Re: syscall filtering on personality
On Tuesday 08 March 2005 15:18, Debora Velarde wrote:
So it looks like, if you add a syscall by name to auditctl, it always
adds
only the rule for the 64bit syscall number.
Actually, this should be the syscall number that auditctl was compiled with.
Should auditctl add both?
I don't think so. How does it know what personalities you want to watch?
Or should auditctl use the pers flag to figure out which syscall
number to
add?
How about we make pers take a list? This could be implemented one of 2 ways.
auditctl can generate a rule for each personality. Or with some changes in
the kernel, we can make personality act more like a bit mask so that we don't
have to load as many rules in the kernel.
Userspace can generate a mask or separate rules. Any preferences?
-Steve