| audit.c (09c817ba36db7c3a4ff5e25ac55816ca181a403d) | audit.c (e4b4bbb665e36adb8e79b1c5c7946be0ba80b9f1) |
|---|---|
| 1/*- 2 * Copyright (c) 1999-2005 Apple Inc. 3 * Copyright (c) 2006-2007 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: --- 395 unchanged lines hidden (view full) --- 404 else 405 aumask = &ar->k_ar.ar_subj_amask; 406 407 if (error) 408 sorf = AU_PRS_FAILURE; 409 else 410 sorf = AU_PRS_SUCCESS; 411 | 1/*- 2 * Copyright (c) 1999-2005 Apple Inc. 3 * Copyright (c) 2006-2007 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: --- 395 unchanged lines hidden (view full) --- 404 else 405 aumask = &ar->k_ar.ar_subj_amask; 406 407 if (error) 408 sorf = AU_PRS_FAILURE; 409 else 410 sorf = AU_PRS_SUCCESS; 411 |
| 412 /* 413 * syscalls.master sometimes contains a prototype event number, which 414 * we will transform into a more specific event number now that we 415 * have more complete information gathered during the system call. 416 */ |
|
| 412 switch(ar->k_ar.ar_event) { 413 case AUE_OPEN_RWTC: | 417 switch(ar->k_ar.ar_event) { 418 case AUE_OPEN_RWTC: |
| 414 /* 415 * The open syscall always writes a AUE_OPEN_RWTC event; 416 * change it to the proper type of event based on the flags 417 * and the error value. 418 */ | |
| 419 ar->k_ar.ar_event = audit_flags_and_error_to_openevent( 420 ar->k_ar.ar_arg_fflags, error); 421 break; 422 | 419 ar->k_ar.ar_event = audit_flags_and_error_to_openevent( 420 ar->k_ar.ar_arg_fflags, error); 421 break; 422 |
| 423 case AUE_OPENAT_RWTC: 424 ar->k_ar.ar_event = audit_flags_and_error_to_openatevent( 425 ar->k_ar.ar_arg_fflags, error); 426 break; 427 |
|
| 423 case AUE_SYSCTL: 424 ar->k_ar.ar_event = audit_ctlname_to_sysctlevent( 425 ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); 426 break; 427 428 case AUE_AUDITON: 429 /* Convert the auditon() command to an event. */ 430 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd); --- 265 unchanged lines hidden --- | 428 case AUE_SYSCTL: 429 ar->k_ar.ar_event = audit_ctlname_to_sysctlevent( 430 ar->k_ar.ar_arg_ctlname, ar->k_ar.ar_valid_arg); 431 break; 432 433 case AUE_AUDITON: 434 /* Convert the auditon() command to an event. */ 435 ar->k_ar.ar_event = auditon_command_event(ar->k_ar.ar_arg_cmd); --- 265 unchanged lines hidden --- |