Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/audit/audit.h2
-rw-r--r--sys/security/audit/audit_arg.c4
-rw-r--r--sys/security/audit/audit_bsm.c3
-rw-r--r--sys/security/audit/audit_private.h1
-rw-r--r--sys/security/audit/bsm_token.c16
-rw-r--r--sys/security/mac/mac_syscalls.c6
6 files changed, 25 insertions, 7 deletions
diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h
index dd55875..559d571 100644
--- a/sys/security/audit/audit.h
+++ b/sys/security/audit/audit.h
@@ -114,7 +114,7 @@ void audit_arg_auditon(union auditon_udata *udata);
void audit_arg_file(struct proc *p, struct file *fp);
void audit_arg_argv(char *argv, int argc, int length);
void audit_arg_envv(char *envv, int envc, int length);
-void audit_arg_rights(cap_rights_t rights);
+void audit_arg_rights(cap_rights_t *rightsp);
void audit_arg_fcntl_rights(uint32_t fcntlrights);
void audit_sysclose(struct thread *td, int fd);
void audit_cred_copy(struct ucred *src, struct ucred *dest);
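Review bot: The new `audit_arg_rights` prototype takes a mutable pointer although the definition in the audit_arg.c hunk only reads `*rightsp`; declaring it `void audit_arg_rights(const cap_rights_t *rightsp);` (with the definition matched) records that the callee never modifies the caller's rights set and lets callers pass const data. The same applies to `au_to_rights(cap_rights_t *rightsp)` in the bsm_token.c hunk, which likewise only reads `rightsp->cr_rights`. Callers are presumably expected to pass the result of `cap_rights_init()`, so a non-NULL pointer is implied but nowhere stated; a one-line comment above the prototype, `/* rightsp must be non-NULL; the rights set is copied, not retained. */`, would capture that contract.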
diff --git a/sys/security/audit/audit_arg.c b/sys/security/audit/audit_arg.c
index 4927be0..2e86842 100644
--- a/sys/security/audit/audit_arg.c
+++ b/sys/security/audit/audit_arg.c
@@ -861,7 +861,7 @@ audit_arg_envv(char *envv, int envc, int length)
}
void
-audit_arg_rights(cap_rights_t rights)
+audit_arg_rights(cap_rights_t *rightsp)
{
struct kaudit_record *ar;
@@ -869,7 +869,7 @@ audit_arg_rights(cap_rights_t rights)
if (ar == NULL)
return;
- ar->k_ar.ar_arg_rights = rights;
+ ar->k_ar.ar_arg_rights = *rightsp;
ARG_SET_VALID(ar, ARG_RIGHTS);
}
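Review bot: `ar->k_ar.ar_arg_rights = *rightsp;` dereferences the new pointer argument unconditionally, whereas the function previously took the rights by value and could not receive NULL. The first lines of audit_arg_rights, including the lookup that sets `ar`, lie between this hunk and the previous one. If the intended contract is that callers always pass the pointer returned by `cap_rights_init()`, a `KASSERT(rightsp != NULL, ("%s: NULL rightsp", __func__));` at the top of the function makes that explicit and fails loudly in debug kernels instead of faulting inside the audit path.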
diff --git a/sys/security/audit/audit_bsm.c b/sys/security/audit/audit_bsm.c
index 03b3c23..9f29ece 100644
--- a/sys/security/audit/audit_bsm.c
+++ b/sys/security/audit/audit_bsm.c
@@ -1611,14 +1611,13 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
}
break;
- case AUE_CAP_NEW:
case AUE_CAP_RIGHTS_LIMIT:
/*
* XXXRW/XXXJA: Would be nice to audit socket/etc information.
*/
FD_VNODE1_TOKENS;
if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
- tok = au_to_arg64(2, "rights", ar->ar_arg_rights);
+ tok = au_to_rights(&ar->ar_arg_rights);
kau_write(rec, tok);
}
break;
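Review bot: Dropping `case AUE_CAP_NEW:` means any record still tagged with that event no longer reaches this rights-token code; whether the event is still generated anywhere cannot be seen from this hunk, so confirm it is retired or remapped rather than silently falling to the switch's default handling. Replacing `au_to_arg64(2, "rights", ...)` with `au_to_rights()` also changes the on-trail encoding of AUE_CAP_RIGHTS_LIMIT records from a standard arg64 token to the new AUT_RIGHTS token, so trail consumers (praudit and any external parser) need the matching token definition before upgraded kernels are deployed; a short comment at this case, `/* AUT_RIGHTS token: one 64-bit word per cr_rights element, no arg64 wrapper. */`, would make the format change visible to the next reader. The enclosing switch in kaudit_to_bsm starts and ends outside the hunk.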
diff --git a/sys/security/audit/audit_private.h b/sys/security/audit/audit_private.h
index e23ba08..b5c373a 100644
--- a/sys/security/audit/audit_private.h
+++ b/sys/security/audit/audit_private.h
@@ -41,6 +41,7 @@
#error "no user-serviceable parts inside"
#endif
+#include <sys/caprights.h>
#include <sys/ipc.h>
#include <sys/socket.h>
#include <sys/ucred.h>
diff --git a/sys/security/audit/bsm_token.c b/sys/security/audit/bsm_token.c
index 6d0d67f..763d597 100644
--- a/sys/security/audit/bsm_token.c
+++ b/sys/security/audit/bsm_token.c
@@ -835,6 +835,22 @@ au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
tid));
}
+token_t *
+au_to_rights(cap_rights_t *rightsp)
+{
+ token_t *t;
+ u_char *dptr;
+ int i;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(*rightsp));
+
+ ADD_U_CHAR(dptr, AUT_RIGHTS);
+ for (i = 0; i < nitems(rightsp->cr_rights); i++)
+ ADD_U_INT64(dptr, rightsp->cr_rights[i]);
+
+ return (t);
+}
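Review bot: `GET_TOKEN_AREA` sizes the token as `sizeof(u_char) + sizeof(*rightsp)`, but the loop emits `nitems(rightsp->cr_rights)` words via `ADD_U_INT64`, so the two agree only if cap_rights_t consists exactly of that array of 64-bit elements with no other members or padding; a `CTASSERT(sizeof(cap_rights_t) == sizeof(((cap_rights_t *)0)->cr_rights));` beside the function pins that assumption, and the loop index should be `u_int` or `size_t` rather than `int` to match the unsigned result of `nitems()`. The token carries no element count, so its on-trail size is fixed by the kernel's cap_rights_t layout; if that array length ever changes, existing parsers will misread every following token, which is worth stating explicitly. Like the neighbouring token constructors, the function should be preceded by a layout comment of the form `token ID 1 byte` / `rights nitems(cr_rights) * 8 bytes`, so the wire format is documented where it is produced.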
+
/*
* token ID 1 byte
* error status 1 byte
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index ff55ec9..6405586 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -229,6 +229,7 @@ sys___mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
struct vnode *vp;
struct pipe *pipe;
struct socket *so;
+ cap_rights_t rights;
short label_type;
int error;
@@ -248,7 +249,7 @@ sys___mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = fget(td, uap->fd, CAP_MAC_GET, &fp);
+ error = fget(td, uap->fd, cap_rights_init(&rights, CAP_MAC_GET), &fp);
if (error)
goto out;
@@ -425,6 +426,7 @@ sys___mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
struct mount *mp;
struct vnode *vp;
struct mac mac;
+ cap_rights_t rights;
char *buffer;
int error;
@@ -443,7 +445,7 @@ sys___mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
return (error);
}
- error = fget(td, uap->fd, CAP_MAC_SET, &fp);
+ error = fget(td, uap->fd, cap_rights_init(&rights, CAP_MAC_SET), &fp);
if (error)
goto out;