Hi,

> We allow this because it's possible that someone could write a kernel module
> (maybe not in Linus tree) that adds syscall numbers.

I see. Will it be added in the manual?
If I add a syscall whose number is 1000 in x86, such syscall can also be audited.
And if I use ausearch -i -sc 1000 to look up the log, the result is
" syscall=unknown syscall(1000)". Should it be interpreted in the manual?

Regards
Chu Li

> -----Original Message-----
> From: Steve Grubb [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2008 3:46 AM
> To: chuli
> Cc: 'linux-audit'
> Subject: Re: Question about max syscall number
>
> On Wednesday 30 July 2008 23:18:15 chuli wrote:
> > When I use "auditctl -a exit,always -S 2015" in x86 system, this rule can
> > be added. But I thought it would report an error since there is no such
> > syscall number "1000" in x86, the max is 318.
>
> We allow this because it's possible that someone could write a kernel module
> (maybe not in Linus tree) that adds syscall numbers. While we wouldn't have
> a text interpretation for what it means, we thought that if this occurs that
> we would like to allow people to audit these new syscalls if they existed.
> It's otherwise harmless if you don't consider the performance hit.
>
> -Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
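
As an added example (not part of the original thread and not the audit project's code): a small triage script that scans raw audit records for SYSCALL events whose number lies above the known table, which is the case `ausearch -i` renders as `unknown syscall(N)`. The x86 limit of 318 is the figure quoted in the thread; the per-arch table, the function names and the sample records are assumptions constructed for illustration.

```python
import re

# Highest known syscall number per audit "arch" value. The x86 figure (318) is
# the one quoted in the thread; this table is an assumption to adjust per kernel.
MAX_KNOWN_SYSCALL = {"40000003": 318}  # 40000003 = AUDIT_ARCH_I386

# key=value pairs as they appear in raw audit records; values may be quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def unknown_syscalls(lines, limits=MAX_KNOWN_SYSCALL):
    """Return (arch, syscall, exe) for SYSCALL records above the known table."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        arch, num = rec.get("arch"), rec.get("syscall")
        if arch not in limits or num is None or not num.isdigit():
            continue  # no limit known for this arch, or not a raw number
        if int(num) > limits[arch]:
            hits.append((arch, int(num), rec.get("exe", "?")))
    return hits


# Constructed sample records (not taken from a real system).
SAMPLE = [
    'type=SYSCALL msg=audit(1217900000.123:41): arch=40000003 syscall=5 success=yes exit=3 pid=2100 comm="cat" exe="/bin/cat"',
    'type=SYSCALL msg=audit(1217900001.456:42): arch=40000003 syscall=1000 success=no exit=-38 pid=2101 comm="probe" exe="/tmp/probe"',
    'type=PATH msg=audit(1217900001.456:42): item=0 name="/etc/hosts"',
    'type=SYSCALL msg=audit(1217900002.789:43): arch=c000003e syscall=1000 success=no exit=-38 pid=2102 comm="probe" exe="/tmp/probe"',
]

if __name__ == "__main__":
    for arch, num, exe in unknown_syscalls(SAMPLE):
        print(f"arch={arch} syscall=unknown syscall({num}) exe={exe}")
```

Records for an arch with no entry in the table are skipped rather than guessed at, so the last sample line is not reported until a limit for that arch is added.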
