From 51d1f690696f60bb0b8483d5a51ee0b4075f92f0 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Sun, 10 Jul 2016 08:04:02 +0000
Subject: [PATCH] Audit file-descriptor arguments to I/O system calls such as read(2), write(2), dup(2), and mmap(2). This auditing is not required by the Common Criteria (and hence was not being performed), but is valuable in both contemporary live analysis and forensic use cases.
MFC after: 3 days
Sponsored by: DARPA, AFRL
---
 sys/kern/kern_descrip.c | 3 +++
 sys/kern/sys_generic.c | 3 +++
 sys/vm/vm_mmap.c | 2 ++
 3 files changed, 8 insertions(+)
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 7f0ef8dde6f2..1005830df416 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -820,6 +820,9 @@ kern_dup(struct thread *td, u_int mode, int flags, int old, int new)
 MPASS((flags & ~(FDDUP_FLAG_CLOEXEC)) == 0);
 MPASS(mode < FDDUP_LASTMODE);
+ AUDIT_ARG_FD(old);
+ /* XXXRW: if (flags & FDDUP_FIXED) AUDIT_ARG_FD2(new); */
+
 /*
 * Verify we have a valid descriptor to dup from and possibly to
 * dup to. Unlike dup() and dup2(), fcntl()'s F_DUPFD should
diff --git a/sys/kern/sys_generic.c b/sys/kern/sys_generic.c
index 75fb66efe2b7..8a77e17d035e 100644
--- a/sys/kern/sys_generic.c
+++ b/sys/kern/sys_generic.c
@@ -363,6 +363,8 @@ dofileread(td, fd, fp, auio, offset, flags)
 struct uio *ktruio = NULL;
 #endif
+ AUDIT_ARG_FD(fd);
+
 /* Finish zero length reads right here */
 if (auio->uio_resid == 0) {
 td->td_retval[0] = 0;
@@ -576,6 +578,7 @@ dofilewrite(td, fd, fp, auio, offset, flags)
 struct uio *ktruio = NULL;
 #endif
+ AUDIT_ARG_FD(fd);
 auio->uio_rw = UIO_WRITE;
 auio->uio_td = td;
 auio->uio_offset = offset;
diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c
index ca48df86c3f9..16ee7606b8b0 100644
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@@ -74,6 +74,7 @@ __FBSDID("$FreeBSD$");
 #include
 #include
+#include
 #include
 #include
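Review bot: The destination descriptor of a fixed-mode dup stays unaudited: the new `AUDIT_ARG_FD(old);` records only the source, and the commented-out XXXRW line for `new` is dead code, even though for dup2()-style calls `new` is the descriptor that gets implicitly closed and replaced, which is exactly what a forensic reconstruction of the descriptor table needs. If the second-fd argument macro named in that comment is not available yet, a plain `/* TODO: audit the destination fd when FDDUP_FIXED is set. */` says what is missing without carrying code that cannot be compiled. The audit call is deliberately placed ahead of the validation described in the comment that follows, so the caller-supplied value is recorded even when the call later fails with EBADF; a one-line comment such as `/* Audit the caller's fd before validation so failed calls are recorded too. */` would keep someone from "fixing" that by moving the call down. kern_dup continues outside the hunk.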
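Review bot: `AUDIT_ARG_FD(fd);` in dofileread() is reached only after the caller has already resolved fd into the `fp` parameter visible in the signature, so, if I read the call chain correctly, read(2) and write(2) calls that fail with EBADF never record the offending descriptor; the dofilewrite() hunk below has the same property. If attempts on bad descriptors matter for the live-analysis use case the commit message cites, the audit call belongs in the callers before the fget_read()/fget_write() lookup rather than in these helpers, and either way a comment noting that only validated descriptors are audited here would avoid a false sense of coverage. As a style point, dofilewrite() inserts the call directly against `auio->uio_rw = UIO_WRITE;` while dofileread() separates it with a blank line; adding the blank line after `AUDIT_ARG_FD(fd);` in dofilewrite() keeps the two consistent. Both helpers continue outside their hunks.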
@@ -206,6 +207,7 @@ sys_mmap(td, uap) pos = uap->pos; fp = NULL; + AUDIT_ARG_FD(uap->fd); /* * Ignore old flags that used to be defined but did not do anything.