    audit: add arch field to seccomp event log · 84db564a
    Richard Guy Briggs authored
    The AUDIT_SECCOMP record looks something like this:
    
    type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0
    
    In order to determine what syscall 231 maps to, we need to have the arch= field right before it.
    
    To see the event, compile this test.c program:
    
    =====
    #include <seccomp.h>

    /* Install a filter that kills on every syscall; the exit_group() issued
       when main() returns is the first one caught and raises SIGSYS. */
    int main(void)
    {
            return seccomp_load(seccomp_init(SCMP_ACT_KILL));
    }
    =====
    
    gcc -g test.c -o test -lseccomp
    
    After running the program, find the record by:  ausearch --start recent -m SECCOMP -i
    Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
    Signed-off-by: Eric Paris <eparis@redhat.com>
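As an added example (not part of this commit or of the kernel tree), a small Python parser for the SECCOMP record that uses the arch= field this patch adds to resolve the syscall number. The arch bit layout follows linux/audit.h; the syscall tables are constructed, abbreviated subsets included only to show that number 231 means different things on x86_64 and i386, and the sample records are constructed from the one quoted above.

```python
import re

# Flag bits and machine ids that make up the audit arch value (linux/audit.h).
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
EM_386 = 3
EM_X86_64 = 62
MACHINE_NAMES = {EM_386: "i386", EM_X86_64: "x86_64"}

# Constructed, abbreviated syscall tables keyed by (machine, is_64bit).
# A real decoder would load the full tables for each ABI.
SYSCALL_NAMES = {
    (EM_X86_64, True): {60: "exit", 231: "exit_group"},
    (EM_386, False): {1: "exit", 231: "fgetxattr", 252: "exit_group"},
}

# Constructed records: the quoted event with the new arch= field, an i386
# variant of it, and the pre-patch form without arch=.
RECORD_X86_64 = ('type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 '
                 'gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 '
                 'pid=12381 comm="test" sig=31 arch=c000003e syscall=231 compat=0 '
                 'ip=0x39ea8bca89 code=0x0')
RECORD_I386 = RECORD_X86_64.replace("arch=c000003e", "arch=40000003").replace("compat=0", "compat=1")
RECORD_NO_ARCH = RECORD_X86_64.replace(" arch=c000003e", "")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split an audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_arch(arch_hex):
    """Return (machine id, is_64bit, is_little_endian) from the arch= hex value."""
    arch = int(arch_hex, 16)
    return arch & 0xFFFF, bool(arch & AUDIT_ARCH_64BIT), bool(arch & AUDIT_ARCH_LE)


def resolve_syscall(fields):
    """Map syscall= to a name; None when arch= is missing (number alone is ambiguous)."""
    if "arch" not in fields:
        return None
    machine, is64, _le = decode_arch(fields["arch"])
    return SYSCALL_NAMES.get((machine, is64), {}).get(int(fields["syscall"]))


if __name__ == "__main__":
    for rec in (RECORD_X86_64, RECORD_I386, RECORD_NO_ARCH):
        f = parse_record(rec)
        print(f.get("arch", "<none>"), f["syscall"], "->", resolve_syscall(f))
```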