[PATCH 1/2] add SIGNAL syscall class

Steve Grubb sgrubb at redhat.com
Wed Feb 14 20:32:02 UTC 2007


On Wednesday 14 February 2007 15:12:05 Amy Griffis wrote:
> Steve Grubb wrote:  [Wed Feb 14 2007, 02:04:07PM EST]
>
> > On Wednesday 14 February 2007 13:24:31 Amy Griffis wrote:
> > > Add a syscall class for sending signals.
> >
> > The intent of the syscall classes had been to make an update-independent
> > way of being able to specify audit rules for filesystem auditing where
> > new syscalls could be added.
>
> Yeah, I know I used it in a different way from the original purpose.

So, how does this work from a user perspective? Do you need to patch auditctl? 

> But I think this is still a valid use... When we are adding or
> removing a rule, we need a way to determine if the rule specified one
> of the syscalls for sending signals.

Could you show a sample use? (Just so I understand what it's doing.)

> Makes sense. Do you think we're in danger of running out of slots for
> syscall classes?

I think we should be fairly conservative. I hadn't quite got to the point of 
saying we needed close and delete since I am still thinking about the 
requirements.

Thanks,
-Steve



