[PATCH] audit: fix broken class-based syscall audit
Steve Grubb
sgrubb at redhat.com
Thu May 17 15:45:19 UTC 2007
On Thursday 17 May 2007 11:23, Klaus Weidner wrote:
> > So, way back over at syscall entry would be the time to notice this
> > problem instead of here. If we are concerned about this, it might be a
> > general control feature like enable/disable, fail mode, or backlog. We
> > could make something to report out of range syscalls.
>
> Can we agree to do just the simple fix for this issue for now, and maybe
> revisit adding additional sanity checks later if people think they are
> helpful?
Certainly. The patch as submitted is fine and Al ack'ed it. I was thinking we
should have one more cleanup as a separate patch at some point that catches
this at syscall entry and allows ignore/printk/panic selection just like the
fail option for the audit system does. In the case of ignore (which would be
default), your patch is needed.
-Steve
More information about the Linux-audit
mailing list