Clone and fcntl64 flags patch
John D. Ramsdell
ramsdell at mitre.org
Mon Jul 23 11:44:42 UTC 2007
Enclosed is a patch for auparse/interpret.c that makes it so that
a0 is interpreted for clone flags, not a2. It also fixes two problems
with interpreting the fcntl system call. The name of the system call
is fcntl64, but the original code looked for the name fcntl. I have
also added a case so that a2 is printed as FD_CLOEXEC whenever a1 is
F_SETFD and a2 is 1.
I still haven't figured out why the auparse library prints getdents
when strace print getdents64. I'll keep on looking. You'd think that
either both getdents and fcntl would be printed with or without the
64 tacked on, but the current situation seem very odd to me.
John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clone-fcntl-flags.patch
Type: text/x-patch
Size: 7789 bytes
Desc: clone fcntl64
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070723/97375708/attachment.bin>
More information about the Linux-audit
mailing list