public inbox for linux-audit@redhat.com
* Benefit of 'arch' parameter for syscall rules
From: Matt Rixon @ 2010-09-27 14:59 UTC
  To: Linux-audit



Hi everyone,
What is the benefit of using the 'arch' field parameter in a syscall rule?
Is it necessary?

Thanks,
Matt Rixon


* Re: Benefit of 'arch' parameter for syscall rules
From: Eric Paris @ 2010-09-27 17:10 UTC
  To: Matt Rixon; +Cc: Linux-audit

On Mon, 2010-09-27 at 10:59 -0400, Matt Rixon wrote:
> Hi everyone,
> What is the benefit of using the 'arch' field parameter in a syscall
> rule?  Is it necessary?  

Yes, for some 'not so nice' (IMHO) reasons.  The syscall name you give
to -S is translated to a number and then matched exactly.  Since syscall
#100 on x86_64 might not be the same as syscall #100 on x86_32, if you
don't supply a -F arch= you might end up getting chmod on 32bit and
socket on 64bit (I'm just making that up as an example).

I personally think userspace should handle that for you (instead of just
complaining lightly) if you don't enter -F arch= on a biarch system.

-Eric
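
The point made in the reply above, as an added example that is not part of the original thread: a small Python linter for audit rules on a biarch x86_64 host, flagging syscall rules with no `-F arch=` and `b64` rules with no `b32` counterpart (or the reverse). The rule lines in `SAMPLE_RULES` are constructed, and the function names are hypothetical.

```python
import shlex

# Constructed sample in audit.rules syntax (not taken from the thread).
SAMPLE_RULES = """\
# watch rule: no syscall, so no arch filter is needed
-w /etc/shadow -p wa -k shadow
-a always,exit -S chmod -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -k perm_mod
-a always,exit -F arch=b64 -S execve -k exec
"""

def parse_rule(line):
    """Return (arch, frozenset of syscall names) for a syscall rule, else None."""
    tokens = shlex.split(line, comments=True)
    arch, syscalls = None, set()
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-S":
            syscalls.update(value.split(","))
        elif flag == "-F" and value.startswith("arch="):
            arch = value[len("arch="):]
    return (arch, frozenset(syscalls)) if syscalls else None

def lint(rules_text):
    """Return (line_no, problem) tuples for rules whose arch coverage is incomplete."""
    parsed = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule:
            parsed.append((no, *rule))
    # Simplification: siblings are matched on the syscall set only,
    # ignoring other -F fields and the -k key.
    seen = {(arch, calls) for _, arch, calls in parsed}
    findings = []
    for no, arch, calls in parsed:
        if arch is None:
            findings.append((no, "syscall rule without -F arch="))
        elif arch in ("b64", "b32"):
            other = "b32" if arch == "b64" else "b64"
            if (other, calls) not in seen:
                findings.append((no, f"no matching arch={other} rule"))
    return findings

if __name__ == "__main__":
    for no, problem in lint(SAMPLE_RULES):
        print(f"line {no}: {problem}")
```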
