Question about max syscall number
Steve Grubb
sgrubb at redhat.com
Tue Aug 5 13:58:02 UTC 2008
On Tuesday 05 August 2008 03:13:14 chuli wrote:
> > We allow this because its possible that someone could write a kernel
> > module (maybe not in Linus tree) that adds syscall numbers.
>
> I see. Will it be added in the manual?
I suppose I could add a few words. But I don't want to go too far with this
since I am yet to see a module in the main line that does this. I don't want
to emphasize something that is rare, or only theoretically possible but in
practice doesn't exist.
> If I add a syscall whose number is 1000 in x86, such syscall can also be
> auditd.
Sure.
> And If I use ausearch -i -sc 1000 to lookup the log, the result is
> " syscall=unknown syscall(1000)". Is it should be interpreted in the
> manual?
There is no way to intepret it. We don't know what it is.
-Steve
More information about the Linux-audit
mailing list