close_range: add audit support

This fixes the closefrom test in sys/audit.

Includes cherry-picks of the following commits from openbsm:

4dfc628aaf
99ff6fe32a
da48a0399e

Reviewed By:	kevans
Differential Revision: https://reviews.freebsd.org/D28388

contrib/openbsm/etc/audit_event

@@ -614,6 +614,8 @@
 43261:AUE_LGETUUID:lgetuuid(2):ip
 43262:AUE_EXECVEAT:execveat(2):pc,ex
 43263:AUE_SHMRENAME:shm_rename(2):ip
+43264:AUE_REALPATHAT:realpathat(2):fa
+43265:AUE_CLOSERANGE:close_range(2):cl
 #
 # Solaris userspace events.
 #

contrib/openbsm/sys/bsm/audit_kevents.h

@@ -653,6 +653,8 @@
 #define	AUE_LGETUUID		43261	/* CADETS. */
 #define	AUE_EXECVEAT		43262	/* FreeBSD/Linux. */
 #define	AUE_SHMRENAME		43263	/* FreeBSD-specific. */
+#define	AUE_REALPATHAT		43264	/* FreeBSD-specific. */
+#define	AUE_CLOSERANGE		43265	/* FreeBSD-specific. */
 
 /*
  * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the

sys/kern/kern_descrip.c

@@ -1422,6 +1422,10 @@ int
 sys_close_range(struct thread *td, struct close_range_args *uap)
 {
 
+	AUDIT_ARG_FD(uap->lowfd);
+	AUDIT_ARG_CMD(uap->highfd);
+	AUDIT_ARG_FFLAGS(uap->flags);
+
 	/* No flags currently defined */
 	if (uap->flags != 0)
 		return (EINVAL);

sys/security/audit/audit_bsm.c

@@ -941,6 +941,21 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 		}
 		break;
 
+	case AUE_CLOSERANGE:
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "lowfd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_CMD)) {
+			tok = au_to_arg32(2, "highfd", ar->ar_arg_cmd);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
+			tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
+			kau_write(rec, tok);
+		}
+		break;
+
 	case AUE_CORE:
 		if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
 			tok = au_to_arg32(1, "signal", ar->ar_arg_signum);

tests/sys/audit/file-close.c

@@ -154,10 +154,10 @@ ATF_TC_HEAD(closefrom_success, tc)
 
 ATF_TC_BODY(closefrom_success, tc)
 {
-	const char *regex = "closefrom.*return,success";
+	const char *regex = "close_range\\(2\\),.*,0x7fffffff,lowfd,.*"
+	    "0xffffffff,highfd,.*return,success";
 	FILE *pipefd = setup(fds, auclass);
 
-	atf_tc_expect_fail("closefrom was converted to close_range");
 	/* closefrom(2) returns 'void' */
 	closefrom(INT_MAX);
 	check_audit(fds, regex, pipefd);