[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-audit
Subject:    Re: [PATCH] audit: fix broken class-based syscall audit
From:       Steve Grubb <sgrubb () redhat ! com>
Date:       2007-05-17 15:45:19
Message-ID: 200705171145.19880.sgrubb () redhat ! com
[Download RAW message or body]

On Thursday 17 May 2007 11:23, Klaus Weidner wrote:
> > So, way back over at syscall entry would be the time to notice this
> > problem instead of here. If we are concerned about this, it might be a
> > general control feature like enable/disable, fail mode, or backlog. We
> > could make something to report out of range syscalls.
>
> Can we agree to do just the simple fix for this issue for now, and maybe
> revisit adding additional sanity checks later if people think they are
> helpful?

Certainly. The patch as submitted is fine and Al ack'ed it. I was thinking we 
should have one more cleanup as a separate patch at some point that catches 
this at syscall entry and allows ignore/printk/panic selection just like the 
fail option for the audit system does. In the case of ignore (which would be 
default), your patch is needed.

-Steve

[prev in list] [next in list] [prev in thread] [next in thread]