Lines Matching refs:record
96 * to churn a lot whenever the audit record flow gets high.
187 * record at the present time. Also, the queue control parameter
303 * Converts an audit record into the BSM format before writing out to the
308 * EINVAL if the kaudit_record ar is not a valid audit record.
326 * if we're unable to perform the operation, we drop the record
411 * If there is a user audit record attached to the kernel record,
412 * then write the user record.
415 * record is written, but the write of the kernel record fails,
416 * what to do? Should the kernel record come before or after the
417 * user record? For now, we write the user record first, and
428 * Convert the internal kernel record to BSM format and write it
443 * XXX: We drop the record on BSM conversion failure, but really
453 * away from the BSM record generation and have the BSM generation
455 * take the BSM record as a parameter.
463 * When we're done processing the current record, we have to
465 * this was the last record left to be drained. If we're done
471 panic("Audit store overflow; record queue drained.");
579 * write to, drain the record queue. Generally, we
613 * to write to. Dequeue a record, and start the write.
688 /* Assume 3 MAC labels for each audit record: two for vnodes,
794 * record to the kernel for inclusion in the audit log. This function
795 * does little verification on the audit record that is submitted.
823 /* If there's no current audit record (audit() itself not audited)
824 * commit the user audit record.
832 * a complete kernel audit record just so the user record
846 error = copyin(uap->record, rec, uap->length);
856 /* Verify the record */
862 /* Attach the user audit record to the kernel audit record. Because
864 * record along with the record for this audit event.
872 /* audit_syscall_exit() will free the audit record on the thread
1479 * the record is created. These events will generally
1497 * Initialize the audit record header.
1597 * Decide whether to commit the audit record by checking the
1696 * another audit record.
1743 * Allocate an audit record, if preselection allows it, and store
1793 * Commit the audit record as desired; once we pass the record
1815 * record will be suppressed. Other values at this
1816 * point result in the audit record being committed.
1836 AUDIT_PRINTF(("audit record committed by pid %d\n", proc->p_pid));
1884 * Allocate an audit record, if desired, and store in the BSD
1908 * Calls to manipulate elements of the audit record structure from system
1911 * check the thread audit record pointer anyway, as the audit condition
1913 * record for this event.
2180 * in the audit record.
2405 * record stored on the user thread. This function will allocate the memory to
2407 * freed when the audit record is freed. Note that the current working
2411 * real (non-chroot) path being recorded in the audit record.
2457 * record.
2523 * attached to the audit record, and set a flag indicating
2638 * from a policy to the current audit record.
2643 struct mac_audit_record *record;
2662 record = (struct mac_audit_record *)kalloc(sizeof(*record));
2663 if (record == NULL)
2666 record->type = type;
2667 record->length = len;
2668 record->data = data;
2669 LIST_INSERT_HEAD(cur->k_ar.ar_mac_records, record, records);
2706 * if an audit record will be stored, reducing wasted memory allocation