diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index f94b7d31791b..dbea55ccbd96 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -128,6 +128,7 @@ sys_pdfork(struct thread *td, struct pdfork_args *uap)
 fr.fr_pidp = &pid;
 fr.fr_pd_fd = &fd;
 fr.fr_pd_flags = uap->flags;
+ AUDIT_ARG_FFLAGS(uap->flags);
 /*
 * It is necessary to return fd by reference because 0 is a valid file
 * descriptor number, and the child needs to be able to distinguish
@@ -909,6 +910,7 @@ fork1(struct thread *td, struct fork_req *fr)
 fr->fr_pd_flags, fr->fr_pd_fcaps);
 if (error != 0)
 goto fail2;
+ AUDIT_ARG_FD(*fr->fr_pd_fd);
 }

 mem_charged = 0;
diff --git a/sys/security/audit/audit_bsm.c b/sys/security/audit/audit_bsm.c
index 7cc99de20086..3094509dbfdd 100644
--- a/sys/security/audit/audit_bsm.c
+++ b/sys/security/audit/audit_bsm.c
@@ -1317,6 +1317,38 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 UPATH1_VNODE1_TOKENS;
 break;

+ case AUE_PDKILL:
+ if (ARG_IS_VALID(kar, ARG_FD)) {
+ tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
+ tok = au_to_arg32(2, "signal", ar->ar_arg_signum);
+ kau_write(rec, tok);
+ }
+ PROCESS_PID_TOKENS(1);
+ break;
+ case AUE_PDFORK:
+ if (ARG_IS_VALID(kar, ARG_PID)) {
+ tok = au_to_arg32(0, "child PID", ar->ar_arg_pid);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
+ tok = au_to_arg32(2, "flags", ar->ar_arg_fflags);
+ kau_write(rec, tok);
+ }
+ if (ARG_IS_VALID(kar, ARG_FD)) {
+ tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+ kau_write(rec, tok);
+ }
+ break;
+ case AUE_PDGETPID:
+ if (ARG_IS_VALID(kar, ARG_FD)) {
+ tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+ kau_write(rec, tok);
+ }
+ break;
+
 case AUE_PROCCTL:
 if (ARG_IS_VALID(kar, ARG_VALUE)) {
 tok = au_to_arg32(1, "idtype", ar->ar_arg_value);
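Review bot: `AUDIT_ARG_FFLAGS(uap->flags)` in sys_pdfork stores the pdfork(2) flag word in the audit slot otherwise used for open-style file flags, and nothing at the call site says so. I would add `/* pdfork flags (PD_*) are carried in the fflags audit argument; AUE_PDFORK emits them as "flags". */` above the call so a later reader does not interpret the value as O_* bits. The value is recorded as supplied by the caller, before any validation visible in this hunk, which is what an audit trail wants but is worth stating. sys_pdfork's body starts and ends outside the hunk.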
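Review bot: The descriptor recorded by `AUDIT_ARG_FD(*fr->fr_pd_fd)` in fork1 stays in the audit record even if the fork fails on a later path, so the record for a failed pdfork can name a descriptor the caller never received. That is acceptable as long as trail consumers read it together with the return token, but it deserves a comment such as `/* Audit the new procdesc fd; it is only known once procdesc_falloc() succeeds. */`. The enclosing block and the rest of fork1 are outside the hunk, so the existence of later failure paths is inferred from the `fail2` label rather than visible here.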
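Review bot: In the AUE_PDFORK case the tokens are written as argument 0, then 2 ("flags"), then 1 ("fd"), so the record lists the arguments out of order; moving the `ARG_FD` block above the `ARG_FFLAGS` block keeps the trail in argument order without changing any token. In AUE_PDKILL, `au_to_arg32(1, "fd", ...)` and `PROCESS_PID_TOKENS(1)` both use argument number 1; if the macro falls back to an arg token for the pid (its definition is outside this diff), the record would hold two different arg-1 tokens, so a short comment saying the process is the one resolved from the descriptor in argument 1 would help. Nothing in this diff sets ARG_PID for pdfork or ARG_FD/ARG_SIGNUM for pdkill and pdgetpid; presumably the syscall paths already do, but that should be confirmed, otherwise these `ARG_IS_VALID` branches never fire. kaudit_to_bsm continues outside the hunk.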
@@ -1747,6 +1779,8 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 break;

 case AUE_THR_NEW:
+ case AUE_THR_KILL:
+ case AUE_THR_EXIT:
 break;

 case AUE_NULL:
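Review bot: `case AUE_THR_KILL:` and `case AUE_THR_EXIT:` fall through to the bare `break` shared with AUE_THR_NEW, so their records carry no argument tokens; for thr_kill that means neither the thread id nor the signal reaches the trail. If that is deliberate, say so with a comment such as `/* No argument tokens are emitted for these thread events. */`. If the thr_kill syscall path records a signal (not visible in this diff), an `ARG_SIGNUM` token like the one in the AUE_PDKILL case would make the record useful for reconstructing who signalled what.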