From 8930db0e09c4adf573438733ca582bfcfd1b594e Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Sun, 26 Apr 2015 07:55:33 -0600
Subject: [PATCH] Only fall back on AUE_DARWIN_sudo if au_preselect() fails.

---
 plugins/sudoers/bsm_audit.c | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/plugins/sudoers/bsm_audit.c b/plugins/sudoers/bsm_audit.c
index ef0a0e175..7ced6b836 100644
--- a/plugins/sudoers/bsm_audit.c
+++ b/plugins/sudoers/bsm_audit.c
@@ -43,13 +43,7 @@
 # define AUDIT_NOT_CONFIGURED	ENOSYS
 #endif
 
-/*
- * Darwin defines AUE_sudo but au_preselect() only accepts AUE_DARWIN_sudo.
- */
-#if defined(__APPLE__) && defined(AUE_DARWIN_sudo)
-# undef AUE_sudo
-# define AUE_sudo AUE_DARWIN_sudo
-#endif
+static au_event_t sudo_audit_event = AUE_sudo;
 
 static int
 audit_sudo_selected(int sorf)
@@ -75,9 +69,19 @@ audit_sudo_selected(int sorf)
         } else {
 		mask = &ainfo_addr.ai_mask;
 	}
-	rc = au_preselect(AUE_sudo, mask, sorf, AU_PRS_REREAD);
-	if (rc == -1)
+	rc = au_preselect(sudo_audit_event, mask, sorf, AU_PRS_REREAD);
+	if (rc == -1) {
+#if defined(__APPLE__) && defined(AUE_DARWIN_sudo)
+	    /*
+	     * Mac OS X 10.10 au_preselect() only accepts AUE_DARWIN_sudo.
+	     */
+	    sudo_audit_event = AUE_DARWIN_sudo;
+	    rc = au_preselect(sudo_audit_event, mask, sorf, AU_PRS_REREAD);
+	    if (rc == -1)
+#endif
+
 		sudo_warn("au_preselect");
+	}
         debug_return_int(rc);
 }
 
@@ -158,9 +162,9 @@ bsm_audit_success(char *exec_args[])
 	}
 	au_write(aufd, tok);
 #ifdef __sun
-	if (au_close(aufd, 1, AUE_sudo, 0) == -1)
+	if (au_close(aufd, 1, sudo_audit_event, 0) == -1)
 #else
-	if (au_close(aufd, 1, AUE_sudo) == -1)
+	if (au_close(aufd, 1, sudo_audit_event) == -1)
 #endif
 	{
 		sudo_warn(U_("unable to commit audit record"));
@@ -246,9 +250,9 @@ bsm_audit_failure(char *exec_args[], char const *const fmt, va_list ap)
 	}
 	au_write(aufd, tok);
 #ifdef __sun
-	if (au_close(aufd, 1, AUE_sudo, PAD_FAILURE) == -1)
+	if (au_close(aufd, 1, sudo_audit_event, PAD_FAILURE) == -1)
 #else
-	if (au_close(aufd, 1, AUE_sudo) == -1)
+	if (au_close(aufd, 1, sudo_audit_event) == -1)
 #endif
 	{
 		sudo_warn(U_("unable to commit audit record"));
-- 
2.40.0