Audit the argv and env vectors passed in on exec:

  Add the argument auditing functions for argv and env.
  Add kernel-specific versions of the tokenizer functions for the
  arg and env represented as a char array.
  Implement the AUDIT_ARGV and AUDIT_ARGE audit policy commands to
  enable/disable argv/env auditing.
  Call the argument auditing from the exec system calls.

Obtained from: TrustedBSD Project
Approved by: rwatson (mentor)

1 files changed, 8 insertions, 0 deletions

diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c
index 07cf3278..be0d481 100644
--- a/sys/security/audit/audit.c
+++ b/sys/security/audit/audit.c
@@ -92,6 +92,8 @@ int			audit_suspended;
  */
 int			audit_panic_on_write_fail;
 int			audit_fail_stop;
+int			audit_argv;
+int			audit_arge;
 
 /*
  * Are we currently "failing stop" due to out of disk space?
@@ -204,6 +206,10 @@ audit_record_dtor(void *mem, int size, void *arg)
 		free(ar->k_ar.ar_arg_text, M_AUDITTEXT);
 	if (ar->k_udata != NULL)
 		free(ar->k_udata, M_AUDITDATA);
+	if (ar->k_ar.ar_arg_argv != NULL)
+		free(ar->k_ar.ar_arg_argv, M_AUDITTEXT);
+	if (ar->k_ar.ar_arg_envv != NULL)
+		free(ar->k_ar.ar_arg_envv, M_AUDITTEXT);
 }
 
 /*
@@ -221,6 +227,8 @@ audit_init(void)
 	audit_panic_on_write_fail = 0;
 	audit_fail_stop = 0;
 	audit_in_failure = 0;
+	audit_argv = 0;
+	audit_arge = 0;
 
 	audit_fstat.af_filesz = 0;	/* '0' means unset, unbounded */
 	audit_fstat.af_currsz = 0;