Index: contrib/openbsm/etc/audit_event =================================================================== --- contrib/openbsm/etc/audit_event +++ contrib/openbsm/etc/audit_event @@ -614,6 +614,7 @@ 43261:AUE_LGETUUID:lgetuuid(2):ip 43262:AUE_EXECVEAT:execveat(2):pc,ex 43263:AUE_SHMRENAME:shm_rename(2):ip +43265:AUE_CLOSERANGE:close_range(2):cl # # Solaris userspace events. # Index: sys/kern/kern_descrip.c =================================================================== --- sys/kern/kern_descrip.c +++ sys/kern/kern_descrip.c @@ -1366,6 +1366,8 @@ sys_close_range(struct thread *td, struct close_range_args *uap) { + AUDIT_ARG_FD(uap->lowfd); + AUDIT_ARG_FD2(uap->highfd); /* No flags currently defined */ if (uap->flags != 0) return (EINVAL); Index: sys/security/audit/audit.h =================================================================== --- sys/security/audit/audit.h +++ sys/security/audit/audit.h @@ -91,6 +91,7 @@ void audit_arg_atfd1(int atfd); void audit_arg_atfd2(int atfd); void audit_arg_fd(int fd); +void audit_arg_fd2(int fd); void audit_arg_fflags(int fflags); void audit_arg_gid(gid_t gid); void audit_arg_uid(uid_t uid); @@ -216,6 +217,11 @@ audit_arg_fd((fd)); \ } while (0) +#define AUDIT_ARG_FD2(fd) do { \ + if (AUDITING_TD(curthread)) \ + audit_arg_fd2((fd)); \ +} while (0) + #define AUDIT_ARG_FILE(p, fp) do { \ if (AUDITING_TD(curthread)) \ audit_arg_file((p), (fp)); \ @@ -432,6 +438,7 @@ #define AUDIT_ARG_EXIT(status, retval) #define AUDIT_ARG_EUID(euid) #define AUDIT_ARG_FD(fd) +#define AUDIT_ARG_FD2(fd) #define AUDIT_ARG_FILE(p, fp) #define AUDIT_ARG_FFLAGS(fflags) #define AUDIT_ARG_GID(gid) Index: sys/security/audit/audit_arg.c =================================================================== --- sys/security/audit/audit_arg.c +++ sys/security/audit/audit_arg.c 
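Review bot: The `flags` argument is never attached to the audit record in `sys_close_range`, so a call rejected with EINVAL for a non-zero `flags` leaves a record that shows only the two descriptor bounds, and any flag defined later would be invisible in the trail. Adding `AUDIT_ARG_FFLAGS(uap->flags);` next to the two new calls (or whichever argument macro the project prefers for syscall flags) would capture it. Separately, the field types of `close_range_args` are not visible in this hunk, but `audit_arg_fd()` and `audit_arg_fd2()` both take `int`; if `lowfd`/`highfd` are unsigned, an upper bound passed as the maximum value would be logged as a negative descriptor, which deserves a comment or an explicit conversion. The function body continues outside the hunk.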
@@ -148,6 +148,19 @@ ARG_SET_VALID(ar, ARG_FD); } +void +audit_arg_fd2(int fd) +{ + struct kaudit_record *ar; + + ar = currecord(); + if (ar == NULL) + return; + + ar->k_ar.ar_arg_fd2 = fd; + ARG_SET_VALID(ar, ARG_FD2); +} + void audit_arg_fflags(int fflags) { Index: sys/security/audit/audit_bsm.c =================================================================== --- sys/security/audit/audit_bsm.c +++ sys/security/audit/audit_bsm.c @@ -942,6 +942,17 @@ } break; + case AUE_CLOSERANGE: + if (ARG_IS_VALID(kar, ARG_FD)) { + tok = au_to_arg32(1, "fd", ar->ar_arg_fd); + kau_write(rec, tok); + } + if (ARG_IS_VALID(kar, ARG_FD2)) { + tok = au_to_arg32(2, "fd", ar->ar_arg_fd2); + kau_write(rec, tok); + } + break; + case AUE_CORE: if (ARG_IS_VALID(kar, ARG_SIGNUM)) { tok = au_to_arg32(1, "signal", ar->ar_arg_signum); Index: sys/security/audit/audit_private.h =================================================================== --- sys/security/audit/audit_private.h +++ sys/security/audit/audit_private.h @@ -208,6 +208,7 @@ gid_t ar_arg_gid; struct groupset ar_arg_groups; int ar_arg_fd; + int ar_arg_fd2; int ar_arg_atfd1; int ar_arg_atfd2; int ar_arg_fflags; @@ -307,6 +308,7 @@ #define ARG_RIGHTS 0x0010000000000000ULL #define ARG_FCNTL_RIGHTS 0x0020000000000000ULL #define ARG_SVIPC_WHICH 0x0200000000000000ULL +#define ARG_FD2 0x0400000000000000ULL #define ARG_NONE 0x0000000000000000ULL #define ARG_ALL 0xFFFFFFFFFFFFFFFFULL
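Review bot: Both tokens written in the `AUE_CLOSERANGE` case carry the same text label `"fd"`, so the lower and upper bound of the range can be told apart only by the argument number. Distinct labels, for example `tok = au_to_arg32(1, "lowfd", ar->ar_arg_fd);` and `tok = au_to_arg32(2, "highfd", ar->ar_arg_fd2);`, would make the record self-describing for anyone reading the trail or matching on it. If only one of `ARG_FD`/`ARG_FD2` is valid, the record describes half a range; a short comment saying that this is intentional would help. The enclosing switch starts and ends outside the hunk.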
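Review bot: `ARG_FD2` in audit_private.h takes a new bit of the argument-validity mask, and `ar_arg_fd2` a new record field, for a value that this patch sets from only one system call. The mask is bounded at 64 bits by `ARG_ALL`, so each bit is a finite resource; the defines visible here are also not contiguous, so it is worth confirming against the full list that `0x0400000000000000ULL` is the intended next value. If the dedicated slot stays, a comment on the define such as `/* second descriptor, e.g. upper bound of close_range(2) */` would record what the bit is for.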