On Friday 29 April 2005 09:21, David Woodhouse wrote:
So it logs the syscall arguments, but doesn't actually set
context->auditable. It merely makes sure that the arguments are there in
_case_ some other part of the kernel wants to trigger auditing of this
particular syscall.
Which leads back to the first part of the question:
Does this option make sense when setting a syscall entry filter or exit
filter? Or, is it meant just for task filtering?
When would a user want to set possible? It seems that by loading syscall
rules, we are asking the audit system to trigger auditing of the syscall.
Perhaps this was meant to complement FileSystem auditing?
I guess we need to figure out what we say on the man page for this and what a
valid use is. And is there an invalid use? (testing scripts)
-Steve