On Thursday, September 21, 2023 4:02:49 PM EDT Amjad Gabbar wrote:
> > The best solution would be a kernel modification so that there are no
> > mismatched lists.
>
> I agree as well. This would be the cleanest solution. This would also
> solve the userspace problem of maintaining different lists which can get
> out of hand fairly quickly.

After looking into this, a kernel patch would also not work well. It has to
be arch specific.
> > I guess we can warn on that to rewrite in syscall notation.
>
> We certainly should. I think the user should know that there is a
> performance cost associated with watches and we should explicitly mention
> how it can be optimized in the manpages also. The reason being I am pretty
> sure numerous users/repos still do make use of the -w notation and we do
> want to let them know the issue here. We also need to make quite a few
> changes to the manpages regarding this. Because, initially even I was
> very confused when reading the man pages and seeing the actual
> implementation and results were not quite in sync.
I have made the changes to the master and audit-3.1-maint branches. Please,
everyone concerned, give them tests. The short of it is that if you use the
'-w' notation for watches, it will remain the same and slower. If you use the
syscall notation without "-F arch", you will get a warning that it cannot be
optimized without adding "-F arch". If you add "-F arch", you will possibly
need one for both arches which means doubling the rules. If you do not want
to double the rules, you might place a syscall rule for any 32 system call
(21-no32bit.rules). Or you can leave it as is and not care. The sample rules
and all man pages have been updated.
Please, let me know if this works out better.
-Steve
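The rewrite from '-w' watch notation into syscall notation with "-F arch" that the thread discusses, as an added example (not code from this thread or from the audit-userspace project): it turns each watch into one always,exit rule per arch, so the rule count doubles exactly as Steve describes, and it flags rules the kernel cannot optimize (watches, and syscall rules with no -F arch). The rule grammar assumed is auditctl's; the 'rwxa' default for a watch written without -p is an assumption, and the 21-no32bit.rules alternative is not reproduced here.

```python
import shlex
ARCHES = ("b64", "b32")  # both ABIs a plain watch silently covers on x86_64
def parse_watch(rule):
    """Split an auditctl '-w PATH [-p PERMS] [-k KEY]' rule; None if it is not a watch."""
    toks = shlex.split(rule)
    if "-w" not in toks:
        return None
    # 'rwxa' default is an assumption: auditctl triggers on all access types when -p is absent
    parts = {"path": None, "perms": "rwxa", "key": None}
    opts = {"-w": "path", "-p": "perms", "-k": "key"}
    i = 0
    while i < len(toks):
        if toks[i] not in opts or i + 1 >= len(toks):
            raise ValueError("unsupported token in watch rule: %s" % toks[i])
        parts[opts[toks[i]]] = toks[i + 1]
        i += 2
    return parts

def watch_to_syscall_rules(rule, arches=ARCHES):
    """Rewrite a -w watch into one always,exit rule per arch; -F arch lets the kernel narrow the syscall set."""
    w = parse_watch(rule)
    if w is None:
        return [rule]  # not a watch: pass through unchanged
    out = []
    for arch in arches:
        # same path/perm filters as the watch, so the events recorded do not change
        r = "-a always,exit -F arch=%s -F path=%s -F perm=%s" % (arch, w["path"], w["perms"])
        if w["key"]:
            r += " -k %s" % w["key"]
        out.append(r)
    return out

def lint_rules(lines):
    """Return (line_no, message) for rules the kernel cannot optimize."""
    findings = []
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        toks = shlex.split(s)
        if "-w" in toks:
            findings.append((n, "watch notation (-w): rewrite in syscall notation with -F arch"))
        elif "-a" in toks and not any(t.startswith("arch=") for t in toks):
            findings.append((n, "syscall rule without -F arch: cannot be optimized"))
    return findings
SAMPLE = [  # constructed sample rules, not taken from the audit project's sample files
    "-w /etc/passwd -p wa -k identity",
    "-a always,exit -F path=/etc/shadow -F perm=wa -k identity",
    "-a always,exit -F arch=b64 -S execve -k exec",
]
```

Running lint_rules(SAMPLE) flags the first two rules only; feeding the first through watch_to_syscall_rules gives the b64 and b32 pair that replaces it.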