Change audit close arguments to a type and value.

That way we can distinguish between different error types.

include/sudo_plugin.h

@@ -206,6 +206,12 @@ struct io_plugin {
     struct sudo_plugin_event * (*event_alloc)(void);
 };
 
+/* Differ audit plugin close status types. */
+#define SUDO_PLUGIN_NO_STATUS		0
+#define SUDO_PLUGIN_WAIT_STATUS		1
+#define SUDO_PLUGIN_EXEC_ERROR		2
+#define SUDO_PLUGIN_SUDO_ERROR		3
+
 /* Audit plugin type and defines */
 struct audit_plugin {
 #define SUDO_AUDIT_PLUGIN	    3
@@ -216,7 +222,7 @@ struct audit_plugin {
 	char * const user_info[], int submit_optind,
 	char * const submit_argv[], char * const submit_envp[],
 	char * const plugin_options[], const char **errstr);
-    void (*close)(int exit_status, int error);
+    void (*close)(int status_type, int status);
     int (*accept)(const char *plugin_name, unsigned int plugin_type,
 	char * const command_info[], char * const run_argv[],
 	char * const run_envp[], const char **errstr);

plugins/audit_json/audit_json.c

@@ -489,23 +489,6 @@ done:
     debug_return_int(ret);
 }
 
-static void
-audit_close(int exit_status, int error)
-{
-    debug_decl(audit_close, SUDO_DEBUG_PLUGIN);
-
-    if (state.accepted) {
-	/* Write log entry for exit_status, or error. */
-	audit_write_exit_record(exit_status, error);
-    }
-
-    free(state.logfile);
-    if (state.log_fp != NULL)
-	fclose(state.log_fp);
-
-    debug_return;
-}
-
 static int
 audit_write_record(const char *audit_str, const char *plugin_name,
     unsigned int plugin_type, const char *reason, char * const command_info[],
@@ -547,6 +530,9 @@ audit_write_record(const char *audit_str, const char *plugin_name,
     sudo_json_add_value(&json, "plugin_name", &json_value);
 
     switch (plugin_type) {
+    case 0:
+	json_value.u.string = "front-end";
+	break;
     case SUDO_POLICY_PLUGIN:
 	json_value.u.string = "policy";
 	break;
@@ -648,6 +634,31 @@ audit_error(const char *plugin_name, unsigned int plugin_type,
     debug_return_int(ret);
 }
 
+static void
+audit_close(int status_type, int status)
+{
+    debug_decl(audit_close, SUDO_DEBUG_PLUGIN);
+
+    switch (status_type) {
+    case SUDO_PLUGIN_WAIT_STATUS:
+	audit_write_exit_record(status, 0);
+	break;
+    case SUDO_PLUGIN_EXEC_ERROR:
+	audit_write_exit_record(0, status);
+	break;
+    case SUDO_PLUGIN_SUDO_ERROR:
+	audit_write_record("error", "sudo", 0, strerror(status),
+	    NULL, NULL, NULL);
+	break;
+    }
+
+    free(state.logfile);
+    if (state.log_fp != NULL)
+	fclose(state.log_fp);
+
+    debug_return;
+}
+
 static int
 audit_show_version(int verbose)
 {

src/sudo.c

@@ -947,7 +947,7 @@ run_command(struct command_details *details)
 	/* exec_setup() or execve() returned an error. */
 	policy_close(0, cstat.val);
 	iolog_close(0, cstat.val);
-	audit_close(0, cstat.val);
+	audit_close(SUDO_PLUGIN_EXEC_ERROR, cstat.val);
 	break;
     case CMD_WSTATUS:
 	/* Command ran, exited or was killed. */
@@ -958,9 +958,10 @@ run_command(struct command_details *details)
 #endif
 	policy_close(status, 0);
 	iolog_close(status, 0);
-	audit_close(status, 0);
+	audit_close(SUDO_PLUGIN_WAIT_STATUS, status);
 	break;
     default:
+	/* TODO: handle front end error conditions. */
 	sudo_warnx(U_("unexpected child termination condition: %d"), cstat.type);
 	break;
     }
@@ -1162,6 +1163,7 @@ policy_check(int argc, char * const argv[],
 	/* Policy must be closed after auditing to avoid use after free. */
 	if (policy_plugin.u.policy->version >= SUDO_API_MKVERSION(1, 15))
 	    policy_close(0, 0);
+	audit_close(SUDO_PLUGIN_NO_STATUS, 0);
 	exit(EXIT_FAILURE); /* policy plugin printed error message */
     }
 
@@ -1209,6 +1211,7 @@ policy_list(int argc, char * const argv[], int verbose,
     /* Policy must be closed after auditing to avoid use after free. */
     if (policy_plugin.u.policy->version >= SUDO_API_MKVERSION(1, 15))
 	policy_close(0, 0);
+    audit_close(SUDO_PLUGIN_NO_STATUS, 0);
 
     exit(ok != 1);
 }
@@ -1252,6 +1255,7 @@ policy_validate(char * const argv[], char * const envp[])
     /* Policy must be closed after auditing to avoid use after free. */
     if (policy_plugin.u.policy->version >= SUDO_API_MKVERSION(1, 15))
 	policy_close(0, 0);
+    audit_close(SUDO_PLUGIN_NO_STATUS, 0);
 
     exit(ok != 1);
 }
@@ -1273,6 +1277,8 @@ policy_invalidate(int remove)
     }
     sudo_debug_set_active_instance(sudo_debug_instance);
 
+    audit_close(SUDO_PLUGIN_NO_STATUS, 0);
+
     exit(EXIT_SUCCESS);
 }
 
@@ -1552,7 +1558,7 @@ audit_open(struct sudo_settings *settings, char * const user_info[],
 }
 
 static void
-audit_close(int exit_status, int error_code)
+audit_close(int status_type, int status)
 {
     struct plugin_container *plugin;
     debug_decl(audit_close, SUDO_DEBUG_PCOMM);
@@ -1560,7 +1566,7 @@ audit_close(int exit_status, int error_code)
     TAILQ_FOREACH(plugin, &audit_plugins, entries) {
 	if (plugin->u.audit->close != NULL) {
 	    sudo_debug_set_active_instance(plugin->debug_instance);
-	    plugin->u.audit->close(exit_status, error_code);
+	    plugin->u.audit->close(status_type, status);
 	    sudo_debug_set_active_instance(sudo_debug_instance);
 	}
     }
@@ -1581,7 +1587,7 @@ audit_show_version(int verbose)
 	    plugin->u.audit->show_version(verbose);
 	}
 	if (plugin->u.audit->close != NULL)
-	    plugin->u.audit->close(0, 0);
+	    plugin->u.audit->close(SUDO_PLUGIN_NO_STATUS, 0);
 	sudo_debug_set_active_instance(sudo_debug_instance);
     }