On Mon, 2005-04-25 at 14:08 -0500, Mounir Bsaibes wrote:
> What is the meaning (how it is used) of "possible" in the following
> example:
>
>   auditctl -a entry,possible -S chmod

The use of 'possible' means that the auditing state in
audit_syscall_entry() is set to AUDIT_BUILD_CONTEXT, which is documented
thus:

    AUDIT_BUILD_CONTEXT,    /* Create the per-task audit_context,
                             * and always fill it in at syscall
                             * entry time.  This makes a full
                             * syscall record available if some
                             * other part of the kernel decides it
                             * should be recorded. */

So it logs the syscall arguments, but doesn't actually set
context->auditable. It merely makes sure that the arguments are there in
_case_ some other part of the kernel wants to trigger auditing of this
particular syscall.
--
dwmw2
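
The behaviour described in the reply above, as an added user-space model; it is not kernel code and not part of the original message. All `model_*` names are hypothetical, the sample syscall number and arguments are constructed, and the "always" and disabled states are modelled assumptions included only for contrast with "possible".

```c
/* Simplified user-space model of the audit states discussed above.
 * Not kernel code: every model_* name here is hypothetical. */
#include <stdio.h>
#include <string.h>

enum model_state { MODEL_DISABLED, MODEL_BUILD_CONTEXT, MODEL_RECORD_CONTEXT };

struct model_context {
    int in_syscall;         /* context was filled in at syscall entry */
    int auditable;          /* a record will be written at syscall exit */
    int major;              /* syscall number */
    unsigned long argv[4];  /* syscall arguments captured at entry */
};

/* Entry: "possible" (BUILD) and "always" (RECORD) both capture the
 * arguments, but only "always" marks the syscall auditable up front. */
static void model_syscall_entry(struct model_context *ctx, enum model_state st,
                                int major, const unsigned long args[4])
{
    memset(ctx, 0, sizeof(*ctx));
    if (st == MODEL_DISABLED)
        return;
    ctx->major = major;
    memcpy(ctx->argv, args, sizeof(ctx->argv));
    ctx->in_syscall = 1;
    ctx->auditable = (st == MODEL_RECORD_CONTEXT);
}

/* Stand-in for "some other part of the kernel" deciding to audit. */
static void model_request_audit(struct model_context *ctx)
{
    if (ctx->in_syscall)
        ctx->auditable = 1;
}

/* Exit: returns 1 if a syscall record is emitted, 0 otherwise. */
static int model_syscall_exit(struct model_context *ctx)
{
    int emit = ctx->in_syscall && ctx->auditable;
    if (emit)
        printf("syscall=%d a0=%lx a1=%lo\n", ctx->major, ctx->argv[0], ctx->argv[1]);
    ctx->in_syscall = 0;
    return emit;
}

int main(void)
{
    const unsigned long args[4] = { 0x1000, 0644, 0, 0 }; /* constructed sample */
    struct model_context ctx;
    model_syscall_entry(&ctx, MODEL_BUILD_CONTEXT, 90, args);
    model_request_audit(&ctx);      /* without this call, nothing is emitted */
    return model_syscall_exit(&ctx) ? 0 : 1;
}
```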