linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: some syscall records missing a success field #26

Open stevegrubb opened 8 years ago

stevegrubb commented 8 years ago

There are some syscalls being emitted that have missing success and exit values. For example:

type=PROCTITLE msg=audit(11/16/2016 12:50:35.860:856) : proctitle=/lib/ld-linux.so.2 --verify /home/sgrubb/working/BUILDROOT/audit-2.7-1.fc24.x86_64/sbin/audisp-remote

type=SYSCALL msg=audit(11/16/2016 12:50:35.860:856) : arch=i386 syscall=exit_group a0=EXIT_FAILURE a1=0xffc738a4 a2=0x56621ca9 a3=0x0 items=0 ppid=20063 pid=20065 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts4 ses=5 comm=ld-linux.so.2 exe=/usr/lib/ld-2.23.so subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=32bit-abi

We really need to know if the syscall succeeded or not.

pcmoore commented 8 years ago

We would need to verify this, but I believe the issue might be due to the nature of the syscall, for example, the exit_group(2) syscall never returns. Do you have a list of syscalls where you have observed this behavior?

pcmoore commented 7 years ago

@stevegrubb (see comment above) I know you've been working on this a lot recently, do you have a list of syscalls where you are seeing missing success/exit values?

stevegrubb commented 7 years ago

I looked at the code and there seems to be a conditional. The one I noticed is exit_group. I don't know of others. It would seem that if exit_group can never fail, then we should assign success and the exit value be whatever is returned to the parent process via sigchld.

pcmoore commented 7 years ago

> I looked at the code and there seems to be a conditional.

I'm sorry, I need some context here; which code are you referring to with "the code"? Kernel? Userspace? Some test?

> The one I noticed is exit_group. I don't know of others.

While I recognize that the syscall list potentially changes with each kernel release, it would be really nice if we had a definitive answer to this for a given kernel release. When you say, "I don't know of others", do you mean you checked all the syscalls for kernel X and exit_group() was the only one like this? Or do you mean, I've done some limited testing/inspection and exit_group() is the only one I'm aware of, but there may be others. For obvious reasons, the former is better than the latter.

I just want to make sure we understand the scope of the changes requested before we jump to any sort of conclusion/fix.

stevegrubb commented 7 years ago

The code in question is the kernel code (otherwise I'd file the bug against user space). When I say I noticed that exit_group doesn't have a success field, I mean that I see this in my logs. To look for it,

ausearch --start today -m syscall --format csv > audit.csv

Then open it in libreoffice. Of course what you see is an absence of success or fail.
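As an added example (not part of this issue thread or of the audit project's code), a small Python check that parses interpreted SYSCALL records like the one quoted above and flags records carrying no success=/exit= fields, separating the exit_group case, which the thread explains never returns, from a record that is genuinely incomplete. The sample records are constructed, shaped like the ausearch -i output in the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records: same shape as the ausearch -i output quoted in
# the issue, but every value is made up rather than taken from a real host.
SAMPLE_RECORDS = [
    # exit_group(2) never returns, so the kernel has no result to report.
    "type=SYSCALL msg=audit(11/16/2016 12:50:35.860:856) : arch=i386 syscall=exit_group "
    "a0=EXIT_FAILURE a1=0xffc738a4 a2=0x56621ca9 a3=0x0 items=0 ppid=20063 pid=20065 "
    "auid=sgrubb uid=sgrubb comm=ld-linux.so.2 exe=/usr/lib/ld-2.23.so key=32bit-abi",
    # Ordinary syscall records carry both success= and exit=.
    "type=SYSCALL msg=audit(11/16/2016 12:50:35.860:857) : arch=x86_64 syscall=openat "
    "success=yes exit=3 a0=0xffffff9c items=1 ppid=20063 pid=20066 auid=sgrubb comm=cat "
    "exe=/usr/bin/cat key=files",
    "type=SYSCALL msg=audit(11/16/2016 12:50:36.001:858) : arch=x86_64 syscall=connect "
    "success=no exit=ECONNREFUSED a0=0x3 items=0 ppid=1 pid=20070 auid=sgrubb comm=curl "
    "exe=/usr/bin/curl key=net",
    # A non-SYSCALL record from the same event; the check must skip it.
    "type=PROCTITLE msg=audit(11/16/2016 12:50:35.860:856) : proctitle=/lib/ld-linux.so.2",
]

# Header: type=TYPE msg=audit(TIMESTAMP:SERIAL); the timestamp contains a space,
# so it is parsed separately from the plain key=value body.
_HEAD_RE = re.compile(r"^type=(\w+) msg=audit\((.+):(\d+)\)$")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Syscalls that by design never return to the caller. Only exit_group is
# named in the issue; extend this set for other non-returning syscalls.
NON_RETURNING = {"exit_group"}


def parse_record(line: str) -> Dict[str, str]:
    """Split one interpreted audit record into a dict of its fields."""
    head, _, body = line.partition(" : ")
    m = _HEAD_RE.match(head.strip())
    if not m:
        raise ValueError(f"not an audit record: {line[:40]!r}")
    fields = {"type": m.group(1), "timestamp": m.group(2), "serial": m.group(3)}
    for key, value in _KV_RE.findall(body):
        fields[key] = value.strip('"')
    return fields


def missing_result(records: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (serial, syscall, explained) for SYSCALL records lacking success/exit.

    'explained' is True when the syscall never returns (so the omission is
    expected), False when the record is genuinely incomplete and worth a look.
    """
    findings = []
    for line in records:
        rec = parse_record(line)
        if rec["type"] != "SYSCALL" or ("success" in rec and "exit" in rec):
            continue
        name = rec.get("syscall", "?")
        findings.append((rec["serial"], name, name in NON_RETURNING))
    return findings
```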