对audit_context结构的注释

| 2009年5月10日
/* The per-task audit context. */
struct audit_context {
        int                 dummy;      /* must be the first element */
        int                 in_syscall; /* 1 if task is in a syscall 该值是：1 则表示任务在系统调用中 */
        enum audit_state    state, current_state;   //审计级别 有AUDIT_DIABLED:不实用审计
	//AUDIT_BUILD_CONTEXT：创建审计数据结构并做填充 
	//AUDIT_RECORD_CONTEXT：创建审计数据结构并作填充，在系统调用开始和结束时都做记录。
        unsigned int        serial;     /* serial number for record */
        struct timespec     ctime;      /* time of syscall entry */
        int                 major;      /* syscall number ：系统调用号*/
        unsigned long       argv[4];    /* syscall arguments ：系统调用传递的参数*/
        int                 return_valid; /* return code is valid */
        long                return_code;/* syscall return code */
        u64                 prio;
        int                 name_count;	//记录了多少个文件对象，即下面这个names的实际个数
        struct audit_names  names[AUDIT_NAMES];	//记录所审计的文件系统对象的名字
        char *              filterkey;  /* key for rule that triggered record */
        struct path         pwd;
        struct audit_context *previous; /* For nested syscalls */
        struct audit_aux_data *aux;	//保存附加的审计数据
        struct audit_aux_data *aux_pids;//保存在审计时所收到系统信号的进程的进程号
        struct sockaddr_storage *sockaddr;//网络部分审计数据保存
        size_t sockaddr_len;
                                /* Save things to print about task_struct */
	//以下这些都和task_struct中相应的数据项基本一致
        pid_t               pid, ppid;
        uid_t               uid, euid, suid, fsuid;
        gid_t               gid, egid, sgid, fsgid;
        unsigned long       personality;
        int                 arch;

        pid_t               target_pid;
        uid_t               target_auid;
        uid_t               target_uid;
        unsigned int        target_sessionid;
        u32                 target_sid;
        char                target_comm[TASK_COMM_LEN];

        struct audit_tree_refs *trees, *first_trees;
        int tree_count;

        int type;
	//一下所记录的pid，gid等和task_struct中记录的一样
        union {
                struct {
                        int nargs;
                        long args[6];
                } socketcall;
                struct {
                        uid_t                   uid;
                        gid_t                   gid;
                        mode_t                  mode;
                        u32                     osid;
                        int                     has_perm;
                        uid_t                   perm_uid;
                        gid_t                   perm_gid;
                        mode_t                  perm_mode;
                        unsigned long           qbytes;
                } ipc;
                struct {
                        mqd_t                   mqdes;
                        struct mq_attr          mqstat;
                } mq_getsetattr;
                struct {
                        mqd_t                   mqdes;
                        int                     sigev_signo;
                } mq_notify;
                struct {
                        mqd_t                   mqdes;
                        size_t                  msg_len;
                        unsigned int            msg_prio;
                        struct timespec         abs_timeout;
                } mq_sendrecv;
                struct {
                        int                     oflag;
                        mode_t                  mode;
                        struct mq_attr          attr;
                } mq_open;
                struct {
                        pid_t                   pid;
                        struct audit_cap_data   cap;
                } capset;
        };
        int fds[2];

#if AUDIT_DEBUG
        int                 put_count;
        int                 ino_count;
#endif
};
看完本文有收获？请分享给更多人
关注「黑光技术」，关注大数据+微服务
分类

标签
