bug?: audit filtering on negative values

Hey all, I'm not sure if anyone else has seen this, or if its been brought up before (though I think not), but I've discovered a problem with trying to have audit filter on fields with negative values. I suspect this is due to a difference in kernel space and user space, given the results I've seen below, but here are the particulars: On zSeries and on xSeries, we have noticed that we are incapable (in some situations) of filtering messages when the filter value is negative. On zSeries, this seems to be true for all fields, while on xSeries, its true if the field is a1,a2,a3. We have explicity tested -9 and -1, but I believe this code will extend to all manner of negative values because seems to be related to the representation of these values in the different architectures (32 v 64). I have not tested it on a 32-bit only platform, if someone has the ability to that (should take all of 3minutes) that would probably be useful :) Below is all of my test information. Thanks, Mike Here are the records we not are seeing (you can trap them without an special filters): zSeries: type=SYSCALL msg=audit(1137516317.334:8619): arch=80000016 syscall=180 success=no exit=-22 a0=ffffffffffffffff a1=ffffffffffffffff a2=ffffffffffffffff a3=ffffffffffffffff items=0 pid=17427 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pread_attempt" exe="/rhcc/lspp/tests/LTP/ltp-merged/testcases/audit/filters/pread_attempt" xSeries: type=SYSCALL msg=audit(1137489462.885:205387): arch=c000003e syscall=17 success=no exit=-22 a0=ffffffff a1=ffffffffffffffff a2=ffffffffffffffff a3=ffffffffffffffff items=0 pid=8121 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="a.out" exe="/tests/LTP/ltp-merged/testcases/audit/syscalls/a.out" Here are the auditctl commands we are using: auditctl -a exit,always -S pread -- works always auditctl -a exit,always -S pread -F a0=-1 -- works only on xSeries, no message on zSeries auditctl -a exit,always -S pread -F a1->a3=-1 -- no record on either auditctl -a exit,always -S pread -F exit=-22 -- no record on zSeries or xSeries Here is the code we are running: #define _XOPEN_SOURCE 500 #include <fcntl.h> #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> int main(int argc, char **argv) { int fd; ssize_t read; size_t size = 5; char buff[size+1]; off_t offset = 1; memset(buff,0,size+1); fd = open("test_file",O_RDONLY); read = pread(-1, -1, -1, -1); printf("read: %d from fd: %d\n",read,fd); printf("Contents: %s\n",buff); close(fd); }