1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25 */
26
27 /*
28 * This file contains the audit event table used to control the production
29 * of audit records for each system call.
30 */
31
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h> /* for sysinfo auditing */
37 #include <sys/utsname.h> /* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h> /* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h> /* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h> /* for accept */
56 #include <sys/utssys.h> /* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80
81 static au_event_t aui_fchownat(au_event_t);
82 static au_event_t aui_fchmodat(au_event_t);
83 static au_event_t aui_open(au_event_t);
84 static au_event_t aui_openat(au_event_t);
85 static au_event_t aui_unlinkat(au_event_t);
86 static au_event_t aui_fstatat(au_event_t);
87 static au_event_t aui_msgsys(au_event_t);
88 static au_event_t aui_shmsys(au_event_t);
89 static au_event_t aui_semsys(au_event_t);
90 static au_event_t aui_utssys(au_event_t);
91 static au_event_t aui_fcntl(au_event_t);
92 static au_event_t aui_execve(au_event_t);
93 static au_event_t aui_memcntl(au_event_t);
94 static au_event_t aui_sysinfo(au_event_t);
95 static au_event_t aui_portfs(au_event_t);
96 static au_event_t aui_auditsys(au_event_t);
97 static au_event_t aui_modctl(au_event_t);
98 static au_event_t aui_acl(au_event_t);
99 static au_event_t aui_doorfs(au_event_t);
100 static au_event_t aui_privsys(au_event_t);
101 static au_event_t aui_forksys(au_event_t);
102 static au_event_t aui_labelsys(au_event_t);
103 static au_event_t aui_setpgrp(au_event_t);
104
105 static void aus_exit(struct t_audit_data *);
106 static void aus_open(struct t_audit_data *);
107 static void aus_openat(struct t_audit_data *);
108 static void aus_acl(struct t_audit_data *);
109 static void aus_acct(struct t_audit_data *);
110 static void aus_chown(struct t_audit_data *);
111 static void aus_fchown(struct t_audit_data *);
112 static void aus_lchown(struct t_audit_data *);
113 static void aus_fchownat(struct t_audit_data *);
114 static void aus_chmod(struct t_audit_data *);
115 static void aus_facl(struct t_audit_data *);
116 static void aus_fchmod(struct t_audit_data *);
117 static void aus_fchmodat(struct t_audit_data *);
118 static void aus_fcntl(struct t_audit_data *);
119 static void aus_mkdir(struct t_audit_data *);
120 static void aus_mkdirat(struct t_audit_data *);
121 static void aus_mknod(struct t_audit_data *);
122 static void aus_mknodat(struct t_audit_data *);
123 static void aus_mount(struct t_audit_data *);
124 static void aus_umount2(struct t_audit_data *);
125 static void aus_msgsys(struct t_audit_data *);
126 static void aus_semsys(struct t_audit_data *);
127 static void aus_close(struct t_audit_data *);
128 static void aus_fstatfs(struct t_audit_data *);
129 static void aus_setgid(struct t_audit_data *);
130 static void aus_setpgrp(struct t_audit_data *);
131 static void aus_setuid(struct t_audit_data *);
132 static void aus_shmsys(struct t_audit_data *);
133 static void aus_doorfs(struct t_audit_data *);
134 static void aus_ioctl(struct t_audit_data *);
135 static void aus_memcntl(struct t_audit_data *);
136 static void aus_mmap(struct t_audit_data *);
137 static void aus_munmap(struct t_audit_data *);
138 static void aus_priocntlsys(struct t_audit_data *);
139 static void aus_setegid(struct t_audit_data *);
140 static void aus_setgroups(struct t_audit_data *);
141 static void aus_seteuid(struct t_audit_data *);
142 static void aus_putmsg(struct t_audit_data *);
143 static void aus_putpmsg(struct t_audit_data *);
144 static void aus_getmsg(struct t_audit_data *);
145 static void aus_getpmsg(struct t_audit_data *);
146 static void aus_auditsys(struct t_audit_data *);
147 static void aus_sysinfo(struct t_audit_data *);
148 static void aus_modctl(struct t_audit_data *);
149 static void aus_kill(struct t_audit_data *);
150 static void aus_setregid(struct t_audit_data *);
151 static void aus_setreuid(struct t_audit_data *);
152 static void aus_labelsys(struct t_audit_data *);
153
154 static void auf_mknod(struct t_audit_data *, int, rval_t *);
155 static void auf_mknodat(struct t_audit_data *, int, rval_t *);
156 static void auf_msgsys(struct t_audit_data *, int, rval_t *);
157 static void auf_semsys(struct t_audit_data *, int, rval_t *);
158 static void auf_shmsys(struct t_audit_data *, int, rval_t *);
159 static void auf_read(struct t_audit_data *, int, rval_t *);
160 static void auf_write(struct t_audit_data *, int, rval_t *);
161
162 static void aus_sigqueue(struct t_audit_data *);
163 static void aus_p_online(struct t_audit_data *);
164 static void aus_processor_bind(struct t_audit_data *);
165 static void aus_inst_sync(struct t_audit_data *);
166 static void aus_brandsys(struct t_audit_data *);
167
168 static void auf_accept(struct t_audit_data *, int, rval_t *);
169
170 static void auf_bind(struct t_audit_data *, int, rval_t *);
171 static void auf_connect(struct t_audit_data *, int, rval_t *);
172 static void aus_shutdown(struct t_audit_data *);
173 static void auf_setsockopt(struct t_audit_data *, int, rval_t *);
174 static void aus_sockconfig(struct t_audit_data *);
175 static void auf_recv(struct t_audit_data *, int, rval_t *);
176 static void auf_recvmsg(struct t_audit_data *, int, rval_t *);
177 static void auf_send(struct t_audit_data *, int, rval_t *);
178 static void auf_sendmsg(struct t_audit_data *, int, rval_t *);
179 static void auf_recvfrom(struct t_audit_data *, int, rval_t *);
180 static void auf_sendto(struct t_audit_data *, int, rval_t *);
181 static void aus_socket(struct t_audit_data *);
182 /*
183 * This table contains mapping information for converting system call numbers
184 * to audit event IDs. In several cases it is necessary to map a single system
185 * call to several events.
186 */
187
188 #define aui_null NULL /* NULL initialize function */
189 #define aus_null NULL /* NULL start function */
190 #define auf_null NULL /* NULL finish function */
191
192 struct audit_s2e audit_s2e[] =
193 {
194 /*
195 * ---------- ---------- ---------- ----------
196 * INITIAL AUDIT START SYSTEM
197 * PROCESSING EVENT PROCESSING CALL
198 * ---------- ---------- ---------- -----------
199 * FINISH EVENT
200 * PROCESSING CONTROL
201 * ----------------------------------------------------------
202 */
203 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */
204 auf_null, 0,
205 aui_null, AUE_EXIT, aus_exit, /* 1 exit */
206 auf_null, S2E_NPT,
207 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */
208 auf_null, 0,
209 aui_null, AUE_READ, aus_null, /* 3 read */
210 auf_read, S2E_PUB,
211 aui_null, AUE_WRITE, aus_null, /* 4 write */
212 auf_write, 0,
213 aui_open, AUE_OPEN, aus_open, /* 5 open */
214 auf_null, S2E_SP,
215 aui_null, AUE_CLOSE, aus_close, /* 6 close */
216 auf_null, 0,
217 aui_null, AUE_LINK, aus_null, /* 7 linkat */
218 auf_null, 0,
219 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */
220 auf_null, 0,
221 aui_null, AUE_LINK, aus_null, /* 9 link */
222 auf_null, 0,
223 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */
224 auf_null, 0,
225 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */
226 auf_null, 0,
227 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */
228 auf_null, S2E_SP,
229 aui_null, AUE_NULL, aus_null, /* 13 time */
230 auf_null, 0,
231 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */
232 auf_mknod, S2E_MLD,
233 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */
234 auf_null, 0,
235 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */
236 auf_null, 0,
237 aui_null, AUE_NULL, aus_null, /* 17 brk */
238 auf_null, 0,
239 aui_null, AUE_STAT, aus_null, /* 18 stat */
240 auf_null, S2E_PUB,
241 aui_null, AUE_NULL, aus_null, /* 19 lseek */
242 auf_null, 0,
243 aui_null, AUE_NULL, aus_null, /* 20 getpid */
244 auf_null, 0,
245 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */
246 auf_null, S2E_MLD,
247 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */
248 auf_null, S2E_PUB,
249 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */
250 auf_null, 0,
251 aui_null, AUE_NULL, aus_null, /* 24 getuid */
252 auf_null, 0,
253 aui_null, AUE_STIME, aus_null, /* 25 stime */
254 auf_null, 0,
255 aui_null, AUE_NULL, aus_null, /* 26 pcsample */
256 auf_null, 0,
257 aui_null, AUE_NULL, aus_null, /* 27 alarm */
258 auf_null, 0,
259 aui_null, AUE_NULL, aus_null, /* 28 fstat */
260 auf_null, 0,
261 aui_null, AUE_NULL, aus_null, /* 29 pause */
262 auf_null, 0,
263 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */
264 auf_null, 0,
265 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */
266 auf_null, 0,
267 aui_null, AUE_NULL, aus_null, /* 32 gtty */
268 auf_null, 0,
269 aui_null, AUE_ACCESS, aus_null, /* 33 access */
270 auf_null, S2E_PUB,
271 aui_null, AUE_NICE, aus_null, /* 34 nice */
272 auf_null, 0,
273 aui_null, AUE_STATFS, aus_null, /* 35 statfs */
274 auf_null, S2E_PUB,
275 aui_null, AUE_NULL, aus_null, /* 36 sync */
276 auf_null, 0,
277 aui_null, AUE_KILL, aus_kill, /* 37 kill */
278 auf_null, 0,
279 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */
280 auf_null, S2E_PUB,
281 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */
282 auf_null, 0,
283 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */
284 auf_null, 0,
285 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */
286 auf_null, 0,
287 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */
288 auf_null, 0,
289 aui_null, AUE_NULL, aus_null, /* 43 times */
290 auf_null, 0,
291 aui_null, AUE_NULL, aus_null, /* 44 profil */
292 auf_null, 0,
293 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */
294 auf_null, S2E_PUB,
295 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */
296 auf_null, 0,
297 aui_null, AUE_NULL, aus_null, /* 47 getgid */
298 auf_null, 0,
299 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */
300 auf_mknodat, S2E_MLD,
301 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */
302 auf_msgsys, 0,
303 #if defined(__x86)
304 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */
305 auf_null, 0,
306 #else
307 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */
308 auf_null, 0,
309 #endif /* __x86 */
310 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */
311 auf_null, 0,
312 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */
313 auf_shmsys, 0,
314 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */
315 auf_semsys, 0,
316 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */
317 auf_null, 0,
318 aui_null, AUE_NULL, aus_null, /* 55 uadmin */
319 auf_null, 0,
320 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */
321 auf_null, 0,
322 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */
323 auf_null, 0,
324 aui_null, AUE_NULL, aus_null, /* 58 fsync */
325 auf_null, 0,
326 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */
327 auf_null, S2E_MLD,
328 aui_null, AUE_NULL, aus_null, /* 60 umask */
329 auf_null, 0,
330 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */
331 auf_null, S2E_SP,
332 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */
333 auf_null, 0,
334 aui_null, AUE_NULL, aus_null, /* 63 ulimit */
335 auf_null, 0,
336 aui_null, AUE_RENAME, aus_null, /* 64 renameat */
337 auf_null, 0,
338 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */
339 auf_null, 0,
340 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */
341 auf_null, S2E_PUB,
342 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */
343 auf_null, S2E_PUB,
344 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */
345 auf_null, S2E_SP,
346 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */
347 auf_null, S2E_SP,
348 aui_null, AUE_NULL, aus_null, /* 70 tasksys */
349 auf_null, 0,
350 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */
351 auf_null, 0,
352 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */
353 auf_null, 0,
354 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */
355 auf_null, 0,
356 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */
357 auf_null, 0,
358 aui_null, AUE_NULL, aus_null, /* 75 sidsys */
359 auf_null, 0,
360 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */
361 auf_null, 0,
362 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */
363 auf_null, 0,
364 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */
365 auf_null, 0,
366 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */
367 auf_null, 0,
368 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */
369 auf_null, 0,
370 aui_null, AUE_NULL, aus_null, /* 81 getdents */
371 auf_null, 0,
372 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */
373 auf_null, 0,
374 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */
375 auf_null, 0,
376 aui_null, AUE_NULL, aus_null, /* 84 sysfs */
377 auf_null, 0,
378 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */
379 auf_null, 0,
380 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */
381 auf_null, 0,
382 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */
383 auf_null, 0,
384 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */
385 auf_null, S2E_PUB,
386 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */
387 auf_null, 0,
388 aui_null, AUE_READLINK, aus_null, /* 90 readlink */
389 auf_null, S2E_PUB,
390 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */
391 auf_null, 0,
392 aui_null, AUE_NULL, aus_null, /* 92 getgroups */
393 auf_null, 0,
394 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */
395 auf_null, 0,
396 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */
397 auf_null, 0,
398 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */
399 auf_null, 0,
400 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */
401 auf_null, 0,
402 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */
403 auf_null, 0,
404 aui_null, AUE_NULL, aus_null, /* 98 sigaction */
405 auf_null, 0,
406 aui_null, AUE_NULL, aus_null, /* 99 sigpending */
407 auf_null, 0,
408 aui_null, AUE_NULL, aus_null, /* 100 setcontext */
409 auf_null, 0,
410 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */
411 auf_null, 0,
412 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */
413 auf_null, 0,
414 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */
415 auf_null, S2E_PUB,
416 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */
417 auf_null, 0,
418 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */
419 auf_null, 0,
420 aui_null, AUE_NULL, aus_null, /* 106 nfssys */
421 auf_null, 0,
422 aui_null, AUE_NULL, aus_null, /* 107 waitsys */
423 auf_null, 0,
424 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */
425 auf_null, 0,
426 #if defined(__x86)
427 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */
428 auf_null, 0,
429 #else
430 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */
431 auf_null, 0,
432 #endif /* __x86 */
433 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */
434 auf_null, 0,
435 aui_null, AUE_NULL, aus_null, /* 111 sigresend */
436 auf_null, 0,
437 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
438 auf_null, 0,
439 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */
440 auf_null, S2E_PUB,
441 aui_null, AUE_NULL, aus_null, /* 114 mincore */
442 auf_null, 0,
443 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */
444 auf_null, 0,
445 aui_null, AUE_NULL, aus_null, /* 116 mprotect */
446 auf_null, 0,
447 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */
448 auf_null, 0,
449 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */
450 auf_null, 0,
451 aui_null, AUE_VFORK, aus_null, /* 119 vfork */
452 auf_null, 0,
453 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */
454 auf_null, 0,
455 aui_null, AUE_READ, aus_null, /* 121 readv */
456 auf_read, S2E_PUB,
457 aui_null, AUE_WRITE, aus_null, /* 122 writev */
458 auf_write, 0,
459 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */
460 auf_null, 0,
461 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */
462 auf_null, 0,
463 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */
464 auf_null, 0,
465 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */
466 auf_null, 0,
467 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */
468 auf_null, 0,
469 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */
470 auf_null, 0,
471 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */
472 auf_null, 0,
473 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */
474 auf_null, 0,
475 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */
476 auf_null, 0,
477 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */
478 auf_null, 0,
479 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */
480 auf_null, 0,
481 aui_null, AUE_RENAME, aus_null, /* 134 rename */
482 auf_null, 0,
483 aui_null, AUE_NULL, aus_null, /* 135 uname */
484 auf_null, 0,
485 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */
486 auf_null, 0,
487 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */
488 auf_null, 0,
489 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */
490 auf_null, 0,
491 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */
492 auf_null, 0,
493 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */
494 auf_null, 0,
495 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */
496 auf_null, 0,
497 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */
498 auf_null, 0,
499 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */
500 auf_null, 0,
501 aui_null, AUE_NULL, aus_null, /* 144 sigwait */
502 auf_null, 0,
503 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */
504 auf_null, 0,
505 aui_null, AUE_NULL, aus_null, /* 146 yield */
506 auf_null, 0,
507 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */
508 /* was lwp_sema_wait */
509 auf_null, 0,
510 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */
511 auf_null, 0,
512 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */
513 auf_null, 0,
514 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */
515 auf_null, 0,
516 aui_null, AUE_NULL, aus_null, /* 151 corectl */
517 auf_null, 0,
518 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */
519 auf_null, 0,
520 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */
521 auf_null, 0,
522 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */
523 auf_null, 0,
524 aui_null, AUE_NULL, aus_null, /* 155 vhangup */
525 auf_null, 0,
526 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */
527 auf_null, 0,
528 aui_null, AUE_NULL, aus_null, /* 157 getitimer */
529 auf_null, 0,
530 aui_null, AUE_NULL, aus_null, /* 158 setitimer */
531 auf_null, 0,
532 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */
533 auf_null, 0,
534 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */
535 auf_null, 0,
536 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */
537 auf_null, 0,
538 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */
539 auf_null, 0,
540 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */
541 auf_null, 0,
542 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */
543 auf_null, 0,
544 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */
545 auf_null, 0,
546 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */
547 auf_null, 0,
548 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */
549 auf_null, 0,
550 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */
551 auf_null, 0,
552 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */
553 /* was lwp_mutex_lock */
554 auf_null, 0,
555 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */
556 auf_null, 0,
557 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */
558 auf_null, 0,
559 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */
560 auf_null, 0,
561 aui_null, AUE_READ, aus_null, /* 173 pread */
562 auf_read, S2E_PUB,
563 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */
564 auf_write, 0,
565 aui_null, AUE_NULL, aus_null, /* 175 llseek */
566 auf_null, 0,
567 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */
568 auf_null, 0,
569 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */
570 auf_null, 0,
571 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */
572 auf_null, 0,
573 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */
574 auf_null, 0,
575 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */
576 auf_null, 0,
577 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */
578 auf_null, 0,
579 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */
580 auf_null, S2E_MLD,
581 aui_null, AUE_NULL, aus_null, /* 183 pollsys */
582 auf_null, 0,
583 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */
584 auf_null, 0,
585 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */
586 auf_null, 0,
587 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */
588 auf_null, 0,
589 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
590 auf_null, 0,
591 aui_null, AUE_NULL, aus_null, /* 188 processor_info */
592 auf_null, 0,
593 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */
594 auf_null, 0,
595 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */
596 auf_null, 0,
597 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */
598 auf_null, 0,
599 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */
600 auf_null, 0,
601 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */
602 auf_null, 0,
603 aui_null, AUE_NULL, aus_null, /* 194 timer_create */
604 auf_null, 0,
605 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */
606 auf_null, 0,
607 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */
608 auf_null, 0,
609 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */
610 auf_null, 0,
611 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */
612 auf_null, 0,
613 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */
614 auf_null, 0,
615 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */
616 auf_null, 0,
617 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */
618 auf_null, 0,
619 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */
620 auf_null, 0,
621 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */
622 auf_null, 0,
623 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */
624 auf_null, 0,
625 aui_null, AUE_NULL, aus_null, /* 205 signotify */
626 auf_null, 0,
627 aui_null, AUE_NULL, aus_null, /* 206 schedctl */
628 auf_null, 0,
629 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */
630 auf_null, 0,
631 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */
632 auf_null, 0,
633 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */
634 auf_null, 0,
635 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */
636 auf_null, 0,
637 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */
638 auf_null, 0,
639 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */
640 auf_null, 0,
641 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */
642 auf_null, 0,
643 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */
644 auf_null, 0,
645 aui_null, AUE_STAT, aus_null, /* 215 stat64 */
646 auf_null, S2E_PUB,
647 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */
648 auf_null, S2E_PUB,
649 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */
650 auf_null, 0,
651 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */
652 auf_null, S2E_PUB,
653 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */
654 auf_null, 0,
655 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */
656 auf_null, 0,
657 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */
658 auf_null, 0,
659 aui_null, AUE_READ, aus_null, /* 222 pread64 */
660 auf_read, S2E_PUB,
661 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */
662 auf_write, 0,
663 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */
664 auf_null, 0,
665 aui_open, AUE_OPEN, aus_open, /* 225 open64 */
666 auf_null, S2E_SP,
667 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */
668 auf_null, 0,
669 aui_null, AUE_NULL, aus_null, /* 227 zone */
670 auf_null, 0,
671 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */
672 auf_null, 0,
673 aui_null, AUE_NULL, aus_null, /* 229 getcwd */
674 auf_null, 0,
675 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */
676 auf_null, 0,
677 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */
678 auf_null, 0,
679 aui_null, AUE_BIND, aus_null, /* 232 bind */
680 auf_bind, 0,
681 aui_null, AUE_NULL, aus_null, /* 233 listen */
682 auf_null, 0,
683 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */
684 auf_accept, 0,
685 aui_null, AUE_CONNECT, aus_null, /* 235 connect */
686 auf_connect, 0,
687 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */
688 auf_null, 0,
689 aui_null, AUE_READ, aus_null, /* 237 recv */
690 auf_recv, 0,
691 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */
692 auf_recvfrom, 0,
693 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */
694 auf_recvmsg, 0,
695 aui_null, AUE_WRITE, aus_null, /* 240 send */
696 auf_send, 0,
697 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */
698 auf_sendmsg, 0,
699 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */
700 auf_sendto, 0,
701 aui_null, AUE_NULL, aus_null, /* 243 getpeername */
702 auf_null, 0,
703 aui_null, AUE_NULL, aus_null, /* 244 getsockname */
704 auf_null, 0,
705 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */
706 auf_null, 0,
707 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */
708 auf_setsockopt, 0,
709 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
710 auf_null, 0,
711 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */
712 auf_null, 0,
713 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */
714 auf_null, 0,
715 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */
716 auf_null, 0,
717 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */
718 auf_null, 0,
719 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */
720 auf_null, 0,
721 aui_null, AUE_NULL, aus_null, /* 253 cladm */
722 auf_null, 0,
723 aui_null, AUE_NULL, aus_null, /* 254 uucopy */
724 auf_null, 0,
725 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */
726 auf_null, 0
727 };
728
729 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
730
731
732 /* exit start function */
733 /*ARGSUSED*/
734 static void
aus_exit(struct t_audit_data * tad)735 aus_exit(struct t_audit_data *tad)
736 {
737 uint32_t rval;
738 struct a {
739 long rval;
740 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
741
742 rval = (uint32_t)uap->rval;
743 au_uwrite(au_to_arg32(1, "exit status", rval));
744 }
745
746 /* acct start function */
747 /*ARGSUSED*/
748 static void
aus_acct(struct t_audit_data * tad)749 aus_acct(struct t_audit_data *tad)
750 {
751 klwp_t *clwp = ttolwp(curthread);
752 uintptr_t fname;
753
754 struct a {
755 long fname; /* char * */
756 } *uap = (struct a *)clwp->lwp_ap;
757
758 fname = (uintptr_t)uap->fname;
759
760 if (fname == 0)
761 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
762 }
763
764 /* chown start function */
765 /*ARGSUSED*/
766 static void
aus_chown(struct t_audit_data * tad)767 aus_chown(struct t_audit_data *tad)
768 {
769 klwp_t *clwp = ttolwp(curthread);
770 uint32_t uid, gid;
771
772 struct a {
773 long fname; /* char * */
774 long uid;
775 long gid;
776 } *uap = (struct a *)clwp->lwp_ap;
777
778 uid = (uint32_t)uap->uid;
779 gid = (uint32_t)uap->gid;
780
781 au_uwrite(au_to_arg32(2, "new file uid", uid));
782 au_uwrite(au_to_arg32(3, "new file gid", gid));
783 }
784
785 /* fchown start function */
786 /*ARGSUSED*/
787 static void
aus_fchown(struct t_audit_data * tad)788 aus_fchown(struct t_audit_data *tad)
789 {
790 klwp_t *clwp = ttolwp(curthread);
791 uint32_t uid, gid, fd;
792 struct file *fp;
793 struct vnode *vp;
794 struct f_audit_data *fad;
795
796 struct a {
797 long fd;
798 long uid;
799 long gid;
800 } *uap = (struct a *)clwp->lwp_ap;
801
802 fd = (uint32_t)uap->fd;
803 uid = (uint32_t)uap->uid;
804 gid = (uint32_t)uap->gid;
805
806 au_uwrite(au_to_arg32(2, "new file uid", uid));
807 au_uwrite(au_to_arg32(3, "new file gid", gid));
808
809 /*
810 * convert file pointer to file descriptor
811 * Note: fd ref count incremented here.
812 */
813 if ((fp = getf(fd)) == NULL)
814 return;
815
816 /* get path from file struct here */
817 fad = F2A(fp);
818 if (fad->fad_aupath != NULL) {
819 au_uwrite(au_to_path(fad->fad_aupath));
820 } else {
821 au_uwrite(au_to_arg32(1, "no path: fd", fd));
822 }
823
824 vp = fp->f_vnode;
825 audit_attributes(vp);
826
827 /* decrement file descriptor reference count */
828 releasef(fd);
829 }
830
831 /*ARGSUSED*/
832 static void
aus_lchown(struct t_audit_data * tad)833 aus_lchown(struct t_audit_data *tad)
834 {
835 klwp_t *clwp = ttolwp(curthread);
836 uint32_t uid, gid;
837
838
839 struct a {
840 long fname; /* char * */
841 long uid;
842 long gid;
843 } *uap = (struct a *)clwp->lwp_ap;
844
845 uid = (uint32_t)uap->uid;
846 gid = (uint32_t)uap->gid;
847
848 au_uwrite(au_to_arg32(2, "new file uid", uid));
849 au_uwrite(au_to_arg32(3, "new file gid", gid));
850 }
851
852 static au_event_t
aui_fchownat(au_event_t e)853 aui_fchownat(au_event_t e)
854 {
855 klwp_t *clwp = ttolwp(curthread);
856
857 struct a {
858 long fd;
859 long fname; /* char * */
860 long uid;
861 long gid;
862 long flags;
863 } *uap = (struct a *)clwp->lwp_ap;
864
865 if (uap->fname == NULL)
866 e = AUE_FCHOWN;
867 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
868 e = AUE_LCHOWN;
869 else
870 e = AUE_CHOWN;
871
872 return (e);
873 }
874
875 /*ARGSUSED*/
876 static void
aus_fchownat(struct t_audit_data * tad)877 aus_fchownat(struct t_audit_data *tad)
878 {
879 klwp_t *clwp = ttolwp(curthread);
880 uint32_t uid, gid;
881
882 struct a {
883 long fd;
884 long fname; /* char * */
885 long uid;
886 long gid;
887 long flags;
888 } *uap = (struct a *)clwp->lwp_ap;
889
890 uid = (uint32_t)uap->uid;
891 gid = (uint32_t)uap->gid;
892
893 au_uwrite(au_to_arg32(3, "new file uid", uid));
894 au_uwrite(au_to_arg32(4, "new file gid", gid));
895 }
896
897 /*ARGSUSED*/
898 static void
aus_chmod(struct t_audit_data * tad)899 aus_chmod(struct t_audit_data *tad)
900 {
901 klwp_t *clwp = ttolwp(curthread);
902 uint32_t fmode;
903
904 struct a {
905 long fname; /* char * */
906 long fmode;
907 } *uap = (struct a *)clwp->lwp_ap;
908
909 fmode = (uint32_t)uap->fmode;
910
911 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
912 }
913
914 /*ARGSUSED*/
915 static void
aus_fchmod(struct t_audit_data * tad)916 aus_fchmod(struct t_audit_data *tad)
917 {
918 klwp_t *clwp = ttolwp(curthread);
919 uint32_t fmode, fd;
920 struct file *fp;
921 struct vnode *vp;
922 struct f_audit_data *fad;
923
924 struct a {
925 long fd;
926 long fmode;
927 } *uap = (struct a *)clwp->lwp_ap;
928
929 fd = (uint32_t)uap->fd;
930 fmode = (uint32_t)uap->fmode;
931
932 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
933
934 /*
935 * convert file pointer to file descriptor
936 * Note: fd ref count incremented here.
937 */
938 if ((fp = getf(fd)) == NULL)
939 return;
940
941 /* get path from file struct here */
942 fad = F2A(fp);
943 if (fad->fad_aupath != NULL) {
944 au_uwrite(au_to_path(fad->fad_aupath));
945 } else {
946 au_uwrite(au_to_arg32(1, "no path: fd", fd));
947 }
948
949 vp = fp->f_vnode;
950 audit_attributes(vp);
951
952 /* decrement file descriptor reference count */
953 releasef(fd);
954 }
955
956 static au_event_t
aui_fchmodat(au_event_t e)957 aui_fchmodat(au_event_t e)
958 {
959 klwp_t *clwp = ttolwp(curthread);
960
961 struct a {
962 long fd;
963 long fname; /* char * */
964 long fmode;
965 long flag;
966 } *uap = (struct a *)clwp->lwp_ap;
967
968 if (uap->fname == NULL)
969 e = AUE_FCHMOD;
970 else
971 e = AUE_CHMOD;
972
973 return (e);
974 }
975
976 /*ARGSUSED*/
977 static void
aus_fchmodat(struct t_audit_data * tad)978 aus_fchmodat(struct t_audit_data *tad)
979 {
980 klwp_t *clwp = ttolwp(curthread);
981 uint32_t fmode;
982 uint32_t fd;
983 struct file *fp;
984 struct vnode *vp;
985 struct f_audit_data *fad;
986
987 struct a {
988 long fd;
989 long fname; /* char * */
990 long fmode;
991 long flag;
992 } *uap = (struct a *)clwp->lwp_ap;
993
994 fd = (uint32_t)uap->fd;
995 fmode = (uint32_t)uap->fmode;
996
997 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
998
999 if (fd == AT_FDCWD || uap->fname != NULL) /* same as chmod() */
1000 return;
1001
1002 /*
1003 * convert file pointer to file descriptor
1004 * Note: fd ref count incremented here.
1005 */
1006 if ((fp = getf(fd)) == NULL)
1007 return;
1008
1009 /* get path from file struct here */
1010 fad = F2A(fp);
1011 if (fad->fad_aupath != NULL) {
1012 au_uwrite(au_to_path(fad->fad_aupath));
1013 } else {
1014 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1015 }
1016
1017 vp = fp->f_vnode;
1018 audit_attributes(vp);
1019
1020 /* decrement file descriptor reference count */
1021 releasef(fd);
1022 }
1023
1024 /*
1025 * convert open mode to appropriate open event
1026 */
1027 au_event_t
open_event(uint_t fm)1028 open_event(uint_t fm)
1029 {
1030 au_event_t e;
1031
1032 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1033 case O_RDONLY:
1034 e = AUE_OPEN_R;
1035 break;
1036 case O_RDONLY | O_CREAT:
1037 e = AUE_OPEN_RC;
1038 break;
1039 case O_RDONLY | O_TRUNC:
1040 e = AUE_OPEN_RT;
1041 break;
1042 case O_RDONLY | O_TRUNC | O_CREAT:
1043 e = AUE_OPEN_RTC;
1044 break;
1045 case O_WRONLY:
1046 e = AUE_OPEN_W;
1047 break;
1048 case O_WRONLY | O_CREAT:
1049 e = AUE_OPEN_WC;
1050 break;
1051 case O_WRONLY | O_TRUNC:
1052 e = AUE_OPEN_WT;
1053 break;
1054 case O_WRONLY | O_TRUNC | O_CREAT:
1055 e = AUE_OPEN_WTC;
1056 break;
1057 case O_RDWR:
1058 e = AUE_OPEN_RW;
1059 break;
1060 case O_RDWR | O_CREAT:
1061 e = AUE_OPEN_RWC;
1062 break;
1063 case O_RDWR | O_TRUNC:
1064 e = AUE_OPEN_RWT;
1065 break;
1066 case O_RDWR | O_TRUNC | O_CREAT:
1067 e = AUE_OPEN_RWTC;
1068 break;
1069 case O_SEARCH:
1070 e = AUE_OPEN_S;
1071 break;
1072 case O_EXEC:
1073 e = AUE_OPEN_E;
1074 break;
1075 default:
1076 e = AUE_NULL;
1077 break;
1078 }
1079
1080 return (e);
1081 }
1082
1083 /* ARGSUSED */
1084 static au_event_t
aui_open(au_event_t e)1085 aui_open(au_event_t e)
1086 {
1087 klwp_t *clwp = ttolwp(curthread);
1088 uint_t fm;
1089
1090 struct a {
1091 long fnamep; /* char * */
1092 long fmode;
1093 long cmode;
1094 } *uap = (struct a *)clwp->lwp_ap;
1095
1096 fm = (uint_t)uap->fmode;
1097
1098 return (open_event(fm));
1099 }
1100
1101 static void
aus_open(struct t_audit_data * tad)1102 aus_open(struct t_audit_data *tad)
1103 {
1104 klwp_t *clwp = ttolwp(curthread);
1105 uint_t fm;
1106
1107 struct a {
1108 long fnamep; /* char * */
1109 long fmode;
1110 long cmode;
1111 } *uap = (struct a *)clwp->lwp_ap;
1112
1113 fm = (uint_t)uap->fmode;
1114
1115 /* If no write, create, or trunc modes, mark as a public op */
1116 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1117 tad->tad_ctrl |= TAD_PUBLIC_EV;
1118 }
1119
1120 /* ARGSUSED */
1121 static au_event_t
aui_openat(au_event_t e)1122 aui_openat(au_event_t e)
1123 {
1124 t_audit_data_t *tad = T2A(curthread);
1125 klwp_t *clwp = ttolwp(curthread);
1126 uint_t fm;
1127
1128 struct a {
1129 long filedes;
1130 long fnamep; /* char * */
1131 long fmode;
1132 long cmode;
1133 } *uap = (struct a *)clwp->lwp_ap;
1134
1135 fm = (uint_t)uap->fmode;
1136
1137 /*
1138 * __openattrdirat() does an extra pathname lookup in order to
1139 * enter the extended system attribute namespace of the referenced
1140 * extended attribute filename.
1141 */
1142 if (fm & FXATTRDIROPEN)
1143 tad->tad_ctrl |= TAD_MLD;
1144
1145 return (open_event(fm));
1146 }
1147
1148 static void
aus_openat(struct t_audit_data * tad)1149 aus_openat(struct t_audit_data *tad)
1150 {
1151 klwp_t *clwp = ttolwp(curthread);
1152 uint_t fm;
1153
1154 struct a {
1155 long filedes;
1156 long fnamep; /* char * */
1157 long fmode;
1158 long cmode;
1159 } *uap = (struct a *)clwp->lwp_ap;
1160
1161 fm = (uint_t)uap->fmode;
1162
1163 /* If no write, create, or trunc modes, mark as a public op */
1164 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1165 tad->tad_ctrl |= TAD_PUBLIC_EV;
1166 }
1167
1168 static au_event_t
aui_unlinkat(au_event_t e)1169 aui_unlinkat(au_event_t e)
1170 {
1171 klwp_t *clwp = ttolwp(curthread);
1172
1173 struct a {
1174 long filedes;
1175 long fnamep; /* char * */
1176 long flags;
1177 } *uap = (struct a *)clwp->lwp_ap;
1178
1179 if (uap->flags & AT_REMOVEDIR)
1180 e = AUE_RMDIR;
1181 else
1182 e = AUE_UNLINK;
1183
1184 return (e);
1185 }
1186
1187 static au_event_t
aui_fstatat(au_event_t e)1188 aui_fstatat(au_event_t e)
1189 {
1190 klwp_t *clwp = ttolwp(curthread);
1191
1192 struct a {
1193 long filedes;
1194 long fnamep; /* char * */
1195 long statb;
1196 long flags;
1197 } *uap = (struct a *)clwp->lwp_ap;
1198
1199 if (uap->fnamep == NULL)
1200 e = AUE_FSTAT;
1201 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1202 e = AUE_LSTAT;
1203 else
1204 e = AUE_STAT;
1205
1206 return (e);
1207 }
1208
1209 /* msgsys */
1210 static au_event_t
aui_msgsys(au_event_t e)1211 aui_msgsys(au_event_t e)
1212 {
1213 klwp_t *clwp = ttolwp(curthread);
1214 uint_t fm;
1215
1216 struct a {
1217 long id; /* function code id */
1218 long ap; /* arg pointer for recvmsg */
1219 } *uap = (struct a *)clwp->lwp_ap;
1220
1221 struct b {
1222 long msgid;
1223 long cmd;
1224 long buf; /* struct msqid_ds * */
1225 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1226
1227 fm = (uint_t)uap->id;
1228
1229 switch (fm) {
1230 case 0: /* msgget */
1231 e = AUE_MSGGET;
1232 break;
1233 case 1: /* msgctl */
1234 switch ((uint_t)uap1->cmd) {
1235 case IPC_RMID:
1236 e = AUE_MSGCTL_RMID;
1237 break;
1238 case IPC_SET:
1239 e = AUE_MSGCTL_SET;
1240 break;
1241 case IPC_STAT:
1242 e = AUE_MSGCTL_STAT;
1243 break;
1244 default:
1245 e = AUE_MSGCTL;
1246 break;
1247 }
1248 break;
1249 case 2: /* msgrcv */
1250 e = AUE_MSGRCV;
1251 break;
1252 case 3: /* msgsnd */
1253 e = AUE_MSGSND;
1254 break;
1255 default: /* illegal system call */
1256 e = AUE_NULL;
1257 break;
1258 }
1259
1260 return (e);
1261 }
1262
1263
1264 /* shmsys */
1265 static au_event_t
aui_shmsys(au_event_t e)1266 aui_shmsys(au_event_t e)
1267 {
1268 klwp_t *clwp = ttolwp(curthread);
1269 int fm;
1270
1271 struct a { /* shmsys */
1272 long id; /* function code id */
1273 } *uap = (struct a *)clwp->lwp_ap;
1274
1275 struct b { /* ctrl */
1276 long shmid;
1277 long cmd;
1278 long arg; /* struct shmid_ds * */
1279 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1280 fm = (uint_t)uap->id;
1281
1282 switch (fm) {
1283 case 0: /* shmat */
1284 e = AUE_SHMAT;
1285 break;
1286 case 1: /* shmctl */
1287 switch ((uint_t)uap1->cmd) {
1288 case IPC_RMID:
1289 e = AUE_SHMCTL_RMID;
1290 break;
1291 case IPC_SET:
1292 e = AUE_SHMCTL_SET;
1293 break;
1294 case IPC_STAT:
1295 e = AUE_SHMCTL_STAT;
1296 break;
1297 default:
1298 e = AUE_SHMCTL;
1299 break;
1300 }
1301 break;
1302 case 2: /* shmdt */
1303 e = AUE_SHMDT;
1304 break;
1305 case 3: /* shmget */
1306 e = AUE_SHMGET;
1307 break;
1308 default: /* illegal system call */
1309 e = AUE_NULL;
1310 break;
1311 }
1312
1313 return (e);
1314 }
1315
1316
1317 /* semsys */
1318 static au_event_t
aui_semsys(au_event_t e)1319 aui_semsys(au_event_t e)
1320 {
1321 klwp_t *clwp = ttolwp(curthread);
1322 uint_t fm;
1323
1324 struct a { /* semsys */
1325 long id;
1326 } *uap = (struct a *)clwp->lwp_ap;
1327
1328 struct b { /* ctrl */
1329 long semid;
1330 long semnum;
1331 long cmd;
1332 long arg;
1333 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1334
1335 fm = (uint_t)uap->id;
1336
1337 switch (fm) {
1338 case 0: /* semctl */
1339 switch ((uint_t)uap1->cmd) {
1340 case IPC_RMID:
1341 e = AUE_SEMCTL_RMID;
1342 break;
1343 case IPC_SET:
1344 e = AUE_SEMCTL_SET;
1345 break;
1346 case IPC_STAT:
1347 e = AUE_SEMCTL_STAT;
1348 break;
1349 case GETNCNT:
1350 e = AUE_SEMCTL_GETNCNT;
1351 break;
1352 case GETPID:
1353 e = AUE_SEMCTL_GETPID;
1354 break;
1355 case GETVAL:
1356 e = AUE_SEMCTL_GETVAL;
1357 break;
1358 case GETALL:
1359 e = AUE_SEMCTL_GETALL;
1360 break;
1361 case GETZCNT:
1362 e = AUE_SEMCTL_GETZCNT;
1363 break;
1364 case SETVAL:
1365 e = AUE_SEMCTL_SETVAL;
1366 break;
1367 case SETALL:
1368 e = AUE_SEMCTL_SETALL;
1369 break;
1370 default:
1371 e = AUE_SEMCTL;
1372 break;
1373 }
1374 break;
1375 case 1: /* semget */
1376 e = AUE_SEMGET;
1377 break;
1378 case 2: /* semop */
1379 e = AUE_SEMOP;
1380 break;
1381 default: /* illegal system call */
1382 e = AUE_NULL;
1383 break;
1384 }
1385
1386 return (e);
1387 }
1388
1389 /* utssys - uname(2), ustat(2), fusers(2) */
1390 static au_event_t
aui_utssys(au_event_t e)1391 aui_utssys(au_event_t e)
1392 {
1393 klwp_t *clwp = ttolwp(curthread);
1394 uint_t type;
1395
1396 struct a {
1397 union {
1398 long cbuf; /* char * */
1399 long ubuf; /* struct stat * */
1400 } ub;
1401 union {
1402 long mv; /* for USTAT */
1403 long flags; /* for FUSERS */
1404 } un;
1405 long type;
1406 long outbp; /* char * for FUSERS */
1407 } *uap = (struct a *)clwp->lwp_ap;
1408
1409 type = (uint_t)uap->type;
1410
1411 if (type == UTS_FUSERS)
1412 return (e);
1413 else
1414 return ((au_event_t)AUE_NULL);
1415 }
1416
1417 static au_event_t
aui_fcntl(au_event_t e)1418 aui_fcntl(au_event_t e)
1419 {
1420 klwp_t *clwp = ttolwp(curthread);
1421 uint_t cmd;
1422
1423 struct a {
1424 long fdes;
1425 long cmd;
1426 long arg;
1427 } *uap = (struct a *)clwp->lwp_ap;
1428
1429 cmd = (uint_t)uap->cmd;
1430
1431 switch (cmd) {
1432 case F_GETLK:
1433 case F_SETLK:
1434 case F_SETLKW:
1435 break;
1436 case F_SETFL:
1437 case F_GETFL:
1438 case F_GETFD:
1439 break;
1440 default:
1441 e = (au_event_t)AUE_NULL;
1442 break;
1443 }
1444 return ((au_event_t)e);
1445 }
1446
1447 /* null function for now */
1448 static au_event_t
aui_execve(au_event_t e)1449 aui_execve(au_event_t e)
1450 {
1451 return (e);
1452 }
1453
1454 /*ARGSUSED*/
1455 static void
aus_fcntl(struct t_audit_data * tad)1456 aus_fcntl(struct t_audit_data *tad)
1457 {
1458 klwp_t *clwp = ttolwp(curthread);
1459 uint32_t cmd, fd, flags;
1460 struct file *fp;
1461 struct vnode *vp;
1462 struct f_audit_data *fad;
1463
1464 struct a {
1465 long fd;
1466 long cmd;
1467 long arg;
1468 } *uap = (struct a *)clwp->lwp_ap;
1469
1470 cmd = (uint32_t)uap->cmd;
1471 fd = (uint32_t)uap->fd;
1472 flags = (uint32_t)uap->arg;
1473
1474 au_uwrite(au_to_arg32(2, "cmd", cmd));
1475
1476 if (cmd == F_SETFL)
1477 au_uwrite(au_to_arg32(3, "flags", flags));
1478
1479 /*
1480 * convert file pointer to file descriptor
1481 * Note: fd ref count incremented here.
1482 */
1483 if ((fp = getf(fd)) == NULL)
1484 return;
1485
1486 /* get path from file struct here */
1487 fad = F2A(fp);
1488 if (fad->fad_aupath != NULL) {
1489 au_uwrite(au_to_path(fad->fad_aupath));
1490 } else {
1491 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1492 }
1493
1494 vp = fp->f_vnode;
1495 audit_attributes(vp);
1496
1497 /* decrement file descriptor reference count */
1498 releasef(fd);
1499 }
1500
1501 /*ARGSUSED*/
1502 static void
aus_kill(struct t_audit_data * tad)1503 aus_kill(struct t_audit_data *tad)
1504 {
1505 klwp_t *clwp = ttolwp(curthread);
1506 struct proc *p;
1507 uint32_t signo;
1508 uid_t uid, ruid;
1509 gid_t gid, rgid;
1510 pid_t pid;
1511 const auditinfo_addr_t *ainfo;
1512 cred_t *cr;
1513
1514 struct a {
1515 long pid;
1516 long signo;
1517 } *uap = (struct a *)clwp->lwp_ap;
1518
1519 pid = (pid_t)uap->pid;
1520 signo = (uint32_t)uap->signo;
1521
1522 au_uwrite(au_to_arg32(2, "signal", signo));
1523 if (pid > 0) {
1524 mutex_enter(&pidlock);
1525 if (((p = prfind(pid)) == (struct proc *)0) ||
1526 (p->p_stat == SIDL)) {
1527 mutex_exit(&pidlock);
1528 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1529 return;
1530 }
1531 mutex_enter(&p->p_lock); /* so process doesn't go away */
1532 mutex_exit(&pidlock);
1533
1534 mutex_enter(&p->p_crlock);
1535 crhold(cr = p->p_cred);
1536 mutex_exit(&p->p_crlock);
1537 mutex_exit(&p->p_lock);
1538
1539 ainfo = crgetauinfo(cr);
1540 if (ainfo == NULL) {
1541 crfree(cr);
1542 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1543 return;
1544 }
1545
1546 uid = crgetuid(cr);
1547 gid = crgetgid(cr);
1548 ruid = crgetruid(cr);
1549 rgid = crgetrgid(cr);
1550 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1551 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1552
1553 if (is_system_labeled())
1554 au_uwrite(au_to_label(CR_SL(cr)));
1555
1556 crfree(cr);
1557 }
1558 else
1559 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1560 }
1561
1562 /*ARGSUSED*/
1563 static void
aus_mkdir(struct t_audit_data * tad)1564 aus_mkdir(struct t_audit_data *tad)
1565 {
1566 klwp_t *clwp = ttolwp(curthread);
1567 uint32_t dmode;
1568
1569 struct a {
1570 long dirnamep; /* char * */
1571 long dmode;
1572 } *uap = (struct a *)clwp->lwp_ap;
1573
1574 dmode = (uint32_t)uap->dmode;
1575
1576 au_uwrite(au_to_arg32(2, "mode", dmode));
1577 }
1578
1579 /*ARGSUSED*/
1580 static void
aus_mkdirat(struct t_audit_data * tad)1581 aus_mkdirat(struct t_audit_data *tad)
1582 {
1583 klwp_t *clwp = ttolwp(curthread);
1584 uint32_t dmode;
1585
1586 struct a {
1587 long fd;
1588 long dirnamep; /* char * */
1589 long dmode;
1590 } *uap = (struct a *)clwp->lwp_ap;
1591
1592 dmode = (uint32_t)uap->dmode;
1593
1594 au_uwrite(au_to_arg32(2, "mode", dmode));
1595 }
1596
1597 /*ARGSUSED*/
1598 static void
aus_mknod(struct t_audit_data * tad)1599 aus_mknod(struct t_audit_data *tad)
1600 {
1601 klwp_t *clwp = ttolwp(curthread);
1602 uint32_t fmode;
1603 dev_t dev;
1604
1605 struct a {
1606 long pnamep; /* char * */
1607 long fmode;
1608 long dev;
1609 } *uap = (struct a *)clwp->lwp_ap;
1610
1611 fmode = (uint32_t)uap->fmode;
1612 dev = (dev_t)uap->dev;
1613
1614 au_uwrite(au_to_arg32(2, "mode", fmode));
1615 #ifdef _LP64
1616 au_uwrite(au_to_arg64(3, "dev", dev));
1617 #else
1618 au_uwrite(au_to_arg32(3, "dev", dev));
1619 #endif
1620 }
1621
1622 /*ARGSUSED*/
1623 static void
auf_mknod(struct t_audit_data * tad,int error,rval_t * rval)1624 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1625 {
1626 klwp_t *clwp = ttolwp(curthread);
1627 vnode_t *dvp;
1628 caddr_t pnamep;
1629
1630 struct a {
1631 long pnamep; /* char * */
1632 long fmode;
1633 long dev;
1634 } *uap = (struct a *)clwp->lwp_ap;
1635
1636 /* no error, then already path token in audit record */
1637 if (error != EPERM && error != EINVAL)
1638 return;
1639
1640 /* do the lookup to force generation of path token */
1641 pnamep = (caddr_t)uap->pnamep;
1642 tad->tad_ctrl |= TAD_NOATTRB;
1643 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1644 if (error == 0)
1645 VN_RELE(dvp);
1646 }
1647
1648 /*ARGSUSED*/
1649 static void
aus_mknodat(struct t_audit_data * tad)1650 aus_mknodat(struct t_audit_data *tad)
1651 {
1652 klwp_t *clwp = ttolwp(curthread);
1653 uint32_t fmode;
1654 dev_t dev;
1655
1656 struct a {
1657 long fd;
1658 long pnamep; /* char * */
1659 long fmode;
1660 long dev;
1661 } *uap = (struct a *)clwp->lwp_ap;
1662
1663 fmode = (uint32_t)uap->fmode;
1664 dev = (dev_t)uap->dev;
1665
1666 au_uwrite(au_to_arg32(2, "mode", fmode));
1667 #ifdef _LP64
1668 au_uwrite(au_to_arg64(3, "dev", dev));
1669 #else
1670 au_uwrite(au_to_arg32(3, "dev", dev));
1671 #endif
1672 }
1673
1674 /*ARGSUSED*/
1675 static void
auf_mknodat(struct t_audit_data * tad,int error,rval_t * rval)1676 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1677 {
1678 klwp_t *clwp = ttolwp(curthread);
1679 vnode_t *startvp;
1680 vnode_t *dvp;
1681 caddr_t pnamep;
1682 int fd;
1683
1684 struct a {
1685 long fd;
1686 long pnamep; /* char * */
1687 long fmode;
1688 long dev;
1689 } *uap = (struct a *)clwp->lwp_ap;
1690
1691 /* no error, then already path token in audit record */
1692 if (error != EPERM && error != EINVAL)
1693 return;
1694
1695 /* do the lookup to force generation of path token */
1696 fd = (int)uap->fd;
1697 pnamep = (caddr_t)uap->pnamep;
1698 if (pnamep == NULL ||
1699 fgetstartvp(fd, pnamep, &startvp) != 0)
1700 return;
1701 tad->tad_ctrl |= TAD_NOATTRB;
1702 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1703 startvp);
1704 if (error == 0)
1705 VN_RELE(dvp);
1706 if (startvp != NULL)
1707 VN_RELE(startvp);
1708 }
1709
1710 /*ARGSUSED*/
1711 static void
aus_mount(struct t_audit_data * tad)1712 aus_mount(struct t_audit_data *tad)
1713 { /* AUS_START */
1714 klwp_t *clwp = ttolwp(curthread);
1715 uint32_t flags;
1716 uintptr_t u_fstype, dataptr;
1717 STRUCT_DECL(nfs_args, nfsargs);
1718 size_t len;
1719 char *fstype, *hostname;
1720
1721 struct a {
1722 long spec; /* char * */
1723 long dir; /* char * */
1724 long flags;
1725 long fstype; /* char * */
1726 long dataptr; /* char * */
1727 long datalen;
1728 } *uap = (struct a *)clwp->lwp_ap;
1729
1730 u_fstype = (uintptr_t)uap->fstype;
1731 flags = (uint32_t)uap->flags;
1732 dataptr = (uintptr_t)uap->dataptr;
1733
1734 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1735 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1736 goto mount_free_fstype;
1737
1738 au_uwrite(au_to_arg32(3, "flags", flags));
1739 au_uwrite(au_to_text(fstype));
1740
1741 if (strncmp(fstype, "nfs", 3) == 0) {
1742
1743 STRUCT_INIT(nfsargs, get_udatamodel());
1744 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1745
1746 if (copyin((caddr_t)dataptr,
1747 STRUCT_BUF(nfsargs),
1748 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1749 /* DEBUG debug_enter((char *)NULL); */
1750 goto mount_free_fstype;
1751 }
1752 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1753 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1754 (caddr_t)hostname,
1755 MAXNAMELEN, &len)) {
1756 goto mount_free_hostname;
1757 }
1758 au_uwrite(au_to_text(hostname));
1759 au_uwrite(au_to_arg32(3, "internal flags",
1760 (uint_t)STRUCT_FGET(nfsargs, flags)));
1761
1762 mount_free_hostname:
1763 kmem_free(hostname, MAXNAMELEN);
1764 }
1765
1766 mount_free_fstype:
1767 kmem_free(fstype, MAXNAMELEN);
1768 } /* AUS_MOUNT */
1769
1770 static void
aus_umount_path(caddr_t umount_dir)1771 aus_umount_path(caddr_t umount_dir)
1772 {
1773 char *dir_path;
1774 struct audit_path *path;
1775 size_t path_len, dir_len;
1776
1777 /* length alloc'd for two string pointers */
1778 path_len = sizeof (struct audit_path) + sizeof (char *);
1779 path = kmem_alloc(path_len, KM_SLEEP);
1780 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1781
1782 if (copyinstr(umount_dir, (caddr_t)dir_path,
1783 MAXPATHLEN, &dir_len))
1784 goto umount2_free_dir;
1785
1786 /*
1787 * the audit_path struct assumes that the buffer pointed to
1788 * by audp_sect[n] contains string 0 immediatedly followed
1789 * by string 1.
1790 */
1791 path->audp_sect[0] = dir_path;
1792 path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1793 path->audp_size = path_len;
1794 path->audp_ref = 1; /* not used */
1795 path->audp_cnt = 1; /* one path string */
1796
1797 au_uwrite(au_to_path(path));
1798
1799 umount2_free_dir:
1800 kmem_free(dir_path, MAXPATHLEN);
1801 kmem_free(path, path_len);
1802 }
1803
1804 /*ARGSUSED*/
1805 static void
aus_umount2(struct t_audit_data * tad)1806 aus_umount2(struct t_audit_data *tad)
1807 {
1808 klwp_t *clwp = ttolwp(curthread);
1809 struct a {
1810 long dir; /* char * */
1811 long flags;
1812 } *uap = (struct a *)clwp->lwp_ap;
1813
1814 aus_umount_path((caddr_t)uap->dir);
1815
1816 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1817 }
1818
1819 static void
aus_msgsys(struct t_audit_data * tad)1820 aus_msgsys(struct t_audit_data *tad)
1821 {
1822 klwp_t *clwp = ttolwp(curthread);
1823 uint32_t msgid;
1824
1825 struct b {
1826 long msgid;
1827 long cmd;
1828 long buf; /* struct msqid_ds * */
1829 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1830
1831 msgid = (uint32_t)uap1->msgid;
1832
1833
1834 switch (tad->tad_event) {
1835 case AUE_MSGGET: /* msgget */
1836 au_uwrite(au_to_arg32(1, "msg key", msgid));
1837 break;
1838 case AUE_MSGCTL: /* msgctl */
1839 case AUE_MSGCTL_RMID: /* msgctl */
1840 case AUE_MSGCTL_SET: /* msgctl */
1841 case AUE_MSGCTL_STAT: /* msgctl */
1842 case AUE_MSGRCV: /* msgrcv */
1843 case AUE_MSGSND: /* msgsnd */
1844 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1845 break;
1846 }
1847 }
1848
1849 /*ARGSUSED*/
1850 static void
auf_msgsys(struct t_audit_data * tad,int error,rval_t * rval)1851 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1852 {
1853 int id;
1854
1855 if (error != 0)
1856 return;
1857 if (tad->tad_event == AUE_MSGGET) {
1858 uint32_t scid;
1859 uint32_t sy_flags;
1860
1861 /* need to determine type of executing binary */
1862 scid = tad->tad_scid;
1863 #ifdef _SYSCALL32_IMPL
1864 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1865 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1866 else
1867 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1868 #else
1869 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1870 #endif
1871 if (sy_flags == SE_32RVAL1)
1872 id = rval->r_val1;
1873 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1874 id = rval->r_val1;
1875 if (sy_flags == SE_64RVAL)
1876 id = (int)rval->r_vals;
1877
1878 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1879 }
1880 }
1881
1882 static void
aus_semsys(struct t_audit_data * tad)1883 aus_semsys(struct t_audit_data *tad)
1884 {
1885 klwp_t *clwp = ttolwp(curthread);
1886 uint32_t semid;
1887
1888 struct b { /* ctrl */
1889 long semid;
1890 long semnum;
1891 long cmd;
1892 long arg;
1893 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1894
1895 semid = (uint32_t)uap1->semid;
1896
1897 switch (tad->tad_event) {
1898 case AUE_SEMCTL_RMID:
1899 case AUE_SEMCTL_STAT:
1900 case AUE_SEMCTL_GETNCNT:
1901 case AUE_SEMCTL_GETPID:
1902 case AUE_SEMCTL_GETVAL:
1903 case AUE_SEMCTL_GETALL:
1904 case AUE_SEMCTL_GETZCNT:
1905 case AUE_SEMCTL_SET:
1906 case AUE_SEMCTL_SETVAL:
1907 case AUE_SEMCTL_SETALL:
1908 case AUE_SEMCTL:
1909 case AUE_SEMOP:
1910 au_uwrite(au_to_arg32(1, "sem ID", semid));
1911 break;
1912 case AUE_SEMGET:
1913 au_uwrite(au_to_arg32(1, "sem key", semid));
1914 break;
1915 }
1916 }
1917
1918 /*ARGSUSED*/
1919 static void
auf_semsys(struct t_audit_data * tad,int error,rval_t * rval)1920 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1921 {
1922 int id;
1923
1924 if (error != 0)
1925 return;
1926 if (tad->tad_event == AUE_SEMGET) {
1927 uint32_t scid;
1928 uint32_t sy_flags;
1929
1930 /* need to determine type of executing binary */
1931 scid = tad->tad_scid;
1932 #ifdef _SYSCALL32_IMPL
1933 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1934 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1935 else
1936 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1937 #else
1938 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1939 #endif
1940 if (sy_flags == SE_32RVAL1)
1941 id = rval->r_val1;
1942 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1943 id = rval->r_val1;
1944 if (sy_flags == SE_64RVAL)
1945 id = (int)rval->r_vals;
1946
1947 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1948 }
1949 }
1950
1951 /*ARGSUSED*/
1952 static void
aus_close(struct t_audit_data * tad)1953 aus_close(struct t_audit_data *tad)
1954 {
1955 klwp_t *clwp = ttolwp(curthread);
1956 uint32_t fd;
1957 struct file *fp;
1958 struct f_audit_data *fad;
1959 struct vnode *vp;
1960 struct vattr attr;
1961 au_kcontext_t *kctx = GET_KCTX_PZ;
1962
1963 struct a {
1964 long i;
1965 } *uap = (struct a *)clwp->lwp_ap;
1966
1967 fd = (uint32_t)uap->i;
1968
1969 attr.va_mask = 0;
1970 au_uwrite(au_to_arg32(1, "fd", fd));
1971
1972 /*
1973 * convert file pointer to file descriptor
1974 * Note: fd ref count incremented here.
1975 */
1976 if ((fp = getf(fd)) == NULL)
1977 return;
1978
1979 fad = F2A(fp);
1980 tad->tad_evmod = (au_emod_t)fad->fad_flags;
1981 if (fad->fad_aupath != NULL) {
1982 au_uwrite(au_to_path(fad->fad_aupath));
1983 if ((vp = fp->f_vnode) != NULL) {
1984 attr.va_mask = AT_ALL;
1985 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1986 /*
1987 * When write was not used and the file can be
1988 * considered public, skip the audit.
1989 */
1990 if (((fp->f_flag & FWRITE) == 0) &&
1991 object_is_public(&attr)) {
1992 tad->tad_flag = 0;
1993 tad->tad_evmod = 0;
1994 /* free any residual audit data */
1995 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1996 releasef(fd);
1997 return;
1998 }
1999 au_uwrite(au_to_attr(&attr));
2000 audit_sec_attributes(&(u_ad), vp);
2001 }
2002 }
2003 }
2004
2005 /* decrement file descriptor reference count */
2006 releasef(fd);
2007 }
2008
2009 /*ARGSUSED*/
2010 static void
aus_fstatfs(struct t_audit_data * tad)2011 aus_fstatfs(struct t_audit_data *tad)
2012 {
2013 klwp_t *clwp = ttolwp(curthread);
2014 uint32_t fd;
2015 struct file *fp;
2016 struct vnode *vp;
2017 struct f_audit_data *fad;
2018
2019 struct a {
2020 long fd;
2021 long buf; /* struct statfs * */
2022 } *uap = (struct a *)clwp->lwp_ap;
2023
2024 fd = (uint_t)uap->fd;
2025
2026 /*
2027 * convert file pointer to file descriptor
2028 * Note: fd ref count incremented here.
2029 */
2030 if ((fp = getf(fd)) == NULL)
2031 return;
2032
2033 /* get path from file struct here */
2034 fad = F2A(fp);
2035 if (fad->fad_aupath != NULL) {
2036 au_uwrite(au_to_path(fad->fad_aupath));
2037 } else {
2038 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2039 }
2040
2041 vp = fp->f_vnode;
2042 audit_attributes(vp);
2043
2044 /* decrement file descriptor reference count */
2045 releasef(fd);
2046 }
2047
2048 static au_event_t
aui_setpgrp(au_event_t e)2049 aui_setpgrp(au_event_t e)
2050 {
2051 klwp_t *clwp = ttolwp(curthread);
2052 int flag;
2053
2054 struct a {
2055 long flag;
2056 long pid;
2057 long pgid;
2058 } *uap = (struct a *)clwp->lwp_ap;
2059
2060 flag = (int)uap->flag;
2061
2062
2063 switch (flag) {
2064
2065 case 1: /* setpgrp() */
2066 e = AUE_SETPGRP;
2067 break;
2068
2069 case 3: /* setsid() */
2070 e = AUE_SETSID;
2071 break;
2072
2073 case 5: /* setpgid() */
2074 e = AUE_SETPGID;
2075 break;
2076
2077 case 0: /* getpgrp() - not security relevant */
2078 case 2: /* getsid() - not security relevant */
2079 case 4: /* getpgid() - not security relevant */
2080 e = AUE_NULL;
2081 break;
2082
2083 default:
2084 e = AUE_NULL;
2085 break;
2086 }
2087
2088 return (e);
2089 }
2090
2091 /*ARGSUSED*/
2092 static void
aus_setpgrp(struct t_audit_data * tad)2093 aus_setpgrp(struct t_audit_data *tad)
2094 {
2095 klwp_t *clwp = ttolwp(curthread);
2096 pid_t pgid;
2097 struct proc *p;
2098 uid_t uid, ruid;
2099 gid_t gid, rgid;
2100 pid_t pid;
2101 cred_t *cr;
2102 int flag;
2103 const auditinfo_addr_t *ainfo;
2104
2105 struct a {
2106 long flag;
2107 long pid;
2108 long pgid;
2109 } *uap = (struct a *)clwp->lwp_ap;
2110
2111 flag = (int)uap->flag;
2112 pid = (pid_t)uap->pid;
2113 pgid = (pid_t)uap->pgid;
2114
2115
2116 switch (flag) {
2117
2118 case 0: /* getpgrp() */
2119 case 1: /* setpgrp() */
2120 case 2: /* getsid() */
2121 case 3: /* setsid() */
2122 case 4: /* getpgid() */
2123 break;
2124
2125 case 5: /* setpgid() */
2126
2127 /* current process? */
2128 if (pid == 0) {
2129 return;
2130 }
2131
2132 mutex_enter(&pidlock);
2133 p = prfind(pid);
2134 if (p == NULL || p->p_as == &kas ||
2135 p->p_stat == SIDL || p->p_stat == SZOMB) {
2136 mutex_exit(&pidlock);
2137 return;
2138 }
2139 mutex_enter(&p->p_lock); /* so process doesn't go away */
2140 mutex_exit(&pidlock);
2141
2142 mutex_enter(&p->p_crlock);
2143 crhold(cr = p->p_cred);
2144 mutex_exit(&p->p_crlock);
2145 mutex_exit(&p->p_lock);
2146
2147 ainfo = crgetauinfo(cr);
2148 if (ainfo == NULL) {
2149 crfree(cr);
2150 return;
2151 }
2152
2153 uid = crgetuid(cr);
2154 gid = crgetgid(cr);
2155 ruid = crgetruid(cr);
2156 rgid = crgetrgid(cr);
2157 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2158 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2159 crfree(cr);
2160 au_uwrite(au_to_arg32(2, "pgid", pgid));
2161 break;
2162
2163 default:
2164 break;
2165 }
2166 }
2167
2168
2169 /*ARGSUSED*/
2170 static void
aus_setregid(struct t_audit_data * tad)2171 aus_setregid(struct t_audit_data *tad)
2172 {
2173 klwp_t *clwp = ttolwp(curthread);
2174 uint32_t rgid, egid;
2175
2176 struct a {
2177 long rgid;
2178 long egid;
2179 } *uap = (struct a *)clwp->lwp_ap;
2180
2181 rgid = (uint32_t)uap->rgid;
2182 egid = (uint32_t)uap->egid;
2183
2184 au_uwrite(au_to_arg32(1, "rgid", rgid));
2185 au_uwrite(au_to_arg32(2, "egid", egid));
2186 }
2187
2188 /*ARGSUSED*/
2189 static void
aus_setgid(struct t_audit_data * tad)2190 aus_setgid(struct t_audit_data *tad)
2191 {
2192 klwp_t *clwp = ttolwp(curthread);
2193 uint32_t gid;
2194
2195 struct a {
2196 long gid;
2197 } *uap = (struct a *)clwp->lwp_ap;
2198
2199 gid = (uint32_t)uap->gid;
2200
2201 au_uwrite(au_to_arg32(1, "gid", gid));
2202 }
2203
2204
2205 /*ARGSUSED*/
2206 static void
aus_setreuid(struct t_audit_data * tad)2207 aus_setreuid(struct t_audit_data *tad)
2208 {
2209 klwp_t *clwp = ttolwp(curthread);
2210 uint32_t ruid, euid;
2211
2212 struct a {
2213 long ruid;
2214 long euid;
2215 } *uap = (struct a *)clwp->lwp_ap;
2216
2217 ruid = (uint32_t)uap->ruid;
2218 euid = (uint32_t)uap->euid;
2219
2220 au_uwrite(au_to_arg32(1, "ruid", ruid));
2221 au_uwrite(au_to_arg32(2, "euid", euid));
2222 }
2223
2224
2225 /*ARGSUSED*/
2226 static void
aus_setuid(struct t_audit_data * tad)2227 aus_setuid(struct t_audit_data *tad)
2228 {
2229 klwp_t *clwp = ttolwp(curthread);
2230 uint32_t uid;
2231
2232 struct a {
2233 long uid;
2234 } *uap = (struct a *)clwp->lwp_ap;
2235
2236 uid = (uint32_t)uap->uid;
2237
2238 au_uwrite(au_to_arg32(1, "uid", uid));
2239 }
2240
2241 /*ARGSUSED*/
2242 static void
aus_shmsys(struct t_audit_data * tad)2243 aus_shmsys(struct t_audit_data *tad)
2244 {
2245 klwp_t *clwp = ttolwp(curthread);
2246 uint32_t id, cmd;
2247
2248 struct b {
2249 long id;
2250 long cmd;
2251 long buf; /* struct shmid_ds * */
2252 } *uap1 = (struct b *)&clwp->lwp_ap[1];
2253
2254 id = (uint32_t)uap1->id;
2255 cmd = (uint32_t)uap1->cmd;
2256
2257 switch (tad->tad_event) {
2258 case AUE_SHMGET: /* shmget */
2259 au_uwrite(au_to_arg32(1, "shm key", id));
2260 break;
2261 case AUE_SHMCTL: /* shmctl */
2262 case AUE_SHMCTL_RMID: /* shmctl */
2263 case AUE_SHMCTL_STAT: /* shmctl */
2264 case AUE_SHMCTL_SET: /* shmctl */
2265 au_uwrite(au_to_arg32(1, "shm ID", id));
2266 break;
2267 case AUE_SHMDT: /* shmdt */
2268 au_uwrite(au_to_arg32(1, "shm adr", id));
2269 break;
2270 case AUE_SHMAT: /* shmat */
2271 au_uwrite(au_to_arg32(1, "shm ID", id));
2272 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2273 break;
2274 }
2275 }
2276
2277 /*ARGSUSED*/
2278 static void
auf_shmsys(struct t_audit_data * tad,int error,rval_t * rval)2279 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2280 {
2281 int id;
2282
2283 if (error != 0)
2284 return;
2285 if (tad->tad_event == AUE_SHMGET) {
2286 uint32_t scid;
2287 uint32_t sy_flags;
2288
2289 /* need to determine type of executing binary */
2290 scid = tad->tad_scid;
2291 #ifdef _SYSCALL32_IMPL
2292 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2293 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2294 else
2295 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2296 #else
2297 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2298 #endif
2299 if (sy_flags == SE_32RVAL1)
2300 id = rval->r_val1;
2301 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2302 id = rval->r_val1;
2303 if (sy_flags == SE_64RVAL)
2304 id = (int)rval->r_vals;
2305 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2306 }
2307 }
2308
2309
2310 /*ARGSUSED*/
2311 static void
aus_ioctl(struct t_audit_data * tad)2312 aus_ioctl(struct t_audit_data *tad)
2313 {
2314 klwp_t *clwp = ttolwp(curthread);
2315 struct file *fp;
2316 struct vnode *vp;
2317 struct f_audit_data *fad;
2318 uint32_t fd, cmd;
2319 uintptr_t cmarg;
2320
2321 /* XX64 */
2322 struct a {
2323 long fd;
2324 long cmd;
2325 long cmarg; /* caddr_t */
2326 } *uap = (struct a *)clwp->lwp_ap;
2327
2328 fd = (uint32_t)uap->fd;
2329 cmd = (uint32_t)uap->cmd;
2330 cmarg = (uintptr_t)uap->cmarg;
2331
2332 /*
2333 * convert file pointer to file descriptor
2334 * Note: fd ref count incremented here.
2335 */
2336 if ((fp = getf(fd)) == NULL) {
2337 au_uwrite(au_to_arg32(1, "fd", fd));
2338 au_uwrite(au_to_arg32(2, "cmd", cmd));
2339 #ifndef _LP64
2340 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2341 #else
2342 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2343 #endif
2344 return;
2345 }
2346
2347 /* get path from file struct here */
2348 fad = F2A(fp);
2349 if (fad->fad_aupath != NULL) {
2350 au_uwrite(au_to_path(fad->fad_aupath));
2351 } else {
2352 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2353 }
2354
2355 vp = fp->f_vnode;
2356 audit_attributes(vp);
2357
2358 /* decrement file descriptor reference count */
2359 releasef(fd);
2360
2361 au_uwrite(au_to_arg32(2, "cmd", cmd));
2362 #ifndef _LP64
2363 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2364 #else
2365 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2366 #endif
2367 }
2368
2369 /*
2370 * null function for memcntl for now. We might want to limit memcntl()
2371 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2372 * require privileges.
2373 */
2374 static au_event_t
aui_memcntl(au_event_t e)2375 aui_memcntl(au_event_t e)
2376 {
2377 return (e);
2378 }
2379
2380 /*ARGSUSED*/
2381 static au_event_t
aui_privsys(au_event_t e)2382 aui_privsys(au_event_t e)
2383 {
2384 klwp_t *clwp = ttolwp(curthread);
2385
2386 struct a {
2387 long opcode;
2388 } *uap = (struct a *)clwp->lwp_ap;
2389
2390 switch (uap->opcode) {
2391 case PRIVSYS_SETPPRIV:
2392 return (AUE_SETPPRIV);
2393 default:
2394 return (AUE_NULL);
2395 }
2396 }
2397
2398 /*ARGSUSED*/
2399 static void
aus_memcntl(struct t_audit_data * tad)2400 aus_memcntl(struct t_audit_data *tad)
2401 {
2402 klwp_t *clwp = ttolwp(curthread);
2403
2404 struct a {
2405 long addr;
2406 long len;
2407 long cmd;
2408 long arg;
2409 long attr;
2410 long mask;
2411 } *uap = (struct a *)clwp->lwp_ap;
2412
2413 #ifdef _LP64
2414 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2415 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2416 #else
2417 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2418 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2419 #endif
2420 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2421 #ifdef _LP64
2422 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2423 #else
2424 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2425 #endif
2426 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2427 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2428 }
2429
2430 /*ARGSUSED*/
2431 static void
aus_mmap(struct t_audit_data * tad)2432 aus_mmap(struct t_audit_data *tad)
2433 {
2434 klwp_t *clwp = ttolwp(curthread);
2435 struct file *fp;
2436 struct f_audit_data *fad;
2437 struct vnode *vp;
2438 uint32_t fd;
2439
2440 struct a {
2441 long addr;
2442 long len;
2443 long prot;
2444 long flags;
2445 long fd;
2446 long pos;
2447 } *uap = (struct a *)clwp->lwp_ap;
2448
2449 fd = (uint32_t)uap->fd;
2450
2451 #ifdef _LP64
2452 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2453 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2454 #else
2455 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2456 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2457 #endif
2458
2459 if ((fp = getf(fd)) == NULL) {
2460 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2461 return;
2462 }
2463
2464 /*
2465 * Mark in the tad if write access is NOT requested... if
2466 * this is later detected (in audit_attributes) to be a
2467 * public object, the mmap event may be discarded.
2468 */
2469 if (((uap->prot) & PROT_WRITE) == 0) {
2470 tad->tad_ctrl |= TAD_PUBLIC_EV;
2471 }
2472
2473 fad = F2A(fp);
2474 if (fad->fad_aupath != NULL) {
2475 au_uwrite(au_to_path(fad->fad_aupath));
2476 } else {
2477 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2478 }
2479
2480 vp = (struct vnode *)fp->f_vnode;
2481 audit_attributes(vp);
2482
2483 /* mark READ/WRITE since we can't predict access */
2484 if (uap->prot & PROT_READ)
2485 fad->fad_flags |= FAD_READ;
2486 if (uap->prot & PROT_WRITE)
2487 fad->fad_flags |= FAD_WRITE;
2488
2489 /* decrement file descriptor reference count */
2490 releasef(fd);
2491
2492 } /* AUS_MMAP */
2493
2494
2495
2496
2497 /*ARGSUSED*/
2498 static void
aus_munmap(struct t_audit_data * tad)2499 aus_munmap(struct t_audit_data *tad)
2500 {
2501 klwp_t *clwp = ttolwp(curthread);
2502
2503 struct a {
2504 long addr;
2505 long len;
2506 } *uap = (struct a *)clwp->lwp_ap;
2507
2508 #ifdef _LP64
2509 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2510 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2511 #else
2512 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2513 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2514 #endif
2515
2516 } /* AUS_MUNMAP */
2517
2518
2519
2520
2521
2522
2523
2524 /*ARGSUSED*/
2525 static void
aus_priocntlsys(struct t_audit_data * tad)2526 aus_priocntlsys(struct t_audit_data *tad)
2527 {
2528 klwp_t *clwp = ttolwp(curthread);
2529
2530 struct a {
2531 long pc_version;
2532 long psp; /* procset_t */
2533 long cmd;
2534 long arg;
2535 } *uap = (struct a *)clwp->lwp_ap;
2536
2537 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2538 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2539
2540 } /* AUS_PRIOCNTLSYS */
2541
2542
2543 /*ARGSUSED*/
2544 static void
aus_setegid(struct t_audit_data * tad)2545 aus_setegid(struct t_audit_data *tad)
2546 {
2547 klwp_t *clwp = ttolwp(curthread);
2548 uint32_t gid;
2549
2550 struct a {
2551 long gid;
2552 } *uap = (struct a *)clwp->lwp_ap;
2553
2554 gid = (uint32_t)uap->gid;
2555
2556 au_uwrite(au_to_arg32(1, "gid", gid));
2557 } /* AUS_SETEGID */
2558
2559
2560
2561
2562 /*ARGSUSED*/
2563 static void
aus_setgroups(struct t_audit_data * tad)2564 aus_setgroups(struct t_audit_data *tad)
2565 {
2566 klwp_t *clwp = ttolwp(curthread);
2567 int i;
2568 int gidsetsize;
2569 uintptr_t gidset;
2570 gid_t *gidlist;
2571
2572 struct a {
2573 long gidsetsize;
2574 long gidset;
2575 } *uap = (struct a *)clwp->lwp_ap;
2576
2577 gidsetsize = (uint_t)uap->gidsetsize;
2578 gidset = (uintptr_t)uap->gidset;
2579
2580 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2581 return;
2582 if (gidsetsize != 0) {
2583 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2584 KM_SLEEP);
2585 if (copyin((caddr_t)gidset, gidlist,
2586 gidsetsize * sizeof (gid_t)) == 0)
2587 for (i = 0; i < gidsetsize; i++)
2588 au_uwrite(au_to_arg32(1, "setgroups",
2589 (uint32_t)gidlist[i]));
2590 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2591 } else
2592 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2593
2594 } /* AUS_SETGROUPS */
2595
2596
2597
2598
2599
2600 /*ARGSUSED*/
2601 static void
aus_seteuid(struct t_audit_data * tad)2602 aus_seteuid(struct t_audit_data *tad)
2603 {
2604 klwp_t *clwp = ttolwp(curthread);
2605 uint32_t uid;
2606
2607 struct a {
2608 long uid;
2609 } *uap = (struct a *)clwp->lwp_ap;
2610
2611 uid = (uint32_t)uap->uid;
2612
2613 au_uwrite(au_to_arg32(1, "euid", uid));
2614
2615 } /* AUS_SETEUID */
2616
2617 /*ARGSUSED*/
2618 static void
aus_putmsg(struct t_audit_data * tad)2619 aus_putmsg(struct t_audit_data *tad)
2620 {
2621 klwp_t *clwp = ttolwp(curthread);
2622 uint32_t fd, pri;
2623 struct file *fp;
2624 struct f_audit_data *fad;
2625
2626 struct a {
2627 long fdes;
2628 long ctl; /* struct strbuf * */
2629 long data; /* struct strbuf * */
2630 long pri;
2631 } *uap = (struct a *)clwp->lwp_ap;
2632
2633 fd = (uint32_t)uap->fdes;
2634 pri = (uint32_t)uap->pri;
2635
2636 au_uwrite(au_to_arg32(1, "fd", fd));
2637
2638 if ((fp = getf(fd)) != NULL) {
2639 fad = F2A(fp);
2640
2641 fad->fad_flags |= FAD_WRITE;
2642
2643 /* add path name to audit record */
2644 if (fad->fad_aupath != NULL) {
2645 au_uwrite(au_to_path(fad->fad_aupath));
2646 }
2647 audit_attributes(fp->f_vnode);
2648
2649 releasef(fd);
2650 }
2651
2652 au_uwrite(au_to_arg32(4, "pri", pri));
2653 }
2654
2655 /*ARGSUSED*/
2656 static void
aus_putpmsg(struct t_audit_data * tad)2657 aus_putpmsg(struct t_audit_data *tad)
2658 {
2659 klwp_t *clwp = ttolwp(curthread);
2660 uint32_t fd, pri, flags;
2661 struct file *fp;
2662 struct f_audit_data *fad;
2663
2664 struct a {
2665 long fdes;
2666 long ctl; /* struct strbuf * */
2667 long data; /* struct strbuf * */
2668 long pri;
2669 long flags;
2670 } *uap = (struct a *)clwp->lwp_ap;
2671
2672 fd = (uint32_t)uap->fdes;
2673 pri = (uint32_t)uap->pri;
2674 flags = (uint32_t)uap->flags;
2675
2676 au_uwrite(au_to_arg32(1, "fd", fd));
2677
2678 if ((fp = getf(fd)) != NULL) {
2679 fad = F2A(fp);
2680
2681 fad->fad_flags |= FAD_WRITE;
2682
2683 /* add path name to audit record */
2684 if (fad->fad_aupath != NULL) {
2685 au_uwrite(au_to_path(fad->fad_aupath));
2686 }
2687 audit_attributes(fp->f_vnode);
2688
2689 releasef(fd);
2690 }
2691
2692
2693 au_uwrite(au_to_arg32(4, "pri", pri));
2694 au_uwrite(au_to_arg32(5, "flags", flags));
2695 }
2696
2697 /*ARGSUSED*/
2698 static void
aus_getmsg(struct t_audit_data * tad)2699 aus_getmsg(struct t_audit_data *tad)
2700 {
2701 klwp_t *clwp = ttolwp(curthread);
2702 uint32_t fd, pri;
2703 struct file *fp;
2704 struct f_audit_data *fad;
2705
2706 struct a {
2707 long fdes;
2708 long ctl; /* struct strbuf * */
2709 long data; /* struct strbuf * */
2710 long pri;
2711 } *uap = (struct a *)clwp->lwp_ap;
2712
2713 fd = (uint32_t)uap->fdes;
2714 pri = (uint32_t)uap->pri;
2715
2716 au_uwrite(au_to_arg32(1, "fd", fd));
2717
2718 if ((fp = getf(fd)) != NULL) {
2719 fad = F2A(fp);
2720
2721 /*
2722 * read operation on this object
2723 */
2724 fad->fad_flags |= FAD_READ;
2725
2726 /* add path name to audit record */
2727 if (fad->fad_aupath != NULL) {
2728 au_uwrite(au_to_path(fad->fad_aupath));
2729 }
2730 audit_attributes(fp->f_vnode);
2731
2732 releasef(fd);
2733 }
2734
2735 au_uwrite(au_to_arg32(4, "pri", pri));
2736 }
2737
2738 /*ARGSUSED*/
2739 static void
aus_getpmsg(struct t_audit_data * tad)2740 aus_getpmsg(struct t_audit_data *tad)
2741 {
2742 klwp_t *clwp = ttolwp(curthread);
2743 uint32_t fd;
2744 struct file *fp;
2745 struct f_audit_data *fad;
2746
2747 struct a {
2748 long fdes;
2749 long ctl; /* struct strbuf * */
2750 long data; /* struct strbuf * */
2751 long pri;
2752 long flags;
2753 } *uap = (struct a *)clwp->lwp_ap;
2754
2755 fd = (uint32_t)uap->fdes;
2756
2757 au_uwrite(au_to_arg32(1, "fd", fd));
2758
2759 if ((fp = getf(fd)) != NULL) {
2760 fad = F2A(fp);
2761
2762 /*
2763 * read operation on this object
2764 */
2765 fad->fad_flags |= FAD_READ;
2766
2767 /* add path name to audit record */
2768 if (fad->fad_aupath != NULL) {
2769 au_uwrite(au_to_path(fad->fad_aupath));
2770 }
2771 audit_attributes(fp->f_vnode);
2772
2773 releasef(fd);
2774 }
2775 }
2776
2777 static au_event_t
aui_labelsys(au_event_t e)2778 aui_labelsys(au_event_t e)
2779 {
2780 klwp_t *clwp = ttolwp(curthread);
2781 uint32_t code;
2782 uint32_t cmd;
2783
2784 struct a {
2785 long code;
2786 long cmd;
2787 } *uap = (struct a *)clwp->lwp_ap;
2788
2789 code = (uint32_t)uap->code;
2790 cmd = (uint32_t)uap->cmd;
2791
2792 /* not security relevant if not changing kernel cache */
2793 if (cmd == TNDB_GET)
2794 return (AUE_NULL);
2795
2796 switch (code) {
2797 case TSOL_TNRH:
2798 e = AUE_LABELSYS_TNRH;
2799 break;
2800 case TSOL_TNRHTP:
2801 e = AUE_LABELSYS_TNRHTP;
2802 break;
2803 case TSOL_TNMLP:
2804 e = AUE_LABELSYS_TNMLP;
2805 break;
2806 default:
2807 e = AUE_NULL;
2808 break;
2809 }
2810
2811 return (e);
2812
2813 }
2814
2815 static void
aus_labelsys(struct t_audit_data * tad)2816 aus_labelsys(struct t_audit_data *tad)
2817 {
2818 klwp_t *clwp = ttolwp(curthread);
2819 uint32_t cmd;
2820 uintptr_t a2;
2821
2822 struct a {
2823 long code;
2824 long cmd;
2825 long a2;
2826 } *uap = (struct a *)clwp->lwp_ap;
2827
2828 cmd = (uint32_t)uap->cmd;
2829 a2 = (uintptr_t)uap->a2;
2830
2831 switch (tad->tad_event) {
2832 case AUE_LABELSYS_TNRH:
2833 {
2834 tsol_rhent_t *rhent;
2835 tnaddr_t *rh_addr;
2836
2837 au_uwrite(au_to_arg32(1, "cmd", cmd));
2838
2839 /* Remaining args don't apply for FLUSH, so skip */
2840 if (cmd == TNDB_FLUSH)
2841 break;
2842
2843 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2844 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2845 kmem_free(rhent, sizeof (tsol_rhent_t));
2846 return;
2847 }
2848
2849 rh_addr = &rhent->rh_address;
2850 if (rh_addr->ta_family == AF_INET) {
2851 struct in_addr *ipaddr;
2852
2853 ipaddr = &(rh_addr->ta_addr_v4);
2854 au_uwrite(au_to_in_addr(ipaddr));
2855 } else if (rh_addr->ta_family == AF_INET6) {
2856 int32_t *ipaddr;
2857
2858 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2859 au_uwrite(au_to_in_addr_ex(ipaddr));
2860 }
2861 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2862
2863 kmem_free(rhent, sizeof (tsol_rhent_t));
2864
2865 break;
2866 }
2867 case AUE_LABELSYS_TNRHTP:
2868 {
2869 tsol_tpent_t *tpent;
2870
2871 au_uwrite(au_to_arg32(1, "cmd", cmd));
2872
2873 /* Remaining args don't apply for FLUSH, so skip */
2874 if (cmd == TNDB_FLUSH)
2875 break;
2876
2877 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2878 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2879 kmem_free(tpent, sizeof (tsol_tpent_t));
2880 return;
2881 }
2882
2883 /* Make sure that the template name is null-terminated. */
2884 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2885
2886 au_uwrite(au_to_text(tpent->name));
2887 kmem_free(tpent, sizeof (tsol_tpent_t));
2888
2889 break;
2890 }
2891 case AUE_LABELSYS_TNMLP:
2892 {
2893 tsol_mlpent_t *mlpent;
2894
2895 au_uwrite(au_to_arg32(1, "cmd", cmd));
2896
2897 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2898 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2899 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2900 return;
2901 }
2902
2903 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2904 au_uwrite(au_to_text("shared"));
2905 } else {
2906 zone_t *zone;
2907
2908 zone = zone_find_by_id(mlpent->tsme_zoneid);
2909 if (zone != NULL) {
2910 au_uwrite(au_to_text(zone->zone_name));
2911 zone_rele(zone);
2912 }
2913 }
2914
2915 /* Remaining args don't apply for FLUSH, so skip */
2916 if (cmd == TNDB_FLUSH) {
2917 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2918 break;
2919 }
2920
2921 au_uwrite(au_to_arg32(2, "proto num",
2922 (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2923 au_uwrite(au_to_arg32(2, "mlp_port",
2924 (uint32_t)mlpent->tsme_mlp.mlp_port));
2925
2926 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2927 au_uwrite(au_to_arg32(2, "mlp_port_upper",
2928 (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2929
2930 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2931
2932 break;
2933 }
2934 default:
2935 break;
2936 }
2937 }
2938
2939
2940 static au_event_t
aui_auditsys(au_event_t e)2941 aui_auditsys(au_event_t e)
2942 {
2943 klwp_t *clwp = ttolwp(curthread);
2944 uint32_t code;
2945
2946 struct a {
2947 long code;
2948 long a1;
2949 long a2;
2950 long a3;
2951 long a4;
2952 long a5;
2953 long a6;
2954 long a7;
2955 } *uap = (struct a *)clwp->lwp_ap;
2956
2957 code = (uint32_t)uap->code;
2958
2959 switch (code) {
2960
2961 case BSM_GETAUID:
2962 e = AUE_GETAUID;
2963 break;
2964 case BSM_SETAUID:
2965 e = AUE_SETAUID;
2966 break;
2967 case BSM_GETAUDIT:
2968 e = AUE_GETAUDIT;
2969 break;
2970 case BSM_GETAUDIT_ADDR:
2971 e = AUE_GETAUDIT_ADDR;
2972 break;
2973 case BSM_SETAUDIT:
2974 e = AUE_SETAUDIT;
2975 break;
2976 case BSM_SETAUDIT_ADDR:
2977 e = AUE_SETAUDIT_ADDR;
2978 break;
2979 case BSM_AUDIT:
2980 e = AUE_AUDIT;
2981 break;
2982 case BSM_AUDITCTL:
2983 switch ((uint_t)uap->a1) {
2984
2985 case A_GETPOLICY:
2986 e = AUE_AUDITON_GPOLICY;
2987 break;
2988 case A_SETPOLICY:
2989 e = AUE_AUDITON_SPOLICY;
2990 break;
2991 case A_GETAMASK:
2992 e = AUE_AUDITON_GETAMASK;
2993 break;
2994 case A_SETAMASK:
2995 e = AUE_AUDITON_SETAMASK;
2996 break;
2997 case A_GETKMASK:
2998 e = AUE_AUDITON_GETKMASK;
2999 break;
3000 case A_SETKMASK:
3001 e = AUE_AUDITON_SETKMASK;
3002 break;
3003 case A_GETQCTRL:
3004 e = AUE_AUDITON_GQCTRL;
3005 break;
3006 case A_SETQCTRL:
3007 e = AUE_AUDITON_SQCTRL;
3008 break;
3009 case A_GETCWD:
3010 e = AUE_AUDITON_GETCWD;
3011 break;
3012 case A_GETCAR:
3013 e = AUE_AUDITON_GETCAR;
3014 break;
3015 case A_GETSTAT:
3016 e = AUE_AUDITON_GETSTAT;
3017 break;
3018 case A_SETSTAT:
3019 e = AUE_AUDITON_SETSTAT;
3020 break;
3021 case A_SETUMASK:
3022 e = AUE_AUDITON_SETUMASK;
3023 break;
3024 case A_SETSMASK:
3025 e = AUE_AUDITON_SETSMASK;
3026 break;
3027 case A_GETCOND:
3028 e = AUE_AUDITON_GETCOND;
3029 break;
3030 case A_SETCOND:
3031 e = AUE_AUDITON_SETCOND;
3032 break;
3033 case A_GETCLASS:
3034 e = AUE_AUDITON_GETCLASS;
3035 break;
3036 case A_SETCLASS:
3037 e = AUE_AUDITON_SETCLASS;
3038 break;
3039 default:
3040 e = AUE_NULL;
3041 break;
3042 }
3043 break;
3044 default:
3045 e = AUE_NULL;
3046 break;
3047 }
3048
3049 return (e);
3050
3051 } /* AUI_AUDITSYS */
3052
3053
3054 static void
aus_auditsys(struct t_audit_data * tad)3055 aus_auditsys(struct t_audit_data *tad)
3056 {
3057 klwp_t *clwp = ttolwp(curthread);
3058 uintptr_t a1, a2;
3059 STRUCT_DECL(auditinfo, ainfo);
3060 STRUCT_DECL(auditinfo_addr, ainfo_addr);
3061 au_evclass_map_t event;
3062 au_mask_t mask;
3063 int auditstate, policy;
3064 au_id_t auid;
3065
3066
3067 struct a {
3068 long code;
3069 long a1;
3070 long a2;
3071 long a3;
3072 long a4;
3073 long a5;
3074 long a6;
3075 long a7;
3076 } *uap = (struct a *)clwp->lwp_ap;
3077
3078 a1 = (uintptr_t)uap->a1;
3079 a2 = (uintptr_t)uap->a2;
3080
3081 switch (tad->tad_event) {
3082 case AUE_SETAUID:
3083 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3084 return;
3085 au_uwrite(au_to_arg32(2, "setauid", auid));
3086 break;
3087 case AUE_SETAUDIT:
3088 STRUCT_INIT(ainfo, get_udatamodel());
3089 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3090 STRUCT_SIZE(ainfo))) {
3091 return;
3092 }
3093 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3094 (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3095 #ifdef _LP64
3096 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3097 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3098 #else
3099 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3100 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3101 #endif
3102 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3103 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3104 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3105 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3106 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3107 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3108 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3109 (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3110 break;
3111 case AUE_SETAUDIT_ADDR:
3112 STRUCT_INIT(ainfo_addr, get_udatamodel());
3113 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3114 STRUCT_SIZE(ainfo_addr))) {
3115 return;
3116 }
3117 au_uwrite(au_to_arg32((char)1, "auid",
3118 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3119 #ifdef _LP64
3120 au_uwrite(au_to_arg64((char)1, "port",
3121 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3122 #else
3123 au_uwrite(au_to_arg32((char)1, "port",
3124 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3125 #endif
3126 au_uwrite(au_to_arg32((char)1, "type",
3127 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3128 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3129 AU_IPv4) {
3130 au_uwrite(au_to_in_addr(
3131 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3132 ai_termid.at_addr)));
3133 } else {
3134 au_uwrite(au_to_in_addr_ex(
3135 (int32_t *)STRUCT_FGETP(ainfo_addr,
3136 ai_termid.at_addr)));
3137 }
3138 au_uwrite(au_to_arg32((char)1, "as_success",
3139 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3140 au_uwrite(au_to_arg32((char)1, "as_failure",
3141 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3142 au_uwrite(au_to_arg32((char)1, "asid",
3143 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3144 break;
3145 case AUE_AUDITON_SETAMASK:
3146 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3147 return;
3148 au_uwrite(au_to_arg32(
3149 2, "setamask:as_success", (uint32_t)mask.as_success));
3150 au_uwrite(au_to_arg32(
3151 2, "setamask:as_failure", (uint32_t)mask.as_failure));
3152 break;
3153 case AUE_AUDITON_SETKMASK:
3154 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3155 return;
3156 au_uwrite(au_to_arg32(
3157 2, "setkmask:as_success", (uint32_t)mask.as_success));
3158 au_uwrite(au_to_arg32(
3159 2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3160 break;
3161 case AUE_AUDITON_SPOLICY:
3162 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3163 return;
3164 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3165 break;
3166 case AUE_AUDITON_SQCTRL: {
3167 STRUCT_DECL(au_qctrl, qctrl);
3168 model_t model;
3169
3170 model = get_udatamodel();
3171 STRUCT_INIT(qctrl, model);
3172 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3173 return;
3174 if (model == DATAMODEL_ILP32) {
3175 au_uwrite(au_to_arg32(
3176 3, "setqctrl:aq_hiwater",
3177 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3178 au_uwrite(au_to_arg32(
3179 3, "setqctrl:aq_lowater",
3180 (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3181 au_uwrite(au_to_arg32(
3182 3, "setqctrl:aq_bufsz",
3183 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3184 au_uwrite(au_to_arg32(
3185 3, "setqctrl:aq_delay",
3186 (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3187 } else {
3188 au_uwrite(au_to_arg64(
3189 3, "setqctrl:aq_hiwater",
3190 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3191 au_uwrite(au_to_arg64(
3192 3, "setqctrl:aq_lowater",
3193 (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3194 au_uwrite(au_to_arg64(
3195 3, "setqctrl:aq_bufsz",
3196 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3197 au_uwrite(au_to_arg64(
3198 3, "setqctrl:aq_delay",
3199 (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3200 }
3201 break;
3202 }
3203 case AUE_AUDITON_SETUMASK:
3204 STRUCT_INIT(ainfo, get_udatamodel());
3205 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3206 STRUCT_SIZE(ainfo))) {
3207 return;
3208 }
3209 au_uwrite(au_to_arg32(3, "setumask:as_success",
3210 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3211 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3212 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3213 break;
3214 case AUE_AUDITON_SETSMASK:
3215 STRUCT_INIT(ainfo, get_udatamodel());
3216 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3217 STRUCT_SIZE(ainfo))) {
3218 return;
3219 }
3220 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3221 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3222 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3223 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3224 break;
3225 case AUE_AUDITON_SETCOND:
3226 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3227 return;
3228 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3229 break;
3230 case AUE_AUDITON_SETCLASS:
3231 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3232 return;
3233 au_uwrite(au_to_arg32(
3234 2, "setclass:ec_event", (uint32_t)event.ec_number));
3235 au_uwrite(au_to_arg32(
3236 3, "setclass:ec_class", (uint32_t)event.ec_class));
3237 break;
3238 case AUE_GETAUID:
3239 case AUE_GETAUDIT:
3240 case AUE_GETAUDIT_ADDR:
3241 case AUE_AUDIT:
3242 case AUE_AUDITON_GPOLICY:
3243 case AUE_AUDITON_GQCTRL:
3244 case AUE_AUDITON_GETAMASK:
3245 case AUE_AUDITON_GETKMASK:
3246 case AUE_AUDITON_GETCWD:
3247 case AUE_AUDITON_GETCAR:
3248 case AUE_AUDITON_GETSTAT:
3249 case AUE_AUDITON_SETSTAT:
3250 case AUE_AUDITON_GETCOND:
3251 case AUE_AUDITON_GETCLASS:
3252 break;
3253 default:
3254 break;
3255 }
3256
3257 } /* AUS_AUDITSYS */
3258
3259
3260 /* only audit privileged operations for systeminfo(2) system call */
3261 static au_event_t
aui_sysinfo(au_event_t e)3262 aui_sysinfo(au_event_t e)
3263 {
3264 klwp_t *clwp = ttolwp(curthread);
3265 uint32_t command;
3266
3267 struct a {
3268 long command;
3269 long buf; /* char * */
3270 long count;
3271 } *uap = (struct a *)clwp->lwp_ap;
3272
3273 command = (uint32_t)uap->command;
3274
3275 switch (command) {
3276 case SI_SET_HOSTNAME:
3277 case SI_SET_SRPC_DOMAIN:
3278 e = (au_event_t)AUE_SYSINFO;
3279 break;
3280 default:
3281 e = (au_event_t)AUE_NULL;
3282 break;
3283 }
3284 return (e);
3285 }
3286
3287 /*ARGSUSED*/
3288 static void
aus_sysinfo(struct t_audit_data * tad)3289 aus_sysinfo(struct t_audit_data *tad)
3290 {
3291 klwp_t *clwp = ttolwp(curthread);
3292 uint32_t command;
3293 size_t len, maxlen;
3294 char *name;
3295 uintptr_t buf;
3296
3297 struct a {
3298 long command;
3299 long buf; /* char * */
3300 long count;
3301 } *uap = (struct a *)clwp->lwp_ap;
3302
3303 command = (uint32_t)uap->command;
3304 buf = (uintptr_t)uap->buf;
3305
3306 au_uwrite(au_to_arg32(1, "cmd", command));
3307
3308 switch (command) {
3309 case SI_SET_HOSTNAME:
3310 {
3311 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3312 return;
3313
3314 maxlen = SYS_NMLN;
3315 name = kmem_alloc(maxlen, KM_SLEEP);
3316 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3317 break;
3318
3319 /*
3320 * Must be non-NULL string and string
3321 * must be less than SYS_NMLN chars.
3322 */
3323 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3324 break;
3325
3326 au_uwrite(au_to_text(name));
3327 break;
3328 }
3329
3330 case SI_SET_SRPC_DOMAIN:
3331 {
3332 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3333 return;
3334
3335 maxlen = SYS_NMLN;
3336 name = kmem_alloc(maxlen, KM_SLEEP);
3337 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3338 break;
3339
3340 /*
3341 * If string passed in is longer than length
3342 * allowed for domain name, fail.
3343 */
3344 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3345 break;
3346
3347 au_uwrite(au_to_text(name));
3348 break;
3349 }
3350
3351 default:
3352 return;
3353 }
3354
3355 kmem_free(name, maxlen);
3356 }
3357
3358 static au_event_t
aui_modctl(au_event_t e)3359 aui_modctl(au_event_t e)
3360 {
3361 klwp_t *clwp = ttolwp(curthread);
3362 uint_t cmd;
3363
3364 struct a {
3365 long cmd;
3366 } *uap = (struct a *)clwp->lwp_ap;
3367
3368 cmd = (uint_t)uap->cmd;
3369
3370 switch (cmd) {
3371 case MODLOAD:
3372 e = AUE_MODLOAD;
3373 break;
3374 case MODUNLOAD:
3375 e = AUE_MODUNLOAD;
3376 break;
3377 case MODADDMAJBIND:
3378 e = AUE_MODADDMAJ;
3379 break;
3380 case MODSETDEVPOLICY:
3381 e = AUE_MODDEVPLCY;
3382 break;
3383 case MODALLOCPRIV:
3384 e = AUE_MODADDPRIV;
3385 break;
3386 default:
3387 e = AUE_NULL;
3388 break;
3389 }
3390 return (e);
3391 }
3392
3393
3394 /*ARGSUSED*/
3395 static void
aus_modctl(struct t_audit_data * tad)3396 aus_modctl(struct t_audit_data *tad)
3397 {
3398 klwp_t *clwp = ttolwp(curthread);
3399 void *a = clwp->lwp_ap;
3400 uint_t use_path;
3401
3402 switch (tad->tad_event) {
3403 case AUE_MODLOAD: {
3404 typedef struct {
3405 long cmd;
3406 long use_path;
3407 long filename; /* char * */
3408 } modloada_t;
3409
3410 char *filenamep;
3411 uintptr_t fname;
3412 extern char *default_path;
3413
3414 fname = (uintptr_t)((modloada_t *)a)->filename;
3415 use_path = (uint_t)((modloada_t *)a)->use_path;
3416
3417 /* space to hold path */
3418 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3419 /* get string */
3420 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3421 /* free allocated path */
3422 kmem_free(filenamep, MOD_MAXPATH);
3423 return;
3424 }
3425 /* ensure it's null terminated */
3426 filenamep[MOD_MAXPATH - 1] = 0;
3427
3428 if (use_path)
3429 au_uwrite(au_to_text(default_path));
3430 au_uwrite(au_to_text(filenamep));
3431
3432 /* release temporary memory */
3433 kmem_free(filenamep, MOD_MAXPATH);
3434 break;
3435 }
3436 case AUE_MODUNLOAD: {
3437 typedef struct {
3438 long cmd;
3439 long id;
3440 } modunloada_t;
3441
3442 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3443
3444 au_uwrite(au_to_arg32(1, "id", id));
3445 break;
3446 }
3447 case AUE_MODADDMAJ: {
3448 STRUCT_DECL(modconfig, mc);
3449 typedef struct {
3450 long cmd;
3451 long subcmd;
3452 long data; /* int * */
3453 } modconfiga_t;
3454
3455 STRUCT_DECL(aliases, alias);
3456 caddr_t ap;
3457 int i, num_aliases;
3458 char *drvname, *mc_drvname;
3459 char *name;
3460 extern char *ddi_major_to_name(major_t);
3461 model_t model;
3462
3463 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3464
3465 model = get_udatamodel();
3466 STRUCT_INIT(mc, model);
3467 /* sanitize buffer */
3468 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3469 /* get user arguments */
3470 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3471 STRUCT_SIZE(mc)) != 0)
3472 return;
3473
3474 mc_drvname = STRUCT_FGET(mc, drvname);
3475 if ((drvname = ddi_major_to_name(
3476 (major_t)STRUCT_FGET(mc, major))) != NULL &&
3477 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3478 /* safety */
3479 if (mc_drvname[0] != '\0') {
3480 mc_drvname[MAXMODCONFNAME-1] = '\0';
3481 au_uwrite(au_to_text(mc_drvname));
3482 }
3483 /* drvname != NULL from test above */
3484 au_uwrite(au_to_text(drvname));
3485 return;
3486 }
3487
3488 if (mc_drvname[0] != '\0') {
3489 /* safety */
3490 mc_drvname[MAXMODCONFNAME-1] = '\0';
3491 au_uwrite(au_to_text(mc_drvname));
3492 } else
3493 au_uwrite(au_to_text("no drvname"));
3494
3495 num_aliases = STRUCT_FGET(mc, num_aliases);
3496 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3497 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3498 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3499 STRUCT_INIT(alias, model);
3500 for (i = 0; i < num_aliases; i++) {
3501 bzero((caddr_t)STRUCT_BUF(alias),
3502 STRUCT_SIZE(alias));
3503 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3504 STRUCT_SIZE(alias)) != 0)
3505 break;
3506 if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3507 MAXMODCONFNAME, NULL) != 0) {
3508 break;
3509 }
3510
3511 au_uwrite(au_to_text(name));
3512 ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3513 }
3514 kmem_free(name, MAXMODCONFNAME);
3515 break;
3516 }
3517 default:
3518 break;
3519 }
3520 }
3521
3522
3523 /*ARGSUSED*/
3524 static void
auf_accept(struct t_audit_data * tad,int error,rval_t * rval)3525 auf_accept(
3526 struct t_audit_data *tad,
3527 int error,
3528 rval_t *rval)
3529 {
3530 uint32_t scid;
3531 uint32_t sy_flags;
3532 int fd;
3533 struct sonode *so;
3534 char so_laddr[sizeof (struct sockaddr_in6)];
3535 char so_faddr[sizeof (struct sockaddr_in6)];
3536 int err;
3537 short so_family, so_type;
3538 int add_sock_token = 0;
3539
3540 /* need to determine type of executing binary */
3541 scid = tad->tad_scid;
3542 #ifdef _SYSCALL32_IMPL
3543 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3544 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3545 else
3546 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3547 #else
3548 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3549 #endif
3550 switch (sy_flags) {
3551 case SE_32RVAL1:
3552 /* FALLTHRU */
3553 case SE_32RVAL2|SE_32RVAL1:
3554 fd = rval->r_val1;
3555 break;
3556 case SE_64RVAL:
3557 fd = (int)rval->r_vals;
3558 break;
3559 default:
3560 /*
3561 * should never happen, seems to be an internal error
3562 * in sysent => no fd, nothing to audit here, returning
3563 */
3564 return;
3565 }
3566
3567 if (error) {
3568 /* can't trust socket contents. Just return */
3569 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3570 return;
3571 }
3572
3573 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3574 /*
3575 * not security relevant if doing a accept from non socket
3576 * so no extra tokens. Should probably turn off audit record
3577 * generation here.
3578 */
3579 return;
3580 }
3581
3582 so_family = so->so_family;
3583 so_type = so->so_type;
3584
3585 switch (so_family) {
3586 case AF_INET:
3587 case AF_INET6:
3588 /*
3589 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3590 */
3591 if (so->so_type == SOCK_STREAM) {
3592 socklen_t len;
3593
3594 bzero((void *)so_laddr, sizeof (so_laddr));
3595 bzero((void *)so_faddr, sizeof (so_faddr));
3596
3597 len = sizeof (so_laddr);
3598 (void) socket_getsockname(so,
3599 (struct sockaddr *)so_laddr, &len, CRED());
3600 len = sizeof (so_faddr);
3601 (void) socket_getpeername(so,
3602 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3603
3604 add_sock_token = 1;
3605 }
3606 break;
3607
3608 default:
3609 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3610 break;
3611 }
3612
3613 releasef(fd);
3614
3615 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3616
3617 if (add_sock_token == 0) {
3618 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3619 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3620 return;
3621 }
3622
3623 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3624
3625 }
3626
3627 /*ARGSUSED*/
3628 static void
auf_bind(struct t_audit_data * tad,int error,rval_t * rvp)3629 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3630 {
3631 struct a {
3632 long fd;
3633 long addr;
3634 long len;
3635 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3636
3637 struct sonode *so;
3638 char so_laddr[sizeof (struct sockaddr_in6)];
3639 char so_faddr[sizeof (struct sockaddr_in6)];
3640 int err, fd;
3641 socklen_t len;
3642 short so_family, so_type;
3643 int add_sock_token = 0;
3644
3645 fd = (int)uap->fd;
3646
3647 /*
3648 * bind failed, then nothing extra to add to audit record.
3649 */
3650 if (error) {
3651 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3652 /* XXX may want to add failed address some day */
3653 return;
3654 }
3655
3656 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3657 /*
3658 * not security relevant if doing a bind from non socket
3659 * so no extra tokens. Should probably turn off audit record
3660 * generation here.
3661 */
3662 return;
3663 }
3664
3665 so_family = so->so_family;
3666 so_type = so->so_type;
3667
3668 switch (so_family) {
3669 case AF_INET:
3670 case AF_INET6:
3671
3672 bzero(so_faddr, sizeof (so_faddr));
3673 len = sizeof (so_faddr);
3674
3675 (void) socket_getpeername(so,
3676 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3677 add_sock_token = 1;
3678
3679 break;
3680
3681 case AF_UNIX:
3682 /* token added by lookup */
3683 break;
3684 default:
3685 /* AF_ROUTE, AF_KEY do not support accept */
3686 break;
3687 }
3688
3689 releasef(fd);
3690
3691 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3692
3693 if (add_sock_token == 0) {
3694 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3695 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3696 return;
3697 }
3698
3699 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3700
3701 }
3702
3703 /*ARGSUSED*/
3704 static void
auf_connect(struct t_audit_data * tad,int error,rval_t * rval)3705 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3706 {
3707 struct a {
3708 long fd;
3709 long addr;
3710 long len;
3711 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3712
3713 struct sonode *so;
3714 char so_laddr[sizeof (struct sockaddr_in6)];
3715 char so_faddr[sizeof (struct sockaddr_in6)];
3716 int err, fd;
3717 socklen_t len;
3718 short so_family, so_type;
3719 int add_sock_token = 0;
3720
3721 fd = (int)uap->fd;
3722
3723
3724 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3725 /*
3726 * not security relevant if doing a connect from non socket
3727 * so no extra tokens. Should probably turn off audit record
3728 * generation here.
3729 */
3730 return;
3731 }
3732
3733 so_family = so->so_family;
3734 so_type = so->so_type;
3735
3736 switch (so_family) {
3737 case AF_INET:
3738 case AF_INET6:
3739
3740 bzero(so_laddr, sizeof (so_laddr));
3741 bzero(so_faddr, sizeof (so_faddr));
3742
3743 len = sizeof (so_laddr);
3744 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3745 &len, CRED());
3746 if (error) {
3747 if (uap->addr == NULL)
3748 break;
3749 if (uap->len <= 0)
3750 break;
3751 len = min(uap->len, sizeof (so_faddr));
3752 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3753 break;
3754 #ifdef NOTYET
3755 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3756 #endif
3757 } else {
3758 /* sanity check on length */
3759 len = sizeof (so_faddr);
3760 (void) socket_getpeername(so,
3761 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3762 }
3763
3764 add_sock_token = 1;
3765
3766 break;
3767
3768 case AF_UNIX:
3769 /* does a lookup on name */
3770 break;
3771
3772 default:
3773 /* AF_ROUTE, AF_KEY do not support accept */
3774 break;
3775 }
3776
3777 releasef(fd);
3778
3779 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3780
3781 if (add_sock_token == 0) {
3782 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3783 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3784 return;
3785 }
3786
3787 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3788
3789 }
3790
3791 /*ARGSUSED*/
3792 static void
aus_shutdown(struct t_audit_data * tad)3793 aus_shutdown(struct t_audit_data *tad)
3794 {
3795 struct a {
3796 long fd;
3797 long how;
3798 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3799
3800 struct sonode *so;
3801 char so_laddr[sizeof (struct sockaddr_in6)];
3802 char so_faddr[sizeof (struct sockaddr_in6)];
3803 int err, fd;
3804 socklen_t len;
3805 short so_family, so_type;
3806 int add_sock_token = 0;
3807 file_t *fp; /* unix domain sockets */
3808 struct f_audit_data *fad; /* unix domain sockets */
3809
3810 fd = (int)uap->fd;
3811
3812 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3813 /*
3814 * not security relevant if doing a shutdown using non socket
3815 * so no extra tokens. Should probably turn off audit record
3816 * generation here.
3817 */
3818 return;
3819 }
3820
3821 so_family = so->so_family;
3822 so_type = so->so_type;
3823
3824 switch (so_family) {
3825 case AF_INET:
3826 case AF_INET6:
3827
3828 bzero(so_laddr, sizeof (so_laddr));
3829 bzero(so_faddr, sizeof (so_faddr));
3830
3831 len = sizeof (so_laddr);
3832 (void) socket_getsockname(so,
3833 (struct sockaddr *)so_laddr, &len, CRED());
3834 len = sizeof (so_faddr);
3835 (void) socket_getpeername(so,
3836 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3837
3838 add_sock_token = 1;
3839
3840 break;
3841
3842 case AF_UNIX:
3843
3844 /* get path from file struct here */
3845 fad = F2A(fp);
3846 ASSERT(fad);
3847
3848 if (fad->fad_aupath != NULL) {
3849 au_uwrite(au_to_path(fad->fad_aupath));
3850 } else {
3851 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3852 }
3853
3854 audit_attributes(fp->f_vnode);
3855
3856 break;
3857
3858 default:
3859 /*
3860 * AF_KEY and AF_ROUTE support shutdown. No socket token
3861 * added.
3862 */
3863 break;
3864 }
3865
3866 releasef(fd);
3867
3868 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3869
3870 if (add_sock_token == 0) {
3871 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3872 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3873 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3874 return;
3875 }
3876
3877 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3878
3879 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3880
3881 }
3882
3883 /*ARGSUSED*/
3884 static void
auf_setsockopt(struct t_audit_data * tad,int error,rval_t * rval)3885 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3886 {
3887 struct a {
3888 long fd;
3889 long level;
3890 long optname;
3891 long *optval;
3892 long optlen;
3893 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3894
3895 struct sonode *so;
3896 char so_laddr[sizeof (struct sockaddr_in6)];
3897 char so_faddr[sizeof (struct sockaddr_in6)];
3898 char val[AU_BUFSIZE];
3899 int err, fd;
3900 socklen_t len;
3901 short so_family, so_type;
3902 int add_sock_token = 0;
3903 file_t *fp; /* unix domain sockets */
3904 struct f_audit_data *fad; /* unix domain sockets */
3905
3906 fd = (int)uap->fd;
3907
3908 if (error) {
3909 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3910 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3911 /* XXX may want to include other arguments */
3912 return;
3913 }
3914
3915 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3916 /*
3917 * not security relevant if doing a setsockopt from non socket
3918 * so no extra tokens. Should probably turn off audit record
3919 * generation here.
3920 */
3921 return;
3922 }
3923
3924 so_family = so->so_family;
3925 so_type = so->so_type;
3926
3927 switch (so_family) {
3928 case AF_INET:
3929 case AF_INET6:
3930 bzero((void *)so_laddr, sizeof (so_laddr));
3931 bzero((void *)so_faddr, sizeof (so_faddr));
3932
3933 /* get local and foreign addresses */
3934 len = sizeof (so_laddr);
3935 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3936 &len, CRED());
3937 len = sizeof (so_faddr);
3938 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3939 &len, B_FALSE, CRED());
3940
3941 add_sock_token = 1;
3942
3943 break;
3944
3945 case AF_UNIX:
3946
3947 /* get path from file struct here */
3948 fad = F2A(fp);
3949 ASSERT(fad);
3950
3951 if (fad->fad_aupath != NULL) {
3952 au_uwrite(au_to_path(fad->fad_aupath));
3953 } else {
3954 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3955 }
3956
3957 audit_attributes(fp->f_vnode);
3958
3959 break;
3960
3961 default:
3962 /*
3963 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3964 * added.
3965 */
3966 break;
3967 }
3968
3969 releasef(fd);
3970
3971 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3972
3973 if (add_sock_token == 0) {
3974 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3975 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3976 }
3977 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3978 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3979
3980 bzero(val, sizeof (val));
3981 len = min(uap->optlen, sizeof (val));
3982 if ((len > 0) &&
3983 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3984 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3985 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3986 }
3987
3988 if (add_sock_token == 0)
3989 return;
3990
3991 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3992
3993 }
3994
3995 /*ARGSUSED*/
3996 static void
aus_sockconfig(tad)3997 aus_sockconfig(tad)
3998 struct t_audit_data *tad;
3999 {
4000 struct a {
4001 long cmd;
4002 long arg1;
4003 long arg2;
4004 long arg3;
4005 long arg4;
4006 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4007
4008 char *buf;
4009 int buflen;
4010 size_t size;
4011
4012 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4013 switch (uap->cmd) {
4014 case SOCKCONFIG_ADD_SOCK:
4015 case SOCKCONFIG_REMOVE_SOCK:
4016 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4017 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4018 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4019
4020 if (uap->arg4 == 0) {
4021 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4022 } else {
4023 buflen = MAXPATHLEN + 1;
4024 buf = kmem_alloc(buflen, KM_SLEEP);
4025 if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4026 &size)) {
4027 kmem_free(buf, buflen);
4028 return;
4029 }
4030
4031 if (size > MAXPATHLEN) {
4032 kmem_free(buf, buflen);
4033 return;
4034 }
4035
4036 au_uwrite(au_to_text(buf));
4037 kmem_free(buf, buflen);
4038 }
4039 break;
4040 case SOCKCONFIG_ADD_FILTER:
4041 case SOCKCONFIG_REMOVE_FILTER:
4042 buflen = FILNAME_MAX;
4043 buf = kmem_alloc(buflen, KM_SLEEP);
4044
4045 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4046 kmem_free(buf, buflen);
4047 return;
4048 }
4049
4050 au_uwrite(au_to_text(buf));
4051 kmem_free(buf, buflen);
4052 break;
4053 default:
4054 break;
4055 }
4056 }
4057
4058 /*
4059 * only audit recvmsg when the system call represents the creation of a new
4060 * circuit. This effectively occurs for all UDP packets and may occur for
4061 * special TCP situations where the local host has not set a local address
4062 * in the socket structure.
4063 */
4064 /*ARGSUSED*/
4065 static void
auf_recvmsg(struct t_audit_data * tad,int error,rval_t * rvp)4066 auf_recvmsg(
4067 struct t_audit_data *tad,
4068 int error,
4069 rval_t *rvp)
4070 {
4071 struct a {
4072 long fd;
4073 long msg; /* struct msghdr */
4074 long flags;
4075 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4076
4077 struct sonode *so;
4078 STRUCT_DECL(msghdr, msg);
4079 caddr_t msg_name;
4080 socklen_t msg_namelen;
4081 int fd;
4082 int err;
4083 char so_laddr[sizeof (struct sockaddr_in6)];
4084 char so_faddr[sizeof (struct sockaddr_in6)];
4085 socklen_t len;
4086 file_t *fp; /* unix domain sockets */
4087 struct f_audit_data *fad; /* unix domain sockets */
4088 short so_family, so_type;
4089 int add_sock_token = 0;
4090 au_kcontext_t *kctx = GET_KCTX_PZ;
4091
4092 fd = (int)uap->fd;
4093
4094 /* bail if an error */
4095 if (error) {
4096 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4097 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4098 return;
4099 }
4100
4101 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4102 /*
4103 * not security relevant if doing a recvmsg from non socket
4104 * so no extra tokens. Should probably turn off audit record
4105 * generation here.
4106 */
4107 return;
4108 }
4109
4110 so_family = so->so_family;
4111 so_type = so->so_type;
4112
4113 /*
4114 * only putout SOCKET_EX token if INET/INET6 family.
4115 * XXX - what do we do about other families?
4116 */
4117
4118 switch (so_family) {
4119 case AF_INET:
4120 case AF_INET6:
4121
4122 /*
4123 * if datagram type socket, then just use what is in
4124 * socket structure for local address.
4125 * XXX - what do we do for other types?
4126 */
4127 if ((so->so_type == SOCK_DGRAM) ||
4128 (so->so_type == SOCK_RAW)) {
4129 add_sock_token = 1;
4130
4131 bzero((void *)so_laddr, sizeof (so_laddr));
4132 bzero((void *)so_faddr, sizeof (so_faddr));
4133
4134 /* get local address */
4135 len = sizeof (so_laddr);
4136 (void) socket_getsockname(so,
4137 (struct sockaddr *)so_laddr, &len, CRED());
4138
4139 /* get peer address */
4140 STRUCT_INIT(msg, get_udatamodel());
4141
4142 if (copyin((caddr_t)(uap->msg),
4143 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4144 break;
4145 }
4146 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4147 if (msg_name == NULL) {
4148 break;
4149 }
4150
4151 /* length is value from recvmsg - sanity check */
4152 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4153 if (msg_namelen == 0) {
4154 break;
4155 }
4156 if (copyin(msg_name, so_faddr,
4157 sizeof (so_faddr)) != 0) {
4158 break;
4159 }
4160
4161 } else if (so->so_type == SOCK_STREAM) {
4162
4163 /* get path from file struct here */
4164 fad = F2A(fp);
4165 ASSERT(fad);
4166
4167 /*
4168 * already processed this file for read attempt
4169 */
4170 if (fad->fad_flags & FAD_READ) {
4171 /* don't want to audit every recvmsg attempt */
4172 tad->tad_flag = 0;
4173 /* free any residual audit data */
4174 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4175 releasef(fd);
4176 return;
4177 }
4178 /*
4179 * mark things so we know what happened and don't
4180 * repeat things
4181 */
4182 fad->fad_flags |= FAD_READ;
4183
4184 bzero((void *)so_laddr, sizeof (so_laddr));
4185 bzero((void *)so_faddr, sizeof (so_faddr));
4186
4187 /* get local and foreign addresses */
4188 len = sizeof (so_laddr);
4189 (void) socket_getsockname(so,
4190 (struct sockaddr *)so_laddr, &len, CRED());
4191 len = sizeof (so_faddr);
4192 (void) socket_getpeername(so,
4193 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4194
4195 add_sock_token = 1;
4196 }
4197
4198 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4199
4200 break;
4201
4202 case AF_UNIX:
4203 /*
4204 * first check if this is first time through. Too much
4205 * duplicate code to put this in an aui_ routine.
4206 */
4207
4208 /* get path from file struct here */
4209 fad = F2A(fp);
4210 ASSERT(fad);
4211
4212 /*
4213 * already processed this file for read attempt
4214 */
4215 if (fad->fad_flags & FAD_READ) {
4216 releasef(fd);
4217 /* don't want to audit every recvmsg attempt */
4218 tad->tad_flag = 0;
4219 /* free any residual audit data */
4220 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4221 return;
4222 }
4223 /*
4224 * mark things so we know what happened and don't
4225 * repeat things
4226 */
4227 fad->fad_flags |= FAD_READ;
4228
4229 if (fad->fad_aupath != NULL) {
4230 au_uwrite(au_to_path(fad->fad_aupath));
4231 } else {
4232 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4233 }
4234
4235 audit_attributes(fp->f_vnode);
4236
4237 releasef(fd);
4238
4239 return;
4240
4241 default:
4242 break;
4243
4244 }
4245
4246 releasef(fd);
4247
4248 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4249
4250 if (add_sock_token == 0) {
4251 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4252 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4253 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4254 return;
4255 }
4256
4257 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4258
4259 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4260
4261 }
4262
4263 /*ARGSUSED*/
4264 static void
auf_recvfrom(struct t_audit_data * tad,int error,rval_t * rvp)4265 auf_recvfrom(
4266 struct t_audit_data *tad,
4267 int error,
4268 rval_t *rvp)
4269 {
4270
4271 struct a {
4272 long fd;
4273 long msg; /* char */
4274 long len;
4275 long flags;
4276 long from; /* struct sockaddr */
4277 long fromlen;
4278 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4279
4280 socklen_t fromlen;
4281 struct sonode *so;
4282 char so_laddr[sizeof (struct sockaddr_in6)];
4283 char so_faddr[sizeof (struct sockaddr_in6)];
4284 int fd;
4285 short so_family, so_type;
4286 int add_sock_token = 0;
4287 socklen_t len;
4288 int err;
4289 struct file *fp;
4290 struct f_audit_data *fad; /* unix domain sockets */
4291 au_kcontext_t *kctx = GET_KCTX_PZ;
4292
4293 fd = (int)uap->fd;
4294
4295 /* bail if an error */
4296 if (error) {
4297 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4298 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4299 return;
4300 }
4301
4302 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4303 /*
4304 * not security relevant if doing a recvmsg from non socket
4305 * so no extra tokens. Should probably turn off audit record
4306 * generation here.
4307 */
4308 return;
4309 }
4310
4311 so_family = so->so_family;
4312 so_type = so->so_type;
4313
4314 /*
4315 * only putout SOCKET_EX token if INET/INET6 family.
4316 * XXX - what do we do about other families?
4317 */
4318
4319 switch (so_family) {
4320 case AF_INET:
4321 case AF_INET6:
4322
4323 /*
4324 * if datagram type socket, then just use what is in
4325 * socket structure for local address.
4326 * XXX - what do we do for other types?
4327 */
4328 if ((so->so_type == SOCK_DGRAM) ||
4329 (so->so_type == SOCK_RAW)) {
4330 add_sock_token = 1;
4331
4332 /* get local address */
4333 len = sizeof (so_laddr);
4334 (void) socket_getsockname(so,
4335 (struct sockaddr *)so_laddr, &len, CRED());
4336
4337 /* get peer address */
4338 bzero((void *)so_faddr, sizeof (so_faddr));
4339
4340 /* sanity check */
4341 if (uap->from == NULL)
4342 break;
4343
4344 /* sanity checks */
4345 if (uap->fromlen == 0)
4346 break;
4347
4348 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4349 sizeof (fromlen)) != 0)
4350 break;
4351
4352 if (fromlen == 0)
4353 break;
4354
4355 /* enforce maximum size */
4356 if (fromlen > sizeof (so_faddr))
4357 fromlen = sizeof (so_faddr);
4358
4359 if (copyin((caddr_t)(uap->from), so_faddr,
4360 fromlen) != 0)
4361 break;
4362
4363 } else if (so->so_type == SOCK_STREAM) {
4364
4365 /* get path from file struct here */
4366 fad = F2A(fp);
4367 ASSERT(fad);
4368
4369 /*
4370 * already processed this file for read attempt
4371 */
4372 if (fad->fad_flags & FAD_READ) {
4373 /* don't want to audit every recvfrom attempt */
4374 tad->tad_flag = 0;
4375 /* free any residual audit data */
4376 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4377 releasef(fd);
4378 return;
4379 }
4380 /*
4381 * mark things so we know what happened and don't
4382 * repeat things
4383 */
4384 fad->fad_flags |= FAD_READ;
4385
4386 bzero((void *)so_laddr, sizeof (so_laddr));
4387 bzero((void *)so_faddr, sizeof (so_faddr));
4388
4389 /* get local and foreign addresses */
4390 len = sizeof (so_laddr);
4391 (void) socket_getsockname(so,
4392 (struct sockaddr *)so_laddr, &len, CRED());
4393 len = sizeof (so_faddr);
4394 (void) socket_getpeername(so,
4395 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4396
4397 add_sock_token = 1;
4398 }
4399
4400 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4401
4402 break;
4403
4404 case AF_UNIX:
4405 /*
4406 * first check if this is first time through. Too much
4407 * duplicate code to put this in an aui_ routine.
4408 */
4409
4410 /* get path from file struct here */
4411 fad = F2A(fp);
4412 ASSERT(fad);
4413
4414 /*
4415 * already processed this file for read attempt
4416 */
4417 if (fad->fad_flags & FAD_READ) {
4418 /* don't want to audit every recvfrom attempt */
4419 tad->tad_flag = 0;
4420 /* free any residual audit data */
4421 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4422 releasef(fd);
4423 return;
4424 }
4425 /*
4426 * mark things so we know what happened and don't
4427 * repeat things
4428 */
4429 fad->fad_flags |= FAD_READ;
4430
4431 if (fad->fad_aupath != NULL) {
4432 au_uwrite(au_to_path(fad->fad_aupath));
4433 } else {
4434 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4435 }
4436
4437 audit_attributes(fp->f_vnode);
4438
4439 releasef(fd);
4440
4441 return;
4442
4443 default:
4444 break;
4445
4446 }
4447
4448 releasef(fd);
4449
4450 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4451
4452 if (add_sock_token == 0) {
4453 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4454 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4455 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4456 return;
4457 }
4458
4459 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4460
4461 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4462 }
4463
4464 /*ARGSUSED*/
4465 static void
auf_sendmsg(struct t_audit_data * tad,int error,rval_t * rval)4466 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4467 {
4468 struct a {
4469 long fd;
4470 long msg; /* struct msghdr */
4471 long flags;
4472 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4473
4474 struct sonode *so;
4475 char so_laddr[sizeof (struct sockaddr_in6)];
4476 char so_faddr[sizeof (struct sockaddr_in6)];
4477 int err;
4478 int fd;
4479 short so_family, so_type;
4480 int add_sock_token = 0;
4481 socklen_t len;
4482 struct file *fp;
4483 struct f_audit_data *fad;
4484 caddr_t msg_name;
4485 socklen_t msg_namelen;
4486 STRUCT_DECL(msghdr, msg);
4487 au_kcontext_t *kctx = GET_KCTX_PZ;
4488
4489 fd = (int)uap->fd;
4490
4491 /* bail if an error */
4492 if (error) {
4493 /* XXX include destination address from system call arguments */
4494 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4495 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4496 return;
4497 }
4498
4499 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4500 /*
4501 * not security relevant if doing a sendmsg from non socket
4502 * so no extra tokens. Should probably turn off audit record
4503 * generation here.
4504 */
4505 return;
4506 }
4507
4508 so_family = so->so_family;
4509 so_type = so->so_type;
4510
4511 switch (so_family) {
4512 case AF_INET:
4513 case AF_INET6:
4514 /*
4515 * if datagram type socket, then just use what is in
4516 * socket structure for local address.
4517 * XXX - what do we do for other types?
4518 */
4519 if ((so->so_type == SOCK_DGRAM) ||
4520 (so->so_type == SOCK_RAW)) {
4521
4522 bzero((void *)so_laddr, sizeof (so_laddr));
4523 bzero((void *)so_faddr, sizeof (so_faddr));
4524
4525 /* get local address */
4526 len = sizeof (so_laddr);
4527 (void) socket_getsockname(so,
4528 (struct sockaddr *)so_laddr, &len, CRED());
4529
4530 /* get peer address */
4531 STRUCT_INIT(msg, get_udatamodel());
4532
4533 if (copyin((caddr_t)(uap->msg),
4534 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4535 break;
4536 }
4537 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4538 if (msg_name == NULL)
4539 break;
4540
4541 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4542 /* length is value from recvmsg - sanity check */
4543 if (msg_namelen == 0)
4544 break;
4545
4546 if (copyin(msg_name, so_faddr,
4547 sizeof (so_faddr)) != 0)
4548 break;
4549
4550 add_sock_token = 1;
4551
4552 } else if (so->so_type == SOCK_STREAM) {
4553
4554 /* get path from file struct here */
4555 fad = F2A(fp);
4556 ASSERT(fad);
4557
4558 /*
4559 * already processed this file for write attempt
4560 */
4561 if (fad->fad_flags & FAD_WRITE) {
4562 releasef(fd);
4563 /* don't want to audit every sendmsg attempt */
4564 tad->tad_flag = 0;
4565 /* free any residual audit data */
4566 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4567 return;
4568 }
4569
4570 /*
4571 * mark things so we know what happened and don't
4572 * repeat things
4573 */
4574 fad->fad_flags |= FAD_WRITE;
4575
4576 bzero((void *)so_laddr, sizeof (so_laddr));
4577 bzero((void *)so_faddr, sizeof (so_faddr));
4578
4579 /* get local and foreign addresses */
4580 len = sizeof (so_laddr);
4581 (void) socket_getsockname(so,
4582 (struct sockaddr *)so_laddr, &len, CRED());
4583 len = sizeof (so_faddr);
4584 (void) socket_getpeername(so,
4585 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4586
4587 add_sock_token = 1;
4588 }
4589
4590 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4591
4592 break;
4593
4594 case AF_UNIX:
4595 /*
4596 * first check if this is first time through. Too much
4597 * duplicate code to put this in an aui_ routine.
4598 */
4599
4600 /* get path from file struct here */
4601 fad = F2A(fp);
4602 ASSERT(fad);
4603
4604 /*
4605 * already processed this file for write attempt
4606 */
4607 if (fad->fad_flags & FAD_WRITE) {
4608 releasef(fd);
4609 /* don't want to audit every sendmsg attempt */
4610 tad->tad_flag = 0;
4611 /* free any residual audit data */
4612 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4613 return;
4614 }
4615 /*
4616 * mark things so we know what happened and don't
4617 * repeat things
4618 */
4619 fad->fad_flags |= FAD_WRITE;
4620
4621 if (fad->fad_aupath != NULL) {
4622 au_uwrite(au_to_path(fad->fad_aupath));
4623 } else {
4624 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4625 }
4626
4627 audit_attributes(fp->f_vnode);
4628
4629 releasef(fd);
4630
4631 return;
4632
4633 default:
4634 break;
4635 }
4636
4637 releasef(fd);
4638
4639 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4640
4641 if (add_sock_token == 0) {
4642 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4643 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4644 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4645 return;
4646 }
4647
4648 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4649
4650 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4651 }
4652
4653 /*ARGSUSED*/
4654 static void
auf_sendto(struct t_audit_data * tad,int error,rval_t * rval)4655 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4656 {
4657 struct a {
4658 long fd;
4659 long msg; /* char */
4660 long len;
4661 long flags;
4662 long to; /* struct sockaddr */
4663 long tolen;
4664 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4665
4666 struct sonode *so;
4667 char so_laddr[sizeof (struct sockaddr_in6)];
4668 char so_faddr[sizeof (struct sockaddr_in6)];
4669 socklen_t tolen;
4670 int err;
4671 int fd;
4672 socklen_t len;
4673 short so_family, so_type;
4674 int add_sock_token = 0;
4675 struct file *fp;
4676 struct f_audit_data *fad;
4677 au_kcontext_t *kctx = GET_KCTX_PZ;
4678
4679 fd = (int)uap->fd;
4680
4681 /* bail if an error */
4682 if (error) {
4683 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4684 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4685 /* XXX include destination address from system call arguments */
4686 return;
4687 }
4688
4689 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4690 /*
4691 * not security relevant if doing a sendto using non socket
4692 * so no extra tokens. Should probably turn off audit record
4693 * generation here.
4694 */
4695 return;
4696 }
4697
4698 so_family = so->so_family;
4699 so_type = so->so_type;
4700
4701 /*
4702 * only putout SOCKET_EX token if INET/INET6 family.
4703 * XXX - what do we do about other families?
4704 */
4705
4706 switch (so_family) {
4707 case AF_INET:
4708 case AF_INET6:
4709
4710 /*
4711 * if datagram type socket, then just use what is in
4712 * socket structure for local address.
4713 * XXX - what do we do for other types?
4714 */
4715 if ((so->so_type == SOCK_DGRAM) ||
4716 (so->so_type == SOCK_RAW)) {
4717
4718 bzero((void *)so_laddr, sizeof (so_laddr));
4719 bzero((void *)so_faddr, sizeof (so_faddr));
4720
4721 /* get local address */
4722 len = sizeof (so_laddr);
4723 (void) socket_getsockname(so,
4724 (struct sockaddr *)so_laddr, &len, CRED());
4725
4726 /* get peer address */
4727
4728 /* sanity check */
4729 if (uap->to == NULL)
4730 break;
4731
4732 /* sanity checks */
4733 if (uap->tolen == 0)
4734 break;
4735
4736 tolen = (socklen_t)uap->tolen;
4737
4738 /* enforce maximum size */
4739 if (tolen > sizeof (so_faddr))
4740 tolen = sizeof (so_faddr);
4741
4742 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4743 break;
4744
4745 add_sock_token = 1;
4746 } else {
4747 /*
4748 * check if this is first time through.
4749 */
4750
4751 /* get path from file struct here */
4752 fad = F2A(fp);
4753 ASSERT(fad);
4754
4755 /*
4756 * already processed this file for write attempt
4757 */
4758 if (fad->fad_flags & FAD_WRITE) {
4759 /* don't want to audit every sendto attempt */
4760 tad->tad_flag = 0;
4761 /* free any residual audit data */
4762 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4763 releasef(fd);
4764 return;
4765 }
4766 /*
4767 * mark things so we know what happened and don't
4768 * repeat things
4769 */
4770 fad->fad_flags |= FAD_WRITE;
4771
4772 bzero((void *)so_laddr, sizeof (so_laddr));
4773 bzero((void *)so_faddr, sizeof (so_faddr));
4774
4775 /* get local and foreign addresses */
4776 len = sizeof (so_laddr);
4777 (void) socket_getsockname(so,
4778 (struct sockaddr *)so_laddr, &len, CRED());
4779 len = sizeof (so_faddr);
4780 (void) socket_getpeername(so,
4781 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4782
4783 add_sock_token = 1;
4784 }
4785
4786 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4787
4788 break;
4789
4790 case AF_UNIX:
4791 /*
4792 * first check if this is first time through. Too much
4793 * duplicate code to put this in an aui_ routine.
4794 */
4795
4796 /* get path from file struct here */
4797 fad = F2A(fp);
4798 ASSERT(fad);
4799
4800 /*
4801 * already processed this file for write attempt
4802 */
4803 if (fad->fad_flags & FAD_WRITE) {
4804 /* don't want to audit every sendto attempt */
4805 tad->tad_flag = 0;
4806 /* free any residual audit data */
4807 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4808 releasef(fd);
4809 return;
4810 }
4811 /*
4812 * mark things so we know what happened and don't
4813 * repeat things
4814 */
4815 fad->fad_flags |= FAD_WRITE;
4816
4817 if (fad->fad_aupath != NULL) {
4818 au_uwrite(au_to_path(fad->fad_aupath));
4819 } else {
4820 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4821 }
4822
4823 audit_attributes(fp->f_vnode);
4824
4825 releasef(fd);
4826
4827 return;
4828
4829 default:
4830 break;
4831
4832 }
4833
4834 releasef(fd);
4835
4836 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4837
4838 if (add_sock_token == 0) {
4839 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4840 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4841 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4842 return;
4843 }
4844
4845 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4846
4847 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4848
4849 }
4850
4851 /*
4852 * XXX socket(2) may be equivalent to open(2) on a unix domain
4853 * socket. This needs investigation.
4854 */
4855
4856 /*ARGSUSED*/
4857 static void
aus_socket(struct t_audit_data * tad)4858 aus_socket(struct t_audit_data *tad)
4859 {
4860 struct a {
4861 long domain;
4862 long type;
4863 long protocol;
4864 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4865
4866 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4867 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4868 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4869 }
4870
4871 /*ARGSUSED*/
4872 static void
aus_sigqueue(struct t_audit_data * tad)4873 aus_sigqueue(struct t_audit_data *tad)
4874 {
4875 struct a {
4876 long pid;
4877 long signo;
4878 long *val;
4879 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4880 struct proc *p;
4881 uid_t uid, ruid;
4882 gid_t gid, rgid;
4883 pid_t pid;
4884 const auditinfo_addr_t *ainfo;
4885 cred_t *cr;
4886
4887 pid = (pid_t)uap->pid;
4888
4889 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4890 if (pid > 0) {
4891 mutex_enter(&pidlock);
4892 if ((p = prfind(pid)) == (struct proc *)0) {
4893 mutex_exit(&pidlock);
4894 return;
4895 }
4896 mutex_enter(&p->p_lock); /* so process doesn't go away */
4897 mutex_exit(&pidlock);
4898
4899 mutex_enter(&p->p_crlock);
4900 crhold(cr = p->p_cred);
4901 mutex_exit(&p->p_crlock);
4902 mutex_exit(&p->p_lock);
4903
4904 ainfo = crgetauinfo(cr);
4905 if (ainfo == NULL) {
4906 crfree(cr);
4907 return;
4908 }
4909
4910 uid = crgetuid(cr);
4911 gid = crgetgid(cr);
4912 ruid = crgetruid(cr);
4913 rgid = crgetrgid(cr);
4914 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4915 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4916 crfree(cr);
4917 }
4918 else
4919 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4920 }
4921
4922 /*ARGSUSED*/
4923 static void
aus_inst_sync(struct t_audit_data * tad)4924 aus_inst_sync(struct t_audit_data *tad)
4925 {
4926 struct a {
4927 long name; /* char */
4928 long flags;
4929 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4930
4931 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4932 }
4933
4934 /*ARGSUSED*/
4935 static void
aus_brandsys(struct t_audit_data * tad)4936 aus_brandsys(struct t_audit_data *tad)
4937 {
4938 klwp_t *clwp = ttolwp(curthread);
4939
4940 struct a {
4941 long cmd;
4942 long arg1;
4943 long arg2;
4944 long arg3;
4945 long arg4;
4946 long arg5;
4947 long arg6;
4948 } *uap = (struct a *)clwp->lwp_ap;
4949
4950 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4951 #ifdef _LP64
4952 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4953 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4954 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4955 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4956 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4957 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4958 #else
4959 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4960 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4961 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4962 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4963 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4964 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4965 #endif
4966 }
4967
4968 /*ARGSUSED*/
4969 static void
aus_p_online(struct t_audit_data * tad)4970 aus_p_online(struct t_audit_data *tad)
4971 {
4972 struct a {
4973 long processor_id;
4974 long flag;
4975 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4976
4977 struct flags {
4978 int flag;
4979 char *cflag;
4980 } aflags[6] = {
4981 { P_ONLINE, "P_ONLINE"},
4982 { P_OFFLINE, "P_OFFLINE"},
4983 { P_NOINTR, "P_NOINTR"},
4984 { P_SPARE, "P_SPARE"},
4985 { P_FAULTED, "P_FAULTED"},
4986 { P_STATUS, "P_STATUS"}
4987 };
4988 int i;
4989 char *cflag;
4990
4991 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4992 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4993
4994 for (i = 0; i < 6; i++) {
4995 if (aflags[i].flag == uap->flag)
4996 break;
4997 }
4998 cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4999
5000 au_uwrite(au_to_text(cflag));
5001 }
5002
5003 /*ARGSUSED*/
5004 static void
aus_processor_bind(struct t_audit_data * tad)5005 aus_processor_bind(struct t_audit_data *tad)
5006 {
5007 struct a {
5008 long id_type;
5009 long id;
5010 long processor_id;
5011 long obind;
5012 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5013
5014 struct proc *p;
5015 int lwpcnt;
5016 uid_t uid, ruid;
5017 gid_t gid, rgid;
5018 pid_t pid;
5019 const auditinfo_addr_t *ainfo;
5020 cred_t *cr;
5021
5022 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5023 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5024 if (uap->processor_id == PBIND_NONE)
5025 au_uwrite(au_to_text("PBIND_NONE"));
5026 else
5027 au_uwrite(au_to_arg32(3, "processor_id",
5028 (uint32_t)uap->processor_id));
5029
5030 switch (uap->id_type) {
5031 case P_MYID:
5032 case P_LWPID:
5033 mutex_enter(&pidlock);
5034 p = ttoproc(curthread);
5035 if (p == NULL || p->p_as == &kas) {
5036 mutex_exit(&pidlock);
5037 return;
5038 }
5039 mutex_enter(&p->p_lock);
5040 mutex_exit(&pidlock);
5041 lwpcnt = p->p_lwpcnt;
5042 pid = p->p_pid;
5043
5044 mutex_enter(&p->p_crlock);
5045 crhold(cr = p->p_cred);
5046 mutex_exit(&p->p_crlock);
5047 mutex_exit(&p->p_lock);
5048
5049 ainfo = crgetauinfo(cr);
5050 if (ainfo == NULL) {
5051 crfree(cr);
5052 return;
5053 }
5054
5055 uid = crgetuid(cr);
5056 gid = crgetgid(cr);
5057 ruid = crgetruid(cr);
5058 rgid = crgetrgid(cr);
5059 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5060 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5061 crfree(cr);
5062 break;
5063 case P_PID:
5064 mutex_enter(&pidlock);
5065 p = prfind(uap->id);
5066 if (p == NULL || p->p_as == &kas) {
5067 mutex_exit(&pidlock);
5068 return;
5069 }
5070 mutex_enter(&p->p_lock);
5071 mutex_exit(&pidlock);
5072 lwpcnt = p->p_lwpcnt;
5073 pid = p->p_pid;
5074
5075 mutex_enter(&p->p_crlock);
5076 crhold(cr = p->p_cred);
5077 mutex_exit(&p->p_crlock);
5078 mutex_exit(&p->p_lock);
5079
5080 ainfo = crgetauinfo(cr);
5081 if (ainfo == NULL) {
5082 crfree(cr);
5083 return;
5084 }
5085
5086 uid = crgetuid(cr);
5087 gid = crgetgid(cr);
5088 ruid = crgetruid(cr);
5089 rgid = crgetrgid(cr);
5090 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5091 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5092 crfree(cr);
5093
5094 break;
5095 default:
5096 return;
5097 }
5098
5099 if (uap->processor_id == PBIND_NONE &&
5100 (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5101 au_uwrite(au_to_text("PBIND_NONE for process"));
5102 else
5103 au_uwrite(au_to_arg32(3, "processor_id",
5104 (uint32_t)uap->processor_id));
5105 }
5106
5107 /*ARGSUSED*/
5108 static au_event_t
aui_doorfs(au_event_t e)5109 aui_doorfs(au_event_t e)
5110 {
5111 uint32_t code;
5112
5113 struct a { /* doorfs */
5114 long a1;
5115 long a2;
5116 long a3;
5117 long a4;
5118 long a5;
5119 long code;
5120 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5121
5122 /*
5123 * audit formats for several of the
5124 * door calls have not yet been determined
5125 */
5126 code = (uint32_t)uap->code;
5127 switch (code) {
5128 case DOOR_CALL:
5129 e = AUE_DOORFS_DOOR_CALL;
5130 break;
5131 case DOOR_RETURN:
5132 e = AUE_NULL;
5133 break;
5134 case DOOR_CREATE:
5135 e = AUE_DOORFS_DOOR_CREATE;
5136 break;
5137 case DOOR_REVOKE:
5138 e = AUE_DOORFS_DOOR_REVOKE;
5139 break;
5140 case DOOR_INFO:
5141 e = AUE_NULL;
5142 break;
5143 case DOOR_UCRED:
5144 e = AUE_NULL;
5145 break;
5146 case DOOR_BIND:
5147 e = AUE_NULL;
5148 break;
5149 case DOOR_UNBIND:
5150 e = AUE_NULL;
5151 break;
5152 case DOOR_GETPARAM:
5153 e = AUE_NULL;
5154 break;
5155 case DOOR_SETPARAM:
5156 e = AUE_NULL;
5157 break;
5158 default: /* illegal system call */
5159 e = AUE_NULL;
5160 break;
5161 }
5162
5163 return (e);
5164 }
5165
5166 static door_node_t *
au_door_lookup(int did)5167 au_door_lookup(int did)
5168 {
5169 vnode_t *vp;
5170 file_t *fp;
5171
5172 if ((fp = getf(did)) == NULL)
5173 return (NULL);
5174 /*
5175 * Use the underlying vnode (we may be namefs mounted)
5176 */
5177 if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5178 vp = fp->f_vnode;
5179
5180 if (vp == NULL || vp->v_type != VDOOR) {
5181 releasef(did);
5182 return (NULL);
5183 }
5184
5185 return (VTOD(vp));
5186 }
5187
5188 /*ARGSUSED*/
5189 static void
aus_doorfs(struct t_audit_data * tad)5190 aus_doorfs(struct t_audit_data *tad)
5191 {
5192
5193 struct a { /* doorfs */
5194 long a1;
5195 long a2;
5196 long a3;
5197 long a4;
5198 long a5;
5199 long code;
5200 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5201
5202 door_node_t *dp;
5203 struct proc *p;
5204 uint32_t did;
5205 uid_t uid, ruid;
5206 gid_t gid, rgid;
5207 pid_t pid;
5208 const auditinfo_addr_t *ainfo;
5209 cred_t *cr;
5210
5211 did = (uint32_t)uap->a1;
5212
5213 switch (tad->tad_event) {
5214 case AUE_DOORFS_DOOR_CALL:
5215 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5216 if ((dp = au_door_lookup(did)) == NULL)
5217 break;
5218
5219 if (DOOR_INVALID(dp)) {
5220 releasef(did);
5221 break;
5222 }
5223
5224 if ((p = dp->door_target) == NULL) {
5225 releasef(did);
5226 break;
5227 }
5228 mutex_enter(&p->p_lock);
5229 releasef(did);
5230
5231 pid = p->p_pid;
5232
5233 mutex_enter(&p->p_crlock);
5234 crhold(cr = p->p_cred);
5235 mutex_exit(&p->p_crlock);
5236 mutex_exit(&p->p_lock);
5237
5238 ainfo = crgetauinfo(cr);
5239 if (ainfo == NULL) {
5240 crfree(cr);
5241 return;
5242 }
5243 uid = crgetuid(cr);
5244 gid = crgetgid(cr);
5245 ruid = crgetruid(cr);
5246 rgid = crgetrgid(cr);
5247 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5248 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5249 crfree(cr);
5250 break;
5251 case AUE_DOORFS_DOOR_RETURN:
5252 /*
5253 * We may want to write information about
5254 * all doors (if any) which will be copied
5255 * by this call to the user space
5256 */
5257 break;
5258 case AUE_DOORFS_DOOR_CREATE:
5259 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5260 break;
5261 case AUE_DOORFS_DOOR_REVOKE:
5262 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5263 break;
5264 case AUE_DOORFS_DOOR_INFO:
5265 break;
5266 case AUE_DOORFS_DOOR_CRED:
5267 break;
5268 case AUE_DOORFS_DOOR_BIND:
5269 break;
5270 case AUE_DOORFS_DOOR_UNBIND: {
5271 break;
5272 }
5273 default: /* illegal system call */
5274 break;
5275 }
5276 }
5277
5278 /*ARGSUSED*/
5279 static au_event_t
aui_acl(au_event_t e)5280 aui_acl(au_event_t e)
5281 {
5282 struct a {
5283 union {
5284 long name; /* char */
5285 long fd;
5286 } obj;
5287
5288 long cmd;
5289 long nentries;
5290 long arg; /* aclent_t */
5291 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5292
5293 switch (uap->cmd) {
5294 case SETACL:
5295 case ACE_SETACL:
5296 /*
5297 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5298 * are expected.
5299 */
5300 break;
5301 case GETACL:
5302 case GETACLCNT:
5303 case ACE_GETACL:
5304 case ACE_GETACLCNT:
5305 /* do nothing for these four values. */
5306 e = AUE_NULL;
5307 break;
5308 default:
5309 /* illegal system call */
5310 break;
5311 }
5312
5313 return (e);
5314 }
5315
5316 static void
au_acl(int cmd,int nentries,caddr_t bufp)5317 au_acl(int cmd, int nentries, caddr_t bufp)
5318 {
5319 size_t a_size;
5320 aclent_t *aclbufp;
5321 ace_t *acebufp;
5322 int i;
5323
5324 switch (cmd) {
5325 case GETACL:
5326 case GETACLCNT:
5327 break;
5328 case SETACL:
5329 if (nentries < 3)
5330 break;
5331
5332 a_size = nentries * sizeof (aclent_t);
5333
5334 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5335 break;
5336 if (copyin(bufp, aclbufp, a_size)) {
5337 kmem_free(aclbufp, a_size);
5338 break;
5339 }
5340 for (i = 0; i < nentries; i++) {
5341 au_uwrite(au_to_acl(aclbufp + i));
5342 }
5343 kmem_free(aclbufp, a_size);
5344 break;
5345
5346 case ACE_SETACL:
5347 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5348 break;
5349
5350 a_size = nentries * sizeof (ace_t);
5351 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5352 break;
5353 if (copyin(bufp, acebufp, a_size)) {
5354 kmem_free(acebufp, a_size);
5355 break;
5356 }
5357 for (i = 0; i < nentries; i++) {
5358 au_uwrite(au_to_ace(acebufp + i));
5359 }
5360 kmem_free(acebufp, a_size);
5361 break;
5362 default:
5363 break;
5364 }
5365 }
5366
5367 /*ARGSUSED*/
5368 static void
aus_acl(struct t_audit_data * tad)5369 aus_acl(struct t_audit_data *tad)
5370 {
5371 struct a {
5372 long fname;
5373 long cmd;
5374 long nentries;
5375 long aclbufp;
5376 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5377
5378 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5379 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5380
5381 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5382 }
5383
5384 /*ARGSUSED*/
5385 static void
aus_facl(struct t_audit_data * tad)5386 aus_facl(struct t_audit_data *tad)
5387 {
5388 struct a {
5389 long fd;
5390 long cmd;
5391 long nentries;
5392 long aclbufp;
5393 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5394 struct file *fp;
5395 struct vnode *vp;
5396 struct f_audit_data *fad;
5397 int fd;
5398
5399 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5400 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5401
5402 fd = (int)uap->fd;
5403
5404 if ((fp = getf(fd)) == NULL)
5405 return;
5406
5407 /* get path from file struct here */
5408 fad = F2A(fp);
5409 if (fad->fad_aupath != NULL) {
5410 au_uwrite(au_to_path(fad->fad_aupath));
5411 } else {
5412 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5413 }
5414
5415 vp = fp->f_vnode;
5416 audit_attributes(vp);
5417
5418 /* decrement file descriptor reference count */
5419 releasef(fd);
5420
5421 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5422 }
5423
5424 /*ARGSUSED*/
5425 static void
auf_read(tad,error,rval)5426 auf_read(tad, error, rval)
5427 struct t_audit_data *tad;
5428 int error;
5429 rval_t *rval;
5430 {
5431 struct file *fp;
5432 struct f_audit_data *fad;
5433 int fd;
5434 register struct a {
5435 long fd;
5436 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5437 au_kcontext_t *kctx = GET_KCTX_PZ;
5438
5439 fd = (int)uap->fd;
5440
5441 /*
5442 * convert file pointer to file descriptor
5443 * Note: fd ref count incremented here.
5444 */
5445 if ((fp = getf(fd)) == NULL)
5446 return;
5447
5448 /* get path from file struct here */
5449 fad = F2A(fp);
5450 ASSERT(fad);
5451
5452 /*
5453 * already processed this file for read attempt
5454 *
5455 * XXX might be better to turn off auditing in a aui_read() routine.
5456 */
5457 if (fad->fad_flags & FAD_READ) {
5458 /* don't really want to audit every read attempt */
5459 tad->tad_flag = 0;
5460 /* free any residual audit data */
5461 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5462 releasef(fd);
5463 return;
5464 }
5465 /* mark things so we know what happened and don't repeat things */
5466 fad->fad_flags |= FAD_READ;
5467
5468 if (fad->fad_aupath != NULL) {
5469 au_uwrite(au_to_path(fad->fad_aupath));
5470 } else {
5471 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5472 }
5473
5474 /* include attributes */
5475 audit_attributes(fp->f_vnode);
5476
5477 /* decrement file descriptor reference count */
5478 releasef(fd);
5479 }
5480
5481 /*ARGSUSED*/
5482 static void
auf_write(tad,error,rval)5483 auf_write(tad, error, rval)
5484 struct t_audit_data *tad;
5485 int error;
5486 rval_t *rval;
5487 {
5488 struct file *fp;
5489 struct f_audit_data *fad;
5490 int fd;
5491 register struct a {
5492 long fd;
5493 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5494 au_kcontext_t *kctx = GET_KCTX_PZ;
5495
5496 fd = (int)uap->fd;
5497
5498 /*
5499 * convert file pointer to file descriptor
5500 * Note: fd ref count incremented here.
5501 */
5502 if ((fp = getf(fd)) == NULL)
5503 return;
5504
5505 /* get path from file struct here */
5506 fad = F2A(fp);
5507 ASSERT(fad);
5508
5509 /*
5510 * already processed this file for write attempt
5511 *
5512 * XXX might be better to turn off auditing in a aus_write() routine.
5513 */
5514 if (fad->fad_flags & FAD_WRITE) {
5515 /* don't really want to audit every write attempt */
5516 tad->tad_flag = 0;
5517 /* free any residual audit data */
5518 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5519 releasef(fd);
5520 return;
5521 }
5522 /* mark things so we know what happened and don't repeat things */
5523 fad->fad_flags |= FAD_WRITE;
5524
5525 if (fad->fad_aupath != NULL) {
5526 au_uwrite(au_to_path(fad->fad_aupath));
5527 } else {
5528 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5529 }
5530
5531 /* include attributes */
5532 audit_attributes(fp->f_vnode);
5533
5534 /* decrement file descriptor reference count */
5535 releasef(fd);
5536 }
5537
5538 /*ARGSUSED*/
5539 static void
auf_recv(tad,error,rval)5540 auf_recv(tad, error, rval)
5541 struct t_audit_data *tad;
5542 int error;
5543 rval_t *rval;
5544 {
5545 struct sonode *so;
5546 char so_laddr[sizeof (struct sockaddr_in6)];
5547 char so_faddr[sizeof (struct sockaddr_in6)];
5548 struct file *fp;
5549 struct f_audit_data *fad;
5550 int fd;
5551 int err;
5552 socklen_t len;
5553 short so_family, so_type;
5554 register struct a {
5555 long fd;
5556 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5557 au_kcontext_t *kctx = GET_KCTX_PZ;
5558
5559 /*
5560 * If there was an error, then nothing to do. Only generate
5561 * audit record on first successful recv.
5562 */
5563 if (error) {
5564 /* Turn off audit record generation here. */
5565 tad->tad_flag = 0;
5566 /* free any residual audit data */
5567 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5568 return;
5569 }
5570
5571 fd = (int)uap->fd;
5572
5573 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5574 /* Turn off audit record generation here. */
5575 tad->tad_flag = 0;
5576 /* free any residual audit data */
5577 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5578 return;
5579 }
5580
5581 /* get path from file struct here */
5582 fad = F2A(fp);
5583 ASSERT(fad);
5584
5585 /*
5586 * already processed this file for read attempt
5587 */
5588 if (fad->fad_flags & FAD_READ) {
5589 releasef(fd);
5590 /* don't really want to audit every recv call */
5591 tad->tad_flag = 0;
5592 /* free any residual audit data */
5593 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5594 return;
5595 }
5596
5597 /* mark things so we know what happened and don't repeat things */
5598 fad->fad_flags |= FAD_READ;
5599
5600 so_family = so->so_family;
5601 so_type = so->so_type;
5602
5603 switch (so_family) {
5604 case AF_INET:
5605 case AF_INET6:
5606 /*
5607 * Only for connections.
5608 * XXX - do we need to worry about SOCK_DGRAM or other types???
5609 */
5610 if (so->so_state & SS_ISBOUND) {
5611
5612 bzero((void *)so_laddr, sizeof (so_laddr));
5613 bzero((void *)so_faddr, sizeof (so_faddr));
5614
5615 /* get local and foreign addresses */
5616 len = sizeof (so_laddr);
5617 (void) socket_getsockname(so,
5618 (struct sockaddr *)so_laddr, &len, CRED());
5619 len = sizeof (so_faddr);
5620 (void) socket_getpeername(so,
5621 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5622
5623 /*
5624 * only way to drop out of switch. Note that we
5625 * we release fd below.
5626 */
5627
5628 break;
5629 }
5630
5631 releasef(fd);
5632
5633 /* don't really want to audit every recv call */
5634 tad->tad_flag = 0;
5635 /* free any residual audit data */
5636 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5637
5638 return;
5639
5640 case AF_UNIX:
5641
5642 if (fad->fad_aupath != NULL) {
5643 au_uwrite(au_to_path(fad->fad_aupath));
5644 } else {
5645 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5646 }
5647
5648 audit_attributes(fp->f_vnode);
5649
5650 releasef(fd);
5651
5652 return;
5653
5654 default:
5655 releasef(fd);
5656
5657 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5658 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5659 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5660
5661 return;
5662 }
5663
5664 releasef(fd);
5665
5666 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5667
5668 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5669
5670 }
5671
5672 /*ARGSUSED*/
5673 static void
auf_send(tad,error,rval)5674 auf_send(tad, error, rval)
5675 struct t_audit_data *tad;
5676 int error;
5677 rval_t *rval;
5678 {
5679 struct sonode *so;
5680 char so_laddr[sizeof (struct sockaddr_in6)];
5681 char so_faddr[sizeof (struct sockaddr_in6)];
5682 struct file *fp;
5683 struct f_audit_data *fad;
5684 int fd;
5685 int err;
5686 socklen_t len;
5687 short so_family, so_type;
5688 register struct a {
5689 long fd;
5690 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5691 au_kcontext_t *kctx = GET_KCTX_PZ;
5692
5693 fd = (int)uap->fd;
5694
5695 /*
5696 * If there was an error, then nothing to do. Only generate
5697 * audit record on first successful send.
5698 */
5699 if (error != 0) {
5700 /* Turn off audit record generation here. */
5701 tad->tad_flag = 0;
5702 /* free any residual audit data */
5703 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5704 return;
5705 }
5706
5707 fd = (int)uap->fd;
5708
5709 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5710 /* Turn off audit record generation here. */
5711 tad->tad_flag = 0;
5712 /* free any residual audit data */
5713 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5714 return;
5715 }
5716
5717 /* get path from file struct here */
5718 fad = F2A(fp);
5719 ASSERT(fad);
5720
5721 /*
5722 * already processed this file for write attempt
5723 */
5724 if (fad->fad_flags & FAD_WRITE) {
5725 releasef(fd);
5726 /* don't really want to audit every send call */
5727 tad->tad_flag = 0;
5728 /* free any residual audit data */
5729 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5730 return;
5731 }
5732
5733 /* mark things so we know what happened and don't repeat things */
5734 fad->fad_flags |= FAD_WRITE;
5735
5736 so_family = so->so_family;
5737 so_type = so->so_type;
5738
5739 switch (so_family) {
5740 case AF_INET:
5741 case AF_INET6:
5742 /*
5743 * Only for connections.
5744 * XXX - do we need to worry about SOCK_DGRAM or other types???
5745 */
5746 if (so->so_state & SS_ISBOUND) {
5747
5748 bzero((void *)so_laddr, sizeof (so_laddr));
5749 bzero((void *)so_faddr, sizeof (so_faddr));
5750
5751 /* get local and foreign addresses */
5752 len = sizeof (so_laddr);
5753 (void) socket_getsockname(so,
5754 (struct sockaddr *)so_laddr, &len, CRED());
5755 len = sizeof (so_faddr);
5756 (void) socket_getpeername(so,
5757 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5758
5759 /*
5760 * only way to drop out of switch. Note that we
5761 * we release fd below.
5762 */
5763
5764 break;
5765 }
5766
5767 releasef(fd);
5768 /* don't really want to audit every send call */
5769 tad->tad_flag = 0;
5770 /* free any residual audit data */
5771 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5772
5773 return;
5774
5775 case AF_UNIX:
5776
5777 if (fad->fad_aupath != NULL) {
5778 au_uwrite(au_to_path(fad->fad_aupath));
5779 } else {
5780 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5781 }
5782
5783 audit_attributes(fp->f_vnode);
5784
5785 releasef(fd);
5786
5787 return;
5788
5789 default:
5790 releasef(fd);
5791
5792 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5793 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5794 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5795
5796 return;
5797 }
5798
5799 releasef(fd);
5800
5801 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5802
5803 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5804 }
5805
5806 static au_event_t
aui_forksys(au_event_t e)5807 aui_forksys(au_event_t e)
5808 {
5809 struct a {
5810 long subcode;
5811 long flags;
5812 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5813
5814 switch ((uint_t)uap->subcode) {
5815 case 0:
5816 e = AUE_FORK1;
5817 break;
5818 case 1:
5819 e = AUE_FORKALL;
5820 break;
5821 case 2:
5822 e = AUE_VFORK;
5823 break;
5824 default:
5825 e = AUE_NULL;
5826 break;
5827 }
5828
5829 return (e);
5830 }
5831
5832 /*ARGSUSED*/
5833 static au_event_t
aui_portfs(au_event_t e)5834 aui_portfs(au_event_t e)
5835 {
5836 struct a { /* portfs */
5837 long a1;
5838 long a2;
5839 long a3;
5840 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5841
5842 /*
5843 * check opcode
5844 */
5845 switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5846 case PORT_ASSOCIATE:
5847 /* check source */
5848 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5849 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5850 e = AUE_PORTFS_ASSOCIATE;
5851 } else {
5852 e = AUE_NULL;
5853 }
5854 break;
5855 case PORT_DISSOCIATE:
5856 /* check source */
5857 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5858 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5859 e = AUE_PORTFS_DISSOCIATE;
5860 } else {
5861 e = AUE_NULL;
5862 }
5863 break;
5864 default:
5865 e = AUE_NULL;
5866 }
5867 return (e);
5868 }
5869