Correct a slight regression which was introduced with the implementation of

audit pipes. If the kernel record was not selected for the trail or the pipe,
any user supplied record attached to it would be tossed away, resulting in
otherwise selected events being lost.

- Introduce two new masks: AR_PRESELECT_USER_TRAIL AR_PRESELECT_USER_PIPE,
  currently we have AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE, which tells
  the audit worker that we are interested in the kernel record, with
  the additional masks we can determine if either the pipe or trail is
  interested in seeing the kernel or user record.

- In audit(2), we unconditionally set the AR_PRESELECT_USER_TRAIL and
  AR_PRESELECT_USER_PIPE masks under the assumption that userspace has
  done the preselection [1].

Currently, there is work being done that allows the kernel to parse and
preselect user supplied records, so in the future preselection could occur
in either layer. But there is still a few details to work out here.

[1] At some point we need to teach au_preselect(3) about the interests of
    all the individual audit pipes.

This is a RELENG_6 candidate.

Reviewed by:	rwatson
Obtained from:	TrustedBSD Project
MFC after:	1 week

4 files changed, 20 insertions, 5 deletions

diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c
index 813d0fa..31b6178 100644
--- a/sys/security/audit/audit.c
+++ b/sys/security/audit/audit.c
@@ -396,8 +396,8 @@ audit_commit(struct kaudit_record *ar, int error, int retval)
 	if (audit_pipe_preselect(auid, event, class, sorf,
 	    ar->k_ar_commit & AR_PRESELECT_TRAIL) != 0)
 		ar->k_ar_commit |= AR_PRESELECT_PIPE;
-	if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE)) ==
-	    0) {
+	if ((ar->k_ar_commit & (AR_PRESELECT_TRAIL | AR_PRESELECT_PIPE |
+	    AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE)) == 0) {
 		mtx_lock(&audit_mtx);
 		audit_pre_q_len--;
 		mtx_unlock(&audit_mtx);
diff --git a/sys/security/audit/audit_private.h b/sys/security/audit/audit_private.h
index f6cd17a..e232bcd 100644
--- a/sys/security/audit/audit_private.h
+++ b/sys/security/audit/audit_private.h
@@ -96,6 +96,9 @@ extern int			audit_arge;
 #define	AR_PRESELECT_TRAIL	0x00001000U
 #define	AR_PRESELECT_PIPE	0x00002000U
 
+#define	AR_PRESELECT_USER_TRAIL	0x00004000U
+#define	AR_PRESELECT_USER_PIPE	0x00008000U
+
 /*
  * Audit data is generated as a stream of struct audit_record structures,
  * linked by struct kaudit_record, and contain storage for possible audit so
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index eb18c76..03884b2 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -118,6 +118,14 @@ audit(struct thread *td, struct audit_args *uap)
 	ar->k_udata = rec;
 	ar->k_ulen  = uap->length;
 	ar->k_ar_commit |= AR_COMMIT_USER;
+
+	/*
+	 * Currently we assume that all preselection has been performed in
+	 * userspace. We unconditionally set these masks so that the records
+	 * get committed both to the trail and pipe.  In the future we will
+	 * want to setup kernel based preselection.
+	 */
+	ar->k_ar_commit |= (AR_PRESELECT_USER_TRAIL | AR_PRESELECT_USER_PIPE);
 	return (0);
 
 free_out:
diff --git a/sys/security/audit/audit_worker.c b/sys/security/audit/audit_worker.c
index d4cef64..cfe46fa 100644
--- a/sys/security/audit/audit_worker.c
+++ b/sys/security/audit/audit_worker.c
@@ -323,7 +323,7 @@ audit_worker_process_record(struct vnode *audit_vp, struct ucred *audit_cred,
 	int sorf;
 
 	if ((ar->k_ar_commit & AR_COMMIT_USER) &&
-	    (ar->k_ar_commit & AR_PRESELECT_TRAIL)) {
+	    (ar->k_ar_commit & AR_PRESELECT_USER_TRAIL)) {
 		error = audit_record_write(audit_vp, audit_cred, audit_td,
 		    ar->k_udata, ar->k_ulen);
 		if (error && audit_panic_on_write_fail)
@@ -331,11 +331,14 @@ audit_worker_process_record(struct vnode *audit_vp, struct ucred *audit_cred,
 		else if (error)
 			printf("audit_worker: write error %d\n", error);
 	}
+
 	if ((ar->k_ar_commit & AR_COMMIT_USER) &&
-	    (ar->k_ar_commit & AR_PRESELECT_PIPE))
+	    (ar->k_ar_commit & AR_PRESELECT_USER_PIPE))
 		audit_pipe_submit_user(ar->k_udata, ar->k_ulen);
 
-	if (!(ar->k_ar_commit & AR_COMMIT_KERNEL))
+	if (!(ar->k_ar_commit & AR_COMMIT_KERNEL) ||
+	    ((ar->k_ar_commit & AR_PRESELECT_PIPE) == 0 &&
+	    (ar->k_ar_commit & AR_PRESELECT_TRAIL) == 0))
 		return;
 
 	auid = ar->k_ar.ar_subj_auid;
@@ -372,6 +375,7 @@ audit_worker_process_record(struct vnode *audit_vp, struct ucred *audit_cred,
 			printf("audit_worker: write error %d\n",
 			    error);
 	}
+
 	if (ar->k_ar_commit & AR_PRESELECT_PIPE)
 		audit_pipe_submit(auid, event, class, sorf,
 		    ar->k_ar_commit & AR_PRESELECT_TRAIL, bsm->data,