syscall filtering on personality
Steve Grubb
sgrubb at redhat.com
Tue Mar 8 20:34:48 UTC 2005
On Tuesday 08 March 2005 15:18, Debora Velarde wrote:
> So it looks like, if you add a syscall by name to auditctl, it always adds
> only the rule for the 64bit syscall number.
Actually, this should be the syscall number that auditctl was compiled with.
> Should auditctl add both?
I don't think so. How does it know what personalities you want to watch?
> Or should auditctl use the pers flag to figure out which syscall number to
> add?
How about we make pers take a list? This could be implemented one of 2 ways.
auditctl can generate a rule for each personality. Or with some changes in
the kernel, we can make personality act more like a bit mask so that we don't
have to load as many rules in the kernel.
Userspace can generate a mask or separate rules. Any preferences?
-Steve
More information about the Linux-audit
mailing list