Q on audit, audit-syscall

From: Herbert Rosmanith
Date: Wed Apr 05 2006 - 07:32:06 EST



good afternoon,

I'm searching for a way to trace/intercept syscalls, both before and
after execution. "ptrace" is not an option (you probably know why).
I've found CONFIG_AUDIT and CONFIG_AUDITSYSCALL, which offer
"audit_syscall_entry" and "audit_syscall_exit", but I don't know
how to use this. Also, the comment in kernel/auditsc.c reads:
* The method for actual interception of syscall entry and exit (not in
* this file -- see entry.S) is based on a GPL'd patch written by
* okir@xxxxxxx and Copyright 2003 SuSE Linux AG.

So, am I looking in the wrong file?

I just can't see how this software communicates with user-space,
there is no "register_xxx" (or whatever) in the source-files.
Is it necessary to write an additional module (like se-linux does)
which makes use of audit and exports its own functionality to
userspace?

So far, in the audit-1.1.5 daemon, I've only found a PF_NETLINK/NETLINK_AUDIT
socket. *Is* this it?

What's additionally confusing me is that linux/Documentation/devices.txt
says that "block 130 minor 0 = Audit device", yet, although I'm running
with 2.6.16 + CONFIG_AUDIT & CONFIG_AUDITSYSCALL, there just is no
block dev 130 in /proc/devices. Is the entry in devices.txt wrong?

regards,
h.rosmanith
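The PF_NETLINK/NETLINK_AUDIT socket the post found in auditd is indeed the user-space interface to CONFIG_AUDIT: requests such as AUDIT_GET and AUDIT_SET go down it as netlink messages, and the kernel answers on the same socket, which also carries the event records themselves. As an added example (not part of the original message, nor code from the audit package), here is a minimal C client that opens that socket, sends AUDIT_GET and decodes the status reply. It assumes a Linux system with the kernel UAPI headers installed; getting a status rather than an EPERM error ack requires CAP_AUDIT_CONTROL (or, on newer kernels, CAP_AUDIT_READ). The message-building and parsing routines are separate from the socket code so they can be exercised without privileges.

```c
/* Added example: a minimal NETLINK_AUDIT client. Not from the post or the
 * audit package. Assumes Linux with the kernel UAPI headers installed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Union keeps the raw buffer correctly aligned for struct nlmsghdr. */
union audit_msg {
    struct nlmsghdr nlh;
    unsigned char raw[8192];
};

/* Build an AUDIT_GET request: a bare netlink header, no payload, addressed
 * to the kernel (nlmsg_pid 0). Returns the number of bytes to send. */
size_t build_audit_get(union audit_msg *m, unsigned int seq)
{
    memset(m, 0, NLMSG_SPACE(0));
    m->nlh.nlmsg_len   = NLMSG_LENGTH(0);
    m->nlh.nlmsg_type  = AUDIT_GET;
    m->nlh.nlmsg_flags = NLM_F_REQUEST;
    m->nlh.nlmsg_seq   = seq;
    m->nlh.nlmsg_pid   = 0;
    return m->nlh.nlmsg_len;
}

/* Decode one message received on the socket.
 *   1  -> AUDIT_GET status for our seq, copied into *st
 *  -1  -> NLMSG_ERROR ack for our seq; *err holds a positive errno
 *         (EPERM when the caller lacks the audit capability, 0 for a plain ACK)
 *   0  -> malformed, or not the message we asked for (the audit socket also
 *         carries unsolicited event records, which we just skip) */
int parse_audit_reply(const union audit_msg *m, size_t len, unsigned int seq,
                      struct audit_status *st, int *err)
{
    const struct nlmsghdr *nlh = &m->nlh;
    const unsigned char *payload;
    size_t plen;

    if (!NLMSG_OK(nlh, len) || nlh->nlmsg_seq != seq)
        return 0;
    payload = NLMSG_DATA(nlh);
    plen = nlh->nlmsg_len - NLMSG_HDRLEN;

    if (nlh->nlmsg_type == NLMSG_ERROR) {
        struct nlmsgerr e;
        if (plen < sizeof e)
            return 0;
        memcpy(&e, payload, sizeof e);
        *err = -e.error;            /* the kernel reports a negative errno */
        return -1;
    }
    if (nlh->nlmsg_type != AUDIT_GET)
        return 0;
    /* The first eight __u32 fields (mask .. backlog) are the 2.6-era layout;
     * newer kernels append fields, so copy only what both sides have. */
    if (plen < 8 * sizeof(__u32))
        return 0;
    memset(st, 0, sizeof *st);
    memcpy(st, payload, plen < sizeof *st ? plen : sizeof *st);
    return 1;
}

int main(void)
{
    union audit_msg req, rep;
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK };  /* nl_pid 0 = kernel */
    struct audit_status st;
    unsigned int seq = 1;
    int fd, rc = 0, err = 0, tries;
    ssize_t n;

    fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) { perror("socket(NETLINK_AUDIT)"); return 1; }
    if (bind(fd, (struct sockaddr *)&kern, sizeof kern) < 0) { perror("bind"); return 1; }
    if (sendto(fd, &req, build_audit_get(&req, seq), 0,
               (struct sockaddr *)&kern, sizeof kern) < 0) {
        perror("sendto(AUDIT_GET)");
        return 1;
    }
    /* Skip unrelated records until our reply (or its error ack) arrives. */
    for (tries = 0; tries < 16 && rc == 0; tries++) {
        n = recv(fd, &rep, sizeof rep, 0);
        if (n < 0) { perror("recv"); return 1; }
        rc = parse_audit_reply(&rep, (size_t)n, seq, &st, &err);
    }
    close(fd);
    if (rc == 1)
        printf("audit enabled=%u pid=%u lost=%u backlog=%u\n",
               st.enabled, st.pid, st.lost, st.backlog);
    else if (rc == -1)
        printf("AUDIT_GET rejected: %s\n", strerror(err));
    else
        printf("no reply to AUDIT_GET\n");
    return rc == 1 ? 0 : 1;
}
```

Run it as root and it prints the same status auditctl -s reports (the pid field is the registered auditd, 0 if none); run it unprivileged and the kernel answers with an NLMSG_ERROR carrying -EPERM, which is the check in audit_netlink_ok() in kernel/audit.c. The sequence-number match matters because the socket is shared with event delivery: without it a stray record could be mistaken for the reply.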
