对audit_context结构的注释


/* The per-task audit context. */
struct audit_context {
int dummy; /* must be the first element */
int in_syscall; /* 1 if task is in a syscall 该值是:1 则表示任务在系统调用中 */
enum audit_state state, current_state; //审计级别 有AUDIT_DIABLED:不实用审计
//AUDIT_BUILD_CONTEXT:创建审计数据结构并做填充
//AUDIT_RECORD_CONTEXT:创建审计数据结构并作填充,在系统调用开始和结束时都做记录。
unsigned int serial; /* serial number for record */
struct timespec ctime; /* time of syscall entry */
int major; /* syscall number :系统调用号*/
unsigned long argv[4]; /* syscall arguments :系统调用传递的参数*/
int return_valid; /* return code is valid */
long return_code;/* syscall return code */
u64 prio;
int name_count; //记录了多少个文件对象,即下面这个names的实际个数
struct audit_names names[AUDIT_NAMES]; //记录所审计的文件系统对象的名字
char * filterkey; /* key for rule that triggered record */
struct path pwd;
struct audit_context *previous; /* For nested syscalls */
struct audit_aux_data *aux; //保存附加的审计数据
struct audit_aux_data *aux_pids;//保存在审计时所收到系统信号的进程的进程号
struct sockaddr_storage *sockaddr;//网络部分审计数据保存
size_t sockaddr_len;
/* Save things to print about task_struct */
//以下这些都和task_struct中相应的数据项基本一致
pid_t pid, ppid;
uid_t uid, euid, suid, fsuid;
gid_t gid, egid, sgid, fsgid;
unsigned long personality;
int arch;

pid_t target_pid;
uid_t target_auid;
uid_t target_uid;
unsigned int target_sessionid;
u32 target_sid;
char target_comm[TASK_COMM_LEN];

struct audit_tree_refs *trees, *first_trees;
int tree_count;

int type;
//一下所记录的pid,gid等和task_struct中记录的一样
union {
struct {
int nargs;
long args[6];
} socketcall;
struct {
uid_t uid;
gid_t gid;
mode_t mode;
u32 osid;
int has_perm;
uid_t perm_uid;
gid_t perm_gid;
mode_t perm_mode;
unsigned long qbytes;
} ipc;
struct {
mqd_t mqdes;
struct mq_attr mqstat;
} mq_getsetattr;
struct {
mqd_t mqdes;
int sigev_signo;
} mq_notify;
struct {
mqd_t mqdes;
size_t msg_len;
unsigned int msg_prio;
struct timespec abs_timeout;
} mq_sendrecv;
struct {
int oflag;
mode_t mode;
struct mq_attr attr;
} mq_open;
struct {
pid_t pid;
struct audit_cap_data cap;
} capset;
};
int fds[2];

#if AUDIT_DEBUG
int put_count;
int ino_count;
#endif
};

感觉有意思?来鼓励一下!
打赏黑光技术

Leave a Reply

Your email address will not be published. Required fields are marked *