security/apparmor/audit.c
Source file repositories/reference/linux-study-clean/security/apparmor/audit.c
File Facts
- System
- Linux kernel
- Corpus path
security/apparmor/audit.c- Extension
.c- Size
- 5989 bytes
- Lines
- 292
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: implementation source
- Status
- source implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/audit.hlinux/socket.hinclude/apparmor.hinclude/audit.hinclude/policy.hinclude/policy_ns.hinclude/secid.h
Detected Declarations
struct aa_audit_rulefunction audit_prefunction aa_audit_msgfunction aa_auditfunction aa_audit_rule_freefunction aa_audit_rule_initfunction aa_audit_rule_knownfunction aa_audit_rule_match
Annotated Snippet
struct aa_audit_rule {
struct aa_label *label;
};
void aa_audit_rule_free(void *vrule)
{
struct aa_audit_rule *rule = vrule;
if (rule) {
if (!IS_ERR(rule->label))
aa_put_label(rule->label);
kfree(rule);
}
}
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp)
{
struct aa_audit_rule *rule;
switch (field) {
case AUDIT_SUBJ_ROLE:
if (op != Audit_equal && op != Audit_not_equal)
return -EINVAL;
break;
default:
return -EINVAL;
}
rule = kzalloc_obj(struct aa_audit_rule, gfp);
if (!rule)
return -ENOMEM;
/* Currently rules are treated as coming from the root ns */
rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
gfp, true, false);
if (IS_ERR(rule->label)) {
int err = PTR_ERR(rule->label);
aa_audit_rule_free(rule);
return err;
}
*vrule = rule;
return 0;
}
int aa_audit_rule_known(struct audit_krule *rule)
{
int i;
for (i = 0; i < rule->field_count; i++) {
struct audit_field *f = &rule->fields[i];
switch (f->type) {
case AUDIT_SUBJ_ROLE:
return 1;
}
}
return 0;
}
int aa_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, void *vrule)
{
struct aa_audit_rule *rule = vrule;
struct aa_label *label;
int found = 0;
label = prop->apparmor.label;
if (!label)
return -ENOENT;
if (aa_label_is_subset(label, rule->label))
found = 1;
switch (field) {
case AUDIT_SUBJ_ROLE:
switch (op) {
case Audit_equal:
return found;
case Audit_not_equal:
return !found;
}
}
return 0;
}
Annotation
- Immediate include surface: `linux/audit.h`, `linux/socket.h`, `include/apparmor.h`, `include/audit.h`, `include/policy.h`, `include/policy_ns.h`, `include/secid.h`.
- Detected declarations: `struct aa_audit_rule`, `function audit_pre`, `function aa_audit_msg`, `function aa_audit`, `function aa_audit_rule_free`, `function aa_audit_rule_init`, `function aa_audit_rule_known`, `function aa_audit_rule_match`.
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: source implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.