From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael C Thompson <thompsmc@us.ibm.com>
Subject: syscall record for mq_unlink
Date: Tue, 21 Nov 2006 16:04:49 -0600
Message-ID: <45637801.7060004@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id kALM51jf002978
	for <linux-audit@redhat.com>; Tue, 21 Nov 2006 17:05:01 -0500
Received: from e34.co.us.ibm.com (e34.co.us.ibm.com [32.97.110.152])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	kALM4xES007555
	for <linux-audit@redhat.com>; Tue, 21 Nov 2006 17:04:59 -0500
Received: from d03relay04.boulder.ibm.com (d03relay04.boulder.ibm.com
	[9.17.195.106])
	by e34.co.us.ibm.com (8.13.8/8.12.11) with ESMTP id kALM4sE6016690
	for <linux-audit@redhat.com>; Tue, 21 Nov 2006 17:04:54 -0500
Received: from d03av04.boulder.ibm.com (d03av04.boulder.ibm.com [9.17.195.170])
	by d03relay04.boulder.ibm.com (8.13.6/8.13.6/NCO v8.1.1) with ESMTP id
	kALM4rrc332312
	for <linux-audit@redhat.com>; Tue, 21 Nov 2006 15:04:53 -0700
Received: from d03av04.boulder.ibm.com (loopback [127.0.0.1])
	by d03av04.boulder.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id
	kALM4rD9029566
	for <linux-audit@redhat.com>; Tue, 21 Nov 2006 15:04:53 -0700
Received: from [127.0.0.1] (wecm-9-67-7-233.wecm.ibm.com [9.67.7.233])
	by d03av04.boulder.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id
	kALM4p5p029435
	for <linux-audit@redhat.com>; Tue, 21 Nov 2006 15:04:52 -0700
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

Hey Steve,

So, Happy Thanksgiving, is this a bug? :P

Audit record:
type=SYSCALL msg=audit(1164127960.194:49): arch=c000003e syscall=241 
success=yes exit=0 a0=2aaaaab2171d a1=2aaaaab2171c a2=7fff69a6cab8 
a3=2aaaafb31188 items=3 ppid=1758 pid=1791 auid=4294967295 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="python" 
exe="/usr/bin/python" subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
type=CWD msg=audit(1164127960.194:49): 
cwd="/rhcc/lspp/tests/LTP/ltp-merged/testcases/kernel/security/mls/tests/framework"
type=PATH msg=audit(1164127960.194:49): item=0 name="-RNHJnfkU"
type=PATH msg=audit(1164127960.194:49): item=1 name=(null) inode=7385 
dev=00:0d mode=0100755 ouid=0 ogid=0 rdev=00:00 
obj=abat_u:object_r:abat_tmpfs_t:s0
type=PATH msg=audit(1164127960.194:49): item=2 name=(null) inode=338 
dev=00:0d mode=041777 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:tmpfs_t:s15:c0.c1023

The syscall prototype in the kernel is as follows:
asmlinkage long sys_mq_unlink(const char __user *u_name)

The function all is:
ret = mq_unlink(msgqid);

The value of char *msgqid is:
2aaaaab2171c

So, the question is:
Why is a0=(msgqid)+1, and why is a1=(msgqid)

I am not sure if this is some crazy "feature" or if this is a real bug. 
I know there are some syscalls that differ from the glibc-level calls, 
but this one violates the function internal to the kernel.

Any ideas? This is on the lspp.55 kernel.

Thanks,
Mike