Page MenuHomeFreeBSD

close_range(2): finalize audit bits
Needs ReviewPublic

Authored by kevans on Apr 24 2020, 2:06 AM.

Details

Reviewers
csjp
Summary

Included here:

  • audit_event addition (whoops, need to send this upstream)
  • AUDIT_ARG_FD(*) in sys_close_range
  • Plumb the fds out in kaudit_to_bsm

Tested by make -j4 buildkernel installkernel, manually installing audit_event, reboot, fire up auditd and execute a close_range.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Unit Tests Skipped
Build Status
Buildable 30778

Event Timeline

kevans edited the summary of this revision. (Show Details)

Stab #2, now we get:

root@viper:~/grep# praudit /var/audit/current | grep -A 5 'close_range(2)'
header,90,11,close_range(2),0,Tue Apr 28 16:25:31 2020, + 582 msec
argument,1,0x6,fd
argument,2,0xffffffff,fd
subject,-1,root,0,root,0,1308,0,0,0.0.0.0
return,success,0
trailer,90
--
header,90,11,close_range(2),0,Tue Apr 28 16:30:19 2020, + 115 msec
argument,1,0x5,fd
argument,2,0x9,fd
subject,kevans,root,0,root,0,1404,1308,64348,10.0.2.2
return,success,0
trailer,90

Which lines up with:

close_range(6, ~0UL, 0);   // AKA closefrom(6)
close_range(5, 9, 0);

The upper-end is now audited successfully.