From owner-trustedbsd-cvs@FreeBSD.ORG  Thu Sep  7 14:59:23 2006
Return-Path: <owner-trustedbsd-cvs@FreeBSD.ORG>
X-Original-To: trustedbsd-cvs@freebsd.org
Delivered-To: trustedbsd-cvs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8D48116A54A
	for <trustedbsd-cvs@freebsd.org>; Thu,  7 Sep 2006 14:59:23 +0000 (UTC)
	(envelope-from owner-perforce@freebsd.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DB60F43D55
	for <trustedbsd-cvs@freebsd.org>; Thu,  7 Sep 2006 14:59:05 +0000 (GMT)
	(envelope-from owner-perforce@freebsd.org)
Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119])
	by cyrus.watson.org (Postfix) with ESMTP id C27C646D95
	for <trustedbsd-cvs@trustedbsd.org>;
	Thu,  7 Sep 2006 10:59:03 -0400 (EDT)
Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18])
	by mx2.freebsd.org (Postfix) with ESMTP id 738E592C0E;
	Thu,  7 Sep 2006 14:58:08 +0000 (GMT)
	(envelope-from owner-perforce@freebsd.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 7BC4616A50C; Thu,  7 Sep 2006 14:58:05 +0000 (UTC)
X-Original-To: perforce@freebsd.org
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5370416A500
	for <perforce@freebsd.org>; Thu,  7 Sep 2006 14:58:05 +0000 (UTC)
	(envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 02F2643D5E
	for <perforce@freebsd.org>; Thu,  7 Sep 2006 14:58:05 +0000 (GMT)
	(envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k87Ew4m7021830
	for <perforce@freebsd.org>; Thu, 7 Sep 2006 14:58:04 GMT
	(envelope-from millert@freebsd.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k87Ew4bk021827
	for perforce@freebsd.org; Thu, 7 Sep 2006 14:58:04 GMT
	(envelope-from millert@freebsd.org)
Date: Thu, 7 Sep 2006 14:58:04 GMT
Message-Id: <200609071458.k87Ew4bk021827@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	millert@freebsd.org using -f
From: Todd Miller <millert@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Cc: 
Subject: PERFORCE change 105793 for review
X-BeenThere: trustedbsd-cvs@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD CVS and Perforce commit message list
	<trustedbsd-cvs.FreeBSD.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/trustedbsd-cvs>, 
	<mailto:trustedbsd-cvs-request@FreeBSD.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/trustedbsd-cvs>
List-Post: <mailto:trustedbsd-cvs@FreeBSD.org>
List-Help: <mailto:trustedbsd-cvs-request@FreeBSD.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/trustedbsd-cvs>,
	<mailto:trustedbsd-cvs-request@FreeBSD.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2006 14:59:23 -0000

http://perforce.freebsd.org/chv.cgi?CH=105793

Change 105793 by millert@millert_g5tower on 2006/09/07 14:57:46

	Audit updates

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/bsm/bsm/etc/audit_event#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kevents.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_klib.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#8 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#4 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/bsm/bsm/etc/audit_event#2 (text+ko) ====

@@ -283,6 +283,36 @@
 359:AUE_PIDFORTASK:pid_for_task():pc
 360:AUE_SYSCTL_NONADMIN:sysctl() - non-admin:ot
 361:AUE_COPYFILE:copyfile():fr,fw
+400:AUE_MAC_GET_PROC:mac_get_proc(2):pc
+401:AUE_MAC_SET_PROC:mac_set_proc(2):pc
+402:AUE_MAC_GET_PID:mac_get_pid(2):pc
+403:AUE_MAC_SET_FILE:mac_set_file(2):fm
+404:AUE_MAC_GET_FILE:mac_get_file(2):fa
+405:AUE_MAC_SET_LINK:mac_set_link(2):fm
+406:AUE_MAC_GET_LINK:mac_get_link(2):fa
+407:AUE_MAC_SET_FD:mac_set_fd(2):fm
+408:AUE_MAC_GET_FD:mac_get_fd(2):fa
+409:AUE_MAC_EXECVE:mac_execve(2):pc,ex
+410:AUE_MAC_SYSCALL:mac_syscall(2):ad
+411:AUE_MAC_GET_LCID:mac_get_lcid(2):pc
+412:AUE_MAC_GET_LCTX:mac_get_lctx(2):pc
+413:AUE_MAC_SET_LCTX:mac_set_lctx(2):pc
+414:AUE_SETLCID:setlcid(2):pc
+415:AUE_GETLCID:getlcid(2):pc
+416:AUE_MAC_MOUNT:mac_mount(2):ad
+417:AUE_MAC_GET_MOUNT:mac_get_mount(2):fa
+451:AUE_EXTATTR_SET_FILE:extattr_set_file(2):fm
+452:AUE_EXTATTR_GET_FILE:extattr_get_file(2):fa
+453:AUE_EXTATTR_DELETE_FILE:extattr_delete_file(2):fm
+454:AUE_EXTATTR_LIST_FILE:extattr_list_file(2):fa
+455:AUE_EXTATTR_SET_LINK:extattr_set_link(2):fm
+456:AUE_EXTATTR_GET_LINK:extattr_get_link(2):fa
+457:AUE_EXTATTR_DELETE_LINK:extattr_delete_link(2):fm
+458:AUE_EXTATTR_LIST_LINK:extattr_list_link(2):fa
+459:AUE_EXTATTR_SET_FD:extattr_set_fd(2):fm
+460:AUE_EXTATTR_GET_FD:extattr_get_fd(2):fa
+461:AUE_EXTATTR_DELETE_FD:extattr_delete_fd(2):fm
+462:AUE_EXTATTR_LIST_FD:extattr_list_fd(2):fa
 6152:AUE_login:login - local:lo
 6153:AUE_logout:logout - local:lo
 6159:AUE_su:su(1):lo

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#3 (text+ko) ====

@@ -106,6 +106,7 @@
 #define ARG_PROCESS		0x0000080000000000ULL
 #define ARG_MACHPORT1		0x0000100000000000ULL
 #define ARG_MACHPORT2		0x0000200000000000ULL
+#define ARG_MAC_STRING		0x0000400000000000ULL
 #define ARG_NONE		0x0000000000000000ULL
 #define ARG_ALL			0xFFFFFFFFFFFFFFFFULL
 
@@ -231,6 +232,7 @@
 	char				*ar_vnode1_mac_labels;
 	char				*ar_vnode2_mac_labels;
 	char				*ar_cred_mac_labels;
+	char				*ar_arg_mac_string;
 #endif
 	char				*ar_arg_text;
 	struct au_mask			ar_arg_amask;
@@ -383,6 +385,7 @@
  * It currently creates only text and data audit tokens.
  */
 int			 audit_mac_data(int type, int len, u_char *data);
+void			 audit_arg_mac_string(const char *string);
 
 #endif
 

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kevents.h#2 (text+ko) ====

@@ -335,6 +335,7 @@
 #define AUE_SYSCTL_NONADMIN	360
 
 // BSM events for security system calls
+#define AUE_MAC_GET_PROC		400
 #define AUE_MAC_SET_PROC		401
 #define AUE_MAC_GET_PID			402
 #define AUE_MAC_SET_FILE		403
@@ -351,6 +352,7 @@
 #define	AUE_SETLCID			414
 #define	AUE_GETLCID			415
 #define	AUE_MAC_MOUNT			416
+#define	AUE_MAC_GET_MOUNT		417
  
 // BSM events for extended attributes
 #define AUE_EXTATTR_SET_FILE		451

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#4 (text+ko) ====

@@ -71,6 +71,8 @@
 #include <security/mac.h>
 #include <security/mac_framework.h>
 #include <security/mac_policy.h>
+#define MAC_ARG_PREFIX "arg: "
+#define MAC_ARG_PREFIX_LEN 5
 #endif
 
 #include <net/route.h>
@@ -258,6 +260,10 @@
 	if (ar->k_ar.ar_cred_mac_labels != NULL) {
 		kfree(ar->k_ar.ar_cred_mac_labels, MAC_AUDIT_LABEL_LEN);
 	}
+	if (ar->k_ar.ar_arg_mac_string != NULL) {
+		kfree(ar->k_ar.ar_arg_mac_string,
+		    MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
+	}
 
 	/* Free the audit data from the MAC policies. */
 	do {
@@ -1344,7 +1350,7 @@
 	struct nameidata nd;
 	kauth_cred_t cred;
 	struct vnode *vp;
-	int error, flags;
+	int error;
 	struct vfs_context context;
 
 	context.vc_proc = p;
@@ -1362,15 +1368,20 @@
 	 * validity checks, and grab another reference to the current
 	 * credential.
 	 */
-	if (uap->path != 0) {
+	if (uap->path != USER_ADDR_NULL) {
 		NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1, 
-			(IS_64BIT_PROCESS(p) ? UIO_USERSPACE64 : UIO_USERSPACE32),
-			uap->path, &context);
-		flags = audit_open_flags;
-		error = vn_open(&nd, flags, 0);
+			UIO_USERSPACE, uap->path, &context);
+		error = vn_open(&nd, audit_open_flags, 0);
 		if (error)
 			goto out;
 		vp = nd.ni_vp;
+
+		if (vp->v_type != VREG) {
+			vn_close(vp, audit_close_flags, kauth_cred_get(), p);
+			vnode_put(vp);
+			error = EINVAL;
+			goto out;
+		}
 #ifdef MAC
 		/*
 		 * Accessibility of the vnode was determined in
@@ -1383,19 +1394,13 @@
 		 * sensitivity.
 		 */
 
-		error = mac_system_check_auditctl(kauth_cred_get(), nd.ni_vp);
+		error = mac_system_check_auditctl(kauth_cred_get(), vp);
 		if (error) {
-			vn_close(nd.ni_vp, audit_close_flags, kauth_cred_get(), p);
+			vn_close(vp, audit_close_flags, kauth_cred_get(), p);
 			vnode_put(vp);
 			goto out;
 		}
 #endif
-		if (vp->v_type != VREG) {
-			vn_close(vp, audit_close_flags, kauth_cred_get(), p);
-			vnode_put(vp);
-			error = EINVAL;
-			goto out;
-		}
 		cred = kauth_cred_get_with_ref();
 		audit_suspended = 0;
 	}
@@ -2618,6 +2623,27 @@
 	kfree(data, len);
 	return (ret);
 }
+
+void
+audit_arg_mac_string(const char *string)
+{
+	struct kaudit_record *ar;
+
+	ar = currecord();
+	if (ar == NULL)
+		return;
+
+	if (ar->k_ar.ar_arg_mac_string == NULL) {
+		ar->k_ar.ar_arg_mac_string =
+		    (char *)kalloc(MAC_MAX_LABEL_BUF_LEN + MAC_ARG_PREFIX_LEN);
+		if (ar->k_ar.ar_arg_mac_string == NULL)
+			return;
+	}
+	strncpy(ar->k_ar.ar_arg_mac_string, MAC_ARG_PREFIX, MAC_ARG_PREFIX_LEN);
+	strcpy(ar->k_ar.ar_arg_mac_string + MAC_ARG_PREFIX_LEN, string);
+	ar->k_ar.ar_valid_arg |= ARG_MAC_STRING;
+
+}
 #endif  /* MAC */
 
 /*

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#3 (text+ko) ====

@@ -341,6 +341,14 @@
 		}							\
 	} while (0)							\
 
+#define PROCESS_MAC_TOKENS						\
+	do {								\
+		if (ar->ar_valid_arg & ARG_MAC_STRING) {		\
+			tok = au_to_text(ar->ar_arg_mac_string);	\
+			kau_write(rec, tok);				\
+		}							\
+	} while (0)							\
+
 /*
  * Implement auditing for the auditon() system call. The audit tokens
  * that are generated depend on the command that was sent into the 
@@ -619,7 +627,6 @@
 	case AUE_GETATTRLIST:
 	case AUE_GETFH:
 	case AUE_LSTAT:
-	case AUE_MAC_EXECVE:
 	case AUE_MKFIFO:
 	case AUE_PATHCONF:
 	case AUE_READLINK:
@@ -694,12 +701,8 @@
 	case AUE_EXTATTR_LIST_FD:
 	case AUE_EXTATTR_SET_FD:
 	case AUE_EXTATTR_DELETE_FD:
-#ifdef MAC
-	case AUE_MAC_GET_FD:
-	case AUE_MAC_SET_FD:
 		FD_KPATH1_VNODE1_TOKENS;
 		break;
-#endif
 	
 	case AUE_FCHOWN:
 		tok = au_to_arg32(2, "new file uid", ar->ar_arg_uid);
@@ -735,6 +738,18 @@
 		kau_write(rec, tok);
 		break;
 	
+	case AUE_GETLCID:
+		tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
+		kau_write(rec, tok);
+		break;
+
+	case AUE_SETLCID:
+		tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
+		kau_write(rec, tok);
+		tok = au_to_arg32(2, "lcid", (u_int32_t)ar->ar_arg_value);
+		kau_write(rec, tok);
+		break;
+
 	case AUE_IOCTL:
 		tok = au_to_arg32(2, "cmd", ar->ar_arg_cmd);
 		kau_write(rec, tok);
@@ -816,8 +831,11 @@
 		}
 		break;
 
+#ifdef MAC
 	case AUE_MAC_MOUNT:
-		/* XXX Audit the label string? */
+		PROCESS_MAC_TOKENS;
+		/* fall through */
+#endif
 	case AUE_MOUNT:
 		/* XXX Need to handle NFS mounts */
 		tok = au_to_arg32(3, "flags", ar->ar_arg_fflags);
@@ -1168,12 +1186,6 @@
 		FD_KPATH1_VNODE1_TOKENS;
 		break;
 
-#ifdef MAC
-	case AUE_MAC_GET_FILE:
-	case AUE_MAC_SET_FILE:
-	case AUE_MAC_GET_LINK:
-	case AUE_MAC_SET_LINK:
-#endif
 	case AUE_EXTATTR_GET_FILE:
 	case AUE_EXTATTR_SET_FILE:
 	case AUE_EXTATTR_LIST_FILE:
@@ -1186,8 +1198,49 @@
 		break;
 
 #ifdef MAC
+	case AUE_MAC_GET_FILE:
+	case AUE_MAC_SET_FILE:
+	case AUE_MAC_GET_LINK:
+	case AUE_MAC_SET_LINK:
+	case AUE_MAC_GET_MOUNT:
+		UPATH1_KPATH1_VNODE1_TOKENS;
+		PROCESS_MAC_TOKENS;
+		break;
+
+	case AUE_MAC_GET_FD:
+	case AUE_MAC_SET_FD:
+		FD_KPATH1_VNODE1_TOKENS;
+		PROCESS_MAC_TOKENS;
+		break;
+
+	case AUE_MAC_SYSCALL:
+		PROCESS_MAC_TOKENS;
+		tok = au_to_arg32(3, "call", ar->ar_arg_value);
+		kau_write(rec, tok);
+		break;
+
+	case AUE_MAC_EXECVE:
+		UPATH1_KPATH1_VNODE1_TOKENS;
+		PROCESS_MAC_TOKENS;
+		break;
+
+	case AUE_MAC_GET_PID:
+		tok = au_to_arg32(1, "pid", (u_int32_t)ar->ar_arg_pid);
+		kau_write(rec, tok);
+		PROCESS_MAC_TOKENS;
+		break;
+
+	case AUE_MAC_GET_LCID:
+		tok = au_to_arg32(1, "lcid", (u_int32_t)ar->ar_arg_value);
+		kau_write(rec, tok);
+		PROCESS_MAC_TOKENS;
+		break;
+
+	case AUE_MAC_GET_PROC:
 	case AUE_MAC_SET_PROC:
-	case AUE_MAC_SYSCALL:
+	case AUE_MAC_GET_LCTX:
+	case AUE_MAC_SET_LCTX:
+		PROCESS_MAC_TOKENS;
 		break;
 #endif
 

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_klib.c#2 (text+ko) ====

@@ -448,7 +448,7 @@
 	AUE_MAC_SET_FILE,	       	/* 383 = __mac_set_file */
 	AUE_MAC_GET_LINK,	       	/* 384 = __mac_get_link */
 	AUE_MAC_SET_LINK,	       	/* 385 = __mac_set_link */
-	AUE_NULL,			/* 386 = __mac_get_proc */
+	AUE_MAC_GET_PROC,		/* 386 = __mac_get_proc */
 	AUE_MAC_SET_PROC,      		/* 387 = __mac_set_proc */
 	AUE_MAC_GET_FD,			/* 388 = __mac_get_fd */
 	AUE_MAC_SET_FD,			/* 389 = __mac_set_fd */
@@ -459,6 +459,7 @@
 	AUE_SETLCID,			/* 394 = setlcid */
 	AUE_GETLCID,			/* 395 = getlcid */
 	AUE_MAC_MOUNT,			/* 396 = __mac_mount */
+	AUE_MAC_GET_MOUNT,		/* 397 = __mac_get_mount */
 };
 int	nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]);
 

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#5 (text+ko) ====

@@ -1049,6 +1049,8 @@
 	struct lctx *l;
 	int error;
 
+	AUDIT_ARG(pid, uap->pid);
+	AUDIT_ARG(value, uap->lcid);
 	if (uap->pid == LCID_PROC_SELF) {	/* Create/Join/Leave */
 		p = p0;
 	} else {				/* Adopt/Orphan */
@@ -1131,6 +1133,7 @@
 	struct proc *p;
 	int error;
 
+	AUDIT_ARG(pid, uap->pid);
 	if (uap->pid == LCID_PROC_SELF) {
 		p = p0;
 	} else {

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#8 (text+ko) ====

@@ -1029,6 +1029,7 @@
 	int error;
 	size_t ulen;
 
+	AUDIT_ARG(pid, uap->pid);
 	error = copyin(CAST_USER_ADDR_T(uap->mac_p), &mac, sizeof(mac));
 	if (error)
 		return (error);
@@ -1049,6 +1050,7 @@
 		kauth_cred_rele(tcred);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, elements);
 
 	MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
 	error = mac_cred_externalize_label(tcred->cr_label, elements,
@@ -1085,6 +1087,7 @@
 		FREE(elements, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, elements);
 
 	cr = kauth_cred_proc_ref(p);
 
@@ -1128,6 +1131,7 @@
 		FREE(buffer, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, buffer);
 
 	intlabel = mac_cred_alloc_label();
 	error = mac_cred_internalize_label(intlabel, buffer);
@@ -1174,6 +1178,7 @@
 	int error;
 	size_t ulen;
 
+	AUDIT_ARG(value, uap->lcid);
 	error = copyin(CAST_USER_ADDR_T(uap->mac_p), &mac, sizeof(mac));
 	if (error)
 		return (error);
@@ -1193,6 +1198,7 @@
 		FREE(elements, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, elements);
 	MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
 	error = mac_lctx_externalize_label(l->lc_label, elements,
 					   buffer, mac.m_buflen);
@@ -1227,6 +1233,7 @@
 		FREE(elements, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, elements);
 	MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
 
 	PROC_LOCK(p);
@@ -1271,6 +1278,7 @@
 		FREE(buffer, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, buffer);
 
 	intlabel = mac_lctx_alloc_label();
 	error = mac_lctx_internalize_label(intlabel, buffer);
@@ -1349,6 +1357,7 @@
 		FREE(elements, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, elements);
 
 	MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
 	error = fdgetf_noref(p, uap->fd, &fp);
@@ -1419,6 +1428,7 @@
 		FREE(elements, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, elements);
 
 	context.vc_proc = p;
 	context.vc_ucred = kauth_cred_get();
@@ -1498,6 +1508,7 @@
 		FREE(buffer, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, buffer);
 	
 	error = fdgetf_noref(p, uap->fd, &fp);
 	if (error) {
@@ -1564,6 +1575,7 @@
 		FREE(buffer, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, buffer);
 
 	intlabel = mac_vnode_alloc_label();
 	error = mac_vnode_internalize_label(intlabel, buffer);
@@ -1627,6 +1639,8 @@
 	error = copyinstr(CAST_USER_ADDR_T(uap->policy), target, sizeof(target), &ulen);
 	if (error)
 		return (error);
+	AUDIT_ARG(value, uap->call);
+	AUDIT_ARG(mac_string, target);
 
 	error = ENOSYS;
 

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#4 (text+ko) ====

@@ -47,6 +47,12 @@
 
 #include <security/mac_internal.h>
 
+#ifdef MAC_DEBUG
+extern u_int nmaccreds, nmacprocs;
+#endif
+
+#include <bsd/bsm/audit_kernel.h>
+
 struct label *
 mac_cred_alloc_label(void)
 {
@@ -219,6 +225,7 @@
 		FREE(buffer, M_MACTEMP);
 		return (error);
 	}
+	AUDIT_ARG(mac_string, buffer);
 
 	error = mac_cred_internalize_label(execlabelstorage, buffer);
 	FREE(buffer, M_MACTEMP);