Hey all,

I'm not sure if anyone else has seen this, or if its been brought up before (though I think
not), but I've discovered a problem with trying to have audit filter on fields with negative
values. I suspect this is due to a difference in kernel space and user space, given the
results I've seen below, but here are the particulars:

On zSeries and on xSeries, we have noticed that we are incapable (in some situations) of
filtering messages when the filter value is negative. On zSeries, this seems to be true for all
fields, while on xSeries, its true if the field is a1,a2,a3.

We have explicity tested -9 and -1, but I believe this code will extend to all manner of
negative values because seems to be related to the representation of these values in
the different architectures (32 v 64). I have not tested it on a 32-bit only platform, if someone
has the ability to that (should take all of 3minutes) that would probably be useful :)

Below is all of my test information.

Thanks,
Mike


Here are the records we not are seeing (you can trap them without an special filters):
zSeries:
type=SYSCALL msg=audit(1137516317.334:8619): arch=80000016 syscall=180 success=no exit=-22 a0=ffffffffffffffff a1=ffffffffffffffff a2=ffffffffffffffff a3=ffffffffffffffff items=0 pid=17427 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pread_attempt" exe="/rhcc/lspp/tests/LTP/ltp-merged/testcases/audit/filters/pread_attempt"

xSeries:
type=SYSCALL msg=audit(1137489462.885:205387): arch=c000003e syscall=17 success=no exit=-22 a0=ffffffff a1=ffffffffffffffff a2=ffffffffffffffff a3=ffffffffffffffff items=0 pid=8121 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="a.out" exe="/tests/LTP/ltp-merged/testcases/audit/syscalls/a.out"


Here are the auditctl commands we are using:
auditctl -a exit,always -S pread -- works always
auditctl -a exit,always -S pread -F a0=-1 -- works only on xSeries, no message on zSeries
auditctl -a exit,always -S pread -F a1->a3=-1 -- no record on either
auditctl -a exit,always -S pread -F exit=-22 -- no record on zSeries or xSeries


Here is the code we are running:
#define _XOPEN_SOURCE 500

#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

int main(int argc, char **argv)
{
int fd;
ssize_t read;
size_t size = 5;
char buff[size+1];
off_t offset = 1;

memset(buff,0,size+1);
fd = open("test_file",O_RDONLY);
read = pread(-1, -1, -1, -1);
printf("read: %d from fd: %d\n",read,fd);
printf("Contents: %s\n",buff);
close(fd);
}