BUG: auditctl reports incorrect architecture for 64-bit PPC

[prb112]

Background/Setup

On a RHCOS Linux system, we have audit audit-3.0.7-103.el9.ppc64le running on a Power System. The rules display the wrong architecture, however are correct in the rule file, and when not interpreted.

Wrong Arch

# auditctl -l
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at,openat2 -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at,openat2 -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=unsuccessful-access
-a always,exclude -F msgtype=NETFILTER_CFG
-a always,exclude -F msgtype=ANOM_PROMISCUOUS

Correct Arch, not interpreted

auditctl -l -i 
-a always,exit -F arch=ppc64 -S open,openat,open_by_handle_at,openat2 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=ppc64 -S open,openat,open_by_handle_at,openat2 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exclude -F msgtype=NETFILTER_CFG
-a always,exclude -F msgtype=ANOM_PROMISCUOUS

I think this is just an auditctl listing error. Most likely in https://github.com/linux-audit/audit-userspace/blob/f8e9bc5914d715cdacb2edc938ab339d5094d017/src/auditctl-listing.c#L116 when it goes to search it reverts back to interporlating the rule's reference architecture.

The audit.log is still displayed correctly. This is a minor issue (hopefully), and I wanted to report to avoid further confusion for others.

Operating System Details

# uname -a
Linux worker0.hidden 5.14.0-284.52.1.el9_2.ppc64le #1 SMP Tue Jan 30 07:59:19 EST 2024 ppc64le ppc64le ppc64le GNU/Linux

Additional

Also, from 10 years, I don't think this is an accurate comment.

https://github.com/linux-audit/audit-kernel/blob/401fb9b2c228be30ade8acf7a4cbc3b620e853a1/include/uapi/linux/audit.h#L423

`/* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */`