Filtering Connect syscalls for af_inet only
Paul Moore
paul at paul-moore.com
Thu Feb 5 20:16:59 UTC 2015
On Thu, Feb 5, 2015 at 2:06 PM, F Rafi <farhanible at gmail.com> wrote:
> I did some digging and now I understand the different size variations of
> sockaddr_storage. I guess I can just filter on a2!=6e then.

I assume 0x6e is the size of sockaddr_un? I would still caution
against filtering on any particular size as you could still use
sockaddr_storage for AF_UNIX. Granted, it's unlikely, but it is
possible.

> And we'd have to keep an eye out for x86 systems. I understand that x86_64
> does not use socketcall() but do you know if multiarch support somehow
> allows 32bit apps on x86_64 to use / translate these calls?

32-bit x86 applications running on an x86_64 system use the 32-bit
socketcall() system call; there is no way around that, it's part of
the 32-bit x86 ABI for Linux.

--
paul moore
www.paul-moore.com

More information about the Linux-audit mailing list
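
An added example, not part of the original message or the audit project's code: instead of keying on the a2 length, it post-filters raw audit records by the address family decoded from the SOCKADDR record, and counts 32-bit socketcall() with call number 3 as a connect. The log lines are constructed, the function names are hypothetical, and it assumes raw (uninterpreted) audit.log records from a little-endian x86 host.

```python
import re
import socket
import struct

# Constructed raw audit.log records (not from the thread); a* fields are hex.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423167419.101:501): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c2a4e10 a2=10 a3=0 pid=2101 comm="curl"
type=SOCKADDR msg=audit(1423167419.101:501): saddr=02000050C00002010000000000000000
type=SYSCALL msg=audit(1423167419.202:502): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffe5b0c9d20 a2=e a3=0 pid=2102 comm="logger"
type=SOCKADDR msg=audit(1423167419.202:502): saddr=01002F72756E2F782E736F636B00
type=SYSCALL msg=audit(1423167419.303:503): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=ffc3a1b0 a2=0 a3=0 pid=2103 comm="wget32"
type=SOCKADDR msg=audit(1423167419.303:503): saddr=020001BBC63364070000000000000000
type=SYSCALL msg=audit(1423167419.404:504): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=ffc3a1b0 a2=0 a3=0 pid=2103 comm="wget32"
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r"(\w+)=(\S+)")
X86_64, I386 = "c000003e", "40000003"  # AUDIT_ARCH_* values as logged

def is_connect(f):
    """Native x86_64 connect(), or 32-bit x86 socketcall() with call 3 (SYS_CONNECT)."""
    if f.get("arch") == X86_64:
        return f.get("syscall") == "42"
    if f.get("arch") == I386:
        return f.get("syscall") == "102" and f.get("a0") == "3"
    return False

def inet_connects(log_text):
    """Return (comm, 'ip:port', entry point) for AF_INET connects only."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:  # merge the SYSCALL and SOCKADDR records of one event
            events.setdefault(m.group(1), {}).update(FIELD.findall(line))
    hits = []
    for f in events.values():
        if not is_connect(f) or "saddr" not in f:
            continue
        raw = bytes.fromhex(f["saddr"])
        if len(raw) < 8:
            continue
        # sa_family is host-endian (little-endian on x86); port is network order.
        family, = struct.unpack_from("<H", raw, 0)
        if family != socket.AF_INET:
            continue  # decide on the family, not on the a2 length
        port, = struct.unpack_from("!H", raw, 2)
        entry = "socketcall" if f["arch"] == I386 else "connect"
        hits.append((f["comm"].strip('"'), f"{socket.inet_ntoa(raw[4:8])}:{port}", entry))
    return hits
```

Event 502 in the sample is an AF_UNIX connect whose a2 is 0xe rather than 0x6e, so a rule excluding only a2=6e would still record it; the family check drops it.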