authorrwatson <rwatson@FreeBSD.org>2008-08-25 13:50:01 +0000
committerrwatson <rwatson@FreeBSD.org>2008-08-25 13:50:01 +0000
commitacf5da1d357825978c6574d39909901e5174e4a7 (patch)
treee48dabc39cfaec1bb363e91183039111432a9e4f
parentb9dfa1bea1499464580f487113b117b5667d7fd4 (diff)
More fully audit fexecve(2) and its arguments.
Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
-rw-r--r--sys/kern/kern_exec.c2
-rw-r--r--sys/security/audit/audit_bsm.c7
2 files changed, 9 insertions, 0 deletions
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 0d1e871..8ea45d5 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -412,11 +412,13 @@ interpret:
binvp = ndp->ni_vp;
imgp->vp = binvp;
} else {
+ AUDIT_ARG(fd, args->fd);
error = fgetvp(td, args->fd, &binvp);
if (error)
goto exec_fail;
vfslocked = VFS_LOCK_GIANT(binvp->v_mount);
vn_lock(binvp, LK_EXCLUSIVE | LK_RETRY);
+ AUDIT_ARG(vnode, binvp, ARG_VNODE1);
imgp->vp = binvp;
}
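Review bot: The added `AUDIT_ARG(vnode, binvp, ARG_VNODE1);` is only correct where it sits, after `vn_lock()`, and nothing in the code says so. As far as I know the vnode audit helper reads the vnode's attributes and expects the vnode to be locked, so a later reshuffle that moves it above the lock would break it; please confirm this against the helper. A short comment would pin the ordering, e.g. `/* Audit the vnode only after it is locked. */`. Auditing the fd before `fgetvp()` is worth keeping as is, since a failed lookup then still leaves the descriptor in the record. The enclosing if/else starts and ends outside the hunk.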
diff --git a/sys/security/audit/audit_bsm.c b/sys/security/audit/audit_bsm.c
index a7fbb21..e060727 100644
--- a/sys/security/audit/audit_bsm.c
+++ b/sys/security/audit/audit_bsm.c
@@ -762,6 +762,13 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
EXTATTR_TOKENS;
break;
+ case AUE_FEXECVE:
+ if (ARG_IS_VALID(kar, ARG_FD)) {
+ tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+ kau_write(rec, tok);
+ }
+ /* FALLTHROUGH */
+
case AUE_EXECVE:
if (ARG_IS_VALID(kar, ARG_ARGV)) {
tok = au_to_exec_args(ar->ar_arg_argv,
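Review bot: The new `case AUE_FEXECVE:` writes only the fd token and depends on the fall-through into `case AUE_EXECVE:` for everything else, including whatever identifies the executed image. An fexecve(2) record has no pathname, so the vnode data captured by `AUDIT_ARG(vnode, binvp, ARG_VNODE1)` in kern_exec.c is the only thing that ties the event to a file. The rest of the `AUE_EXECVE` case lies outside the hunk, so please confirm it emits the vnode tokens when `ARG_VNODE1` is valid. Otherwise the trail carries only a descriptor number, which tells a later reader of the log very little. The fall-through comment could also state the intent, e.g. `/* FALLTHROUGH: remaining tokens are shared with AUE_EXECVE. */`.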