Bug 229696

Summary: Misplaced negation symbol in auditon(2)'s A_SETPOLICY cmd option
Product: Base System
Reporter: Aniket Pandey <aniketp>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: New
Severity: Affects Some People
CC: asomers, cem
Priority: ---
Version: CURRENT
Hardware: Any
OS: Any

Description Aniket Pandey 2018-07-11 11:56:19 UTC
The system code for auditon(2)'s A_{GET/SET}POLICY command confirms whether the user submitted only the allowed values for A_{SET/GET}POLICY by the following method:

	return (EINVAL);

That is: If a bit other than the 4 mentioned above is submitted, we'll get EINVAL.

However, the negation bit is misplaced for the "udata.au_policy64" case:

	return (EINVAL);

This returns EINVAL almost every time. The only occasion when I got a success was passing 0 as the flags, which is not recommended if the system already has some of the flags set.

Try this piece of code. If your system has any of the flags set, you'll probably get EINVAL too.

#include <bsm/audit.h>
#include <stdint.h>
#include <stdio.h>
int main(void)
{
	uint64_t auditpolicy;	/* 8-byte length selects the au_policy64 path */
	if (auditon(A_GETPOLICY, &auditpolicy, sizeof(auditpolicy)) < 0) {
		perror("auditon(A_GETPOLICY)");
		return (1);
	}
	printf("retrieved policy = %llu\n", (unsigned long long)auditpolicy);
	/* Setting the policy just read back should succeed; it returns EINVAL instead. */
	if (auditon(A_SETPOLICY, &auditpolicy, sizeof(auditpolicy)) < 0) {
		perror("auditon(A_SETPOLICY)");
		return (1);
	}
	return (0);
}
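The report does not show the condition in front of either `return (EINVAL);`, so the following is an added, stand-alone illustration of the mask-check bug class it describes, not the kernel's code: a correct "reject any bit outside the allowed set" test next to the form such a check takes when the negation lands on only the first flag. The flag names and values (POL_A..POL_D) are constructed stand-ins for the four permitted policy bits, and the buggy shape is an assumption about how the negation was misplaced. Under that assumption the broken mask is "everything except the first flag", so only 0 and that single flag are accepted and every other legal combination gets EINVAL, matching the behaviour the reporter observed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the four permitted policy flags (hypothetical values). */
#define POL_A 0x01
#define POL_B 0x02
#define POL_C 0x04
#define POL_D 0x08
#define POL_ALLOWED (POL_A | POL_B | POL_C | POL_D)

/* Correct validation: fail if any bit outside the allowed set is present. */
int check_policy_ok(uint64_t policy)
{
	if (policy & ~(POL_A | POL_B | POL_C | POL_D))
		return (EINVAL);
	return (0);
}

/*
 * Misplaced negation (assumed shape of the bug): only POL_A is negated, so the
 * mask becomes "every bit except POL_A" and almost any non-zero policy fails.
 */
int check_policy_buggy(uint64_t policy)
{
	if (policy & (~POL_A | POL_B | POL_C | POL_D))
		return (EINVAL);
	return (0);
}

/* Count how many of the 16 legal flag combinations a checker accepts. */
int count_accepted(int (*check)(uint64_t))
{
	int accepted = 0;

	for (uint64_t p = 0; p <= POL_ALLOWED; p++)
		if (check(p) == 0)
			accepted++;
	return (accepted);
}

int main(void)
{
	printf("correct check accepts %d/16 legal policies, buggy check accepts %d/16\n",
	    count_accepted(check_policy_ok), count_accepted(check_policy_buggy));
	return (0);
}
```

Enumerating every legal combination, as count_accepted does, is also a cheap regression test for this kind of validation: a correct mask accepts all 16, and any drop in that number points straight at the operator precedence of the `~`.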

Fix: review D16222