Provide ability to audit cap_rights_t arguments.

We wish to be able to audit capability rights arguments; this code
provides the necessary infrastructure.

This commit does not, of itself, turn on such auditing for any
system call; that should follow shortly.

Approved by: mentor (rwatson), re (Capsicum blanket)
Sponsored by: Google Inc

sys/security/audit/audit.h

@@ -114,6 +114,7 @@ void	 audit_arg_auditon(union auditon_udata *udata);
 void	 audit_arg_file(struct proc *p, struct file *fp);
 void	 audit_arg_argv(char *argv, int argc, int length);
 void	 audit_arg_envv(char *envv, int envc, int length);
+void	 audit_arg_rights(cap_rights_t rights);
 void	 audit_sysclose(struct thread *td, int fd);
 void	 audit_cred_copy(struct ucred *src, struct ucred *dest);
 void	 audit_cred_destroy(struct ucred *cred);
@@ -235,6 +236,11 @@ void	 audit_thread_free(struct thread *td);
 		audit_arg_rgid((rgid));					\
 } while (0)
 
+#define	AUDIT_ARG_RIGHTS(rights) do {					\
+	if (AUDITING_TD(curthread))					\
+		audit_arg_rights((rights));				\
+} while (0)
+
 #define	AUDIT_ARG_RUID(ruid) do {					\
 	if (AUDITING_TD(curthread))					\
 		audit_arg_ruid((ruid));					\
@@ -342,6 +348,7 @@ void	 audit_thread_free(struct thread *td);
 #define	AUDIT_ARG_PID(pid)
 #define	AUDIT_ARG_PROCESS(p)
 #define	AUDIT_ARG_RGID(rgid)
+#define	AUDIT_ARG_RIGHTS(rights)
 #define	AUDIT_ARG_RUID(ruid)
 #define	AUDIT_ARG_SIGNUM(signum)
 #define	AUDIT_ARG_SGID(sgid)

sys/security/audit/audit_arg.c

@@ -865,6 +865,19 @@ audit_arg_envv(char *envv, int envc, int length)
 	ARG_SET_VALID(ar, ARG_ENVV);
 }
 
+void
+audit_arg_rights(cap_rights_t rights)
+{
+	struct kaudit_record *ar;
+
+	ar = currecord();
+	if (ar == NULL)
+		return;
+
+	ar->k_ar.ar_arg_rights = rights;
+	ARG_SET_VALID(ar, ARG_RIGHTS);
+}
+
 /*
  * The close() system call uses it's own audit call to capture the path/vnode
  * information because those pieces are not easily obtained within the system

sys/security/audit/audit_bsm.c

@@ -1589,6 +1589,28 @@ kaudit_to_bsm(struct kaudit_record *kar, struct au_record **pau)
 		}
 		break;
 
+	case AUE_CAP_NEW:
+		/*
+		 * XXXRW/XXXJA: Would be nice to audit socket/etc information.
+		 */
+		FD_VNODE1_TOKENS;
+		if (ARG_IS_VALID(kar, ARG_RIGHTS)) {
+			tok = au_to_arg64(2, "rights", ar->ar_arg_rights);
+			kau_write(rec, tok);
+		}
+		break;
+
+	case AUE_CAP_GETRIGHTS:
+		if (ARG_IS_VALID(kar, ARG_FD)) {
+			tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
+			kau_write(rec, tok);
+		}
+		break;
+
+	case AUE_CAP_ENTER:
+	case AUE_CAP_GETMODE:
+		break;
+
 	case AUE_NULL:
 	default:
 		printf("BSM conversion requested for unknown event %d\n",

sys/security/audit/audit_private.h

@@ -229,6 +229,7 @@ struct audit_record {
 	int			ar_arg_exitstatus;
 	int			ar_arg_exitretval;
 	struct sockaddr_storage ar_arg_sockaddr;
+	cap_rights_t		ar_arg_rights;
 };
 
 /*
@@ -288,6 +289,7 @@ struct audit_record {
 #define	ARG_ENVV		0x0002000000000000ULL
 #define	ARG_ATFD1		0x0004000000000000ULL
 #define	ARG_ATFD2		0x0008000000000000ULL
+#define	ARG_RIGHTS		0x0010000000000000ULL
 #define	ARG_NONE		0x0000000000000000ULL
 #define	ARG_ALL			0xFFFFFFFFFFFFFFFFULL