* Question about max syscall number
From: chuli @ 2008-07-31 3:18 UTC
To: 'Steve Grubb'; +Cc: 'linux-audit'
Hi,
When I use "auditctl -a exit,always -S 2015" on an x86 system, this rule can be
added.
But I thought it would report an error since there is no such syscall number "1000"
on x86; the max is 318. If I use "auditctl -a exit,always -S 2016" on an x86 system,
it reports "Syscall name unknown: 2016". And it is the same with x86_64 and
ia64.
(The syscalls in the S390 and ppc syscall tables are 1-318.)
Is there any special reason to set the limit to "2015"?
Regards
Chu Li
* [PATCH]Fix the bug about checking the syscall number
From: chuli @ 2008-08-04 3:06 UTC
To: 'Steve Grubb'; +Cc: 'linux-audit'
Hi, Steve
> Is there any special reason to set the limitation as "2015"?
I think this is a bug. The syscall number is not actually limited according to
the "syscall table" on different platforms.
This is the patch for the latest code in the audit SVN project. What is your opinion?
Signed-off-by: Chu Li <chul@cn.fujitsu.com>
---
diff --git a/deprecated.c b/deprecated.c
index 4f0c14e..8be8d11 100755
--- a/deprecated.c
+++ b/deprecated.c
@@ -160,6 +160,8 @@ int audit_rule_syscallbyname(struct audit_rule *rule,
if (nr < 0) {
if (isdigit(scall[0]))
nr = strtol(scall, NULL, 0);
+ if (audit_syscall_to_name(nr,machine) == NULL)
+ return -1;
}
if (nr >= 0)
return audit_rule_syscall(rule, nr);
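Review bot: the new check `+ if (audit_syscall_to_name(nr,machine) == NULL)` rejects every numeric syscall that has no entry in the name table, which removes the deliberate allowance (defended later in this thread) for auditing syscall numbers that have no name yet, such as out-of-tree additions; if a bound is wanted, compare against the machine's maximum number rather than name-table membership. Two smaller points in the same hunk: `strtol(scall, NULL, 0)` discards the end pointer, so an input like "12abc" silently resolves to 12, and the new check also runs when `scall` is not numeric at all, where `nr` still holds the negative result of the name lookup; the existing `if (nr >= 0)` already covers that case, so the check belongs inside the `isdigit` branch (and a space after the comma in the call would match the surrounding style).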
* Re: Question about max syscall number
From: Steve Grubb @ 2008-08-04 19:46 UTC
To: chuli; +Cc: 'linux-audit'
On Wednesday 30 July 2008 23:18:15 chuli wrote:
> When I use "auditctl -a exit,always -S 2015" in x86 system, this rule can
> be added. But I thought it would report error since there is not such
> syscall number "1000" in x86, the max is 318.
We allow this because it's possible that someone could write a kernel module
(maybe not in Linus' tree) that adds syscall numbers. While we wouldn't have
a text interpretation for what it means, we thought that if this occurs
we would like to allow people to audit these new syscalls if they existed.
It's otherwise harmless if you don't consider the performance hit.
-Steve
* RE: Question about max syscall number
From: chuli @ 2008-08-05 7:13 UTC
To: 'Steve Grubb'; +Cc: 'linux-audit'
Hi,
> We allow this because its possible that someone could write a kernel module
> (maybe not in Linus tree) that adds syscall numbers.
I see. Will it be added in the manual?
If I add a syscall whose number is 1000 on x86, such a syscall can also be
audited. And if I use ausearch -i -sc 1000 to look up the log, the result is
"syscall=unknown syscall(1000)". Should that be interpreted in the manual?
Regards
Chu Li
* Re: Question about max syscall number
From: Steve Grubb @ 2008-08-05 13:58 UTC
To: chuli; +Cc: 'linux-audit'
On Tuesday 05 August 2008 03:13:14 chuli wrote:
> > We allow this because its possible that someone could write a kernel
> > module (maybe not in Linus tree) that adds syscall numbers.
>
> I see. Will it be added in the manual?
I suppose I could add a few words. But I don't want to go too far with this
since I have yet to see a module in the mainline that does this. I don't want
to emphasize something that is rare, or only theoretically possible but in
practice doesn't exist.
> If I add a syscall whose number is 1000 in x86, such syscall can also be
> auditd.
Sure.
> And If I use ausearch -i -sc 1000 to lookup the log, the result is
> " syscall=unknown syscall(1000)". Is it should be interpreted in the
> manual?
There is no way to interpret it. We don't know what it is.
-Steve
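The accept-unknown-numbers behaviour Steve describes, the stricter check in Chu Li's patch, and the "unknown syscall(1000)" rendering from the last exchange, modelled side by side in one added example (constructed code, not libaudit's own; the partial x86 name table and the 2015 upper bound are assumptions taken from what the thread reports):

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fragment of an i386 syscall name table (illustration only;
 * the real table is far larger, this one is deliberately partial). */
struct sc_entry { int nr; const char *name; };
static const struct sc_entry x86_table[] = {
    {1, "exit"}, {2, "fork"}, {3, "read"}, {4, "write"}, {5, "open"},
    {318, "getcpu"},
};
#define N_ENTRIES (sizeof x86_table / sizeof x86_table[0])
/* Assumed upper bound: the thread shows 2015 accepted and 2016 rejected. */
#define MAX_ACCEPTED_SYSCALL 2015

/* Number -> name, or NULL when the table has no entry (the ausearch case). */
const char *syscall_to_name(int nr) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (x86_table[i].nr == nr) return x86_table[i].name;
    return NULL;
}

static int syscall_by_name(const char *name) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (strcmp(x86_table[i].name, name) == 0) return x86_table[i].nr;
    return -1;
}

/* Resolve a "-S" argument. strict == 0 is the maintainer's behaviour: a bare
 * number within the bound is accepted even without a name, so syscalls added
 * outside the mainline table can still be audited. strict != 0 is the posted
 * patch's behaviour: a number with no table entry is rejected. -1 = unknown. */
int resolve_syscall_arg(const char *scall, int strict) {
    int nr = syscall_by_name(scall);
    if (nr < 0 && isdigit((unsigned char)scall[0])) {
        char *end;
        long v = strtol(scall, &end, 0);
        /* Reject trailing junk ("12abc") and out-of-range values. */
        if (*end != '\0' || v < 0 || v > MAX_ACCEPTED_SYSCALL) return -1;
        if (strict && syscall_to_name((int)v) == NULL) return -1;
        nr = (int)v;
    }
    return nr;
}

/* Render a logged number the way "ausearch -i" does when no name is known. */
void interpret_syscall(int nr, char *buf, size_t len) {
    const char *name = syscall_to_name(nr);
    if (name) snprintf(buf, len, "syscall=%s", name);
    else snprintf(buf, len, "syscall=unknown syscall(%d)", nr);
}
```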