From mboxrd@z Thu Jan  1 00:00:00 1970
From: ramsdell@mitre.org (John D. Ramsdell)
Subject: clone flags
Date: 19 Jul 2007 09:24:09 -0400
Message-ID: <ogtbqe8y1ae.fsf@oolong.mitre.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx2.redhat.com (mx2.redhat.com [10.255.15.25])
	by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l6JDOCOm005303
	for <linux-audit@redhat.com>; Thu, 19 Jul 2007 09:24:12 -0400
Received: from smtp-mclean.mitre.org (smtp-mclean.mitre.org [192.80.55.71])
	by mx2.redhat.com (8.13.1/8.13.1) with ESMTP id l6JDOAnv025391
	for <linux-audit@redhat.com>; Thu, 19 Jul 2007 09:24:10 -0400
Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1])
	by smtp-mclean.mitre.org (8.12.11.20060308/8.12.11) with SMTP id
	l6JDO9dC013338
	for <linux-audit@redhat.com>; Thu, 19 Jul 2007 09:24:09 -0400
Received: from smtp-mclean.mitre.org (localhost.localdomain [127.0.0.1])
	by smtp-mclean.mitre.org (Postfix) with ESMTP id AA0244F8D7
	for <linux-audit@redhat.com>; Thu, 19 Jul 2007 09:24:09 -0400 (EDT)
Received: from linus.mitre.org (linus.mitre.org [129.83.10.1])
	by smtp-mclean.mitre.org (8.12.11.20060308/8.12.11) with ESMTP id
	l6JDO907013303
	for <linux-audit@redhat.com>; Thu, 19 Jul 2007 09:24:09 -0400
Received: from oolong.mitre.org (oolong.mitre.org [129.83.162.84])
	by linus.mitre.org (8.12.11/8.12.10) with ESMTP id l6JDO9vF011312
	for <linux-audit@redhat.com>; Thu, 19 Jul 2007 09:24:09 -0400 (EDT)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I've been carefully comparing output I obtain with autrace with what I
get from strace.  It appears they differ when the clone system call is
invoked from the C library via fork.  In particular, strace reports
flags of CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, while
autrace says the flags are 0.  The flags are in field a2.

John

[ramsdell@goo fork]$ uname -r
2.6.21-1.3228.fc7
[ramsdell@goo fork]$ make fork
cc     fork.c   -o fork
[ramsdell@goo fork]$ strace -o strace.txt ./fork
[ramsdell@goo fork]$ su -
Password: 
[root@goo ~]# cd /home/ramsdell/proj/fork
[root@goo fork]# autrace ./fork
Waiting to execute: ./fork
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 1160'
[root@goo fork]# ausearch -i -p 1160 > autrace.txt
[root@goo fork]# grep clone strace.txt 
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7efb708) = 1122
[root@goo fork]# grep clone autrace.txt 
type=SYSCALL msg=audit(07/19/2007 09:16:02.350:848) : arch=i386 syscall=clone success=yes exit=1161 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1158 pid=1160 auid=ramsdell uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=fork exe=/home/ramsdell/proj/fork/fork subj=user_u:system_r:unconfined_t:s0 key=(null) 
[root@goo fork]# cat fork.c 
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>

int main(int argc, char **argv)
{
  int status;
  pid_t pid;
  switch (fork()) {
  case -1:
    perror("clone");
    return 1;
  case 0:
    return 0;
  default:
    do {
      pid = wait(&status);
    } while (pid < 0 && errno == EINTR);
    if (WIFEXITED(status))
      return WEXITSTATUS(status);
    else
      return 1;
  }
}
[root@goo fork]#