Why two AUDIT_SYSCALL_EXIT in trustedbsd-audit3?
Wayne Salamon
wsalamon at computer.org
Fri Dec 23 12:54:28 GMT 2005
On Dec 23, 2005, at 2:01 AM, Yuan MailList wrote:
> It is noted that the exit function AUDIT_SYSCALL_EXIT() is also in
> syscall exit(). Does this cause to two different audit records for
> syscall exit? or exit() will not return to trap.c?
No, it won't result in two audit records. We are capturing the exit
status and committing the audit record a bit early for the exit
system call, with a return value of 0. And yes, for the exit system
call, the the process won't return through trap.c as thread_exit()
doesn't return.
Thanks,
----------------------
Wayne Salamon
wsalamon at freebsd.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freebsd.org/pipermail/trustedbsd-audit/attachments/20051223/924cf065/attachment.html
More information about the trustedbsd-audit
mailing list