audit_syscall_entry — fill in an audit record at syscall entry
void audit_syscall_entry ( | int | arch, |
int | major, | |
unsigned long | a1, | |
unsigned long | a2, | |
unsigned long | a3, | |
unsigned long | a4) ; |
arch
architecture type
major
major syscall type (function)
a1
additional syscall register 1
a2
additional syscall register 2
a3
additional syscall register 3
a4
additional syscall register 4
Fill in audit context at syscall entry. This only happens if the audit context was created when the task was created and the state or filters demand the audit context be built. If the state from the per-task filter or from the per-syscall filter is AUDIT_RECORD_CONTEXT, then the record will be written at syscall exit time (otherwise, it will only be written if another part of the kernel requests that it be written).