From: Steve Grubb
Subject: Re: [PATCH] audit: fix broken class-based syscall audit
Date: Thu, 17 May 2007 09:58:25 -0400
Message-ID: <200705170958.25421.sgrubb@redhat.com>
References: <20070516224542.GD11536@w-m-p.com> <16777.1179407950@turing-police.cc.vt.edu>
In-Reply-To: <16777.1179407950@turing-police.cc.vt.edu>
To: linux-audit@redhat.com
Cc: Valdis.Kletnieks@vt.edu, Linus Torvalds, Al Viro
List-Id: linux-audit@redhat.com

On Thursday 17 May 2007 09:19, Valdis.Kletnieks@vt.edu wrote:
> > I'd suggest adding a printk() in addition to returning 0 - you don't want
> > to silently ignore unknown or unsupported syscalls when auditing.
>
> Make it rate-limited, so a program can't unintentionally spam your logs.

For this to happen, the syscall would have to be > 2048. I'd almost imagine
syscalls out of range in general...whether being audited by class as in this
case or with a typical syscall rule is a problem. So, way back over at syscall
entry would be the time to notice this problem instead of here.

If we are concerned about this, it might be a general control feature like
enable/disable, fail mode, or backlog. We could make something to report out
of range syscalls.

-Steve
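The two points raised in this exchange, a class lookup that must refuse syscall numbers beyond its bitmap and a report of that condition that cannot be used to flood the log, as an added userspace model. This is example code written for this page, not the patch under discussion and not kernel code; the 64-word by 32-bit bitmap (so 2048 syscall numbers), the class table, the `audit_match_class`/`audit_class_add` names and the tick-based rate limiter are all assumptions chosen to illustrate the argument, and the flood helper simply drives the lookup repeatedly so the suppression can be observed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes (example only): 64 words of 32 bits cover syscall numbers
 * 0..2047, so any number >= 2048 has no bit in the class bitmap. */
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_MAX_SYSCALL  (AUDIT_BITMASK_SIZE * 32)
#define AUDIT_CLASS_COUNT  4

static uint32_t audit_classes[AUDIT_CLASS_COUNT][AUDIT_BITMASK_SIZE];

/* Fixed-window rate limiter: at most `burst` reports per `interval` ticks.
 * The caller supplies the clock so the model is deterministic; in a kernel
 * this role is played by jiffies. */
struct ratelimit {
    unsigned long interval;
    unsigned long burst;
    unsigned long window_start;
    unsigned long printed;
    unsigned long missed;
};

static int ratelimit_ok(struct ratelimit *rl, unsigned long now)
{
    if (now - rl->window_start >= rl->interval) {
        rl->window_start = now;   /* new window, reset the budget */
        rl->printed = 0;
    }
    if (rl->printed < rl->burst) {
        rl->printed++;
        return 1;
    }
    rl->missed++;
    return 0;
}

static struct ratelimit oor_rl = { .interval = 1000, .burst = 3 };
static unsigned long oor_reported, oor_suppressed;

/* Set a syscall's bit in a class. Rejects out-of-range class or syscall
 * numbers rather than writing past the bitmap. */
int audit_class_add(int cls, unsigned syscall)
{
    if (cls < 0 || cls >= AUDIT_CLASS_COUNT || syscall >= AUDIT_MAX_SYSCALL)
        return -1;
    audit_classes[cls][syscall / 32] |= 1u << (syscall % 32);
    return 0;
}

/* Returns 1 if `syscall` is in class `cls`, 0 otherwise. A number beyond the
 * bitmap is never a match; instead of failing silently it is reported, but
 * only as often as the rate limiter allows. */
int audit_match_class(int cls, unsigned syscall, unsigned long now)
{
    if (cls < 0 || cls >= AUDIT_CLASS_COUNT)
        return 0;
    if (syscall >= AUDIT_MAX_SYSCALL) {
        if (ratelimit_ok(&oor_rl, now)) {
            oor_reported++;
            fprintf(stderr, "audit: syscall %u out of range for class %d\n",
                    syscall, cls);
        } else {
            oor_suppressed++;
        }
        return 0;
    }
    return (audit_classes[cls][syscall / 32] >> (syscall % 32)) & 1;
}

/* Drive the lookup `n` times at one instant and return how many of those
 * calls actually produced a report (the rest were suppressed). */
unsigned long audit_simulate_flood(int cls, unsigned syscall,
                                   unsigned long now, int n)
{
    unsigned long before = oor_reported;
    for (int i = 0; i < n; i++)
        audit_match_class(cls, syscall, now);
    return oor_reported - before;
}

unsigned long audit_oor_reported(void)   { return oor_reported; }
unsigned long audit_oor_suppressed(void) { return oor_suppressed; }

int main(void)
{
    audit_class_add(0, 2);
    audit_class_add(0, 2047);
    printf("match 2: %d, match 3: %d, match 2047: %d\n",
           audit_match_class(0, 2, 0), audit_match_class(0, 3, 0),
           audit_match_class(0, 2047, 0));
    printf("reports let through for 10 out-of-range calls: %lu\n",
           audit_simulate_flood(0, 5000, 10, 10));
    printf("reported %lu, suppressed %lu\n",
           audit_oor_reported(), audit_oor_suppressed());
    return 0;
}
```

The bounds check is what keeps a bad syscall number from indexing past the bitmap; the limiter is what keeps a program that repeatedly issues such a number from turning the report into a log flood. Where the check should live (here, or once at syscall entry as Steve suggests) is a placement question the model does not settle.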