Bug 242938
| Summary: | audit(4) records the wrong exit code for execve() | ||
|---|---|---|---|
| Product: | Base System | Reporter: | ben |
| Component: | kern | Assignee: | freebsd-audit Mailing List (Nobody) <audit> |
| Status: | Closed DUPLICATE | ||
| Severity: | Affects Some People | CC: | asomers, cem, driesm, kevans, rwatson |
| Priority: | --- | ||
| Version: | CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
| See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250670 | ||
|
Description
ben
2019-12-28 12:20:10 UTC
*** This bug has been marked as a duplicate of bug 249179 *** Sorry for having missed this report. =( A commit references this bug: Author: kevans Date: Tue Oct 27 13:13:06 UTC 2020 New revision: 367080 URL: https://svnweb.freebsd.org/changeset/base/367080 Log: MFC r367002, r367060 r367002: audit: correct reporting of *execve(2) success r326145 corrected do_execve() to return EJUSTRETURN upon success so that important registers are not clobbered. This had the side effect of tapping out 'failures' for all *execve(2) audit records, which is less than useful for auditing purposes. Audit exec returns earlier, where we can know for sure that EJUSTRETURN translates to success. Note that this unsets TDP_AUDITREC as we commit the audit record, so the usual audit in the syscall return path will do nothing. r367060: audit: also correctly audit linux_execve() Linux execve() gets audited as AUE_EXECVE as well, we should also interpret the return from this correctly for the same reasoning as in r367002. PR: 249179, 242938 Changes: _U stable/12/ stable/12/sys/amd64/linux/linux_machdep.c stable/12/sys/amd64/linux32/linux32_machdep.c stable/12/sys/arm64/linux/linux_machdep.c stable/12/sys/compat/freebsd32/freebsd32_misc.c stable/12/sys/i386/linux/linux_machdep.c stable/12/sys/kern/kern_exec.c stable/12/sys/kern/subr_syscall.c |
