author | rwatson <rwatson@FreeBSD.org> | 2006-02-02 01:32:58 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2006-02-02 01:32:58 +0000 |
commit | 53a606d94a7da0968ad20b2ee1517097923d514f (patch) | |
tree | 1354f44ce3f9ef606f42213772e3546b28a2cd73 | |
parent | 7a4b60ef35b8c1a8db22204fdc55f2c477cb9f1f (diff) | |
Hook up audit to fork() and exit() events. These changes manage the
audit state on processes, not auditing of these events.
Much work by: wsalamon
Obtained from: TrustedBSD Project
-rw-r--r-- | sys/kern/kern_exit.c | 5 | ||||
-rw-r--r-- | sys/kern/kern_fork.c | 12 |
2 files changed, 16 insertions, 1 deletions
diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 38e0131..c9e058d 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -72,6 +72,8 @@ __FBSDID("$FreeBSD$");
 #include <sys/ktrace.h>
 #endif
+#include <security/audit/audit.h>
+
 #include <vm/vm.h>
 #include <vm/vm_extern.h>
 #include <vm/vm_param.h>
@@ -827,6 +829,9 @@ loop:
 #ifdef MAC
 mac_destroy_proc(p);
 #endif
+#ifdef AUDIT
+ audit_proc_free(p);
+#endif
 KASSERT(FIRST_THREAD_IN_PROC(p), ("kern_wait: no residual thread!"));
 uma_zfree(proc_zone, p);
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index 5d300c9..5a2c042 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -66,6 +66,8 @@ __FBSDID("$FreeBSD$");
 #include <sys/sx.h>
 #include <sys/signalvar.h>
+#include <security/audit/audit.h>
+
 #include <vm/vm.h>
 #include <vm/pmap.h>
 #include <vm/vm_map.h>
@@ -271,6 +273,9 @@ fork1(td, flags, pages, procp)
 #ifdef MAC
 mac_init_proc(newproc);
 #endif
+#ifdef AUDIT
+ audit_proc_alloc(newproc);
+#endif
 knlist_init(&newproc->p_klist, &newproc->p_mtx, NULL, NULL, NULL);
 STAILQ_INIT(&newproc->p_ktr);
@@ -492,7 +497,9 @@ again:
 mtx_unlock_spin(&sched_lock);
 p2->p_ucred = crhold(td->td_ucred);
 td2->td_ucred = crhold(p2->p_ucred); /* XXXKSE */
-
+#ifdef AUDIT
+ audit_proc_fork(p1, p2);
+#endif
 pargs_hold(p2->p_args);
 if (flags & RFSIGSHARE) {
@@ -731,6 +738,9 @@ fail:
 #ifdef MAC
 mac_destroy_proc(newproc);
 #endif
+#ifdef AUDIT
+ audit_proc_free(newproc);
+#endif
 uma_zfree(proc_zone, newproc);
 if (p1->p_flag & P_HADTHREADS) {
 PROC_LOCK(p1);
 |
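Review bot: `audit_proc_alloc(newproc)` in the fork1 hunk at -271 is called as a bare statement, so if it can fail nothing here would notice and the child would start with no audit state attached. The hunk does not show its return type; if it cannot fail, a one-line comment above the call saying so (for example `/* Cannot fail; audit state must exist before the process becomes visible. */`, once confirmed) would make that explicit. The matching releases are `audit_proc_free(newproc)` under `fail:` and `audit_proc_free(p)` in the kern_exit.c hunk at -827. Because `newproc` is returned to `proc_zone`, it is worth confirming that no `goto fail` can run before this allocation, otherwise the free would act on whatever audit pointer a recycled structure still holds. fork1's body starts and ends outside all three hunks.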
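Review bot: `audit_proc_fork(p1, p2)` in the hunk at -492 reads the parent's audit state with no process lock visibly held; the preceding context only shows `sched_lock` being dropped. If another thread of `p1` can change that state concurrently, the child could presumably inherit a partly updated copy, which matters because inherited audit state is what keeps the child's actions attributable. Please state the locking assumption next to the call, e.g. `/* Child inherits p1's audit state; <lock or invariant to be named> keeps it stable here. */`, or take the lock inside audit_proc_fork(). The hunk also removes the blank line that separated the credential setup from `pargs_hold()`; restoring it after `#endif` would keep that grouping. The enclosing function starts and ends outside the hunk.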