On Wednesday 30 July 2008 23:18:15 chuli wrote:
> When I use "auditctl -a exit,always -S 2015" in an x86 system, this rule can
> be added. But I thought it would report an error since there is no such
> syscall number "1000" in x86, the max is 318.

We allow this because it's possible that someone could write a kernel module
(maybe not in Linus's tree) that adds syscall numbers. While we wouldn't have
a text interpretation for what it means, we thought that if this occurs,
we would like to allow people to audit these new syscalls if they existed.
It's otherwise harmless if you don't consider the performance hit.

-Steve
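
Because auditctl accepts such rules silently, a rule file can be checked offline for numeric `-S` values above the architecture's highest syscall number. The following is an added example, not code from this thread or from the audit project: the limit 318 is the x86 figure quoted in the question, the sample rules are constructed, and the handling of comma-separated `-S` values is an assumption about the rule syntax in use.

```python
import shlex

# Highest x86 syscall number as stated in the thread (2008-era kernel).
X86_MAX_SYSCALL = 318

# Constructed sample rules; line 2 is the rule from the question.
SAMPLE_RULES = """\
# constructed sample audit.rules
-a exit,always -S 2015
-a exit,always -S open -S 5
-a exit,always -F arch=b32 -S 318,319 -k test
-w /etc/passwd -p wa
"""


def unnamed_syscalls(rules_text, max_nr=X86_MAX_SYSCALL):
    """Return (line_no, number) for each numeric -S value above max_nr.

    Such rules load without error, but the kernel's syscall table has no
    entry for them unless an out-of-tree module adds one, so they only
    cost filter evaluation time on every syscall exit.
    """
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok != "-S" or i + 1 >= len(tokens):
                continue
            # Assumption: several syscalls may be given as a comma list.
            for value in tokens[i + 1].split(","):
                # Names such as "open" are left to auditctl's own lookup.
                if value.isdigit() and int(value) > max_nr:
                    findings.append((line_no, int(value)))
    return findings


if __name__ == "__main__":
    for line_no, nr in unnamed_syscalls(SAMPLE_RULES):
        print(f"line {line_no}: syscall {nr} is above {X86_MAX_SYSCALL}; "
              "the rule loads but matches no known x86 syscall")
```

Pass a different `max_nr` for other architectures or newer kernels, since the table size changes between them.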