AUSYSCALL(8)            System Administration Utilities           AUSYSCALL(8)

NAME

       ausyscall - a program that allows mapping syscall names and numbers

SYNOPSIS

       ausyscall [arch] name | number | --dump | --exact

DESCRIPTION

       ausyscall is a program that prints out the mapping from syscall name to
       number and the reverse for the given arch. The arch can be anything
       returned by `uname -m`. If arch is not given, the program will take a
       guess based on the running image. For convenience, you can also pass
       b32 or b64 to use the current arch but a specific ABI. You may give
       the syscall name or number and it will find the opposite. You can also
       dump the whole table with the --dump option. By default, a syscall
       name lookup is a substring match, meaning that it will try to match
       all occurrences of the given name with syscalls. So giving a name of
       chown will match both fchown and chown, as well as any other syscall
       with chown in its name. If this behavior is not desired, pass the
       --exact flag and it will do an exact string match.

       The program takes the special arch, uring, to denote that you want to
       specify io_uring operations. In this case, the arch must be given
       because it will otherwise detect the underlying hardware.

       This program can be used to verify syscall numbers on a biarch platform
       for rule optimization. For example, suppose you had an auditctl rule:

       -a always,exit -S open -F exit=-EPERM -k fail-open

       If you wanted to verify that both 32 and 64 bit programs would be
       audited, run "ausyscall i386 open" and then "ausyscall x86_64 open".
       (Or use the b32 and b64 options.) Look at the returned numbers. If they
       are different, you will have to write two auditctl rules to get
       complete coverage.

       -a always,exit -F arch=b32 -S open -F exit=-EPERM -k fail-open
       -a always,exit -F arch=b64 -S open -F exit=-EPERM -k fail-open

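       The biarch check described above, as an added shell example (not part
       of the original man page or the audit project's code). It assumes that
       "ausyscall <abi> <name> --exact" prints only the syscall number; lookup
       and emit_rules are hypothetical helper names.

```shell
#!/bin/sh
# Added example: compare a syscall's number on the 32 and 64 bit ABIs and
# print the auditctl rule(s) needed for complete coverage.

# lookup ABI NAME: print the syscall number, or nothing if the name is unknown.
# Assumption: with --exact, ausyscall prints just the number on stdout.
lookup() {
    ausyscall "$1" "$2" --exact 2>/dev/null
}

# emit_rules NAME NUM32 NUM64 KEY: print one rule when the numbers agree,
# otherwise one rule per ABI on which the syscall exists.
emit_rules() {
    name=$1 n32=$2 n64=$3 key=$4
    if [ -z "$n32" ] && [ -z "$n64" ]; then
        echo "error: $name is unknown on both ABIs" >&2
        return 1
    fi
    if [ "$n32" = "$n64" ]; then
        # Same number on both ABIs: the single rule from the text is enough.
        echo "-a always,exit -S $name -F exit=-EPERM -k $key"
        return 0
    fi
    # Numbers differ (or the syscall is missing on one ABI): pin each rule
    # to its ABI with -F arch= so the name resolves to the right number.
    [ -n "$n32" ] && echo "-a always,exit -F arch=b32 -S $name -F exit=-EPERM -k $key"
    [ -n "$n64" ] && echo "-a always,exit -F arch=b64 -S $name -F exit=-EPERM -k $key"
    return 0
}

if command -v ausyscall >/dev/null 2>&1; then
    n32=$(lookup b32 open)
    n64=$(lookup b64 open)
else
    # Fallback when ausyscall is not installed: open is 5 on i386
    # and 2 on x86_64.
    n32=5 n64=2
fi
emit_rules open "$n32" "$n64" fail-open || true
```
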
       For more information about a specific syscall, use the man program and
       pass the number 2 as an argument to make sure that you get the syscall
       information rather than a shell script program or glibc function call
       of the same name. For example, if you wanted to learn about the open
       syscall, type: man 2 open.

OPTIONS

       --dump Print all syscalls for the given arch

       --exact
              Instead of doing a partial word match, match the given syscall
              name exactly.

SEE ALSO

       ausearch(8), auditctl(8).

AUTHOR

       Steve Grubb

Red Hat                            Feb 2023                       AUSYSCALL(8)