Question about max syscall number

Steve Grubb sgrubb at redhat.com
Mon Aug 4 19:46:11 UTC 2008


On Wednesday 30 July 2008 23:18:15 chuli wrote:
>   When I use "auditctl -a exit,always -S 2015" in an x86 system, this rule can
> be added. But I thought it would report an error since there is no such
> syscall number "1000" in x86, the max is 318.

We allow this because it's possible that someone could write a kernel module
(maybe not in Linus' tree) that adds syscall numbers. While we wouldn't have
a text interpretation for what it means, we thought that if this occurs that
we would like to allow people to audit these new syscalls if they existed.
It's otherwise harmless if you don't consider the performance hit.

-Steve
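
A lint for the behaviour discussed in this thread, as an added example that is not part of the original post or of the audit project's code: it flags rules whose -S value is a raw number above the highest syscall the local table defines, since auditctl loads such rules without complaint. The function names, the MAX argument and the sample rules are assumptions made for illustration.

```shell
#!/bin/sh
# Flag audit rules whose -S argument is a raw syscall number above the
# highest number the local syscall table defines. auditctl accepts such
# rules silently, so a typo is not caught when the rule is loaded.
#
# Usage:  lint_syscall_rules MAX < rules-file
# Output: one "LINE:NUMBER" pair per out-of-table syscall number.
# (lint_syscall_rules is a hypothetical helper, not an audit tool.)
lint_syscall_rules() {
    awk -v max="$1" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            for (i = 1; i < NF; i++) {
                if ($i != "-S") continue
                n = split($(i + 1), names, ",")  # -S may carry a comma list
                for (j = 1; j <= n; j++)
                    if (names[j] ~ /^[0-9]+$/ && names[j] + 0 > max + 0)
                        print NR ":" names[j]
            }
        }'
}

# Constructed sample rules (not from a real system).
sample_rules() {
    cat <<'EOF'
# constructed examples
-a exit,always -S 2015
-a exit,always -S open -S 5
-a exit,always -S 4,1000 -F uid=0
-w /etc/passwd -p wa
EOF
}

# 318 is the x86 maximum quoted in the thread; pass the value that
# matches your own kernel and architecture.
sample_rules | lint_syscall_rules 318
```

A flagged number is not necessarily a mistake, because an out-of-tree module may define it; the output is a list of rules to review.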



