From 21e3bcee4378f043e902dc1bab9ac2915235f40a Mon Sep 17 00:00:00 2001
From: rwatson
Date: Tue, 28 Jul 2009 21:39:58 +0000
Subject: Audit file descriptors passed to fooat(2) system calls, which are used instead of the root/current working directory as the starting point for lookups. Up to two such descriptors can be audited. Add audit record BSM encoding for fooat(2).
Note: due to an error in the OpenBSM 1.1p1 configuration file, a further change is required to that file in order to fix openat(2) auditing.
Approved by: re (kib)
Reviewed by: rdivacky (fooat(2) portions)
Obtained from: TrustedBSD Project
MFC after: 1 month
---
 sys/security/audit/audit.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
 (limited to 'sys/security/audit/audit.c')
diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c
index 1967e05..40daaa9 100644
--- a/sys/security/audit/audit.c
+++ b/sys/security/audit/audit.c
@@ -409,17 +409,22 @@ audit_commit(struct kaudit_record *ar, int error, int retval)
 else
 sorf = AU_PRS_SUCCESS;

+ /*
+ * syscalls.master sometimes contains a prototype event number, which
+ * we will transform into a more specific event number now that we
+ * have more complete information gathered during the system call.
+ */
 switch(ar->k_ar.ar_event) {
 case AUE_OPEN_RWTC:
- /*
- * The open syscall always writes a AUE_OPEN_RWTC event;
- * change it to the proper type of event based on the flags
- * and the error value.
- */
 ar->k_ar.ar_event = audit_flags_and_error_to_openevent(
 ar->k_ar.ar_arg_fflags, error);
 break;

+ case AUE_OPENAT_RWTC:
+ ar->k_ar.ar_event = audit_flags_and_error_to_openatevent(
+ ar->k_ar.ar_arg_fflags, error);
+ break;
+
 case AUE_SYSCTL:
 ar->k_ar.ar_event = audit_ctlname_to_sysctlevent(
 ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg);
--
cgit v1.1
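Review bot: The new `AUE_OPENAT_RWTC` case derives the final event from `ar->k_ar.ar_arg_fflags` without consulting whether the flags were actually captured for this record, unlike the `AUE_SYSCTL` case directly below it, which hands `ar->k_ar.ar_valid_arg` to its helper. If openat(2) can reach audit_commit() before the flags are recorded (not visible in this hunk), the record would be classified from a zero or leftover value, and a misclassified event may be matched against the wrong preselection class or appear in the trail as a different kind of open than the one attempted. If the invariant does hold, a comment on the case would make it reviewable, e.g. `/* ar_arg_fflags is always recorded by the openat(2) path before commit. */`; otherwise the case should check the valid-argument mask before mapping. The existing `AUE_OPEN_RWTC` case has the same shape, and the relocated comment no longer says that the mapping depends on the flags and the error value; audit_commit() begins and ends outside the hunk.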