Lines Matching full:rule
86 struct audit_krule *erule = &e->rule; in audit_free_rule()
120 entry->rule.fields = fields; in audit_init_entry()
213 struct audit_field *arch = entry->rule.arch_f; in audit_match_signal()
219 entry->rule.mask) && in audit_match_signal()
221 entry->rule.mask)); in audit_match_signal()
227 entry->rule.mask)); in audit_match_signal()
230 entry->rule.mask)); in audit_match_signal()
237 /* Common user-space to kernel rule translation. */
238 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule) in audit_to_entry_common() argument
245 listnr = rule->flags & ~AUDIT_FILTER_PREPEND; in audit_to_entry_common()
262 if (unlikely(rule->action == AUDIT_POSSIBLE)) { in audit_to_entry_common()
266 if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS) in audit_to_entry_common()
268 if (rule->field_count > AUDIT_MAX_FIELDS) in audit_to_entry_common()
272 entry = audit_init_entry(rule->field_count); in audit_to_entry_common()
276 entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND; in audit_to_entry_common()
277 entry->rule.listnr = listnr; in audit_to_entry_common()
278 entry->rule.action = rule->action; in audit_to_entry_common()
279 entry->rule.field_count = rule->field_count; in audit_to_entry_common()
282 entry->rule.mask[i] = rule->mask[i]; in audit_to_entry_common()
286 __u32 *p = &entry->rule.mask[AUDIT_WORD(bit)]; in audit_to_entry_common()
296 entry->rule.mask[j] |= class[j]; in audit_to_entry_common()
331 if (entry->rule.listnr != AUDIT_FILTER_EXCLUDE && in audit_field_valid()
332 entry->rule.listnr != AUDIT_FILTER_USER) in audit_field_valid()
336 if (entry->rule.listnr != AUDIT_FILTER_FS) in audit_field_valid()
340 if (entry->rule.listnr == AUDIT_FILTER_URING_EXIT) in audit_field_valid()
345 switch (entry->rule.listnr) { in audit_field_valid()
448 /* Translate struct audit_rule_data to kernel's rule representation. */
466 struct audit_field *f = &entry->rule.fields[i]; in audit_data_to_entry()
482 entry->rule.pflags |= AUDIT_LOGINUID_LEGACY; in audit_data_to_entry()
512 entry->rule.arch_f = f; in audit_data_to_entry()
529 entry->rule.buflen += f_val; in audit_data_to_entry()
537 pr_warn("audit rule for LSM \'%s\' is invalid\n", in audit_data_to_entry()
549 err = audit_to_watch(&entry->rule, str, f_val, f->op); in audit_data_to_entry()
554 entry->rule.buflen += f_val; in audit_data_to_entry()
562 err = audit_make_tree(&entry->rule, str, f->op); in audit_data_to_entry()
566 entry->rule.buflen += f_val; in audit_data_to_entry()
570 err = audit_to_inode(&entry->rule, f); in audit_data_to_entry()
575 if (entry->rule.filterkey || f_val > AUDIT_MAX_KEY_LEN) in audit_data_to_entry()
582 entry->rule.buflen += f_val; in audit_data_to_entry()
583 entry->rule.filterkey = str; in audit_data_to_entry()
586 if (entry->rule.exe || f_val > PATH_MAX) in audit_data_to_entry()
593 audit_mark = audit_alloc_mark(&entry->rule, str, f_val); in audit_data_to_entry()
599 entry->rule.buflen += f_val; in audit_data_to_entry()
600 entry->rule.exe = audit_mark; in audit_data_to_entry()
608 if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal) in audit_data_to_entry()
609 entry->rule.inode_f = NULL; in audit_data_to_entry()
615 if (entry->rule.tree) in audit_data_to_entry()
616 audit_put_tree(entry->rule.tree); /* that's the temporary one */ in audit_data_to_entry()
617 if (entry->rule.exe) in audit_data_to_entry()
618 audit_remove_mark(entry->rule.exe); /* that's the template one */ in audit_data_to_entry()
634 /* Translate kernel rule representation to struct audit_rule_data. */
807 pr_warn("audit rule for LSM \'%s\' is invalid\n", in audit_dupe_lsm_field()
815 /* Duplicate an audit rule. This will be a deep copy with the exception
818 * rule with the new rule in the filterlist, then free the old rule.
833 new = &entry->rule; in audit_dupe_rule()
848 * since we'd have to have rule gone from the list *and* removed in audit_dupe_rule()
856 * the originals will all be freed when the old rule is freed. */ in audit_dupe_rule()
899 /* Find an existing audit rule.
900 * Caller must hold audit_filter_mutex to prevent stale rule data. */
908 if (entry->rule.inode_f) { in audit_find_rule()
909 h = audit_hash_ino(entry->rule.inode_f->val); in audit_find_rule()
911 } else if (entry->rule.watch) { in audit_find_rule()
916 if (!audit_compare_rule(&entry->rule, &e->rule)) { in audit_find_rule()
923 *p = list = &audit_filter_list[entry->rule.listnr]; in audit_find_rule()
927 if (!audit_compare_rule(&entry->rule, &e->rule)) { in audit_find_rule()
939 /* Add rule to given filterlist if not a duplicate. */
943 struct audit_watch *watch = entry->rule.watch; in audit_add_rule()
944 struct audit_tree *tree = entry->rule.tree; in audit_add_rule()
951 switch (entry->rule.listnr) { in audit_add_rule()
972 err = audit_add_watch(&entry->rule, &list); in audit_add_rule()
985 err = audit_add_tree_rule(&entry->rule); in audit_add_rule()
992 entry->rule.prio = ~0ULL; in audit_add_rule()
993 if (entry->rule.listnr == AUDIT_FILTER_EXIT || in audit_add_rule()
994 entry->rule.listnr == AUDIT_FILTER_URING_EXIT) { in audit_add_rule()
995 if (entry->rule.flags & AUDIT_FILTER_PREPEND) in audit_add_rule()
996 entry->rule.prio = ++prio_high; in audit_add_rule()
998 entry->rule.prio = --prio_low; in audit_add_rule()
1001 if (entry->rule.flags & AUDIT_FILTER_PREPEND) { in audit_add_rule()
1002 list_add(&entry->rule.list, in audit_add_rule()
1003 &audit_rules_list[entry->rule.listnr]); in audit_add_rule()
1005 entry->rule.flags &= ~AUDIT_FILTER_PREPEND; in audit_add_rule()
1007 list_add_tail(&entry->rule.list, in audit_add_rule()
1008 &audit_rules_list[entry->rule.listnr]); in audit_add_rule()
1023 /* Remove an existing rule from filterlist. */
1027 struct audit_tree *tree = entry->rule.tree; in audit_del_rule()
1034 switch (entry->rule.listnr) { in audit_del_rule()
1049 if (e->rule.watch) in audit_del_rule()
1050 audit_remove_watch_rule(&e->rule); in audit_del_rule()
1052 if (e->rule.tree) in audit_del_rule()
1053 audit_remove_tree_rule(&e->rule); in audit_del_rule()
1055 if (e->rule.exe) in audit_del_rule()
1056 audit_remove_mark_rule(&e->rule); in audit_del_rule()
1067 list_del(&e->rule.list); in audit_del_rule()
1108 /* Log rule additions and removals */
1109 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res) in audit_log_rule_change() argument
1122 audit_log_key(ab, rule->filterkey); in audit_log_rule_change()
1123 audit_log_format(ab, " list=%d res=%d", rule->listnr, res); in audit_log_rule_change()
1145 audit_log_rule_change("add_rule", &entry->rule, !err); in audit_rule_change()
1152 audit_log_rule_change("remove_rule", &entry->rule, !err); in audit_rule_change()
1160 if (entry->rule.exe) in audit_rule_change()
1161 audit_remove_mark(entry->rule.exe); in audit_rule_change()
1340 for (i = 0; i < e->rule.field_count; i++) { in audit_filter()
1341 struct audit_field *f = &e->rule.fields[i]; in audit_filter()
1379 result = audit_exe_compare(current, e->rule.exe); in audit_filter()
1392 if (e->rule.action == AUDIT_NEVER || listtype == AUDIT_FILTER_EXCLUDE) in audit_filter()
1404 struct audit_entry *entry = container_of(r, struct audit_entry, rule); in update_lsm_rule()
1412 if (entry->rule.exe) in update_lsm_rule()
1413 audit_remove_mark(entry->rule.exe); in update_lsm_rule()
1425 list_replace_init(&r->rlist, &nentry->rule.rlist); in update_lsm_rule()
1427 list_replace(&r->list, &nentry->rule.list); in update_lsm_rule()
1436 * specific filter fields. When such a rule is found, it is copied, the
1437 * LSM field is re-initialized, and the old rule is replaced with the
1438 * updated rule. */