Hi,
> We allow this because it's possible that someone could write a kernel module
> (maybe not in Linus tree) that adds syscall numbers.

I see. Will it be added in the manual?
If I add a syscall whose number is 1000 in x86, such a syscall can also be
audited. And if I use ausearch -i -sc 1000 to look up the log, the result is
"syscall=unknown syscall(1000)". Should it be interpreted in the manual?
Regards
Chu Li
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Tuesday, August 05, 2008 3:46 AM
To: chuli
Cc: 'linux-audit'
Subject: Re: Question about max syscall number
On Wednesday 30 July 2008 23:18:15 chuli wrote:
> When I use "auditctl -a exit,always -S 2015" on an x86 system, this rule can
> be added. But I thought it would report an error since there is no such
> syscall number "1000" in x86, the max is 318.
We allow this because it's possible that someone could write a kernel module
(maybe not in Linus tree) that adds syscall numbers. While we wouldn't have
a text interpretation for what it means, we thought that if this occurs that
we would like to allow people to audit these new syscalls if they existed.
It's otherwise harmless if you don't consider the performance hit.
-Steve
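
Added example, not part of the original thread or the audit project's code: a small Python scan of SYSCALL records that flags syscall numbers above the architecture's known maximum, the case that `ausearch -i` renders as `unknown syscall(N)`. The log lines are constructed, the name table is an abbreviated subset, and the maximum of 318 is the figure quoted in the thread; `interpret` and `out_of_table` are hypothetical helper names.

```python
import re

# Abbreviated i386 name table (constructed subset; a real tool ships the full table).
I386_NAMES = {1: "exit", 3: "read", 4: "write", 5: "open", 6: "close", 11: "execve"}
I386_MAX = 318  # highest x86 syscall number as quoted in the thread (assumption)

# Constructed sample records in audit.log style; arch=40000003 is 32-bit x86.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1217900000.101:201): arch=40000003 syscall=5 success=yes exit=3 pid=4100 comm="cat"
type=PATH msg=audit(1217900000.101:201): item=0 name="/etc/hosts"
type=SYSCALL msg=audit(1217900000.204:202): arch=40000003 syscall=1000 success=no exit=-38 pid=4101 comm="probe"
type=SYSCALL msg=audit(1217900001.310:203): arch=40000003 syscall=2015 success=no exit=-38 pid=4102 comm="probe"
"""

# Capture the event serial and the raw syscall number of each SYSCALL record.
SYSCALL_RE = re.compile(
    r"^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?\bsyscall=(?P<nr>\d+)",
    re.MULTILINE,
)


def interpret(nr, names=I386_NAMES, max_known=I386_MAX):
    """Name a syscall number, falling back the way the thread's output does."""
    if nr in names:
        return names[nr]
    if nr <= max_known:
        return f"syscall({nr})"  # inside the table range, omitted from the subset
    return f"unknown syscall({nr})"  # no text interpretation exists


def out_of_table(log, max_known=I386_MAX):
    """Return (serial, number, text) for each record beyond the known maximum."""
    hits = []
    for m in SYSCALL_RE.finditer(log):
        nr = int(m.group("nr"))
        if nr > max_known:
            hits.append((int(m.group("serial")), nr, interpret(nr, max_known=max_known)))
    return hits


if __name__ == "__main__":
    for serial, nr, text in out_of_table(SAMPLE_LOG):
        print(f"event {serial}: syscall={text}")
```

Events reported by this scan point either at a rule written for a number the kernel does not implement or at a syscall added by a module outside the mainline tree, so they are worth matching against the loaded rule set and module list.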