From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 84214 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Sep 2005 17:49:27 -0000 http://perforce.freebsd.org/chv.cgi?CH=84214 Change 84214 by rwatson@rwatson_peppercorn on 2005/09/24 17:49:12 Add an exit token to the audit exit record, and attach the process exit status. For now, don't attach additional status information since we don't know what it should be. It may be directly derivable from the remainder of (rv) using other macros from wait.h. Affected files ... .. //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#17 edit .. //depot/projects/trustedbsd/audit3/sys/kern/kern_exit.c#7 edit .. //depot/projects/trustedbsd/audit3/sys/kern/kern_fork.c#8 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#38 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#13 edit Differences ... ==== //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#17 (text+ko) ==== @@ -95,6 +95,7 @@ #define ARG_PROCESS 0x0000080000000000ULL #define ARG_MACHPORT1 0x0000100000000000ULL #define ARG_MACHPORT2 0x0000200000000000ULL +#define ARG_EXIT 0x0000400000000000ULL #define ARG_NONE 0x0000000000000000ULL #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL @@ -217,6 +218,8 @@ void * ar_arg_svipc_addr; struct posix_ipc_perm ar_arg_pipc_perm; union auditon_udata ar_arg_auditon; + int ar_arg_exitstatus; + int ar_arg_exitretval; }; /* @@ -268,6 +271,7 @@ */ #ifdef AUDIT void audit_arg_addr(void * addr); +void audit_arg_exit(int status, int retval); void audit_arg_len(int len); void audit_arg_fd(int fd); void audit_arg_fflags(int fflags); ==== //depot/projects/trustedbsd/audit3/sys/kern/kern_exit.c#7 (text+ko) ==== 
@@ -174,6 +174,13 @@ PROC_UNLOCK(p); #ifdef AUDIT + /* + * The Sun BSM exit token contains two components: an exit status as + * passed to exit(), and a return value to indicate what sort of exit + * it was. The exit status is WEXITSTATUS(rv), but it's not clear + * what the return value is. + */ + AUDIT_ARG(exit, WEXITSTATUS(rv), 0); AUDIT_SYSCALL_EXIT(0, td); #endif ==== //depot/projects/trustedbsd/audit3/sys/kern/kern_fork.c#8 (text+ko) ==== ==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#38 (text+ko) ==== @@ -1698,6 +1698,19 @@ } void +audit_arg_exit(int status, int retval) +{ + struct kaudit_record *ar; + + ar = currecord(); + if (ar == NULL) + return; + + ar->k_ar.ar_arg_exitstatus = status; + ar->k_ar.ar_arg_exitretval = retval; +} + +void audit_arg_len(int len) { struct kaudit_record *ar; ==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#13 (text+ko) ==== @@ -557,9 +557,13 @@ KPATH1_VNODE1_OR_UPATH1_TOKENS; break; + case AUE_EXIT: + tok = au_to_exit(ar->ar_arg_exitretval, ar->ar_arg_exitstatus); + kau_write(rec, tok); + break; + case AUE_ADJTIME: case AUE_AUDIT: - case AUE_EXIT: case AUE_GETAUDIT: case AUE_GETAUDIT_ADDR: case AUE_GETAUID:
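Review bot: In kern_exit.c, `AUDIT_ARG(exit, WEXITSTATUS(rv), 0);` records an exit status regardless of whether rv describes a normal exit, and hard-codes the return value to 0, so the audit record cannot distinguish a clean exit(0) from other kinds of termination. WEXITSTATUS(rv) is only meaningful when WIFEXITED(rv) is true; consider testing WIFEXITED(rv)/WIFSIGNALED(rv) here and carrying WTERMSIG(rv) in the second argument, or at least tag the new comment with XXX so the placeholder 0 is easy to find later.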
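Review bot: In kern_audit.c, audit_arg_exit() stores ar_arg_exitstatus and ar_arg_exitretval but never marks them as present, although this change adds ARG_EXIT to audit_kernel.h; nothing in the visible hunks sets or tests that bit. Suggest recording ARG_EXIT as valid on the record in audit_arg_exit() and having the AUE_EXIT case in kern_bsm_audit.c check it before calling au_to_exit(), so a record on which audit_arg_exit() never ran does not emit an exit token built from fields that were never filled in.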
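Review bot: In the AUE_EXIT case in kern_bsm_audit.c, `au_to_exit(ar->ar_arg_exitretval, ar->ar_arg_exitstatus)` passes retval first and status second, the reverse of `audit_arg_exit(int status, int retval)`. If that matches au_to_exit()'s parameter order, a one-line comment saying so would keep a later edit from swapping the two values; if it does not, the token will carry the fields transposed.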