PERFORCE change 84214 for review

Robert Watson rwatson at FreeBSD.org
Sat Sep 24 17:49:26 GMT 2005


http://perforce.freebsd.org/chv.cgi?CH=84214

Change 84214 by rwatson at rwatson_peppercorn on 2005/09/24 17:49:12

	Add an exit token to the audit exit record, and attach the process
	exit status.  For now, don't attach additional status information
	since we don't know what it should be.  It may be directly
	derivable from the remainder of (rv) using other macros from wait.h.

Affected files ...

.. //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#17 edit
.. //depot/projects/trustedbsd/audit3/sys/kern/kern_exit.c#7 edit
.. //depot/projects/trustedbsd/audit3/sys/kern/kern_fork.c#8 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#38 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#13 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/sys/bsm/audit_kernel.h#17 (text+ko) ====

@@ -95,6 +95,7 @@
 #define ARG_PROCESS		0x0000080000000000ULL
 #define ARG_MACHPORT1		0x0000100000000000ULL
 #define ARG_MACHPORT2		0x0000200000000000ULL
+#define	ARG_EXIT		0x0000400000000000ULL
 #define ARG_NONE		0x0000000000000000ULL
 #define ARG_ALL			0xFFFFFFFFFFFFFFFFULL
 
@@ -217,6 +218,8 @@
 	void *				ar_arg_svipc_addr;
 	struct posix_ipc_perm		ar_arg_pipc_perm;
 	union auditon_udata		ar_arg_auditon;
+	int				ar_arg_exitstatus;
+	int				ar_arg_exitretval;
 };
 
 /*
@@ -268,6 +271,7 @@
  */
 #ifdef AUDIT
 void			 audit_arg_addr(void * addr);
+void			 audit_arg_exit(int status, int retval);
 void			 audit_arg_len(int len);
 void			 audit_arg_fd(int fd);
 void			 audit_arg_fflags(int fflags);

==== //depot/projects/trustedbsd/audit3/sys/kern/kern_exit.c#7 (text+ko) ====

@@ -174,6 +174,13 @@
 	PROC_UNLOCK(p);
 
 #ifdef AUDIT
+	/*
+	 * The Sun BSM exit token contains two components: an exit status as
+	 * passed to exit(), and a return value to indicate what sort of exit
+	 * it was.  The exit status is WEXITSTATUS(rv), but it's not clear
+	 * what the return value is.
+	 */
+	AUDIT_ARG(exit, WEXITSTATUS(rv), 0);
 	AUDIT_SYSCALL_EXIT(0, td);
 #endif
 
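Review bot: The value passed as the exit status in the `AUDIT_ARG(exit, WEXITSTATUS(rv), 0)` call will read as 0 for a process terminated by a signal, if `rv` carries the wait-style encoding that the use of `WEXITSTATUS()` implies. With the second field hard-wired to 0, such a record cannot be told apart from a clean `exit(0)` in the audit trail. Until the return-value semantics are settled, the comment should say so explicitly, for example by adding `Note: a signal-terminated process currently audits as status 0, retval 0.` The enclosing function starts and ends outside this hunk, so how `rv` is built by its callers should be confirmed.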

==== //depot/projects/trustedbsd/audit3/sys/kern/kern_fork.c#8 (text+ko) ====


==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#38 (text+ko) ====

@@ -1698,6 +1698,19 @@
 }
 
 void
+audit_arg_exit(int status, int retval)
+{
+	struct kaudit_record *ar;
+
+	ar = currecord();
+	if (ar == NULL)
+		return;
+
+	ar->k_ar.ar_arg_exitstatus = status;
+	ar->k_ar.ar_arg_exitretval = retval;
+}
+
+void
 audit_arg_len(int len)
 {
 	struct kaudit_record *ar;
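Review bot: `audit_arg_exit()` stores both fields but never marks the new `ARG_EXIT` flag as valid, so the flag defined in audit_kernel.h is unused by this change. The other `audit_arg_*` setters presumably end with an `ARG_SET_VALID()` call (their bodies are outside this hunk); adding `ARG_SET_VALID(ar, ARG_EXIT);` after the two assignments would keep this one consistent. The same gap shows in the kern_bsm_audit.c hunk, where `case AUE_EXIT:` writes the token unconditionally. Guarding that with `if (ARG_IS_VALID(kar, ARG_EXIT))`, using whatever name the record pointer has there, would avoid emitting an exit token built from fields that were never set.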

==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_bsm_audit.c#13 (text+ko) ====

@@ -557,9 +557,13 @@
 		KPATH1_VNODE1_OR_UPATH1_TOKENS;
 		break;
 
+	case AUE_EXIT:
+		tok = au_to_exit(ar->ar_arg_exitretval, ar->ar_arg_exitstatus);
+		kau_write(rec, tok);
+		break;
+
 	case AUE_ADJTIME:
 	case AUE_AUDIT:
-	case AUE_EXIT:
 	case AUE_GETAUDIT:
 	case AUE_GETAUDIT_ADDR:
 	case AUE_GETAUID:
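Review bot: The `au_to_exit(ar->ar_arg_exitretval, ar->ar_arg_exitstatus)` call passes the return value first, while `audit_arg_exit(int status, int retval)` takes the status first, and nothing at the call site explains the swap. A one-line comment above the call, such as `/* au_to_exit() takes (retval, status), the reverse of audit_arg_exit(). */`, would stop a later edit from "fixing" the order and silently transposing the two fields in every exit record. The order `au_to_exit()` actually expects should be confirmed against its prototype, which is not visible here. The enclosing switch continues outside this hunk.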