Audit file descriptors passed to fooat(2) system calls, which are used

instead of the root/current working directory as the starting point for
lookups.  Up to two such descriptors can be audited.  Add audit record
BSM encoding for fooat(2).

Note: due to an error in the OpenBSM 1.1p1 configuration file, a
further change is required to that file in order to fix openat(2)
auditing.

Approved by:	re (kib)
Reviewed by:	rdivacky (fooat(2) portions)
Obtained from:	TrustedBSD Project
MFC after:	1 month

1 files changed, 26 insertions, 0 deletions

diff --git a/sys/security/audit/audit_arg.c b/sys/security/audit/audit_arg.c
index cf62421..bf4cb0a 100644
--- a/sys/security/audit/audit_arg.c
+++ b/sys/security/audit/audit_arg.c
@@ -101,6 +101,32 @@ audit_arg_len(int len)
 }
 
 void
+audit_arg_atfd1(int atfd)
+{
+	struct kaudit_record *ar;
+
+	ar = currecord();
+	if (ar == NULL)
+		return;
+
+	ar->k_ar.ar_arg_atfd1 = atfd;
+	ARG_SET_VALID(ar, ARG_ATFD1);
+}
+
+void
+audit_arg_atfd2(int atfd)
+{
+	struct kaudit_record *ar;
+
+	ar = currecord();
+	if (ar == NULL)
+		return;
+
+	ar->k_ar.ar_arg_atfd2 = atfd;
+	ARG_SET_VALID(ar, ARG_ATFD2);
+}
+
+void
 audit_arg_fd(int fd)
 {
 	struct kaudit_record *ar;