1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25 * Copyright (c) 2018, Joyent, Inc.
26 * Copyright 2024 Oxide Computer Company
27 */
28
29 /*
30 * This file contains the audit event table used to control the production
31 * of audit records for each system call.
32 */
33
34 #include <sys/policy.h>
35 #include <sys/cred.h>
36 #include <sys/types.h>
37 #include <sys/systm.h>
38 #include <sys/systeminfo.h> /* for sysinfo auditing */
39 #include <sys/utsname.h> /* for sysinfo auditing */
40 #include <sys/proc.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h> /* for mmap(2) auditing etc. */
43 #include <sys/fcntl.h>
44 #include <sys/modctl.h> /* for modctl auditing */
45 #include <sys/vnode.h>
46 #include <sys/user.h>
47 #include <sys/types.h>
48 #include <sys/processor.h>
49 #include <sys/procset.h>
50 #include <sys/acl.h>
51 #include <sys/ipc.h>
52 #include <sys/door.h>
53 #include <sys/sem.h>
54 #include <sys/msg.h>
55 #include <sys/shm.h>
56 #include <sys/kmem.h>
57 #include <sys/file.h> /* for accept */
58 #include <sys/utssys.h> /* for fuser */
59 #include <sys/tsol/label.h>
60 #include <sys/tsol/tndb.h>
61 #include <sys/tsol/tsyscall.h>
62 #include <c2/audit.h>
63 #include <c2/audit_kernel.h>
64 #include <c2/audit_kevents.h>
65 #include <c2/audit_record.h>
66 #include <sys/procset.h>
67 #include <nfs/mount.h>
68 #include <sys/param.h>
69 #include <sys/debug.h>
70 #include <sys/sysmacros.h>
71 #include <sys/stream.h>
72 #include <sys/strsubr.h>
73 #include <sys/stropts.h>
74 #include <sys/tihdr.h>
75 #include <sys/socket.h>
76 #include <sys/socketvar.h>
77 #include <sys/vfs_opreg.h>
78 #include <fs/sockfs/sockcommon.h>
79 #include <netinet/in.h>
80 #include <sys/ddi.h>
81 #include <sys/port_impl.h>
82 #include <sys/secflags.h>
83 #include <sys/execx.h>
84
85 static au_event_t aui_fchownat(au_event_t);
86 static au_event_t aui_fchmodat(au_event_t);
87 static au_event_t aui_open(au_event_t);
88 static au_event_t aui_openat(au_event_t);
89 static au_event_t aui_unlinkat(au_event_t);
90 static au_event_t aui_fstatat(au_event_t);
91 static au_event_t aui_msgsys(au_event_t);
92 static au_event_t aui_shmsys(au_event_t);
93 static au_event_t aui_semsys(au_event_t);
94 static au_event_t aui_utssys(au_event_t);
95 static au_event_t aui_fcntl(au_event_t);
96 static au_event_t aui_execve(au_event_t);
97 static au_event_t aui_memcntl(au_event_t);
98 static au_event_t aui_sysinfo(au_event_t);
99 static au_event_t aui_portfs(au_event_t);
100 static au_event_t aui_auditsys(au_event_t);
101 static au_event_t aui_modctl(au_event_t);
102 static au_event_t aui_acl(au_event_t);
103 static au_event_t aui_doorfs(au_event_t);
104 static au_event_t aui_privsys(au_event_t);
105 static au_event_t aui_forksys(au_event_t);
106 static au_event_t aui_labelsys(au_event_t);
107 static au_event_t aui_setpgrp(au_event_t);
108
109
110 static void aus_exit(struct t_audit_data *);
111 static void aus_open(struct t_audit_data *);
112 static void aus_openat(struct t_audit_data *);
113 static void aus_acl(struct t_audit_data *);
114 static void aus_acct(struct t_audit_data *);
115 static void aus_chown(struct t_audit_data *);
116 static void aus_fchown(struct t_audit_data *);
117 static void aus_lchown(struct t_audit_data *);
118 static void aus_fchownat(struct t_audit_data *);
119 static void aus_chmod(struct t_audit_data *);
120 static void aus_facl(struct t_audit_data *);
121 static void aus_fchmod(struct t_audit_data *);
122 static void aus_fchmodat(struct t_audit_data *);
123 static void aus_fcntl(struct t_audit_data *);
124 static void aus_execve(struct t_audit_data *);
125 static void aus_mkdir(struct t_audit_data *);
126 static void aus_mkdirat(struct t_audit_data *);
127 static void aus_mknod(struct t_audit_data *);
128 static void aus_mknodat(struct t_audit_data *);
129 static void aus_mount(struct t_audit_data *);
130 static void aus_umount2(struct t_audit_data *);
131 static void aus_msgsys(struct t_audit_data *);
132 static void aus_semsys(struct t_audit_data *);
133 static void aus_close(struct t_audit_data *);
134 static void aus_fstatfs(struct t_audit_data *);
135 static void aus_setgid(struct t_audit_data *);
136 static void aus_setpgrp(struct t_audit_data *);
137 static void aus_setuid(struct t_audit_data *);
138 static void aus_shmsys(struct t_audit_data *);
139 static void aus_doorfs(struct t_audit_data *);
140 static void aus_ioctl(struct t_audit_data *);
141 static void aus_memcntl(struct t_audit_data *);
142 static void aus_mmap(struct t_audit_data *);
143 static void aus_munmap(struct t_audit_data *);
144 static void aus_priocntlsys(struct t_audit_data *);
145 static void aus_setegid(struct t_audit_data *);
146 static void aus_setgroups(struct t_audit_data *);
147 static void aus_seteuid(struct t_audit_data *);
148 static void aus_putmsg(struct t_audit_data *);
149 static void aus_putpmsg(struct t_audit_data *);
150 static void aus_getmsg(struct t_audit_data *);
151 static void aus_getpmsg(struct t_audit_data *);
152 static void aus_auditsys(struct t_audit_data *);
153 static void aus_sysinfo(struct t_audit_data *);
154 static void aus_modctl(struct t_audit_data *);
155 static void aus_kill(struct t_audit_data *);
156 static void aus_setregid(struct t_audit_data *);
157 static void aus_setreuid(struct t_audit_data *);
158 static void aus_labelsys(struct t_audit_data *);
159
160 static void auf_mknod(struct t_audit_data *, int, rval_t *);
161 static void auf_mknodat(struct t_audit_data *, int, rval_t *);
162 static void auf_msgsys(struct t_audit_data *, int, rval_t *);
163 static void auf_semsys(struct t_audit_data *, int, rval_t *);
164 static void auf_shmsys(struct t_audit_data *, int, rval_t *);
165 static void auf_read(struct t_audit_data *, int, rval_t *);
166 static void auf_write(struct t_audit_data *, int, rval_t *);
167
168 static void aus_sigqueue(struct t_audit_data *);
169 static void aus_p_online(struct t_audit_data *);
170 static void aus_processor_bind(struct t_audit_data *);
171 static void aus_inst_sync(struct t_audit_data *);
172 static void aus_brandsys(struct t_audit_data *);
173
174 static void auf_accept(struct t_audit_data *, int, rval_t *);
175
176 static void auf_bind(struct t_audit_data *, int, rval_t *);
177 static void auf_connect(struct t_audit_data *, int, rval_t *);
178 static void aus_shutdown(struct t_audit_data *);
179 static void auf_setsockopt(struct t_audit_data *, int, rval_t *);
180 static void aus_sockconfig(struct t_audit_data *);
181 static void auf_recv(struct t_audit_data *, int, rval_t *);
182 static void auf_recvmsg(struct t_audit_data *, int, rval_t *);
183 static void auf_send(struct t_audit_data *, int, rval_t *);
184 static void auf_sendmsg(struct t_audit_data *, int, rval_t *);
185 static void auf_recvfrom(struct t_audit_data *, int, rval_t *);
186 static void auf_sendto(struct t_audit_data *, int, rval_t *);
187 static void aus_socket(struct t_audit_data *);
188 /*
189 * This table contains mapping information for converting system call numbers
190 * to audit event IDs. In several cases it is necessary to map a single system
191 * call to several events.
192 */
193
194 #define aui_null NULL /* NULL initialize function */
195 #define aus_null NULL /* NULL start function */
196 #define auf_null NULL /* NULL finish function */
197
198 struct audit_s2e audit_s2e[] =
199 {
200 /*
201 * ---------- ---------- ---------- ----------
202 * INITIAL AUDIT START SYSTEM
203 * PROCESSING EVENT PROCESSING CALL
204 * ---------- ---------- ---------- -----------
205 * FINISH EVENT
206 * PROCESSING CONTROL
207 * ----------------------------------------------------------
208 */
209 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */
210 auf_null, 0,
211 aui_null, AUE_EXIT, aus_exit, /* 1 exit */
212 auf_null, S2E_NPT,
213 aui_null, AUE_PSECFLAGS, aus_null, /* 2 psecflags */
214 auf_null, 0,
215 aui_null, AUE_READ, aus_null, /* 3 read */
216 auf_read, S2E_PUB,
217 aui_null, AUE_WRITE, aus_null, /* 4 write */
218 auf_write, 0,
219 aui_open, AUE_OPEN, aus_open, /* 5 open */
220 auf_null, S2E_SP,
221 aui_null, AUE_CLOSE, aus_close, /* 6 close */
222 auf_null, 0,
223 aui_null, AUE_LINK, aus_null, /* 7 linkat */
224 auf_null, 0,
225 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */
226 auf_null, 0,
227 aui_null, AUE_LINK, aus_null, /* 9 link */
228 auf_null, 0,
229 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */
230 auf_null, 0,
231 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */
232 auf_null, 0,
233 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */
234 auf_null, S2E_SP,
235 aui_null, AUE_NULL, aus_null, /* 13 time */
236 auf_null, 0,
237 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */
238 auf_mknod, S2E_MLD,
239 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */
240 auf_null, 0,
241 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */
242 auf_null, 0,
243 aui_null, AUE_NULL, aus_null, /* 17 brk */
244 auf_null, 0,
245 aui_null, AUE_STAT, aus_null, /* 18 stat */
246 auf_null, S2E_PUB,
247 aui_null, AUE_NULL, aus_null, /* 19 lseek */
248 auf_null, 0,
249 aui_null, AUE_NULL, aus_null, /* 20 getpid */
250 auf_null, 0,
251 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */
252 auf_null, S2E_MLD,
253 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */
254 auf_null, S2E_PUB,
255 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */
256 auf_null, 0,
257 aui_null, AUE_NULL, aus_null, /* 24 getuid */
258 auf_null, 0,
259 aui_null, AUE_STIME, aus_null, /* 25 stime */
260 auf_null, 0,
261 aui_null, AUE_NULL, aus_null, /* 26 pcsample */
262 auf_null, 0,
263 aui_null, AUE_NULL, aus_null, /* 27 alarm */
264 auf_null, 0,
265 aui_null, AUE_NULL, aus_null, /* 28 fstat */
266 auf_null, 0,
267 aui_null, AUE_NULL, aus_null, /* 29 pause */
268 auf_null, 0,
269 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */
270 auf_null, 0,
271 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */
272 auf_null, 0,
273 aui_null, AUE_NULL, aus_null, /* 32 gtty */
274 auf_null, 0,
275 aui_null, AUE_ACCESS, aus_null, /* 33 access */
276 auf_null, S2E_PUB,
277 aui_null, AUE_NICE, aus_null, /* 34 nice */
278 auf_null, 0,
279 aui_null, AUE_STATFS, aus_null, /* 35 statfs */
280 auf_null, S2E_PUB,
281 aui_null, AUE_NULL, aus_null, /* 36 sync */
282 auf_null, 0,
283 aui_null, AUE_KILL, aus_kill, /* 37 kill */
284 auf_null, 0,
285 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */
286 auf_null, S2E_PUB,
287 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */
288 auf_null, 0,
289 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */
290 auf_null, 0,
291 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */
292 auf_null, 0,
293 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */
294 auf_null, 0,
295 aui_null, AUE_NULL, aus_null, /* 43 times */
296 auf_null, 0,
297 aui_null, AUE_NULL, aus_null, /* 44 profil */
298 auf_null, 0,
299 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */
300 auf_null, S2E_PUB,
301 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */
302 auf_null, 0,
303 aui_null, AUE_NULL, aus_null, /* 47 getgid */
304 auf_null, 0,
305 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */
306 auf_mknodat, S2E_MLD,
307 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */
308 auf_msgsys, 0,
309 #if defined(__x86)
310 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */
311 auf_null, 0,
312 #else
313 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */
314 auf_null, 0,
315 #endif /* __x86 */
316 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */
317 auf_null, 0,
318 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */
319 auf_shmsys, 0,
320 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */
321 auf_semsys, 0,
322 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */
323 auf_null, 0,
324 aui_null, AUE_NULL, aus_null, /* 55 uadmin */
325 auf_null, 0,
326 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */
327 auf_null, 0,
328 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */
329 auf_null, 0,
330 aui_null, AUE_NULL, aus_null, /* 58 fsync */
331 auf_null, 0,
332 aui_execve, AUE_EXECVE, aus_execve, /* 59 exece */
333 auf_null, S2E_MLD,
334 aui_null, AUE_NULL, aus_null, /* 60 umask */
335 auf_null, 0,
336 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */
337 auf_null, S2E_SP,
338 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */
339 auf_null, 0,
340 aui_null, AUE_NULL, aus_null, /* 63 ulimit */
341 auf_null, 0,
342 aui_null, AUE_RENAME, aus_null, /* 64 renameat */
343 auf_null, 0,
344 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */
345 auf_null, 0,
346 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */
347 auf_null, S2E_PUB,
348 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */
349 auf_null, S2E_PUB,
350 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */
351 auf_null, S2E_SP,
352 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */
353 auf_null, S2E_SP,
354 aui_null, AUE_NULL, aus_null, /* 70 tasksys */
355 auf_null, 0,
356 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */
357 auf_null, 0,
358 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */
359 auf_null, 0,
360 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */
361 auf_null, 0,
362 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */
363 auf_null, 0,
364 aui_null, AUE_NULL, aus_null, /* 75 sidsys */
365 auf_null, 0,
366 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */
367 auf_null, 0,
368 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */
369 auf_null, 0,
370 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */
371 auf_null, 0,
372 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */
373 auf_null, 0,
374 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */
375 auf_null, 0,
376 aui_null, AUE_NULL, aus_null, /* 81 getdents */
377 auf_null, 0,
378 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */
379 auf_null, 0,
380 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */
381 auf_null, 0,
382 aui_null, AUE_NULL, aus_null, /* 84 sysfs */
383 auf_null, 0,
384 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */
385 auf_null, 0,
386 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */
387 auf_null, 0,
388 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */
389 auf_null, 0,
390 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */
391 auf_null, S2E_PUB,
392 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */
393 auf_null, 0,
394 aui_null, AUE_READLINK, aus_null, /* 90 readlink */
395 auf_null, S2E_PUB,
396 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */
397 auf_null, 0,
398 aui_null, AUE_NULL, aus_null, /* 92 getgroups */
399 auf_null, 0,
400 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */
401 auf_null, 0,
402 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */
403 auf_null, 0,
404 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */
405 auf_null, 0,
406 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */
407 auf_null, 0,
408 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */
409 auf_null, 0,
410 aui_null, AUE_NULL, aus_null, /* 98 sigaction */
411 auf_null, 0,
412 aui_null, AUE_NULL, aus_null, /* 99 sigpending */
413 auf_null, 0,
414 aui_null, AUE_NULL, aus_null, /* 100 setcontext */
415 auf_null, 0,
416 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */
417 auf_null, 0,
418 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */
419 auf_null, 0,
420 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */
421 auf_null, S2E_PUB,
422 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */
423 auf_null, 0,
424 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */
425 auf_null, 0,
426 aui_null, AUE_NULL, aus_null, /* 106 nfssys */
427 auf_null, 0,
428 aui_null, AUE_NULL, aus_null, /* 107 waitsys */
429 auf_null, 0,
430 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */
431 auf_null, 0,
432 #if defined(__x86)
433 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */
434 auf_null, 0,
435 #else
436 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */
437 auf_null, 0,
438 #endif /* __x86 */
439 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */
440 auf_null, 0,
441 aui_null, AUE_NULL, aus_null, /* 111 sigresend */
442 auf_null, 0,
443 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
444 auf_null, 0,
445 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */
446 auf_null, S2E_PUB,
447 aui_null, AUE_NULL, aus_null, /* 114 mincore */
448 auf_null, 0,
449 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */
450 auf_null, 0,
451 aui_null, AUE_NULL, aus_null, /* 116 mprotect */
452 auf_null, 0,
453 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */
454 auf_null, 0,
455 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */
456 auf_null, 0,
457 aui_null, AUE_VFORK, aus_null, /* 119 vfork */
458 auf_null, 0,
459 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */
460 auf_null, 0,
461 aui_null, AUE_READ, aus_null, /* 121 readv */
462 auf_read, S2E_PUB,
463 aui_null, AUE_WRITE, aus_null, /* 122 writev */
464 auf_write, 0,
465 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */
466 auf_null, 0,
467 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */
468 auf_null, 0,
469 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */
470 auf_null, 0,
471 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */
472 auf_null, 0,
473 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */
474 auf_null, 0,
475 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */
476 auf_null, 0,
477 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */
478 auf_null, 0,
479 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */
480 auf_null, 0,
481 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */
482 auf_null, 0,
483 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */
484 auf_null, 0,
485 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */
486 auf_null, 0,
487 aui_null, AUE_RENAME, aus_null, /* 134 rename */
488 auf_null, 0,
489 aui_null, AUE_NULL, aus_null, /* 135 uname */
490 auf_null, 0,
491 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */
492 auf_null, 0,
493 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */
494 auf_null, 0,
495 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */
496 auf_null, 0,
497 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */
498 auf_null, 0,
499 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */
500 auf_null, 0,
501 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */
502 auf_null, 0,
503 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */
504 auf_null, 0,
505 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */
506 auf_null, 0,
507 aui_null, AUE_NULL, aus_null, /* 144 sigwait */
508 auf_null, 0,
509 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */
510 auf_null, 0,
511 aui_null, AUE_NULL, aus_null, /* 146 yield */
512 auf_null, 0,
513 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */
514 /* was lwp_sema_wait */
515 auf_null, 0,
516 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */
517 auf_null, 0,
518 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */
519 auf_null, 0,
520 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */
521 auf_null, 0,
522 aui_null, AUE_NULL, aus_null, /* 151 corectl */
523 auf_null, 0,
524 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */
525 auf_null, 0,
526 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */
527 auf_null, 0,
528 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */
529 auf_null, 0,
530 aui_null, AUE_NULL, aus_null, /* 155 vhangup */
531 auf_null, 0,
532 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */
533 auf_null, 0,
534 aui_null, AUE_NULL, aus_null, /* 157 getitimer */
535 auf_null, 0,
536 aui_null, AUE_NULL, aus_null, /* 158 setitimer */
537 auf_null, 0,
538 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */
539 auf_null, 0,
540 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */
541 auf_null, 0,
542 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */
543 auf_null, 0,
544 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */
545 auf_null, 0,
546 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */
547 auf_null, 0,
548 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */
549 auf_null, 0,
550 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */
551 auf_null, 0,
552 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */
553 auf_null, 0,
554 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */
555 auf_null, 0,
556 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */
557 auf_null, 0,
558 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */
559 /* was lwp_mutex_lock */
560 auf_null, 0,
561 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */
562 auf_null, 0,
563 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */
564 auf_null, 0,
565 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */
566 auf_null, 0,
567 aui_null, AUE_READ, aus_null, /* 173 pread */
568 auf_read, S2E_PUB,
569 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */
570 auf_write, 0,
571 aui_null, AUE_NULL, aus_null, /* 175 llseek */
572 auf_null, 0,
573 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */
574 auf_null, 0,
575 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */
576 auf_null, 0,
577 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */
578 auf_null, 0,
579 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */
580 auf_null, 0,
581 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */
582 auf_null, 0,
583 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */
584 auf_null, 0,
585 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */
586 auf_null, S2E_MLD,
587 aui_null, AUE_NULL, aus_null, /* 183 pollsys */
588 auf_null, 0,
589 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */
590 auf_null, 0,
591 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */
592 auf_null, 0,
593 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */
594 auf_null, 0,
595 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
596 auf_null, 0,
597 aui_null, AUE_NULL, aus_null, /* 188 processor_info */
598 auf_null, 0,
599 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */
600 auf_null, 0,
601 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */
602 auf_null, 0,
603 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */
604 auf_null, 0,
605 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */
606 auf_null, 0,
607 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */
608 auf_null, 0,
609 aui_null, AUE_NULL, aus_null, /* 194 timer_create */
610 auf_null, 0,
611 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */
612 auf_null, 0,
613 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */
614 auf_null, 0,
615 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */
616 auf_null, 0,
617 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */
618 auf_null, 0,
619 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */
620 auf_null, 0,
621 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */
622 auf_null, 0,
623 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */
624 auf_null, 0,
625 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */
626 auf_null, 0,
627 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */
628 auf_null, 0,
629 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */
630 auf_null, 0,
631 aui_null, AUE_NULL, aus_null, /* 205 signotify */
632 auf_null, 0,
633 aui_null, AUE_NULL, aus_null, /* 206 schedctl */
634 auf_null, 0,
635 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */
636 auf_null, 0,
637 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */
638 auf_null, 0,
639 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */
640 auf_null, 0,
641 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */
642 auf_null, 0,
643 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */
644 auf_null, 0,
645 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */
646 auf_null, 0,
647 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */
648 auf_null, 0,
649 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */
650 auf_null, 0,
651 aui_null, AUE_STAT, aus_null, /* 215 stat64 */
652 auf_null, S2E_PUB,
653 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */
654 auf_null, S2E_PUB,
655 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */
656 auf_null, 0,
657 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */
658 auf_null, S2E_PUB,
659 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */
660 auf_null, 0,
661 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */
662 auf_null, 0,
663 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */
664 auf_null, 0,
665 aui_null, AUE_READ, aus_null, /* 222 pread64 */
666 auf_read, S2E_PUB,
667 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */
668 auf_write, 0,
669 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */
670 auf_null, 0,
671 aui_open, AUE_OPEN, aus_open, /* 225 open64 */
672 auf_null, S2E_SP,
673 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */
674 auf_null, 0,
675 aui_null, AUE_NULL, aus_null, /* 227 zone */
676 auf_null, 0,
677 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */
678 auf_null, 0,
679 aui_null, AUE_NULL, aus_null, /* 229 getcwd */
680 auf_null, 0,
681 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */
682 auf_null, 0,
683 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */
684 auf_null, 0,
685 aui_null, AUE_BIND, aus_null, /* 232 bind */
686 auf_bind, 0,
687 aui_null, AUE_NULL, aus_null, /* 233 listen */
688 auf_null, 0,
689 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */
690 auf_accept, 0,
691 aui_null, AUE_CONNECT, aus_null, /* 235 connect */
692 auf_connect, 0,
693 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */
694 auf_null, 0,
695 aui_null, AUE_READ, aus_null, /* 237 recv */
696 auf_recv, 0,
697 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */
698 auf_recvfrom, 0,
699 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */
700 auf_recvmsg, 0,
701 aui_null, AUE_WRITE, aus_null, /* 240 send */
702 auf_send, 0,
703 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */
704 auf_sendmsg, 0,
705 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */
706 auf_sendto, 0,
707 aui_null, AUE_NULL, aus_null, /* 243 getpeername */
708 auf_null, 0,
709 aui_null, AUE_NULL, aus_null, /* 244 getsockname */
710 auf_null, 0,
711 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */
712 auf_null, 0,
713 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */
714 auf_setsockopt, 0,
715 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
716 auf_null, 0,
717 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */
718 auf_null, 0,
719 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */
720 auf_null, 0,
721 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */
722 auf_null, 0,
723 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */
724 auf_null, 0,
725 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */
726 auf_null, 0,
727 aui_null, AUE_NULL, aus_null, /* 253 cladm */
728 auf_null, 0,
729 aui_null, AUE_NULL, aus_null, /* 254 uucopy */
730 auf_null, 0,
731 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */
732 auf_null, 0
733 };
734
735 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
736
737
738 /* exit start function */
739 /*ARGSUSED*/
740 static void
aus_exit(struct t_audit_data * tad)741 aus_exit(struct t_audit_data *tad)
742 {
743 uint32_t rval;
744 struct a {
745 long rval;
746 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
747
748 rval = (uint32_t)uap->rval;
749 au_uwrite(au_to_arg32(1, "exit status", rval));
750 }
751
752
753 /* acct start function */
754 /*ARGSUSED*/
755 static void
aus_acct(struct t_audit_data * tad)756 aus_acct(struct t_audit_data *tad)
757 {
758 klwp_t *clwp = ttolwp(curthread);
759 uintptr_t fname;
760
761 struct a {
762 long fname; /* char * */
763 } *uap = (struct a *)clwp->lwp_ap;
764
765 fname = (uintptr_t)uap->fname;
766
767 if (fname == 0)
768 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
769 }
770
771 /* chown start function */
772 /*ARGSUSED*/
773 static void
aus_chown(struct t_audit_data * tad)774 aus_chown(struct t_audit_data *tad)
775 {
776 klwp_t *clwp = ttolwp(curthread);
777 uint32_t uid, gid;
778
779 struct a {
780 long fname; /* char * */
781 long uid;
782 long gid;
783 } *uap = (struct a *)clwp->lwp_ap;
784
785 uid = (uint32_t)uap->uid;
786 gid = (uint32_t)uap->gid;
787
788 au_uwrite(au_to_arg32(2, "new file uid", uid));
789 au_uwrite(au_to_arg32(3, "new file gid", gid));
790 }
791
792 /* fchown start function */
793 /*ARGSUSED*/
794 static void
aus_fchown(struct t_audit_data * tad)795 aus_fchown(struct t_audit_data *tad)
796 {
797 klwp_t *clwp = ttolwp(curthread);
798 uint32_t uid, gid, fd;
799 struct file *fp;
800 struct vnode *vp;
801 struct f_audit_data *fad;
802
803 struct a {
804 long fd;
805 long uid;
806 long gid;
807 } *uap = (struct a *)clwp->lwp_ap;
808
809 fd = (uint32_t)uap->fd;
810 uid = (uint32_t)uap->uid;
811 gid = (uint32_t)uap->gid;
812
813 au_uwrite(au_to_arg32(2, "new file uid", uid));
814 au_uwrite(au_to_arg32(3, "new file gid", gid));
815
816 /*
817 * convert file pointer to file descriptor
818 * Note: fd ref count incremented here.
819 */
820 if ((fp = getf(fd)) == NULL)
821 return;
822
823 /* get path from file struct here */
824 fad = F2A(fp);
825 if (fad->fad_aupath != NULL) {
826 au_uwrite(au_to_path(fad->fad_aupath));
827 } else {
828 au_uwrite(au_to_arg32(1, "no path: fd", fd));
829 }
830
831 vp = fp->f_vnode;
832 audit_attributes(vp);
833
834 /* decrement file descriptor reference count */
835 releasef(fd);
836 }
837
838 /*ARGSUSED*/
839 static void
aus_lchown(struct t_audit_data * tad)840 aus_lchown(struct t_audit_data *tad)
841 {
842 klwp_t *clwp = ttolwp(curthread);
843 uint32_t uid, gid;
844
845
846 struct a {
847 long fname; /* char * */
848 long uid;
849 long gid;
850 } *uap = (struct a *)clwp->lwp_ap;
851
852 uid = (uint32_t)uap->uid;
853 gid = (uint32_t)uap->gid;
854
855 au_uwrite(au_to_arg32(2, "new file uid", uid));
856 au_uwrite(au_to_arg32(3, "new file gid", gid));
857 }
858
859 static au_event_t
aui_fchownat(au_event_t e)860 aui_fchownat(au_event_t e)
861 {
862 klwp_t *clwp = ttolwp(curthread);
863
864 struct a {
865 long fd;
866 long fname; /* char * */
867 long uid;
868 long gid;
869 long flags;
870 } *uap = (struct a *)clwp->lwp_ap;
871
872 if (uap->fname == 0)
873 e = AUE_FCHOWN;
874 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
875 e = AUE_LCHOWN;
876 else
877 e = AUE_CHOWN;
878
879 return (e);
880 }
881
882 /*ARGSUSED*/
883 static void
aus_fchownat(struct t_audit_data * tad)884 aus_fchownat(struct t_audit_data *tad)
885 {
886 klwp_t *clwp = ttolwp(curthread);
887 uint32_t uid, gid;
888
889 struct a {
890 long fd;
891 long fname; /* char * */
892 long uid;
893 long gid;
894 long flags;
895 } *uap = (struct a *)clwp->lwp_ap;
896
897 uid = (uint32_t)uap->uid;
898 gid = (uint32_t)uap->gid;
899
900 au_uwrite(au_to_arg32(3, "new file uid", uid));
901 au_uwrite(au_to_arg32(4, "new file gid", gid));
902 }
903
904 /*ARGSUSED*/
905 static void
aus_chmod(struct t_audit_data * tad)906 aus_chmod(struct t_audit_data *tad)
907 {
908 klwp_t *clwp = ttolwp(curthread);
909 uint32_t fmode;
910
911 struct a {
912 long fname; /* char * */
913 long fmode;
914 } *uap = (struct a *)clwp->lwp_ap;
915
916 fmode = (uint32_t)uap->fmode;
917
918 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
919 }
920
921 /*ARGSUSED*/
922 static void
aus_fchmod(struct t_audit_data * tad)923 aus_fchmod(struct t_audit_data *tad)
924 {
925 klwp_t *clwp = ttolwp(curthread);
926 uint32_t fmode, fd;
927 struct file *fp;
928 struct vnode *vp;
929 struct f_audit_data *fad;
930
931 struct a {
932 long fd;
933 long fmode;
934 } *uap = (struct a *)clwp->lwp_ap;
935
936 fd = (uint32_t)uap->fd;
937 fmode = (uint32_t)uap->fmode;
938
939 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
940
941 /*
942 * convert file pointer to file descriptor
943 * Note: fd ref count incremented here.
944 */
945 if ((fp = getf(fd)) == NULL)
946 return;
947
948 /* get path from file struct here */
949 fad = F2A(fp);
950 if (fad->fad_aupath != NULL) {
951 au_uwrite(au_to_path(fad->fad_aupath));
952 } else {
953 au_uwrite(au_to_arg32(1, "no path: fd", fd));
954 }
955
956 vp = fp->f_vnode;
957 audit_attributes(vp);
958
959 /* decrement file descriptor reference count */
960 releasef(fd);
961 }
962
963 static au_event_t
aui_fchmodat(au_event_t e)964 aui_fchmodat(au_event_t e)
965 {
966 klwp_t *clwp = ttolwp(curthread);
967
968 struct a {
969 long fd;
970 long fname; /* char * */
971 long fmode;
972 long flag;
973 } *uap = (struct a *)clwp->lwp_ap;
974
975 if (uap->fname == 0)
976 e = AUE_FCHMOD;
977 else
978 e = AUE_CHMOD;
979
980 return (e);
981 }
982
983 /*ARGSUSED*/
984 static void
aus_fchmodat(struct t_audit_data * tad)985 aus_fchmodat(struct t_audit_data *tad)
986 {
987 klwp_t *clwp = ttolwp(curthread);
988 uint32_t fmode;
989 uint32_t fd;
990 struct file *fp;
991 struct vnode *vp;
992 struct f_audit_data *fad;
993
994 struct a {
995 long fd;
996 long fname; /* char * */
997 long fmode;
998 long flag;
999 } *uap = (struct a *)clwp->lwp_ap;
1000
1001 fd = (uint32_t)uap->fd;
1002 fmode = (uint32_t)uap->fmode;
1003
1004 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1005
1006 if (fd == AT_FDCWD || uap->fname != 0) /* same as chmod() */
1007 return;
1008
1009 /*
1010 * convert file pointer to file descriptor
1011 * Note: fd ref count incremented here.
1012 */
1013 if ((fp = getf(fd)) == NULL)
1014 return;
1015
1016 /* get path from file struct here */
1017 fad = F2A(fp);
1018 if (fad->fad_aupath != NULL) {
1019 au_uwrite(au_to_path(fad->fad_aupath));
1020 } else {
1021 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1022 }
1023
1024 vp = fp->f_vnode;
1025 audit_attributes(vp);
1026
1027 /* decrement file descriptor reference count */
1028 releasef(fd);
1029 }
1030
1031 /*
1032 * convert open mode to appropriate open event
1033 */
1034 au_event_t
open_event(uint_t fm)1035 open_event(uint_t fm)
1036 {
1037 au_event_t e;
1038
1039 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1040 case O_RDONLY:
1041 e = AUE_OPEN_R;
1042 break;
1043 case O_RDONLY | O_CREAT:
1044 e = AUE_OPEN_RC;
1045 break;
1046 case O_RDONLY | O_TRUNC:
1047 e = AUE_OPEN_RT;
1048 break;
1049 case O_RDONLY | O_TRUNC | O_CREAT:
1050 e = AUE_OPEN_RTC;
1051 break;
1052 case O_WRONLY:
1053 e = AUE_OPEN_W;
1054 break;
1055 case O_WRONLY | O_CREAT:
1056 e = AUE_OPEN_WC;
1057 break;
1058 case O_WRONLY | O_TRUNC:
1059 e = AUE_OPEN_WT;
1060 break;
1061 case O_WRONLY | O_TRUNC | O_CREAT:
1062 e = AUE_OPEN_WTC;
1063 break;
1064 case O_RDWR:
1065 e = AUE_OPEN_RW;
1066 break;
1067 case O_RDWR | O_CREAT:
1068 e = AUE_OPEN_RWC;
1069 break;
1070 case O_RDWR | O_TRUNC:
1071 e = AUE_OPEN_RWT;
1072 break;
1073 case O_RDWR | O_TRUNC | O_CREAT:
1074 e = AUE_OPEN_RWTC;
1075 break;
1076 case O_SEARCH:
1077 e = AUE_OPEN_S;
1078 break;
1079 case O_EXEC:
1080 e = AUE_OPEN_E;
1081 break;
1082 default:
1083 e = AUE_NULL;
1084 break;
1085 }
1086
1087 return (e);
1088 }
1089
1090 /* ARGSUSED */
1091 static au_event_t
aui_open(au_event_t e)1092 aui_open(au_event_t e)
1093 {
1094 klwp_t *clwp = ttolwp(curthread);
1095 uint_t fm;
1096
1097 struct a {
1098 long fnamep; /* char * */
1099 long fmode;
1100 long cmode;
1101 } *uap = (struct a *)clwp->lwp_ap;
1102
1103 fm = (uint_t)uap->fmode;
1104
1105 return (open_event(fm));
1106 }
1107
1108 static void
aus_open(struct t_audit_data * tad)1109 aus_open(struct t_audit_data *tad)
1110 {
1111 klwp_t *clwp = ttolwp(curthread);
1112 uint_t fm;
1113
1114 struct a {
1115 long fnamep; /* char * */
1116 long fmode;
1117 long cmode;
1118 } *uap = (struct a *)clwp->lwp_ap;
1119
1120 fm = (uint_t)uap->fmode;
1121
1122 /* If no write, create, or trunc modes, mark as a public op */
1123 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1124 tad->tad_ctrl |= TAD_PUBLIC_EV;
1125 }
1126
1127 /* ARGSUSED */
1128 static au_event_t
aui_openat(au_event_t e)1129 aui_openat(au_event_t e)
1130 {
1131 t_audit_data_t *tad = T2A(curthread);
1132 klwp_t *clwp = ttolwp(curthread);
1133 uint_t fm;
1134
1135 struct a {
1136 long filedes;
1137 long fnamep; /* char * */
1138 long fmode;
1139 long cmode;
1140 } *uap = (struct a *)clwp->lwp_ap;
1141
1142 fm = (uint_t)uap->fmode;
1143
1144 /*
1145 * __openattrdirat() does an extra pathname lookup in order to
1146 * enter the extended system attribute namespace of the referenced
1147 * extended attribute filename.
1148 */
1149 if (fm & FXATTRDIROPEN)
1150 tad->tad_ctrl |= TAD_MLD;
1151
1152 return (open_event(fm));
1153 }
1154
1155 static void
aus_openat(struct t_audit_data * tad)1156 aus_openat(struct t_audit_data *tad)
1157 {
1158 klwp_t *clwp = ttolwp(curthread);
1159 uint_t fm;
1160
1161 struct a {
1162 long filedes;
1163 long fnamep; /* char * */
1164 long fmode;
1165 long cmode;
1166 } *uap = (struct a *)clwp->lwp_ap;
1167
1168 fm = (uint_t)uap->fmode;
1169
1170 /* If no write, create, or trunc modes, mark as a public op */
1171 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1172 tad->tad_ctrl |= TAD_PUBLIC_EV;
1173 }
1174
1175 static au_event_t
aui_unlinkat(au_event_t e)1176 aui_unlinkat(au_event_t e)
1177 {
1178 klwp_t *clwp = ttolwp(curthread);
1179
1180 struct a {
1181 long filedes;
1182 long fnamep; /* char * */
1183 long flags;
1184 } *uap = (struct a *)clwp->lwp_ap;
1185
1186 if (uap->flags & AT_REMOVEDIR)
1187 e = AUE_RMDIR;
1188 else
1189 e = AUE_UNLINK;
1190
1191 return (e);
1192 }
1193
1194 static au_event_t
aui_fstatat(au_event_t e)1195 aui_fstatat(au_event_t e)
1196 {
1197 klwp_t *clwp = ttolwp(curthread);
1198
1199 struct a {
1200 long filedes;
1201 long fnamep; /* char * */
1202 long statb;
1203 long flags;
1204 } *uap = (struct a *)clwp->lwp_ap;
1205
1206 if (uap->fnamep == 0)
1207 e = AUE_FSTAT;
1208 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1209 e = AUE_LSTAT;
1210 else
1211 e = AUE_STAT;
1212
1213 return (e);
1214 }
1215
1216 /* msgsys */
1217 static au_event_t
aui_msgsys(au_event_t e)1218 aui_msgsys(au_event_t e)
1219 {
1220 klwp_t *clwp = ttolwp(curthread);
1221 uint_t fm;
1222
1223 struct a {
1224 long id; /* function code id */
1225 long ap; /* arg pointer for recvmsg */
1226 } *uap = (struct a *)clwp->lwp_ap;
1227
1228 struct b {
1229 long msgid;
1230 long cmd;
1231 long buf; /* struct msqid_ds * */
1232 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1233
1234 fm = (uint_t)uap->id;
1235
1236 switch (fm) {
1237 case 0: /* msgget */
1238 e = AUE_MSGGET;
1239 break;
1240 case 1: /* msgctl */
1241 switch ((uint_t)uap1->cmd) {
1242 case IPC_RMID:
1243 e = AUE_MSGCTL_RMID;
1244 break;
1245 case IPC_SET:
1246 e = AUE_MSGCTL_SET;
1247 break;
1248 case IPC_STAT:
1249 e = AUE_MSGCTL_STAT;
1250 break;
1251 default:
1252 e = AUE_MSGCTL;
1253 break;
1254 }
1255 break;
1256 case 2: /* msgrcv */
1257 e = AUE_MSGRCV;
1258 break;
1259 case 3: /* msgsnd */
1260 e = AUE_MSGSND;
1261 break;
1262 default: /* illegal system call */
1263 e = AUE_NULL;
1264 break;
1265 }
1266
1267 return (e);
1268 }
1269
1270
1271 /* shmsys */
1272 static au_event_t
aui_shmsys(au_event_t e)1273 aui_shmsys(au_event_t e)
1274 {
1275 klwp_t *clwp = ttolwp(curthread);
1276 int fm;
1277
1278 struct a { /* shmsys */
1279 long id; /* function code id */
1280 } *uap = (struct a *)clwp->lwp_ap;
1281
1282 struct b { /* ctrl */
1283 long shmid;
1284 long cmd;
1285 long arg; /* struct shmid_ds * */
1286 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1287 fm = (uint_t)uap->id;
1288
1289 switch (fm) {
1290 case 0: /* shmat */
1291 e = AUE_SHMAT;
1292 break;
1293 case 1: /* shmctl */
1294 switch ((uint_t)uap1->cmd) {
1295 case IPC_RMID:
1296 e = AUE_SHMCTL_RMID;
1297 break;
1298 case IPC_SET:
1299 e = AUE_SHMCTL_SET;
1300 break;
1301 case IPC_STAT:
1302 e = AUE_SHMCTL_STAT;
1303 break;
1304 default:
1305 e = AUE_SHMCTL;
1306 break;
1307 }
1308 break;
1309 case 2: /* shmdt */
1310 e = AUE_SHMDT;
1311 break;
1312 case 3: /* shmget */
1313 e = AUE_SHMGET;
1314 break;
1315 default: /* illegal system call */
1316 e = AUE_NULL;
1317 break;
1318 }
1319
1320 return (e);
1321 }
1322
1323
1324 /* semsys */
1325 static au_event_t
aui_semsys(au_event_t e)1326 aui_semsys(au_event_t e)
1327 {
1328 klwp_t *clwp = ttolwp(curthread);
1329 uint_t fm;
1330
1331 struct a { /* semsys */
1332 long id;
1333 } *uap = (struct a *)clwp->lwp_ap;
1334
1335 struct b { /* ctrl */
1336 long semid;
1337 long semnum;
1338 long cmd;
1339 long arg;
1340 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1341
1342 fm = (uint_t)uap->id;
1343
1344 switch (fm) {
1345 case 0: /* semctl */
1346 switch ((uint_t)uap1->cmd) {
1347 case IPC_RMID:
1348 e = AUE_SEMCTL_RMID;
1349 break;
1350 case IPC_SET:
1351 e = AUE_SEMCTL_SET;
1352 break;
1353 case IPC_STAT:
1354 e = AUE_SEMCTL_STAT;
1355 break;
1356 case GETNCNT:
1357 e = AUE_SEMCTL_GETNCNT;
1358 break;
1359 case GETPID:
1360 e = AUE_SEMCTL_GETPID;
1361 break;
1362 case GETVAL:
1363 e = AUE_SEMCTL_GETVAL;
1364 break;
1365 case GETALL:
1366 e = AUE_SEMCTL_GETALL;
1367 break;
1368 case GETZCNT:
1369 e = AUE_SEMCTL_GETZCNT;
1370 break;
1371 case SETVAL:
1372 e = AUE_SEMCTL_SETVAL;
1373 break;
1374 case SETALL:
1375 e = AUE_SEMCTL_SETALL;
1376 break;
1377 default:
1378 e = AUE_SEMCTL;
1379 break;
1380 }
1381 break;
1382 case 1: /* semget */
1383 e = AUE_SEMGET;
1384 break;
1385 case 2: /* semop */
1386 e = AUE_SEMOP;
1387 break;
1388 default: /* illegal system call */
1389 e = AUE_NULL;
1390 break;
1391 }
1392
1393 return (e);
1394 }
1395
1396 /* utssys - uname(2), ustat(2), fusers(2) */
1397 static au_event_t
aui_utssys(au_event_t e)1398 aui_utssys(au_event_t e)
1399 {
1400 klwp_t *clwp = ttolwp(curthread);
1401 uint_t type;
1402
1403 struct a {
1404 union {
1405 long cbuf; /* char * */
1406 long ubuf; /* struct stat * */
1407 } ub;
1408 union {
1409 long mv; /* for USTAT */
1410 long flags; /* for FUSERS */
1411 } un;
1412 long type;
1413 long outbp; /* char * for FUSERS */
1414 } *uap = (struct a *)clwp->lwp_ap;
1415
1416 type = (uint_t)uap->type;
1417
1418 if (type == UTS_FUSERS)
1419 return (e);
1420 else
1421 return ((au_event_t)AUE_NULL);
1422 }
1423
1424 static au_event_t
aui_fcntl(au_event_t e)1425 aui_fcntl(au_event_t e)
1426 {
1427 klwp_t *clwp = ttolwp(curthread);
1428 uint_t cmd;
1429
1430 struct a {
1431 long fdes;
1432 long cmd;
1433 long arg;
1434 } *uap = (struct a *)clwp->lwp_ap;
1435
1436 cmd = (uint_t)uap->cmd;
1437
1438 switch (cmd) {
1439 case F_GETLK:
1440 case F_SETLK:
1441 case F_SETLKW:
1442 break;
1443 case F_SETFL:
1444 case F_GETFL:
1445 case F_GETFD:
1446 break;
1447 default:
1448 e = (au_event_t)AUE_NULL;
1449 break;
1450 }
1451 return ((au_event_t)e);
1452 }
1453
1454 /* null function for now */
1455 static au_event_t
aui_execve(au_event_t e)1456 aui_execve(au_event_t e)
1457 {
1458 return (e);
1459 }
1460
1461 static void
aus_execve(struct t_audit_data * tad)1462 aus_execve(struct t_audit_data *tad)
1463 {
1464 klwp_t *clwp = ttolwp(curthread);
1465 uint32_t flags, fd;
1466 struct file *fp;
1467 struct f_audit_data *fad;
1468
1469 struct a {
1470 long file;
1471 long argv;
1472 long envp;
1473 long flags;
1474 } *uap = (struct a *)clwp->lwp_ap;
1475
1476 fd = (uint32_t)uap->file;
1477 flags = (uint32_t)uap->flags;
1478
1479 if ((flags & EXEC_DESCRIPTOR) == 0)
1480 return;
1481
1482 if ((fp = getf(fd)) == NULL)
1483 return;
1484
1485 fad = F2A(fp);
1486
1487 if (fad->fad_aupath != NULL)
1488 au_uwrite(au_to_path(fad->fad_aupath));
1489 else
1490 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1491
1492 audit_attributes(fp->f_vnode);
1493
1494 /* Flag that the path is already included in this audit record */
1495 tad->tad_ctrl |= TAD_PATHFND;
1496
1497 releasef(fd);
1498 }
1499
1500 /*ARGSUSED*/
1501 static void
aus_fcntl(struct t_audit_data * tad)1502 aus_fcntl(struct t_audit_data *tad)
1503 {
1504 klwp_t *clwp = ttolwp(curthread);
1505 uint32_t cmd, fd, flags;
1506 struct file *fp;
1507 struct vnode *vp;
1508 struct f_audit_data *fad;
1509
1510 struct a {
1511 long fd;
1512 long cmd;
1513 long arg;
1514 } *uap = (struct a *)clwp->lwp_ap;
1515
1516 cmd = (uint32_t)uap->cmd;
1517 fd = (uint32_t)uap->fd;
1518 flags = (uint32_t)uap->arg;
1519
1520 au_uwrite(au_to_arg32(2, "cmd", cmd));
1521
1522 if (cmd == F_SETFL)
1523 au_uwrite(au_to_arg32(3, "flags", flags));
1524
1525 /*
1526 * convert file pointer to file descriptor
1527 * Note: fd ref count incremented here.
1528 */
1529 if ((fp = getf(fd)) == NULL)
1530 return;
1531
1532 /* get path from file struct here */
1533 fad = F2A(fp);
1534 if (fad->fad_aupath != NULL) {
1535 au_uwrite(au_to_path(fad->fad_aupath));
1536 } else {
1537 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1538 }
1539
1540 vp = fp->f_vnode;
1541 audit_attributes(vp);
1542
1543 /* decrement file descriptor reference count */
1544 releasef(fd);
1545 }
1546
1547 /*ARGSUSED*/
1548 static void
aus_kill(struct t_audit_data * tad)1549 aus_kill(struct t_audit_data *tad)
1550 {
1551 klwp_t *clwp = ttolwp(curthread);
1552 struct proc *p;
1553 uint32_t signo;
1554 uid_t uid, ruid;
1555 gid_t gid, rgid;
1556 pid_t pid;
1557 const auditinfo_addr_t *ainfo;
1558 cred_t *cr;
1559
1560 struct a {
1561 long pid;
1562 long signo;
1563 } *uap = (struct a *)clwp->lwp_ap;
1564
1565 pid = (pid_t)uap->pid;
1566 signo = (uint32_t)uap->signo;
1567
1568 au_uwrite(au_to_arg32(2, "signal", signo));
1569 if (pid > 0) {
1570 mutex_enter(&pidlock);
1571 if (((p = prfind(pid)) == (struct proc *)0) ||
1572 (p->p_stat == SIDL)) {
1573 mutex_exit(&pidlock);
1574 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1575 return;
1576 }
1577 mutex_enter(&p->p_lock); /* so process doesn't go away */
1578 mutex_exit(&pidlock);
1579
1580 mutex_enter(&p->p_crlock);
1581 crhold(cr = p->p_cred);
1582 mutex_exit(&p->p_crlock);
1583 mutex_exit(&p->p_lock);
1584
1585 ainfo = crgetauinfo(cr);
1586 if (ainfo == NULL) {
1587 crfree(cr);
1588 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1589 return;
1590 }
1591
1592 uid = crgetuid(cr);
1593 gid = crgetgid(cr);
1594 ruid = crgetruid(cr);
1595 rgid = crgetrgid(cr);
1596 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1597 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1598
1599 if (is_system_labeled())
1600 au_uwrite(au_to_label(CR_SL(cr)));
1601
1602 crfree(cr);
1603 }
1604 else
1605 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1606 }
1607
1608 /*ARGSUSED*/
1609 static void
aus_mkdir(struct t_audit_data * tad)1610 aus_mkdir(struct t_audit_data *tad)
1611 {
1612 klwp_t *clwp = ttolwp(curthread);
1613 uint32_t dmode;
1614
1615 struct a {
1616 long dirnamep; /* char * */
1617 long dmode;
1618 } *uap = (struct a *)clwp->lwp_ap;
1619
1620 dmode = (uint32_t)uap->dmode;
1621
1622 au_uwrite(au_to_arg32(2, "mode", dmode));
1623 }
1624
1625 /*ARGSUSED*/
1626 static void
aus_mkdirat(struct t_audit_data * tad)1627 aus_mkdirat(struct t_audit_data *tad)
1628 {
1629 klwp_t *clwp = ttolwp(curthread);
1630 uint32_t dmode;
1631
1632 struct a {
1633 long fd;
1634 long dirnamep; /* char * */
1635 long dmode;
1636 } *uap = (struct a *)clwp->lwp_ap;
1637
1638 dmode = (uint32_t)uap->dmode;
1639
1640 au_uwrite(au_to_arg32(2, "mode", dmode));
1641 }
1642
1643 /*ARGSUSED*/
1644 static void
aus_mknod(struct t_audit_data * tad)1645 aus_mknod(struct t_audit_data *tad)
1646 {
1647 klwp_t *clwp = ttolwp(curthread);
1648 uint32_t fmode;
1649 dev_t dev;
1650
1651 struct a {
1652 long pnamep; /* char * */
1653 long fmode;
1654 long dev;
1655 } *uap = (struct a *)clwp->lwp_ap;
1656
1657 fmode = (uint32_t)uap->fmode;
1658 dev = (dev_t)uap->dev;
1659
1660 au_uwrite(au_to_arg32(2, "mode", fmode));
1661 #ifdef _LP64
1662 au_uwrite(au_to_arg64(3, "dev", dev));
1663 #else
1664 au_uwrite(au_to_arg32(3, "dev", dev));
1665 #endif
1666 }
1667
1668 /*ARGSUSED*/
1669 static void
auf_mknod(struct t_audit_data * tad,int error,rval_t * rval)1670 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1671 {
1672 klwp_t *clwp = ttolwp(curthread);
1673 vnode_t *dvp;
1674 caddr_t pnamep;
1675
1676 struct a {
1677 long pnamep; /* char * */
1678 long fmode;
1679 long dev;
1680 } *uap = (struct a *)clwp->lwp_ap;
1681
1682 /* no error, then already path token in audit record */
1683 if (error != EPERM && error != EINVAL)
1684 return;
1685
1686 /* do the lookup to force generation of path token */
1687 pnamep = (caddr_t)uap->pnamep;
1688 tad->tad_ctrl |= TAD_NOATTRB;
1689 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1690 if (error == 0)
1691 VN_RELE(dvp);
1692 }
1693
1694 /*ARGSUSED*/
1695 static void
aus_mknodat(struct t_audit_data * tad)1696 aus_mknodat(struct t_audit_data *tad)
1697 {
1698 klwp_t *clwp = ttolwp(curthread);
1699 uint32_t fmode;
1700 dev_t dev;
1701
1702 struct a {
1703 long fd;
1704 long pnamep; /* char * */
1705 long fmode;
1706 long dev;
1707 } *uap = (struct a *)clwp->lwp_ap;
1708
1709 fmode = (uint32_t)uap->fmode;
1710 dev = (dev_t)uap->dev;
1711
1712 au_uwrite(au_to_arg32(2, "mode", fmode));
1713 #ifdef _LP64
1714 au_uwrite(au_to_arg64(3, "dev", dev));
1715 #else
1716 au_uwrite(au_to_arg32(3, "dev", dev));
1717 #endif
1718 }
1719
1720 /*ARGSUSED*/
1721 static void
auf_mknodat(struct t_audit_data * tad,int error,rval_t * rval)1722 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1723 {
1724 klwp_t *clwp = ttolwp(curthread);
1725 vnode_t *startvp;
1726 vnode_t *dvp;
1727 caddr_t pnamep;
1728 int fd;
1729
1730 struct a {
1731 long fd;
1732 long pnamep; /* char * */
1733 long fmode;
1734 long dev;
1735 } *uap = (struct a *)clwp->lwp_ap;
1736
1737 /* no error, then already path token in audit record */
1738 if (error != EPERM && error != EINVAL)
1739 return;
1740
1741 /* do the lookup to force generation of path token */
1742 fd = (int)uap->fd;
1743 pnamep = (caddr_t)uap->pnamep;
1744 if (pnamep == NULL ||
1745 fgetstartvp(fd, pnamep, &startvp) != 0)
1746 return;
1747 tad->tad_ctrl |= TAD_NOATTRB;
1748 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1749 startvp);
1750 if (error == 0)
1751 VN_RELE(dvp);
1752 if (startvp != NULL)
1753 VN_RELE(startvp);
1754 }
1755
1756 /*ARGSUSED*/
1757 static void
aus_mount(struct t_audit_data * tad)1758 aus_mount(struct t_audit_data *tad)
1759 {
1760 /* AUS_START */
1761 klwp_t *clwp = ttolwp(curthread);
1762 uint32_t flags;
1763 uintptr_t u_fstype, dataptr;
1764 STRUCT_DECL(nfs_args, nfsargs);
1765 size_t len;
1766 char *fstype, *hostname;
1767
1768 struct a {
1769 long spec; /* char * */
1770 long dir; /* char * */
1771 long flags;
1772 long fstype; /* char * */
1773 long dataptr; /* char * */
1774 long datalen;
1775 } *uap = (struct a *)clwp->lwp_ap;
1776
1777 u_fstype = (uintptr_t)uap->fstype;
1778 flags = (uint32_t)uap->flags;
1779 dataptr = (uintptr_t)uap->dataptr;
1780
1781 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1782 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1783 goto mount_free_fstype;
1784
1785 au_uwrite(au_to_arg32(3, "flags", flags));
1786 au_uwrite(au_to_text(fstype));
1787
1788 if (strncmp(fstype, "nfs", 3) == 0) {
1789
1790 STRUCT_INIT(nfsargs, get_udatamodel());
1791 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1792
1793 if (copyin((caddr_t)dataptr, STRUCT_BUF(nfsargs),
1794 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1795 /* DEBUG debug_enter((char *)NULL); */
1796 goto mount_free_fstype;
1797 }
1798 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1799 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1800 (caddr_t)hostname, MAXNAMELEN, &len)) {
1801 goto mount_free_hostname;
1802 }
1803 au_uwrite(au_to_text(hostname));
1804 au_uwrite(au_to_arg32(3, "internal flags",
1805 (uint_t)STRUCT_FGET(nfsargs, flags)));
1806
1807 mount_free_hostname:
1808 kmem_free(hostname, MAXNAMELEN);
1809 }
1810
1811 mount_free_fstype:
1812 kmem_free(fstype, MAXNAMELEN);
1813 } /* AUS_MOUNT */
1814
1815 static void
aus_umount_path(caddr_t umount_dir)1816 aus_umount_path(caddr_t umount_dir)
1817 {
1818 char *dir_path;
1819 struct audit_path *path;
1820 size_t path_len, dir_len;
1821
1822 /* length alloc'd for two string pointers */
1823 path_len = sizeof (struct audit_path) + sizeof (char *);
1824 path = kmem_alloc(path_len, KM_SLEEP);
1825 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1826
1827 if (copyinstr(umount_dir, (caddr_t)dir_path,
1828 MAXPATHLEN, &dir_len))
1829 goto umount2_free_dir;
1830
1831 /*
1832 * the audit_path struct assumes that the buffer pointed to
1833 * by audp_sect[n] contains string 0 immediatedly followed
1834 * by string 1.
1835 */
1836 path->audp_sect[0] = dir_path;
1837 path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1838 path->audp_size = path_len;
1839 path->audp_ref = 1; /* not used */
1840 path->audp_cnt = 1; /* one path string */
1841
1842 au_uwrite(au_to_path(path));
1843
1844 umount2_free_dir:
1845 kmem_free(dir_path, MAXPATHLEN);
1846 kmem_free(path, path_len);
1847 }
1848
1849 /*ARGSUSED*/
1850 static void
aus_umount2(struct t_audit_data * tad)1851 aus_umount2(struct t_audit_data *tad)
1852 {
1853 klwp_t *clwp = ttolwp(curthread);
1854 struct a {
1855 long dir; /* char * */
1856 long flags;
1857 } *uap = (struct a *)clwp->lwp_ap;
1858
1859 aus_umount_path((caddr_t)uap->dir);
1860
1861 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1862 }
1863
1864 static void
aus_msgsys(struct t_audit_data * tad)1865 aus_msgsys(struct t_audit_data *tad)
1866 {
1867 klwp_t *clwp = ttolwp(curthread);
1868 uint32_t msgid;
1869
1870 struct b {
1871 long msgid;
1872 long cmd;
1873 long buf; /* struct msqid_ds * */
1874 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1875
1876 msgid = (uint32_t)uap1->msgid;
1877
1878
1879 switch (tad->tad_event) {
1880 case AUE_MSGGET: /* msgget */
1881 au_uwrite(au_to_arg32(1, "msg key", msgid));
1882 break;
1883 case AUE_MSGCTL: /* msgctl */
1884 case AUE_MSGCTL_RMID: /* msgctl */
1885 case AUE_MSGCTL_SET: /* msgctl */
1886 case AUE_MSGCTL_STAT: /* msgctl */
1887 case AUE_MSGRCV: /* msgrcv */
1888 case AUE_MSGSND: /* msgsnd */
1889 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1890 break;
1891 }
1892 }
1893
1894 /*ARGSUSED*/
1895 static void
auf_msgsys(struct t_audit_data * tad,int error,rval_t * rval)1896 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1897 {
1898 int id;
1899
1900 if (error != 0)
1901 return;
1902 if (tad->tad_event == AUE_MSGGET) {
1903 uint32_t scid;
1904 uint32_t sy_flags;
1905
1906 /* need to determine type of executing binary */
1907 scid = tad->tad_scid;
1908 #ifdef _SYSCALL32_IMPL
1909 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1910 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1911 else
1912 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1913 #else
1914 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1915 #endif
1916 if (sy_flags == SE_32RVAL1)
1917 id = rval->r_val1;
1918 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1919 id = rval->r_val1;
1920 if (sy_flags == SE_64RVAL)
1921 id = (int)rval->r_vals;
1922
1923 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1924 }
1925 }
1926
1927 static void
aus_semsys(struct t_audit_data * tad)1928 aus_semsys(struct t_audit_data *tad)
1929 {
1930 klwp_t *clwp = ttolwp(curthread);
1931 uint32_t semid;
1932
1933 struct b { /* ctrl */
1934 long semid;
1935 long semnum;
1936 long cmd;
1937 long arg;
1938 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1939
1940 semid = (uint32_t)uap1->semid;
1941
1942 switch (tad->tad_event) {
1943 case AUE_SEMCTL_RMID:
1944 case AUE_SEMCTL_STAT:
1945 case AUE_SEMCTL_GETNCNT:
1946 case AUE_SEMCTL_GETPID:
1947 case AUE_SEMCTL_GETVAL:
1948 case AUE_SEMCTL_GETALL:
1949 case AUE_SEMCTL_GETZCNT:
1950 case AUE_SEMCTL_SET:
1951 case AUE_SEMCTL_SETVAL:
1952 case AUE_SEMCTL_SETALL:
1953 case AUE_SEMCTL:
1954 case AUE_SEMOP:
1955 au_uwrite(au_to_arg32(1, "sem ID", semid));
1956 break;
1957 case AUE_SEMGET:
1958 au_uwrite(au_to_arg32(1, "sem key", semid));
1959 break;
1960 }
1961 }
1962
1963 /*ARGSUSED*/
1964 static void
auf_semsys(struct t_audit_data * tad,int error,rval_t * rval)1965 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1966 {
1967 int id;
1968
1969 if (error != 0)
1970 return;
1971 if (tad->tad_event == AUE_SEMGET) {
1972 uint32_t scid;
1973 uint32_t sy_flags;
1974
1975 /* need to determine type of executing binary */
1976 scid = tad->tad_scid;
1977 #ifdef _SYSCALL32_IMPL
1978 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1979 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1980 else
1981 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1982 #else
1983 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1984 #endif
1985 if (sy_flags == SE_32RVAL1)
1986 id = rval->r_val1;
1987 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1988 id = rval->r_val1;
1989 if (sy_flags == SE_64RVAL)
1990 id = (int)rval->r_vals;
1991
1992 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1993 }
1994 }
1995
1996 /*ARGSUSED*/
1997 static void
aus_close(struct t_audit_data * tad)1998 aus_close(struct t_audit_data *tad)
1999 {
2000 klwp_t *clwp = ttolwp(curthread);
2001 uint32_t fd;
2002 struct file *fp;
2003 struct f_audit_data *fad;
2004 struct vnode *vp;
2005 struct vattr attr;
2006 au_kcontext_t *kctx = GET_KCTX_PZ;
2007
2008 struct a {
2009 long i;
2010 } *uap = (struct a *)clwp->lwp_ap;
2011
2012 fd = (uint32_t)uap->i;
2013
2014 attr.va_mask = 0;
2015 au_uwrite(au_to_arg32(1, "fd", fd));
2016
2017 /*
2018 * convert file pointer to file descriptor
2019 * Note: fd ref count incremented here.
2020 */
2021 if ((fp = getf(fd)) == NULL)
2022 return;
2023
2024 fad = F2A(fp);
2025 tad->tad_evmod = (au_emod_t)fad->fad_flags;
2026 if (fad->fad_aupath != NULL) {
2027 au_uwrite(au_to_path(fad->fad_aupath));
2028 if ((vp = fp->f_vnode) != NULL) {
2029 attr.va_mask = AT_ALL;
2030 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
2031 /*
2032 * When write was not used and the file can be
2033 * considered public, skip the audit.
2034 */
2035 if (((fp->f_flag & FWRITE) == 0) &&
2036 object_is_public(&attr)) {
2037 tad->tad_flag = 0;
2038 tad->tad_evmod = 0;
2039 /* free any residual audit data */
2040 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
2041 releasef(fd);
2042 return;
2043 }
2044 au_uwrite(au_to_attr(&attr));
2045 audit_sec_attributes(&(u_ad), vp);
2046 }
2047 }
2048 }
2049
2050 /* decrement file descriptor reference count */
2051 releasef(fd);
2052 }
2053
2054 /*ARGSUSED*/
2055 static void
aus_fstatfs(struct t_audit_data * tad)2056 aus_fstatfs(struct t_audit_data *tad)
2057 {
2058 klwp_t *clwp = ttolwp(curthread);
2059 uint32_t fd;
2060 struct file *fp;
2061 struct vnode *vp;
2062 struct f_audit_data *fad;
2063
2064 struct a {
2065 long fd;
2066 long buf; /* struct statfs * */
2067 } *uap = (struct a *)clwp->lwp_ap;
2068
2069 fd = (uint_t)uap->fd;
2070
2071 /*
2072 * convert file pointer to file descriptor
2073 * Note: fd ref count incremented here.
2074 */
2075 if ((fp = getf(fd)) == NULL)
2076 return;
2077
2078 /* get path from file struct here */
2079 fad = F2A(fp);
2080 if (fad->fad_aupath != NULL) {
2081 au_uwrite(au_to_path(fad->fad_aupath));
2082 } else {
2083 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2084 }
2085
2086 vp = fp->f_vnode;
2087 audit_attributes(vp);
2088
2089 /* decrement file descriptor reference count */
2090 releasef(fd);
2091 }
2092
2093 static au_event_t
aui_setpgrp(au_event_t e)2094 aui_setpgrp(au_event_t e)
2095 {
2096 klwp_t *clwp = ttolwp(curthread);
2097 int flag;
2098
2099 struct a {
2100 long flag;
2101 long pid;
2102 long pgid;
2103 } *uap = (struct a *)clwp->lwp_ap;
2104
2105 flag = (int)uap->flag;
2106
2107
2108 switch (flag) {
2109
2110 case 1: /* setpgrp() */
2111 e = AUE_SETPGRP;
2112 break;
2113
2114 case 3: /* setsid() */
2115 e = AUE_SETSID;
2116 break;
2117
2118 case 5: /* setpgid() */
2119 e = AUE_SETPGID;
2120 break;
2121
2122 case 0: /* getpgrp() - not security relevant */
2123 case 2: /* getsid() - not security relevant */
2124 case 4: /* getpgid() - not security relevant */
2125 e = AUE_NULL;
2126 break;
2127
2128 default:
2129 e = AUE_NULL;
2130 break;
2131 }
2132
2133 return (e);
2134 }
2135
2136 /*ARGSUSED*/
2137 static void
aus_setpgrp(struct t_audit_data * tad)2138 aus_setpgrp(struct t_audit_data *tad)
2139 {
2140 klwp_t *clwp = ttolwp(curthread);
2141 pid_t pgid;
2142 struct proc *p;
2143 uid_t uid, ruid;
2144 gid_t gid, rgid;
2145 pid_t pid;
2146 cred_t *cr;
2147 int flag;
2148 const auditinfo_addr_t *ainfo;
2149
2150 struct a {
2151 long flag;
2152 long pid;
2153 long pgid;
2154 } *uap = (struct a *)clwp->lwp_ap;
2155
2156 flag = (int)uap->flag;
2157 pid = (pid_t)uap->pid;
2158 pgid = (pid_t)uap->pgid;
2159
2160
2161 switch (flag) {
2162
2163 case 0: /* getpgrp() */
2164 case 1: /* setpgrp() */
2165 case 2: /* getsid() */
2166 case 3: /* setsid() */
2167 case 4: /* getpgid() */
2168 break;
2169
2170 case 5: /* setpgid() */
2171
2172 /* current process? */
2173 if (pid == 0) {
2174 return;
2175 }
2176
2177 mutex_enter(&pidlock);
2178 p = prfind(pid);
2179 if (p == NULL || p->p_as == &kas ||
2180 p->p_stat == SIDL || p->p_stat == SZOMB) {
2181 mutex_exit(&pidlock);
2182 return;
2183 }
2184 mutex_enter(&p->p_lock); /* so process doesn't go away */
2185 mutex_exit(&pidlock);
2186
2187 mutex_enter(&p->p_crlock);
2188 crhold(cr = p->p_cred);
2189 mutex_exit(&p->p_crlock);
2190 mutex_exit(&p->p_lock);
2191
2192 ainfo = crgetauinfo(cr);
2193 if (ainfo == NULL) {
2194 crfree(cr);
2195 return;
2196 }
2197
2198 uid = crgetuid(cr);
2199 gid = crgetgid(cr);
2200 ruid = crgetruid(cr);
2201 rgid = crgetrgid(cr);
2202 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2203 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2204 crfree(cr);
2205 au_uwrite(au_to_arg32(2, "pgid", pgid));
2206 break;
2207
2208 default:
2209 break;
2210 }
2211 }
2212
2213
2214 /*ARGSUSED*/
2215 static void
aus_setregid(struct t_audit_data * tad)2216 aus_setregid(struct t_audit_data *tad)
2217 {
2218 klwp_t *clwp = ttolwp(curthread);
2219 uint32_t rgid, egid;
2220
2221 struct a {
2222 long rgid;
2223 long egid;
2224 } *uap = (struct a *)clwp->lwp_ap;
2225
2226 rgid = (uint32_t)uap->rgid;
2227 egid = (uint32_t)uap->egid;
2228
2229 au_uwrite(au_to_arg32(1, "rgid", rgid));
2230 au_uwrite(au_to_arg32(2, "egid", egid));
2231 }
2232
2233 /*ARGSUSED*/
2234 static void
aus_setgid(struct t_audit_data * tad)2235 aus_setgid(struct t_audit_data *tad)
2236 {
2237 klwp_t *clwp = ttolwp(curthread);
2238 uint32_t gid;
2239
2240 struct a {
2241 long gid;
2242 } *uap = (struct a *)clwp->lwp_ap;
2243
2244 gid = (uint32_t)uap->gid;
2245
2246 au_uwrite(au_to_arg32(1, "gid", gid));
2247 }
2248
2249
2250 /*ARGSUSED*/
2251 static void
aus_setreuid(struct t_audit_data * tad)2252 aus_setreuid(struct t_audit_data *tad)
2253 {
2254 klwp_t *clwp = ttolwp(curthread);
2255 uint32_t ruid, euid;
2256
2257 struct a {
2258 long ruid;
2259 long euid;
2260 } *uap = (struct a *)clwp->lwp_ap;
2261
2262 ruid = (uint32_t)uap->ruid;
2263 euid = (uint32_t)uap->euid;
2264
2265 au_uwrite(au_to_arg32(1, "ruid", ruid));
2266 au_uwrite(au_to_arg32(2, "euid", euid));
2267 }
2268
2269
2270 /*ARGSUSED*/
2271 static void
aus_setuid(struct t_audit_data * tad)2272 aus_setuid(struct t_audit_data *tad)
2273 {
2274 klwp_t *clwp = ttolwp(curthread);
2275 uint32_t uid;
2276
2277 struct a {
2278 long uid;
2279 } *uap = (struct a *)clwp->lwp_ap;
2280
2281 uid = (uint32_t)uap->uid;
2282
2283 au_uwrite(au_to_arg32(1, "uid", uid));
2284 }
2285
2286 /*ARGSUSED*/
2287 static void
aus_shmsys(struct t_audit_data * tad)2288 aus_shmsys(struct t_audit_data *tad)
2289 {
2290 klwp_t *clwp = ttolwp(curthread);
2291 uint32_t id, cmd;
2292
2293 struct b {
2294 long id;
2295 long cmd;
2296 long buf; /* struct shmid_ds * */
2297 } *uap1 = (struct b *)&clwp->lwp_ap[1];
2298
2299 id = (uint32_t)uap1->id;
2300 cmd = (uint32_t)uap1->cmd;
2301
2302 switch (tad->tad_event) {
2303 case AUE_SHMGET: /* shmget */
2304 au_uwrite(au_to_arg32(1, "shm key", id));
2305 break;
2306 case AUE_SHMCTL: /* shmctl */
2307 case AUE_SHMCTL_RMID: /* shmctl */
2308 case AUE_SHMCTL_STAT: /* shmctl */
2309 case AUE_SHMCTL_SET: /* shmctl */
2310 au_uwrite(au_to_arg32(1, "shm ID", id));
2311 break;
2312 case AUE_SHMDT: /* shmdt */
2313 au_uwrite(au_to_arg32(1, "shm adr", id));
2314 break;
2315 case AUE_SHMAT: /* shmat */
2316 au_uwrite(au_to_arg32(1, "shm ID", id));
2317 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2318 break;
2319 }
2320 }
2321
2322 /*ARGSUSED*/
2323 static void
auf_shmsys(struct t_audit_data * tad,int error,rval_t * rval)2324 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2325 {
2326 int id;
2327
2328 if (error != 0)
2329 return;
2330 if (tad->tad_event == AUE_SHMGET) {
2331 uint32_t scid;
2332 uint32_t sy_flags;
2333
2334 /* need to determine type of executing binary */
2335 scid = tad->tad_scid;
2336 #ifdef _SYSCALL32_IMPL
2337 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2338 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2339 else
2340 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2341 #else
2342 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2343 #endif
2344 if (sy_flags == SE_32RVAL1)
2345 id = rval->r_val1;
2346 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2347 id = rval->r_val1;
2348 if (sy_flags == SE_64RVAL)
2349 id = (int)rval->r_vals;
2350 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2351 }
2352 }
2353
2354
2355 /*ARGSUSED*/
2356 static void
aus_ioctl(struct t_audit_data * tad)2357 aus_ioctl(struct t_audit_data *tad)
2358 {
2359 klwp_t *clwp = ttolwp(curthread);
2360 struct file *fp;
2361 struct vnode *vp;
2362 struct f_audit_data *fad;
2363 uint32_t fd, cmd;
2364 uintptr_t cmarg;
2365
2366 /* XX64 */
2367 struct a {
2368 long fd;
2369 long cmd;
2370 long cmarg; /* caddr_t */
2371 } *uap = (struct a *)clwp->lwp_ap;
2372
2373 fd = (uint32_t)uap->fd;
2374 cmd = (uint32_t)uap->cmd;
2375 cmarg = (uintptr_t)uap->cmarg;
2376
2377 /*
2378 * convert file pointer to file descriptor
2379 * Note: fd ref count incremented here.
2380 */
2381 if ((fp = getf(fd)) == NULL) {
2382 au_uwrite(au_to_arg32(1, "fd", fd));
2383 au_uwrite(au_to_arg32(2, "cmd", cmd));
2384 #ifndef _LP64
2385 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2386 #else
2387 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2388 #endif
2389 return;
2390 }
2391
2392 /* get path from file struct here */
2393 fad = F2A(fp);
2394 if (fad->fad_aupath != NULL) {
2395 au_uwrite(au_to_path(fad->fad_aupath));
2396 } else {
2397 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2398 }
2399
2400 vp = fp->f_vnode;
2401 audit_attributes(vp);
2402
2403 /* decrement file descriptor reference count */
2404 releasef(fd);
2405
2406 au_uwrite(au_to_arg32(2, "cmd", cmd));
2407 #ifndef _LP64
2408 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2409 #else
2410 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2411 #endif
2412 }
2413
2414 /*
2415 * null function for memcntl for now. We might want to limit memcntl()
2416 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2417 * require privileges.
2418 */
2419 static au_event_t
aui_memcntl(au_event_t e)2420 aui_memcntl(au_event_t e)
2421 {
2422 return (e);
2423 }
2424
2425 /*ARGSUSED*/
2426 static au_event_t
aui_privsys(au_event_t e)2427 aui_privsys(au_event_t e)
2428 {
2429 klwp_t *clwp = ttolwp(curthread);
2430
2431 struct a {
2432 long opcode;
2433 } *uap = (struct a *)clwp->lwp_ap;
2434
2435 switch (uap->opcode) {
2436 case PRIVSYS_SETPPRIV:
2437 return (AUE_SETPPRIV);
2438 default:
2439 return (AUE_NULL);
2440 }
2441 }
2442
2443 /*ARGSUSED*/
2444 static void
aus_memcntl(struct t_audit_data * tad)2445 aus_memcntl(struct t_audit_data *tad)
2446 {
2447 klwp_t *clwp = ttolwp(curthread);
2448
2449 struct a {
2450 long addr;
2451 long len;
2452 long cmd;
2453 long arg;
2454 long attr;
2455 long mask;
2456 } *uap = (struct a *)clwp->lwp_ap;
2457
2458 #ifdef _LP64
2459 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2460 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2461 #else
2462 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2463 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2464 #endif
2465 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2466 #ifdef _LP64
2467 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2468 #else
2469 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2470 #endif
2471 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2472 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2473 }
2474
2475 /*ARGSUSED*/
2476 static void
aus_mmap(struct t_audit_data * tad)2477 aus_mmap(struct t_audit_data *tad)
2478 {
2479 klwp_t *clwp = ttolwp(curthread);
2480 struct file *fp;
2481 struct f_audit_data *fad;
2482 struct vnode *vp;
2483 uint32_t fd;
2484
2485 struct a {
2486 long addr;
2487 long len;
2488 long prot;
2489 long flags;
2490 long fd;
2491 long pos;
2492 } *uap = (struct a *)clwp->lwp_ap;
2493
2494 fd = (uint32_t)uap->fd;
2495
2496 #ifdef _LP64
2497 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2498 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2499 #else
2500 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2501 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2502 #endif
2503
2504 if ((fp = getf(fd)) == NULL) {
2505 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2506 return;
2507 }
2508
2509 /*
2510 * Mark in the tad if write access is NOT requested... if
2511 * this is later detected (in audit_attributes) to be a
2512 * public object, the mmap event may be discarded.
2513 */
2514 if (((uap->prot) & PROT_WRITE) == 0) {
2515 tad->tad_ctrl |= TAD_PUBLIC_EV;
2516 }
2517
2518 fad = F2A(fp);
2519 if (fad->fad_aupath != NULL) {
2520 au_uwrite(au_to_path(fad->fad_aupath));
2521 } else {
2522 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2523 }
2524
2525 vp = (struct vnode *)fp->f_vnode;
2526 audit_attributes(vp);
2527
2528 /* mark READ/WRITE since we can't predict access */
2529 if (uap->prot & PROT_READ)
2530 fad->fad_flags |= FAD_READ;
2531 if (uap->prot & PROT_WRITE)
2532 fad->fad_flags |= FAD_WRITE;
2533
2534 /* decrement file descriptor reference count */
2535 releasef(fd);
2536
2537 } /* AUS_MMAP */
2538
2539
2540
2541
2542 /*ARGSUSED*/
2543 static void
aus_munmap(struct t_audit_data * tad)2544 aus_munmap(struct t_audit_data *tad)
2545 {
2546 klwp_t *clwp = ttolwp(curthread);
2547
2548 struct a {
2549 long addr;
2550 long len;
2551 } *uap = (struct a *)clwp->lwp_ap;
2552
2553 #ifdef _LP64
2554 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2555 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2556 #else
2557 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2558 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2559 #endif
2560
2561 } /* AUS_MUNMAP */
2562
2563
2564
2565
2566
2567
2568
2569 /*ARGSUSED*/
2570 static void
aus_priocntlsys(struct t_audit_data * tad)2571 aus_priocntlsys(struct t_audit_data *tad)
2572 {
2573 klwp_t *clwp = ttolwp(curthread);
2574
2575 struct a {
2576 long pc_version;
2577 long psp; /* procset_t */
2578 long cmd;
2579 long arg;
2580 } *uap = (struct a *)clwp->lwp_ap;
2581
2582 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2583 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2584
2585 } /* AUS_PRIOCNTLSYS */
2586
2587
2588 /*ARGSUSED*/
2589 static void
aus_setegid(struct t_audit_data * tad)2590 aus_setegid(struct t_audit_data *tad)
2591 {
2592 klwp_t *clwp = ttolwp(curthread);
2593 uint32_t gid;
2594
2595 struct a {
2596 long gid;
2597 } *uap = (struct a *)clwp->lwp_ap;
2598
2599 gid = (uint32_t)uap->gid;
2600
2601 au_uwrite(au_to_arg32(1, "gid", gid));
2602 } /* AUS_SETEGID */
2603
2604
2605
2606
2607 /*ARGSUSED*/
2608 static void
aus_setgroups(struct t_audit_data * tad)2609 aus_setgroups(struct t_audit_data *tad)
2610 {
2611 klwp_t *clwp = ttolwp(curthread);
2612 int i;
2613 int gidsetsize;
2614 uintptr_t gidset;
2615 gid_t *gidlist;
2616
2617 struct a {
2618 long gidsetsize;
2619 long gidset;
2620 } *uap = (struct a *)clwp->lwp_ap;
2621
2622 gidsetsize = (uint_t)uap->gidsetsize;
2623 gidset = (uintptr_t)uap->gidset;
2624
2625 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2626 return;
2627 if (gidsetsize != 0) {
2628 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2629 KM_SLEEP);
2630 if (copyin((caddr_t)gidset, gidlist,
2631 gidsetsize * sizeof (gid_t)) == 0)
2632 for (i = 0; i < gidsetsize; i++)
2633 au_uwrite(au_to_arg32(1, "setgroups",
2634 (uint32_t)gidlist[i]));
2635 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2636 } else
2637 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2638
2639 } /* AUS_SETGROUPS */
2640
2641
2642
2643
2644
2645 /*ARGSUSED*/
2646 static void
aus_seteuid(struct t_audit_data * tad)2647 aus_seteuid(struct t_audit_data *tad)
2648 {
2649 klwp_t *clwp = ttolwp(curthread);
2650 uint32_t uid;
2651
2652 struct a {
2653 long uid;
2654 } *uap = (struct a *)clwp->lwp_ap;
2655
2656 uid = (uint32_t)uap->uid;
2657
2658 au_uwrite(au_to_arg32(1, "euid", uid));
2659
2660 } /* AUS_SETEUID */
2661
2662 /*ARGSUSED*/
2663 static void
aus_putmsg(struct t_audit_data * tad)2664 aus_putmsg(struct t_audit_data *tad)
2665 {
2666 klwp_t *clwp = ttolwp(curthread);
2667 uint32_t fd, pri;
2668 struct file *fp;
2669 struct f_audit_data *fad;
2670
2671 struct a {
2672 long fdes;
2673 long ctl; /* struct strbuf * */
2674 long data; /* struct strbuf * */
2675 long pri;
2676 } *uap = (struct a *)clwp->lwp_ap;
2677
2678 fd = (uint32_t)uap->fdes;
2679 pri = (uint32_t)uap->pri;
2680
2681 au_uwrite(au_to_arg32(1, "fd", fd));
2682
2683 if ((fp = getf(fd)) != NULL) {
2684 fad = F2A(fp);
2685
2686 fad->fad_flags |= FAD_WRITE;
2687
2688 /* add path name to audit record */
2689 if (fad->fad_aupath != NULL) {
2690 au_uwrite(au_to_path(fad->fad_aupath));
2691 }
2692 audit_attributes(fp->f_vnode);
2693
2694 releasef(fd);
2695 }
2696
2697 au_uwrite(au_to_arg32(4, "pri", pri));
2698 }
2699
2700 /*ARGSUSED*/
2701 static void
aus_putpmsg(struct t_audit_data * tad)2702 aus_putpmsg(struct t_audit_data *tad)
2703 {
2704 klwp_t *clwp = ttolwp(curthread);
2705 uint32_t fd, pri, flags;
2706 struct file *fp;
2707 struct f_audit_data *fad;
2708
2709 struct a {
2710 long fdes;
2711 long ctl; /* struct strbuf * */
2712 long data; /* struct strbuf * */
2713 long pri;
2714 long flags;
2715 } *uap = (struct a *)clwp->lwp_ap;
2716
2717 fd = (uint32_t)uap->fdes;
2718 pri = (uint32_t)uap->pri;
2719 flags = (uint32_t)uap->flags;
2720
2721 au_uwrite(au_to_arg32(1, "fd", fd));
2722
2723 if ((fp = getf(fd)) != NULL) {
2724 fad = F2A(fp);
2725
2726 fad->fad_flags |= FAD_WRITE;
2727
2728 /* add path name to audit record */
2729 if (fad->fad_aupath != NULL) {
2730 au_uwrite(au_to_path(fad->fad_aupath));
2731 }
2732 audit_attributes(fp->f_vnode);
2733
2734 releasef(fd);
2735 }
2736
2737
2738 au_uwrite(au_to_arg32(4, "pri", pri));
2739 au_uwrite(au_to_arg32(5, "flags", flags));
2740 }
2741
2742 /*ARGSUSED*/
2743 static void
aus_getmsg(struct t_audit_data * tad)2744 aus_getmsg(struct t_audit_data *tad)
2745 {
2746 klwp_t *clwp = ttolwp(curthread);
2747 uint32_t fd, pri;
2748 struct file *fp;
2749 struct f_audit_data *fad;
2750
2751 struct a {
2752 long fdes;
2753 long ctl; /* struct strbuf * */
2754 long data; /* struct strbuf * */
2755 long pri;
2756 } *uap = (struct a *)clwp->lwp_ap;
2757
2758 fd = (uint32_t)uap->fdes;
2759 pri = (uint32_t)uap->pri;
2760
2761 au_uwrite(au_to_arg32(1, "fd", fd));
2762
2763 if ((fp = getf(fd)) != NULL) {
2764 fad = F2A(fp);
2765
2766 /*
2767 * read operation on this object
2768 */
2769 fad->fad_flags |= FAD_READ;
2770
2771 /* add path name to audit record */
2772 if (fad->fad_aupath != NULL) {
2773 au_uwrite(au_to_path(fad->fad_aupath));
2774 }
2775 audit_attributes(fp->f_vnode);
2776
2777 releasef(fd);
2778 }
2779
2780 au_uwrite(au_to_arg32(4, "pri", pri));
2781 }
2782
2783 /*ARGSUSED*/
2784 static void
aus_getpmsg(struct t_audit_data * tad)2785 aus_getpmsg(struct t_audit_data *tad)
2786 {
2787 klwp_t *clwp = ttolwp(curthread);
2788 uint32_t fd;
2789 struct file *fp;
2790 struct f_audit_data *fad;
2791
2792 struct a {
2793 long fdes;
2794 long ctl; /* struct strbuf * */
2795 long data; /* struct strbuf * */
2796 long pri;
2797 long flags;
2798 } *uap = (struct a *)clwp->lwp_ap;
2799
2800 fd = (uint32_t)uap->fdes;
2801
2802 au_uwrite(au_to_arg32(1, "fd", fd));
2803
2804 if ((fp = getf(fd)) != NULL) {
2805 fad = F2A(fp);
2806
2807 /*
2808 * read operation on this object
2809 */
2810 fad->fad_flags |= FAD_READ;
2811
2812 /* add path name to audit record */
2813 if (fad->fad_aupath != NULL) {
2814 au_uwrite(au_to_path(fad->fad_aupath));
2815 }
2816 audit_attributes(fp->f_vnode);
2817
2818 releasef(fd);
2819 }
2820 }
2821
2822 static au_event_t
aui_labelsys(au_event_t e)2823 aui_labelsys(au_event_t e)
2824 {
2825 klwp_t *clwp = ttolwp(curthread);
2826 uint32_t code;
2827 uint32_t cmd;
2828
2829 struct a {
2830 long code;
2831 long cmd;
2832 } *uap = (struct a *)clwp->lwp_ap;
2833
2834 code = (uint32_t)uap->code;
2835 cmd = (uint32_t)uap->cmd;
2836
2837 /* not security relevant if not changing kernel cache */
2838 if (cmd == TNDB_GET)
2839 return (AUE_NULL);
2840
2841 switch (code) {
2842 case TSOL_TNRH:
2843 e = AUE_LABELSYS_TNRH;
2844 break;
2845 case TSOL_TNRHTP:
2846 e = AUE_LABELSYS_TNRHTP;
2847 break;
2848 case TSOL_TNMLP:
2849 e = AUE_LABELSYS_TNMLP;
2850 break;
2851 default:
2852 e = AUE_NULL;
2853 break;
2854 }
2855
2856 return (e);
2857
2858 }
2859
2860 static void
aus_labelsys(struct t_audit_data * tad)2861 aus_labelsys(struct t_audit_data *tad)
2862 {
2863 klwp_t *clwp = ttolwp(curthread);
2864 uint32_t cmd;
2865 uintptr_t a2;
2866
2867 struct a {
2868 long code;
2869 long cmd;
2870 long a2;
2871 } *uap = (struct a *)clwp->lwp_ap;
2872
2873 cmd = (uint32_t)uap->cmd;
2874 a2 = (uintptr_t)uap->a2;
2875
2876 switch (tad->tad_event) {
2877 case AUE_LABELSYS_TNRH:
2878 {
2879 tsol_rhent_t *rhent;
2880 tnaddr_t *rh_addr;
2881
2882 au_uwrite(au_to_arg32(1, "cmd", cmd));
2883
2884 /* Remaining args don't apply for FLUSH, so skip */
2885 if (cmd == TNDB_FLUSH)
2886 break;
2887
2888 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2889 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2890 kmem_free(rhent, sizeof (tsol_rhent_t));
2891 return;
2892 }
2893
2894 rh_addr = &rhent->rh_address;
2895 if (rh_addr->ta_family == AF_INET) {
2896 struct in_addr *ipaddr;
2897
2898 ipaddr = &(rh_addr->ta_addr_v4);
2899 au_uwrite(au_to_in_addr(ipaddr));
2900 } else if (rh_addr->ta_family == AF_INET6) {
2901 int32_t *ipaddr;
2902
2903 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2904 au_uwrite(au_to_in_addr_ex(ipaddr));
2905 }
2906 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2907
2908 kmem_free(rhent, sizeof (tsol_rhent_t));
2909
2910 break;
2911 }
2912 case AUE_LABELSYS_TNRHTP:
2913 {
2914 tsol_tpent_t *tpent;
2915
2916 au_uwrite(au_to_arg32(1, "cmd", cmd));
2917
2918 /* Remaining args don't apply for FLUSH, so skip */
2919 if (cmd == TNDB_FLUSH)
2920 break;
2921
2922 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2923 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2924 kmem_free(tpent, sizeof (tsol_tpent_t));
2925 return;
2926 }
2927
2928 /* Make sure that the template name is null-terminated. */
2929 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2930
2931 au_uwrite(au_to_text(tpent->name));
2932 kmem_free(tpent, sizeof (tsol_tpent_t));
2933
2934 break;
2935 }
2936 case AUE_LABELSYS_TNMLP:
2937 {
2938 tsol_mlpent_t *mlpent;
2939
2940 au_uwrite(au_to_arg32(1, "cmd", cmd));
2941
2942 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2943 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2944 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2945 return;
2946 }
2947
2948 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2949 au_uwrite(au_to_text("shared"));
2950 } else {
2951 zone_t *zone;
2952
2953 zone = zone_find_by_id(mlpent->tsme_zoneid);
2954 if (zone != NULL) {
2955 au_uwrite(au_to_text(zone->zone_name));
2956 zone_rele(zone);
2957 }
2958 }
2959
2960 /* Remaining args don't apply for FLUSH, so skip */
2961 if (cmd == TNDB_FLUSH) {
2962 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2963 break;
2964 }
2965
2966 au_uwrite(au_to_arg32(2, "proto num",
2967 (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2968 au_uwrite(au_to_arg32(2, "mlp_port",
2969 (uint32_t)mlpent->tsme_mlp.mlp_port));
2970
2971 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2972 au_uwrite(au_to_arg32(2, "mlp_port_upper",
2973 (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2974
2975 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2976
2977 break;
2978 }
2979 default:
2980 break;
2981 }
2982 }
2983
2984
2985 static au_event_t
aui_auditsys(au_event_t e)2986 aui_auditsys(au_event_t e)
2987 {
2988 klwp_t *clwp = ttolwp(curthread);
2989 uint32_t code;
2990
2991 struct a {
2992 long code;
2993 long a1;
2994 long a2;
2995 long a3;
2996 long a4;
2997 long a5;
2998 long a6;
2999 long a7;
3000 } *uap = (struct a *)clwp->lwp_ap;
3001
3002 code = (uint32_t)uap->code;
3003
3004 switch (code) {
3005
3006 case BSM_GETAUID:
3007 e = AUE_GETAUID;
3008 break;
3009 case BSM_SETAUID:
3010 e = AUE_SETAUID;
3011 break;
3012 case BSM_GETAUDIT:
3013 e = AUE_GETAUDIT;
3014 break;
3015 case BSM_GETAUDIT_ADDR:
3016 e = AUE_GETAUDIT_ADDR;
3017 break;
3018 case BSM_SETAUDIT:
3019 e = AUE_SETAUDIT;
3020 break;
3021 case BSM_SETAUDIT_ADDR:
3022 e = AUE_SETAUDIT_ADDR;
3023 break;
3024 case BSM_AUDIT:
3025 e = AUE_AUDIT;
3026 break;
3027 case BSM_AUDITCTL:
3028 switch ((uint_t)uap->a1) {
3029
3030 case A_GETPOLICY:
3031 e = AUE_AUDITON_GPOLICY;
3032 break;
3033 case A_SETPOLICY:
3034 e = AUE_AUDITON_SPOLICY;
3035 break;
3036 case A_GETAMASK:
3037 e = AUE_AUDITON_GETAMASK;
3038 break;
3039 case A_SETAMASK:
3040 e = AUE_AUDITON_SETAMASK;
3041 break;
3042 case A_GETKMASK:
3043 e = AUE_AUDITON_GETKMASK;
3044 break;
3045 case A_SETKMASK:
3046 e = AUE_AUDITON_SETKMASK;
3047 break;
3048 case A_GETQCTRL:
3049 e = AUE_AUDITON_GQCTRL;
3050 break;
3051 case A_SETQCTRL:
3052 e = AUE_AUDITON_SQCTRL;
3053 break;
3054 case A_GETCWD:
3055 e = AUE_AUDITON_GETCWD;
3056 break;
3057 case A_GETCAR:
3058 e = AUE_AUDITON_GETCAR;
3059 break;
3060 case A_GETSTAT:
3061 e = AUE_AUDITON_GETSTAT;
3062 break;
3063 case A_SETSTAT:
3064 e = AUE_AUDITON_SETSTAT;
3065 break;
3066 case A_SETUMASK:
3067 e = AUE_AUDITON_SETUMASK;
3068 break;
3069 case A_SETSMASK:
3070 e = AUE_AUDITON_SETSMASK;
3071 break;
3072 case A_GETCOND:
3073 e = AUE_AUDITON_GETCOND;
3074 break;
3075 case A_SETCOND:
3076 e = AUE_AUDITON_SETCOND;
3077 break;
3078 case A_GETCLASS:
3079 e = AUE_AUDITON_GETCLASS;
3080 break;
3081 case A_SETCLASS:
3082 e = AUE_AUDITON_SETCLASS;
3083 break;
3084 case A_GETPINFO:
3085 case A_GETPINFO_ADDR:
3086 e = AUE_AUDITON_GETPINFO;
3087 break;
3088 case A_SETPMASK:
3089 e = AUE_AUDITON_SETPMASK;
3090 break;
3091 case A_GETKAUDIT:
3092 e = AUE_AUDITON_GETKAUDIT;
3093 break;
3094 case A_SETKAUDIT:
3095 e = AUE_AUDITON_SETKAUDIT;
3096 break;
3097 default:
3098 e = AUE_AUDITON_OTHER;
3099 break;
3100 }
3101 break;
3102 default:
3103 e = AUE_NULL;
3104 break;
3105 }
3106
3107 return (e);
3108
3109 } /* AUI_AUDITSYS */
3110
3111
3112 static void
aus_auditsys(struct t_audit_data * tad)3113 aus_auditsys(struct t_audit_data *tad)
3114 {
3115 klwp_t *clwp = ttolwp(curthread);
3116 uintptr_t a1, a2;
3117 STRUCT_DECL(auditinfo, ainfo);
3118 STRUCT_DECL(auditinfo_addr, ainfo_addr);
3119 STRUCT_DECL(auditpinfo, apinfo);
3120 au_evclass_map_t event;
3121 au_mask_t mask;
3122 int auditstate, policy;
3123 au_id_t auid;
3124
3125
3126 struct a {
3127 long code;
3128 long a1;
3129 long a2;
3130 long a3;
3131 long a4;
3132 long a5;
3133 long a6;
3134 long a7;
3135 } *uap = (struct a *)clwp->lwp_ap;
3136
3137 a1 = (uintptr_t)uap->a1;
3138 a2 = (uintptr_t)uap->a2;
3139
3140 switch (tad->tad_event) {
3141 case AUE_SETAUID:
3142 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3143 return;
3144 au_uwrite(au_to_arg32(2, "setauid", auid));
3145 break;
3146 case AUE_SETAUDIT:
3147 STRUCT_INIT(ainfo, get_udatamodel());
3148 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3149 STRUCT_SIZE(ainfo))) {
3150 return;
3151 }
3152 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3153 (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3154 #ifdef _LP64
3155 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3156 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3157 #else
3158 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3159 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3160 #endif
3161 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3162 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3163 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3164 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3165 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3166 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3167 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3168 (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3169 break;
3170 case AUE_SETAUDIT_ADDR:
3171 STRUCT_INIT(ainfo_addr, get_udatamodel());
3172 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3173 STRUCT_SIZE(ainfo_addr))) {
3174 return;
3175 }
3176 au_uwrite(au_to_arg32((char)1, "auid",
3177 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3178 #ifdef _LP64
3179 au_uwrite(au_to_arg64((char)1, "port",
3180 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3181 #else
3182 au_uwrite(au_to_arg32((char)1, "port",
3183 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3184 #endif
3185 au_uwrite(au_to_arg32((char)1, "type",
3186 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3187 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3188 AU_IPv4) {
3189 au_uwrite(au_to_in_addr(
3190 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3191 ai_termid.at_addr)));
3192 } else {
3193 au_uwrite(au_to_in_addr_ex(
3194 (int32_t *)STRUCT_FGETP(ainfo_addr,
3195 ai_termid.at_addr)));
3196 }
3197 au_uwrite(au_to_arg32((char)1, "as_success",
3198 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3199 au_uwrite(au_to_arg32((char)1, "as_failure",
3200 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3201 au_uwrite(au_to_arg32((char)1, "asid",
3202 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3203 break;
3204 case AUE_AUDITON_SETAMASK:
3205 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3206 return;
3207 au_uwrite(au_to_arg32(
3208 2, "setamask:as_success", (uint32_t)mask.as_success));
3209 au_uwrite(au_to_arg32(
3210 2, "setamask:as_failure", (uint32_t)mask.as_failure));
3211 break;
3212 case AUE_AUDITON_SETKMASK:
3213 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3214 return;
3215 au_uwrite(au_to_arg32(
3216 2, "setkmask:as_success", (uint32_t)mask.as_success));
3217 au_uwrite(au_to_arg32(
3218 2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3219 break;
3220 case AUE_AUDITON_SPOLICY:
3221 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3222 return;
3223 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3224 break;
3225 case AUE_AUDITON_SQCTRL: {
3226 STRUCT_DECL(au_qctrl, qctrl);
3227 model_t model;
3228
3229 model = get_udatamodel();
3230 STRUCT_INIT(qctrl, model);
3231 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3232 return;
3233 if (model == DATAMODEL_ILP32) {
3234 au_uwrite(au_to_arg32(
3235 3, "setqctrl:aq_hiwater",
3236 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3237 au_uwrite(au_to_arg32(
3238 3, "setqctrl:aq_lowater",
3239 (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3240 au_uwrite(au_to_arg32(
3241 3, "setqctrl:aq_bufsz",
3242 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3243 au_uwrite(au_to_arg32(
3244 3, "setqctrl:aq_delay",
3245 (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3246 } else {
3247 au_uwrite(au_to_arg64(
3248 3, "setqctrl:aq_hiwater",
3249 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3250 au_uwrite(au_to_arg64(
3251 3, "setqctrl:aq_lowater",
3252 (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3253 au_uwrite(au_to_arg64(
3254 3, "setqctrl:aq_bufsz",
3255 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3256 au_uwrite(au_to_arg64(
3257 3, "setqctrl:aq_delay",
3258 (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3259 }
3260 break;
3261 }
3262 case AUE_AUDITON_SETUMASK:
3263 STRUCT_INIT(ainfo, get_udatamodel());
3264 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3265 STRUCT_SIZE(ainfo))) {
3266 return;
3267 }
3268 au_uwrite(au_to_arg32(3, "setumask:as_success",
3269 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3270 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3271 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3272 break;
3273 case AUE_AUDITON_SETSMASK:
3274 STRUCT_INIT(ainfo, get_udatamodel());
3275 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3276 STRUCT_SIZE(ainfo))) {
3277 return;
3278 }
3279 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3280 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3281 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3282 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3283 break;
3284 case AUE_AUDITON_SETCOND:
3285 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3286 return;
3287 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3288 break;
3289 case AUE_AUDITON_SETCLASS:
3290 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3291 return;
3292 au_uwrite(au_to_arg32(
3293 2, "setclass:ec_event", (uint32_t)event.ec_number));
3294 au_uwrite(au_to_arg32(
3295 3, "setclass:ec_class", (uint32_t)event.ec_class));
3296 break;
3297 case AUE_AUDITON_SETPMASK:
3298 STRUCT_INIT(apinfo, get_udatamodel());
3299 if (copyin((caddr_t)uap->a2, STRUCT_BUF(apinfo),
3300 STRUCT_SIZE(apinfo))) {
3301 return;
3302 }
3303 au_uwrite(au_to_arg32(3, "setpmask:pid",
3304 (uint32_t)STRUCT_FGET(apinfo, ap_pid)));
3305 au_uwrite(au_to_arg32(3, "setpmask:as_success",
3306 (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_success)));
3307 au_uwrite(au_to_arg32(3, "setpmask:as_failure",
3308 (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_failure)));
3309 break;
3310 case AUE_AUDITON_SETKAUDIT:
3311 STRUCT_INIT(ainfo_addr, get_udatamodel());
3312 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3313 STRUCT_SIZE(ainfo_addr))) {
3314 return;
3315 }
3316 au_uwrite(au_to_arg32((char)1, "auid",
3317 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3318 #ifdef _LP64
3319 au_uwrite(au_to_arg64((char)1, "port",
3320 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3321 #else
3322 au_uwrite(au_to_arg32((char)1, "port",
3323 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3324 #endif
3325 au_uwrite(au_to_arg32((char)1, "type",
3326 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3327 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3328 AU_IPv4) {
3329 au_uwrite(au_to_in_addr(
3330 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3331 ai_termid.at_addr)));
3332 } else {
3333 au_uwrite(au_to_in_addr_ex(
3334 (int32_t *)STRUCT_FGETP(ainfo_addr,
3335 ai_termid.at_addr)));
3336 }
3337 au_uwrite(au_to_arg32((char)1, "as_success",
3338 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3339 au_uwrite(au_to_arg32((char)1, "as_failure",
3340 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3341 au_uwrite(au_to_arg32((char)1, "asid",
3342 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3343 break;
3344 case AUE_GETAUID:
3345 case AUE_GETAUDIT:
3346 case AUE_GETAUDIT_ADDR:
3347 case AUE_AUDIT:
3348 case AUE_AUDITON_GPOLICY:
3349 case AUE_AUDITON_GQCTRL:
3350 case AUE_AUDITON_GETAMASK:
3351 case AUE_AUDITON_GETKMASK:
3352 case AUE_AUDITON_GETCWD:
3353 case AUE_AUDITON_GETCAR:
3354 case AUE_AUDITON_GETSTAT:
3355 case AUE_AUDITON_SETSTAT:
3356 case AUE_AUDITON_GETCOND:
3357 case AUE_AUDITON_GETCLASS:
3358 case AUE_AUDITON_GETPINFO:
3359 case AUE_AUDITON_GETKAUDIT:
3360 case AUE_AUDITON_OTHER:
3361 break;
3362 default:
3363 break;
3364 }
3365
3366 } /* AUS_AUDITSYS */
3367
3368
3369 /* only audit privileged operations for systeminfo(2) system call */
3370 static au_event_t
aui_sysinfo(au_event_t e)3371 aui_sysinfo(au_event_t e)
3372 {
3373 klwp_t *clwp = ttolwp(curthread);
3374 uint32_t command;
3375
3376 struct a {
3377 long command;
3378 long buf; /* char * */
3379 long count;
3380 } *uap = (struct a *)clwp->lwp_ap;
3381
3382 command = (uint32_t)uap->command;
3383
3384 switch (command) {
3385 case SI_SET_HOSTNAME:
3386 case SI_SET_SRPC_DOMAIN:
3387 e = (au_event_t)AUE_SYSINFO;
3388 break;
3389 default:
3390 e = (au_event_t)AUE_NULL;
3391 break;
3392 }
3393 return (e);
3394 }
3395
3396 /*ARGSUSED*/
3397 static void
aus_sysinfo(struct t_audit_data * tad)3398 aus_sysinfo(struct t_audit_data *tad)
3399 {
3400 klwp_t *clwp = ttolwp(curthread);
3401 uint32_t command;
3402 size_t len, maxlen;
3403 char *name;
3404 uintptr_t buf;
3405
3406 struct a {
3407 long command;
3408 long buf; /* char * */
3409 long count;
3410 } *uap = (struct a *)clwp->lwp_ap;
3411
3412 command = (uint32_t)uap->command;
3413 buf = (uintptr_t)uap->buf;
3414
3415 au_uwrite(au_to_arg32(1, "cmd", command));
3416
3417 switch (command) {
3418 case SI_SET_HOSTNAME:
3419 {
3420 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3421 return;
3422
3423 maxlen = SYS_NMLN;
3424 name = kmem_alloc(maxlen, KM_SLEEP);
3425 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3426 break;
3427
3428 /*
3429 * Must be non-NULL string and string
3430 * must be less than SYS_NMLN chars.
3431 */
3432 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3433 break;
3434
3435 au_uwrite(au_to_text(name));
3436 break;
3437 }
3438
3439 case SI_SET_SRPC_DOMAIN:
3440 {
3441 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3442 return;
3443
3444 maxlen = SYS_NMLN;
3445 name = kmem_alloc(maxlen, KM_SLEEP);
3446 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3447 break;
3448
3449 /*
3450 * If string passed in is longer than length
3451 * allowed for domain name, fail.
3452 */
3453 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3454 break;
3455
3456 au_uwrite(au_to_text(name));
3457 break;
3458 }
3459
3460 default:
3461 return;
3462 }
3463
3464 kmem_free(name, maxlen);
3465 }
3466
3467 static au_event_t
aui_modctl(au_event_t e)3468 aui_modctl(au_event_t e)
3469 {
3470 klwp_t *clwp = ttolwp(curthread);
3471 uint_t cmd;
3472
3473 struct a {
3474 long cmd;
3475 } *uap = (struct a *)clwp->lwp_ap;
3476
3477 cmd = (uint_t)uap->cmd;
3478
3479 switch (cmd) {
3480 case MODLOAD:
3481 e = AUE_MODLOAD;
3482 break;
3483 case MODUNLOAD:
3484 e = AUE_MODUNLOAD;
3485 break;
3486 case MODADDMAJBIND:
3487 e = AUE_MODADDMAJ;
3488 break;
3489 case MODSETDEVPOLICY:
3490 e = AUE_MODDEVPLCY;
3491 break;
3492 case MODALLOCPRIV:
3493 e = AUE_MODADDPRIV;
3494 break;
3495 default:
3496 e = AUE_NULL;
3497 break;
3498 }
3499 return (e);
3500 }
3501
3502
3503 /*ARGSUSED*/
3504 static void
aus_modctl(struct t_audit_data * tad)3505 aus_modctl(struct t_audit_data *tad)
3506 {
3507 klwp_t *clwp = ttolwp(curthread);
3508 void *a = clwp->lwp_ap;
3509 uint_t use_path;
3510
3511 switch (tad->tad_event) {
3512 case AUE_MODLOAD: {
3513 typedef struct {
3514 long cmd;
3515 long use_path;
3516 long filename; /* char * */
3517 } modloada_t;
3518
3519 char *filenamep;
3520 uintptr_t fname;
3521 extern char *default_path;
3522
3523 fname = (uintptr_t)((modloada_t *)a)->filename;
3524 use_path = (uint_t)((modloada_t *)a)->use_path;
3525
3526 /* space to hold path */
3527 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3528 /* get string */
3529 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3530 /* free allocated path */
3531 kmem_free(filenamep, MOD_MAXPATH);
3532 return;
3533 }
3534 /* ensure it's null terminated */
3535 filenamep[MOD_MAXPATH - 1] = 0;
3536
3537 if (use_path)
3538 au_uwrite(au_to_text(default_path));
3539 au_uwrite(au_to_text(filenamep));
3540
3541 /* release temporary memory */
3542 kmem_free(filenamep, MOD_MAXPATH);
3543 break;
3544 }
3545 case AUE_MODUNLOAD: {
3546 typedef struct {
3547 long cmd;
3548 long id;
3549 } modunloada_t;
3550
3551 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3552
3553 au_uwrite(au_to_arg32(1, "id", id));
3554 break;
3555 }
3556 case AUE_MODADDMAJ: {
3557 STRUCT_DECL(modconfig, mc);
3558 typedef struct {
3559 long cmd;
3560 long subcmd;
3561 long data; /* int * */
3562 } modconfiga_t;
3563
3564 STRUCT_DECL(aliases, alias);
3565 caddr_t ap;
3566 int i, num_aliases;
3567 char *drvname, *mc_drvname;
3568 char *name;
3569 extern char *ddi_major_to_name(major_t);
3570 model_t model;
3571
3572 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3573
3574 model = get_udatamodel();
3575 STRUCT_INIT(mc, model);
3576 /* sanitize buffer */
3577 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3578 /* get user arguments */
3579 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3580 STRUCT_SIZE(mc)) != 0)
3581 return;
3582
3583 mc_drvname = STRUCT_FGET(mc, drvname);
3584 if ((drvname = ddi_major_to_name(
3585 (major_t)STRUCT_FGET(mc, major))) != NULL &&
3586 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3587 /* safety */
3588 if (mc_drvname[0] != '\0') {
3589 mc_drvname[MAXMODCONFNAME-1] = '\0';
3590 au_uwrite(au_to_text(mc_drvname));
3591 }
3592 /* drvname != NULL from test above */
3593 au_uwrite(au_to_text(drvname));
3594 return;
3595 }
3596
3597 if (mc_drvname[0] != '\0') {
3598 /* safety */
3599 mc_drvname[MAXMODCONFNAME-1] = '\0';
3600 au_uwrite(au_to_text(mc_drvname));
3601 } else
3602 au_uwrite(au_to_text("no drvname"));
3603
3604 num_aliases = STRUCT_FGET(mc, num_aliases);
3605 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3606 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3607 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3608 STRUCT_INIT(alias, model);
3609 for (i = 0; i < num_aliases; i++) {
3610 bzero((caddr_t)STRUCT_BUF(alias),
3611 STRUCT_SIZE(alias));
3612 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3613 STRUCT_SIZE(alias)) != 0)
3614 break;
3615 if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3616 MAXMODCONFNAME, NULL) != 0) {
3617 break;
3618 }
3619
3620 au_uwrite(au_to_text(name));
3621 ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3622 }
3623 kmem_free(name, MAXMODCONFNAME);
3624 break;
3625 }
3626 default:
3627 break;
3628 }
3629 }
3630
3631
3632 /*ARGSUSED*/
3633 static void
auf_accept(struct t_audit_data * tad,int error,rval_t * rval)3634 auf_accept(
3635 struct t_audit_data *tad,
3636 int error,
3637 rval_t *rval)
3638 {
3639 uint32_t scid;
3640 uint32_t sy_flags;
3641 int fd;
3642 struct sonode *so;
3643 char so_laddr[sizeof (struct sockaddr_in6)];
3644 char so_faddr[sizeof (struct sockaddr_in6)];
3645 int err;
3646 short so_family, so_type;
3647 int add_sock_token = 0;
3648
3649 /* need to determine type of executing binary */
3650 scid = tad->tad_scid;
3651 #ifdef _SYSCALL32_IMPL
3652 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3653 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3654 else
3655 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3656 #else
3657 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3658 #endif
3659 switch (sy_flags) {
3660 case SE_32RVAL1:
3661 /* FALLTHRU */
3662 case SE_32RVAL2|SE_32RVAL1:
3663 fd = rval->r_val1;
3664 break;
3665 case SE_64RVAL:
3666 fd = (int)rval->r_vals;
3667 break;
3668 default:
3669 /*
3670 * should never happen, seems to be an internal error
3671 * in sysent => no fd, nothing to audit here, returning
3672 */
3673 return;
3674 }
3675
3676 if (error) {
3677 /* can't trust socket contents. Just return */
3678 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3679 return;
3680 }
3681
3682 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3683 /*
3684 * not security relevant if doing a accept from non socket
3685 * so no extra tokens. Should probably turn off audit record
3686 * generation here.
3687 */
3688 return;
3689 }
3690
3691 so_family = so->so_family;
3692 so_type = so->so_type;
3693
3694 switch (so_family) {
3695 case AF_INET:
3696 case AF_INET6:
3697 /*
3698 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3699 */
3700 if (so->so_type == SOCK_STREAM) {
3701 socklen_t len;
3702
3703 bzero((void *)so_laddr, sizeof (so_laddr));
3704 bzero((void *)so_faddr, sizeof (so_faddr));
3705
3706 len = sizeof (so_laddr);
3707 (void) socket_getsockname(so,
3708 (struct sockaddr *)so_laddr, &len, CRED());
3709 len = sizeof (so_faddr);
3710 (void) socket_getpeername(so,
3711 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3712
3713 add_sock_token = 1;
3714 }
3715 break;
3716
3717 default:
3718 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3719 break;
3720 }
3721
3722 releasef(fd);
3723
3724 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3725
3726 if (add_sock_token == 0) {
3727 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3728 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3729 return;
3730 }
3731
3732 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3733
3734 }
3735
3736 /*ARGSUSED*/
3737 static void
auf_bind(struct t_audit_data * tad,int error,rval_t * rvp)3738 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3739 {
3740 struct a {
3741 long fd;
3742 long addr;
3743 long len;
3744 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3745
3746 struct sonode *so;
3747 char so_laddr[sizeof (struct sockaddr_in6)];
3748 char so_faddr[sizeof (struct sockaddr_in6)];
3749 int err, fd;
3750 socklen_t len;
3751 short so_family, so_type;
3752 int add_sock_token = 0;
3753
3754 fd = (int)uap->fd;
3755
3756 /*
3757 * bind failed, then nothing extra to add to audit record.
3758 */
3759 if (error) {
3760 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3761 /* XXX may want to add failed address some day */
3762 return;
3763 }
3764
3765 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3766 /*
3767 * not security relevant if doing a bind from non socket
3768 * so no extra tokens. Should probably turn off audit record
3769 * generation here.
3770 */
3771 return;
3772 }
3773
3774 so_family = so->so_family;
3775 so_type = so->so_type;
3776
3777 switch (so_family) {
3778 case AF_INET:
3779 case AF_INET6:
3780
3781 bzero(so_faddr, sizeof (so_faddr));
3782 len = sizeof (so_faddr);
3783
3784 (void) socket_getpeername(so,
3785 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3786 add_sock_token = 1;
3787
3788 break;
3789
3790 case AF_UNIX:
3791 /* token added by lookup */
3792 break;
3793 default:
3794 /* AF_ROUTE, AF_KEY do not support accept */
3795 break;
3796 }
3797
3798 releasef(fd);
3799
3800 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3801
3802 if (add_sock_token == 0) {
3803 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3804 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3805 return;
3806 }
3807
3808 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3809
3810 }
3811
3812 /*ARGSUSED*/
3813 static void
auf_connect(struct t_audit_data * tad,int error,rval_t * rval)3814 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3815 {
3816 struct a {
3817 long fd;
3818 long addr;
3819 long len;
3820 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3821
3822 struct sonode *so;
3823 char so_laddr[sizeof (struct sockaddr_in6)];
3824 char so_faddr[sizeof (struct sockaddr_in6)];
3825 int err, fd;
3826 socklen_t len;
3827 short so_family, so_type;
3828 int add_sock_token = 0;
3829
3830 fd = (int)uap->fd;
3831
3832
3833 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3834 /*
3835 * not security relevant if doing a connect from non socket
3836 * so no extra tokens. Should probably turn off audit record
3837 * generation here.
3838 */
3839 return;
3840 }
3841
3842 so_family = so->so_family;
3843 so_type = so->so_type;
3844
3845 switch (so_family) {
3846 case AF_INET:
3847 case AF_INET6:
3848
3849 bzero(so_laddr, sizeof (so_laddr));
3850 bzero(so_faddr, sizeof (so_faddr));
3851
3852 len = sizeof (so_laddr);
3853 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3854 &len, CRED());
3855 if (error) {
3856 if (uap->addr == 0)
3857 break;
3858 if (uap->len <= 0)
3859 break;
3860 len = min(uap->len, sizeof (so_faddr));
3861 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3862 break;
3863 #ifdef NOTYET
3864 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3865 #endif
3866 } else {
3867 /* sanity check on length */
3868 len = sizeof (so_faddr);
3869 (void) socket_getpeername(so,
3870 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3871 }
3872
3873 add_sock_token = 1;
3874
3875 break;
3876
3877 case AF_UNIX:
3878 /* does a lookup on name */
3879 break;
3880
3881 default:
3882 /* AF_ROUTE, AF_KEY do not support accept */
3883 break;
3884 }
3885
3886 releasef(fd);
3887
3888 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3889
3890 if (add_sock_token == 0) {
3891 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3892 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3893 return;
3894 }
3895
3896 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3897
3898 }
3899
3900 /*ARGSUSED*/
3901 static void
aus_shutdown(struct t_audit_data * tad)3902 aus_shutdown(struct t_audit_data *tad)
3903 {
3904 struct a {
3905 long fd;
3906 long how;
3907 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3908
3909 struct sonode *so;
3910 char so_laddr[sizeof (struct sockaddr_in6)];
3911 char so_faddr[sizeof (struct sockaddr_in6)];
3912 int err, fd;
3913 socklen_t len;
3914 short so_family, so_type;
3915 int add_sock_token = 0;
3916 file_t *fp; /* unix domain sockets */
3917 struct f_audit_data *fad; /* unix domain sockets */
3918
3919 fd = (int)uap->fd;
3920
3921 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3922 /*
3923 * not security relevant if doing a shutdown using non socket
3924 * so no extra tokens. Should probably turn off audit record
3925 * generation here.
3926 */
3927 return;
3928 }
3929
3930 so_family = so->so_family;
3931 so_type = so->so_type;
3932
3933 switch (so_family) {
3934 case AF_INET:
3935 case AF_INET6:
3936
3937 bzero(so_laddr, sizeof (so_laddr));
3938 bzero(so_faddr, sizeof (so_faddr));
3939
3940 len = sizeof (so_laddr);
3941 (void) socket_getsockname(so,
3942 (struct sockaddr *)so_laddr, &len, CRED());
3943 len = sizeof (so_faddr);
3944 (void) socket_getpeername(so,
3945 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3946
3947 add_sock_token = 1;
3948
3949 break;
3950
3951 case AF_UNIX:
3952
3953 /* get path from file struct here */
3954 fad = F2A(fp);
3955 ASSERT(fad);
3956
3957 if (fad->fad_aupath != NULL) {
3958 au_uwrite(au_to_path(fad->fad_aupath));
3959 } else {
3960 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3961 }
3962
3963 audit_attributes(fp->f_vnode);
3964
3965 break;
3966
3967 default:
3968 /*
3969 * AF_KEY and AF_ROUTE support shutdown. No socket token
3970 * added.
3971 */
3972 break;
3973 }
3974
3975 releasef(fd);
3976
3977 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3978
3979 if (add_sock_token == 0) {
3980 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3981 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3982 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3983 return;
3984 }
3985
3986 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3987
3988 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3989
3990 }
3991
3992 /*ARGSUSED*/
3993 static void
auf_setsockopt(struct t_audit_data * tad,int error,rval_t * rval)3994 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3995 {
3996 struct a {
3997 long fd;
3998 long level;
3999 long optname;
4000 long *optval;
4001 long optlen;
4002 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4003
4004 struct sonode *so;
4005 char so_laddr[sizeof (struct sockaddr_in6)];
4006 char so_faddr[sizeof (struct sockaddr_in6)];
4007 char val[AU_BUFSIZE];
4008 int err, fd;
4009 socklen_t len;
4010 short so_family, so_type;
4011 int add_sock_token = 0;
4012 file_t *fp; /* unix domain sockets */
4013 struct f_audit_data *fad; /* unix domain sockets */
4014
4015 fd = (int)uap->fd;
4016
4017 if (error) {
4018 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4019 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
4020 /* XXX may want to include other arguments */
4021 return;
4022 }
4023
4024 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4025 /*
4026 * not security relevant if doing a setsockopt from non socket
4027 * so no extra tokens. Should probably turn off audit record
4028 * generation here.
4029 */
4030 return;
4031 }
4032
4033 so_family = so->so_family;
4034 so_type = so->so_type;
4035
4036 switch (so_family) {
4037 case AF_INET:
4038 case AF_INET6:
4039 bzero((void *)so_laddr, sizeof (so_laddr));
4040 bzero((void *)so_faddr, sizeof (so_faddr));
4041
4042 /* get local and foreign addresses */
4043 len = sizeof (so_laddr);
4044 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
4045 &len, CRED());
4046 len = sizeof (so_faddr);
4047 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
4048 &len, B_FALSE, CRED());
4049
4050 add_sock_token = 1;
4051
4052 break;
4053
4054 case AF_UNIX:
4055
4056 /* get path from file struct here */
4057 fad = F2A(fp);
4058 ASSERT(fad);
4059
4060 if (fad->fad_aupath != NULL) {
4061 au_uwrite(au_to_path(fad->fad_aupath));
4062 } else {
4063 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4064 }
4065
4066 audit_attributes(fp->f_vnode);
4067
4068 break;
4069
4070 default:
4071 /*
4072 * AF_KEY and AF_ROUTE support setsockopt. No socket token
4073 * added.
4074 */
4075 break;
4076 }
4077
4078 releasef(fd);
4079
4080 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4081
4082 if (add_sock_token == 0) {
4083 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
4084 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
4085 }
4086 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
4087 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
4088
4089 bzero(val, sizeof (val));
4090 len = min(uap->optlen, sizeof (val));
4091 if ((len > 0) &&
4092 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
4093 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
4094 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
4095 }
4096
4097 if (add_sock_token == 0)
4098 return;
4099
4100 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4101
4102 }
4103
4104 /*ARGSUSED*/
4105 static void
aus_sockconfig(struct t_audit_data * tad)4106 aus_sockconfig(struct t_audit_data *tad)
4107 {
4108 struct a {
4109 long cmd;
4110 long arg1;
4111 long arg2;
4112 long arg3;
4113 long arg4;
4114 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4115
4116 char *buf;
4117 int buflen;
4118 size_t size;
4119
4120 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4121 switch (uap->cmd) {
4122 case SOCKCONFIG_ADD_SOCK:
4123 case SOCKCONFIG_REMOVE_SOCK:
4124 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4125 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4126 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4127
4128 if (uap->arg4 == 0) {
4129 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4130 } else {
4131 buflen = MAXPATHLEN + 1;
4132 buf = kmem_alloc(buflen, KM_SLEEP);
4133 if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4134 &size)) {
4135 kmem_free(buf, buflen);
4136 return;
4137 }
4138
4139 if (size > MAXPATHLEN) {
4140 kmem_free(buf, buflen);
4141 return;
4142 }
4143
4144 au_uwrite(au_to_text(buf));
4145 kmem_free(buf, buflen);
4146 }
4147 break;
4148 case SOCKCONFIG_ADD_FILTER:
4149 case SOCKCONFIG_REMOVE_FILTER:
4150 buflen = FILNAME_MAX;
4151 buf = kmem_alloc(buflen, KM_SLEEP);
4152
4153 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4154 kmem_free(buf, buflen);
4155 return;
4156 }
4157
4158 au_uwrite(au_to_text(buf));
4159 kmem_free(buf, buflen);
4160 break;
4161 default:
4162 break;
4163 }
4164 }
4165
4166 /*
4167 * only audit recvmsg when the system call represents the creation of a new
4168 * circuit. This effectively occurs for all UDP packets and may occur for
4169 * special TCP situations where the local host has not set a local address
4170 * in the socket structure.
4171 */
4172 /*ARGSUSED*/
4173 static void
auf_recvmsg(struct t_audit_data * tad,int error,rval_t * rvp)4174 auf_recvmsg(
4175 struct t_audit_data *tad,
4176 int error,
4177 rval_t *rvp)
4178 {
4179 struct a {
4180 long fd;
4181 long msg; /* struct msghdr */
4182 long flags;
4183 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4184
4185 struct sonode *so;
4186 STRUCT_DECL(msghdr, msg);
4187 caddr_t msg_name;
4188 socklen_t msg_namelen;
4189 int fd;
4190 int err;
4191 char so_laddr[sizeof (struct sockaddr_in6)];
4192 char so_faddr[sizeof (struct sockaddr_in6)];
4193 socklen_t len;
4194 file_t *fp; /* unix domain sockets */
4195 struct f_audit_data *fad; /* unix domain sockets */
4196 short so_family, so_type;
4197 int add_sock_token = 0;
4198 au_kcontext_t *kctx = GET_KCTX_PZ;
4199
4200 fd = (int)uap->fd;
4201
4202 /* bail if an error */
4203 if (error) {
4204 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4205 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4206 return;
4207 }
4208
4209 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4210 /*
4211 * not security relevant if doing a recvmsg from non socket
4212 * so no extra tokens. Should probably turn off audit record
4213 * generation here.
4214 */
4215 return;
4216 }
4217
4218 so_family = so->so_family;
4219 so_type = so->so_type;
4220
4221 /*
4222 * only putout SOCKET_EX token if INET/INET6 family.
4223 * XXX - what do we do about other families?
4224 */
4225
4226 switch (so_family) {
4227 case AF_INET:
4228 case AF_INET6:
4229
4230 /*
4231 * if datagram type socket, then just use what is in
4232 * socket structure for local address.
4233 * XXX - what do we do for other types?
4234 */
4235 if ((so->so_type == SOCK_DGRAM) ||
4236 (so->so_type == SOCK_RAW)) {
4237 add_sock_token = 1;
4238
4239 bzero((void *)so_laddr, sizeof (so_laddr));
4240 bzero((void *)so_faddr, sizeof (so_faddr));
4241
4242 /* get local address */
4243 len = sizeof (so_laddr);
4244 (void) socket_getsockname(so,
4245 (struct sockaddr *)so_laddr, &len, CRED());
4246
4247 /* get peer address */
4248 STRUCT_INIT(msg, get_udatamodel());
4249
4250 if (copyin((caddr_t)(uap->msg),
4251 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4252 break;
4253 }
4254 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4255 if (msg_name == NULL) {
4256 break;
4257 }
4258
4259 /* length is value from recvmsg - sanity check */
4260 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4261 if (msg_namelen == 0) {
4262 break;
4263 }
4264 if (copyin(msg_name, so_faddr,
4265 sizeof (so_faddr)) != 0) {
4266 break;
4267 }
4268
4269 } else if (so->so_type == SOCK_STREAM) {
4270
4271 /* get path from file struct here */
4272 fad = F2A(fp);
4273 ASSERT(fad);
4274
4275 /*
4276 * already processed this file for read attempt
4277 */
4278 if (fad->fad_flags & FAD_READ) {
4279 /* don't want to audit every recvmsg attempt */
4280 tad->tad_flag = 0;
4281 /* free any residual audit data */
4282 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4283 releasef(fd);
4284 return;
4285 }
4286 /*
4287 * mark things so we know what happened and don't
4288 * repeat things
4289 */
4290 fad->fad_flags |= FAD_READ;
4291
4292 bzero((void *)so_laddr, sizeof (so_laddr));
4293 bzero((void *)so_faddr, sizeof (so_faddr));
4294
4295 /* get local and foreign addresses */
4296 len = sizeof (so_laddr);
4297 (void) socket_getsockname(so,
4298 (struct sockaddr *)so_laddr, &len, CRED());
4299 len = sizeof (so_faddr);
4300 (void) socket_getpeername(so,
4301 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4302
4303 add_sock_token = 1;
4304 }
4305
4306 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4307
4308 break;
4309
4310 case AF_UNIX:
4311 /*
4312 * first check if this is first time through. Too much
4313 * duplicate code to put this in an aui_ routine.
4314 */
4315
4316 /* get path from file struct here */
4317 fad = F2A(fp);
4318 ASSERT(fad);
4319
4320 /*
4321 * already processed this file for read attempt
4322 */
4323 if (fad->fad_flags & FAD_READ) {
4324 releasef(fd);
4325 /* don't want to audit every recvmsg attempt */
4326 tad->tad_flag = 0;
4327 /* free any residual audit data */
4328 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4329 return;
4330 }
4331 /*
4332 * mark things so we know what happened and don't
4333 * repeat things
4334 */
4335 fad->fad_flags |= FAD_READ;
4336
4337 if (fad->fad_aupath != NULL) {
4338 au_uwrite(au_to_path(fad->fad_aupath));
4339 } else {
4340 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4341 }
4342
4343 audit_attributes(fp->f_vnode);
4344
4345 releasef(fd);
4346
4347 return;
4348
4349 default:
4350 break;
4351
4352 }
4353
4354 releasef(fd);
4355
4356 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4357
4358 if (add_sock_token == 0) {
4359 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4360 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4361 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4362 return;
4363 }
4364
4365 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4366
4367 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4368
4369 }
4370
4371 /*ARGSUSED*/
4372 static void
auf_recvfrom(struct t_audit_data * tad,int error,rval_t * rvp)4373 auf_recvfrom(
4374 struct t_audit_data *tad,
4375 int error,
4376 rval_t *rvp)
4377 {
4378
4379 struct a {
4380 long fd;
4381 long msg; /* char */
4382 long len;
4383 long flags;
4384 long from; /* struct sockaddr */
4385 long fromlen;
4386 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4387
4388 socklen_t fromlen;
4389 struct sonode *so;
4390 char so_laddr[sizeof (struct sockaddr_in6)];
4391 char so_faddr[sizeof (struct sockaddr_in6)];
4392 int fd;
4393 short so_family, so_type;
4394 int add_sock_token = 0;
4395 socklen_t len;
4396 int err;
4397 struct file *fp;
4398 struct f_audit_data *fad; /* unix domain sockets */
4399 au_kcontext_t *kctx = GET_KCTX_PZ;
4400
4401 fd = (int)uap->fd;
4402
4403 /* bail if an error */
4404 if (error) {
4405 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4406 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4407 return;
4408 }
4409
4410 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4411 /*
4412 * not security relevant if doing a recvmsg from non socket
4413 * so no extra tokens. Should probably turn off audit record
4414 * generation here.
4415 */
4416 return;
4417 }
4418
4419 so_family = so->so_family;
4420 so_type = so->so_type;
4421
4422 /*
4423 * only putout SOCKET_EX token if INET/INET6 family.
4424 * XXX - what do we do about other families?
4425 */
4426
4427 switch (so_family) {
4428 case AF_INET:
4429 case AF_INET6:
4430
4431 /*
4432 * if datagram type socket, then just use what is in
4433 * socket structure for local address.
4434 * XXX - what do we do for other types?
4435 */
4436 if ((so->so_type == SOCK_DGRAM) ||
4437 (so->so_type == SOCK_RAW)) {
4438 add_sock_token = 1;
4439
4440 /* get local address */
4441 len = sizeof (so_laddr);
4442 (void) socket_getsockname(so,
4443 (struct sockaddr *)so_laddr, &len, CRED());
4444
4445 /* get peer address */
4446 bzero((void *)so_faddr, sizeof (so_faddr));
4447
4448 /* sanity check */
4449 if (uap->from == 0)
4450 break;
4451
4452 /* sanity checks */
4453 if (uap->fromlen == 0)
4454 break;
4455
4456 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4457 sizeof (fromlen)) != 0)
4458 break;
4459
4460 if (fromlen == 0)
4461 break;
4462
4463 /* enforce maximum size */
4464 if (fromlen > sizeof (so_faddr))
4465 fromlen = sizeof (so_faddr);
4466
4467 if (copyin((caddr_t)(uap->from), so_faddr,
4468 fromlen) != 0)
4469 break;
4470
4471 } else if (so->so_type == SOCK_STREAM) {
4472
4473 /* get path from file struct here */
4474 fad = F2A(fp);
4475 ASSERT(fad);
4476
4477 /*
4478 * already processed this file for read attempt
4479 */
4480 if (fad->fad_flags & FAD_READ) {
4481 /* don't want to audit every recvfrom attempt */
4482 tad->tad_flag = 0;
4483 /* free any residual audit data */
4484 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4485 releasef(fd);
4486 return;
4487 }
4488 /*
4489 * mark things so we know what happened and don't
4490 * repeat things
4491 */
4492 fad->fad_flags |= FAD_READ;
4493
4494 bzero((void *)so_laddr, sizeof (so_laddr));
4495 bzero((void *)so_faddr, sizeof (so_faddr));
4496
4497 /* get local and foreign addresses */
4498 len = sizeof (so_laddr);
4499 (void) socket_getsockname(so,
4500 (struct sockaddr *)so_laddr, &len, CRED());
4501 len = sizeof (so_faddr);
4502 (void) socket_getpeername(so,
4503 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4504
4505 add_sock_token = 1;
4506 }
4507
4508 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4509
4510 break;
4511
4512 case AF_UNIX:
4513 /*
4514 * first check if this is first time through. Too much
4515 * duplicate code to put this in an aui_ routine.
4516 */
4517
4518 /* get path from file struct here */
4519 fad = F2A(fp);
4520 ASSERT(fad);
4521
4522 /*
4523 * already processed this file for read attempt
4524 */
4525 if (fad->fad_flags & FAD_READ) {
4526 /* don't want to audit every recvfrom attempt */
4527 tad->tad_flag = 0;
4528 /* free any residual audit data */
4529 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4530 releasef(fd);
4531 return;
4532 }
4533 /*
4534 * mark things so we know what happened and don't
4535 * repeat things
4536 */
4537 fad->fad_flags |= FAD_READ;
4538
4539 if (fad->fad_aupath != NULL) {
4540 au_uwrite(au_to_path(fad->fad_aupath));
4541 } else {
4542 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4543 }
4544
4545 audit_attributes(fp->f_vnode);
4546
4547 releasef(fd);
4548
4549 return;
4550
4551 default:
4552 break;
4553
4554 }
4555
4556 releasef(fd);
4557
4558 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4559
4560 if (add_sock_token == 0) {
4561 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4562 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4563 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4564 return;
4565 }
4566
4567 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4568
4569 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4570 }
4571
4572 /*ARGSUSED*/
4573 static void
auf_sendmsg(struct t_audit_data * tad,int error,rval_t * rval)4574 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4575 {
4576 struct a {
4577 long fd;
4578 long msg; /* struct msghdr */
4579 long flags;
4580 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4581
4582 struct sonode *so;
4583 char so_laddr[sizeof (struct sockaddr_in6)];
4584 char so_faddr[sizeof (struct sockaddr_in6)];
4585 int err;
4586 int fd;
4587 short so_family, so_type;
4588 int add_sock_token = 0;
4589 socklen_t len;
4590 struct file *fp;
4591 struct f_audit_data *fad;
4592 caddr_t msg_name;
4593 socklen_t msg_namelen;
4594 STRUCT_DECL(msghdr, msg);
4595 au_kcontext_t *kctx = GET_KCTX_PZ;
4596
4597 fd = (int)uap->fd;
4598
4599 /* bail if an error */
4600 if (error) {
4601 /* XXX include destination address from system call arguments */
4602 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4603 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4604 return;
4605 }
4606
4607 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4608 /*
4609 * not security relevant if doing a sendmsg from non socket
4610 * so no extra tokens. Should probably turn off audit record
4611 * generation here.
4612 */
4613 return;
4614 }
4615
4616 so_family = so->so_family;
4617 so_type = so->so_type;
4618
4619 switch (so_family) {
4620 case AF_INET:
4621 case AF_INET6:
4622 /*
4623 * if datagram type socket, then just use what is in
4624 * socket structure for local address.
4625 * XXX - what do we do for other types?
4626 */
4627 if ((so->so_type == SOCK_DGRAM) ||
4628 (so->so_type == SOCK_RAW)) {
4629
4630 bzero((void *)so_laddr, sizeof (so_laddr));
4631 bzero((void *)so_faddr, sizeof (so_faddr));
4632
4633 /* get local address */
4634 len = sizeof (so_laddr);
4635 (void) socket_getsockname(so,
4636 (struct sockaddr *)so_laddr, &len, CRED());
4637
4638 /* get peer address */
4639 STRUCT_INIT(msg, get_udatamodel());
4640
4641 if (copyin((caddr_t)(uap->msg),
4642 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4643 break;
4644 }
4645 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4646 if (msg_name == NULL)
4647 break;
4648
4649 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4650 /* length is value from recvmsg - sanity check */
4651 if (msg_namelen == 0)
4652 break;
4653
4654 if (copyin(msg_name, so_faddr,
4655 sizeof (so_faddr)) != 0)
4656 break;
4657
4658 add_sock_token = 1;
4659
4660 } else if (so->so_type == SOCK_STREAM) {
4661
4662 /* get path from file struct here */
4663 fad = F2A(fp);
4664 ASSERT(fad);
4665
4666 /*
4667 * already processed this file for write attempt
4668 */
4669 if (fad->fad_flags & FAD_WRITE) {
4670 releasef(fd);
4671 /* don't want to audit every sendmsg attempt */
4672 tad->tad_flag = 0;
4673 /* free any residual audit data */
4674 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4675 return;
4676 }
4677
4678 /*
4679 * mark things so we know what happened and don't
4680 * repeat things
4681 */
4682 fad->fad_flags |= FAD_WRITE;
4683
4684 bzero((void *)so_laddr, sizeof (so_laddr));
4685 bzero((void *)so_faddr, sizeof (so_faddr));
4686
4687 /* get local and foreign addresses */
4688 len = sizeof (so_laddr);
4689 (void) socket_getsockname(so,
4690 (struct sockaddr *)so_laddr, &len, CRED());
4691 len = sizeof (so_faddr);
4692 (void) socket_getpeername(so,
4693 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4694
4695 add_sock_token = 1;
4696 }
4697
4698 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4699
4700 break;
4701
4702 case AF_UNIX:
4703 /*
4704 * first check if this is first time through. Too much
4705 * duplicate code to put this in an aui_ routine.
4706 */
4707
4708 /* get path from file struct here */
4709 fad = F2A(fp);
4710 ASSERT(fad);
4711
4712 /*
4713 * already processed this file for write attempt
4714 */
4715 if (fad->fad_flags & FAD_WRITE) {
4716 releasef(fd);
4717 /* don't want to audit every sendmsg attempt */
4718 tad->tad_flag = 0;
4719 /* free any residual audit data */
4720 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4721 return;
4722 }
4723 /*
4724 * mark things so we know what happened and don't
4725 * repeat things
4726 */
4727 fad->fad_flags |= FAD_WRITE;
4728
4729 if (fad->fad_aupath != NULL) {
4730 au_uwrite(au_to_path(fad->fad_aupath));
4731 } else {
4732 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4733 }
4734
4735 audit_attributes(fp->f_vnode);
4736
4737 releasef(fd);
4738
4739 return;
4740
4741 default:
4742 break;
4743 }
4744
4745 releasef(fd);
4746
4747 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4748
4749 if (add_sock_token == 0) {
4750 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4751 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4752 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4753 return;
4754 }
4755
4756 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4757
4758 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4759 }
4760
4761 /*ARGSUSED*/
4762 static void
auf_sendto(struct t_audit_data * tad,int error,rval_t * rval)4763 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4764 {
4765 struct a {
4766 long fd;
4767 long msg; /* char */
4768 long len;
4769 long flags;
4770 long to; /* struct sockaddr */
4771 long tolen;
4772 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4773
4774 struct sonode *so;
4775 char so_laddr[sizeof (struct sockaddr_in6)];
4776 char so_faddr[sizeof (struct sockaddr_in6)];
4777 socklen_t tolen;
4778 int err;
4779 int fd;
4780 socklen_t len;
4781 short so_family, so_type;
4782 int add_sock_token = 0;
4783 struct file *fp;
4784 struct f_audit_data *fad;
4785 au_kcontext_t *kctx = GET_KCTX_PZ;
4786
4787 fd = (int)uap->fd;
4788
4789 /* bail if an error */
4790 if (error) {
4791 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4792 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4793 /* XXX include destination address from system call arguments */
4794 return;
4795 }
4796
4797 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4798 /*
4799 * not security relevant if doing a sendto using non socket
4800 * so no extra tokens. Should probably turn off audit record
4801 * generation here.
4802 */
4803 return;
4804 }
4805
4806 so_family = so->so_family;
4807 so_type = so->so_type;
4808
4809 /*
4810 * only putout SOCKET_EX token if INET/INET6 family.
4811 * XXX - what do we do about other families?
4812 */
4813
4814 switch (so_family) {
4815 case AF_INET:
4816 case AF_INET6:
4817
4818 /*
4819 * if datagram type socket, then just use what is in
4820 * socket structure for local address.
4821 * XXX - what do we do for other types?
4822 */
4823 if ((so->so_type == SOCK_DGRAM) ||
4824 (so->so_type == SOCK_RAW)) {
4825
4826 bzero((void *)so_laddr, sizeof (so_laddr));
4827 bzero((void *)so_faddr, sizeof (so_faddr));
4828
4829 /* get local address */
4830 len = sizeof (so_laddr);
4831 (void) socket_getsockname(so,
4832 (struct sockaddr *)so_laddr, &len, CRED());
4833
4834 /* get peer address */
4835
4836 /* sanity check */
4837 if (uap->to == 0)
4838 break;
4839
4840 /* sanity checks */
4841 if (uap->tolen == 0)
4842 break;
4843
4844 tolen = (socklen_t)uap->tolen;
4845
4846 /* enforce maximum size */
4847 if (tolen > sizeof (so_faddr))
4848 tolen = sizeof (so_faddr);
4849
4850 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4851 break;
4852
4853 add_sock_token = 1;
4854 } else {
4855 /*
4856 * check if this is first time through.
4857 */
4858
4859 /* get path from file struct here */
4860 fad = F2A(fp);
4861 ASSERT(fad);
4862
4863 /*
4864 * already processed this file for write attempt
4865 */
4866 if (fad->fad_flags & FAD_WRITE) {
4867 /* don't want to audit every sendto attempt */
4868 tad->tad_flag = 0;
4869 /* free any residual audit data */
4870 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4871 releasef(fd);
4872 return;
4873 }
4874 /*
4875 * mark things so we know what happened and don't
4876 * repeat things
4877 */
4878 fad->fad_flags |= FAD_WRITE;
4879
4880 bzero((void *)so_laddr, sizeof (so_laddr));
4881 bzero((void *)so_faddr, sizeof (so_faddr));
4882
4883 /* get local and foreign addresses */
4884 len = sizeof (so_laddr);
4885 (void) socket_getsockname(so,
4886 (struct sockaddr *)so_laddr, &len, CRED());
4887 len = sizeof (so_faddr);
4888 (void) socket_getpeername(so,
4889 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4890
4891 add_sock_token = 1;
4892 }
4893
4894 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4895
4896 break;
4897
4898 case AF_UNIX:
4899 /*
4900 * first check if this is first time through. Too much
4901 * duplicate code to put this in an aui_ routine.
4902 */
4903
4904 /* get path from file struct here */
4905 fad = F2A(fp);
4906 ASSERT(fad);
4907
4908 /*
4909 * already processed this file for write attempt
4910 */
4911 if (fad->fad_flags & FAD_WRITE) {
4912 /* don't want to audit every sendto attempt */
4913 tad->tad_flag = 0;
4914 /* free any residual audit data */
4915 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4916 releasef(fd);
4917 return;
4918 }
4919 /*
4920 * mark things so we know what happened and don't
4921 * repeat things
4922 */
4923 fad->fad_flags |= FAD_WRITE;
4924
4925 if (fad->fad_aupath != NULL) {
4926 au_uwrite(au_to_path(fad->fad_aupath));
4927 } else {
4928 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4929 }
4930
4931 audit_attributes(fp->f_vnode);
4932
4933 releasef(fd);
4934
4935 return;
4936
4937 default:
4938 break;
4939
4940 }
4941
4942 releasef(fd);
4943
4944 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4945
4946 if (add_sock_token == 0) {
4947 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4948 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4949 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4950 return;
4951 }
4952
4953 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4954
4955 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4956
4957 }
4958
4959 /*
4960 * XXX socket(2) may be equivalent to open(2) on a unix domain
4961 * socket. This needs investigation.
4962 */
4963
4964 /*ARGSUSED*/
4965 static void
aus_socket(struct t_audit_data * tad)4966 aus_socket(struct t_audit_data *tad)
4967 {
4968 struct a {
4969 long domain;
4970 long type;
4971 long protocol;
4972 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4973
4974 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4975 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4976 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4977 }
4978
4979 /*ARGSUSED*/
4980 static void
aus_sigqueue(struct t_audit_data * tad)4981 aus_sigqueue(struct t_audit_data *tad)
4982 {
4983 struct a {
4984 long pid;
4985 long signo;
4986 long *val;
4987 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4988 struct proc *p;
4989 uid_t uid, ruid;
4990 gid_t gid, rgid;
4991 pid_t pid;
4992 const auditinfo_addr_t *ainfo;
4993 cred_t *cr;
4994
4995 pid = (pid_t)uap->pid;
4996
4997 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4998 if (pid > 0) {
4999 mutex_enter(&pidlock);
5000 if ((p = prfind(pid)) == (struct proc *)0) {
5001 mutex_exit(&pidlock);
5002 return;
5003 }
5004 mutex_enter(&p->p_lock); /* so process doesn't go away */
5005 mutex_exit(&pidlock);
5006
5007 mutex_enter(&p->p_crlock);
5008 crhold(cr = p->p_cred);
5009 mutex_exit(&p->p_crlock);
5010 mutex_exit(&p->p_lock);
5011
5012 ainfo = crgetauinfo(cr);
5013 if (ainfo == NULL) {
5014 crfree(cr);
5015 return;
5016 }
5017
5018 uid = crgetuid(cr);
5019 gid = crgetgid(cr);
5020 ruid = crgetruid(cr);
5021 rgid = crgetrgid(cr);
5022 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5023 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5024 crfree(cr);
5025 }
5026 else
5027 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
5028 }
5029
5030 /*ARGSUSED*/
5031 static void
aus_inst_sync(struct t_audit_data * tad)5032 aus_inst_sync(struct t_audit_data *tad)
5033 {
5034 struct a {
5035 long name; /* char */
5036 long flags;
5037 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5038
5039 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
5040 }
5041
5042 /*ARGSUSED*/
5043 static void
aus_brandsys(struct t_audit_data * tad)5044 aus_brandsys(struct t_audit_data *tad)
5045 {
5046 klwp_t *clwp = ttolwp(curthread);
5047
5048 struct a {
5049 long cmd;
5050 long arg1;
5051 long arg2;
5052 long arg3;
5053 long arg4;
5054 long arg5;
5055 long arg6;
5056 } *uap = (struct a *)clwp->lwp_ap;
5057
5058 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
5059 #ifdef _LP64
5060 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
5061 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
5062 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
5063 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
5064 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
5065 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
5066 #else
5067 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
5068 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
5069 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
5070 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
5071 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
5072 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
5073 #endif
5074 }
5075
5076 /*ARGSUSED*/
5077 static void
aus_p_online(struct t_audit_data * tad)5078 aus_p_online(struct t_audit_data *tad)
5079 {
5080 struct a {
5081 long processor_id;
5082 long flag;
5083 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5084
5085 struct flags {
5086 int flag;
5087 char *cflag;
5088 } aflags[6] = {
5089 { P_ONLINE, "P_ONLINE"},
5090 { P_OFFLINE, "P_OFFLINE"},
5091 { P_NOINTR, "P_NOINTR"},
5092 { P_SPARE, "P_SPARE"},
5093 { P_FAULTED, "P_FAULTED"},
5094 { P_STATUS, "P_STATUS"}
5095 };
5096 int i;
5097 char *cflag;
5098
5099 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
5100 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
5101
5102 for (i = 0; i < 6; i++) {
5103 if (aflags[i].flag == uap->flag)
5104 break;
5105 }
5106 cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5107
5108 au_uwrite(au_to_text(cflag));
5109 }
5110
5111 /*ARGSUSED*/
5112 static void
aus_processor_bind(struct t_audit_data * tad)5113 aus_processor_bind(struct t_audit_data *tad)
5114 {
5115 struct a {
5116 long id_type;
5117 long id;
5118 long processor_id;
5119 long obind;
5120 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5121
5122 struct proc *p;
5123 int lwpcnt;
5124 uid_t uid, ruid;
5125 gid_t gid, rgid;
5126 pid_t pid;
5127 const auditinfo_addr_t *ainfo;
5128 cred_t *cr;
5129
5130 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5131 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5132 if (uap->processor_id == PBIND_NONE)
5133 au_uwrite(au_to_text("PBIND_NONE"));
5134 else
5135 au_uwrite(au_to_arg32(3, "processor_id",
5136 (uint32_t)uap->processor_id));
5137
5138 switch (uap->id_type) {
5139 case P_MYID:
5140 case P_LWPID:
5141 mutex_enter(&pidlock);
5142 p = ttoproc(curthread);
5143 if (p == NULL || p->p_as == &kas) {
5144 mutex_exit(&pidlock);
5145 return;
5146 }
5147 mutex_enter(&p->p_lock);
5148 mutex_exit(&pidlock);
5149 lwpcnt = p->p_lwpcnt;
5150 pid = p->p_pid;
5151
5152 mutex_enter(&p->p_crlock);
5153 crhold(cr = p->p_cred);
5154 mutex_exit(&p->p_crlock);
5155 mutex_exit(&p->p_lock);
5156
5157 ainfo = crgetauinfo(cr);
5158 if (ainfo == NULL) {
5159 crfree(cr);
5160 return;
5161 }
5162
5163 uid = crgetuid(cr);
5164 gid = crgetgid(cr);
5165 ruid = crgetruid(cr);
5166 rgid = crgetrgid(cr);
5167 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5168 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5169 crfree(cr);
5170 break;
5171 case P_PID:
5172 mutex_enter(&pidlock);
5173 p = prfind(uap->id);
5174 if (p == NULL || p->p_as == &kas) {
5175 mutex_exit(&pidlock);
5176 return;
5177 }
5178 mutex_enter(&p->p_lock);
5179 mutex_exit(&pidlock);
5180 lwpcnt = p->p_lwpcnt;
5181 pid = p->p_pid;
5182
5183 mutex_enter(&p->p_crlock);
5184 crhold(cr = p->p_cred);
5185 mutex_exit(&p->p_crlock);
5186 mutex_exit(&p->p_lock);
5187
5188 ainfo = crgetauinfo(cr);
5189 if (ainfo == NULL) {
5190 crfree(cr);
5191 return;
5192 }
5193
5194 uid = crgetuid(cr);
5195 gid = crgetgid(cr);
5196 ruid = crgetruid(cr);
5197 rgid = crgetrgid(cr);
5198 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5199 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5200 crfree(cr);
5201
5202 break;
5203 default:
5204 return;
5205 }
5206
5207 if (uap->processor_id == PBIND_NONE &&
5208 (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5209 au_uwrite(au_to_text("PBIND_NONE for process"));
5210 else
5211 au_uwrite(au_to_arg32(3, "processor_id",
5212 (uint32_t)uap->processor_id));
5213 }
5214
5215 /*ARGSUSED*/
5216 static au_event_t
aui_doorfs(au_event_t e)5217 aui_doorfs(au_event_t e)
5218 {
5219 uint32_t code;
5220
5221 struct a { /* doorfs */
5222 long a1;
5223 long a2;
5224 long a3;
5225 long a4;
5226 long a5;
5227 long code;
5228 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5229
5230 /*
5231 * audit formats for several of the
5232 * door calls have not yet been determined
5233 */
5234 code = (uint32_t)uap->code;
5235 switch (code) {
5236 case DOOR_CALL:
5237 e = AUE_DOORFS_DOOR_CALL;
5238 break;
5239 case DOOR_RETURN:
5240 e = AUE_NULL;
5241 break;
5242 case DOOR_CREATE:
5243 e = AUE_DOORFS_DOOR_CREATE;
5244 break;
5245 case DOOR_REVOKE:
5246 e = AUE_DOORFS_DOOR_REVOKE;
5247 break;
5248 case DOOR_INFO:
5249 e = AUE_NULL;
5250 break;
5251 case DOOR_UCRED:
5252 e = AUE_NULL;
5253 break;
5254 case DOOR_BIND:
5255 e = AUE_NULL;
5256 break;
5257 case DOOR_UNBIND:
5258 e = AUE_NULL;
5259 break;
5260 case DOOR_GETPARAM:
5261 e = AUE_NULL;
5262 break;
5263 case DOOR_SETPARAM:
5264 e = AUE_NULL;
5265 break;
5266 default: /* illegal system call */
5267 e = AUE_NULL;
5268 break;
5269 }
5270
5271 return (e);
5272 }
5273
5274 static door_node_t *
au_door_lookup(int did)5275 au_door_lookup(int did)
5276 {
5277 vnode_t *vp;
5278 file_t *fp;
5279
5280 if ((fp = getf(did)) == NULL)
5281 return (NULL);
5282 /*
5283 * Use the underlying vnode (we may be namefs mounted)
5284 */
5285 if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5286 vp = fp->f_vnode;
5287
5288 if (vp == NULL || vp->v_type != VDOOR) {
5289 releasef(did);
5290 return (NULL);
5291 }
5292
5293 return (VTOD(vp));
5294 }
5295
5296 /*ARGSUSED*/
5297 static void
aus_doorfs(struct t_audit_data * tad)5298 aus_doorfs(struct t_audit_data *tad)
5299 {
5300
5301 struct a { /* doorfs */
5302 long a1;
5303 long a2;
5304 long a3;
5305 long a4;
5306 long a5;
5307 long code;
5308 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5309
5310 door_node_t *dp;
5311 struct proc *p;
5312 uint32_t did;
5313 uid_t uid, ruid;
5314 gid_t gid, rgid;
5315 pid_t pid;
5316 const auditinfo_addr_t *ainfo;
5317 cred_t *cr;
5318
5319 did = (uint32_t)uap->a1;
5320
5321 switch (tad->tad_event) {
5322 case AUE_DOORFS_DOOR_CALL:
5323 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5324 if ((dp = au_door_lookup(did)) == NULL)
5325 break;
5326
5327 if (DOOR_INVALID(dp)) {
5328 releasef(did);
5329 break;
5330 }
5331
5332 if ((p = dp->door_target) == NULL) {
5333 releasef(did);
5334 break;
5335 }
5336 mutex_enter(&p->p_lock);
5337 releasef(did);
5338
5339 pid = p->p_pid;
5340
5341 mutex_enter(&p->p_crlock);
5342 crhold(cr = p->p_cred);
5343 mutex_exit(&p->p_crlock);
5344 mutex_exit(&p->p_lock);
5345
5346 ainfo = crgetauinfo(cr);
5347 if (ainfo == NULL) {
5348 crfree(cr);
5349 return;
5350 }
5351 uid = crgetuid(cr);
5352 gid = crgetgid(cr);
5353 ruid = crgetruid(cr);
5354 rgid = crgetrgid(cr);
5355 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5356 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5357 crfree(cr);
5358 break;
5359 case AUE_DOORFS_DOOR_RETURN:
5360 /*
5361 * We may want to write information about
5362 * all doors (if any) which will be copied
5363 * by this call to the user space
5364 */
5365 break;
5366 case AUE_DOORFS_DOOR_CREATE:
5367 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5368 break;
5369 case AUE_DOORFS_DOOR_REVOKE:
5370 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5371 break;
5372 case AUE_DOORFS_DOOR_INFO:
5373 break;
5374 case AUE_DOORFS_DOOR_CRED:
5375 break;
5376 case AUE_DOORFS_DOOR_BIND:
5377 break;
5378 case AUE_DOORFS_DOOR_UNBIND: {
5379 break;
5380 }
5381 default: /* illegal system call */
5382 break;
5383 }
5384 }
5385
5386 /*ARGSUSED*/
5387 static au_event_t
aui_acl(au_event_t e)5388 aui_acl(au_event_t e)
5389 {
5390 struct a {
5391 union {
5392 long name; /* char */
5393 long fd;
5394 } obj;
5395
5396 long cmd;
5397 long nentries;
5398 long arg; /* aclent_t */
5399 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5400
5401 switch (uap->cmd) {
5402 case SETACL:
5403 case ACE_SETACL:
5404 /*
5405 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5406 * are expected.
5407 */
5408 break;
5409 case GETACL:
5410 case GETACLCNT:
5411 case ACE_GETACL:
5412 case ACE_GETACLCNT:
5413 /* do nothing for these four values. */
5414 e = AUE_NULL;
5415 break;
5416 default:
5417 /* illegal system call */
5418 break;
5419 }
5420
5421 return (e);
5422 }
5423
5424 static void
au_acl(int cmd,int nentries,caddr_t bufp)5425 au_acl(int cmd, int nentries, caddr_t bufp)
5426 {
5427 size_t a_size;
5428 aclent_t *aclbufp;
5429 ace_t *acebufp;
5430 int i;
5431
5432 switch (cmd) {
5433 case GETACL:
5434 case GETACLCNT:
5435 break;
5436 case SETACL:
5437 if (nentries < 3)
5438 break;
5439
5440 a_size = nentries * sizeof (aclent_t);
5441
5442 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5443 break;
5444 if (copyin(bufp, aclbufp, a_size)) {
5445 kmem_free(aclbufp, a_size);
5446 break;
5447 }
5448 for (i = 0; i < nentries; i++) {
5449 au_uwrite(au_to_acl(aclbufp + i));
5450 }
5451 kmem_free(aclbufp, a_size);
5452 break;
5453
5454 case ACE_SETACL:
5455 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5456 break;
5457
5458 a_size = nentries * sizeof (ace_t);
5459 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5460 break;
5461 if (copyin(bufp, acebufp, a_size)) {
5462 kmem_free(acebufp, a_size);
5463 break;
5464 }
5465 for (i = 0; i < nentries; i++) {
5466 au_uwrite(au_to_ace(acebufp + i));
5467 }
5468 kmem_free(acebufp, a_size);
5469 break;
5470 default:
5471 break;
5472 }
5473 }
5474
5475 /*ARGSUSED*/
5476 static void
aus_acl(struct t_audit_data * tad)5477 aus_acl(struct t_audit_data *tad)
5478 {
5479 struct a {
5480 long fname;
5481 long cmd;
5482 long nentries;
5483 long aclbufp;
5484 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5485
5486 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5487 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5488
5489 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5490 }
5491
5492 /*ARGSUSED*/
5493 static void
aus_facl(struct t_audit_data * tad)5494 aus_facl(struct t_audit_data *tad)
5495 {
5496 struct a {
5497 long fd;
5498 long cmd;
5499 long nentries;
5500 long aclbufp;
5501 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5502 struct file *fp;
5503 struct vnode *vp;
5504 struct f_audit_data *fad;
5505 int fd;
5506
5507 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5508 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5509
5510 fd = (int)uap->fd;
5511
5512 if ((fp = getf(fd)) == NULL)
5513 return;
5514
5515 /* get path from file struct here */
5516 fad = F2A(fp);
5517 if (fad->fad_aupath != NULL) {
5518 au_uwrite(au_to_path(fad->fad_aupath));
5519 } else {
5520 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5521 }
5522
5523 vp = fp->f_vnode;
5524 audit_attributes(vp);
5525
5526 /* decrement file descriptor reference count */
5527 releasef(fd);
5528
5529 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5530 }
5531
5532 /*ARGSUSED*/
5533 static void
auf_read(struct t_audit_data * tad,int error,rval_t * rval)5534 auf_read(struct t_audit_data *tad, int error, rval_t *rval)
5535 {
5536 struct file *fp;
5537 struct f_audit_data *fad;
5538 int fd;
5539 register struct a {
5540 long fd;
5541 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5542 au_kcontext_t *kctx = GET_KCTX_PZ;
5543
5544 fd = (int)uap->fd;
5545
5546 /*
5547 * convert file pointer to file descriptor
5548 * Note: fd ref count incremented here.
5549 */
5550 if ((fp = getf(fd)) == NULL)
5551 return;
5552
5553 /* get path from file struct here */
5554 fad = F2A(fp);
5555 ASSERT(fad);
5556
5557 /*
5558 * already processed this file for read attempt
5559 *
5560 * XXX might be better to turn off auditing in a aui_read() routine.
5561 */
5562 if (fad->fad_flags & FAD_READ) {
5563 /* don't really want to audit every read attempt */
5564 tad->tad_flag = 0;
5565 /* free any residual audit data */
5566 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5567 releasef(fd);
5568 return;
5569 }
5570 /* mark things so we know what happened and don't repeat things */
5571 fad->fad_flags |= FAD_READ;
5572
5573 if (fad->fad_aupath != NULL) {
5574 au_uwrite(au_to_path(fad->fad_aupath));
5575 } else {
5576 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5577 }
5578
5579 /* include attributes */
5580 audit_attributes(fp->f_vnode);
5581
5582 /* decrement file descriptor reference count */
5583 releasef(fd);
5584 }
5585
5586 /*ARGSUSED*/
5587 static void
auf_write(struct t_audit_data * tad,int error,rval_t * rval)5588 auf_write(struct t_audit_data *tad, int error, rval_t *rval)
5589 {
5590 struct file *fp;
5591 struct f_audit_data *fad;
5592 int fd;
5593 register struct a {
5594 long fd;
5595 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5596 au_kcontext_t *kctx = GET_KCTX_PZ;
5597
5598 fd = (int)uap->fd;
5599
5600 /*
5601 * convert file pointer to file descriptor
5602 * Note: fd ref count incremented here.
5603 */
5604 if ((fp = getf(fd)) == NULL)
5605 return;
5606
5607 /* get path from file struct here */
5608 fad = F2A(fp);
5609 ASSERT(fad);
5610
5611 /*
5612 * already processed this file for write attempt
5613 *
5614 * XXX might be better to turn off auditing in a aus_write() routine.
5615 */
5616 if (fad->fad_flags & FAD_WRITE) {
5617 /* don't really want to audit every write attempt */
5618 tad->tad_flag = 0;
5619 /* free any residual audit data */
5620 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5621 releasef(fd);
5622 return;
5623 }
5624 /* mark things so we know what happened and don't repeat things */
5625 fad->fad_flags |= FAD_WRITE;
5626
5627 if (fad->fad_aupath != NULL) {
5628 au_uwrite(au_to_path(fad->fad_aupath));
5629 } else {
5630 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5631 }
5632
5633 /* include attributes */
5634 audit_attributes(fp->f_vnode);
5635
5636 /* decrement file descriptor reference count */
5637 releasef(fd);
5638 }
5639
5640 /*ARGSUSED*/
5641 static void
auf_recv(struct t_audit_data * tad,int error,rval_t * rval)5642 auf_recv(struct t_audit_data *tad, int error, rval_t *rval)
5643 {
5644 struct sonode *so;
5645 char so_laddr[sizeof (struct sockaddr_in6)];
5646 char so_faddr[sizeof (struct sockaddr_in6)];
5647 struct file *fp;
5648 struct f_audit_data *fad;
5649 int fd;
5650 int err;
5651 socklen_t len;
5652 short so_family, so_type;
5653 register struct a {
5654 long fd;
5655 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5656 au_kcontext_t *kctx = GET_KCTX_PZ;
5657
5658 /*
5659 * If there was an error, then nothing to do. Only generate
5660 * audit record on first successful recv.
5661 */
5662 if (error) {
5663 /* Turn off audit record generation here. */
5664 tad->tad_flag = 0;
5665 /* free any residual audit data */
5666 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5667 return;
5668 }
5669
5670 fd = (int)uap->fd;
5671
5672 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5673 /* Turn off audit record generation here. */
5674 tad->tad_flag = 0;
5675 /* free any residual audit data */
5676 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5677 return;
5678 }
5679
5680 /* get path from file struct here */
5681 fad = F2A(fp);
5682 ASSERT(fad);
5683
5684 /*
5685 * already processed this file for read attempt
5686 */
5687 if (fad->fad_flags & FAD_READ) {
5688 releasef(fd);
5689 /* don't really want to audit every recv call */
5690 tad->tad_flag = 0;
5691 /* free any residual audit data */
5692 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5693 return;
5694 }
5695
5696 /* mark things so we know what happened and don't repeat things */
5697 fad->fad_flags |= FAD_READ;
5698
5699 so_family = so->so_family;
5700 so_type = so->so_type;
5701
5702 switch (so_family) {
5703 case AF_INET:
5704 case AF_INET6:
5705 /*
5706 * Only for connections.
5707 * XXX - do we need to worry about SOCK_DGRAM or other types???
5708 */
5709 if (so->so_state & SS_ISBOUND) {
5710
5711 bzero((void *)so_laddr, sizeof (so_laddr));
5712 bzero((void *)so_faddr, sizeof (so_faddr));
5713
5714 /* get local and foreign addresses */
5715 len = sizeof (so_laddr);
5716 (void) socket_getsockname(so,
5717 (struct sockaddr *)so_laddr, &len, CRED());
5718 len = sizeof (so_faddr);
5719 (void) socket_getpeername(so,
5720 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5721
5722 /*
5723 * only way to drop out of switch. Note that we
5724 * we release fd below.
5725 */
5726
5727 break;
5728 }
5729
5730 releasef(fd);
5731
5732 /* don't really want to audit every recv call */
5733 tad->tad_flag = 0;
5734 /* free any residual audit data */
5735 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5736
5737 return;
5738
5739 case AF_UNIX:
5740
5741 if (fad->fad_aupath != NULL) {
5742 au_uwrite(au_to_path(fad->fad_aupath));
5743 } else {
5744 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5745 }
5746
5747 audit_attributes(fp->f_vnode);
5748
5749 releasef(fd);
5750
5751 return;
5752
5753 default:
5754 releasef(fd);
5755
5756 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5757 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5758 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5759
5760 return;
5761 }
5762
5763 releasef(fd);
5764
5765 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5766
5767 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5768
5769 }
5770
5771 /*ARGSUSED*/
5772 static void
auf_send(struct t_audit_data * tad,int error,rval_t * rval)5773 auf_send(struct t_audit_data *tad, int error, rval_t *rval)
5774 {
5775 struct sonode *so;
5776 char so_laddr[sizeof (struct sockaddr_in6)];
5777 char so_faddr[sizeof (struct sockaddr_in6)];
5778 struct file *fp;
5779 struct f_audit_data *fad;
5780 int fd;
5781 int err;
5782 socklen_t len;
5783 short so_family, so_type;
5784 register struct a {
5785 long fd;
5786 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5787 au_kcontext_t *kctx = GET_KCTX_PZ;
5788
5789 fd = (int)uap->fd;
5790
5791 /*
5792 * If there was an error, then nothing to do. Only generate
5793 * audit record on first successful send.
5794 */
5795 if (error != 0) {
5796 /* Turn off audit record generation here. */
5797 tad->tad_flag = 0;
5798 /* free any residual audit data */
5799 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5800 return;
5801 }
5802
5803 fd = (int)uap->fd;
5804
5805 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5806 /* Turn off audit record generation here. */
5807 tad->tad_flag = 0;
5808 /* free any residual audit data */
5809 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5810 return;
5811 }
5812
5813 /* get path from file struct here */
5814 fad = F2A(fp);
5815 ASSERT(fad);
5816
5817 /*
5818 * already processed this file for write attempt
5819 */
5820 if (fad->fad_flags & FAD_WRITE) {
5821 releasef(fd);
5822 /* don't really want to audit every send call */
5823 tad->tad_flag = 0;
5824 /* free any residual audit data */
5825 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5826 return;
5827 }
5828
5829 /* mark things so we know what happened and don't repeat things */
5830 fad->fad_flags |= FAD_WRITE;
5831
5832 so_family = so->so_family;
5833 so_type = so->so_type;
5834
5835 switch (so_family) {
5836 case AF_INET:
5837 case AF_INET6:
5838 /*
5839 * Only for connections.
5840 * XXX - do we need to worry about SOCK_DGRAM or other types???
5841 */
5842 if (so->so_state & SS_ISBOUND) {
5843
5844 bzero((void *)so_laddr, sizeof (so_laddr));
5845 bzero((void *)so_faddr, sizeof (so_faddr));
5846
5847 /* get local and foreign addresses */
5848 len = sizeof (so_laddr);
5849 (void) socket_getsockname(so,
5850 (struct sockaddr *)so_laddr, &len, CRED());
5851 len = sizeof (so_faddr);
5852 (void) socket_getpeername(so,
5853 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5854
5855 /*
5856 * only way to drop out of switch. Note that we
5857 * we release fd below.
5858 */
5859
5860 break;
5861 }
5862
5863 releasef(fd);
5864 /* don't really want to audit every send call */
5865 tad->tad_flag = 0;
5866 /* free any residual audit data */
5867 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5868
5869 return;
5870
5871 case AF_UNIX:
5872
5873 if (fad->fad_aupath != NULL) {
5874 au_uwrite(au_to_path(fad->fad_aupath));
5875 } else {
5876 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5877 }
5878
5879 audit_attributes(fp->f_vnode);
5880
5881 releasef(fd);
5882
5883 return;
5884
5885 default:
5886 releasef(fd);
5887
5888 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5889 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5890 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5891
5892 return;
5893 }
5894
5895 releasef(fd);
5896
5897 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5898
5899 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5900 }
5901
5902 static au_event_t
aui_forksys(au_event_t e)5903 aui_forksys(au_event_t e)
5904 {
5905 struct a {
5906 long subcode;
5907 long flags;
5908 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5909
5910 switch ((uint_t)uap->subcode) {
5911 case 0:
5912 e = AUE_FORK1;
5913 break;
5914 case 1:
5915 e = AUE_FORKALL;
5916 break;
5917 case 2:
5918 e = AUE_VFORK;
5919 break;
5920 default:
5921 e = AUE_NULL;
5922 break;
5923 }
5924
5925 return (e);
5926 }
5927
5928 /*ARGSUSED*/
5929 static au_event_t
aui_portfs(au_event_t e)5930 aui_portfs(au_event_t e)
5931 {
5932 struct a { /* portfs */
5933 long a1;
5934 long a2;
5935 long a3;
5936 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5937
5938 /*
5939 * check opcode
5940 */
5941 switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5942 case PORT_ASSOCIATE:
5943 /* check source */
5944 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5945 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5946 e = AUE_PORTFS_ASSOCIATE;
5947 } else {
5948 e = AUE_NULL;
5949 }
5950 break;
5951 case PORT_DISSOCIATE:
5952 /* check source */
5953 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5954 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5955 e = AUE_PORTFS_DISSOCIATE;
5956 } else {
5957 e = AUE_NULL;
5958 }
5959 break;
5960 default:
5961 e = AUE_NULL;
5962 }
5963 return (e);
5964 }
5965