Is the "possible" option used when checking a syscall filter rule?
David Woodhouse
dwmw2 at infradead.org
Fri Apr 29 13:21:25 UTC 2005
On Mon, 2005-04-25 at 14:08 -0500, Mounir Bsaibes wrote:
> What is the meaning (how it is used) of "possible" in the following
> example:
> auditctl -a entry,possible -S chmod
The use of 'possible' means that the auditing state in
audit_syscall_entry() is set to AUDIT_BUILD_CONTEXT, which is documented
thus:

        AUDIT_BUILD_CONTEXT,    /* Create the per-task audit_context,
                                 * and always fill it in at syscall
                                 * entry time.  This makes a full
                                 * syscall record available if some
                                 * other part of the kernel decides it
                                 * should be recorded. */

So it logs the syscall arguments, but doesn't actually set
context->auditable. It merely makes sure that the arguments are there in
_case_ some other part of the kernel wants to trigger auditing of this
particular syscall.
--
dwmw2
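
The behaviour described in the message above, as an added example that is not part of the original post and is not kernel source: a small userspace C model of a context that is filled in at syscall entry but only produces a record if something sets `auditable` before exit. The `model_*` functions, `run_case` and the sample values are hypothetical, and `AUDIT_DISABLED` and `AUDIT_RECORD_CONTEXT` are assumed here as the "no rule matched" and "record at entry" states.

```c
#include <stdio.h>

/* Userspace model of the behaviour described above; not kernel source. */
enum audit_state { AUDIT_DISABLED, AUDIT_BUILD_CONTEXT, AUDIT_RECORD_CONTEXT };
struct audit_context { int in_syscall, auditable, major; unsigned long argv[2]; };

/* Entry: 'state' is what the matching filter rule selected. */
static void model_syscall_entry(struct audit_context *ctx, enum audit_state state,
                                int major, unsigned long a0, unsigned long a1)
{
    *ctx = (struct audit_context){0};
    if (state == AUDIT_DISABLED)
        return;                         /* no rule matched: nothing captured */
    ctx->major = major;                 /* arguments are filled in ... */
    ctx->argv[0] = a0; ctx->argv[1] = a1;
    ctx->in_syscall = 1;
    /* ... but with 'possible' (AUDIT_BUILD_CONTEXT) auditable stays 0 */
    ctx->auditable = (state == AUDIT_RECORD_CONTEXT);
}

/* Hypothetical stand-in for "some other part of the kernel" wanting a record. */
static void model_request_audit(struct audit_context *ctx)
{
    if (ctx->in_syscall)
        ctx->auditable = 1;
}

/* Exit: returns 1 if a record would be emitted for this syscall. */
static int model_syscall_exit(struct audit_context *ctx)
{
    int emit = ctx->in_syscall && ctx->auditable;
    ctx->in_syscall = 0;
    return emit;
}

/* One syscall with constructed sample values (number 15, pointer, mode 0644). */
static int run_case(enum audit_state state, int other_part_triggers)
{
    struct audit_context ctx;
    model_syscall_entry(&ctx, state, 15, 0x1000UL, 0644UL);
    if (other_part_triggers)
        model_request_audit(&ctx);
    return model_syscall_exit(&ctx);
}

int main(void)
{
    printf("possible alone:     %d\n", run_case(AUDIT_BUILD_CONTEXT, 0));
    printf("possible + trigger: %d\n", run_case(AUDIT_BUILD_CONTEXT, 1));
    return 0;
}
```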