Hook up audit to fork() and exit() events. These changes manage the

audit state on processes, not auditing of these events. Much work by: wsalamon Obtained from: TrustedBSD Project
svn path=/head/; revision=155198
2006-02-02 01:32:58 +00:00 · 2006-02-02 01:32:58 +00:00 · fcf7f27a36 · 2020-12-20 02:59:44 +00:00
commit fcf7f27a36
parent 2d61cce037
2 changed files with 16 additions and 1 deletions
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@ -72,6 +72,8 @@ __FBSDID("$FreeBSD$");
 #include <sys/ktrace.h>
 #endif

+#include <security/audit/audit.h>
+
 #include <vm/vm.h>
 #include <vm/vm_extern.h>
 #include <vm/vm_param.h>
@ -826,6 +828,9 @@ kern_wait(struct thread *td, pid_t pid, int *status, int options,
 			vm_waitproc(p);
 #ifdef MAC
 			mac_destroy_proc(p);
+#endif
+#ifdef AUDIT
+			audit_proc_free(p);
 #endif
 			KASSERT(FIRST_THREAD_IN_PROC(p),
 			    ("kern_wait: no residual thread!"));
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@ -66,6 +66,8 @@ __FBSDID("$FreeBSD$");
 #include <sys/sx.h>
 #include <sys/signalvar.h>

+#include <security/audit/audit.h>
+
 #include <vm/vm.h>
 #include <vm/pmap.h>
 #include <vm/vm_map.h>
@ -270,6 +272,9 @@ fork1(td, flags, pages, procp)
 	newproc = uma_zalloc(proc_zone, M_WAITOK);
 #ifdef MAC
 	mac_init_proc(newproc);
+#endif
+#ifdef AUDIT
+	audit_proc_alloc(newproc);
 #endif
 	knlist_init(&newproc->p_klist, &newproc->p_mtx, NULL, NULL, NULL);
 	STAILQ_INIT(&newproc->p_ktr);
@ -492,7 +497,9 @@ fork1(td, flags, pages, procp)
 	mtx_unlock_spin(&sched_lock);
 	p2->p_ucred = crhold(td->td_ucred);
 	td2->td_ucred = crhold(p2->p_ucred);	/* XXXKSE */
-
+#ifdef AUDIT
+	audit_proc_fork(p1, p2);
+#endif
 	pargs_hold(p2->p_args);

 	if (flags & RFSIGSHARE) {
@ -730,6 +737,9 @@ fork1(td, flags, pages, procp)
 	sx_xunlock(&allproc_lock);
 #ifdef MAC
 	mac_destroy_proc(newproc);
+#endif
+#ifdef AUDIT
+	audit_proc_free(newproc);
 #endif
 	uma_zfree(proc_zone, newproc);
 	if (p1->p_flag & P_HADTHREADS) {