Use p_cansee() to check that a target process for an audit state

manipulation is visible to the subject process.  Remove XXX comments
suggesting this.

Convert one XXX on a difference from Darwin into a note: it's not a
bug, it's a feature.

Obtained from:	TrustedBSD Project

1 files changed, 9 insertions, 3 deletions

diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index 65772a8..1059a50 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -304,9 +304,12 @@ auditon(struct thread *td, struct auditon_args *uap)
 		if (udata.au_aupinfo.ap_pid < 1)
 			return (EINVAL);
 
-		/* XXXAUDIT: p_cansee()? */
 		if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
 			return (EINVAL);
+		if (p_cansee(td, tp) != 0) {
+			PROC_UNLOCK(tp);
+			return (EINVAL);
+		}
 
 		udata.au_aupinfo.ap_auid = tp->p_au->ai_auid;
 		udata.au_aupinfo.ap_mask.am_success =
@@ -324,9 +327,12 @@ auditon(struct thread *td, struct auditon_args *uap)
 		if (udata.au_aupinfo.ap_pid < 1)
 			return (EINVAL);
 
-		/* XXXAUDIT: p_cansee()? */
 		if ((tp = pfind(udata.au_aupinfo.ap_pid)) == NULL)
 			return (EINVAL);
+		if (p_cansee(td, tp) != 0) {
+			PROC_UNLOCK(tp);
+			return (EINVAL);
+		}
 
 		tp->p_au->ai_mask.am_success =
 		    udata.au_aupinfo.ap_mask.am_success;
@@ -570,7 +576,7 @@ auditctl(struct thread *td, struct auditctl_args *uap)
 	 * validity checks, and grab another reference to the current
 	 * credential.
 	 *
-	 * XXXAUDIT: On Darwin, a NULL path is used to disable audit.
+	 * On Darwin, a NULL path argument is also used to disable audit.
 	 */
 	if (uap->path == NULL)
 		return (EINVAL);