linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

Q: rules and filterkeys do not match #165

Closed LidiYuan closed 1 month ago

LidiYuan commented 1 month ago

```c
static int audit_filter_rules()
{
	/* omitted ... */

	if (ctx && rule->prio <= ctx->prio)
		return 0;

	/* omitted ... */

	if (ctx) {
		if (rule->filterkey) {
			kfree(ctx->filterkey);
			ctx->filterkey = kstrdup(rule->filterkey, GFP_ATOMIC);
		}
		ctx->prio = rule->prio;
	}

	/* omitted ... */
}
```

If the priority of a rule is higher than the priority stored in ctx, but this high priority rule does not have a filterkey, then the filterkey of the previous low priority rule will be stored in ctx, resulting in a mismatch between the rule and the filterkey.

pcmoore commented 1 month ago

This is the expected behavior, tracking the highest priority filterkey that matches on the audit event, and is not a bug.
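
The bookkeeping discussed in this thread can be reproduced in user space; the following is an added example, not code from the issue or from the kernel tree. The names `model_rule`, `model_ctx`, `model_dup`, `model_apply` and `model_run` are hypothetical, and the model assumes every rule matches the event and that the context starts at priority 0 with no key.

```c
/* User-space model of the prio/filterkey bookkeeping quoted in the issue, not
 * kernel code. Assumed: every rule matches the event; ctx starts at prio 0. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct model_rule { unsigned long long prio; const char *filterkey; };
struct model_ctx  { unsigned long long prio; char *filterkey; };

/* Stand-in for kstrdup(): heap copy of s, or NULL if allocation fails. */
static char *model_dup(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Same order as the quoted snippet: skip a rule at or below the recorded prio;
 * else replace the key only if the rule has one, then record its prio. */
static int model_apply(struct model_ctx *ctx, const struct model_rule *rule)
{
    if (rule->prio <= ctx->prio)
        return 0;
    if (rule->filterkey) {
        free(ctx->filterkey);
        ctx->filterkey = model_dup(rule->filterkey);
    }
    ctx->prio = rule->prio;
    return 1;
}

/* Apply rules in order to a fresh ctx; returns its final key (caller frees). */
static char *model_run(const struct model_rule *r, size_t n, unsigned long long *prio_out)
{
    struct model_ctx ctx = { 0, NULL };
    for (size_t i = 0; i < n; i++)
        model_apply(&ctx, &r[i]);
    *prio_out = ctx.prio;
    return ctx.filterkey;
}

int main(void)
{
    /* Constructed rules: keyed low prio, keyless high prio, keyed mid prio. */
    const struct model_rule rules[] = { {1, "low-key"}, {5, NULL}, {3, "mid-key"} };
    unsigned long long prio;
    char *key = model_run(rules, 3, &prio);
    printf("prio=%llu key=%s\n", prio, key ? key : "(none)");
    free(key);
    return 0;
}
```

With these constructed rules the context ends at priority 5 while still carrying `low-key`, and the keyed priority-3 rule is skipped, so anything that groups audit records by key should treat the key as the last key recorded for the event rather than as the identity of the highest-priority matching rule.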