PERFORCE change 63849 for review

Robert Watson rwatson at
Wed Oct 27 21:25:18 GMT 2004

Change 63849 by rwatson at rwatson_tislabs on 2004/10/27 21:25:02

	Use the per-process system call vector rather than the global
	vector, in order to permit auditing based on per-vector audit
	event types, which may not match the global ones.  E.g., the
	FreeBSD system call number for open() is not the same as the
	Linux one.

Affected files ...

.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#12 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#12 (text+ko) ====

@@ -1361,7 +1361,17 @@
 	int audit_event;
 	struct au_mask *aumask;
-	audit_event = sysent[code].sy_auevent;
+	/*
+	 * In FreeBSD, each ABI has its own system call table, and hence
+	 * mapping of system call codes to audit events.  Convert the code to
+	 * an audit event identifier using the process system call table
+	 * reference.  In Darwin, there's only one, so we use the global
+	 * symbol for the system call table.
+	 */
+	if (code >= td->td_proc->p_sysent->sv_size)
+		return;
+	audit_event = td->td_proc->p_sysent->sv_table[code].sy_auevent;
 	if (audit_event == AUE_NULL)
To Unsubscribe: send mail to majordomo at
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list