[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: syscall filtering on personality



On Tuesday 01 March 2005 18:01, Debora Velarde wrote:
> So if I want to audit a particular syscall, chmod for example, in a 32bit
> executable, is this the correct usage?:
> "auditctl -a exit,always -S chmod -F pers=0x0008"

Yes. This is the correct usage.  The kernel should do the test at

http://lxr.linux.no/source/kernel/auditsc.c#L328

Your test program may not be doing what you think. You may need to strace it 
and find the call into the kernel and look at the params. Post a simple test 
program that illustrates the problem so we can try it and see what's wrong.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]