Filtering Connect syscalls for af_inet only

Paul Moore paul at paul-moore.com
Thu Feb 5 20:34:47 UTC 2015


On Thu, Feb 5, 2015 at 3:26 PM, Hassan Sultan <hsultan at thefroid.net> wrote:
> Wouldn't x86 simply be a filter with 2 comparisons : one on a0 to filter
> only connect, and one on a3 for the sockaddr size ?
>
> Basically, on x86 you have one rule : the one with 2 comparisons
> On x64 you have 2 rules : one on the connect syscall, and one on the
> socketcall syscall with 2 comparisons

The socketcall() syscall takes two arguments, the first indicates the
syscall (e.g. connect()) and the second is a binary blob that contains
the arguments for the socket syscall.

-- 
paul moore
www.paul-moore.com
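An added example, not code from the thread or from the audit project, that models the difference Paul describes between the two ABIs: on x86_64 connect(fd, addr, addrlen) carries the address length directly in the third syscall argument (audit "a2"), while on i386 socketcall(SYS_CONNECT, args) only carries a user-space pointer to an array holding those same three values, so a filter that compares registers alone can match the call number but not the address length. The register structs, the helper names, and the sample values are constructed for illustration; SYS_CONNECT is the value from <linux/net.h>.

```c
/* Added example: how a connect() address length is visible to a
 * syscall filter on x86_64 versus i386 socketcall().  Not from the
 * thread; struct and function names are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/net.h>      /* SYS_CONNECT: socketcall() sub-call number */
#endif
#ifndef SYS_CONNECT
#define SYS_CONNECT 3       /* same value <linux/net.h> defines on Linux */
#endif

/* A connect() to an IPv4 address passes sizeof(struct sockaddr_in), i.e. 16. */
#define AF_INET_ADDRLEN ((unsigned long)sizeof(struct sockaddr_in))

/* Register view a filter sees on x86_64: connect() args directly in a0..a2. */
struct regs_x86_64 { unsigned long a0, a1, a2; };

/* Register view on i386: socketcall(call, args) where a1 is a user pointer. */
struct regs_i386 { unsigned long a0, a1; };

/* Builds the argument blob that i386 libc hands to socketcall() for connect(). */
void pack_socketcall_connect(int fd, const struct sockaddr *sa,
                             socklen_t len, unsigned long blob[3])
{
    blob[0] = (unsigned long)fd;
    blob[1] = (unsigned long)(uintptr_t)sa;
    blob[2] = (unsigned long)len;
}

/* x86_64: one rule, one comparison; the address length is in a2. */
bool x86_64_connect_is_af_inet(const struct regs_x86_64 *r)
{
    return r->a2 == AF_INET_ADDRLEN;
}

/* i386: a register-only comparison can match a0 == SYS_CONNECT, but a1
 * holds only a pointer; the length lives inside the pointed-to blob. */
bool i386_socketcall_is_connect(const struct regs_i386 *r)
{
    return r->a0 == SYS_CONNECT;
}

/* Only by dereferencing the blob, which a register-only filter cannot
 * do, can the address length be checked on the socketcall() path. */
bool i386_socketcall_connect_is_af_inet(const struct regs_i386 *r)
{
    if (!i386_socketcall_is_connect(r))
        return false;
    const unsigned long *blob = (const unsigned long *)(uintptr_t)r->a1;
    return blob[2] == AF_INET_ADDRLEN;
}

int main(void)
{
    struct sockaddr_in sin;           /* constructed sample address */
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;

    struct regs_x86_64 rx = { 3, (unsigned long)(uintptr_t)&sin, sizeof sin };
    printf("x86_64 connect a2=%lu -> AF_INET: %d\n",
           rx.a2, x86_64_connect_is_af_inet(&rx));

    unsigned long blob[3];
    pack_socketcall_connect(3, (const struct sockaddr *)&sin, sizeof sin, blob);
    struct regs_i386 ri = { SYS_CONNECT, (unsigned long)(uintptr_t)blob };
    printf("i386 socketcall a0=%lu a1=<pointer> -> connect: %d, AF_INET "
           "(needs blob[2]=%lu): %d\n", ri.a0, i386_socketcall_is_connect(&ri),
           blob[2], i386_socketcall_connect_is_af_inet(&ri));
    return 0;
}
```

The i386 check that reads blob[2] only works in a process that can dereference the pointer, which is the reason a kernel-side register filter on socketcall() stops at the call number.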
