It seems that audit is recording an errno of EJUSTRETURN instead of 0 for calls to execve(). This makes an audit policy with +ex ineffective.

header_ex,301,11,execve(2),0,::1,Sat Dec 28 12:10:13 2019, + 102 msec
exec arg,/usr/libexec/atrun
(...)
return,failure: Unknown error: 201,4294967295

I suspect D13180/r326145, but haven't investigated further.
*** This bug has been marked as a duplicate of bug 249179 ***
Sorry for having missed this report. =(
A commit references this bug:

Author: kevans
Date: Tue Oct 27 13:13:06 UTC 2020
New revision: 367080
URL: https://svnweb.freebsd.org/changeset/base/367080

Log:
  MFC r367002, r367060

  r367002:
  audit: correct reporting of *execve(2) success

  r326145 corrected do_execve() to return EJUSTRETURN upon success so that important registers are not clobbered. This had the side effect of tapping out 'failures' for all *execve(2) audit records, which is less than useful for auditing purposes.

  Audit exec returns earlier, where we can know for sure that EJUSTRETURN translates to success. Note that this unsets TDP_AUDITREC as we commit the audit record, so the usual audit in the syscall return path will do nothing.

  r367060:
  audit: also correctly audit linux_execve()

  Linux execve() gets audited as AUE_EXECVE as well, we should also interpret the return from this correctly for the same reasoning as in r367002.

  PR: 249179, 242938

Changes:
  _U stable/12/
  stable/12/sys/amd64/linux/linux_machdep.c
  stable/12/sys/amd64/linux32/linux32_machdep.c
  stable/12/sys/arm64/linux/linux_machdep.c
  stable/12/sys/compat/freebsd32/freebsd32_misc.c
  stable/12/sys/i386/linux/linux_machdep.c
  stable/12/sys/kern/kern_exec.c
  stable/12/sys/kern/subr_syscall.c
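For trails already collected on a kernel without this fix, the following added example (not code from the report or from FreeBSD) re-reads praudit text output and separates execve records carrying the return line quoted in the report from genuine failures. The function names and the sample trail are constructed for illustration; treating "Unknown error: 201" on an exec event as success is an assumption based on the description above.

```python
import re

# Constructed sample in praudit's one-token-per-line layout. The first record
# reuses the header and return lines quoted in the report; the rest is made up.
SAMPLE = """\
header_ex,301,11,execve(2),0,::1,Sat Dec 28 12:10:13 2019, + 102 msec
exec arg,/usr/libexec/atrun
return,failure: Unknown error: 201,4294967295
trailer,301
header,120,11,execve(2),0,Sat Dec 28 12:11:00 2019, + 5 msec
exec arg,/nonexistent
return,failure : No such file or directory,4294967295
trailer,120
header,96,11,open(2) - read,0,Sat Dec 28 12:11:01 2019, + 9 msec
return,success,3
trailer,96
"""

# Return token as it appears in the report: EJUSTRETURN leaking into the record.
ARTIFACT = re.compile(r"^return,failure\s*: Unknown error: 201,4294967295$")

def records(text):
    """Yield each audit record as a list of token lines (header .. trailer)."""
    rec = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("header,", "header_ex,")):
            rec = [line]
        elif rec:
            rec.append(line)
            if line.startswith("trailer,"):
                yield rec
                rec = []

def classify(rec):
    """Return (event, verdict); exec records with the artifact count as success."""
    event = rec[0].split(",")[3]  # 4th header field is the event name
    ret = next((t for t in rec if t.startswith("return,")), None)
    if ret is None:
        return event, "no-return-token"
    if "execve" in event and ARTIFACT.match(ret):
        return event, "success-misreported"
    return event, ("success" if ret.startswith("return,success") else "failure")

if __name__ == "__main__":
    for r in records(SAMPLE):
        print(*classify(r), sep="\t")
```
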