Date: Sat, 24 Sep 2005 17:49:26 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 84214 for review Message-ID: <200509241749.j8OHnQ1U007516@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=84214
Change 84214 by rwatson@rwatson_peppercorn on 2005/09/24 17:49:12
Add an exit token to the audit exit record, and attach the process exit status. For now, don't attach additional status information since we don't know what it should be. It may be directly derivable from the remainder of (rv) using other macros from wait.h.
Affected files ...
.. //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#17 edit
.. //depot/projects/trustedbsd/audit3/sys/kern/kern_exit.c#7 edit
.. //depot/projects/trustedbsd/audit3/sys/kern/kern_fork.c#8 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#38 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#13 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#17 (text+ko) ====
@@ -95,6 +95,7 @@
 #define ARG_PROCESS 0x0000080000000000ULL
 #define ARG_MACHPORT1 0x0000100000000000ULL
 #define ARG_MACHPORT2 0x0000200000000000ULL
+#define ARG_EXIT 0x0000400000000000ULL
 #define ARG_NONE 0x0000000000000000ULL
 #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
@@ -217,6 +218,8 @@
 void * ar_arg_svipc_addr;
 struct posix_ipc_perm ar_arg_pipc_perm;
 union auditon_udata ar_arg_auditon;
+ int ar_arg_exitstatus;
+ int ar_arg_exitretval;
 };
 /*
@@ -268,6 +271,7 @@
 */
 #ifdef AUDIT
 void audit_arg_addr(void * addr);
+void audit_arg_exit(int status, int retval);
 void audit_arg_len(int len);
 void audit_arg_fd(int fd);
 void audit_arg_fflags(int fflags);
==== //depot/projects/trustedbsd/audit3/sys/kern/kern_exit.c#7 (text+ko) ====
@@ -174,6 +174,13 @@
 PROC_UNLOCK(p);
 #ifdef AUDIT
+ /*
+ * The Sun BSM exit token contains two components: an exit status as
+ * passed to exit(), and a return value to indicate what sort of exit
+ * it was. The exit status is WEXITSTATUS(rv), but it's not clear
+ * what the return value is.
+ */
+ AUDIT_ARG(exit, WEXITSTATUS(rv), 0);
 AUDIT_SYSCALL_EXIT(0, td);
 #endif
==== //depot/projects/trustedbsd/audit3/sys/kern/kern_fork.c#8 (text+ko) ====
==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#38 (text+ko) ====
@@ -1698,6 +1698,19 @@
 }
 void
+audit_arg_exit(int status, int retval)
+{
+ struct kaudit_record *ar;
+
+ ar = currecord();
+ if (ar == NULL)
+ return;
+
+ ar->k_ar.ar_arg_exitstatus = status;
+ ar->k_ar.ar_arg_exitretval = retval;
+}
+
+void
 audit_arg_len(int len)
 {
 struct kaudit_record *ar;
==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#13 (text+ko) ====
@@ -557,9 +557,13 @@
 KPATH1_VNODE1_OR_UPATH1_TOKENS;
 break;
+ case AUE_EXIT:
+ tok = au_to_exit(ar->ar_arg_exitretval, ar->ar_arg_exitstatus);
+ kau_write(rec, tok);
+ break;
+
 case AUE_ADJTIME:
 case AUE_AUDIT:
- case AUE_EXIT:
 case AUE_GETAUDIT:
 case AUE_GETAUDIT_ADDR:
 case AUE_GETAUID:
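Review bot: In the kern_exit.c hunk, `AUDIT_ARG(exit, WEXITSTATUS(rv), 0);` records only the exit-code bits of `rv` and a constant 0 for the second field, so if `rv` is a wait-style status (as the commit message's reference to wait.h suggests) a process terminated by a signal would be logged the same way as a clean `exit(0)`. The added comment admits the return value is undecided; I would make the consequence explicit for anyone reading the trail, e.g. `/* XXX: retval is a placeholder; a signal exit (WIFSIGNALED(rv)) is logged as status 0 until this is defined. */`. The enclosing function starts and ends outside the hunk, so how `rv` is built is not visible here.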
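Review bot: `audit_arg_exit()` in the kern_audit.c hunk stores both fields but never marks them as captured, and the `ARG_EXIT` bit this change adds to audit_kernel.h is not referenced by any hunk. If the neighbouring setters record validity in the record's argument mask (their bodies are not shown), this one should do the same after the two assignments, e.g. `ARG_SET_VALID(ar, ARG_EXIT);` or the equivalent direct mask update used on this branch. The same gap shows in the kern_bsm_audit.c hunk, where `case AUE_EXIT:` emits the token unconditionally; testing the `ARG_EXIT` bit before `au_to_exit()` would keep an exit record whose argument was never captured from carrying an uninitialised or zero-filled exit token.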
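Review bot: The call `au_to_exit(ar->ar_arg_exitretval, ar->ar_arg_exitstatus)` in the kern_bsm_audit.c hunk passes the return value first, while `audit_arg_exit(int status, int retval)` introduced by the same change takes the status first; both are plain `int`, so a transposition compiles silently and swaps the two fields in the trail. A one-line comment above the call, e.g. `/* au_to_exit() takes (retval, status); order differs from audit_arg_exit(). */`, would guard against that, assuming that is au_to_exit()'s parameter order, which this page does not show. The enclosing switch starts and ends outside the hunk.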