Change Details

Notably, teach `audit_syscall_exit` about EJUSTRETURN, which is generally more of a 'successful' event rather than an 'erroneous' event as it's currently reported. Oftentimes these syscalls will in-fact not be observed returning at all. This was initially relatively harmless, but became a larger issue after rS326145 corrected do_execve() to use it. Following that revision, all exec's are reported as failure in the audit logs, which is less than useful. The syscallenter changed was deemed necessary by inspection of the potential impact. With TDP_NERRNO set, it becomes a little more complicated because `error` almost certainly doesn't reflect what's going to be returned to userland. There are two examples of this currently in the tree: - sigsuspend(), which will return -1/EINTR (not audited anyways, but still a scenario that we should probably handle correctly) - posix_*(), which will return 0 or an error value, but will not set errno If the syscall is returning 0 but setting td->td_errno, then it should be clear that it wants to return td->td_retval[0] so we can continue treating a returned success as success. On the other hand, if it's setting td->td_errno and returning some non-0 value (presumably these will usually be negative/special errnos), then we should assume that the return value isn't meant for us and we should treat td->td_errno as `error`. PR: 249179

rS326145 corrected do_execve() to return EJUSTRETURN upon success so that important registers are not clobbered. This had the side effect of tapping out 'failures' for all *execve(2) audit records, which is less than useful for auditing purposes. PR: 249179

Notably, teach `audit_syscall_exit` about EJUSTRETURN, which is generally more of a 'successful' event rather than an 'erroneous' event as it's currently reported. Oftentimes these syscalls will in-fact not be observed returning at all. This was initially relatively harmless, but became a larger issue after rS326145 corrected do_execve() to use it. Following that revision, all exec's are reported as failure in the audit logs, which is less than useful. The syscallenter changed was deemed necessary by inspection of the potential impact. With TDP_NERRNO set, it becomes a little more complicated because `error` almost certainly doesn't reflect what's going to be returned to userland. There are two examples of this currently in the tree: - sigsuspend(), which will return -1/EINTR (not audited anyways, but still a scenario that we should probably handle correctly) - posix_*(), which will return 0 or an error value, but will not set errno If the syscall is returning 0 but setting td->td_errno, then it should be clear that it wants to return td->td_retval[0] so we can continue treating a returned success as success. On the other hand,rS326145 corrected do_execve() to return EJUSTRETURN upon success so that important registers are not clobbered. if it's setting td->td_errno and returning some non-0 value (presumably these will usually be negative/special errnos)This had the side effect of tapping out 'failures' for all *execve(2) audit records, then we should assumewhich is less that the return value isn't meantn useful for us and we should treat td->td_errno as `error`auditing purposes. PR: 249179