From mboxrd@z Thu Jan 1 00:00:00 1970
From: Klaus Heinrich Kiwi
Subject: Re: Audit not recording the correct syscall return value in Fedora 10?
Date: Tue, 07 Apr 2009 23:44:09 -0300
Message-ID: <1239158649.24938.46.camel@klausk.br.ibm.com>
References: <200904071134.35379.paul.moore@hp.com>
In-Reply-To: <200904071134.35379.paul.moore@hp.com>
To: Paul Moore
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2009-04-07 at 11:34 -0400, Paul Moore wrote:
> Does anyone have any thoughts?

I remember debugging an issue with the incorrect return value being audited for a syscall. It was s390[x] specific and only occurred with successful execve() syscalls. This behavior was pointed out with the open-source common-criteria testsuite that checked each security-relevant syscall for parameters, return values, args, etc.

I didn't give much importance to those since the execve() return value is really not that important if the call succeeds ;-)

But now I'm curious as to what other problems related to syscall return values you've found, and how those weren't caught by the same set of tests (hmm, maybe they are x86-specific?)

Can you give us some examples?

Thanks,

-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center