audit 0.6.10 released

David Woodhouse dwmw2 at infradead.org
Tue Apr 5 21:56:29 UTC 2005


On Tue, 2005-04-05 at 17:05 -0400, Steve Grubb wrote:
> How would people want this to work? Like Debbie suggested?

Dunno; I didn't read that mail because it was HTML, so required a lot
more effort to read than normal mail, which is in a carefully-selected
and _uniform_ font so it only requires a glance to take in the
information. Let me dig it out and spend some time interpreting it...

 ... /me wonders why Evolution has taken to displaying HTML in such a
_tiny_ font these days anyway...

...apart from the fact that she's specifying architectures by number and
using the wrong numbers, yes. You might want to provide a name<->number
mapping to make this easier for users. Also, if the '-F arch=XXX' is
omitted on a biarch machine and the syscall is specified by name, you
might want to set a watch on the appropriately numbered syscall in
_each_ available syscall type. 

> > The lower 16 bits are the ELF machine type. 
> 
> How do you get the ELF machine type? 

#include <elf.h>

See the discussion with Chris -- it seemed most appropriate to re-use
these instead of inventing a new number space. We had to add the
'64-bit' flag since the EM_xxx number space doesn't distinguish between
these for some architectures (S390, MIPS etc.). I think it's because
with ELF, you've already had to work out whether it's Elf32 or Elf64
before you can get to the e_machine field anyway.

Since I had to add the 64-bit flag to disambiguate between 32-bit and
64-bit on some architectures, I figured I'd make it uniform and set it
on _all_ 64-bit architectures, in case that made life easy for you --
for example when dealing with arguments. I added the endianness flag for
similar reasons.

-- 
dwmw2
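
The encoding described in the message above (ELF machine type in the lower 16 bits, plus a 64-bit flag and an endianness flag) together with the suggested name<->number mapping, as an added example that is not part of the original message or of the audit code. The function and macro names are hypothetical; the flag bit positions and the per-architecture combinations are not given in the message and follow the kernel's `<linux/audit.h>` definitions.

```c
#include <elf.h>     /* EM_* machine types, per the message */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bit positions as in the kernel's <linux/audit.h>; these local names are hypothetical. */
#define ARCH_64BIT 0x80000000u
#define ARCH_LE    0x40000000u

struct arch_name { const char *name; uint32_t value; };

/* Name <-> number table: ELF machine type in the low 16 bits, flags on top. */
static const struct arch_name arch_table[] = {
    { "i386",   EM_386    | ARCH_LE },
    { "x86_64", EM_X86_64 | ARCH_64BIT | ARCH_LE },
    { "ppc",    EM_PPC },
    { "ppc64",  EM_PPC64  | ARCH_64BIT },
    { "s390",   EM_S390 },                /* same EM_ value as s390x ... */
    { "s390x",  EM_S390   | ARCH_64BIT }, /* ... only the flag differs */
};
#define N_ARCH (sizeof arch_table / sizeof arch_table[0])

/* Returns 0 for an unknown name (no table entry encodes to 0). */
uint32_t arch_from_name(const char *name) {
    for (size_t i = 0; i < N_ARCH; i++)
        if (strcmp(arch_table[i].name, name) == 0)
            return arch_table[i].value;
    return 0;
}

/* Returns NULL when the full 32-bit value, flags included, is not in the table. */
const char *arch_to_name(uint32_t value) {
    for (size_t i = 0; i < N_ARCH; i++)
        if (arch_table[i].value == value)
            return arch_table[i].name;
    return NULL;
}

unsigned arch_elf_machine(uint32_t v) { return v & 0xffffu; }
int arch_is_64bit(uint32_t v) { return (v & ARCH_64BIT) != 0; }
int arch_is_le(uint32_t v) { return (v & ARCH_LE) != 0; }

int main(void) {
    for (size_t i = 0; i < N_ARCH; i++)
        printf("%-7s 0x%08x em=%u 64bit=%d le=%d\n", arch_table[i].name,
               (unsigned)arch_table[i].value, arch_elf_machine(arch_table[i].value),
               arch_is_64bit(arch_table[i].value), arch_is_le(arch_table[i].value));
    return 0;
}
```

A bare `EM_xxx` number without the flags (for example 3 for i386) does not match any table entry, which is why a rule written with raw numbers can silently fail to match.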



