diff --git a/sys/security/audit/audit.c b/sys/security/audit/audit.c index 4ea76c66f9a5..b46c02c3cdcd 100644 --- a/sys/security/audit/audit.c +++ b/sys/security/audit/audit.c @@ -492,6 +492,8 @@ audit_syscall_enter(unsigned short code, struct thread *td) au_id_t auid; KASSERT(td->td_ar == NULL, ("audit_syscall_enter: td->td_ar != NULL")); + KASSERT((td->td_pflags & TDP_AUDITREC) == 0, + ("audit_syscall_enter: TDP_AUDITREC set")); /* * In FreeBSD, each ABI has its own system call table, and hence @@ -542,9 +544,13 @@ audit_syscall_enter(unsigned short code, struct thread *td) panic("audit_failing_stop: thread continued"); } td->td_ar = audit_new(event, td); - } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) + if (td->td_ar != NULL) + td->td_pflags |= TDP_AUDITREC; + } else if (audit_pipe_preselect(auid, event, class, AU_PRS_BOTH, 0)) { td->td_ar = audit_new(event, td); - else + if (td->td_ar != NULL) + td->td_pflags |= TDP_AUDITREC; + } else td->td_ar = NULL; } @@ -572,6 +578,7 @@ audit_syscall_exit(int error, struct thread *td) audit_commit(td->td_ar, error, retval); td->td_ar = NULL; + td->td_pflags &= ~TDP_AUDITREC; } void @@ -626,6 +633,8 @@ audit_thread_free(struct thread *td) { KASSERT(td->td_ar == NULL, ("audit_thread_free: td_ar != NULL")); + KASSERT((td->td_pflags & TDP_AUDITREC) == 0, + ("audit_thread_free: TDP_AUDITREC set")); } void diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h index 227d2dce3368..5ba2aee5dc42 100644 --- a/sys/security/audit/audit.h +++ b/sys/security/audit/audit.h @@ -186,7 +186,7 @@ void audit_thread_free(struct thread *td); * audit_enabled flag before performing the actual call. */ #define AUDIT_ARG(op, args...) do { \ - if (td->td_ar != NULL) \ + if (td->td_pflags & TDP_AUDITREC) \ audit_arg_ ## op (args); \ } while (0) 
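Review bot: The rule that TDP_AUDITREC is set exactly when td->td_ar is non-NULL is now maintained by hand in both branches of the `@@ -542,9 +544,13 @@` hunk in audit_syscall_enter(), and again in audit() in audit_syscalls.c, while AUDIT_ARG() and AUDIT_SYSCALL_EXIT() test only the flag. If any assignment to td_ar outside these hunks misses the flag update, the record would presumably never reach audit_commit() and the event would be missing from the trail; the added KASSERTs catch that only on kernels built with assertions enabled. I would state the rule once next to the first assignment, e.g. `/* TDP_AUDITREC must be set iff td_ar != NULL; AUDIT_ARG() and AUDIT_SYSCALL_EXIT() test only the flag. */`, or fold the repeated audit_new() call plus flag update into one static helper. The function body continues outside the hunk.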
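Review bot: The comment kept as context above AUDIT_ARG() in the `@@ -186,7 +186,7 @@` hunk of audit.h still says the macro checks the audit_enabled flag, but the new condition is `td->td_pflags & TDP_AUDITREC`. The comment should say that the call is made only when the current thread has an audit record pending, for example `* TDP_AUDITREC thread flag before performing the actual call.` The macro also takes `td` from the caller's scope rather than as a parameter, which deserves a sentence in the same comment. The comment starts outside the hunk.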
@@ -202,7 +202,7 @@ void audit_thread_free(struct thread *td); * auditing is disabled, so we don't just check audit_enabled here. */ #define AUDIT_SYSCALL_EXIT(error, td) do { \ - if (td->td_ar != NULL) \ + if (td->td_pflags & TDP_AUDITREC) \ audit_syscall_exit(error, td); \ } while (0) @@ -210,7 +210,7 @@ void audit_thread_free(struct thread *td); * A Macro to wrap the audit_sysclose() function. */ #define AUDIT_SYSCLOSE(td, fd) do { \ - if (audit_enabled) \ + if (td->td_pflags & TDP_AUDITREC) \ audit_sysclose(td, fd); \ } while (0) diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c index b70b10d6898d..7ca797ddf612 100644 --- a/sys/security/audit/audit_syscalls.c +++ b/sys/security/audit/audit_syscalls.c @@ -96,6 +96,7 @@ audit(struct thread *td, struct audit_args *uap) td->td_ar = audit_new(AUE_NULL, td); if (td->td_ar == NULL) return (ENOTSUP); + td->td_pflags |= TDP_AUDITREC; ar = td->td_ar; } diff --git a/sys/sys/proc.h b/sys/sys/proc.h index c592aaf20d27..3c3a5789d8ed 100644 --- a/sys/sys/proc.h +++ b/sys/sys/proc.h @@ -368,6 +368,7 @@ do { \ #define TDP_KTHREAD 0x00200000 /* This is an official kernel thread */ #define TDP_CALLCHAIN 0x00400000 /* Capture thread's callchain */ #define TDP_IGNSUSP 0x00800000 /* Permission to ignore the MNTK_SUSPEND* */ +#define TDP_AUDITREC 0x01000000 /* Audit record pending on thread */ /* * Reasons that the current thread can not be run yet.
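Review bot: AUDIT_SYSCLOSE() in the `@@ -210,7 +210,7 @@` hunk changes its guard from the global `audit_enabled` to the per-thread flag, which is a change of condition rather than the like-for-like substitution made in the other two macros, and its comment does not mention the guard at all. I would extend that comment to say that audit_sysclose() is called only when a record is pending on `td`, so a reader knows the close is not recorded otherwise. In this macro and in AUDIT_SYSCALL_EXIT() (`@@ -202,7 +202,7 @@`), `td` is a macro parameter used unparenthesised; `if ((td)->td_pflags & TDP_AUDITREC)` is the safer spelling.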