diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c index 0677fae89ff4..7913f43f78af 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -442,6 +442,7 @@ freebsd32_execve(struct thread *td, struct freebsd32_execve_args *uap) if (error == 0) error = kern_execve(td, &eargs, NULL, oldvmspace); post_execve(td, error, oldvmspace); + AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); return (error); } @@ -462,6 +463,7 @@ freebsd32_fexecve(struct thread *td, struct freebsd32_fexecve_args *uap) error = kern_execve(td, &eargs, NULL, oldvmspace); } post_execve(td, error, oldvmspace); + AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); return (error); } diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index c6c2f058a714..d4452fe2a401 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -225,6 +225,7 @@ sys_execve(struct thread *td, struct execve_args *uap) if (error == 0) error = kern_execve(td, &args, NULL, oldvmspace); post_execve(td, error, oldvmspace); + AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); return (error); } @@ -252,6 +253,7 @@ sys_fexecve(struct thread *td, struct fexecve_args *uap) error = kern_execve(td, &args, NULL, oldvmspace); } post_execve(td, error, oldvmspace); + AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); return (error); } @@ -280,6 +282,7 @@ sys___mac_execve(struct thread *td, struct __mac_execve_args *uap) if (error == 0) error = kern_execve(td, &args, uap->mac_p, oldvmspace); post_execve(td, error, oldvmspace); + AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td); return (error); #else return (ENOSYS); diff --git a/sys/kern/subr_syscall.c b/sys/kern/subr_syscall.c index 5ed9a402caad..381756b37323 100644 --- a/sys/kern/subr_syscall.c +++ b/sys/kern/subr_syscall.c @@ -154,7 +154,18 @@ syscallenter(struct thread *td) td->td_pflags &= ~TDP_NERRNO; else td->td_errno = error; + + /* + * Note that some syscall implementations (e.g., sys_execve) + * will commit the audit record just before their final return. + * These were done under the assumption that nothing of interest + * would happen between their return and here, where we would + * normally commit the audit record. These assumptions will + * need to be revisited should any substantial logic be added + * above. + */ AUDIT_SYSCALL_EXIT(error, td); + #ifdef KDTRACE_HOOKS /* Give the syscall:::return DTrace probe a chance to fire. */ if (__predict_false(sa->callp->sy_return != 0))