6545618 exit audit records could include process return value

2 files changed, 18 insertions, 2 deletions

diff --git a/usr/src/cmd/auditrecord/audit_record_attr.txt b/usr/src/cmd/auditrecord/audit_record_attr.txt
index 53bf1ff177..d03c712482 100644
--- a/usr/src/cmd/auditrecord/audit_record_attr.txt
+++ b/usr/src/cmd/auditrecord/audit_record_attr.txt
@@ -705,7 +705,8 @@ label=AUE_EXECVE
 #	trailer,86
 
 label=AUE_EXIT
-  format=[text]1
+  format=arg1:[text]2
+    comment=1, exit status, "exit status":
     comment=event aborted
 
 label=AUE_EXITPROM
diff --git a/usr/src/uts/common/c2/audit_event.c b/usr/src/uts/common/c2/audit_event.c
index 3ac61782c2..6433ab14f4 100644
--- a/usr/src/uts/common/c2/audit_event.c
+++ b/usr/src/uts/common/c2/audit_event.c
@@ -104,6 +104,7 @@ static au_event_t	aui_forksys(au_event_t);
 static au_event_t	aui_labelsys(au_event_t);
 static au_event_t	aui_setpgrp(au_event_t);
 
+static void	aus_exit(struct t_audit_data *);
 static void	aus_open(struct t_audit_data *);
 static void	aus_openat(struct t_audit_data *);
 static void	aus_acl(struct t_audit_data *);
@@ -199,7 +200,7 @@ struct audit_s2e audit_s2e[] =
  */
 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
 		auf_null,	0,
-aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
+aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
 		auf_null,	S2E_NPT,
 aui_null,	AUE_NULL,	aus_null,	/* 2 (loadable) was forkall */
 		auf_null,	0,
@@ -726,6 +727,20 @@ aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
 
 
+/* exit start function */
+/*ARGSUSED*/
+static void
+aus_exit(struct t_audit_data *tad)
+{
+	uint32_t rval;
+	struct a {
+		long rval;
+	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
+
+	rval = (uint32_t)uap->rval;
+	au_uwrite(au_to_arg32(1, "exit status", rval));
+}
+
 /* acct start function */
 /*ARGSUSED*/
 static void