On Tuesday 01 March 2005 18:01, Debora Velarde wrote:
> So if I want to audit a particular syscall, chmod for example, in a 32bit
> executable, is this the correct usage?:
> "auditctl -a exit,always -S chmod -F pers=0x0008"

Yes. This is the correct usage. The kernel should do the test at
http://lxr.linux.no/source/kernel/auditsc.c#L328
Your test program may not be doing what you think. You may need to strace it
and find the call into the kernel and look at the params. Post a simple test
program that illustrates the problem so we can try it and see what's wrong.
-Steve