AUDIT_ARCH_ and __NR_syscall constants for seccomp filters
Thomas Weißschuh
linux at weissschuh.net
Mon Jun 28 07:31:53 UTC 2021
Hi everyone,
there does not seem to be a way to access the AUDIT_ARCH_ constant that matches
the currently visible syscall numbers (__NR_...) from the kernel uapi headers.
Background:
I am writing a seccomp BPF filter using the syscall constants to get the
correct syscall numbers for the target architecture.
seccomp_filter.rst tells users to always check the arch values.
But there does not seem a way to get the correct AUDIT_ARCH_ value from the
kernel headers.
Questions:
Is it really necessary to validate the arch value when syscall numbers are
already target-specific?
(If not, should this be added to the docs?)
Would it make sense to expose the audit arch matching the syscall numbers in
the uapi headers?
Link to the actual BPF code:
https://github.com/t-8ch/qmk_firmware/blob/optimize-udev/util/udev/qmk_id.c#L154
Thanks,
Thomas
More information about the Linux-audit
mailing list