Question about max syscall number
chuli
chul at cn.fujitsu.com
Tue Aug 5 07:13:14 UTC 2008
Hi,
> We allow this because it's possible that someone could write a kernel module
> (maybe not in Linus tree) that adds syscall numbers.
I see. Will it be added in the manual?
If I add a syscall whose number is 1000 in x86, such a syscall can also be
audited. And if I use ausearch -i -sc 1000 to look up the log, the result is
"syscall=unknown syscall(1000)". Should it be interpreted in the manual?
Regards
Chu Li
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb at redhat.com]
> Sent: Tuesday, August 05, 2008 3:46 AM
> To: chuli
> Cc: 'linux-audit'
> Subject: Re: Question about max syscall number
>
> On Wednesday 30 July 2008 23:18:15 chuli wrote:
> > When I use "auditctl -a exit,always -S 2015" in an x86 system, this rule can
> > be added. But I thought it would report an error since there is no such
> > syscall number "1000" in x86, the max is 318.
>
> We allow this because it's possible that someone could write a kernel module
> (maybe not in Linus tree) that adds syscall numbers. While we wouldn't have
> a text interpretation for what it means, we thought that if this occurs that
> we would like to allow people to audit these new syscalls if they existed.
> It's otherwise harmless if you don't consider the performance hit.
>
> -Steve
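
An added example, not part of the original thread and not code from the audit project: a Python script that scans raw audit records for syscall numbers above the highest known one for the architecture, which are the events ausearch -i renders as "unknown syscall(N)". The sample records are constructed, the function names are hypothetical, and the threshold of 318 for i386 is the figure quoted in the thread.

```python
import re
from collections import Counter

# Assumption: 318 is the highest i386 syscall number quoted in the thread
# (2008-era kernel); set it to match the kernel that produced the log.
MAX_KNOWN_SYSCALL = 318
I386_ARCH = "40000003"  # arch= value the audit system logs for i386

# Constructed, abbreviated records in raw audit.log format (not real log data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1217920394.101:411): arch=40000003 syscall=5 success=yes exit=3 pid=2290 uid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1217920394.101:411): item=0 name="/etc/hosts" inode=1234
type=SYSCALL msg=audit(1217920401.554:412): arch=40000003 syscall=1000 success=no exit=-38 pid=2301 uid=500 comm="probe" exe="/usr/local/bin/probe"
type=SYSCALL msg=audit(1217920402.010:413): arch=40000003 syscall=318 success=yes exit=0 pid=2302 uid=0 comm="sh" exe="/bin/sh"
type=SYSCALL msg=audit(1217920403.777:414): arch=c000003e syscall=320 success=yes exit=0 pid=2303 uid=0 comm="sh" exe="/bin/sh"
type=SYSCALL msg=audit(1217920409.120:415): arch=40000003 syscall=1000 success=yes exit=0 pid=2310 uid=0 comm="probe" exe="/usr/local/bin/probe"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")

def parse_record(line):
    """Split one raw audit record into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def unknown_syscalls(log_text, max_known=MAX_KNOWN_SYSCALL, arch=I386_ARCH):
    """Return SYSCALL records for `arch` whose number exceeds max_known."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Syscall numbers are per-architecture, so only compare matching arch.
        if rec.get("type") != "SYSCALL" or rec.get("arch") != arch:
            continue
        serial = SERIAL_RE.search(rec.get("msg", ""))
        if not rec.get("syscall", "").isdigit() or serial is None:
            continue  # malformed record, or one already run through -i
        if int(rec["syscall"]) > max_known:
            hits.append({"serial": int(serial.group(1)), "syscall": int(rec["syscall"]),
                         "exe": rec.get("exe", "?"), "success": rec.get("success", "?")})
    return hits

def summarize(hits):
    """Count unknown-syscall events per (syscall number, executable)."""
    return Counter((h["syscall"], h["exe"]) for h in hits)

if __name__ == "__main__":
    for (nr, exe), count in summarize(unknown_syscalls(SAMPLE_LOG)).items():
        print(f"unknown syscall({nr}) from {exe}: {count} event(s)")
```

A successful call with an out-of-table number (event 415 in the sample) is the case Steve describes, where some kernel code outside the known table is answering that syscall.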