From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Question about max syscall number
Date: Tue, 5 Aug 2008 09:58:02 -0400
Message-ID: <200808050958.03375.sgrubb@redhat.com>
References: <001401c8f2bc$1279e150$958da70a@truly>
	<200808041546.12397.sgrubb@redhat.com>
	<004701c8f6ca$bca8b9a0$958da70a@truly>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <004701c8f6ca$bca8b9a0$958da70a@truly>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: chuli <chul@cn.fujitsu.com>
Cc: 'linux-audit' <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Tuesday 05 August 2008 03:13:14 chuli wrote:
> > We allow this because its possible that someone could write a kernel
> > module (maybe not in Linus tree) =C2=A0that adds syscall numbers.
>
> =C2=A0 I see. Will it be added in the manual?

I suppose I could add a few words. But I don't want to go too far with th=
is=20
since I am yet to see a module in the main line that does this. I don't w=
ant=20
to emphasize something that is rare, or only theoretically possible but i=
n=20
practice doesn't exist.


> =C2=A0 If I add a syscall whose number is 1000 in x86, such syscall can=
 also be
> auditd.=20

Sure.


> And If I use ausearch -i -sc 1000 to lookup the log, the result is=20
> " syscall=3Dunknown syscall(1000)". =C2=A0Is it should be interpreted i=
n the
> manual?

There is no way to intepret it. We don't know what it is.

-Steve