I did some digging and now I understand the different size variations of sockaddr_storage. I guess I can just filter on a2!=6e then.

And we'd have to keep an eye out for x86 systems. I understand that x86_64 does not use socketcall(), but do you know if multiarch support somehow allows 32-bit apps on x86_64 to use / translate these calls?

Thanks again!
Farhan

On Thu, Feb 5, 2015 at 10:38 AM, Paul Moore <paul@paul-moore.com> wrote:
On Thu, Feb 5, 2015 at 10:31 AM, F Rafi <farhanible@gmail.com> wrote:
> Ahh..thanks Paul!
>
> Is there a better way to intercept outbound network access calls while
> avoiding af_unix?

I'm not sure; I'm not overly familiar with the auditd/auditctl
filtering capabilities.  There are several people on this list who
are far more knowledgeable about that than me.

> I assume sockaddr_storage is just a different size (I think 128?)

The idea behind the sockaddr_storage struct was to create a structure
that could be used to represent any address family that the system
supports.  I don't believe there is a standard size across OSes due to
different levels of support, padding, etc.; in other words, it's
probably best not to rely on a specific size of sockaddr_storage.

--
paul moore
www.paul-moore.com
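Added example, not part of the thread and not code from the audit project: a small Python decoder for the SOCKADDR record that audit emits alongside the SYSCALL record of a connect(). It reads sa_family from the logged saddr bytes instead of trusting the address-length argument (a2), and runs both checks over constructed log lines to show where the a2!=6e idea above (addrlen != sizeof(struct sockaddr_un), which is 110 on Linux) and a family check disagree: an AF_UNIX connect() that passes a shorter addrlen (2 + strlen(path) + 1, or an abstract-namespace name) is kept by the length rule, while an AF_INET connect() that passes sizeof(struct sockaddr_storage) (128 on Linux/glibc) is kept by both. The assumptions are stated in the code: Linux address-family values, a little-endian host for sa_family, x86_64 syscall numbers, and log lines that are constructed for the example rather than captured.

```python
"""Added example (not from the thread): decode audit SOCKADDR records and
join them to their SYSCALL record, to show why a connect() rule keyed on
addrlen (a2 != 0x6e, i.e. != sizeof(struct sockaddr_un) = 110) is not a
reliable AF_UNIX filter. All log lines here are constructed, not captured."""
import re
import socket
import struct

# Linux address-family values, hard-coded because the log may be parsed
# on a different OS than the one that produced it.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def _field(line, name):
    """Return the value of name=... in an audit record, quotes stripped."""
    m = re.search(r"\b%s=(\"[^\"]*\"|\S+)" % re.escape(name), line)
    return m.group(1).strip('"') if m else None


def decode_saddr(hexstr):
    """Decode the raw sockaddr bytes audit logs as saddr=<hex>.

    sa_family is in host byte order; a little-endian host (x86/x86_64) is
    assumed. The kernel logs exactly addrlen bytes, so the record may be
    shorter or longer than the family's own struct."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family")
    family = struct.unpack_from("<H", raw)[0]
    if family == AF_INET and len(raw) >= 8:
        port = struct.unpack_from("!H", raw, 2)[0]           # sin_port, network order
        return {"family": "AF_INET", "port": port,
                "addr": socket.inet_ntop(socket.AF_INET, raw[4:8])}
    if family == AF_INET6 and len(raw) >= 24:
        port = struct.unpack_from("!H", raw, 2)[0]           # sin6_port; flowinfo is 4..8
        return {"family": "AF_INET6", "port": port,
                "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24])}
    if family == AF_UNIX:
        path = raw[2:]
        if path.startswith(b"\0"):   # abstract namespace: leading NUL, then the name
            name = "@" + path[1:].decode("utf-8", "replace")
        else:                        # filesystem path, NUL-terminated if the caller sent one
            name = path.split(b"\0", 1)[0].decode("utf-8", "replace")
        return {"family": "AF_UNIX", "path": name}
    return {"family": "AF_%d" % family, "raw": hexstr}


def join_events(lines):
    """Group the SYSCALL and SOCKADDR records of one event by audit serial."""
    events = {}
    for line in lines:
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {})
        rtype = _field(line, "type")
        if rtype == "SYSCALL":
            ev["syscall"] = int(_field(line, "syscall"))
            ev["addrlen"] = int(_field(line, "a2"), 16)      # audit prints a0..a3 in hex
            ev["comm"] = _field(line, "comm")
        elif rtype == "SOCKADDR":
            ev["sockaddr"] = decode_saddr(_field(line, "saddr"))
    return events


def kept_by_addrlen_rule(ev):
    """What the a2!=6e rule keeps: addrlen != sizeof(struct sockaddr_un)."""
    return ev["addrlen"] != 0x6e


def is_non_unix(ev):
    """The family check: sa_family taken from the SOCKADDR record."""
    return ev["sockaddr"]["family"] != "AF_UNIX"


def disagreements(lines):
    """Serials where the addrlen rule and the family check differ."""
    return sorted(s for s, ev in join_events(lines).items()
                  if kept_by_addrlen_rule(ev) != is_non_unix(ev))


def _inet(ip, port):   # AF_INET saddr as the kernel logs it for addrlen 16
    return ("0200" + struct.pack("!H", port).hex()
            + socket.inet_pton(socket.AF_INET, ip).hex() + "00" * 8)


def _syscall(serial, a2, comm):   # x86_64 connect() is syscall 42, arch c000003e
    return ('type=SYSCALL msg=audit(1423150000.100:%d): arch=c000003e syscall=42 '
            'success=yes exit=0 a0=3 a1=7ffd1c00 a2=%x a3=0 items=0 pid=1234 '
            'comm="%s" key="net_out"' % (serial, a2, comm))


def _sockaddr(serial, saddr_hex):
    return "type=SOCKADDR msg=audit(1423150000.100:%d): saddr=%s" % (serial, saddr_hex)


# Constructed sample log: one connect() event per serial.
SAMPLE_LOG = [
    _syscall(456, 0x10, "curl"),    # IPv4, addrlen 16
    _sockaddr(456, _inet("192.168.0.1", 80)),
    _syscall(457, 0x1c, "ssh"),     # IPv6, addrlen 28
    _sockaddr(457, "0a00" + "01bb" + "00000000"
              + socket.inet_pton(socket.AF_INET6, "2001:db8::1").hex() + "00000000"),
    _syscall(458, 0x6e, "getent"),  # AF_UNIX, full 110-byte struct: the a2 rule drops it
    _sockaddr(458, "0100" + b"/var/run/nscd/socket".hex() + "00" * 88),
    _syscall(459, 0x10, "app"),     # AF_UNIX, addrlen 2+strlen+1: the a2 rule keeps it
    _sockaddr(459, "0100" + b"/run/foo.sock".hex() + "00"),
    _syscall(460, 0x80, "java"),    # IPv4 passed with sizeof(sockaddr_storage) = 128
    _sockaddr(460, _inet("10.0.0.5", 8080) + "00" * 112),
    _syscall(461, 0x14, "xterm"),   # abstract AF_UNIX name, addrlen 20: the a2 rule keeps it
    _sockaddr(461, "0100" + "00" + b"/tmp/.X11-unix/X0".hex()),
]

if __name__ == "__main__":
    for serial, ev in sorted(join_events(SAMPLE_LOG).items()):
        print(serial, ev["comm"], hex(ev["addrlen"]), ev["sockaddr"])
    print("addrlen rule and family check disagree on:", disagreements(SAMPLE_LOG))
```

On i386 (arch=b32), which is what a 32-bit process on an x86_64 kernel uses, connect() has traditionally reached the kernel through socketcall(2): the audited syscall is socketcall, the operation number is in a0 and a1 points at the real argument block, so an a2 test on a -S connect rule does not apply there. The kernel still emits the SOCKADDR record for that path, which is why decoding saddr works for both arches. Kernels much newer than this 2015 thread also add a saddr_fam rule field for filtering on the address family kernel-side, but that is not something the kernels discussed here offer.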