From: "chuli"
To: 'Steve Grubb'
Cc: 'linux-audit'
Subject: RE: Question about max syscall number
Date: Tue, 5 Aug 2008 15:13:14 +0800
List-Id: linux-audit@redhat.com

Hi,

> We allow this because it's possible that someone could write a kernel module
> (maybe not in Linus tree) that adds syscall numbers.

I see. Will it be added in the manual?

If I add a syscall whose number is 1000 in x86, such syscall can also be audited. And if I use ausearch -i -sc 1000 to look up the log, the result is " syscall=unknown syscall(1000)". Should it be interpreted in the manual?

Regards
Chu Li

> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Tuesday, August 05, 2008 3:46 AM
> To: chuli
> Cc: 'linux-audit'
> Subject: Re: Question about max syscall number
>
> On Wednesday 30 July 2008 23:18:15 chuli wrote:
> > When I use "auditctl -a exit,always -S 2015" in x86 system, this rule can
> > be added. But I thought it would report error since there is not such
> > syscall number "1000" in x86, the max is 318.
>
> We allow this because it's possible that someone could write a kernel module
> (maybe not in Linus tree) that adds syscall numbers. While we wouldn't have
> a text interpretation for what it means, we thought that if this occurs that
> we would like to allow people to audit these new syscalls if they existed.
> It's otherwise harmless if you don't consider the performance hit.
>
> -Steve
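
Added example, not part of the original thread and not code from the audit project: a scan of raw SYSCALL records for syscall numbers above the named range, which are the events ausearch -i prints as "unknown syscall(N)". The function name, the lookup table and the log lines are constructed for illustration; 318 as the x86 maximum is the figure quoted in the thread and varies with kernel version.

```python
import re

# Highest syscall number that has a name, keyed by the audit "arch" value.
# 0x40000003 is AUDIT_ARCH_I386. The limit 318 is the figure quoted in the
# thread (an assumption of this example, not a constant of the audit tools).
MAX_NAMED_SYSCALL = {0x40000003: 318}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")

def unnamed_syscalls(lines, table=MAX_NAMED_SYSCALL):
    """Return (event_id, arch, syscall_no, comm) for every SYSCALL record
    whose number lies above the named range for its architecture."""
    hits = []
    for line in lines:
        if not line.startswith("type=SYSCALL "):
            continue                      # PATH, CWD, ... carry no syscall number
        fields = dict(FIELD.findall(line))
        try:
            arch = int(fields["arch"], 16)    # arch is logged as bare hex
            number = int(fields["syscall"])   # syscall is logged as decimal
        except (KeyError, ValueError):
            continue                      # malformed record: skip it
        limit = table.get(arch)
        if limit is None or number <= limit:
            continue                      # arch not in table, or a named syscall
        m = EVENT_ID.search(line)
        hits.append((m.group(1) if m else None, arch, number,
                     fields.get("comm", "").strip('"')))
    return hits

# Constructed sample records (not taken from a real system).
SAMPLE = [
    'type=SYSCALL msg=audit(1217920394.101:41): arch=40000003 syscall=5 '
    'success=yes exit=3 a0=bf9 a1=0 a2=0 a3=0 items=1 ppid=2100 pid=2101 '
    'uid=0 comm="cat" exe="/bin/cat" key=(null)',
    'type=SYSCALL msg=audit(1217920395.202:42): arch=40000003 syscall=1000 '
    'success=no exit=-38 a0=0 a1=0 a2=0 a3=0 items=0 ppid=2100 pid=2102 '
    'uid=0 comm="probe" exe="/tmp/probe" key=(null)',
    'type=PATH msg=audit(1217920394.101:41): item=0 name="/etc/hosts"',
]

if __name__ == "__main__":
    for event_id, arch, number, comm in unnamed_syscalls(SAMPLE):
        print(f"event {event_id}: arch={arch:#x} syscall={number} comm={comm}")
```

A hit means either a rule was written with a mistyped number or something outside the mainline tree added a syscall, the case Steve describes.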