Hi, Steve
Is there any special reason to set the limitation as
"2015"?
I think this is a bug. The syscall number is not actually limited
according to
"syscall table" in different platform.
This is the patch for latest code in audit SVN project. How about your opinion?
Signed-off-by: Chu Li <chul(a)cn.fujitsu.com>
---
diff --git a/deprecated.c b/deprecated.c
index 4f0c14e..8be8d11 100755
--- a/deprecated.c
+++ b/deprecated.c
@@ -160,6 +160,8 @@ int audit_rule_syscallbyname(struct audit_rule *rule,
if (nr < 0) {
if (isdigit(scall[0]))
nr = strtol(scall, NULL, 0);
+ if (audit_syscall_to_name(nr,machine) == NULL)
+ return -1;
}
if (nr >= 0)
return audit_rule_syscall(rule, nr);
> -----Original Message-----
> From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On
> Behalf Of chuli
> Sent: Thursday, July 31, 2008 11:18 AM
> To: 'Steve Grubb'
> Cc: 'linux-audit'
> Subject: Question about max syscall number
>
> Hi,
>
> When I use "auditctl -a exit,always -S 2015" in x86 system, this rule can
be
> added.
> But I thought it would report error since there is not such syscall number
> "1000"
> in x86, the max is 318. If I use "auditctl -a exit,always -S 2016" in x86
> system,
> it will report " Syscall name unknown: 2016". And it is the same with
x86_64 and
> ia64.
> (syscalls in S390 and ppc syscall table is 1-318)
>
Is there any special reason to set the limitation as
"2015"?
>
> Regards
> Chu Li
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/linux-audit