bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* AUDIT_ARCH_ and __NR_syscall constants for seccomp filters
@ 2021-06-28  7:31 Thomas Weißschuh
  2021-06-28 16:59 ` Paul Moore
  0 siblings, 1 reply; 8+ messages in thread
From: Thomas Weißschuh @ 2021-06-28  7:31 UTC (permalink / raw)
  To: linux-audit, bpf

Hi everyone,

there does not seem to be a way to access the AUDIT_ARCH_ constant that matches
the currently visible syscall numbers (__NR_...) from the kernel uapi headers.


I am writing a seccomp BPF filter using the syscall constants to get the
correct syscall numbers for the target architecture.

seccomp_filter.rst tells users to always check the arch values.
But there does not seem a way to get the correct AUDIT_ARCH_ value from the
kernel headers.


Is it really necessary to validate the arch value when syscall numbers are
already target-specific?
(If not, should this be added to the docs?)

Would it make sense to expose the audit arch matching the syscall numbers in
the uapi headers?

Link to the actual BPF code:


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2021-06-29 23:41 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-28  7:31 AUDIT_ARCH_ and __NR_syscall constants for seccomp filters Thomas Weißschuh
2021-06-28 16:59 ` Paul Moore
2021-06-28 17:13   ` Thomas Weißschuh
2021-06-28 17:34     ` Paul Moore
2021-06-28 17:58       ` Thomas Weißschuh
2021-06-28 22:43         ` Paul Moore
2021-06-29 10:40           ` Thomas Weißschuh
2021-06-29 23:41             ` Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).