Undetected syscall error #2061

Open
d4l-w4r opened this issue Jan 25, 2024 · 1 comment

d4l-w4r commented Jan 25, 2024

Hi!
I just noticed that sysdig seems to miss a syscall error that is caught by both auditd and strace.
Note: I'm using sysdig without eBPF

When I run the following command from my normal, non-privileged user

[ -r /root ] || echo "not root"

sysdig correctly catches that the syscall faccessat2 is used by this expression, however no corresponding EACCES error is found in the "Errors" view of csysdig.

When using the same expression with strace, I get the following line in the output:
access("/root", R_OK) = -1 EACCES (Permission denied)

And also auditd will log this EACCES (13) event when I add the rule -a always,exit -S all -F exit=-EACCES:
type=SYSCALL (...) syscall=439 success=no exit=-13 (...) comm="bash" exe="/usr/bin/bash" (...) SYSCALL=faccessat2

If I instead try to use touch /root/test as a non-privileged user, csysdig will correctly show an EACCES error caused by the openat syscall.

Is this a bug, or somehow expected/intended behavior?

The only real difference I see here is that [ or the equivalent test are built-ins of the shell.


This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label May 25, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 1, 2024
@therealbobo therealbobo reopened this Jun 4, 2024
@github-actions github-actions bot removed the stale label Jun 5, 2024
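
To separate the shell built-in from the syscall itself when triaging the report above, the following reproducer (an added example, not code from the issue or from the sysdig project) issues faccessat2 and openat directly and prints the raw result in the same -errno form as auditd's exit= field, so it can be compared with what strace, auditd and csysdig each record. It assumes Linux 5.8 or later; the function names `probe_faccessat2` and `probe_openat` are hypothetical, and the openat flags are an assumption standing in for what touch does.

```c
/* Added example: direct syscall reproducer; function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* fallback for old headers; matches syscall=439 in the auditd record */
#endif

/* Raw faccessat2(2), bypassing libc wrappers: 0 on success, -errno on failure. */
long probe_faccessat2(const char *path, int mode)
{
    long r = syscall(SYS_faccessat2, AT_FDCWD, path, mode, 0);
    return r == -1 ? -(long)errno : r;
}

/* Raw openat(2) for writing with O_CREAT (assumed flags): 0 on success, -errno on failure. */
long probe_openat(const char *path)
{
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_WRONLY | O_CREAT, 0644);
    if (fd == -1)
        return -(long)errno;
    close((int)fd);
    return 0;
}

/* Print one result line, with the errno text when the call failed. */
static void report(const char *name, const char *path, long r)
{
    printf("%-10s %-12s = %ld%s%s\n", name, path, r,
           r < 0 ? " " : "", r < 0 ? strerror((int)-r) : "");
}

int main(void)
{
    /* Run as the same non-privileged user as in the issue, while the capture is active. */
    report("faccessat2", "/root", probe_faccessat2("/root", R_OK));
    report("openat", "/root/test", probe_openat("/root/test"));
    return 0;
}
```

If the faccessat2 failure is missing from the capture for this binary as well, the shell built-in is not the differentiating factor.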