It seems that audit is recording an errno of EJUSTRETURN instead of 0 for calls to execve(). This makes an audit policy with +ex ineffective.
header_ex,301,11,execve(2),0,::1,Sat Dec 28 12:10:13 2019, + 102 msec
return,failure: Unknown error: 201,4294967295
I suspect D13180/r326145, but haven't investigated further.
*** This bug has been marked as a duplicate of bug 249179 ***
Sorry for having missed this report. =(
A commit references this bug:
Date: Tue Oct 27 13:13:06 UTC 2020
New revision: 367080
MFC r367002, r367060
audit: correct reporting of *execve(2) success
r326145 corrected do_execve() to return EJUSTRETURN upon success so that
important registers are not clobbered. This had the side effect of tapping
out 'failures' for all *execve(2) audit records, which is less than useful
for auditing purposes.
Audit exec returns earlier, where we can know for sure that EJUSTRETURN
translates to success. Note that this unsets TDP_AUDITREC as we commit the
audit record, so the usual audit in the syscall return path will do nothing.
audit: also correctly audit linux_execve()
Linux execve() gets audited as AUE_EXECVE as well, we should also interpret
the return from this correctly for the same reasoning as in r367002.
PR: 249179, 242938
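An added example (not part of this bug thread or of FreeBSD's code) showing why the symptom above defeats a success-only preselection flag: it parses praudit-style records, flags exec events carrying the "Unknown error: 201" return, and applies the audit_control(5) prefix rules. The function names are hypothetical, the second sample record is constructed, and the code assumes the event already belongs to the ex class.

```python
import re

# Sample praudit output: the first record is the one quoted in the report;
# the second is constructed to show a successful return token for contrast.
SAMPLE = """\
header_ex,301,11,execve(2),0,::1,Sat Dec 28 12:10:13 2019, + 102 msec
return,failure: Unknown error: 201,4294967295
header_ex,301,11,execve(2),0,::1,Sat Dec 28 12:10:14 2019, + 5 msec
return,success,0
"""

def parse_records(text):
    """Yield (event, succeeded, status) for each header/return token pair."""
    event = None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        if token in ("header", "header_ex"):
            # Fields after the token: byte count, version, event name, ...
            event = rest.split(",")[2]
        elif token == "return" and event is not None:
            # The status text may contain colons; the return value is last.
            status = rest.rsplit(",", 1)[0]
            yield event, status.startswith("success"), status
            event = None

def selected(flag, succeeded):
    """Prefix rules: '+' selects successes only, '-' failures only, bare both."""
    if flag.startswith("+"):
        return succeeded
    if flag.startswith("-"):
        return not succeeded
    return True

def misreported_exec(event, status):
    """Symptom from this report: an exec event 'failing' with error 201."""
    return "execve" in event and re.search(r"Unknown error: 201$", status) is not None

def summarize(text, flag="+ex"):
    """Return (event, kept_by_flag, looks_misreported) for every record."""
    return [(ev, selected(flag, ok), misreported_exec(ev, st))
            for ev, ok, st in parse_records(text)]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
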