// SPDX-License-Identifier: GPL-2.0-or-later /* audit_watch.c -- watching inodes * * Copyright 2003-2009 Red Hat, Inc. * Copyright 2005 Hewlett-Packard Development Company, L.P. * Copyright 2005 IBM Corporation */ #include <linux/file.h> #include <linux/kernel.h> #include <linux/audit.h> #include <linux/kthread.h> #include <linux/mutex.h> #include <linux/fs.h> #include <linux/fsnotify_backend.h> #include <linux/namei.h> #include <linux/netlink.h> #include <linux/refcount.h> #include <linux/sched.h> #include <linux/slab.h> #include <linux/security.h> #include "audit.h" /* * Reference counting: * * audit_parent: lifetime is from audit_init_parent() to receipt of an FS_IGNORED * event. Each audit_watch holds a reference to its associated parent. * * audit_watch: if added to lists, lifetime is from audit_init_watch() to * audit_remove_watch(). Additionally, an audit_watch may exist * temporarily to assist in searching existing filter data. Each * audit_krule holds a reference to its associated watch. */ struct audit_watch { … }; struct audit_parent { … }; /* fsnotify handle. */ static struct fsnotify_group *audit_watch_group; /* fsnotify events we care about. */ #define AUDIT_FS_WATCH … static void audit_free_parent(struct audit_parent *parent) { … } static void audit_watch_free_mark(struct fsnotify_mark *entry) { … } static void audit_get_parent(struct audit_parent *parent) { … } static void audit_put_parent(struct audit_parent *parent) { … } /* * Find and return the audit_parent on the given inode. If found a reference * is taken on this parent. */ static inline struct audit_parent *audit_find_parent(struct inode *inode) { … } void audit_get_watch(struct audit_watch *watch) { … } void audit_put_watch(struct audit_watch *watch) { … } static void audit_remove_watch(struct audit_watch *watch) { … } char *audit_watch_path(struct audit_watch *watch) { … } int audit_watch_compare(struct audit_watch *watch, unsigned long ino, dev_t dev) { … } /* Initialize a parent watch entry. */ static struct audit_parent *audit_init_parent(const struct path *path) { … } /* Initialize a watch entry. */ static struct audit_watch *audit_init_watch(char *path) { … } /* Translate a watch string to kernel representation. */ int audit_to_watch(struct audit_krule *krule, char *path, int len, u32 op) { … } /* Duplicate the given audit watch. The new watch's rules list is initialized * to an empty list and wlist is undefined. */ static struct audit_watch *audit_dupe_watch(struct audit_watch *old) { … } static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watch *w, char *op) { … } /* Update inode info in audit rules based on filesystem event. */ static void audit_update_watch(struct audit_parent *parent, const struct qstr *dname, dev_t dev, unsigned long ino, unsigned invalidating) { … } /* Remove all watches & rules associated with a parent that is going away. */ static void audit_remove_parent_watches(struct audit_parent *parent) { … } /* Get path information necessary for adding watches. */ static int audit_get_nd(struct audit_watch *watch, struct path *parent) { … } /* Associate the given rule with an existing parent. * Caller must hold audit_filter_mutex. */ static void audit_add_to_parent(struct audit_krule *krule, struct audit_parent *parent) { … } /* Find a matching watch entry, or add this one. * Caller must hold audit_filter_mutex. */ int audit_add_watch(struct audit_krule *krule, struct list_head **list) { … } void audit_remove_watch_rule(struct audit_krule *krule) { … } /* Update watch data in audit rules based on fsnotify events. */ static int audit_watch_handle_event(struct fsnotify_mark *inode_mark, u32 mask, struct inode *inode, struct inode *dir, const struct qstr *dname, u32 cookie) { … } static const struct fsnotify_ops audit_watch_fsnotify_ops = …; static int __init audit_watch_init(void) { … } device_initcall(audit_watch_init); int audit_dupe_exe(struct audit_krule *new, struct audit_krule *old) { … } int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark) { … }
Codebase Browser
linux