From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Paris <eparis@redhat.com>
Subject: [PATCH] Audit: EINTR instead of kernel private return codes in
	audit records
Date: Wed, 14 Nov 2007 15:22:08 -0500
Message-ID: <1195071728.2924.40.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: pmoore@hp.com
List-Id: linux-audit@redhat.com

When a syscall gets interrupted by a signal and that signal is set to
not restart the syscall its return code will get collected by the audit
system before the registers are changed to the userspace valid EINTR;
See the discussion in include/linux/errno.h

Thus it is possible to get a syscall audit such as:

type=SYSCALL msg=audit(11/13/2007 23:47:34.648:80314) : arch=x86_64
syscall=accept success=no exit=-512(Unknown error 512) a0=3 [snip]

with this patch we clean up those kernel only return codes and give the
userspace equivalent.

type=SYSCALL msg=audit(11/13/2007 23:06:04.017:898) : arch=x86_64
syscall=accept success=no exit=-4(Interrupted system call) a0=3 [snip]

Signed-off-by: Eric Paris <eparis@redhat.com>

---

 kernel/auditsc.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index bce9ecd..447ad65 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -702,7 +702,14 @@ static inline struct audit_context *audit_get_context(struct task_struct *tsk,
 	if (likely(!context))
 		return NULL;
 	context->return_valid = return_valid;
-	context->return_code  = return_code;
+
+	if (unlikely((return_code == -ERESTART_RESTARTBLOCK) ||
+		     (return_code == -ERESTARTNOHAND) ||
+		     (return_code == -ERESTARTSYS) ||
+		     (return_code == -ERESTARTNOINTR)))
+		context->return_code = -EINTR;
+	else
+		context->return_code  = return_code;
 
 	if (context->in_syscall && !context->dummy && !context->auditable) {
 		enum audit_state state;