95 	struct audit_krule *erule = &e->rule;  in audit_free_rule()
129 	entry->rule.fields = fields;  in audit_init_entry()
221 	struct audit_field *arch = entry->rule.arch_f;  in audit_match_signal()
227 					       entry->rule.mask) &&  in audit_match_signal()
229 					       entry->rule.mask));  in audit_match_signal()
235 					       entry->rule.mask));  in audit_match_signal()
238 					       entry->rule.mask));  in audit_match_signal()
246 static inline struct audit_entry *audit_to_entry_common(struct audit_rule_data *rule)  in audit_to_entry_common()  argument
253 	listnr = rule->flags & ~AUDIT_FILTER_PREPEND;  in audit_to_entry_common()
259 		if (rule->action == AUDIT_ALWAYS)  in audit_to_entry_common()
268 	if (unlikely(rule->action == AUDIT_POSSIBLE)) {  in audit_to_entry_common()
272 	if (rule->action != AUDIT_NEVER && rule->action != AUDIT_ALWAYS)  in audit_to_entry_common()
274 	if (rule->field_count > AUDIT_MAX_FIELDS)  in audit_to_entry_common()
278 	entry = audit_init_entry(rule->field_count);  in audit_to_entry_common()
282 	entry->rule.flags = rule->flags & AUDIT_FILTER_PREPEND;  in audit_to_entry_common()
283 	entry->rule.listnr = listnr;  in audit_to_entry_common()
284 	entry->rule.action = rule->action;  in audit_to_entry_common()
285 	entry->rule.field_count = rule->field_count;  in audit_to_entry_common()
288 		entry->rule.mask[i] = rule->mask[i];  in audit_to_entry_common()
292 		__u32 *p = &entry->rule.mask[AUDIT_WORD(bit)];  in audit_to_entry_common()
302 				entry->rule.mask[j] |= class[j];  in audit_to_entry_common()
337 		if (entry->rule.listnr != AUDIT_FILTER_TYPE &&  in audit_field_valid()
338 		    entry->rule.listnr != AUDIT_FILTER_USER)  in audit_field_valid()
429 		struct audit_field *f = &entry->rule.fields[i];  in audit_data_to_entry()
444 			entry->rule.pflags |= AUDIT_LOGINUID_LEGACY;  in audit_data_to_entry()
473 			entry->rule.arch_f = f;  in audit_data_to_entry()
488 			entry->rule.buflen += f->val;  in audit_data_to_entry()
509 			entry->rule.buflen += f->val;  in audit_data_to_entry()
511 			err = audit_to_watch(&entry->rule, str, f->val, f->op);  in audit_data_to_entry()
521 			entry->rule.buflen += f->val;  in audit_data_to_entry()
523 			err = audit_make_tree(&entry->rule, str, f->op);  in audit_data_to_entry()
529 			err = audit_to_inode(&entry->rule, f);  in audit_data_to_entry()
534 			if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)  in audit_data_to_entry()
539 			entry->rule.buflen += f->val;  in audit_data_to_entry()
540 			entry->rule.filterkey = str;  in audit_data_to_entry()
545 	if (entry->rule.inode_f && entry->rule.inode_f->op == Audit_not_equal)  in audit_data_to_entry()
546 		entry->rule.inode_f = NULL;  in audit_data_to_entry()
552 	if (entry->rule.watch)  in audit_data_to_entry()
553 		audit_put_watch(entry->rule.watch); /* matches initial get */  in audit_data_to_entry()
554 	if (entry->rule.tree)  in audit_data_to_entry()
555 		audit_put_tree(entry->rule.tree); /* that's the temporary one */  in audit_data_to_entry()
759 	new = &entry->rule;  in audit_dupe_rule()
828 	if (entry->rule.inode_f) {  in audit_find_rule()
829 		h = audit_hash_ino(entry->rule.inode_f->val);  in audit_find_rule()
831 	} else if (entry->rule.watch) {  in audit_find_rule()
836 				if (!audit_compare_rule(&entry->rule, &e->rule)) {  in audit_find_rule()
843 		*p = list = &audit_filter_list[entry->rule.listnr];  in audit_find_rule()
847 		if (!audit_compare_rule(&entry->rule, &e->rule)) {  in audit_find_rule()
863 	struct audit_watch *watch = entry->rule.watch;  in audit_add_rule()
864 	struct audit_tree *tree = entry->rule.tree;  in audit_add_rule()
871 	if (entry->rule.listnr == AUDIT_FILTER_USER ||  in audit_add_rule()
872 		entry->rule.listnr == AUDIT_FILTER_TYPE)  in audit_add_rule()
889 		err = audit_add_watch(&entry->rule, &list);  in audit_add_rule()
902 		err = audit_add_tree_rule(&entry->rule);  in audit_add_rule()
909 	entry->rule.prio = ~0ULL;  in audit_add_rule()
910 	if (entry->rule.listnr == AUDIT_FILTER_EXIT) {  in audit_add_rule()
911 		if (entry->rule.flags & AUDIT_FILTER_PREPEND)  in audit_add_rule()
912 			entry->rule.prio = ++prio_high;  in audit_add_rule()
914 			entry->rule.prio = --prio_low;  in audit_add_rule()
917 	if (entry->rule.flags & AUDIT_FILTER_PREPEND) {  in audit_add_rule()
918 		list_add(&entry->rule.list,  in audit_add_rule()
919 			 &audit_rules_list[entry->rule.listnr]);  in audit_add_rule()
921 		entry->rule.flags &= ~AUDIT_FILTER_PREPEND;  in audit_add_rule()
923 		list_add_tail(&entry->rule.list,  in audit_add_rule()
924 			      &audit_rules_list[entry->rule.listnr]);  in audit_add_rule()
948 	struct audit_watch *watch = entry->rule.watch;  in audit_del_rule()
949 	struct audit_tree *tree = entry->rule.tree;  in audit_del_rule()
956 	if (entry->rule.listnr == AUDIT_FILTER_USER ||  in audit_del_rule()
957 		entry->rule.listnr == AUDIT_FILTER_TYPE)  in audit_del_rule()
969 	if (e->rule.watch)  in audit_del_rule()
970 		audit_remove_watch_rule(&e->rule);  in audit_del_rule()
972 	if (e->rule.tree)  in audit_del_rule()
973 		audit_remove_tree_rule(&e->rule);  in audit_del_rule()
976 	list_del(&e->rule.list);  in audit_del_rule()
1027 static void audit_log_rule_change(char *action, struct audit_krule *rule, int res)  in audit_log_rule_change()  argument
1043 	audit_log_key(ab, rule->filterkey);  in audit_log_rule_change()
1044 	audit_log_format(ab, " list=%d res=%d", rule->listnr, res);  in audit_log_rule_change()
1069 		audit_log_rule_change("add_rule", &entry->rule, !err);  in audit_rule_change()
1073 		audit_log_rule_change("remove_rule", &entry->rule, !err);  in audit_rule_change()
1254 static int audit_filter_user_rules(struct audit_krule *rule, int type,  in audit_filter_user_rules()  argument
1259 	for (i = 0; i < rule->field_count; i++) {  in audit_filter_user_rules()
1260 		struct audit_field *f = &rule->fields[i];  in audit_filter_user_rules()
1306 	switch (rule->action) {  in audit_filter_user_rules()
1323 		rc = audit_filter_user_rules(&e->rule, type, &state);  in audit_filter_user()
1347 		for (i = 0; i < e->rule.field_count; i++) {  in audit_filter_type()
1348 			struct audit_field *f = &e->rule.fields[i];  in audit_filter_type()
1365 	struct audit_entry *entry = container_of(r, struct audit_entry, rule);  in update_lsm_rule()
1384 			list_replace_init(&r->rlist, &nentry->rule.rlist);  in update_lsm_rule()
1386 		list_replace(&r->list, &nentry->rule.list);  in update_lsm_rule()