On Tue, 2013-10-29 at 17:28 -0400, Paul Moore wrote:
> Take x86_64 and x32 as an example (think of x32 as a 32-bit version of
> x86_64). Both x32 and x86_64 use the AUDIT_ARCH_X86_64 value and general
> calling convention, but they have a different syscall table.

I guess a good question is "is that right"?

    #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)

Would we not be better off with a:

    #define AUDIT_ARCH_X32 (EM_X86_64|__AUDIT_ARCH_LE)

?

Do x86_64 and x32 share the same syscall entry code? Is that where the
AUDIT_ARCH_X86_64 comes from?

Is this similar for ARM? Right now, the only thing we have is:

    #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
    #define AUDIT_ARCH_ARMEB (EM_ARM)

Is this enough? Should we add more? I'm way way way more ARM idiotic
than I am about x86_64. I know the ARM people at least told us that ARM
wasn't going to work right with what we have today... So they added to
the audit Kconfig:

    depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))

Is fixing this with differentiated AUDIT_ARCH flags even possible? Am I
just talking out of my bum?
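
Added example, not part of the original message or of the kernel source: it decodes the AUDIT_ARCH tokens quoted above and shows that, with x32 and x86_64 sharing one token, only the syscall number can tell the two syscall tables apart. The helper `classify`, the `abi` enum and `PROPOSED_AUDIT_ARCH_X32` are hypothetical names; `__X32_SYSCALL_BIT` is the kernel's existing x32 marker in the syscall number, and the syscall number used is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the kernel UAPI headers; redefined here so the
 * example builds without them. */
#define EM_ARM             40
#define EM_X86_64          62
#define __AUDIT_ARCH_64BIT 0x80000000U
#define __AUDIT_ARCH_LE    0x40000000U
#define __X32_SYSCALL_BIT  0x40000000U
#define AUDIT_ARCH_X86_64  (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM     (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB   (EM_ARM)
/* The value proposed in the message; not a kernel constant. */
#define PROPOSED_AUDIT_ARCH_X32 (EM_X86_64|__AUDIT_ARCH_LE)

enum abi { ABI_UNKNOWN, ABI_X86_64, ABI_X32, ABI_ARM_LE, ABI_ARM_BE };

/* Hypothetical helper: which syscall table does (arch, nr) refer to? */
enum abi classify(uint32_t arch, uint32_t nr)
{
    int is64 = (arch & __AUDIT_ARCH_64BIT) != 0;
    int le = (arch & __AUDIT_ARCH_LE) != 0;

    switch (arch & ~(__AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)) {
    case EM_X86_64:
        if (!le)
            return ABI_UNKNOWN;
        if (!is64)              /* only reachable with the proposed token */
            return ABI_X32;
        /* Shared token: the syscall number is the only discriminator. */
        return (nr & __X32_SYSCALL_BIT) ? ABI_X32 : ABI_X86_64;
    case EM_ARM:                /* token says nothing about EABI vs OABI */
        if (is64)
            return ABI_UNKNOWN;
        return le ? ABI_ARM_LE : ABI_ARM_BE;
    default:
        return ABI_UNKNOWN;
    }
}

int main(void)
{
    static const char *name[] = { "unknown", "x86_64", "x32", "arm-le", "arm-be" };
    uint32_t nr = 257;          /* constructed sample: openat on x86_64 */

    printf("%08x nr=0x%x -> %s\n", (unsigned)AUDIT_ARCH_X86_64, (unsigned)nr,
           name[classify(AUDIT_ARCH_X86_64, nr)]);
    printf("%08x nr=0x%x -> %s\n", (unsigned)AUDIT_ARCH_X86_64,
           (unsigned)(nr | __X32_SYSCALL_BIT),
           name[classify(AUDIT_ARCH_X86_64, nr | __X32_SYSCALL_BIT)]);
    return 0;
}
```

An audit rule or syscall filter that matches on the arch token and a bare syscall number therefore has to check the x32 bit as well, or it treats the two tables as one.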