author | rwatson <rwatson@FreeBSD.org> | 2009-07-28 21:39:58 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2009-07-28 21:39:58 +0000 |
commit | 21e3bcee4378f043e902dc1bab9ac2915235f40a (patch) | |
tree | 441a5395402f45cf8439af427c181e056625d4f4 /sys/security/audit/audit.c | |
parent | fa74d2c7e54f546f30ebc8df6467929fa74d72f6 (diff) | |
Audit file descriptors passed to fooat(2) system calls, which are used
instead of the root/current working directory as the starting point for
lookups. Up to two such descriptors can be audited. Add audit record
BSM encoding for fooat(2).
Note: due to an error in the OpenBSM 1.1p1 configuration file, a
further change is required to that file in order to fix openat(2)
auditing.
Approved by: re (kib)
Reviewed by: rdivacky (fooat(2) portions)
Obtained from: TrustedBSD Project
MFC after: 1 month
Diffstat (limited to 'sys/security/audit/audit.c')
-rw-r--r-- | sys/security/audit/audit.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c index 1967e05..40daaa9 100644 --- a/sys/security/audit/audit.c +++ b/sys/security/audit/audit.c @@ -409,17 +409,22 @@ audit_commit(struct kaudit_record *ar, int error, int retval) else sorf = AU_PRS_SUCCESS; + /* + * syscalls.master sometimes contains a prototype event number, which + * we will transform into a more specific event number now that we + * have more complete information gathered during the system call. + */ switch(ar->k_ar.ar_event) { case AUE_OPEN_RWTC: - /* - * The open syscall always writes a AUE_OPEN_RWTC event; - * change it to the proper type of event based on the flags - * and the error value. - */ ar->k_ar.ar_event = audit_flags_and_error_to_openevent( ar->k_ar.ar_arg_fflags, error); break; + case AUE_OPENAT_RWTC: + ar->k_ar.ar_event = audit_flags_and_error_to_openatevent( + ar->k_ar.ar_arg_fflags, error); + break; + case AUE_SYSCTL: ar->k_ar.ar_event = audit_ctlname_to_sysctlevent( ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); |
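Review bot: In the new `case AUE_OPENAT_RWTC:` arm, `ar->k_ar.ar_arg_fflags` is passed to `audit_flags_and_error_to_openatevent()` without consulting `ar->k_ar.ar_valid_arg`, while the `AUE_SYSCTL` arm directly below hands `ar_valid_arg` to its converter. If an openat(2) call can reach `audit_commit()` before the flags argument has been recorded, the prototype event would be mapped from an unset flags value and the record would carry a misleading event type. Either check the validity bit for the flags argument before converting, or add a sentence to the new block comment stating that the flags are always captured before any failure path. This mirrors the existing `AUE_OPEN_RWTC` arm, so the same remark applies there. Separately, the per-case comment removed from `AUE_OPEN_RWTC` was the only place that said the syscall always emits the `_RWTC` prototype event; the replacement comment says "sometimes contains a prototype event number" without naming which events, so listing the prototype events handled by this switch would keep that information.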