit_set_auditable`, `function put_tree_ref`.
- Atlas domain: Core OS / Scheduler, Processes, Timers, Sync, And Syscalls.
- Implementation status: integration implementation candidate.
- Synchronization appears in or near this file; preserve lock ordering, sleepability, and interrupt-context constraints.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.