close_range: add audit support

This fixes the closefrom test in sys/audit. Includes cherry-picks of the following commits from openbsm: 4dfc628aaf 99ff6fe32a da48a0399e Reviewed By: kevans Differential Revision: https://reviews.freebsd.org/D28388
2021-02-23 17:47:07 +00:00 · 2021-02-23 17:47:07 +00:00 · fa32350347
commit fa32350347
parent 3775ddcf5a
5 changed files with 25 additions and 2 deletions
--- a/contrib/openbsm/etc/audit_event
+++ b/contrib/openbsm/etc/audit_event
@ -614,6 +614,8 @@
 43261:AUE_LGETUUID:lgetuuid(2):ip
 43262:AUE_EXECVEAT:execveat(2):pc,ex
 43263:AUE_SHMRENAME:shm_rename(2):ip
+43264:AUE_REALPATHAT:realpathat(2):fa
+43265:AUE_CLOSERANGE:close_range(2):cl
 #
 # Solaris userspace events.
 #
--- a/contrib/openbsm/sys/bsm/audit_kevents.h
+++ b/contrib/openbsm/sys/bsm/audit_kevents.h
@ -653,6 +653,8 @@
 #define	AUE_LGETUUID		43261	/* CADETS. */
 #define	AUE_EXECVEAT		43262	/* FreeBSD/Linux. */
 #define	AUE_SHMRENAME		43263	/* FreeBSD-specific. */
+#define	AUE_REALPATHAT		43264	/* FreeBSD-specific. */
+#define	AUE_CLOSERANGE		43265	/* FreeBSD-specific. */

 /*
 * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@ -1422,6 +1422,10 @@ int
 sys_close_range(struct thread *td, struct close_range_args *uap)
 {

+	AUDIT_ARG_FD(uap->lowfd);
+	AUDIT_ARG_CMD(uap->highfd);
+	AUDIT_ARG_FFLAGS(uap->flags);
+
 	/* No flags currently defined */
 	if (uap->flags != 0)
 		return (EINVAL);
--- a/sys/security/audit/audit_bsm.c
+++ b/sys/security/audit/audit_bsm.c
@ -941,6 +941,21 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 		}
 		break;

+	case AUE_CLOSERANGE:
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "lowfd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_CMD)) {
+			tok = au_to_arg32(2, "highfd", ar->ar_arg_cmd);
+			kau_write(rec, tok);
+		}
+		if (ARG_IS_VALID(kar, ARG_FFLAGS)) {
+			tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
+			kau_write(rec, tok);
+		}
+		break;
+
 	case AUE_CORE:
 		if (ARG_IS_VALID(kar, ARG_SIGNUM)) {
 			tok = au_to_arg32(1, "signal", ar->ar_arg_signum);
--- a/tests/sys/audit/file-close.c
+++ b/tests/sys/audit/file-close.c
@ -154,10 +154,10 @@ ATF_TC_HEAD(closefrom_success, tc)

 ATF_TC_BODY(closefrom_success, tc)
 {
-	const char *regex = "closefrom.*return,success";
+	const char *regex = "close_range\\(2\\),.*,0x7fffffff,lowfd,.*"
+	    "0xffffffff,highfd,.*return,success";
 	FILE *pipefd = setup(fds, auclass);

-	atf_tc_expect_fail("closefrom was converted to close_range");
 	/* closefrom(2) returns 'void' */
 	closefrom(INT_MAX);
 	check_audit(fds, regex, pipefd);