In testing I am trying to understand the arguments audited by the sendto syscall (socketcall 11). The second argument is a pointer and always off by the same amount. I assume this is something like the mq_ syscall issue; however, I could not find a similar reason in the glibc code. Below are the expected results by my test and the actual audit record. (Fields with -2147483648 in the expected records are don't cares).
Thanks,
Kylie

>>> Expected:
SYSCALL: arch=ffffffff80000000 syscall=102 success=no exit=2 a0=b a1=3ffffb4d562 a2=e a3=0 ppid=-2147483648 pid=-2147483648 auid=-2147483648 uid=-2147483648 gid=-2147483648 euid=-2147483648 suid=-2147483648 fsuid=-2147483648 egid=-2147483648 sgid=-2147483648 fsgid=-2147483648 subj= key=

>>> Actual:
Time 1166038908 - Serial_No 2259 SYSCALL: arch=80000016 syscall=102 success=no exit=2 a0=b a1=3ffffb4d468 a2=e a3=0 ppid=8775 pid=8807 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 subj=testuser_u:user_r:user_t:s3 key=(null

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
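For anyone doing the expected-versus-actual comparison above by hand, here is an added Python example (not code from the post or from any LSPP test suite) that parses the two SYSCALL records, treats -2147483648 and empty fields in the expected record as don't-cares, lists the remaining mismatches, and computes the offset between the two a1 pointers. It also names the socketcall sub-call carried in a0. One fact worth keeping next to the records: socketcall(2) is `socketcall(int call, unsigned long *args)`, so on an arch that routes sendto through syscall 102 the audited a1 is the userspace address of that argument array, not the address of the buffer handed to sendto. The arch-to-socketcall table and the sub-call names come from the kernel's audit arch constants and <linux/net.h>; the two record strings are constructed from the post (with key=(null) written out as audit prints it).

```python
"""Compare an audit test's expected SYSCALL record with the one actually
emitted, as in the sendto/socketcall comparison quoted above.

Added example; not code from the post or from any LSPP test suite.
"""
import re

# Sentinel the test writer used for fields that are don't-cares.
DONT_CARE = "-2147483648"

# Audit 'arch' values on which syscall 102 is socketcall(2):
# s390x (EM_S390 | __AUDIT_ARCH_64BIT), s390 (EM_S390), i386 (EM_386 | __AUDIT_ARCH_LE).
SOCKETCALL_BY_ARCH = {"80000016": 102, "16": 102, "40000003": 102}

# Multiplexed call numbers from <linux/net.h>; they appear in a0 of a socketcall record.
SOCKETCALL_NAMES = {
    1: "SYS_SOCKET", 2: "SYS_BIND", 3: "SYS_CONNECT", 4: "SYS_LISTEN",
    5: "SYS_ACCEPT", 6: "SYS_GETSOCKNAME", 7: "SYS_GETPEERNAME",
    8: "SYS_SOCKETPAIR", 9: "SYS_SEND", 10: "SYS_RECV", 11: "SYS_SENDTO",
    12: "SYS_RECVFROM", 13: "SYS_SHUTDOWN", 14: "SYS_SETSOCKOPT",
    15: "SYS_GETSOCKOPT", 16: "SYS_SENDMSG", 17: "SYS_RECVMSG",
}

_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_record(line):
    """Return {field: value} for everything after 'SYSCALL:' in an audit line.

    Empty values ('subj= key=') are kept as '' so the caller decides whether
    they are wildcards; a leading 'Time ... - Serial_No ...' prefix is dropped.
    """
    _, _, body = line.partition("SYSCALL:")
    return dict(_FIELD.findall(body))


def is_wildcard(value):
    """Expected-record fields written as -2147483648 or left empty are don't-cares."""
    return value in ("", DONT_CARE)


def compare_records(expected_line, actual_line):
    """List (field, expected, actual) for every non-wildcard expected field
    that the actual record lacks or carries with a different value."""
    expected = parse_record(expected_line)
    actual = parse_record(actual_line)
    diffs = []
    for field, want in expected.items():
        if is_wildcard(want):
            continue
        got = actual.get(field)
        if got is None or got.lower() != want.lower():
            diffs.append((field, want, got))
    return diffs


def pointer_delta(expected_line, actual_line, field="a1"):
    """Signed difference (actual - expected) of a hex-encoded argument field."""
    want = int(parse_record(expected_line)[field], 16)
    got = int(parse_record(actual_line)[field], 16)
    return got - want


def describe_socketcall(record):
    """If the record is a socketcall(2) on its arch, name the sub-call in a0
    and say what a1 holds; otherwise return None.

    socketcall(int call, unsigned long *args): a0 is the call number and a1
    is the userspace address of the args array the kernel read the real
    sendto arguments from, not the data buffer passed to sendto.
    """
    arch = record.get("arch", "").lower()
    if SOCKETCALL_BY_ARCH.get(arch) != int(record["syscall"]):
        return None
    call = int(record["a0"], 16)
    name = SOCKETCALL_NAMES.get(call, "unknown(%d)" % call)
    return ("%s via socketcall; a1=0x%s is the address of the argument array, "
            "not the data buffer" % (name, record["a1"]))


# Records constructed from the two quoted in the post.
EXPECTED = ("SYSCALL: arch=ffffffff80000000 syscall=102 success=no exit=2 a0=b a1=3ffffb4d562 "
            "a2=e a3=0 ppid=-2147483648 pid=-2147483648 auid=-2147483648 uid=-2147483648 "
            "gid=-2147483648 euid=-2147483648 suid=-2147483648 fsuid=-2147483648 "
            "egid=-2147483648 sgid=-2147483648 fsgid=-2147483648 subj= key=")
ACTUAL = ("Time 1166038908 - Serial_No 2259 SYSCALL: arch=80000016 syscall=102 success=no "
          "exit=2 a0=b a1=3ffffb4d468 a2=e a3=0 ppid=8775 pid=8807 auid=501 uid=501 gid=501 "
          "euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 "
          "subj=testuser_u:user_r:user_t:s3 key=(null)")

if __name__ == "__main__":
    for field, want, got in compare_records(EXPECTED, ACTUAL):
        print("mismatch %s: expected %s, got %s" % (field, want, got))
    print("a1 delta (actual - expected): %d bytes" % pointer_delta(EXPECTED, ACTUAL))
    print(describe_socketcall(parse_record(ACTUAL)))
```

Run against the two quoted records, only arch and a1 survive the wildcard filter, and the a1 delta is -250 bytes (0xfa), i.e. the audited pointer lies below the expected one, which is consistent with an argument array sitting on the stack below the caller's buffer.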
