Update docs for b32/b64 in ausyscall
RH-steve-grubb committed Sep 15, 2021
1 parent 862b5de commit 0f79b32
Showing 2 changed files with 4 additions and 2 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
@@ -1,6 +1,8 @@
3.0.6
- Fixed various issues when dealing with corrupted logs
- Make IPX packet interpretation dependent on the ipx header file existing
- Add b32/b64 support to ausyscall (Egor Ignatov )
- Add support for armv8l (Egor Ignatov )

3.0.5
- In auditd, flush uid/gid caches when user/group added/deleted/modified
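Review bot: the second added entry, `- Add support for armv8l (Egor Ignatov )`, records a change outside the scope of a commit titled "Update docs for b32/b64 in ausyscall"; either move that line to the commit that actually adds armv8l or widen the commit message so the ChangeLog and the history agree. Both added entries also carry a stray space before the closing parenthesis in `(Egor Ignatov )`; drop it.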
4 changes: 2 additions & 2 deletions tools/ausyscall/ausyscall.8
@@ -4,13 +4,13 @@ ausyscall \- a program that allows mapping syscall names and numbers
.SH SYNOPSIS
.B ausyscall [arch] name | number | \-\-dump | \-\-exact
.SH DESCRIPTION
\fBausyscall\fP is a program that prints out the mapping from syscall name to number and reverse for the given arch. The arch can be anything returned by `uname \-m`. If arch is not given, the program will take a guess based on the running image. You may give the syscall name or number and it will find the opposite. You can also dump the whole table with the \-\-dump option. By default a syscall name lookup will be a substring match meaning that it will try to match all occurrences of the given name with syscalls. So giving a name of chown will match both fchown and chown as any other syscall with chown in its name. If this behavior is not desired, pass the \-\-exact flag and it will do an exact string match.
\fBausyscall\fP is a program that prints out the mapping from syscall name to number and reverse for the given arch. The arch can be anything returned by `uname \-m`. If arch is not given, the program will take a guess based on the running image. Or for convenience, you can pass \fBb32\fP or \fBb64\fP to use the current arch but a specific ABI. You may give the syscall name or number and it will find the opposite. You can also dump the whole table with the \-\-dump option. By default a syscall name lookup will be a substring match meaning that it will try to match all occurrences of the given name with syscalls. So giving a name of chown will match both fchown and chown as any other syscall with chown in its name. If this behavior is not desired, pass the \-\-exact flag and it will do an exact string match.

This program can be used to verify syscall numbers on a biarch platform for rule optimization. For example, suppose you had an auditctl rule:

.B \-a always, exit \-S open \-F exit=\-EPERM \-k fail\-open

If you wanted to verify that both 32 and 64 bit programs would be audited, run "ausyscall i386 open" and then "ausyscall x86_64 open". Look at the returned numbers. If they are different, you will have to write two auditctl rules to get complete coverage.
If you wanted to verify that both 32 and 64 bit programs would be audited, run "ausyscall i386 open" and then "ausyscall x86_64 open". (Or use the b32 and b64 option.) Look at the returned numbers. If they are different, you will have to write two auditctl rules to get complete coverage.

.nf
.B \-a always,exit \-F arch=b32 \-S open \-F exit=\-EPERM \-k fail\-open
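Review bot: the new DESCRIPTION sentence introduces \fBb32\fP and \fBb64\fP as accepted values for the arch argument, but the SYNOPSIS line `.B ausyscall [arch] name | number | \-\-dump | \-\-exact` is unchanged, so a reader who only skims the synopsis gets no hint that these pseudo-arches exist; consider `[arch|b32|b64]` there or a short OPTIONS entry. In the example paragraph, "(Or use the b32 and b64 option.)" is vague beside the two quoted commands; spell it out as "ausyscall b32 open" and "ausyscall b64 open" so the reader sees exactly which two invocations produce the numbers to compare, and make "option" plural. Minor, pre-existing in the context line: "as any other syscall" reads as "as well as any other syscall".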
