audit syscall information

David Woodhouse dwmw2 at infradead.org
Fri Apr 29 18:41:08 UTC 2005


On Fri, 2005-04-29 at 10:32 -0500, Debora Velarde wrote:
> Then this patch is already on the system I am testing on.  
> But the a0, a1, a2, and a3 values for the IPC syscalls are still not
> matching the expected values when compiled and run in 32bit mode on a
> 64bit system.

I think you are misunderstanding the point of the IPC patch. The point
in it was that we wanted to log information which is _not_ directly
available in the syscall arguments (a0, a1, etc.). It isn't relevant to
how we report the contents of those arguments.

Here's what I see when I compile a simple test program for both ppc32
and ppc64 and execute both. The arguments appear correct in both cases,
and you see the 'auxitem' which accompanies the IPC_SET (a2==101) call.

type=KERNEL msg=audit(1114799507.492:3226863): syscall=117 arch=80000015 success=yes exit=0 a0=17 a1=ffffffffdeadbeef a2=1000 a3=3ff items=0 pid=6551 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ipcstuff64" exe=/home/dwmw2/ipcstuff64
type=KERNEL msg=audit(1114799507.493:3226881): syscall=117 arch=80000015 success=yes exit=0 a0=18 a1=0 a2=102 a3=0 items=0 pid=6551 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ipcstuff64" exe=/home/dwmw2/ipcstuff64
type=KERNEL msg=audit(1114799507.493:3226898): auxitem=0 qbytes=0 uid=0 gid=4041 mode=1f8
type=KERNEL msg=audit(1114799507.493:3226898): syscall=117 arch=80000015 success=yes exit=0 a0=18 a1=0 a2=101 a3=0 items=0 pid=6551 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ipcstuff64" exe=/home/dwmw2/ipcstuff64
type=KERNEL msg=audit(1114799518.993:3227560): syscall=117 arch=14 success=yes exit=0 a0=17 a1=deadbeef a2=1000 a3=3ff items=0 pid=6554 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ipcstuff" exe=/home/dwmw2/ipcstuff
type=KERNEL msg=audit(1114799518.994:3227578): syscall=117 arch=14 success=yes exit=0 a0=18 a1=0 a2=102 a3=0 items=0 pid=6554 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ipcstuff" exe=/home/dwmw2/ipcstuff
type=KERNEL msg=audit(1114799518.994:3227595): auxitem=0 qbytes=0 uid=0 gid=4041 mode=1f8
type=KERNEL msg=audit(1114799518.994:3227595): syscall=117 arch=14 success=yes exit=0 a0=18 a1=0 a2=101 a3=0 items=0 pid=6554 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ipcstuff" exe=/home/dwmw2/ipcstuff

-- 
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipcstuff.c
Type: text/x-csrc
Size: 389 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050429/7081e940/attachment.bin>
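Added example, not part of the original message or of the audit project's code: a small Python parser that groups records like the ones quoted above by their audit event ID (timestamp:serial), so the 'auxitem' record is attached to the syscall record it accompanies, and that decodes the arch field. The sample lines are shortened from the quoted log; the function names, and masking a1 to its low 32 bits to compare the two runs, are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: three records shortened from the log lines quoted above.
SAMPLE = """\
type=KERNEL msg=audit(1114799507.492:3226863): syscall=117 arch=80000015 success=yes exit=0 a0=17 a1=ffffffffdeadbeef a2=1000 a3=3ff items=0 pid=6551 comm="ipcstuff64"
type=KERNEL msg=audit(1114799518.994:3227595): auxitem=0 qbytes=0 uid=0 gid=4041 mode=1f8
type=KERNEL msg=audit(1114799518.994:3227595): syscall=117 arch=14 success=yes exit=0 a0=18 a1=0 a2=101 a3=0 items=0 pid=6554 comm="ipcstuff"
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ARCH_64BIT = 0x80000000               # __AUDIT_ARCH_64BIT in <linux/audit.h>
ELF_MACHINE = {0x14: "ppc", 0x15: "ppc64"}  # EM_PPC = 20, EM_PPC64 = 21

def parse_record(line):
    """Return ((timestamp, serial), fields) for one record, or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
    return (m.group(2), int(m.group(3))), fields

def decode_arch(arch_hex):
    """Split the arch value into ELF machine name and word size."""
    value = int(arch_hex, 16)
    name = ELF_MACHINE.get(value & 0xFFFF, "unknown")
    return name, 64 if value & AUDIT_ARCH_64BIT else 32

def group_events(text):
    """Collect the syscall record and any auxitem records per event ID."""
    events = defaultdict(lambda: {"syscall": None, "aux": []})
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        event_id, fields = parsed
        if "syscall" in fields:
            events[event_id]["syscall"] = fields
        elif "auxitem" in fields:   # may be logged before its syscall record
            events[event_id]["aux"].append(fields)
    return dict(events)

def arg_as_32bit(arg_hex):
    """Low 32 bits of a logged argument (this example's way to compare runs)."""
    return int(arg_hex, 16) & 0xFFFFFFFF
```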

