syscall record for mq_unlink - Michael C Thompson

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Michael C Thompson <thompsmc@us.ibm.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: syscall record for mq_unlink
Date: Tue, 21 Nov 2006 16:04:49 -0600	[thread overview]
Message-ID: <45637801.7060004@us.ibm.com> (raw)

Hey Steve,

So, Happy Thanksgiving, is this a bug? :P

Audit record:
type=SYSCALL msg=audit(1164127960.194:49): arch=c000003e syscall=241 
success=yes exit=0 a0=2aaaaab2171d a1=2aaaaab2171c a2=7fff69a6cab8 
a3=2aaaafb31188 items=3 ppid=1758 pid=1791 auid=4294967295 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="python" 
exe="/usr/bin/python" subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
type=CWD msg=audit(1164127960.194:49): 
cwd="/rhcc/lspp/tests/LTP/ltp-merged/testcases/kernel/security/mls/tests/framework"
type=PATH msg=audit(1164127960.194:49): item=0 name="-RNHJnfkU"
type=PATH msg=audit(1164127960.194:49): item=1 name=(null) inode=7385 
dev=00:0d mode=0100755 ouid=0 ogid=0 rdev=00:00 
obj=abat_u:object_r:abat_tmpfs_t:s0
type=PATH msg=audit(1164127960.194:49): item=2 name=(null) inode=338 
dev=00:0d mode=041777 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:tmpfs_t:s15:c0.c1023

The syscall prototype in the kernel is as follows:
asmlinkage long sys_mq_unlink(const char __user *u_name)

The function all is:
ret = mq_unlink(msgqid);

The value of char *msgqid is:
2aaaaab2171c

So, the question is:
Why is a0=(msgqid)+1, and why is a1=(msgqid)

I am not sure if this is some crazy "feature" or if this is a real bug. 
I know there are some syscalls that differ from the glibc-level calls, 
but this one violates the function internal to the kernel.

Any ideas? This is on the lspp.55 kernel.

Thanks,
Mike

next             reply	other threads:[~2006-11-21 22:05 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-11-21 22:04 Michael C Thompson [this message]
2006-11-21 22:20 ` syscall record for mq_unlink Steve Grubb
2006-11-22  5:17   ` Michael C Thompson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=45637801.7060004@us.ibm.com \
    --to=thompsmc@us.ibm.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox