6 files changed, 258 insertions, 173 deletions
diff --git a/contrib/openbsm/bsm/audit.h b/contrib/openbsm/bsm/audit.h
index 1d05625..d67b853 100644
--- a/contrib/openbsm/bsm/audit.h
+++ b/contrib/openbsm/bsm/audit.h
@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#16 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#19 $
  */
 
 #ifndef _BSM_AUDIT_H
@@ -38,11 +38,12 @@
 
 #define	AUDIT_RECORD_MAGIC	0x828a0f1b
 #define	MAX_AUDIT_RECORDS	20
-#define	MAX_AUDIT_RECORD_SIZE	4096
+#define	MAXAUDITDATA		(0x8000 - 1)
+#define	MAX_AUDIT_RECORD_SIZE	MAXAUDITDATA
 #define	MIN_AUDIT_FILE_SIZE	(512 * 1024)
 
 /*
- * Triggers for the audit daemon
+ * Triggers for the audit daemon.
  */
 #define	AUDIT_TRIGGER_MIN		1
 #define	AUDIT_TRIGGER_LOW_SPACE		1
@@ -53,7 +54,8 @@
 #define	AUDIT_TRIGGER_MAX		5
 
 /*
- * File that will be read for trigger events from the kernel
+ * Special file that will be read for trigger events from the kernel
+ * (FreeBSD).
  */
 #define	AUDIT_TRIGGER_FILE	"/dev/audit"
 
@@ -101,7 +103,7 @@
 #define	AU_ALL		0xffffffff
 
 /*
- * IPC types
+ * IPC types.
  */
 #define	AT_IPC_MSG	((u_char)1)	/* Message IPC id. */
 #define	AT_IPC_SEM	((u_char)2)	/* Semaphore IPC id. */
@@ -150,16 +152,19 @@
 #define	AUDIT_AHLT	0x0002
 #define	AUDIT_ARGV	0x0004
 #define	AUDIT_ARGE	0x0008
-#define	AUDIT_PASSWD	0x0010
-#define	AUDIT_SEQ	0x0020
-#define	AUDIT_WINDATA	0x0040
-#define	AUDIT_USER	0x0080
-#define	AUDIT_GROUP	0x0100
-#define	AUDIT_TRAIL	0x0200
-#define	AUDIT_PATH	0x0400
+#define	AUDIT_SEQ	0x0010
+#define	AUDIT_WINDATA	0x0020
+#define	AUDIT_USER	0x0040
+#define	AUDIT_GROUP	0x0080
+#define	AUDIT_TRAIL	0x0100
+#define	AUDIT_PATH	0x0200
+#define	AUDIT_SCNT	0x0400
+#define	AUDIT_PUBLIC	0x0800
+#define	AUDIT_ZONENAME	0x1000
+#define	AUDIT_PERZONE	0x2000
 
 /*
- * Audit queue control parameters
+ * Audit queue control parameters.
  */
 #define	AQ_HIWATER	100
 #define	AQ_MAXHIGH	10000
diff --git a/contrib/openbsm/bsm/audit_filter.h b/contrib/openbsm/bsm/audit_filter.h
index 5b7dd4f..8a548f7 100644
--- a/contrib/openbsm/bsm/audit_filter.h
+++ b/contrib/openbsm/bsm/audit_filter.h
@@ -25,7 +25,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#2 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_filter.h#4 $
  */
 
 #ifndef _BSM_AUDIT_FILTER_H_
@@ -38,22 +38,28 @@
  * audit_filter_reinit_t - arguments to module have changed
  * audit_filter_record_t - present parsed record to filter module, with
  *                         receipt time
- * audit_filter_bsmrecord_t - present bsm format record to filter module,
+ * audit_filter_rawrecord_t - present BSM format record to filter module,
  *                            with receipt time
  * audit_filter_destach_t - filter module is being detached
  *
  * There may be many instances of the same filter, identified by the instance
  * void pointer maintained by the filter instance.
  */
-typedef int (*audit_filter_attach_t)(void **instance, int argc, char *argv[]);
+typedef int (*audit_filter_attach_t)(void *instance, int argc, char *argv[]);
 typedef int (*audit_filter_reinit_t)(void *instance, int argc, char *argv[]);
 typedef void (*audit_filter_record_t)(void *instance, struct timespec *ts,
 	    int token_count, const tokenstr_t tok[]);
-typedef void (*audit_filter_bsmrecord_t)(void *instance, struct timespec *ts,
+typedef void (*audit_filter_rawrecord_t)(void *instance, struct timespec *ts,
 	    void *data, u_int len);
 typedef void (*audit_filter_detach_t)(void *instance);
 
 /*
+ * APIs that may be called by audit filters.
+ */
+void	audit_filter_getcookie(void *instance, void **cookie);
+void	audit_filter_setcookie(void *instance, void *cookie);
+
+/*
  * Values to be returned by audit_filter_init_t.
  */
 #define	AUDIT_FILTER_SUCCESS	(0)
@@ -66,12 +72,12 @@ typedef void (*audit_filter_detach_t)(void *instance);
 #define	AUDIT_FILTER_ATTACH	audit_filter_attach
 #define	AUDIT_FILTER_REINIT	audit_filter_reinit
 #define	AUDIT_FILTER_RECORD	audit_filter_record
-#define	AUDIT_FILTER_BSMRECORD	audit_filter_bsmrecord
+#define	AUDIT_FILTER_RAWRECORD	audit_filter_rawrecord
 #define	AUDIT_FILTER_DETACH	audit_filter_detach
 #define	AUDIT_FILTER_ATTACH_STRING	"audit_filter_attach"
 #define	AUDIT_FILTER_REINIT_STRING	"audit_filter_reinit"
 #define	AUDIT_FILTER_RECORD_STRING	"audit_filter_record"
-#define	AUDIT_FILTER_BSMRECORD_STRING	"audit_filter_bsmrecord"
+#define	AUDIT_FILTER_RAWRECORD_STRING	"audit_filter_rawrecord"
 #define	AUDIT_FILTER_DETACH_STRING	"audit_filter_detach"
 
 #endif /* !_BSM_AUDIT_FILTER_H_ */
diff --git a/contrib/openbsm/bsm/audit_internal.h b/contrib/openbsm/bsm/audit_internal.h
index 00f44bf..97bafca 100644
--- a/contrib/openbsm/bsm/audit_internal.h
+++ b/contrib/openbsm/bsm/audit_internal.h
@@ -34,7 +34,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#13 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#14 $
  */
 
 #ifndef _AUDIT_INTERNAL_H
@@ -68,15 +68,15 @@ struct au_record {
 typedef	struct au_record	au_record_t;
 
 
-/* We could determined the header and trailer sizes by
- * defining appropriate structures. We hold off that approach
- * till we have a consistant way of using structures for all tokens.
- * This is not straightforward since these token structures may
- * contain pointers of whose contents we dont know the size
- * (e.g text tokens)
+/*
+ * We could determined the header and trailer sizes by defining appropriate
+ * structures.  We hold off that approach until we have a consistant way of
+ * using structures for all tokens.  This is not straightforward since these
+ * token structures may contain pointers of whose contents we dont know the
+ * size (e.g text tokens).
  */
-#define	BSM_HEADER_SIZE		18
-#define	BSM_TRAILER_SIZE	7
+#define	AUDIT_HEADER_SIZE	18
+#define	AUDIT_TRAILER_SIZE	7
 
 /*
  * BSM token streams store fields in big endian byte order, so as to be
diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h
index b323692..cd55883 100644
--- a/contrib/openbsm/bsm/audit_kevents.h
+++ b/contrib/openbsm/bsm/audit_kevents.h
@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#38 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#40 $
  */
 
 #ifndef _BSM_AUDIT_KEVENTS_H_
@@ -273,134 +273,200 @@
 #define	AUE_NTP_ADJTIME		288
 
 /*
- * Events not present in OpenSolaris BSM, generally derived from Apple Darwin
- * BSM or added in OpenBSM.  This start a little too close to the top end of
- * the OpenSolaris event list for my comfort.
+ * Events added for Apple Darwin that potentially collide with future Solaris
+ * BSM events.  These are assigned AUE_DARWIN prefixes, and are deprecated in
+ * new trails.  Systems generating these events should switch to the new
+ * identifiers that avoid colliding with the Solaris identifier space.
  */
-#define	AUE_GETFSSTAT		301
-#define	AUE_PTRACE		302
-#define	AUE_CHFLAGS		303
-#define	AUE_FCHFLAGS		304
-#define	AUE_PROFILE		305
-#define	AUE_KTRACE		306
-#define	AUE_SETLOGIN		307
+#define	AUE_DARWIN_GETFSSTAT	301
+#define	AUE_DARWIN_PTRACE	302
+#define	AUE_DARWIN_CHFLAGS	303
+#define	AUE_DARWIN_FCHFLAGS	304
+#define	AUE_DARWIN_PROFILE	305
+#define	AUE_DARWIN_KTRACE	306
+#define	AUE_DARWIN_SETLOGIN	307
 #define	AUE_DARWIN_REBOOT	308	/* XXX: See AUE_REBOOT. */
-#define	AUE_REVOKE		309
-#define	AUE_UMASK		310
-#define	AUE_MPROTECT		311
+#define	AUE_DARWIN_REVOKE	309
+#define	AUE_DARWIN_UMASK	310
+#define	AUE_DARWIN_MPROTECT	311
 #define	AUE_DARWIN_SETPRIORITY	312	/* XXX: See AUE_SETPRIORITY. */
 #define	AUE_DARWIN_SETTIMEOFDAY	313	/* XXX: See AUE_SETTIMEOFDAY. */
 #define	AUE_DARWIN_FLOCK	314	/* XXX: See AUE_FLOCK. */
-#define	AUE_MKFIFO		315
-#define	AUE_POLL		316
+#define	AUE_DARWIN_MKFIFO	315
+#define	AUE_DARWIN_POLL		316
 #define	AUE_DARWIN_SOCKETPAIR	317	/* XXXRW: See AUE_SOCKETPAIR. */
-#define	AUE_FUTIMES		318
-#define	AUE_SETSID		319
-#define	AUE_SETPRIVEXEC		320	/* Darwin-specific. */
+#define	AUE_DARWIN_FUTIMES	318
+#define	AUE_DARWIN_SETSID	319
+#define	AUE_DARWIN_SETPRIVEXEC	320	/* Darwin-specific. */
 #define	AUE_DARWIN_NFSSVC	321	/* XXX: See AUE_NFS_SVC. */
 #define	AUE_DARWIN_GETFH	322	/* XXX: See AUE_NFS_GETFH. */
 #define	AUE_DARWIN_QUOTACTL	323	/* XXX: See AUE_QUOTACTL. */
-#define	AUE_ADDPROFILE		324	/* Darwin-specific. */
-#define	AUE_KDEBUGTRACE		325	/* Darwin-specific. */
-#define	AUE_KDBUGTRACE		AUE_KDEBUGTRACE
-#define	AUE_FSTAT		326
-#define	AUE_FPATHCONF		327
-#define	AUE_GETDIRENTRIES	328
+#define	AUE_DARWIN_ADDPROFILE	324	/* Darwin-specific. */
+#define	AUE_DARWIN_KDEBUGTRACE	325	/* Darwin-specific. */
+#define	AUE_DARWIN_KDBUGTRACE	AUE_KDEBUGTRACE
+#define	AUE_DARWIN_FSTAT	326
+#define	AUE_DARWIN_FPATHCONF	327
+#define	AUE_DARWIN_GETDIRENTRIES	328
 #define	AUE_DARWIN_TRUNCATE	329	/* XXX: See AUE_TRUNCATE. */
 #define	AUE_DARWIN_FTRUNCATE	330	/* XXX: See AUE_FTRUNCATE. */
-#define	AUE_SYSCTL		331
-#define	AUE_MLOCK		332
-#define	AUE_MUNLOCK		333
-#define	AUE_UNDELETE		334
-#define	AUE_GETATTRLIST		335	/* Darwin-specific. */
-#define	AUE_SETATTRLIST		336	/* Darwin-specific. */
-#define	AUE_GETDIRENTRIESATTR	337	/* Darwin-specific. */
-#define	AUE_EXCHANGEDATA	338	/* Darwin-specific. */
-#define	AUE_SEARCHFS		339	/* Darwin-specific. */
-#define	AUE_MINHERIT		340
-#define	AUE_SEMCONFIG		341
-#define	AUE_SEMOPEN		342
-#define	AUE_SEMCLOSE		343
-#define	AUE_SEMUNLINK		344
-#define	AUE_SHMOPEN		345
-#define	AUE_SHMUNLINK		346
-#define	AUE_LOADSHFILE		347	/* Darwin-specific. */
-#define	AUE_RESETSHFILE		348	/* Darwin-specific. */
-#define	AUE_NEWSYSTEMSHREG	349	/* Darwin-specific. */
-#define	AUE_PTHREADKILL		350	/* Darwin-specific. */
-#define	AUE_PTHREADSIGMASK	351	/* Darwin-specific. */
-#define	AUE_AUDITCTL		352
-#define	AUE_RFORK		353
-#define	AUE_LCHMOD		354
-#define	AUE_SWAPOFF		355
-#define	AUE_INITPROCESS		356	/* Darwin-specific. */
-#define	AUE_MAPFD		357	/* Darwin-specific. */
-#define	AUE_TASKFORPID		358	/* Darwin-specific. */
-#define	AUE_PIDFORTASK		359	/* Darwin-specific. */
-#define	AUE_SYSCTL_NONADMIN	360
-#define	AUE_COPYFILE		361	/* Darwin-specific. */
-#define	AUE_LUTIMES		362
-#define	AUE_LCHFLAGS		363	/* FreeBSD-specific. */
-#define	AUE_SENDFILE		364	/* BSD/Linux-specific. */
-#define	AUE_USELIB		365	/* Linux-specific. */
-#define	AUE_GETRESUID		366
-#define	AUE_SETRESUID		367
-#define	AUE_GETRESGID		368
-#define	AUE_SETRESGID		369
-#define	AUE_WAIT4		370	/* FreeBSD-specific. */
-#define	AUE_LGETFH		371	/* FreeBSD-specific. */
-#define	AUE_FHSTATFS		372	/* FreeBSD-specific. */
-#define	AUE_FHOPEN		373	/* FreeBSD-specific. */
-#define	AUE_FHSTAT		374	/* FreeBSD-specific. */
-#define	AUE_JAIL		375	/* FreeBSD-specific. */
-#define	AUE_EACCESS		376	/* FreeBSD-specific. */
-#define	AUE_KQUEUE		377	/* FreeBSD-specific. */
-#define	AUE_KEVENT		378	/* FreeBSD-specific. */
-#define	AUE_FSYNC		379
-#define	AUE_NMOUNT		380	/* FreeBSD-specific. */
-#define	AUE_BDFLUSH		381	/* Linux-specific. */
-#define	AUE_SETFSUID		382	/* Linux-specific. */
-#define	AUE_SETFSGID		383	/* Linux-specific. */
-#define	AUE_PERSONALITY		384	/* Linux-specific. */
-#define	AUE_SCHED_GETSCHEDULER	385	/* POSIX.1b. */
-#define	AUE_SCHED_SETSCHEDULER	386	/* POSIX.1b. */
-#define	AUE_PRCTL		387	/* Linux-specific. */
-#define	AUE_GETCWD		388	/* FreeBSD/Linux-specific. */
-#define	AUE_CAPGET		389	/* Linux-specific. */
-#define	AUE_CAPSET		390	/* Linux-specific. */
-#define	AUE_PIVOT_ROOT		391	/* Linux-specific. */
-#define	AUE_RTPRIO		392	/* FreeBSD-specific. */
-#define	AUE_SCHED_GETPARAM	393	/* POSIX.1b. */
-#define	AUE_SCHED_SETPARAM	394	/* POSIX.1b. */
-#define	AUE_SCHED_GET_PRIORITY_MAX	395	/* POSIX.1b. */
-#define	AUE_SCHED_GET_PRIORITY_MIN	396	/* POSIX.1b. */
-#define	AUE_SCHED_RR_GET_INTERVAL	397	/* POSIX.1b. */
-#define	AUE_ACL_GET_FILE		398	/* FreeBSD. */
-#define	AUE_ACL_SET_FILE		399	/* FreeBSD. */
-#define	AUE_ACL_GET_FD			400	/* FreeBSD. */
-#define	AUE_ACL_SET_FD			401	/* FreeBSD. */
-#define	AUE_ACL_DELETE_FILE		402	/* FreeBSD. */
-#define	AUE_ACL_DELETE_FD		403	/* FreeBSD. */
-#define	AUE_ACL_CHECK_FILE		404	/* FreeBSD. */
-#define	AUE_ACL_CHECK_FD		405	/* FreeBSD. */
-#define	AUE_ACL_GET_LINK		406	/* FreeBSD. */
-#define	AUE_ACL_SET_LINK		407	/* FreeBSD. */
-#define	AUE_ACL_DELETE_LINK		408	/* FreeBSD. */
-#define	AUE_ACL_CHECK_LINK		409	/* FreeBSD. */
-#define	AUE_SYSARCH			410	/* FreeBSD. */
-#define	AUE_EXTATTRCTL			411	/* FreeBSD. */
-#define	AUE_EXTATTR_GET_FILE		412	/* FreeBSD. */
-#define	AUE_EXTATTR_SET_FILE		413	/* FreeBSD. */
-#define	AUE_EXTATTR_LIST_FILE		414	/* FreeBSD. */
-#define	AUE_EXTATTR_DELETE_FILE		415	/* FreeBSD. */
-#define	AUE_EXTATTR_GET_FD		416	/* FreeBSD. */
-#define	AUE_EXTATTR_SET_FD		417	/* FreeBSD. */
-#define	AUE_EXTATTR_LIST_FD		418	/* FreeBSD. */
-#define	AUE_EXTATTR_DELETE_FD		419	/* FreeBSD. */
-#define	AUE_EXTATTR_GET_LINK		420	/* FreeBSD. */
-#define	AUE_EXTATTR_SET_LINK		421	/* FreeBSD. */
-#define	AUE_EXTATTR_LIST_LINK		422	/* FreeBSD. */
-#define	AUE_EXTATTR_DELETE_LINK		423	/* FreeBSD. */
+#define	AUE_DARWIN_SYSCTL	331
+#define	AUE_DARWIN_MLOCK	332
+#define	AUE_DARWIN_MUNLOCK	333
+#define	AUE_DARWIN_UNDELETE	334
+#define	AUE_DARWIN_GETATTRLIST	335	/* Darwin-specific. */
+#define	AUE_DARWIN_SETATTRLIST	336	/* Darwin-specific. */
+#define	AUE_DARWIN_GETDIRENTRIESATTR	337	/* Darwin-specific. */
+#define	AUE_DARWIN_EXCHANGEDATA	338	/* Darwin-specific. */
+#define	AUE_DARWIN_SEARCHFS	339	/* Darwin-specific. */
+#define	AUE_DARWIN_MINHERIT	340
+#define	AUE_DARWIN_SEMCONFIG	341
+#define	AUE_DARWIN_SEMOPEN	342
+#define	AUE_DARWIN_SEMCLOSE	343
+#define	AUE_DARWIN_SEMUNLINK	344
+#define	AUE_DARWIN_SHMOPEN	345
+#define	AUE_DARWIN_SHMUNLINK	346
+#define	AUE_DARWIN_LOADSHFILE	347	/* Darwin-specific. */
+#define	AUE_DARWIN_RESETSHFILE	348	/* Darwin-specific. */
+#define	AUE_DARWIN_NEWSYSTEMSHREG	349	/* Darwin-specific. */
+#define	AUE_DARWIN_PTHREADKILL	350	/* Darwin-specific. */
+#define	AUE_DARWIN_PTHREADSIGMASK	351	/* Darwin-specific. */
+#define	AUE_DARWIN_AUDITCTL	352
+#define	AUE_DARWIN_RFORK	353
+#define	AUE_DARWIN_LCHMOD	354
+#define	AUE_DARWIN_SWAPOFF	355
+#define	AUE_DARWIN_INITPROCESS	356	/* Darwin-specific. */
+#define	AUE_DARWIN_MAPFD	357	/* Darwin-specific. */
+#define	AUE_DARWIN_TASKFORPID	358	/* Darwin-specific. */
+#define	AUE_DARWIN_PIDFORTASK	359	/* Darwin-specific. */
+#define	AUE_DARWIN_SYSCTL_NONADMIN	360
+#define	AUE_DARWIN_COPYFILE	361	/* Darwin-specific. */
+
+/*
+ * Audit event identifiers added as part of OpenBSM, generally corresponding
+ * to events in FreeBSD, Darwin, and Linux that were not present in Solaris.
+ * These often duplicate events added to the Solaris set by Darwin, but use
+ * event identifiers in a higher range in order to avoid colliding with
+ * future Solaris additions.
+ */
+#define	AUE_GETFSSTAT		43001
+#define	AUE_PTRACE		43002
+#define	AUE_CHFLAGS		43003
+#define	AUE_FCHFLAGS		43004
+#define	AUE_PROFILE		43005
+#define	AUE_KTRACE		43006
+#define	AUE_SETLOGIN		43007
+#define	AUE_REVOKE		43008
+#define	AUE_UMASK		43009
+#define	AUE_MPROTECT		43010
+#define	AUE_MKFIFO		43011
+#define	AUE_POLL		43012
+#define	AUE_FUTIMES		43013
+#define	AUE_SETSID		43014
+#define	AUE_SETPRIVEXEC		43015	/* Darwin-specific. */
+#define	AUE_ADDPROFILE		43016	/* Darwin-specific. */
+#define	AUE_KDEBUGTRACE		43017	/* Darwin-specific. */
+#define	AUE_KDBUGTRACE		AUE_KDEBUGTRACE
+#define	AUE_FSTAT		43018
+#define	AUE_FPATHCONF		43019
+#define	AUE_GETDIRENTRIES	43020
+#define	AUE_SYSCTL		43021
+#define	AUE_MLOCK		43022
+#define	AUE_MUNLOCK		43023
+#define	AUE_UNDELETE		43024
+#define	AUE_GETATTRLIST		43025	/* Darwin-specific. */
+#define	AUE_SETATTRLIST		43026	/* Darwin-specific. */
+#define	AUE_GETDIRENTRIESATTR	43027	/* Darwin-specific. */
+#define	AUE_EXCHANGEDATA	43028	/* Darwin-specific. */
+#define	AUE_SEARCHFS		43029	/* Darwin-specific. */
+#define	AUE_MINHERIT		43030
+#define	AUE_SEMCONFIG		43031
+#define	AUE_SEMOPEN		43032
+#define	AUE_SEMCLOSE		43033
+#define	AUE_SEMUNLINK		43034
+#define	AUE_SHMOPEN		43035
+#define	AUE_SHMUNLINK		43036
+#define	AUE_LOADSHFILE		43037	/* Darwin-specific. */
+#define	AUE_RESETSHFILE		43038	/* Darwin-specific. */
+#define	AUE_NEWSYSTEMSHREG	43039	/* Darwin-specific. */
+#define	AUE_PTHREADKILL		43040	/* Darwin-specific. */
+#define	AUE_PTHREADSIGMASK	43041	/* Darwin-specific. */
+#define	AUE_AUDITCTL		43042
+#define	AUE_RFORK		43043
+#define	AUE_LCHMOD		43044
+#define	AUE_SWAPOFF		43045
+#define	AUE_INITPROCESS		43046	/* Darwin-specific. */
+#define	AUE_MAPFD		43047	/* Darwin-specific. */
+#define	AUE_TASKFORPID		43048	/* Darwin-specific. */
+#define	AUE_PIDFORTASK		43049	/* Darwin-specific. */
+#define	AUE_SYSCTL_NONADMIN	43050
+#define	AUE_COPYFILE		43051	/* Darwin-specific. */
+
+/*
+ * Events added to OpenBSM for FreeBSD and Linux; may also be used by Darwin
+ * in the future.
+ */
+#define	AUE_LUTIMES		43052
+#define	AUE_LCHFLAGS		43053	/* FreeBSD-specific. */
+#define	AUE_SENDFILE		43054	/* BSD/Linux-specific. */
+#define	AUE_USELIB		43055	/* Linux-specific. */
+#define	AUE_GETRESUID		43056
+#define	AUE_SETRESUID		43057
+#define	AUE_GETRESGID		43058
+#define	AUE_SETRESGID		43059
+#define	AUE_WAIT4		43060	/* FreeBSD-specific. */
+#define	AUE_LGETFH		43061	/* FreeBSD-specific. */
+#define	AUE_FHSTATFS		43062	/* FreeBSD-specific. */
+#define	AUE_FHOPEN		43063	/* FreeBSD-specific. */
+#define	AUE_FHSTAT		43064	/* FreeBSD-specific. */
+#define	AUE_JAIL		43065	/* FreeBSD-specific. */
+#define	AUE_EACCESS		43066	/* FreeBSD-specific. */
+#define	AUE_KQUEUE		43067	/* FreeBSD-specific. */
+#define	AUE_KEVENT		43068	/* FreeBSD-specific. */
+#define	AUE_FSYNC		43069
+#define	AUE_NMOUNT		43070	/* FreeBSD-specific. */
+#define	AUE_BDFLUSH		43071	/* Linux-specific. */
+#define	AUE_SETFSUID		43072	/* Linux-specific. */
+#define	AUE_SETFSGID		43073	/* Linux-specific. */
+#define	AUE_PERSONALITY		43074	/* Linux-specific. */
+#define	AUE_SCHED_GETSCHEDULER	43075	/* POSIX.1b. */
+#define	AUE_SCHED_SETSCHEDULER	43076	/* POSIX.1b. */
+#define	AUE_PRCTL		43077	/* Linux-specific. */
+#define	AUE_GETCWD		43078	/* FreeBSD/Linux-specific. */
+#define	AUE_CAPGET		43079	/* Linux-specific. */
+#define	AUE_CAPSET		43080	/* Linux-specific. */
+#define	AUE_PIVOT_ROOT		43081	/* Linux-specific. */
+#define	AUE_RTPRIO		43082	/* FreeBSD-specific. */
+#define	AUE_SCHED_GETPARAM	43083	/* POSIX.1b. */
+#define	AUE_SCHED_SETPARAM	43084	/* POSIX.1b. */
+#define	AUE_SCHED_GET_PRIORITY_MAX	43085	/* POSIX.1b. */
+#define	AUE_SCHED_GET_PRIORITY_MIN	43086	/* POSIX.1b. */
+#define	AUE_SCHED_RR_GET_INTERVAL	43087	/* POSIX.1b. */
+#define	AUE_ACL_GET_FILE	43088	/* FreeBSD. */
+#define	AUE_ACL_SET_FILE	43089	/* FreeBSD. */
+#define	AUE_ACL_GET_FD		43090	/* FreeBSD. */
+#define	AUE_ACL_SET_FD		43091	/* FreeBSD. */
+#define	AUE_ACL_DELETE_FILE	43092	/* FreeBSD. */
+#define	AUE_ACL_DELETE_FD	43093	/* FreeBSD. */
+#define	AUE_ACL_CHECK_FILE	43094	/* FreeBSD. */
+#define	AUE_ACL_CHECK_FD	43095	/* FreeBSD. */
+#define	AUE_ACL_GET_LINK	43096	/* FreeBSD. */
+#define	AUE_ACL_SET_LINK	43097	/* FreeBSD. */
+#define	AUE_ACL_DELETE_LINK	43098	/* FreeBSD. */
+#define	AUE_ACL_CHECK_LINK	43099	/* FreeBSD. */
+#define	AUE_SYSARCH		43100	/* FreeBSD. */
+#define	AUE_EXTATTRCTL		43101	/* FreeBSD. */
+#define	AUE_EXTATTR_GET_FILE	43102	/* FreeBSD. */
+#define	AUE_EXTATTR_SET_FILE	43103	/* FreeBSD. */
+#define	AUE_EXTATTR_LIST_FILE	43104	/* FreeBSD. */
+#define	AUE_EXTATTR_DELETE_FILE	43105	/* FreeBSD. */
+#define	AUE_EXTATTR_GET_FD	43106	/* FreeBSD. */
+#define	AUE_EXTATTR_SET_FD	43107	/* FreeBSD. */
+#define	AUE_EXTATTR_LIST_FD	43108	/* FreeBSD. */
+#define	AUE_EXTATTR_DELETE_FD	43109	/* FreeBSD. */
+#define	AUE_EXTATTR_GET_LINK	43110	/* FreeBSD. */
+#define	AUE_EXTATTR_SET_LINK	43111	/* FreeBSD. */
+#define	AUE_EXTATTR_LIST_LINK	43112	/* FreeBSD. */
+#define	AUE_EXTATTR_DELETE_LINK	43113	/* FreeBSD. */
 
 /*
  * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
diff --git a/contrib/openbsm/bsm/audit_record.h b/contrib/openbsm/bsm/audit_record.h
index f9c0288..79d13c3 100644
--- a/contrib/openbsm/bsm/audit_record.h
+++ b/contrib/openbsm/bsm/audit_record.h
@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#19 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#23 $
  */
 
 #ifndef _BSM_AUDIT_RECORD_H_
@@ -184,7 +184,7 @@
 #define AUR_CHAR        AUR_BYTE
 #define AUR_SHORT       1
 #define AUR_INT32       2
-#define AUR_INT         AUR_INT
+#define AUR_INT         AUR_INT32
 #define AUR_INT64       3
 
 /* ... and their sizes */
@@ -199,9 +199,19 @@
 #define PAD_NOTATTR  0x4000   /* nonattributable event */
 #define PAD_FAILURE  0x8000   /* fail audit event */
 
+#define AUDIT_MAX_GROUPS      16
 
-#define BSM_MAX_GROUPS      16
-#define HEADER_VERSION      1
+/*
+ * A number of BSM versions are floating around and defined.  Here are
+ * constants for them.  OpenBSM uses the same token types, etc, used in the
+ * Solaris BSM version, but has a separate version number in order to
+ * identify a potentially different event identifier name space.
+ */
+#define	AUDIT_HEADER_VERSION_OLDDARWIN	1	/* In retrospect, a mistake. */
+#define	AUDIT_HEADER_VERSION_SOLARIS	2
+#define	AUDIT_HEADER_VERSION_TSOL25	3
+#define	AUDIT_HEADER_VERSION_TSOL	4
+#define	AUDIT_HEADER_VERSION_OPENBSM	10
 
 /*
  * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we
@@ -308,8 +318,13 @@ token_t	*au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
 	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
 token_t	*au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
 	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
-token_t	*au_to_exec_args(const char **);
-token_t	*au_to_exec_env(const char **);
+#if defined(_KERNEL) || defined(KERNEL)
+token_t	*au_to_exec_args(char *args, int argc);
+token_t	*au_to_exec_env(char *envs, int envc);
+#else
+token_t	*au_to_exec_args(char **argv);
+token_t	*au_to_exec_env(char **envp);
+#endif
 token_t	*au_to_text(char *text);
 token_t	*au_to_kevent(struct kevent *kev);
 token_t	*au_to_trailer(int rec_size);
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
index 2efdace..5fea48c 100644
--- a/contrib/openbsm/bsm/libbsm.h
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -26,7 +26,7 @@
  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#21 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#27 $
  */
 
 #ifndef _LIBBSM_H_
@@ -37,8 +37,8 @@
  * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
  */
 
-#define	MAX_ARGS	10
-#define	MAX_ENV		10
+#define	AUDIT_MAX_ARGS	10
+#define	AUDIT_MAX_ENV	10
 
 #include <sys/types.h>
 #include <sys/cdefs.h>
@@ -82,11 +82,10 @@
 #define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */
 
 /*
- * These are referenced in Solaris 9 au_open(3BSM); values are guesses.
- * Provided for OpenSSH compatibility.
+ * Arguments to au_close(3).
  */
-#define	AU_TO_NO_WRITE		0
-#define	AU_TO_WRITE		1
+#define	AU_TO_NO_WRITE		0	/* Abandon audit record. */
+#define	AU_TO_WRITE		1	/* Commit audit record. */
 
 __BEGIN_DECLS
 struct au_event_ent {
@@ -138,15 +137,6 @@ __END_DECLS
 
 __BEGIN_DECLS
 
-/*
- * Internal representation of audit user in libnsl.
- */
-typedef struct au_user_str_s {
-	char	*au_name;
-	char	*au_always;
-	char	*au_never;
-} au_user_str_t;
-
 typedef struct au_tid32 {
 	u_int32_t	port;
 	u_int32_t	addr;
@@ -228,7 +218,7 @@ typedef struct {
  */
 typedef struct {
 	u_int32_t	 count;
-	char		*text[MAX_ARGS];
+	char		*text[AUDIT_MAX_ARGS];
 } au_execarg_t;
 
 /*
@@ -237,7 +227,7 @@ typedef struct {
  */
 typedef struct {
 	u_int32_t	 count;
-	char		*text[MAX_ENV];
+	char		*text[AUDIT_MAX_ENV];
 } au_execenv_t;
 
 /*
@@ -269,7 +259,7 @@ typedef struct {
  */
 typedef struct {
 	u_int16_t	no;
-	u_int32_t	list[BSM_MAX_GROUPS];
+	u_int32_t	list[AUDIT_MAX_GROUPS];
 } au_groups_t;
 
 /*
@@ -729,8 +719,6 @@ int			 au_preselect(au_event_t event, au_mask_t *mask_p,
 
 /*
  * Functions relating to querying audit event information.
- *
- * XXXRW: getauevnonam() has no _r version?
  */
 void			 setauevent(void);
 void			 endauevent(void);
@@ -770,6 +758,11 @@ void			 au_print_tok(FILE *outfp, tokenstr_t *tok,
 			    char *del, char raw, char sfrm);
 __END_DECLS
 
+/*
+ * The remaining APIs are associated with Apple's BSM implementation, in
+ * particular as relates to Mach IPC auditing and triggers passed via Mach
+ * IPC.
+ */
 #ifdef __APPLE__
 #include <sys/appleapiopts.h>