On Tuesday 05 August 2008 03:13:14 chuli wrote: > > We allow this because its possible that someone could write a kernel > > module (maybe not in Linus tree) that adds syscall numbers. > > I see. Will it be added in the manual?
I suppose I could add a few words. But I don't want to go too far with this since I am yet to see a module in the main line that does this. I don't want to emphasize something that is rare, or only theoretically possible but in practice doesn't exist. > If I add a syscall whose number is 1000 in x86, such syscall can also be > auditd. Sure. > And If I use ausearch -i -sc 1000 to lookup the log, the result is > " syscall=unknown syscall(1000)". Is it should be interpreted in the > manual? There is no way to intepret it. We don't know what it is. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
