From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
Subject: Re: Audit not recording the correct syscall return value in Fedora 10?
Date: Wed, 8 Apr 2009 17:38:42 -0400
Message-ID: <200904081738.42401.paul.moore@hp.com>
References: <200904071134.35379.paul.moore@hp.com> <1239158649.24938.46.camel@klausk.br.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: 7bit
Return-path:
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n38LdCNx021985 for ; Wed, 8 Apr 2009 17:39:12 -0400
Received: from g1t0029.austin.hp.com (g1t0029.austin.hp.com [15.216.28.36]) by mx3.redhat.com (8.13.8/8.13.8) with ESMTP id n38Lcmsr015124 for ; Wed, 8 Apr 2009 17:38:48 -0400
In-Reply-To: <1239158649.24938.46.camel@klausk.br.ibm.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Klaus Heinrich Kiwi
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 07 April 2009 10:44:09 pm Klaus Heinrich Kiwi wrote:
> On Tue, 2009-04-07 at 11:34 -0400, Paul Moore wrote:
> > Does anyone have any thoughts?
>
> I remember debugging an issue with the incorrect return value being
> audited for a syscall. It was s390[x] specific and only occurred with
> successful execve() syscalls. This behavior was pointed out with the
> open-source common-criteria testsuite that checked each
> security-relevant syscall for parameters, return values, args, etc.
>
> I didn't give much importance to those since the execve() return value is
> really not that important if the call succeeds ;-)
>
> But now I'm curious about what other problems related to syscall return
> values you've found, and how those weren't caught by the same set of
> tests (hmm, maybe they are x86-specific?)
Well, I'm not certain about the exact root cause (I was hoping others with more audit experience would be able to take a look), but I do know that my fix/workaround was arch-specific. My hunch is that the problem does lie in the arch-specific code, but it may be that the same problem exists on multiple architectures.

> Can you give us some examples?

Of the tests? Sure, I used the audit-test suite which can be found on SourceForge; the tests that trigger the error on my test system are the sendto() and sendmsg() syscall tests which are run as part of the network tests.

http://sourceforge.net/project/showfiles.php?group_id=167060
http://audit-test.svn.sforge.net/viewvc/audit-test/trunk/tests/audit/utils/bin/do_sendto.c?revision=2019&view=markup
http://audit-test.svn.sourceforge.net/viewvc/audit-test/trunk/tests/audit/utils/bin/do_sendmsg.c?view=markup

-- 
paul moore
linux @ hp
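The thread is about SYSCALL audit records whose `exit` value does not match what the syscall actually returned. One cheap first-pass check a defender can run over an existing audit.log is to look for records that are internally inconsistent: `success=yes` paired with a negative `exit` (a negative errno), or `success=no` paired with a non-negative `exit`. The script below is an added example, not code from the thread or from the audit-test suite; the log lines are constructed (syscall numbers 44 and 46 are sendto and sendmsg on x86_64), and the field layout follows the auditd SYSCALL record format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample audit.log records (not from the mailing-list thread).
# Record 2002 and 2003 are deliberately self-contradictory; 2001 and 2004
# are well-formed; the CWD record shows that non-SYSCALL types are skipped.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1239158649.101:2001): arch=c000003e syscall=44 success=yes exit=13 a0=3 a1=7fff1234 a2=d a3=0 items=0 pid=1235 auid=500 uid=500 comm="do_sendto" exe="/usr/local/bin/do_sendto" key="net"
type=SYSCALL msg=audit(1239158649.102:2002): arch=c000003e syscall=44 success=yes exit=-13 a0=3 a1=7fff1234 a2=d a3=0 items=0 pid=1236 auid=500 uid=500 comm="do_sendto" exe="/usr/local/bin/do_sendto" key="net"
type=SYSCALL msg=audit(1239158649.103:2003): arch=c000003e syscall=46 success=no exit=13 a0=3 a1=7fff5678 a2=0 a3=0 items=0 pid=1237 auid=500 uid=500 comm="do_sendmsg" exe="/usr/local/bin/do_sendmsg" key="net"
type=SYSCALL msg=audit(1239158649.104:2004): arch=c000003e syscall=46 success=no exit=-111 a0=3 a1=7fff5678 a2=0 a3=0 items=0 pid=1238 auid=500 uid=500 comm="do_sendmsg" exe="/usr/local/bin/do_sendmsg" key="net"
type=CWD msg=audit(1239158649.104:2004): cwd="/home/tester"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<timestamp>:<serial>): gives us the event serial number.
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')


@dataclass
class Finding:
    serial: int
    syscall: int
    success: str
    exit_code: int
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into a dict of fields (quotes stripped)."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        fields["_serial"] = m.group(2)
    return fields


def check_syscall_records(log_text: str) -> List[Finding]:
    """Return SYSCALL records whose success flag contradicts their exit value.

    Assumption: a successful syscall never reports a negative exit, and a
    failed one always reports a negative errno. A record that is wrong but
    self-consistent (the s390 execve case in the thread) cannot be detected
    this way; that needs comparison against the real return value, which is
    what the audit-test suite does.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        try:
            exit_code = int(rec.get("exit", ""))
            syscall = int(rec.get("syscall", ""))
        except ValueError:
            continue  # malformed or truncated record: nothing to compare
        success = rec.get("success", "")
        serial = int(rec.get("_serial", "-1"))
        if success == "yes" and exit_code < 0:
            findings.append(Finding(serial, syscall, success, exit_code,
                                    "success=yes but exit is a negative errno"))
        elif success == "no" and exit_code >= 0:
            findings.append(Finding(serial, syscall, success, exit_code,
                                    "success=no but exit is non-negative"))
    return findings


if __name__ == "__main__":
    for f in check_syscall_records(SAMPLE_LOG):
        print(f"audit({f.serial}) syscall={f.syscall} success={f.success} "
              f"exit={f.exit_code}: {f.reason}")
```

Run against a real log (`check_syscall_records(open("/var/log/audit/audit.log").read())`) this flags only the records that contradict themselves; a clean result does not prove the recorded values are right, which is why the audit-test programs compare the audited `exit` with the value the test binary actually received.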