xref: /freebsd/sys/security/audit/audit_arg.c (revision bfe691b2f75de2224c7ceb304ebcdef2b42d4179) 
1 /*
2  * Copyright (c) 1999-2005 Apple Computer, Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1.  Redistributions of source code must retain the above copyright
9  *     notice, this list of conditions and the following disclaimer.
10  * 2.  Redistributions in binary form must reproduce the above copyright
11  *     notice, this list of conditions and the following disclaimer in the
12  *     documentation and/or other materials provided with the distribution.
13  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14  *     its contributors may be used to endorse or promote products derived
15  *     from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  *
29  * $FreeBSD$
30  */
31 
32 #include <sys/param.h>
33 #include <sys/filedesc.h>
34 #include <sys/ipc.h>
35 #include <sys/mount.h>
36 #include <sys/proc.h>
37 #include <sys/socket.h>
38 #include <sys/socketvar.h>
39 #include <sys/protosw.h>
40 #include <sys/domain.h>
41 #include <sys/sbuf.h>
42 #include <sys/systm.h>
43 #include <sys/un.h>
44 #include <sys/vnode.h>
45 
46 #include <netinet/in.h>
47 #include <netinet/in_pcb.h>
48 
49 #include <security/audit/audit.h>
50 #include <security/audit/audit_private.h>
51 
52 /*
53  * Calls to manipulate elements of the audit record structure from system
54  * call code.  Macro wrappers will prevent this functions from being
55  * entered if auditing is disabled, avoiding the function call cost.  We
56  * check the thread audit record pointer anyway, as the audit condition
57  * could change, and pre-selection may not have allocated an audit
58  * record for this event.
59  *
60  * XXXAUDIT: Should we assert, in each case, that this field of the record
61  * hasn't already been filled in?
62  */
63 void
64 audit_arg_addr(void * addr)
65 {
66 	struct kaudit_record *ar;
67 
68 	ar = currecord();
69 	if (ar == NULL)
70 		return;
71 
72 	ar->k_ar.ar_arg_addr = addr;
73 	ARG_SET_VALID(ar, ARG_ADDR);
74 }
75 
76 void
77 audit_arg_exit(int status, int retval)
78 {
79 	struct kaudit_record *ar;
80 
81 	ar = currecord();
82 	if (ar == NULL)
83 		return;
84 
85 	ar->k_ar.ar_arg_exitstatus = status;
86 	ar->k_ar.ar_arg_exitretval = retval;
87 	ARG_SET_VALID(ar, ARG_EXIT);
88 }
89 
90 void
91 audit_arg_len(int len)
92 {
93 	struct kaudit_record *ar;
94 
95 	ar = currecord();
96 	if (ar == NULL)
97 		return;
98 
99 	ar->k_ar.ar_arg_len = len;
100 	ARG_SET_VALID(ar, ARG_LEN);
101 }
102 
103 void
104 audit_arg_fd(int fd)
105 {
106 	struct kaudit_record *ar;
107 
108 	ar = currecord();
109 	if (ar == NULL)
110 		return;
111 
112 	ar->k_ar.ar_arg_fd = fd;
113 	ARG_SET_VALID(ar, ARG_FD);
114 }
115 
116 void
117 audit_arg_fflags(int fflags)
118 {
119 	struct kaudit_record *ar;
120 
121 	ar = currecord();
122 	if (ar == NULL)
123 		return;
124 
125 	ar->k_ar.ar_arg_fflags = fflags;
126 	ARG_SET_VALID(ar, ARG_FFLAGS);
127 }
128 
129 void
130 audit_arg_gid(gid_t gid)
131 {
132 	struct kaudit_record *ar;
133 
134 	ar = currecord();
135 	if (ar == NULL)
136 		return;
137 
138 	ar->k_ar.ar_arg_gid = gid;
139 	ARG_SET_VALID(ar, ARG_GID);
140 }
141 
142 void
143 audit_arg_uid(uid_t uid)
144 {
145 	struct kaudit_record *ar;
146 
147 	ar = currecord();
148 	if (ar == NULL)
149 		return;
150 
151 	ar->k_ar.ar_arg_uid = uid;
152 	ARG_SET_VALID(ar, ARG_UID);
153 }
154 
155 void
156 audit_arg_egid(gid_t egid)
157 {
158 	struct kaudit_record *ar;
159 
160 	ar = currecord();
161 	if (ar == NULL)
162 		return;
163 
164 	ar->k_ar.ar_arg_egid = egid;
165 	ARG_SET_VALID(ar, ARG_EGID);
166 }
167 
168 void
169 audit_arg_euid(uid_t euid)
170 {
171 	struct kaudit_record *ar;
172 
173 	ar = currecord();
174 	if (ar == NULL)
175 		return;
176 
177 	ar->k_ar.ar_arg_euid = euid;
178 	ARG_SET_VALID(ar, ARG_EUID);
179 }
180 
181 void
182 audit_arg_rgid(gid_t rgid)
183 {
184 	struct kaudit_record *ar;
185 
186 	ar = currecord();
187 	if (ar == NULL)
188 		return;
189 
190 	ar->k_ar.ar_arg_rgid = rgid;
191 	ARG_SET_VALID(ar, ARG_RGID);
192 }
193 
194 void
195 audit_arg_ruid(uid_t ruid)
196 {
197 	struct kaudit_record *ar;
198 
199 	ar = currecord();
200 	if (ar == NULL)
201 		return;
202 
203 	ar->k_ar.ar_arg_ruid = ruid;
204 	ARG_SET_VALID(ar, ARG_RUID);
205 }
206 
207 void
208 audit_arg_sgid(gid_t sgid)
209 {
210 	struct kaudit_record *ar;
211 
212 	ar = currecord();
213 	if (ar == NULL)
214 		return;
215 
216 	ar->k_ar.ar_arg_sgid = sgid;
217 	ARG_SET_VALID(ar, ARG_SGID);
218 }
219 
220 void
221 audit_arg_suid(uid_t suid)
222 {
223 	struct kaudit_record *ar;
224 
225 	ar = currecord();
226 	if (ar == NULL)
227 		return;
228 
229 	ar->k_ar.ar_arg_suid = suid;
230 	ARG_SET_VALID(ar, ARG_SUID);
231 }
232 
233 void
234 audit_arg_groupset(gid_t *gidset, u_int gidset_size)
235 {
236 	int i;
237 	struct kaudit_record *ar;
238 
239 	ar = currecord();
240 	if (ar == NULL)
241 		return;
242 
243 	for (i = 0; i < gidset_size; i++)
244 		ar->k_ar.ar_arg_groups.gidset[i] = gidset[i];
245 	ar->k_ar.ar_arg_groups.gidset_size = gidset_size;
246 	ARG_SET_VALID(ar, ARG_GROUPSET);
247 }
248 
249 void
250 audit_arg_login(char *login)
251 {
252 	struct kaudit_record *ar;
253 
254 	ar = currecord();
255 	if (ar == NULL)
256 		return;
257 
258 	strlcpy(ar->k_ar.ar_arg_login, login, MAXLOGNAME);
259 	ARG_SET_VALID(ar, ARG_LOGIN);
260 }
261 
262 void
263 audit_arg_ctlname(int *name, int namelen)
264 {
265 	struct kaudit_record *ar;
266 
267 	ar = currecord();
268 	if (ar == NULL)
269 		return;
270 
271 	bcopy(name, &ar->k_ar.ar_arg_ctlname, namelen * sizeof(int));
272 	ar->k_ar.ar_arg_len = namelen;
273 	ARG_SET_VALID(ar, ARG_CTLNAME | ARG_LEN);
274 }
275 
276 void
277 audit_arg_mask(int mask)
278 {
279 	struct kaudit_record *ar;
280 
281 	ar = currecord();
282 	if (ar == NULL)
283 		return;
284 
285 	ar->k_ar.ar_arg_mask = mask;
286 	ARG_SET_VALID(ar, ARG_MASK);
287 }
288 
289 void
290 audit_arg_mode(mode_t mode)
291 {
292 	struct kaudit_record *ar;
293 
294 	ar = currecord();
295 	if (ar == NULL)
296 		return;
297 
298 	ar->k_ar.ar_arg_mode = mode;
299 	ARG_SET_VALID(ar, ARG_MODE);
300 }
301 
302 void
303 audit_arg_dev(int dev)
304 {
305 	struct kaudit_record *ar;
306 
307 	ar = currecord();
308 	if (ar == NULL)
309 		return;
310 
311 	ar->k_ar.ar_arg_dev = dev;
312 	ARG_SET_VALID(ar, ARG_DEV);
313 }
314 
315 void
316 audit_arg_value(long value)
317 {
318 	struct kaudit_record *ar;
319 
320 	ar = currecord();
321 	if (ar == NULL)
322 		return;
323 
324 	ar->k_ar.ar_arg_value = value;
325 	ARG_SET_VALID(ar, ARG_VALUE);
326 }
327 
328 void
329 audit_arg_owner(uid_t uid, gid_t gid)
330 {
331 	struct kaudit_record *ar;
332 
333 	ar = currecord();
334 	if (ar == NULL)
335 		return;
336 
337 	ar->k_ar.ar_arg_uid = uid;
338 	ar->k_ar.ar_arg_gid = gid;
339 	ARG_SET_VALID(ar, ARG_UID | ARG_GID);
340 }
341 
342 void
343 audit_arg_pid(pid_t pid)
344 {
345 	struct kaudit_record *ar;
346 
347 	ar = currecord();
348 	if (ar == NULL)
349 		return;
350 
351 	ar->k_ar.ar_arg_pid = pid;
352 	ARG_SET_VALID(ar, ARG_PID);
353 }
354 
355 void
356 audit_arg_process(struct proc *p)
357 {
358 	struct kaudit_record *ar;
359 
360 	KASSERT(p != NULL, ("audit_arg_process: p == NULL"));
361 
362 	PROC_LOCK_ASSERT(p, MA_OWNED);
363 
364 	ar = currecord();
365 	if (ar == NULL)
366 		return;
367 
368 	ar->k_ar.ar_arg_auid = p->p_au->ai_auid;
369 	ar->k_ar.ar_arg_euid = p->p_ucred->cr_uid;
370 	ar->k_ar.ar_arg_egid = p->p_ucred->cr_groups[0];
371 	ar->k_ar.ar_arg_ruid = p->p_ucred->cr_ruid;
372 	ar->k_ar.ar_arg_rgid = p->p_ucred->cr_rgid;
373 	ar->k_ar.ar_arg_asid = p->p_au->ai_asid;
374 	ar->k_ar.ar_arg_termid = p->p_au->ai_termid;
375 	ar->k_ar.ar_arg_pid = p->p_pid;
376 	ARG_SET_VALID(ar, ARG_AUID | ARG_EUID | ARG_EGID | ARG_RUID |
377 	    ARG_RGID | ARG_ASID | ARG_TERMID | ARG_PID | ARG_PROCESS);
378 }
379 
380 void
381 audit_arg_signum(u_int signum)
382 {
383 	struct kaudit_record *ar;
384 
385 	ar = currecord();
386 	if (ar == NULL)
387 		return;
388 
389 	ar->k_ar.ar_arg_signum = signum;
390 	ARG_SET_VALID(ar, ARG_SIGNUM);
391 }
392 
393 void
394 audit_arg_socket(int sodomain, int sotype, int soprotocol)
395 {
396 	struct kaudit_record *ar;
397 
398 	ar = currecord();
399 	if (ar == NULL)
400 		return;
401 
402 	ar->k_ar.ar_arg_sockinfo.so_domain = sodomain;
403 	ar->k_ar.ar_arg_sockinfo.so_type = sotype;
404 	ar->k_ar.ar_arg_sockinfo.so_protocol = soprotocol;
405 	ARG_SET_VALID(ar, ARG_SOCKINFO);
406 }
407 
408 void
409 audit_arg_sockaddr(struct thread *td, struct sockaddr *sa)
410 {
411 	struct kaudit_record *ar;
412 
413 	KASSERT(td != NULL, ("audit_arg_sockaddr: td == NULL"));
414 	KASSERT(sa != NULL, ("audit_arg_sockaddr: sa == NULL"));
415 
416 	ar = currecord();
417 	if (ar == NULL)
418 		return;
419 
420 	bcopy(sa, &ar->k_ar.ar_arg_sockaddr, sa->sa_len);
421 	switch (sa->sa_family) {
422 	case AF_INET:
423 		ARG_SET_VALID(ar, ARG_SADDRINET);
424 		break;
425 
426 	case AF_INET6:
427 		ARG_SET_VALID(ar, ARG_SADDRINET6);
428 		break;
429 
430 	case AF_UNIX:
431 		audit_arg_upath(td, ((struct sockaddr_un *)sa)->sun_path,
432 				ARG_UPATH1);
433 		ARG_SET_VALID(ar, ARG_SADDRUNIX);
434 		break;
435 	/* XXXAUDIT: default:? */
436 	}
437 }
438 
439 void
440 audit_arg_auid(uid_t auid)
441 {
442 	struct kaudit_record *ar;
443 
444 	ar = currecord();
445 	if (ar == NULL)
446 		return;
447 
448 	ar->k_ar.ar_arg_auid = auid;
449 	ARG_SET_VALID(ar, ARG_AUID);
450 }
451 
452 void
453 audit_arg_auditinfo(struct auditinfo *au_info)
454 {
455 	struct kaudit_record *ar;
456 
457 	ar = currecord();
458 	if (ar == NULL)
459 		return;
460 
461 	ar->k_ar.ar_arg_auid = au_info->ai_auid;
462 	ar->k_ar.ar_arg_asid = au_info->ai_asid;
463 	ar->k_ar.ar_arg_amask.am_success = au_info->ai_mask.am_success;
464 	ar->k_ar.ar_arg_amask.am_failure = au_info->ai_mask.am_failure;
465 	ar->k_ar.ar_arg_termid.port = au_info->ai_termid.port;
466 	ar->k_ar.ar_arg_termid.machine = au_info->ai_termid.machine;
467 	ARG_SET_VALID(ar, ARG_AUID | ARG_ASID | ARG_AMASK | ARG_TERMID);
468 }
469 
470 void
471 audit_arg_text(char *text)
472 {
473 	struct kaudit_record *ar;
474 
475 	KASSERT(text != NULL, ("audit_arg_text: text == NULL"));
476 
477 	ar = currecord();
478 	if (ar == NULL)
479 		return;
480 
481 	/* Invalidate the text string */
482 	ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_TEXT);
483 
484 	if (ar->k_ar.ar_arg_text == NULL)
485 		ar->k_ar.ar_arg_text = malloc(MAXPATHLEN, M_AUDITTEXT,
486 		    M_WAITOK);
487 
488 	strncpy(ar->k_ar.ar_arg_text, text, MAXPATHLEN);
489 	ARG_SET_VALID(ar, ARG_TEXT);
490 }
491 
492 void
493 audit_arg_cmd(int cmd)
494 {
495 	struct kaudit_record *ar;
496 
497 	ar = currecord();
498 	if (ar == NULL)
499 		return;
500 
501 	ar->k_ar.ar_arg_cmd = cmd;
502 	ARG_SET_VALID(ar, ARG_CMD);
503 }
504 
505 void
506 audit_arg_svipc_cmd(int cmd)
507 {
508 	struct kaudit_record *ar;
509 
510 	ar = currecord();
511 	if (ar == NULL)
512 		return;
513 
514 	ar->k_ar.ar_arg_svipc_cmd = cmd;
515 	ARG_SET_VALID(ar, ARG_SVIPC_CMD);
516 }
517 
518 void
519 audit_arg_svipc_perm(struct ipc_perm *perm)
520 {
521 	struct kaudit_record *ar;
522 
523 	ar = currecord();
524 	if (ar == NULL)
525 		return;
526 
527 	bcopy(perm, &ar->k_ar.ar_arg_svipc_perm,
528 	    sizeof(ar->k_ar.ar_arg_svipc_perm));
529 	ARG_SET_VALID(ar, ARG_SVIPC_PERM);
530 }
531 
532 void
533 audit_arg_svipc_id(int id)
534 {
535 	struct kaudit_record *ar;
536 
537 	ar = currecord();
538 	if (ar == NULL)
539 		return;
540 
541 	ar->k_ar.ar_arg_svipc_id = id;
542 	ARG_SET_VALID(ar, ARG_SVIPC_ID);
543 }
544 
545 void
546 audit_arg_svipc_addr(void * addr)
547 {
548 	struct kaudit_record *ar;
549 
550 	ar = currecord();
551 	if (ar == NULL)
552 		return;
553 
554 	ar->k_ar.ar_arg_svipc_addr = addr;
555 	ARG_SET_VALID(ar, ARG_SVIPC_ADDR);
556 }
557 
558 void
559 audit_arg_posix_ipc_perm(uid_t uid, gid_t gid, mode_t mode)
560 {
561 	struct kaudit_record *ar;
562 
563 	ar = currecord();
564 	if (ar == NULL)
565 		return;
566 
567 	ar->k_ar.ar_arg_pipc_perm.pipc_uid = uid;
568 	ar->k_ar.ar_arg_pipc_perm.pipc_gid = gid;
569 	ar->k_ar.ar_arg_pipc_perm.pipc_mode = mode;
570 	ARG_SET_VALID(ar, ARG_POSIX_IPC_PERM);
571 }
572 
573 void
574 audit_arg_auditon(union auditon_udata *udata)
575 {
576 	struct kaudit_record *ar;
577 
578 	ar = currecord();
579 	if (ar == NULL)
580 		return;
581 
582 	bcopy((void *)udata, &ar->k_ar.ar_arg_auditon,
583 	    sizeof(ar->k_ar.ar_arg_auditon));
584 	ARG_SET_VALID(ar, ARG_AUDITON);
585 }
586 
587 /*
588  * Audit information about a file, either the file's vnode info, or its
589  * socket address info.
590  */
591 void
592 audit_arg_file(struct proc *p, struct file *fp)
593 {
594 	struct kaudit_record *ar;
595 	struct socket *so;
596 	struct inpcb *pcb;
597 	struct vnode *vp;
598 	int vfslocked;
599 
600 	ar = currecord();
601 	if (ar == NULL)
602 		return;
603 
604 	switch (fp->f_type) {
605 	case DTYPE_VNODE:
606 	case DTYPE_FIFO:
607 		/*
608 		 * XXXAUDIT: Only possibly to record as first vnode?
609 		 */
610 		vp = fp->f_vnode;
611 		vfslocked = VFS_LOCK_GIANT(vp->v_mount);
612 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, curthread);
613 		audit_arg_vnode(vp, ARG_VNODE1);
614 		VOP_UNLOCK(vp, 0, curthread);
615 		VFS_UNLOCK_GIANT(vfslocked);
616 		break;
617 
618 	case DTYPE_SOCKET:
619 		so = (struct socket *)fp->f_data;
620 		if (INP_CHECK_SOCKAF(so, PF_INET)) {
621 			SOCK_LOCK(so);
622 			ar->k_ar.ar_arg_sockinfo.so_type =
623 			    so->so_type;
624 			ar->k_ar.ar_arg_sockinfo.so_domain =
625 			    INP_SOCKAF(so);
626 			ar->k_ar.ar_arg_sockinfo.so_protocol =
627 			    so->so_proto->pr_protocol;
628 			SOCK_UNLOCK(so);
629 			pcb = (struct inpcb *)so->so_pcb;
630 			INP_LOCK(pcb);
631 			ar->k_ar.ar_arg_sockinfo.so_raddr =
632 			    pcb->inp_faddr.s_addr;
633 			ar->k_ar.ar_arg_sockinfo.so_laddr =
634 			    pcb->inp_laddr.s_addr;
635 			ar->k_ar.ar_arg_sockinfo.so_rport =
636 			    pcb->inp_fport;
637 			ar->k_ar.ar_arg_sockinfo.so_lport =
638 			    pcb->inp_lport;
639 			INP_UNLOCK(pcb);
640 			ARG_SET_VALID(ar, ARG_SOCKINFO);
641 		}
642 		break;
643 
644 	default:
645 		/* XXXAUDIT: else? */
646 		break;
647 	}
648 }
649 
650 /*
651  * Store a path as given by the user process for auditing into the audit
652  * record stored on the user thread. This function will allocate the memory
653  * to store the path info if not already available. This memory will be freed
654  * when the audit record is freed.
655  *
656  * XXXAUDIT: Possibly assert that the memory isn't already allocated?
657  */
658 void
659 audit_arg_upath(struct thread *td, char *upath, u_int64_t flag)
660 {
661 	struct kaudit_record *ar;
662 	char **pathp;
663 
664 	KASSERT(td != NULL, ("audit_arg_upath: td == NULL"));
665 	KASSERT(upath != NULL, ("audit_arg_upath: upath == NULL"));
666 
667 	ar = currecord();
668 	if (ar == NULL)
669 		return;
670 
671 	KASSERT((flag == ARG_UPATH1) || (flag == ARG_UPATH2),
672 	    ("audit_arg_upath: flag %llu", (unsigned long long)flag));
673 	KASSERT((flag != ARG_UPATH1) || (flag != ARG_UPATH2),
674 	    ("audit_arg_upath: flag %llu", (unsigned long long)flag));
675 
676 	if (flag == ARG_UPATH1)
677 		pathp = &ar->k_ar.ar_arg_upath1;
678 	else
679 		pathp = &ar->k_ar.ar_arg_upath2;
680 
681 	if (*pathp == NULL)
682 		*pathp = malloc(MAXPATHLEN, M_AUDITPATH, M_WAITOK);
683 
684 	canon_path(td, upath, *pathp);
685 
686 	ARG_SET_VALID(ar, flag);
687 }
688 
689 /*
690  * Function to save the path and vnode attr information into the audit
691  * record.
692  *
693  * It is assumed that the caller will hold any vnode locks necessary to
694  * perform a VOP_GETATTR() on the passed vnode.
695  *
696  * XXX: The attr code is very similar to vfs_vnops.c:vn_stat(), but
697  * always provides access to the generation number as we need that
698  * to construct the BSM file ID.
699  * XXX: We should accept the process argument from the caller, since
700  * it's very likely they already have a reference.
701  * XXX: Error handling in this function is poor.
702  *
703  * XXXAUDIT: Possibly KASSERT the path pointer is NULL?
704  */
705 void
706 audit_arg_vnode(struct vnode *vp, u_int64_t flags)
707 {
708 	struct kaudit_record *ar;
709 	struct vattr vattr;
710 	int error;
711 	struct vnode_au_info *vnp;
712 
713 	KASSERT(vp != NULL, ("audit_arg_vnode: vp == NULL"));
714 	KASSERT((flags == ARG_VNODE1) || (flags == ARG_VNODE2),
715 	    ("audit_arg_vnode: flags %jd", (intmax_t)flags));
716 
717 	/*
718 	 * Assume that if the caller is calling audit_arg_vnode() on a
719 	 * non-MPSAFE vnode, then it will have acquired Giant.
720 	 */
721 	VFS_ASSERT_GIANT(vp->v_mount);
722 	ASSERT_VOP_LOCKED(vp, "audit_arg_vnode");
723 
724 	ar = currecord();
725 	if (ar == NULL)
726 		return;
727 
728 	/*
729 	 * XXXAUDIT: The below clears, and then resets the flags for valid
730 	 * arguments.  Ideally, either the new vnode is used, or the old one
731 	 * would be.
732 	 */
733 	if (flags & ARG_VNODE1) {
734 		ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE1);
735 		vnp = &ar->k_ar.ar_arg_vnode1;
736 	} else {
737 		ar->k_ar.ar_valid_arg &= (ARG_ALL ^ ARG_VNODE2);
738 		vnp = &ar->k_ar.ar_arg_vnode2;
739 	}
740 
741 	error = VOP_GETATTR(vp, &vattr, curthread->td_ucred, curthread);
742 	if (error) {
743 		/* XXX: How to handle this case? */
744 		return;
745 	}
746 
747 	vnp->vn_mode = vattr.va_mode;
748 	vnp->vn_uid = vattr.va_uid;
749 	vnp->vn_gid = vattr.va_gid;
750 	vnp->vn_dev = vattr.va_rdev;
751 	vnp->vn_fsid = vattr.va_fsid;
752 	vnp->vn_fileid = vattr.va_fileid;
753 	vnp->vn_gen = vattr.va_gen;
754 	if (flags & ARG_VNODE1)
755 		ARG_SET_VALID(ar, ARG_VNODE1);
756 	else
757 		ARG_SET_VALID(ar, ARG_VNODE2);
758 }
759 
760 /*
761  * Audit the argument strings passed to exec.
762  */
763 void
764 audit_arg_argv(char *argv, int argc, int length)
765 {
766 	struct kaudit_record *ar;
767 
768 	if (audit_argv == 0)
769 		return;
770 
771 	ar = currecord();
772 	if (ar == NULL)
773 		return;
774 
775 	ar->k_ar.ar_arg_argv = malloc(length, M_AUDITTEXT, M_WAITOK);
776 	bcopy(argv, ar->k_ar.ar_arg_argv, length);
777 	ar->k_ar.ar_arg_argc = argc;
778 	ARG_SET_VALID(ar, ARG_ARGV);
779 }
780 
781 /*
782  * Audit the environment strings passed to exec.
783  */
784 void
785 audit_arg_envv(char *envv, int envc, int length)
786 {
787 	struct kaudit_record *ar;
788 
789 	if (audit_arge == 0)
790 		return;
791 
792 	ar = currecord();
793 	if (ar == NULL)
794 		return;
795 
796 	ar->k_ar.ar_arg_envv = malloc(length, M_AUDITTEXT, M_WAITOK);
797 	bcopy(envv, ar->k_ar.ar_arg_envv, length);
798 	ar->k_ar.ar_arg_envc = envc;
799 	ARG_SET_VALID(ar, ARG_ENVV);
800 }
801 
802 /*
803  * The close() system call uses it's own audit call to capture the path/vnode
804  * information because those pieces are not easily obtained within the system
805  * call itself.
806  */
807 void
808 audit_sysclose(struct thread *td, int fd)
809 {
810 	struct kaudit_record *ar;
811 	struct vnode *vp;
812 	struct file *fp;
813 	int vfslocked;
814 
815 	KASSERT(td != NULL, ("audit_sysclose: td == NULL"));
816 
817 	ar = currecord();
818 	if (ar == NULL)
819 		return;
820 
821 	audit_arg_fd(fd);
822 
823 	if (getvnode(td->td_proc->p_fd, fd, &fp) != 0)
824 		return;
825 
826 	vp = fp->f_vnode;
827 	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
828 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
829 	audit_arg_vnode(vp, ARG_VNODE1);
830 	VOP_UNLOCK(vp, 0, td);
831 	VFS_UNLOCK_GIANT(vfslocked);
832 	fdrop(fp, td);
833 }
834