# [solved] which syscall calls "linkat"

## toralf

I'm fuzzing a chroot image with trinity - and although I excluded that syscall from being executed due to a mass of

```
kernel: type=1702 audit(1368866091.575:12): op=linkat action=denied pid=1901 comm="trinity-child2" path="/mnt/n22/v/f05" dev="loop2" ino=32010
```

lines in my syslog, I still get (much fewer) hits of those lines.

Last edited by toralf on Mon May 20, 2013 9:04 pm; edited 1 time in total

----------

## user

Hi toralf,

Process "trinity-child2" called syscall linkat().

```
# man 2 linkat

...

The linkat() system call operates in exactly the same way as link(2), except for the differences described in this manual page.

...
```

Looks like this process has no proper rights to create a symlink.

----------

## Hu

I believe toralf is not worried about resolving the denial, but rather wants to understand why the process took the action which was denied.  He believes he has instructed it not to use linkat, yet he sees the kernel claiming that linkat is being used.  This means either trinity is ignoring his instructions, the kernel is printing wrong data in a very well formed way, or, as toralf suggests, the internals of linkat are used by some other syscall that he has not blacklisted.

----------

## toralf

It was just unlinkat - ick.

----------
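To see which `op` values and which fuzzer children the kernel is actually reporting in records like the one quoted in the first post, the lines can be parsed and tallied. This is an added example, not code from the thread or from trinity; only the first sample line comes from the post, the rest are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# First line is the record quoted in the thread; the remaining lines are
# constructed samples for illustration.
SAMPLE_LOG = '''\
kernel: type=1702 audit(1368866091.575:12): op=linkat action=denied pid=1901 comm="trinity-child2" path="/mnt/n22/v/f05" dev="loop2" ino=32010
kernel: type=1702 audit(1368866092.101:13): op=linkat action=denied pid=1899 comm="trinity-child0" path="/mnt/n22/v/f11" dev="loop2" ino=32022
kernel: type=1702 audit(1368866093.340:14): op=follow_link action=denied pid=1901 comm="trinity-child2" path="/mnt/n22/v/s01" dev="loop2" ino=32030
kernel: some unrelated message
'''

# "type=N audit(seconds.millis:serial):" followed by key=value fields.
HEADER = re.compile(r'type=(\d+) audit\((\d+\.\d+):(\d+)\):\s*(.*)')
# A value is either double-quoted (may contain spaces) or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return a dict of fields for one kernel audit line, or None if it is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"type": int(m.group(1)),
           "time": float(m.group(2)),
           "serial": int(m.group(3))}
    for key, value in FIELD.findall(m.group(4)):
        rec[key] = value.strip('"')
    return rec


def tally_denials(log_text, record_type=1702):
    """Count action=denied records of the given type per (op, comm)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec["type"] == record_type and rec.get("action") == "denied":
            counts[(rec.get("op", "?"), rec.get("comm", "?"))] += 1
    return counts


if __name__ == "__main__":
    for (op, comm), n in tally_denials(SAMPLE_LOG).most_common():
        print(f"{n:4d}  op={op:<12} comm={comm}")
```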

