xref: /titanic_41/usr/src/uts/common/c2/audit_event.c (revision 89b43686db1fe9681d80a7cf5662730cb9378cae)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25  */
26 
27 /*
28  * This file contains the audit event table used to control the production
29  * of audit records for each system call.
30  */
31 
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h>	/* for sysinfo auditing */
37 #include <sys/utsname.h>	/* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h>		/* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h>		/* for accept */
56 #include <sys/utssys.h>		/* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80 
81 static au_event_t	aui_fchownat(au_event_t);
82 static au_event_t	aui_fchmodat(au_event_t);
83 static au_event_t	aui_open(au_event_t);
84 static au_event_t	aui_openat(au_event_t);
85 static au_event_t	aui_unlinkat(au_event_t);
86 static au_event_t	aui_fstatat(au_event_t);
87 static au_event_t	aui_msgsys(au_event_t);
88 static au_event_t	aui_shmsys(au_event_t);
89 static au_event_t	aui_semsys(au_event_t);
90 static au_event_t	aui_utssys(au_event_t);
91 static au_event_t	aui_fcntl(au_event_t);
92 static au_event_t	aui_execve(au_event_t);
93 static au_event_t	aui_memcntl(au_event_t);
94 static au_event_t	aui_sysinfo(au_event_t);
95 static au_event_t	aui_portfs(au_event_t);
96 static au_event_t	aui_auditsys(au_event_t);
97 static au_event_t	aui_modctl(au_event_t);
98 static au_event_t	aui_acl(au_event_t);
99 static au_event_t	aui_doorfs(au_event_t);
100 static au_event_t	aui_privsys(au_event_t);
101 static au_event_t	aui_forksys(au_event_t);
102 static au_event_t	aui_labelsys(au_event_t);
103 static au_event_t	aui_setpgrp(au_event_t);
104 
105 static void	aus_exit(struct t_audit_data *);
106 static void	aus_open(struct t_audit_data *);
107 static void	aus_openat(struct t_audit_data *);
108 static void	aus_acl(struct t_audit_data *);
109 static void	aus_acct(struct t_audit_data *);
110 static void	aus_chown(struct t_audit_data *);
111 static void	aus_fchown(struct t_audit_data *);
112 static void	aus_lchown(struct t_audit_data *);
113 static void	aus_fchownat(struct t_audit_data *);
114 static void	aus_chmod(struct t_audit_data *);
115 static void	aus_facl(struct t_audit_data *);
116 static void	aus_fchmod(struct t_audit_data *);
117 static void	aus_fchmodat(struct t_audit_data *);
118 static void	aus_fcntl(struct t_audit_data *);
119 static void	aus_mkdir(struct t_audit_data *);
120 static void	aus_mkdirat(struct t_audit_data *);
121 static void	aus_mknod(struct t_audit_data *);
122 static void	aus_mknodat(struct t_audit_data *);
123 static void	aus_mount(struct t_audit_data *);
124 static void	aus_umount2(struct t_audit_data *);
125 static void	aus_msgsys(struct t_audit_data *);
126 static void	aus_semsys(struct t_audit_data *);
127 static void	aus_close(struct t_audit_data *);
128 static void	aus_fstatfs(struct t_audit_data *);
129 static void	aus_setgid(struct t_audit_data *);
130 static void	aus_setpgrp(struct t_audit_data *);
131 static void	aus_setuid(struct t_audit_data *);
132 static void	aus_shmsys(struct t_audit_data *);
133 static void	aus_doorfs(struct t_audit_data *);
134 static void	aus_ioctl(struct t_audit_data *);
135 static void	aus_memcntl(struct t_audit_data *);
136 static void	aus_mmap(struct t_audit_data *);
137 static void	aus_munmap(struct t_audit_data *);
138 static void	aus_priocntlsys(struct t_audit_data *);
139 static void	aus_setegid(struct t_audit_data *);
140 static void	aus_setgroups(struct t_audit_data *);
141 static void	aus_seteuid(struct t_audit_data *);
142 static void	aus_putmsg(struct t_audit_data *);
143 static void	aus_putpmsg(struct t_audit_data *);
144 static void	aus_getmsg(struct t_audit_data *);
145 static void	aus_getpmsg(struct t_audit_data *);
146 static void	aus_auditsys(struct t_audit_data *);
147 static void	aus_sysinfo(struct t_audit_data *);
148 static void	aus_modctl(struct t_audit_data *);
149 static void	aus_kill(struct t_audit_data *);
150 static void	aus_setregid(struct t_audit_data *);
151 static void	aus_setreuid(struct t_audit_data *);
152 static void	aus_labelsys(struct t_audit_data *);
153 
154 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
155 static void	auf_mknodat(struct t_audit_data *, int, rval_t *);
156 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
157 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
158 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
159 static void	auf_read(struct t_audit_data *, int, rval_t *);
160 static void	auf_write(struct t_audit_data *, int, rval_t *);
161 
162 static void	aus_sigqueue(struct t_audit_data *);
163 static void	aus_p_online(struct t_audit_data *);
164 static void	aus_processor_bind(struct t_audit_data *);
165 static void	aus_inst_sync(struct t_audit_data *);
166 static void	aus_brandsys(struct t_audit_data *);
167 
168 static void	auf_accept(struct t_audit_data *, int, rval_t *);
169 
170 static void	auf_bind(struct t_audit_data *, int, rval_t *);
171 static void	auf_connect(struct t_audit_data *, int, rval_t *);
172 static void	aus_shutdown(struct t_audit_data *);
173 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
174 static void	aus_sockconfig(struct t_audit_data *);
175 static void	auf_recv(struct t_audit_data *, int, rval_t *);
176 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
177 static void	auf_send(struct t_audit_data *, int, rval_t *);
178 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
179 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
180 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
181 static void	aus_socket(struct t_audit_data *);
182 /*
183  * This table contains mapping information for converting system call numbers
184  * to audit event IDs. In several cases it is necessary to map a single system
185  * call to several events.
186  */
187 
188 #define	aui_null	NULL	/* NULL initialize function */
189 #define	aus_null	NULL	/* NULL start function */
190 #define	auf_null	NULL	/* NULL finish function */
191 
192 struct audit_s2e audit_s2e[] =
193 {
194 /*
195  * ----------	---------- 	----------	----------
196  * INITIAL	AUDIT		START		SYSTEM
197  * PROCESSING	EVENT		PROCESSING	CALL
198  * ----------	----------	----------	-----------
199  *		FINISH		EVENT
200  *		PROCESSING	CONTROL
201  * ----------------------------------------------------------
202  */
203 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
204 		auf_null,	0,
205 aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
206 		auf_null,	S2E_NPT,
207 aui_null,	AUE_NULL,	aus_null,	/* 2 (loadable) was forkall */
208 		auf_null,	0,
209 aui_null,	AUE_READ,	aus_null,	/* 3 read */
210 		auf_read,	S2E_PUB,
211 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
212 		auf_write,	0,
213 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
214 		auf_null,	S2E_SP,
215 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
216 		auf_null,	0,
217 aui_null,	AUE_LINK,	aus_null,	/* 7 linkat */
218 		auf_null,	0,
219 aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
220 		auf_null,	0,
221 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
222 		auf_null,	0,
223 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
224 		auf_null,	0,
225 aui_null,	AUE_SYMLINK,	aus_null,	/* 11 symlinkat */
226 		auf_null,	0,
227 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
228 		auf_null,	S2E_SP,
229 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
230 		auf_null,	0,
231 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
232 		auf_mknod,	S2E_MLD,
233 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
234 		auf_null,	0,
235 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
236 		auf_null,	0,
237 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
238 		auf_null,	0,
239 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
240 		auf_null,	S2E_PUB,
241 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
242 		auf_null,	0,
243 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
244 		auf_null,	0,
245 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
246 		auf_null,	S2E_MLD,
247 aui_null,	AUE_READLINK,	aus_null,	/* 22 readlinkat */
248 		auf_null,	S2E_PUB,
249 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
252 		auf_null,	0,
253 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
264 		auf_null,	0,
265 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
266 		auf_null,	0,
267 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
268 		auf_null,	0,
269 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
270 		auf_null,	S2E_PUB,
271 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
272 		auf_null,	0,
273 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
274 		auf_null,	S2E_PUB,
275 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
276 		auf_null,	0,
277 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
278 		auf_null,	0,
279 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
280 		auf_null,	S2E_PUB,
281 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
282 		auf_null,	0,
283 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
286 		auf_null,	0,
287 aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
288 		auf_null,	0,
289 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
290 		auf_null,	0,
291 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
292 		auf_null,	0,
293 aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
294 		auf_null,	S2E_PUB,
295 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
296 		auf_null,	0,
297 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
298 		auf_null,	0,
299 aui_null,	AUE_MKNOD,	aus_mknodat,	/* 48 mknodat */
300 		auf_mknodat,	S2E_MLD,
301 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
302 		auf_msgsys,	0,
303 #if defined(__x86)
304 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
305 		auf_null,	0,
306 #else
307 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
308 		auf_null,	0,
309 #endif /* __x86 */
310 aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
311 		auf_null,	0,
312 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
313 		auf_shmsys,	0,
314 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
315 		auf_semsys,	0,
316 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
317 		auf_null,	0,
318 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
319 		auf_null,	0,
320 aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
321 		auf_null,	0,
322 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
323 		auf_null,	0,
324 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
325 		auf_null,	0,
326 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
327 		auf_null,	S2E_MLD,
328 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
329 		auf_null,	0,
330 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
331 		auf_null,	S2E_SP,
332 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
333 		auf_null,	0,
334 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
335 		auf_null,	0,
336 aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
337 		auf_null,	0,
338 aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
339 		auf_null,	0,
340 aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
341 		auf_null,	S2E_PUB,
342 aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
343 		auf_null,	S2E_PUB,
344 aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
345 		auf_null,	S2E_SP,
346 aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
347 		auf_null,	S2E_SP,
348 aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
363 		auf_null,	0,
364 aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
365 		auf_null,	0,
366 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
367 		auf_null,	0,
368 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
369 		auf_null,	0,
370 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
371 		auf_null,	0,
372 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
373 		auf_null,	0,
374 aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
375 		auf_null,	0,
376 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
377 		auf_null,	0,
378 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
379 		auf_null,	0,
380 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
381 		auf_null,	0,
382 aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
383 		auf_null,	0,
384 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
385 		auf_null,	S2E_PUB,
386 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
387 		auf_null,	0,
388 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
389 		auf_null,	S2E_PUB,
390 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
391 		auf_null,	0,
392 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
393 		auf_null,	0,
394 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
395 		auf_null,	0,
396 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
409 		auf_null,	0,
410 aui_fchmodat,	AUE_NULL,	aus_fchmodat,	/* 101 fchmodat */
411 		auf_null,	0,
412 aui_null,	AUE_MKDIR,	aus_mkdirat,	/* 102 mkdirat */
413 		auf_null,	0,
414 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
415 		auf_null,	S2E_PUB,
416 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
417 		auf_null,	0,
418 aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
423 		auf_null,	0,
424 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
425 		auf_null,	0,
426 #if defined(__x86)
427 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
428 		auf_null,	0,
429 #else
430 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
431 		auf_null,	0,
432 #endif /* __x86 */
433 aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
434 		auf_null,	0,
435 aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
436 		auf_null,	0,
437 aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
438 		auf_null,	0,
439 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
440 		auf_null,	S2E_PUB,
441 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
442 		auf_null,	0,
443 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
444 		auf_null,	0,
445 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
446 		auf_null,	0,
447 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
448 		auf_null,	0,
449 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
450 		auf_null,	0,
451 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
452 		auf_null,	0,
453 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
454 		auf_null,	0,
455 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
456 		auf_read,	S2E_PUB,
457 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
458 		auf_write,	0,
459 aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
460 		auf_null,	0,
461 aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
462 		auf_null,	0,
463 aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
464 		auf_null,	0,
465 aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
466 		auf_null,	0,
467 aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
468 		auf_null,	0,
469 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
470 		auf_null,	0,
471 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
472 		auf_null,	0,
473 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
474 		auf_null,	0,
475 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
476 		auf_null,	0,
477 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
478 		auf_null,	0,
479 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
480 		auf_null,	0,
481 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
482 		auf_null,	0,
483 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
484 		auf_null,	0,
485 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
486 		auf_null,	0,
487 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
488 		auf_null,	0,
489 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
490 		auf_null,	0,
491 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
492 		auf_null,	0,
493 aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
494 		auf_null,	0,
495 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
496 		auf_null,	0,
497 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
498 		auf_null,	0,
499 aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
506 		auf_null,	0,
507 aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
508 						/*	was lwp_sema_wait */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
515 		auf_null,	0,
516 aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
517 		auf_null,	0,
518 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
519 		auf_null,	0,
520 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
521 		auf_null,	0,
522 aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
553 						/*	was lwp_mutex_lock */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
558 		auf_null,	0,
559 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
560 		auf_null,	0,
561 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
562 		auf_read,	S2E_PUB,
563 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
564 		auf_write,	0,
565 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
566 		auf_null,	0,
567 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) inst_sync */
568 		auf_null,	0,
569 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
570 		auf_null,	0,
571 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
578 		auf_null,	0,
579 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
580 		auf_null,	S2E_MLD,
581 aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
582 		auf_null,	0,
583 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
584 		auf_null,	0,
585 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
586 		auf_null,	0,
587 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
588 		auf_null,	0,
589 aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
590 		auf_null,	0,
591 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
592 		auf_null,	0,
593 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
594 		auf_null,	0,
595 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
598 		auf_null,	0,
599 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
600 		auf_null,	0,
601 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
614 		auf_null,	0,
615 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
616 		auf_null,	0,
617 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
618 		auf_null,	0,
619 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
620 		auf_null,	0,
621 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
622 		auf_null,	0,
623 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
642 		auf_null,	0,
643 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
644 		auf_null,	0,
645 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
646 		auf_null,	S2E_PUB,
647 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
650 		auf_null,	0,
651 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
652 		auf_null,	S2E_PUB,
653 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
654 		auf_null,	0,
655 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
656 		auf_null,	0,
657 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
658 		auf_null,	0,
659 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
660 		auf_read,	S2E_PUB,
661 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
662 		auf_write,	0,
663 aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
664 		auf_null,	0,
665 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
666 		auf_null,	S2E_SP,
667 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
668 		auf_null,	0,
669 aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
674 		auf_null,	0,
675 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
676 		auf_null,	0,
677 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
678 		auf_null,	0,
679 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
680 		auf_bind,	0,
681 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
682 		auf_null,	0,
683 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
684 		auf_accept,	0,
685 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
686 		auf_connect,	0,
687 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
688 		auf_null,	0,
689 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
690 		auf_recv,	0,
691 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
692 		auf_recvfrom,	0,
693 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
694 		auf_recvmsg,	0,
695 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
696 		auf_send,	0,
697 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
698 		auf_sendmsg,	0,
699 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
700 		auf_sendto,	0,
701 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
702 		auf_null,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
704 		auf_null,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
706 		auf_null,	0,
707 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
708 		auf_setsockopt,	0,
709 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
710 		auf_null,	0,
711 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
712 		auf_null,	0,
713 aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
714 		auf_null,	0,
715 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
724 		auf_null,	0,
725 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
726 		auf_null,	0
727 };
728 
729 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
730 
731 
732 /* exit start function */
733 /*ARGSUSED*/
734 static void
aus_exit(struct t_audit_data * tad)735 aus_exit(struct t_audit_data *tad)
736 {
737 	uint32_t rval;
738 	struct a {
739 		long rval;
740 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
741 
742 	rval = (uint32_t)uap->rval;
743 	au_uwrite(au_to_arg32(1, "exit status", rval));
744 }
745 
746 /* acct start function */
747 /*ARGSUSED*/
748 static void
aus_acct(struct t_audit_data * tad)749 aus_acct(struct t_audit_data *tad)
750 {
751 	klwp_t *clwp = ttolwp(curthread);
752 	uintptr_t fname;
753 
754 	struct a {
755 		long	fname;		/* char * */
756 	} *uap = (struct a *)clwp->lwp_ap;
757 
758 	fname = (uintptr_t)uap->fname;
759 
760 	if (fname == 0)
761 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
762 }
763 
764 /* chown start function */
765 /*ARGSUSED*/
766 static void
aus_chown(struct t_audit_data * tad)767 aus_chown(struct t_audit_data *tad)
768 {
769 	klwp_t *clwp = ttolwp(curthread);
770 	uint32_t uid, gid;
771 
772 	struct a {
773 		long	fname;		/* char * */
774 		long	uid;
775 		long	gid;
776 	} *uap = (struct a *)clwp->lwp_ap;
777 
778 	uid = (uint32_t)uap->uid;
779 	gid = (uint32_t)uap->gid;
780 
781 	au_uwrite(au_to_arg32(2, "new file uid", uid));
782 	au_uwrite(au_to_arg32(3, "new file gid", gid));
783 }
784 
785 /* fchown start function */
786 /*ARGSUSED*/
787 static void
aus_fchown(struct t_audit_data * tad)788 aus_fchown(struct t_audit_data *tad)
789 {
790 	klwp_t *clwp = ttolwp(curthread);
791 	uint32_t uid, gid, fd;
792 	struct file  *fp;
793 	struct vnode *vp;
794 	struct f_audit_data *fad;
795 
796 	struct a {
797 		long fd;
798 		long uid;
799 		long gid;
800 	} *uap = (struct a *)clwp->lwp_ap;
801 
802 	fd  = (uint32_t)uap->fd;
803 	uid = (uint32_t)uap->uid;
804 	gid = (uint32_t)uap->gid;
805 
806 	au_uwrite(au_to_arg32(2, "new file uid", uid));
807 	au_uwrite(au_to_arg32(3, "new file gid", gid));
808 
809 		/*
810 		 * convert file pointer to file descriptor
811 		 *   Note: fd ref count incremented here.
812 		 */
813 	if ((fp = getf(fd)) == NULL)
814 		return;
815 
816 	/* get path from file struct here */
817 	fad = F2A(fp);
818 	if (fad->fad_aupath != NULL) {
819 		au_uwrite(au_to_path(fad->fad_aupath));
820 	} else {
821 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
822 	}
823 
824 	vp = fp->f_vnode;
825 	audit_attributes(vp);
826 
827 	/* decrement file descriptor reference count */
828 	releasef(fd);
829 }
830 
831 /*ARGSUSED*/
832 static void
aus_lchown(struct t_audit_data * tad)833 aus_lchown(struct t_audit_data *tad)
834 {
835 	klwp_t *clwp = ttolwp(curthread);
836 	uint32_t uid, gid;
837 
838 
839 	struct a {
840 		long	fname;		/* char	* */
841 		long	uid;
842 		long	gid;
843 	} *uap = (struct a *)clwp->lwp_ap;
844 
845 	uid = (uint32_t)uap->uid;
846 	gid = (uint32_t)uap->gid;
847 
848 	au_uwrite(au_to_arg32(2, "new file uid", uid));
849 	au_uwrite(au_to_arg32(3, "new file gid", gid));
850 }
851 
852 static au_event_t
aui_fchownat(au_event_t e)853 aui_fchownat(au_event_t e)
854 {
855 	klwp_t *clwp = ttolwp(curthread);
856 
857 	struct a {
858 		long	fd;
859 		long	fname;		/* char * */
860 		long	uid;
861 		long	gid;
862 		long	flags;
863 	} *uap = (struct a *)clwp->lwp_ap;
864 
865 	if (uap->fname == NULL)
866 		e = AUE_FCHOWN;
867 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
868 		e = AUE_LCHOWN;
869 	else
870 		e = AUE_CHOWN;
871 
872 	return (e);
873 }
874 
875 /*ARGSUSED*/
876 static void
aus_fchownat(struct t_audit_data * tad)877 aus_fchownat(struct t_audit_data *tad)
878 {
879 	klwp_t *clwp = ttolwp(curthread);
880 	uint32_t uid, gid;
881 
882 	struct a {
883 		long	fd;
884 		long	fname;		/* char * */
885 		long	uid;
886 		long	gid;
887 		long	flags;
888 	} *uap = (struct a *)clwp->lwp_ap;
889 
890 	uid = (uint32_t)uap->uid;
891 	gid = (uint32_t)uap->gid;
892 
893 	au_uwrite(au_to_arg32(3, "new file uid", uid));
894 	au_uwrite(au_to_arg32(4, "new file gid", gid));
895 }
896 
897 /*ARGSUSED*/
898 static void
aus_chmod(struct t_audit_data * tad)899 aus_chmod(struct t_audit_data *tad)
900 {
901 	klwp_t *clwp = ttolwp(curthread);
902 	uint32_t fmode;
903 
904 	struct a {
905 		long	fname;		/* char	* */
906 		long	fmode;
907 	} *uap = (struct a *)clwp->lwp_ap;
908 
909 	fmode = (uint32_t)uap->fmode;
910 
911 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
912 }
913 
914 /*ARGSUSED*/
915 static void
aus_fchmod(struct t_audit_data * tad)916 aus_fchmod(struct t_audit_data *tad)
917 {
918 	klwp_t *clwp = ttolwp(curthread);
919 	uint32_t fmode, fd;
920 	struct file  *fp;
921 	struct vnode *vp;
922 	struct f_audit_data *fad;
923 
924 	struct a {
925 		long	fd;
926 		long	fmode;
927 	} *uap = (struct a *)clwp->lwp_ap;
928 
929 	fd = (uint32_t)uap->fd;
930 	fmode = (uint32_t)uap->fmode;
931 
932 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
933 
934 	/*
935 	 * convert file pointer to file descriptor
936 	 *   Note: fd ref count incremented here.
937 	 */
938 	if ((fp = getf(fd)) == NULL)
939 		return;
940 
941 	/* get path from file struct here */
942 	fad = F2A(fp);
943 	if (fad->fad_aupath != NULL) {
944 		au_uwrite(au_to_path(fad->fad_aupath));
945 	} else {
946 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
947 	}
948 
949 	vp = fp->f_vnode;
950 	audit_attributes(vp);
951 
952 	/* decrement file descriptor reference count */
953 	releasef(fd);
954 }
955 
956 static au_event_t
aui_fchmodat(au_event_t e)957 aui_fchmodat(au_event_t e)
958 {
959 	klwp_t *clwp = ttolwp(curthread);
960 
961 	struct a {
962 		long	fd;
963 		long	fname;		/* char	* */
964 		long	fmode;
965 		long	flag;
966 	} *uap = (struct a *)clwp->lwp_ap;
967 
968 	if (uap->fname == NULL)
969 		e = AUE_FCHMOD;
970 	else
971 		e = AUE_CHMOD;
972 
973 	return (e);
974 }
975 
976 /*ARGSUSED*/
977 static void
aus_fchmodat(struct t_audit_data * tad)978 aus_fchmodat(struct t_audit_data *tad)
979 {
980 	klwp_t *clwp = ttolwp(curthread);
981 	uint32_t fmode;
982 	uint32_t fd;
983 	struct file  *fp;
984 	struct vnode *vp;
985 	struct f_audit_data *fad;
986 
987 	struct a {
988 		long	fd;
989 		long	fname;		/* char	* */
990 		long	fmode;
991 		long	flag;
992 	} *uap = (struct a *)clwp->lwp_ap;
993 
994 	fd = (uint32_t)uap->fd;
995 	fmode = (uint32_t)uap->fmode;
996 
997 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
998 
999 	if (fd == AT_FDCWD || uap->fname != NULL)	/* same as chmod() */
1000 		return;
1001 
1002 	/*
1003 	 * convert file pointer to file descriptor
1004 	 *   Note: fd ref count incremented here.
1005 	 */
1006 	if ((fp = getf(fd)) == NULL)
1007 		return;
1008 
1009 	/* get path from file struct here */
1010 	fad = F2A(fp);
1011 	if (fad->fad_aupath != NULL) {
1012 		au_uwrite(au_to_path(fad->fad_aupath));
1013 	} else {
1014 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1015 	}
1016 
1017 	vp = fp->f_vnode;
1018 	audit_attributes(vp);
1019 
1020 	/* decrement file descriptor reference count */
1021 	releasef(fd);
1022 }
1023 
1024 /*
1025  * convert open mode to appropriate open event
1026  */
1027 au_event_t
open_event(uint_t fm)1028 open_event(uint_t fm)
1029 {
1030 	au_event_t e;
1031 
1032 	switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1033 	case O_RDONLY:
1034 		e = AUE_OPEN_R;
1035 		break;
1036 	case O_RDONLY | O_CREAT:
1037 		e = AUE_OPEN_RC;
1038 		break;
1039 	case O_RDONLY | O_TRUNC:
1040 		e = AUE_OPEN_RT;
1041 		break;
1042 	case O_RDONLY | O_TRUNC | O_CREAT:
1043 		e = AUE_OPEN_RTC;
1044 		break;
1045 	case O_WRONLY:
1046 		e = AUE_OPEN_W;
1047 		break;
1048 	case O_WRONLY | O_CREAT:
1049 		e = AUE_OPEN_WC;
1050 		break;
1051 	case O_WRONLY | O_TRUNC:
1052 		e = AUE_OPEN_WT;
1053 		break;
1054 	case O_WRONLY | O_TRUNC | O_CREAT:
1055 		e = AUE_OPEN_WTC;
1056 		break;
1057 	case O_RDWR:
1058 		e = AUE_OPEN_RW;
1059 		break;
1060 	case O_RDWR | O_CREAT:
1061 		e = AUE_OPEN_RWC;
1062 		break;
1063 	case O_RDWR | O_TRUNC:
1064 		e = AUE_OPEN_RWT;
1065 		break;
1066 	case O_RDWR | O_TRUNC | O_CREAT:
1067 		e = AUE_OPEN_RWTC;
1068 		break;
1069 	case O_SEARCH:
1070 		e = AUE_OPEN_S;
1071 		break;
1072 	case O_EXEC:
1073 		e = AUE_OPEN_E;
1074 		break;
1075 	default:
1076 		e = AUE_NULL;
1077 		break;
1078 	}
1079 
1080 	return (e);
1081 }
1082 
1083 /* ARGSUSED */
1084 static au_event_t
aui_open(au_event_t e)1085 aui_open(au_event_t e)
1086 {
1087 	klwp_t *clwp = ttolwp(curthread);
1088 	uint_t fm;
1089 
1090 	struct a {
1091 		long	fnamep;		/* char	* */
1092 		long	fmode;
1093 		long	cmode;
1094 	} *uap = (struct a *)clwp->lwp_ap;
1095 
1096 	fm = (uint_t)uap->fmode;
1097 
1098 	return (open_event(fm));
1099 }
1100 
1101 static void
aus_open(struct t_audit_data * tad)1102 aus_open(struct t_audit_data *tad)
1103 {
1104 	klwp_t *clwp = ttolwp(curthread);
1105 	uint_t fm;
1106 
1107 	struct a {
1108 		long	fnamep;		/* char	* */
1109 		long	fmode;
1110 		long	cmode;
1111 	} *uap = (struct a *)clwp->lwp_ap;
1112 
1113 	fm = (uint_t)uap->fmode;
1114 
1115 	/* If no write, create, or trunc modes, mark as a public op */
1116 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1117 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1118 }
1119 
1120 /* ARGSUSED */
1121 static au_event_t
aui_openat(au_event_t e)1122 aui_openat(au_event_t e)
1123 {
1124 	t_audit_data_t *tad = T2A(curthread);
1125 	klwp_t *clwp = ttolwp(curthread);
1126 	uint_t fm;
1127 
1128 	struct a {
1129 		long	filedes;
1130 		long	fnamep;		/* char	* */
1131 		long	fmode;
1132 		long	cmode;
1133 	} *uap = (struct a *)clwp->lwp_ap;
1134 
1135 	fm = (uint_t)uap->fmode;
1136 
1137 	/*
1138 	 * __openattrdirat() does an extra pathname lookup in order to
1139 	 * enter the extended system attribute namespace of the referenced
1140 	 * extended attribute filename.
1141 	 */
1142 	if (fm & FXATTRDIROPEN)
1143 		tad->tad_ctrl |= TAD_MLD;
1144 
1145 	return (open_event(fm));
1146 }
1147 
1148 static void
aus_openat(struct t_audit_data * tad)1149 aus_openat(struct t_audit_data *tad)
1150 {
1151 	klwp_t *clwp = ttolwp(curthread);
1152 	uint_t fm;
1153 
1154 	struct a {
1155 		long	filedes;
1156 		long	fnamep;		/* char	* */
1157 		long	fmode;
1158 		long	cmode;
1159 	} *uap = (struct a *)clwp->lwp_ap;
1160 
1161 	fm = (uint_t)uap->fmode;
1162 
1163 	/* If no write, create, or trunc modes, mark as a public op */
1164 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1165 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1166 }
1167 
1168 static au_event_t
aui_unlinkat(au_event_t e)1169 aui_unlinkat(au_event_t e)
1170 {
1171 	klwp_t *clwp = ttolwp(curthread);
1172 
1173 	struct a {
1174 		long	filedes;
1175 		long	fnamep;		/* char	* */
1176 		long	flags;
1177 	} *uap = (struct a *)clwp->lwp_ap;
1178 
1179 	if (uap->flags & AT_REMOVEDIR)
1180 		e = AUE_RMDIR;
1181 	else
1182 		e = AUE_UNLINK;
1183 
1184 	return (e);
1185 }
1186 
1187 static au_event_t
aui_fstatat(au_event_t e)1188 aui_fstatat(au_event_t e)
1189 {
1190 	klwp_t *clwp = ttolwp(curthread);
1191 
1192 	struct a {
1193 		long	filedes;
1194 		long	fnamep;		/* char	* */
1195 		long	statb;
1196 		long	flags;
1197 	} *uap = (struct a *)clwp->lwp_ap;
1198 
1199 	if (uap->fnamep == NULL)
1200 		e = AUE_FSTAT;
1201 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1202 		e = AUE_LSTAT;
1203 	else
1204 		e = AUE_STAT;
1205 
1206 	return (e);
1207 }
1208 
1209 /* msgsys */
1210 static au_event_t
aui_msgsys(au_event_t e)1211 aui_msgsys(au_event_t e)
1212 {
1213 	klwp_t *clwp = ttolwp(curthread);
1214 	uint_t fm;
1215 
1216 	struct a {
1217 		long	id;	/* function code id */
1218 		long	ap;	/* arg pointer for recvmsg */
1219 	} *uap = (struct a *)clwp->lwp_ap;
1220 
1221 	struct b {
1222 		long	msgid;
1223 		long	cmd;
1224 		long	buf;	/* struct msqid_ds * */
1225 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1226 
1227 	fm  = (uint_t)uap->id;
1228 
1229 	switch (fm) {
1230 	case 0:		/* msgget */
1231 		e = AUE_MSGGET;
1232 		break;
1233 	case 1:		/* msgctl */
1234 		switch ((uint_t)uap1->cmd) {
1235 		case IPC_RMID:
1236 			e = AUE_MSGCTL_RMID;
1237 			break;
1238 		case IPC_SET:
1239 			e = AUE_MSGCTL_SET;
1240 			break;
1241 		case IPC_STAT:
1242 			e = AUE_MSGCTL_STAT;
1243 			break;
1244 		default:
1245 			e = AUE_MSGCTL;
1246 			break;
1247 		}
1248 		break;
1249 	case 2:		/* msgrcv */
1250 		e = AUE_MSGRCV;
1251 		break;
1252 	case 3:		/* msgsnd */
1253 		e = AUE_MSGSND;
1254 		break;
1255 	default:	/* illegal system call */
1256 		e = AUE_NULL;
1257 		break;
1258 	}
1259 
1260 	return (e);
1261 }
1262 
1263 
1264 /* shmsys */
1265 static au_event_t
aui_shmsys(au_event_t e)1266 aui_shmsys(au_event_t e)
1267 {
1268 	klwp_t *clwp = ttolwp(curthread);
1269 	int fm;
1270 
1271 	struct a {		/* shmsys */
1272 		long	id;	/* function code id */
1273 	} *uap = (struct a *)clwp->lwp_ap;
1274 
1275 	struct b {		/* ctrl */
1276 		long	shmid;
1277 		long	cmd;
1278 		long	arg;		/* struct shmid_ds * */
1279 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1280 	fm  = (uint_t)uap->id;
1281 
1282 	switch (fm) {
1283 	case 0:		/* shmat */
1284 		e = AUE_SHMAT;
1285 		break;
1286 	case 1:		/* shmctl */
1287 		switch ((uint_t)uap1->cmd) {
1288 		case IPC_RMID:
1289 			e = AUE_SHMCTL_RMID;
1290 			break;
1291 		case IPC_SET:
1292 			e = AUE_SHMCTL_SET;
1293 			break;
1294 		case IPC_STAT:
1295 			e = AUE_SHMCTL_STAT;
1296 			break;
1297 		default:
1298 			e = AUE_SHMCTL;
1299 			break;
1300 		}
1301 		break;
1302 	case 2:		/* shmdt */
1303 		e = AUE_SHMDT;
1304 		break;
1305 	case 3:		/* shmget */
1306 		e = AUE_SHMGET;
1307 		break;
1308 	default:	/* illegal system call */
1309 		e = AUE_NULL;
1310 		break;
1311 	}
1312 
1313 	return (e);
1314 }
1315 
1316 
1317 /* semsys */
1318 static au_event_t
aui_semsys(au_event_t e)1319 aui_semsys(au_event_t e)
1320 {
1321 	klwp_t *clwp = ttolwp(curthread);
1322 	uint_t fm;
1323 
1324 	struct a {		/* semsys */
1325 		long	id;
1326 	} *uap = (struct a *)clwp->lwp_ap;
1327 
1328 	struct b {		/* ctrl */
1329 		long	semid;
1330 		long	semnum;
1331 		long	cmd;
1332 		long	arg;
1333 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1334 
1335 	fm = (uint_t)uap->id;
1336 
1337 	switch (fm) {
1338 	case 0:		/* semctl */
1339 		switch ((uint_t)uap1->cmd) {
1340 		case IPC_RMID:
1341 			e = AUE_SEMCTL_RMID;
1342 			break;
1343 		case IPC_SET:
1344 			e = AUE_SEMCTL_SET;
1345 			break;
1346 		case IPC_STAT:
1347 			e = AUE_SEMCTL_STAT;
1348 			break;
1349 		case GETNCNT:
1350 			e = AUE_SEMCTL_GETNCNT;
1351 			break;
1352 		case GETPID:
1353 			e = AUE_SEMCTL_GETPID;
1354 			break;
1355 		case GETVAL:
1356 			e = AUE_SEMCTL_GETVAL;
1357 			break;
1358 		case GETALL:
1359 			e = AUE_SEMCTL_GETALL;
1360 			break;
1361 		case GETZCNT:
1362 			e = AUE_SEMCTL_GETZCNT;
1363 			break;
1364 		case SETVAL:
1365 			e = AUE_SEMCTL_SETVAL;
1366 			break;
1367 		case SETALL:
1368 			e = AUE_SEMCTL_SETALL;
1369 			break;
1370 		default:
1371 			e = AUE_SEMCTL;
1372 			break;
1373 		}
1374 		break;
1375 	case 1:		/* semget */
1376 		e = AUE_SEMGET;
1377 		break;
1378 	case 2:		/* semop */
1379 		e = AUE_SEMOP;
1380 		break;
1381 	default:	/* illegal system call */
1382 		e = AUE_NULL;
1383 		break;
1384 	}
1385 
1386 	return (e);
1387 }
1388 
1389 /* utssys - uname(2), ustat(2), fusers(2) */
1390 static au_event_t
aui_utssys(au_event_t e)1391 aui_utssys(au_event_t e)
1392 {
1393 	klwp_t *clwp = ttolwp(curthread);
1394 	uint_t type;
1395 
1396 	struct a {
1397 		union {
1398 			long	cbuf;		/* char * */
1399 			long	ubuf;		/* struct stat * */
1400 		} ub;
1401 		union {
1402 			long	mv;	/* for USTAT */
1403 			long	flags;	/* for FUSERS */
1404 		} un;
1405 		long	type;
1406 		long	outbp;		/* char * for FUSERS */
1407 	} *uap = (struct a *)clwp->lwp_ap;
1408 
1409 	type = (uint_t)uap->type;
1410 
1411 	if (type == UTS_FUSERS)
1412 		return (e);
1413 	else
1414 		return ((au_event_t)AUE_NULL);
1415 }
1416 
1417 static au_event_t
aui_fcntl(au_event_t e)1418 aui_fcntl(au_event_t e)
1419 {
1420 	klwp_t *clwp = ttolwp(curthread);
1421 	uint_t cmd;
1422 
1423 	struct a {
1424 		long	fdes;
1425 		long	cmd;
1426 		long	arg;
1427 	} *uap = (struct a *)clwp->lwp_ap;
1428 
1429 	cmd = (uint_t)uap->cmd;
1430 
1431 	switch (cmd) {
1432 	case F_GETLK:
1433 	case F_SETLK:
1434 	case F_SETLKW:
1435 		break;
1436 	case F_SETFL:
1437 	case F_GETFL:
1438 	case F_GETFD:
1439 		break;
1440 	default:
1441 		e = (au_event_t)AUE_NULL;
1442 		break;
1443 	}
1444 	return ((au_event_t)e);
1445 }
1446 
1447 /* null function for now */
1448 static au_event_t
aui_execve(au_event_t e)1449 aui_execve(au_event_t e)
1450 {
1451 	return (e);
1452 }
1453 
1454 /*ARGSUSED*/
1455 static void
aus_fcntl(struct t_audit_data * tad)1456 aus_fcntl(struct t_audit_data *tad)
1457 {
1458 	klwp_t *clwp = ttolwp(curthread);
1459 	uint32_t cmd, fd, flags;
1460 	struct file  *fp;
1461 	struct vnode *vp;
1462 	struct f_audit_data *fad;
1463 
1464 	struct a {
1465 		long	fd;
1466 		long	cmd;
1467 		long	arg;
1468 	} *uap = (struct a *)clwp->lwp_ap;
1469 
1470 	cmd	= (uint32_t)uap->cmd;
1471 	fd	= (uint32_t)uap->fd;
1472 	flags	= (uint32_t)uap->arg;
1473 
1474 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1475 
1476 	if (cmd == F_SETFL)
1477 		au_uwrite(au_to_arg32(3, "flags", flags));
1478 
1479 		/*
1480 		 * convert file pointer to file descriptor
1481 		 *   Note: fd ref count incremented here.
1482 		 */
1483 	if ((fp = getf(fd)) == NULL)
1484 		return;
1485 
1486 	/* get path from file struct here */
1487 	fad = F2A(fp);
1488 	if (fad->fad_aupath != NULL) {
1489 		au_uwrite(au_to_path(fad->fad_aupath));
1490 	} else {
1491 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1492 	}
1493 
1494 	vp = fp->f_vnode;
1495 	audit_attributes(vp);
1496 
1497 	/* decrement file descriptor reference count */
1498 	releasef(fd);
1499 }
1500 
1501 /*ARGSUSED*/
1502 static void
aus_kill(struct t_audit_data * tad)1503 aus_kill(struct t_audit_data *tad)
1504 {
1505 	klwp_t *clwp = ttolwp(curthread);
1506 	struct proc *p;
1507 	uint32_t signo;
1508 	uid_t uid, ruid;
1509 	gid_t gid, rgid;
1510 	pid_t pid;
1511 	const auditinfo_addr_t *ainfo;
1512 	cred_t *cr;
1513 
1514 	struct a {
1515 		long	pid;
1516 		long	signo;
1517 	} *uap = (struct a *)clwp->lwp_ap;
1518 
1519 	pid   = (pid_t)uap->pid;
1520 	signo = (uint32_t)uap->signo;
1521 
1522 	au_uwrite(au_to_arg32(2, "signal", signo));
1523 	if (pid > 0) {
1524 		mutex_enter(&pidlock);
1525 		if (((p = prfind(pid)) == (struct proc *)0) ||
1526 		    (p->p_stat == SIDL)) {
1527 			mutex_exit(&pidlock);
1528 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1529 			return;
1530 		}
1531 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1532 		mutex_exit(&pidlock);
1533 
1534 		mutex_enter(&p->p_crlock);
1535 		crhold(cr = p->p_cred);
1536 		mutex_exit(&p->p_crlock);
1537 		mutex_exit(&p->p_lock);
1538 
1539 		ainfo = crgetauinfo(cr);
1540 		if (ainfo == NULL) {
1541 			crfree(cr);
1542 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1543 			return;
1544 		}
1545 
1546 		uid  = crgetuid(cr);
1547 		gid  = crgetgid(cr);
1548 		ruid = crgetruid(cr);
1549 		rgid = crgetrgid(cr);
1550 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1551 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1552 
1553 		if (is_system_labeled())
1554 			au_uwrite(au_to_label(CR_SL(cr)));
1555 
1556 		crfree(cr);
1557 	}
1558 	else
1559 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1560 }
1561 
1562 /*ARGSUSED*/
1563 static void
aus_mkdir(struct t_audit_data * tad)1564 aus_mkdir(struct t_audit_data *tad)
1565 {
1566 	klwp_t *clwp = ttolwp(curthread);
1567 	uint32_t dmode;
1568 
1569 	struct a {
1570 		long	dirnamep;		/* char * */
1571 		long	dmode;
1572 	} *uap = (struct a *)clwp->lwp_ap;
1573 
1574 	dmode = (uint32_t)uap->dmode;
1575 
1576 	au_uwrite(au_to_arg32(2, "mode", dmode));
1577 }
1578 
1579 /*ARGSUSED*/
1580 static void
aus_mkdirat(struct t_audit_data * tad)1581 aus_mkdirat(struct t_audit_data *tad)
1582 {
1583 	klwp_t *clwp = ttolwp(curthread);
1584 	uint32_t dmode;
1585 
1586 	struct a {
1587 		long	fd;
1588 		long	dirnamep;		/* char * */
1589 		long	dmode;
1590 	} *uap = (struct a *)clwp->lwp_ap;
1591 
1592 	dmode = (uint32_t)uap->dmode;
1593 
1594 	au_uwrite(au_to_arg32(2, "mode", dmode));
1595 }
1596 
1597 /*ARGSUSED*/
1598 static void
aus_mknod(struct t_audit_data * tad)1599 aus_mknod(struct t_audit_data *tad)
1600 {
1601 	klwp_t *clwp = ttolwp(curthread);
1602 	uint32_t fmode;
1603 	dev_t dev;
1604 
1605 	struct a {
1606 		long	pnamep;		/* char * */
1607 		long	fmode;
1608 		long	dev;
1609 	} *uap = (struct a *)clwp->lwp_ap;
1610 
1611 	fmode = (uint32_t)uap->fmode;
1612 	dev   = (dev_t)uap->dev;
1613 
1614 	au_uwrite(au_to_arg32(2, "mode", fmode));
1615 #ifdef _LP64
1616 	au_uwrite(au_to_arg64(3, "dev", dev));
1617 #else
1618 	au_uwrite(au_to_arg32(3, "dev", dev));
1619 #endif
1620 }
1621 
1622 /*ARGSUSED*/
1623 static void
auf_mknod(struct t_audit_data * tad,int error,rval_t * rval)1624 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1625 {
1626 	klwp_t *clwp = ttolwp(curthread);
1627 	vnode_t	*dvp;
1628 	caddr_t pnamep;
1629 
1630 	struct a {
1631 		long	pnamep;		/* char * */
1632 		long	fmode;
1633 		long	dev;
1634 	} *uap = (struct a *)clwp->lwp_ap;
1635 
1636 	/* no error, then already path token in audit record */
1637 	if (error != EPERM && error != EINVAL)
1638 		return;
1639 
1640 	/* do the lookup to force generation of path token */
1641 	pnamep = (caddr_t)uap->pnamep;
1642 	tad->tad_ctrl |= TAD_NOATTRB;
1643 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1644 	if (error == 0)
1645 		VN_RELE(dvp);
1646 }
1647 
1648 /*ARGSUSED*/
1649 static void
aus_mknodat(struct t_audit_data * tad)1650 aus_mknodat(struct t_audit_data *tad)
1651 {
1652 	klwp_t *clwp = ttolwp(curthread);
1653 	uint32_t fmode;
1654 	dev_t dev;
1655 
1656 	struct a {
1657 		long	fd;
1658 		long	pnamep;		/* char * */
1659 		long	fmode;
1660 		long	dev;
1661 	} *uap = (struct a *)clwp->lwp_ap;
1662 
1663 	fmode = (uint32_t)uap->fmode;
1664 	dev   = (dev_t)uap->dev;
1665 
1666 	au_uwrite(au_to_arg32(2, "mode", fmode));
1667 #ifdef _LP64
1668 	au_uwrite(au_to_arg64(3, "dev", dev));
1669 #else
1670 	au_uwrite(au_to_arg32(3, "dev", dev));
1671 #endif
1672 }
1673 
1674 /*ARGSUSED*/
1675 static void
auf_mknodat(struct t_audit_data * tad,int error,rval_t * rval)1676 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1677 {
1678 	klwp_t *clwp = ttolwp(curthread);
1679 	vnode_t	*startvp;
1680 	vnode_t	*dvp;
1681 	caddr_t pnamep;
1682 	int fd;
1683 
1684 	struct a {
1685 		long	fd;
1686 		long	pnamep;		/* char * */
1687 		long	fmode;
1688 		long	dev;
1689 	} *uap = (struct a *)clwp->lwp_ap;
1690 
1691 	/* no error, then already path token in audit record */
1692 	if (error != EPERM && error != EINVAL)
1693 		return;
1694 
1695 	/* do the lookup to force generation of path token */
1696 	fd = (int)uap->fd;
1697 	pnamep = (caddr_t)uap->pnamep;
1698 	if (pnamep == NULL ||
1699 	    fgetstartvp(fd, pnamep, &startvp) != 0)
1700 		return;
1701 	tad->tad_ctrl |= TAD_NOATTRB;
1702 	error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1703 	    startvp);
1704 	if (error == 0)
1705 		VN_RELE(dvp);
1706 	if (startvp != NULL)
1707 		VN_RELE(startvp);
1708 }
1709 
1710 /*ARGSUSED*/
1711 static void
aus_mount(struct t_audit_data * tad)1712 aus_mount(struct t_audit_data *tad)
1713 {	/* AUS_START */
1714 	klwp_t *clwp = ttolwp(curthread);
1715 	uint32_t flags;
1716 	uintptr_t u_fstype, dataptr;
1717 	STRUCT_DECL(nfs_args, nfsargs);
1718 	size_t len;
1719 	char *fstype, *hostname;
1720 
1721 	struct a {
1722 		long	spec;		/* char    * */
1723 		long	dir;		/* char    * */
1724 		long	flags;
1725 		long	fstype;		/* char    * */
1726 		long	dataptr;	/* char    * */
1727 		long	datalen;
1728 	} *uap = (struct a *)clwp->lwp_ap;
1729 
1730 	u_fstype = (uintptr_t)uap->fstype;
1731 	flags    = (uint32_t)uap->flags;
1732 	dataptr  = (uintptr_t)uap->dataptr;
1733 
1734 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1735 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1736 		goto mount_free_fstype;
1737 
1738 	au_uwrite(au_to_arg32(3, "flags", flags));
1739 	au_uwrite(au_to_text(fstype));
1740 
1741 	if (strncmp(fstype, "nfs", 3) == 0) {
1742 
1743 		STRUCT_INIT(nfsargs, get_udatamodel());
1744 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1745 
1746 		if (copyin((caddr_t)dataptr,
1747 				STRUCT_BUF(nfsargs),
1748 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1749 			/* DEBUG debug_enter((char *)NULL); */
1750 			goto mount_free_fstype;
1751 		}
1752 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1753 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1754 				(caddr_t)hostname,
1755 				MAXNAMELEN, &len)) {
1756 			goto mount_free_hostname;
1757 		}
1758 		au_uwrite(au_to_text(hostname));
1759 		au_uwrite(au_to_arg32(3, "internal flags",
1760 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1761 
1762 mount_free_hostname:
1763 		kmem_free(hostname, MAXNAMELEN);
1764 	}
1765 
1766 mount_free_fstype:
1767 	kmem_free(fstype, MAXNAMELEN);
1768 }	/* AUS_MOUNT */
1769 
1770 static void
aus_umount_path(caddr_t umount_dir)1771 aus_umount_path(caddr_t umount_dir)
1772 {
1773 	char			*dir_path;
1774 	struct audit_path	*path;
1775 	size_t			path_len, dir_len;
1776 
1777 	/* length alloc'd for two string pointers */
1778 	path_len = sizeof (struct audit_path) + sizeof (char *);
1779 	path = kmem_alloc(path_len, KM_SLEEP);
1780 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1781 
1782 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1783 	    MAXPATHLEN, &dir_len))
1784 		goto umount2_free_dir;
1785 
1786 	/*
1787 	 * the audit_path struct assumes that the buffer pointed to
1788 	 * by audp_sect[n] contains string 0 immediatedly followed
1789 	 * by string 1.
1790 	 */
1791 	path->audp_sect[0] = dir_path;
1792 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1793 	path->audp_size = path_len;
1794 	path->audp_ref = 1;		/* not used */
1795 	path->audp_cnt = 1;		/* one path string */
1796 
1797 	au_uwrite(au_to_path(path));
1798 
1799 umount2_free_dir:
1800 	kmem_free(dir_path, MAXPATHLEN);
1801 	kmem_free(path, path_len);
1802 }
1803 
1804 /*ARGSUSED*/
1805 static void
aus_umount2(struct t_audit_data * tad)1806 aus_umount2(struct t_audit_data *tad)
1807 {
1808 	klwp_t			*clwp = ttolwp(curthread);
1809 	struct a {
1810 		long	dir;		/* char    * */
1811 		long	flags;
1812 	} *uap = (struct a *)clwp->lwp_ap;
1813 
1814 	aus_umount_path((caddr_t)uap->dir);
1815 
1816 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1817 }
1818 
1819 static void
aus_msgsys(struct t_audit_data * tad)1820 aus_msgsys(struct t_audit_data *tad)
1821 {
1822 	klwp_t *clwp = ttolwp(curthread);
1823 	uint32_t msgid;
1824 
1825 	struct b {
1826 		long	msgid;
1827 		long	cmd;
1828 		long	buf;		/* struct msqid_ds * */
1829 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1830 
1831 	msgid = (uint32_t)uap1->msgid;
1832 
1833 
1834 	switch (tad->tad_event) {
1835 	case AUE_MSGGET:		/* msgget */
1836 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1837 		break;
1838 	case AUE_MSGCTL:		/* msgctl */
1839 	case AUE_MSGCTL_RMID:		/* msgctl */
1840 	case AUE_MSGCTL_SET:		/* msgctl */
1841 	case AUE_MSGCTL_STAT:		/* msgctl */
1842 	case AUE_MSGRCV:		/* msgrcv */
1843 	case AUE_MSGSND:		/* msgsnd */
1844 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1845 		break;
1846 	}
1847 }
1848 
1849 /*ARGSUSED*/
1850 static void
auf_msgsys(struct t_audit_data * tad,int error,rval_t * rval)1851 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1852 {
1853 	int id;
1854 
1855 	if (error != 0)
1856 		return;
1857 	if (tad->tad_event == AUE_MSGGET) {
1858 		uint32_t scid;
1859 		uint32_t sy_flags;
1860 
1861 		/* need to determine type of executing binary */
1862 		scid = tad->tad_scid;
1863 #ifdef _SYSCALL32_IMPL
1864 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1865 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1866 		else
1867 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1868 #else
1869 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1870 #endif
1871 		if (sy_flags == SE_32RVAL1)
1872 			id = rval->r_val1;
1873 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1874 			id = rval->r_val1;
1875 		if (sy_flags == SE_64RVAL)
1876 			id = (int)rval->r_vals;
1877 
1878 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1879 	}
1880 }
1881 
1882 static void
aus_semsys(struct t_audit_data * tad)1883 aus_semsys(struct t_audit_data *tad)
1884 {
1885 	klwp_t *clwp = ttolwp(curthread);
1886 	uint32_t semid;
1887 
1888 	struct b {		/* ctrl */
1889 		long	semid;
1890 		long	semnum;
1891 		long	cmd;
1892 		long	arg;
1893 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1894 
1895 	semid = (uint32_t)uap1->semid;
1896 
1897 	switch (tad->tad_event) {
1898 	case AUE_SEMCTL_RMID:
1899 	case AUE_SEMCTL_STAT:
1900 	case AUE_SEMCTL_GETNCNT:
1901 	case AUE_SEMCTL_GETPID:
1902 	case AUE_SEMCTL_GETVAL:
1903 	case AUE_SEMCTL_GETALL:
1904 	case AUE_SEMCTL_GETZCNT:
1905 	case AUE_SEMCTL_SET:
1906 	case AUE_SEMCTL_SETVAL:
1907 	case AUE_SEMCTL_SETALL:
1908 	case AUE_SEMCTL:
1909 	case AUE_SEMOP:
1910 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1911 		break;
1912 	case AUE_SEMGET:
1913 		au_uwrite(au_to_arg32(1, "sem key", semid));
1914 		break;
1915 	}
1916 }
1917 
1918 /*ARGSUSED*/
1919 static void
auf_semsys(struct t_audit_data * tad,int error,rval_t * rval)1920 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1921 {
1922 	int id;
1923 
1924 	if (error != 0)
1925 		return;
1926 	if (tad->tad_event == AUE_SEMGET) {
1927 		uint32_t scid;
1928 		uint32_t sy_flags;
1929 
1930 		/* need to determine type of executing binary */
1931 		scid = tad->tad_scid;
1932 #ifdef _SYSCALL32_IMPL
1933 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1934 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1935 		else
1936 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1937 #else
1938 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1939 #endif
1940 		if (sy_flags == SE_32RVAL1)
1941 			id = rval->r_val1;
1942 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1943 			id = rval->r_val1;
1944 		if (sy_flags == SE_64RVAL)
1945 			id = (int)rval->r_vals;
1946 
1947 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1948 	}
1949 }
1950 
1951 /*ARGSUSED*/
1952 static void
aus_close(struct t_audit_data * tad)1953 aus_close(struct t_audit_data *tad)
1954 {
1955 	klwp_t *clwp = ttolwp(curthread);
1956 	uint32_t fd;
1957 	struct file *fp;
1958 	struct f_audit_data *fad;
1959 	struct vnode *vp;
1960 	struct vattr attr;
1961 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1962 
1963 	struct a {
1964 		long	i;
1965 	} *uap = (struct a *)clwp->lwp_ap;
1966 
1967 	fd = (uint32_t)uap->i;
1968 
1969 	attr.va_mask = 0;
1970 	au_uwrite(au_to_arg32(1, "fd", fd));
1971 
1972 		/*
1973 		 * convert file pointer to file descriptor
1974 		 *   Note: fd ref count incremented here.
1975 		 */
1976 	if ((fp = getf(fd)) == NULL)
1977 		return;
1978 
1979 	fad = F2A(fp);
1980 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1981 	if (fad->fad_aupath != NULL) {
1982 		au_uwrite(au_to_path(fad->fad_aupath));
1983 		if ((vp = fp->f_vnode) != NULL) {
1984 			attr.va_mask = AT_ALL;
1985 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1986 				/*
1987 				 * When write was not used and the file can be
1988 				 * considered public, skip the audit.
1989 				 */
1990 				if (((fp->f_flag & FWRITE) == 0) &&
1991 				    object_is_public(&attr)) {
1992 					tad->tad_flag = 0;
1993 					tad->tad_evmod = 0;
1994 					/* free any residual audit data */
1995 					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1996 					releasef(fd);
1997 					return;
1998 				}
1999 				au_uwrite(au_to_attr(&attr));
2000 				audit_sec_attributes(&(u_ad), vp);
2001 			}
2002 		}
2003 	}
2004 
2005 	/* decrement file descriptor reference count */
2006 	releasef(fd);
2007 }
2008 
2009 /*ARGSUSED*/
2010 static void
aus_fstatfs(struct t_audit_data * tad)2011 aus_fstatfs(struct t_audit_data *tad)
2012 {
2013 	klwp_t *clwp = ttolwp(curthread);
2014 	uint32_t fd;
2015 	struct file  *fp;
2016 	struct vnode *vp;
2017 	struct f_audit_data *fad;
2018 
2019 	struct a {
2020 		long	fd;
2021 		long	buf;		/* struct statfs * */
2022 	} *uap = (struct a *)clwp->lwp_ap;
2023 
2024 	fd = (uint_t)uap->fd;
2025 
2026 		/*
2027 		 * convert file pointer to file descriptor
2028 		 *   Note: fd ref count incremented here.
2029 		 */
2030 	if ((fp = getf(fd)) == NULL)
2031 		return;
2032 
2033 		/* get path from file struct here */
2034 	fad = F2A(fp);
2035 	if (fad->fad_aupath != NULL) {
2036 		au_uwrite(au_to_path(fad->fad_aupath));
2037 	} else {
2038 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2039 	}
2040 
2041 	vp = fp->f_vnode;
2042 	audit_attributes(vp);
2043 
2044 	/* decrement file descriptor reference count */
2045 	releasef(fd);
2046 }
2047 
2048 static au_event_t
aui_setpgrp(au_event_t e)2049 aui_setpgrp(au_event_t e)
2050 {
2051 	klwp_t *clwp = ttolwp(curthread);
2052 	int flag;
2053 
2054 	struct a {
2055 		long	flag;
2056 		long	pid;
2057 		long	pgid;
2058 	} *uap = (struct a *)clwp->lwp_ap;
2059 
2060 	flag = (int)uap->flag;
2061 
2062 
2063 	switch (flag) {
2064 
2065 	case 1:	/* setpgrp() */
2066 		e = AUE_SETPGRP;
2067 		break;
2068 
2069 	case 3: /* setsid() */
2070 		e = AUE_SETSID;
2071 		break;
2072 
2073 	case 5: /* setpgid() */
2074 		e = AUE_SETPGID;
2075 		break;
2076 
2077 	case 0: /* getpgrp()	- not security relevant */
2078 	case 2: /* getsid()	- not security relevant */
2079 	case 4: /* getpgid() 	- not security relevant */
2080 		e = AUE_NULL;
2081 		break;
2082 
2083 	default:
2084 		e = AUE_NULL;
2085 		break;
2086 	}
2087 
2088 	return (e);
2089 }
2090 
2091 /*ARGSUSED*/
2092 static void
aus_setpgrp(struct t_audit_data * tad)2093 aus_setpgrp(struct t_audit_data *tad)
2094 {
2095 	klwp_t		*clwp = ttolwp(curthread);
2096 	pid_t		pgid;
2097 	struct proc	*p;
2098 	uid_t		uid, ruid;
2099 	gid_t		gid, rgid;
2100 	pid_t		pid;
2101 	cred_t		*cr;
2102 	int		flag;
2103 	const auditinfo_addr_t	*ainfo;
2104 
2105 	struct a {
2106 		long	flag;
2107 		long	pid;
2108 		long	pgid;
2109 	} *uap = (struct a *)clwp->lwp_ap;
2110 
2111 	flag = (int)uap->flag;
2112 	pid  = (pid_t)uap->pid;
2113 	pgid = (pid_t)uap->pgid;
2114 
2115 
2116 	switch (flag) {
2117 
2118 	case 0: /* getpgrp() */
2119 	case 1: /* setpgrp() */
2120 	case 2: /* getsid() */
2121 	case 3: /* setsid() */
2122 	case 4: /* getpgid() */
2123 		break;
2124 
2125 	case 5: /* setpgid() */
2126 
2127 		/* current process? */
2128 		if (pid == 0) {
2129 			return;
2130 		}
2131 
2132 		mutex_enter(&pidlock);
2133 		p = prfind(pid);
2134 		if (p == NULL || p->p_as == &kas ||
2135 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
2136 			mutex_exit(&pidlock);
2137 			return;
2138 		}
2139 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
2140 		mutex_exit(&pidlock);
2141 
2142 		mutex_enter(&p->p_crlock);
2143 		crhold(cr = p->p_cred);
2144 		mutex_exit(&p->p_crlock);
2145 		mutex_exit(&p->p_lock);
2146 
2147 		ainfo = crgetauinfo(cr);
2148 		if (ainfo == NULL) {
2149 			crfree(cr);
2150 			return;
2151 		}
2152 
2153 		uid  = crgetuid(cr);
2154 		gid  = crgetgid(cr);
2155 		ruid = crgetruid(cr);
2156 		rgid = crgetrgid(cr);
2157 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2158 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2159 		crfree(cr);
2160 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2161 		break;
2162 
2163 	default:
2164 		break;
2165 	}
2166 }
2167 
2168 
2169 /*ARGSUSED*/
2170 static void
aus_setregid(struct t_audit_data * tad)2171 aus_setregid(struct t_audit_data *tad)
2172 {
2173 	klwp_t *clwp = ttolwp(curthread);
2174 	uint32_t rgid, egid;
2175 
2176 	struct a {
2177 		long	 rgid;
2178 		long	 egid;
2179 	} *uap = (struct a *)clwp->lwp_ap;
2180 
2181 	rgid  = (uint32_t)uap->rgid;
2182 	egid  = (uint32_t)uap->egid;
2183 
2184 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2185 	au_uwrite(au_to_arg32(2, "egid", egid));
2186 }
2187 
2188 /*ARGSUSED*/
2189 static void
aus_setgid(struct t_audit_data * tad)2190 aus_setgid(struct t_audit_data *tad)
2191 {
2192 	klwp_t *clwp = ttolwp(curthread);
2193 	uint32_t gid;
2194 
2195 	struct a {
2196 		long	gid;
2197 	} *uap = (struct a *)clwp->lwp_ap;
2198 
2199 	gid = (uint32_t)uap->gid;
2200 
2201 	au_uwrite(au_to_arg32(1, "gid", gid));
2202 }
2203 
2204 
2205 /*ARGSUSED*/
2206 static void
aus_setreuid(struct t_audit_data * tad)2207 aus_setreuid(struct t_audit_data *tad)
2208 {
2209 	klwp_t *clwp = ttolwp(curthread);
2210 	uint32_t ruid, euid;
2211 
2212 	struct a {
2213 		long	ruid;
2214 		long	euid;
2215 	} *uap = (struct a *)clwp->lwp_ap;
2216 
2217 	ruid = (uint32_t)uap->ruid;
2218 	euid  = (uint32_t)uap->euid;
2219 
2220 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2221 	au_uwrite(au_to_arg32(2, "euid", euid));
2222 }
2223 
2224 
2225 /*ARGSUSED*/
2226 static void
aus_setuid(struct t_audit_data * tad)2227 aus_setuid(struct t_audit_data *tad)
2228 {
2229 	klwp_t *clwp = ttolwp(curthread);
2230 	uint32_t uid;
2231 
2232 	struct a {
2233 		long	uid;
2234 	} *uap = (struct a *)clwp->lwp_ap;
2235 
2236 	uid = (uint32_t)uap->uid;
2237 
2238 	au_uwrite(au_to_arg32(1, "uid", uid));
2239 }
2240 
2241 /*ARGSUSED*/
2242 static void
aus_shmsys(struct t_audit_data * tad)2243 aus_shmsys(struct t_audit_data *tad)
2244 {
2245 	klwp_t *clwp = ttolwp(curthread);
2246 	uint32_t id, cmd;
2247 
2248 	struct b {
2249 		long	id;
2250 		long	cmd;
2251 		long	buf;		/* struct shmid_ds * */
2252 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2253 
2254 	id  = (uint32_t)uap1->id;
2255 	cmd = (uint32_t)uap1->cmd;
2256 
2257 	switch (tad->tad_event) {
2258 	case AUE_SHMGET:			/* shmget */
2259 		au_uwrite(au_to_arg32(1, "shm key", id));
2260 		break;
2261 	case AUE_SHMCTL:			/* shmctl */
2262 	case AUE_SHMCTL_RMID:			/* shmctl */
2263 	case AUE_SHMCTL_STAT:			/* shmctl */
2264 	case AUE_SHMCTL_SET:			/* shmctl */
2265 		au_uwrite(au_to_arg32(1, "shm ID", id));
2266 		break;
2267 	case AUE_SHMDT:				/* shmdt */
2268 		au_uwrite(au_to_arg32(1, "shm adr", id));
2269 		break;
2270 	case AUE_SHMAT:				/* shmat */
2271 		au_uwrite(au_to_arg32(1, "shm ID", id));
2272 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2273 		break;
2274 	}
2275 }
2276 
2277 /*ARGSUSED*/
2278 static void
auf_shmsys(struct t_audit_data * tad,int error,rval_t * rval)2279 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2280 {
2281 	int id;
2282 
2283 	if (error != 0)
2284 		return;
2285 	if (tad->tad_event == AUE_SHMGET) {
2286 		uint32_t scid;
2287 		uint32_t sy_flags;
2288 
2289 		/* need to determine type of executing binary */
2290 		scid = tad->tad_scid;
2291 #ifdef _SYSCALL32_IMPL
2292 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2293 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2294 		else
2295 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2296 #else
2297 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2298 #endif
2299 		if (sy_flags == SE_32RVAL1)
2300 			id = rval->r_val1;
2301 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2302 			id = rval->r_val1;
2303 		if (sy_flags == SE_64RVAL)
2304 			id = (int)rval->r_vals;
2305 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2306 	}
2307 }
2308 
2309 
2310 /*ARGSUSED*/
2311 static void
aus_ioctl(struct t_audit_data * tad)2312 aus_ioctl(struct t_audit_data *tad)
2313 {
2314 	klwp_t *clwp = ttolwp(curthread);
2315 	struct file *fp;
2316 	struct vnode *vp;
2317 	struct f_audit_data *fad;
2318 	uint32_t fd, cmd;
2319 	uintptr_t cmarg;
2320 
2321 	/* XX64 */
2322 	struct a {
2323 		long	fd;
2324 		long	cmd;
2325 		long	cmarg;		/* caddr_t */
2326 	} *uap = (struct a *)clwp->lwp_ap;
2327 
2328 	fd    = (uint32_t)uap->fd;
2329 	cmd   = (uint32_t)uap->cmd;
2330 	cmarg = (uintptr_t)uap->cmarg;
2331 
2332 		/*
2333 		 * convert file pointer to file descriptor
2334 		 *   Note: fd ref count incremented here.
2335 		 */
2336 	if ((fp = getf(fd)) == NULL) {
2337 		au_uwrite(au_to_arg32(1, "fd", fd));
2338 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2339 #ifndef _LP64
2340 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2341 #else
2342 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2343 #endif
2344 		return;
2345 	}
2346 
2347 	/* get path from file struct here */
2348 	fad = F2A(fp);
2349 	if (fad->fad_aupath != NULL) {
2350 		au_uwrite(au_to_path(fad->fad_aupath));
2351 	} else {
2352 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2353 	}
2354 
2355 	vp = fp->f_vnode;
2356 	audit_attributes(vp);
2357 
2358 	/* decrement file descriptor reference count */
2359 	releasef(fd);
2360 
2361 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2362 #ifndef _LP64
2363 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2364 #else
2365 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2366 #endif
2367 }
2368 
2369 /*
2370  * null function for memcntl for now. We might want to limit memcntl()
2371  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2372  * require privileges.
2373  */
2374 static au_event_t
aui_memcntl(au_event_t e)2375 aui_memcntl(au_event_t e)
2376 {
2377 	return (e);
2378 }
2379 
2380 /*ARGSUSED*/
2381 static au_event_t
aui_privsys(au_event_t e)2382 aui_privsys(au_event_t e)
2383 {
2384 	klwp_t *clwp = ttolwp(curthread);
2385 
2386 	struct a {
2387 		long	opcode;
2388 	} *uap = (struct a *)clwp->lwp_ap;
2389 
2390 	switch (uap->opcode) {
2391 	case PRIVSYS_SETPPRIV:
2392 		return (AUE_SETPPRIV);
2393 	default:
2394 		return (AUE_NULL);
2395 	}
2396 }
2397 
2398 /*ARGSUSED*/
2399 static void
aus_memcntl(struct t_audit_data * tad)2400 aus_memcntl(struct t_audit_data *tad)
2401 {
2402 	klwp_t *clwp = ttolwp(curthread);
2403 
2404 	struct a {
2405 		long	addr;
2406 		long	len;
2407 		long	cmd;
2408 		long	arg;
2409 		long	attr;
2410 		long	mask;
2411 	} *uap = (struct a *)clwp->lwp_ap;
2412 
2413 #ifdef _LP64
2414 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2415 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2416 #else
2417 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2418 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2419 #endif
2420 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2421 #ifdef _LP64
2422 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2423 #else
2424 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2425 #endif
2426 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2427 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2428 }
2429 
2430 /*ARGSUSED*/
2431 static void
aus_mmap(struct t_audit_data * tad)2432 aus_mmap(struct t_audit_data *tad)
2433 {
2434 	klwp_t *clwp = ttolwp(curthread);
2435 	struct file *fp;
2436 	struct f_audit_data *fad;
2437 	struct vnode *vp;
2438 	uint32_t fd;
2439 
2440 	struct a {
2441 		long	addr;
2442 		long	len;
2443 		long	prot;
2444 		long	flags;
2445 		long	fd;
2446 		long	pos;
2447 	} *uap = (struct a *)clwp->lwp_ap;
2448 
2449 	fd = (uint32_t)uap->fd;
2450 
2451 #ifdef _LP64
2452 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2453 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2454 #else
2455 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2456 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2457 #endif
2458 
2459 	if ((fp = getf(fd)) == NULL) {
2460 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2461 		return;
2462 	}
2463 
2464 	/*
2465 	 * Mark in the tad if write access is NOT requested... if
2466 	 * this is later detected (in audit_attributes) to be a
2467 	 * public object, the mmap event may be discarded.
2468 	 */
2469 	if (((uap->prot) & PROT_WRITE) == 0) {
2470 		tad->tad_ctrl |= TAD_PUBLIC_EV;
2471 	}
2472 
2473 	fad = F2A(fp);
2474 	if (fad->fad_aupath != NULL) {
2475 		au_uwrite(au_to_path(fad->fad_aupath));
2476 	} else {
2477 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2478 	}
2479 
2480 	vp = (struct vnode *)fp->f_vnode;
2481 	audit_attributes(vp);
2482 
2483 	/* mark READ/WRITE since we can't predict access */
2484 	if (uap->prot & PROT_READ)
2485 		fad->fad_flags |= FAD_READ;
2486 	if (uap->prot & PROT_WRITE)
2487 		fad->fad_flags |= FAD_WRITE;
2488 
2489 	/* decrement file descriptor reference count */
2490 	releasef(fd);
2491 
2492 }	/* AUS_MMAP */
2493 
2494 
2495 
2496 
2497 /*ARGSUSED*/
2498 static void
aus_munmap(struct t_audit_data * tad)2499 aus_munmap(struct t_audit_data *tad)
2500 {
2501 	klwp_t *clwp = ttolwp(curthread);
2502 
2503 	struct a {
2504 		long	addr;
2505 		long	len;
2506 	} *uap = (struct a *)clwp->lwp_ap;
2507 
2508 #ifdef _LP64
2509 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2510 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2511 #else
2512 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2513 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2514 #endif
2515 
2516 }	/* AUS_MUNMAP */
2517 
2518 
2519 
2520 
2521 
2522 
2523 
2524 /*ARGSUSED*/
2525 static void
aus_priocntlsys(struct t_audit_data * tad)2526 aus_priocntlsys(struct t_audit_data *tad)
2527 {
2528 	klwp_t *clwp = ttolwp(curthread);
2529 
2530 	struct a {
2531 		long	pc_version;
2532 		long	psp;		/* procset_t */
2533 		long	cmd;
2534 		long	arg;
2535 	} *uap = (struct a *)clwp->lwp_ap;
2536 
2537 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2538 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2539 
2540 }	/* AUS_PRIOCNTLSYS */
2541 
2542 
2543 /*ARGSUSED*/
2544 static void
aus_setegid(struct t_audit_data * tad)2545 aus_setegid(struct t_audit_data *tad)
2546 {
2547 	klwp_t *clwp = ttolwp(curthread);
2548 	uint32_t gid;
2549 
2550 	struct a {
2551 		long	gid;
2552 	} *uap = (struct a *)clwp->lwp_ap;
2553 
2554 	gid = (uint32_t)uap->gid;
2555 
2556 	au_uwrite(au_to_arg32(1, "gid", gid));
2557 }	/* AUS_SETEGID */
2558 
2559 
2560 
2561 
2562 /*ARGSUSED*/
2563 static void
aus_setgroups(struct t_audit_data * tad)2564 aus_setgroups(struct t_audit_data *tad)
2565 {
2566 	klwp_t *clwp = ttolwp(curthread);
2567 	int i;
2568 	int gidsetsize;
2569 	uintptr_t gidset;
2570 	gid_t *gidlist;
2571 
2572 	struct a {
2573 		long	gidsetsize;
2574 		long	gidset;
2575 	} *uap = (struct a *)clwp->lwp_ap;
2576 
2577 	gidsetsize = (uint_t)uap->gidsetsize;
2578 	gidset = (uintptr_t)uap->gidset;
2579 
2580 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2581 		return;
2582 	if (gidsetsize != 0) {
2583 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2584 		    KM_SLEEP);
2585 		if (copyin((caddr_t)gidset, gidlist,
2586 		    gidsetsize * sizeof (gid_t)) == 0)
2587 			for (i = 0; i < gidsetsize; i++)
2588 				au_uwrite(au_to_arg32(1, "setgroups",
2589 				    (uint32_t)gidlist[i]));
2590 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2591 	} else
2592 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2593 
2594 }	/* AUS_SETGROUPS */
2595 
2596 
2597 
2598 
2599 
2600 /*ARGSUSED*/
2601 static void
aus_seteuid(struct t_audit_data * tad)2602 aus_seteuid(struct t_audit_data *tad)
2603 {
2604 	klwp_t *clwp = ttolwp(curthread);
2605 	uint32_t uid;
2606 
2607 	struct a {
2608 		long	uid;
2609 	} *uap = (struct a *)clwp->lwp_ap;
2610 
2611 	uid = (uint32_t)uap->uid;
2612 
2613 	au_uwrite(au_to_arg32(1, "euid", uid));
2614 
2615 }	/* AUS_SETEUID */
2616 
2617 /*ARGSUSED*/
2618 static void
aus_putmsg(struct t_audit_data * tad)2619 aus_putmsg(struct t_audit_data *tad)
2620 {
2621 	klwp_t *clwp = ttolwp(curthread);
2622 	uint32_t fd, pri;
2623 	struct file *fp;
2624 	struct f_audit_data *fad;
2625 
2626 	struct a {
2627 		long	fdes;
2628 		long	ctl;		/* struct strbuf * */
2629 		long	data;		/* struct strbuf * */
2630 		long	pri;
2631 	} *uap = (struct a *)clwp->lwp_ap;
2632 
2633 	fd  = (uint32_t)uap->fdes;
2634 	pri = (uint32_t)uap->pri;
2635 
2636 	au_uwrite(au_to_arg32(1, "fd", fd));
2637 
2638 	if ((fp = getf(fd)) != NULL) {
2639 		fad = F2A(fp);
2640 
2641 		fad->fad_flags |= FAD_WRITE;
2642 
2643 		/* add path name to audit record */
2644 		if (fad->fad_aupath != NULL) {
2645 			au_uwrite(au_to_path(fad->fad_aupath));
2646 		}
2647 		audit_attributes(fp->f_vnode);
2648 
2649 		releasef(fd);
2650 	}
2651 
2652 	au_uwrite(au_to_arg32(4, "pri", pri));
2653 }
2654 
2655 /*ARGSUSED*/
2656 static void
aus_putpmsg(struct t_audit_data * tad)2657 aus_putpmsg(struct t_audit_data *tad)
2658 {
2659 	klwp_t *clwp = ttolwp(curthread);
2660 	uint32_t fd, pri, flags;
2661 	struct file *fp;
2662 	struct f_audit_data *fad;
2663 
2664 	struct a {
2665 		long	fdes;
2666 		long	ctl;		/* struct strbuf * */
2667 		long	data;		/* struct strbuf * */
2668 		long	pri;
2669 		long	flags;
2670 	} *uap = (struct a *)clwp->lwp_ap;
2671 
2672 	fd = (uint32_t)uap->fdes;
2673 	pri  = (uint32_t)uap->pri;
2674 	flags  = (uint32_t)uap->flags;
2675 
2676 	au_uwrite(au_to_arg32(1, "fd", fd));
2677 
2678 	if ((fp = getf(fd)) != NULL) {
2679 		fad = F2A(fp);
2680 
2681 		fad->fad_flags |= FAD_WRITE;
2682 
2683 		/* add path name to audit record */
2684 		if (fad->fad_aupath != NULL) {
2685 			au_uwrite(au_to_path(fad->fad_aupath));
2686 		}
2687 		audit_attributes(fp->f_vnode);
2688 
2689 		releasef(fd);
2690 	}
2691 
2692 
2693 	au_uwrite(au_to_arg32(4, "pri", pri));
2694 	au_uwrite(au_to_arg32(5, "flags", flags));
2695 }
2696 
2697 /*ARGSUSED*/
2698 static void
aus_getmsg(struct t_audit_data * tad)2699 aus_getmsg(struct t_audit_data *tad)
2700 {
2701 	klwp_t *clwp = ttolwp(curthread);
2702 	uint32_t fd, pri;
2703 	struct file *fp;
2704 	struct f_audit_data *fad;
2705 
2706 	struct a {
2707 		long	fdes;
2708 		long	ctl;		/* struct strbuf * */
2709 		long	data;		/* struct strbuf * */
2710 		long	pri;
2711 	} *uap = (struct a *)clwp->lwp_ap;
2712 
2713 	fd  = (uint32_t)uap->fdes;
2714 	pri = (uint32_t)uap->pri;
2715 
2716 	au_uwrite(au_to_arg32(1, "fd", fd));
2717 
2718 	if ((fp = getf(fd)) != NULL) {
2719 		fad = F2A(fp);
2720 
2721 		/*
2722 		 * read operation on this object
2723 		 */
2724 		fad->fad_flags |= FAD_READ;
2725 
2726 		/* add path name to audit record */
2727 		if (fad->fad_aupath != NULL) {
2728 			au_uwrite(au_to_path(fad->fad_aupath));
2729 		}
2730 		audit_attributes(fp->f_vnode);
2731 
2732 		releasef(fd);
2733 	}
2734 
2735 	au_uwrite(au_to_arg32(4, "pri", pri));
2736 }
2737 
2738 /*ARGSUSED*/
2739 static void
aus_getpmsg(struct t_audit_data * tad)2740 aus_getpmsg(struct t_audit_data *tad)
2741 {
2742 	klwp_t *clwp = ttolwp(curthread);
2743 	uint32_t fd;
2744 	struct file *fp;
2745 	struct f_audit_data *fad;
2746 
2747 	struct a {
2748 		long	fdes;
2749 		long	ctl;		/* struct strbuf * */
2750 		long	data;		/* struct strbuf * */
2751 		long	pri;
2752 		long	flags;
2753 	} *uap = (struct a *)clwp->lwp_ap;
2754 
2755 	fd = (uint32_t)uap->fdes;
2756 
2757 	au_uwrite(au_to_arg32(1, "fd", fd));
2758 
2759 	if ((fp = getf(fd)) != NULL) {
2760 		fad = F2A(fp);
2761 
2762 		/*
2763 		 * read operation on this object
2764 		 */
2765 		fad->fad_flags |= FAD_READ;
2766 
2767 		/* add path name to audit record */
2768 		if (fad->fad_aupath != NULL) {
2769 			au_uwrite(au_to_path(fad->fad_aupath));
2770 		}
2771 		audit_attributes(fp->f_vnode);
2772 
2773 		releasef(fd);
2774 	}
2775 }
2776 
2777 static au_event_t
aui_labelsys(au_event_t e)2778 aui_labelsys(au_event_t e)
2779 {
2780 	klwp_t *clwp = ttolwp(curthread);
2781 	uint32_t code;
2782 	uint32_t cmd;
2783 
2784 	struct a {
2785 		long	code;
2786 		long	cmd;
2787 	} *uap = (struct a *)clwp->lwp_ap;
2788 
2789 	code = (uint32_t)uap->code;
2790 	cmd = (uint32_t)uap->cmd;
2791 
2792 	/* not security relevant if not changing kernel cache */
2793 	if (cmd == TNDB_GET)
2794 		return (AUE_NULL);
2795 
2796 	switch (code) {
2797 	case TSOL_TNRH:
2798 		e = AUE_LABELSYS_TNRH;
2799 		break;
2800 	case TSOL_TNRHTP:
2801 		e = AUE_LABELSYS_TNRHTP;
2802 		break;
2803 	case TSOL_TNMLP:
2804 		e = AUE_LABELSYS_TNMLP;
2805 		break;
2806 	default:
2807 		e = AUE_NULL;
2808 		break;
2809 	}
2810 
2811 	return (e);
2812 
2813 }
2814 
2815 static void
aus_labelsys(struct t_audit_data * tad)2816 aus_labelsys(struct t_audit_data *tad)
2817 {
2818 	klwp_t *clwp = ttolwp(curthread);
2819 	uint32_t cmd;
2820 	uintptr_t a2;
2821 
2822 	struct a {
2823 		long	code;
2824 		long	cmd;
2825 		long	a2;
2826 	} *uap = (struct a *)clwp->lwp_ap;
2827 
2828 	cmd = (uint32_t)uap->cmd;
2829 	a2 = (uintptr_t)uap->a2;
2830 
2831 	switch (tad->tad_event) {
2832 	case AUE_LABELSYS_TNRH:
2833 	{
2834 		tsol_rhent_t	*rhent;
2835 		tnaddr_t	*rh_addr;
2836 
2837 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2838 
2839 		/* Remaining args don't apply for FLUSH, so skip */
2840 		if (cmd == TNDB_FLUSH)
2841 			break;
2842 
2843 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2844 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2845 			kmem_free(rhent, sizeof (tsol_rhent_t));
2846 			return;
2847 		}
2848 
2849 		rh_addr = &rhent->rh_address;
2850 		if (rh_addr->ta_family == AF_INET) {
2851 			struct in_addr	*ipaddr;
2852 
2853 			ipaddr = &(rh_addr->ta_addr_v4);
2854 			au_uwrite(au_to_in_addr(ipaddr));
2855 		} else if (rh_addr->ta_family == AF_INET6) {
2856 			int32_t		*ipaddr;
2857 
2858 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2859 			au_uwrite(au_to_in_addr_ex(ipaddr));
2860 		}
2861 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2862 
2863 		kmem_free(rhent, sizeof (tsol_rhent_t));
2864 
2865 		break;
2866 	}
2867 	case AUE_LABELSYS_TNRHTP:
2868 	{
2869 		tsol_tpent_t	*tpent;
2870 
2871 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2872 
2873 		/* Remaining args don't apply for FLUSH, so skip */
2874 		if (cmd == TNDB_FLUSH)
2875 			break;
2876 
2877 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2878 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2879 			kmem_free(tpent, sizeof (tsol_tpent_t));
2880 			return;
2881 		}
2882 
2883 		/* Make sure that the template name is null-terminated. */
2884 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2885 
2886 		au_uwrite(au_to_text(tpent->name));
2887 		kmem_free(tpent, sizeof (tsol_tpent_t));
2888 
2889 		break;
2890 	}
2891 	case AUE_LABELSYS_TNMLP:
2892 	{
2893 		tsol_mlpent_t	*mlpent;
2894 
2895 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2896 
2897 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2898 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2899 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2900 			return;
2901 		}
2902 
2903 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2904 			au_uwrite(au_to_text("shared"));
2905 		} else {
2906 			zone_t	*zone;
2907 
2908 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2909 			if (zone != NULL) {
2910 				au_uwrite(au_to_text(zone->zone_name));
2911 				zone_rele(zone);
2912 			}
2913 		}
2914 
2915 		/* Remaining args don't apply for FLUSH, so skip */
2916 		if (cmd == TNDB_FLUSH) {
2917 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2918 			break;
2919 		}
2920 
2921 		au_uwrite(au_to_arg32(2, "proto num",
2922 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2923 		au_uwrite(au_to_arg32(2, "mlp_port",
2924 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2925 
2926 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2927 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2928 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2929 
2930 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2931 
2932 		break;
2933 	}
2934 	default:
2935 		break;
2936 	}
2937 }
2938 
2939 
2940 static au_event_t
aui_auditsys(au_event_t e)2941 aui_auditsys(au_event_t e)
2942 {
2943 	klwp_t *clwp = ttolwp(curthread);
2944 	uint32_t code;
2945 
2946 	struct a {
2947 		long	code;
2948 		long	a1;
2949 		long	a2;
2950 		long	a3;
2951 		long	a4;
2952 		long	a5;
2953 		long	a6;
2954 		long	a7;
2955 	} *uap = (struct a *)clwp->lwp_ap;
2956 
2957 	code = (uint32_t)uap->code;
2958 
2959 	switch (code) {
2960 
2961 	case BSM_GETAUID:
2962 		e = AUE_GETAUID;
2963 		break;
2964 	case BSM_SETAUID:
2965 		e = AUE_SETAUID;
2966 		break;
2967 	case BSM_GETAUDIT:
2968 		e = AUE_GETAUDIT;
2969 		break;
2970 	case BSM_GETAUDIT_ADDR:
2971 		e = AUE_GETAUDIT_ADDR;
2972 		break;
2973 	case BSM_SETAUDIT:
2974 		e = AUE_SETAUDIT;
2975 		break;
2976 	case BSM_SETAUDIT_ADDR:
2977 		e = AUE_SETAUDIT_ADDR;
2978 		break;
2979 	case BSM_AUDIT:
2980 		e = AUE_AUDIT;
2981 		break;
2982 	case BSM_AUDITCTL:
2983 		switch ((uint_t)uap->a1) {
2984 
2985 		case A_GETPOLICY:
2986 			e = AUE_AUDITON_GPOLICY;
2987 			break;
2988 		case A_SETPOLICY:
2989 			e = AUE_AUDITON_SPOLICY;
2990 			break;
2991 		case A_GETAMASK:
2992 			e = AUE_AUDITON_GETAMASK;
2993 			break;
2994 		case A_SETAMASK:
2995 			e = AUE_AUDITON_SETAMASK;
2996 			break;
2997 		case A_GETKMASK:
2998 			e = AUE_AUDITON_GETKMASK;
2999 			break;
3000 		case A_SETKMASK:
3001 			e = AUE_AUDITON_SETKMASK;
3002 			break;
3003 		case A_GETQCTRL:
3004 			e = AUE_AUDITON_GQCTRL;
3005 			break;
3006 		case A_SETQCTRL:
3007 			e = AUE_AUDITON_SQCTRL;
3008 			break;
3009 		case A_GETCWD:
3010 			e = AUE_AUDITON_GETCWD;
3011 			break;
3012 		case A_GETCAR:
3013 			e = AUE_AUDITON_GETCAR;
3014 			break;
3015 		case A_GETSTAT:
3016 			e = AUE_AUDITON_GETSTAT;
3017 			break;
3018 		case A_SETSTAT:
3019 			e = AUE_AUDITON_SETSTAT;
3020 			break;
3021 		case A_SETUMASK:
3022 			e = AUE_AUDITON_SETUMASK;
3023 			break;
3024 		case A_SETSMASK:
3025 			e = AUE_AUDITON_SETSMASK;
3026 			break;
3027 		case A_GETCOND:
3028 			e = AUE_AUDITON_GETCOND;
3029 			break;
3030 		case A_SETCOND:
3031 			e = AUE_AUDITON_SETCOND;
3032 			break;
3033 		case A_GETCLASS:
3034 			e = AUE_AUDITON_GETCLASS;
3035 			break;
3036 		case A_SETCLASS:
3037 			e = AUE_AUDITON_SETCLASS;
3038 			break;
3039 		default:
3040 			e = AUE_NULL;
3041 			break;
3042 		}
3043 		break;
3044 	default:
3045 		e = AUE_NULL;
3046 		break;
3047 	}
3048 
3049 	return (e);
3050 
3051 }	/* AUI_AUDITSYS */
3052 
3053 
3054 static void
aus_auditsys(struct t_audit_data * tad)3055 aus_auditsys(struct t_audit_data *tad)
3056 {
3057 	klwp_t *clwp = ttolwp(curthread);
3058 	uintptr_t a1, a2;
3059 	STRUCT_DECL(auditinfo, ainfo);
3060 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
3061 	au_evclass_map_t event;
3062 	au_mask_t mask;
3063 	int auditstate, policy;
3064 	au_id_t auid;
3065 
3066 
3067 	struct a {
3068 		long	code;
3069 		long	a1;
3070 		long	a2;
3071 		long	a3;
3072 		long	a4;
3073 		long	a5;
3074 		long	a6;
3075 		long	a7;
3076 	} *uap = (struct a *)clwp->lwp_ap;
3077 
3078 	a1   = (uintptr_t)uap->a1;
3079 	a2   = (uintptr_t)uap->a2;
3080 
3081 	switch (tad->tad_event) {
3082 	case AUE_SETAUID:
3083 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3084 				return;
3085 		au_uwrite(au_to_arg32(2, "setauid", auid));
3086 		break;
3087 	case AUE_SETAUDIT:
3088 		STRUCT_INIT(ainfo, get_udatamodel());
3089 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3090 		    STRUCT_SIZE(ainfo))) {
3091 				return;
3092 		}
3093 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3094 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3095 #ifdef _LP64
3096 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
3097 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3098 #else
3099 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
3100 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3101 #endif
3102 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3103 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3104 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3105 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3106 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3107 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3108 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3109 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3110 		break;
3111 	case AUE_SETAUDIT_ADDR:
3112 		STRUCT_INIT(ainfo_addr, get_udatamodel());
3113 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3114 		    STRUCT_SIZE(ainfo_addr))) {
3115 				return;
3116 		}
3117 		au_uwrite(au_to_arg32((char)1, "auid",
3118 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3119 #ifdef _LP64
3120 		au_uwrite(au_to_arg64((char)1, "port",
3121 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3122 #else
3123 		au_uwrite(au_to_arg32((char)1, "port",
3124 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3125 #endif
3126 		au_uwrite(au_to_arg32((char)1, "type",
3127 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3128 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3129 		    AU_IPv4) {
3130 			au_uwrite(au_to_in_addr(
3131 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3132 			    ai_termid.at_addr)));
3133 		} else {
3134 			au_uwrite(au_to_in_addr_ex(
3135 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
3136 			    ai_termid.at_addr)));
3137 		}
3138 		au_uwrite(au_to_arg32((char)1, "as_success",
3139 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3140 		au_uwrite(au_to_arg32((char)1, "as_failure",
3141 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3142 		au_uwrite(au_to_arg32((char)1, "asid",
3143 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3144 		break;
3145 	case AUE_AUDITON_SETAMASK:
3146 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3147 				return;
3148 		au_uwrite(au_to_arg32(
3149 		    2, "setamask:as_success", (uint32_t)mask.as_success));
3150 		au_uwrite(au_to_arg32(
3151 		    2, "setamask:as_failure", (uint32_t)mask.as_failure));
3152 		break;
3153 	case AUE_AUDITON_SETKMASK:
3154 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3155 				return;
3156 		au_uwrite(au_to_arg32(
3157 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
3158 		au_uwrite(au_to_arg32(
3159 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3160 		break;
3161 	case AUE_AUDITON_SPOLICY:
3162 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
3163 			return;
3164 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3165 		break;
3166 	case AUE_AUDITON_SQCTRL: {
3167 		STRUCT_DECL(au_qctrl, qctrl);
3168 		model_t model;
3169 
3170 		model = get_udatamodel();
3171 		STRUCT_INIT(qctrl, model);
3172 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3173 				return;
3174 		if (model == DATAMODEL_ILP32) {
3175 			au_uwrite(au_to_arg32(
3176 			    3, "setqctrl:aq_hiwater",
3177 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3178 			au_uwrite(au_to_arg32(
3179 			    3, "setqctrl:aq_lowater",
3180 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3181 			au_uwrite(au_to_arg32(
3182 			    3, "setqctrl:aq_bufsz",
3183 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3184 			au_uwrite(au_to_arg32(
3185 			    3, "setqctrl:aq_delay",
3186 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3187 		} else {
3188 			au_uwrite(au_to_arg64(
3189 			    3, "setqctrl:aq_hiwater",
3190 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3191 			au_uwrite(au_to_arg64(
3192 			    3, "setqctrl:aq_lowater",
3193 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3194 			au_uwrite(au_to_arg64(
3195 			    3, "setqctrl:aq_bufsz",
3196 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3197 			au_uwrite(au_to_arg64(
3198 			    3, "setqctrl:aq_delay",
3199 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3200 		}
3201 		break;
3202 	}
3203 	case AUE_AUDITON_SETUMASK:
3204 		STRUCT_INIT(ainfo, get_udatamodel());
3205 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3206 		    STRUCT_SIZE(ainfo))) {
3207 			return;
3208 		}
3209 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3210 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3211 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3212 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3213 		break;
3214 	case AUE_AUDITON_SETSMASK:
3215 		STRUCT_INIT(ainfo, get_udatamodel());
3216 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3217 		    STRUCT_SIZE(ainfo))) {
3218 			return;
3219 		}
3220 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3221 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3222 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3223 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3224 		break;
3225 	case AUE_AUDITON_SETCOND:
3226 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3227 			return;
3228 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3229 		break;
3230 	case AUE_AUDITON_SETCLASS:
3231 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3232 			return;
3233 		au_uwrite(au_to_arg32(
3234 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3235 		au_uwrite(au_to_arg32(
3236 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3237 		break;
3238 	case AUE_GETAUID:
3239 	case AUE_GETAUDIT:
3240 	case AUE_GETAUDIT_ADDR:
3241 	case AUE_AUDIT:
3242 	case AUE_AUDITON_GPOLICY:
3243 	case AUE_AUDITON_GQCTRL:
3244 	case AUE_AUDITON_GETAMASK:
3245 	case AUE_AUDITON_GETKMASK:
3246 	case AUE_AUDITON_GETCWD:
3247 	case AUE_AUDITON_GETCAR:
3248 	case AUE_AUDITON_GETSTAT:
3249 	case AUE_AUDITON_SETSTAT:
3250 	case AUE_AUDITON_GETCOND:
3251 	case AUE_AUDITON_GETCLASS:
3252 		break;
3253 	default:
3254 		break;
3255 	}
3256 
3257 }	/* AUS_AUDITSYS */
3258 
3259 
3260 /* only audit privileged operations for systeminfo(2) system call */
3261 static au_event_t
aui_sysinfo(au_event_t e)3262 aui_sysinfo(au_event_t e)
3263 {
3264 	klwp_t *clwp = ttolwp(curthread);
3265 	uint32_t command;
3266 
3267 	struct a {
3268 		long	command;
3269 		long	buf;		/* char * */
3270 		long	count;
3271 	} *uap = (struct a *)clwp->lwp_ap;
3272 
3273 	command = (uint32_t)uap->command;
3274 
3275 	switch (command) {
3276 	case SI_SET_HOSTNAME:
3277 	case SI_SET_SRPC_DOMAIN:
3278 		e = (au_event_t)AUE_SYSINFO;
3279 		break;
3280 	default:
3281 		e = (au_event_t)AUE_NULL;
3282 		break;
3283 	}
3284 	return (e);
3285 }
3286 
3287 /*ARGSUSED*/
3288 static void
aus_sysinfo(struct t_audit_data * tad)3289 aus_sysinfo(struct t_audit_data *tad)
3290 {
3291 	klwp_t *clwp = ttolwp(curthread);
3292 	uint32_t command;
3293 	size_t len, maxlen;
3294 	char *name;
3295 	uintptr_t buf;
3296 
3297 	struct a {
3298 		long	command;
3299 		long	buf;		/* char * */
3300 		long	count;
3301 	} *uap = (struct a *)clwp->lwp_ap;
3302 
3303 	command = (uint32_t)uap->command;
3304 	buf = (uintptr_t)uap->buf;
3305 
3306 	au_uwrite(au_to_arg32(1, "cmd", command));
3307 
3308 	switch (command) {
3309 	case SI_SET_HOSTNAME:
3310 	{
3311 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3312 			return;
3313 
3314 		maxlen = SYS_NMLN;
3315 		name = kmem_alloc(maxlen, KM_SLEEP);
3316 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3317 			break;
3318 
3319 		/*
3320 		 * Must be non-NULL string and string
3321 		 * must be less than SYS_NMLN chars.
3322 		 */
3323 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3324 			break;
3325 
3326 		au_uwrite(au_to_text(name));
3327 		break;
3328 	}
3329 
3330 	case SI_SET_SRPC_DOMAIN:
3331 	{
3332 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3333 			return;
3334 
3335 		maxlen = SYS_NMLN;
3336 		name = kmem_alloc(maxlen, KM_SLEEP);
3337 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3338 			break;
3339 
3340 		/*
3341 		 * If string passed in is longer than length
3342 		 * allowed for domain name, fail.
3343 		 */
3344 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3345 			break;
3346 
3347 		au_uwrite(au_to_text(name));
3348 		break;
3349 	}
3350 
3351 	default:
3352 		return;
3353 	}
3354 
3355 	kmem_free(name, maxlen);
3356 }
3357 
3358 static au_event_t
aui_modctl(au_event_t e)3359 aui_modctl(au_event_t e)
3360 {
3361 	klwp_t *clwp = ttolwp(curthread);
3362 	uint_t cmd;
3363 
3364 	struct a {
3365 		long	cmd;
3366 	} *uap = (struct a *)clwp->lwp_ap;
3367 
3368 	cmd = (uint_t)uap->cmd;
3369 
3370 	switch (cmd) {
3371 	case MODLOAD:
3372 		e = AUE_MODLOAD;
3373 		break;
3374 	case MODUNLOAD:
3375 		e = AUE_MODUNLOAD;
3376 		break;
3377 	case MODADDMAJBIND:
3378 		e = AUE_MODADDMAJ;
3379 		break;
3380 	case MODSETDEVPOLICY:
3381 		e = AUE_MODDEVPLCY;
3382 		break;
3383 	case MODALLOCPRIV:
3384 		e = AUE_MODADDPRIV;
3385 		break;
3386 	default:
3387 		e = AUE_NULL;
3388 		break;
3389 	}
3390 	return (e);
3391 }
3392 
3393 
3394 /*ARGSUSED*/
3395 static void
aus_modctl(struct t_audit_data * tad)3396 aus_modctl(struct t_audit_data *tad)
3397 {
3398 	klwp_t *clwp = ttolwp(curthread);
3399 	void *a	= clwp->lwp_ap;
3400 	uint_t use_path;
3401 
3402 	switch (tad->tad_event) {
3403 	case AUE_MODLOAD: {
3404 		typedef struct {
3405 			long	cmd;
3406 			long	use_path;
3407 			long	filename;		/* char * */
3408 		} modloada_t;
3409 
3410 		char *filenamep;
3411 		uintptr_t fname;
3412 		extern char *default_path;
3413 
3414 		fname = (uintptr_t)((modloada_t *)a)->filename;
3415 		use_path = (uint_t)((modloada_t *)a)->use_path;
3416 
3417 			/* space to hold path */
3418 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3419 			/* get string */
3420 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3421 				/* free allocated path */
3422 			kmem_free(filenamep, MOD_MAXPATH);
3423 			return;
3424 		}
3425 			/* ensure it's null terminated */
3426 		filenamep[MOD_MAXPATH - 1] = 0;
3427 
3428 		if (use_path)
3429 			au_uwrite(au_to_text(default_path));
3430 		au_uwrite(au_to_text(filenamep));
3431 
3432 			/* release temporary memory */
3433 		kmem_free(filenamep, MOD_MAXPATH);
3434 		break;
3435 	}
3436 	case AUE_MODUNLOAD: {
3437 		typedef struct {
3438 			long	cmd;
3439 			long	id;
3440 		} modunloada_t;
3441 
3442 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3443 
3444 		au_uwrite(au_to_arg32(1, "id", id));
3445 		break;
3446 	}
3447 	case AUE_MODADDMAJ: {
3448 		STRUCT_DECL(modconfig, mc);
3449 		typedef struct {
3450 			long	cmd;
3451 			long	subcmd;
3452 			long	data;		/* int * */
3453 		} modconfiga_t;
3454 
3455 		STRUCT_DECL(aliases, alias);
3456 		caddr_t ap;
3457 		int i, num_aliases;
3458 		char *drvname, *mc_drvname;
3459 		char *name;
3460 		extern char *ddi_major_to_name(major_t);
3461 		model_t model;
3462 
3463 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3464 
3465 		model = get_udatamodel();
3466 		STRUCT_INIT(mc, model);
3467 			/* sanitize buffer */
3468 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3469 			/* get user arguments */
3470 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3471 		    STRUCT_SIZE(mc)) != 0)
3472 			return;
3473 
3474 		mc_drvname = STRUCT_FGET(mc, drvname);
3475 		if ((drvname = ddi_major_to_name(
3476 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3477 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3478 				/* safety */
3479 			if (mc_drvname[0] != '\0') {
3480 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3481 				au_uwrite(au_to_text(mc_drvname));
3482 			}
3483 				/* drvname != NULL from test above */
3484 			au_uwrite(au_to_text(drvname));
3485 			return;
3486 		}
3487 
3488 		if (mc_drvname[0] != '\0') {
3489 				/* safety */
3490 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3491 			au_uwrite(au_to_text(mc_drvname));
3492 		} else
3493 			au_uwrite(au_to_text("no drvname"));
3494 
3495 		num_aliases = STRUCT_FGET(mc, num_aliases);
3496 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3497 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3498 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3499 		STRUCT_INIT(alias, model);
3500 		for (i = 0; i < num_aliases; i++) {
3501 			bzero((caddr_t)STRUCT_BUF(alias),
3502 			    STRUCT_SIZE(alias));
3503 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3504 			    STRUCT_SIZE(alias)) != 0)
3505 				break;
3506 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3507 			    MAXMODCONFNAME, NULL) != 0) {
3508 				break;
3509 			}
3510 
3511 			au_uwrite(au_to_text(name));
3512 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3513 		}
3514 		kmem_free(name, MAXMODCONFNAME);
3515 		break;
3516 	}
3517 	default:
3518 		break;
3519 	}
3520 }
3521 
3522 
3523 /*ARGSUSED*/
3524 static void
auf_accept(struct t_audit_data * tad,int error,rval_t * rval)3525 auf_accept(
3526 	struct t_audit_data *tad,
3527 	int	error,
3528 	rval_t	*rval)
3529 {
3530 	uint32_t scid;
3531 	uint32_t sy_flags;
3532 	int fd;
3533 	struct sonode *so;
3534 	char so_laddr[sizeof (struct sockaddr_in6)];
3535 	char so_faddr[sizeof (struct sockaddr_in6)];
3536 	int err;
3537 	short so_family, so_type;
3538 	int add_sock_token = 0;
3539 
3540 	/* need to determine type of executing binary */
3541 	scid = tad->tad_scid;
3542 #ifdef _SYSCALL32_IMPL
3543 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3544 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3545 	else
3546 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3547 #else
3548 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3549 #endif
3550 	switch (sy_flags) {
3551 	case SE_32RVAL1:
3552 		/* FALLTHRU */
3553 	case SE_32RVAL2|SE_32RVAL1:
3554 		fd = rval->r_val1;
3555 		break;
3556 	case SE_64RVAL:
3557 		fd = (int)rval->r_vals;
3558 		break;
3559 	default:
3560 		/*
3561 		 * should never happen, seems to be an internal error
3562 		 * in sysent => no fd, nothing to audit here, returning
3563 		 */
3564 		return;
3565 	}
3566 
3567 	if (error) {
3568 		/* can't trust socket contents. Just return */
3569 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3570 		return;
3571 	}
3572 
3573 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3574 		/*
3575 		 * not security relevant if doing a accept from non socket
3576 		 * so no extra tokens. Should probably turn off audit record
3577 		 * generation here.
3578 		 */
3579 		return;
3580 	}
3581 
3582 	so_family = so->so_family;
3583 	so_type   = so->so_type;
3584 
3585 	switch (so_family) {
3586 	case AF_INET:
3587 	case AF_INET6:
3588 		/*
3589 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3590 		 */
3591 		if (so->so_type == SOCK_STREAM) {
3592 			socklen_t len;
3593 
3594 			bzero((void *)so_laddr, sizeof (so_laddr));
3595 			bzero((void *)so_faddr, sizeof (so_faddr));
3596 
3597 			len = sizeof (so_laddr);
3598 			(void) socket_getsockname(so,
3599 			    (struct sockaddr *)so_laddr, &len, CRED());
3600 			len = sizeof (so_faddr);
3601 			(void) socket_getpeername(so,
3602 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3603 
3604 			add_sock_token = 1;
3605 		}
3606 		break;
3607 
3608 	default:
3609 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3610 		break;
3611 	}
3612 
3613 	releasef(fd);
3614 
3615 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3616 
3617 	if (add_sock_token == 0) {
3618 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3619 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3620 		return;
3621 	}
3622 
3623 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3624 
3625 }
3626 
3627 /*ARGSUSED*/
3628 static void
auf_bind(struct t_audit_data * tad,int error,rval_t * rvp)3629 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3630 {
3631 	struct a {
3632 		long	fd;
3633 		long	addr;
3634 		long	len;
3635 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3636 
3637 	struct sonode *so;
3638 	char so_laddr[sizeof (struct sockaddr_in6)];
3639 	char so_faddr[sizeof (struct sockaddr_in6)];
3640 	int err, fd;
3641 	socklen_t len;
3642 	short so_family, so_type;
3643 	int add_sock_token = 0;
3644 
3645 	fd = (int)uap->fd;
3646 
3647 	/*
3648 	 * bind failed, then nothing extra to add to audit record.
3649 	 */
3650 	if (error) {
3651 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3652 		/* XXX may want to add failed address some day */
3653 		return;
3654 	}
3655 
3656 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3657 		/*
3658 		 * not security relevant if doing a bind from non socket
3659 		 * so no extra tokens. Should probably turn off audit record
3660 		 * generation here.
3661 		 */
3662 		return;
3663 	}
3664 
3665 	so_family = so->so_family;
3666 	so_type   = so->so_type;
3667 
3668 	switch (so_family) {
3669 	case AF_INET:
3670 	case AF_INET6:
3671 
3672 		bzero(so_faddr, sizeof (so_faddr));
3673 		len = sizeof (so_faddr);
3674 
3675 		(void) socket_getpeername(so,
3676 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3677 		add_sock_token = 1;
3678 
3679 		break;
3680 
3681 	case AF_UNIX:
3682 		/* token added by lookup */
3683 		break;
3684 	default:
3685 		/* AF_ROUTE, AF_KEY do not support accept */
3686 		break;
3687 	}
3688 
3689 	releasef(fd);
3690 
3691 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3692 
3693 	if (add_sock_token == 0) {
3694 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3695 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3696 		return;
3697 	}
3698 
3699 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3700 
3701 }
3702 
3703 /*ARGSUSED*/
3704 static void
auf_connect(struct t_audit_data * tad,int error,rval_t * rval)3705 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3706 {
3707 	struct a {
3708 		long	fd;
3709 		long	addr;
3710 		long	len;
3711 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3712 
3713 	struct sonode *so;
3714 	char so_laddr[sizeof (struct sockaddr_in6)];
3715 	char so_faddr[sizeof (struct sockaddr_in6)];
3716 	int err, fd;
3717 	socklen_t len;
3718 	short so_family, so_type;
3719 	int add_sock_token = 0;
3720 
3721 	fd = (int)uap->fd;
3722 
3723 
3724 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3725 		/*
3726 		 * not security relevant if doing a connect from non socket
3727 		 * so no extra tokens. Should probably turn off audit record
3728 		 * generation here.
3729 		 */
3730 		return;
3731 	}
3732 
3733 	so_family = so->so_family;
3734 	so_type   = so->so_type;
3735 
3736 	switch (so_family) {
3737 	case AF_INET:
3738 	case AF_INET6:
3739 
3740 		bzero(so_laddr, sizeof (so_laddr));
3741 		bzero(so_faddr, sizeof (so_faddr));
3742 
3743 		len = sizeof (so_laddr);
3744 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3745 		    &len, CRED());
3746 		if (error) {
3747 			if (uap->addr == NULL)
3748 				break;
3749 			if (uap->len <= 0)
3750 				break;
3751 			len = min(uap->len, sizeof (so_faddr));
3752 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3753 				break;
3754 #ifdef NOTYET
3755 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3756 #endif
3757 		} else {
3758 			/* sanity check on length */
3759 			len = sizeof (so_faddr);
3760 			(void) socket_getpeername(so,
3761 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3762 		}
3763 
3764 		add_sock_token = 1;
3765 
3766 		break;
3767 
3768 	case AF_UNIX:
3769 		/* does a lookup on name */
3770 		break;
3771 
3772 	default:
3773 		/* AF_ROUTE, AF_KEY do not support accept */
3774 		break;
3775 	}
3776 
3777 	releasef(fd);
3778 
3779 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3780 
3781 	if (add_sock_token == 0) {
3782 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3783 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3784 		return;
3785 	}
3786 
3787 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3788 
3789 }
3790 
3791 /*ARGSUSED*/
3792 static void
aus_shutdown(struct t_audit_data * tad)3793 aus_shutdown(struct t_audit_data *tad)
3794 {
3795 	struct a {
3796 		long	fd;
3797 		long	how;
3798 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3799 
3800 	struct sonode *so;
3801 	char so_laddr[sizeof (struct sockaddr_in6)];
3802 	char so_faddr[sizeof (struct sockaddr_in6)];
3803 	int err, fd;
3804 	socklen_t len;
3805 	short so_family, so_type;
3806 	int add_sock_token = 0;
3807 	file_t *fp;				/* unix domain sockets */
3808 	struct f_audit_data *fad;		/* unix domain sockets */
3809 
3810 	fd = (int)uap->fd;
3811 
3812 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3813 		/*
3814 		 * not security relevant if doing a shutdown using non socket
3815 		 * so no extra tokens. Should probably turn off audit record
3816 		 * generation here.
3817 		 */
3818 		return;
3819 	}
3820 
3821 	so_family = so->so_family;
3822 	so_type   = so->so_type;
3823 
3824 	switch (so_family) {
3825 	case AF_INET:
3826 	case AF_INET6:
3827 
3828 		bzero(so_laddr, sizeof (so_laddr));
3829 		bzero(so_faddr, sizeof (so_faddr));
3830 
3831 		len = sizeof (so_laddr);
3832 		(void) socket_getsockname(so,
3833 		    (struct sockaddr *)so_laddr, &len, CRED());
3834 		len = sizeof (so_faddr);
3835 		(void) socket_getpeername(so,
3836 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3837 
3838 		add_sock_token = 1;
3839 
3840 		break;
3841 
3842 	case AF_UNIX:
3843 
3844 		/* get path from file struct here */
3845 		fad = F2A(fp);
3846 		ASSERT(fad);
3847 
3848 		if (fad->fad_aupath != NULL) {
3849 			au_uwrite(au_to_path(fad->fad_aupath));
3850 		} else {
3851 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3852 		}
3853 
3854 		audit_attributes(fp->f_vnode);
3855 
3856 		break;
3857 
3858 	default:
3859 		/*
3860 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3861 		 * added.
3862 		 */
3863 		break;
3864 	}
3865 
3866 	releasef(fd);
3867 
3868 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3869 
3870 	if (add_sock_token == 0) {
3871 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3872 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3873 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3874 		return;
3875 	}
3876 
3877 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3878 
3879 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3880 
3881 }
3882 
3883 /*ARGSUSED*/
3884 static void
auf_setsockopt(struct t_audit_data * tad,int error,rval_t * rval)3885 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3886 {
3887 	struct a {
3888 		long	fd;
3889 		long	level;
3890 		long	optname;
3891 		long	*optval;
3892 		long	optlen;
3893 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3894 
3895 	struct sonode	*so;
3896 	char so_laddr[sizeof (struct sockaddr_in6)];
3897 	char so_faddr[sizeof (struct sockaddr_in6)];
3898 	char		val[AU_BUFSIZE];
3899 	int		err, fd;
3900 	socklen_t	len;
3901 	short so_family, so_type;
3902 	int		add_sock_token = 0;
3903 	file_t *fp;				/* unix domain sockets */
3904 	struct f_audit_data *fad;		/* unix domain sockets */
3905 
3906 	fd = (int)uap->fd;
3907 
3908 	if (error) {
3909 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3910 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3911 		/* XXX may want to include other arguments */
3912 		return;
3913 	}
3914 
3915 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3916 		/*
3917 		 * not security relevant if doing a setsockopt from non socket
3918 		 * so no extra tokens. Should probably turn off audit record
3919 		 * generation here.
3920 		 */
3921 		return;
3922 	}
3923 
3924 	so_family = so->so_family;
3925 	so_type   = so->so_type;
3926 
3927 	switch (so_family) {
3928 	case AF_INET:
3929 	case AF_INET6:
3930 		bzero((void *)so_laddr, sizeof (so_laddr));
3931 		bzero((void *)so_faddr, sizeof (so_faddr));
3932 
3933 		/* get local and foreign addresses */
3934 		len = sizeof (so_laddr);
3935 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3936 		    &len, CRED());
3937 		len = sizeof (so_faddr);
3938 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3939 		    &len, B_FALSE, CRED());
3940 
3941 		add_sock_token = 1;
3942 
3943 		break;
3944 
3945 	case AF_UNIX:
3946 
3947 		/* get path from file struct here */
3948 		fad = F2A(fp);
3949 		ASSERT(fad);
3950 
3951 		if (fad->fad_aupath != NULL) {
3952 			au_uwrite(au_to_path(fad->fad_aupath));
3953 		} else {
3954 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3955 		}
3956 
3957 		audit_attributes(fp->f_vnode);
3958 
3959 		break;
3960 
3961 	default:
3962 		/*
3963 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3964 		 * added.
3965 		 */
3966 		break;
3967 	}
3968 
3969 	releasef(fd);
3970 
3971 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3972 
3973 	if (add_sock_token == 0) {
3974 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3975 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3976 	}
3977 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3978 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3979 
3980 	bzero(val, sizeof (val));
3981 	len = min(uap->optlen, sizeof (val));
3982 	if ((len > 0) &&
3983 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3984 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3985 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3986 	}
3987 
3988 	if (add_sock_token == 0)
3989 		return;
3990 
3991 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3992 
3993 }
3994 
3995 /*ARGSUSED*/
3996 static void
aus_sockconfig(tad)3997 aus_sockconfig(tad)
3998 	struct t_audit_data *tad;
3999 {
4000 	struct a {
4001 		long	cmd;
4002 		long	arg1;
4003 		long	arg2;
4004 		long	arg3;
4005 		long	arg4;
4006 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4007 
4008 	char	*buf;
4009 	int	buflen;
4010 	size_t	size;
4011 
4012 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4013 	switch (uap->cmd) {
4014 	case SOCKCONFIG_ADD_SOCK:
4015 	case SOCKCONFIG_REMOVE_SOCK:
4016 		au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4017 		au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4018 		au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4019 
4020 		if (uap->arg4 == 0) {
4021 			au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4022 		} else {
4023 			buflen = MAXPATHLEN + 1;
4024 			buf = kmem_alloc(buflen, KM_SLEEP);
4025 			if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4026 			    &size)) {
4027 				kmem_free(buf, buflen);
4028 				return;
4029 			}
4030 
4031 			if (size > MAXPATHLEN) {
4032 				kmem_free(buf, buflen);
4033 				return;
4034 			}
4035 
4036 			au_uwrite(au_to_text(buf));
4037 			kmem_free(buf, buflen);
4038 		}
4039 		break;
4040 	case SOCKCONFIG_ADD_FILTER:
4041 	case SOCKCONFIG_REMOVE_FILTER:
4042 		buflen = FILNAME_MAX;
4043 		buf = kmem_alloc(buflen, KM_SLEEP);
4044 
4045 		if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4046 			kmem_free(buf, buflen);
4047 			return;
4048 		}
4049 
4050 		au_uwrite(au_to_text(buf));
4051 		kmem_free(buf, buflen);
4052 		break;
4053 	default:
4054 		break;
4055 	}
4056 }
4057 
4058 /*
4059  * only audit recvmsg when the system call represents the creation of a new
4060  * circuit. This effectively occurs for all UDP packets and may occur for
4061  * special TCP situations where the local host has not set a local address
4062  * in the socket structure.
4063  */
4064 /*ARGSUSED*/
4065 static void
auf_recvmsg(struct t_audit_data * tad,int error,rval_t * rvp)4066 auf_recvmsg(
4067 	struct t_audit_data *tad,
4068 	int error,
4069 	rval_t *rvp)
4070 {
4071 	struct a {
4072 		long	fd;
4073 		long	msg;	/* struct msghdr */
4074 		long	flags;
4075 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4076 
4077 	struct sonode	*so;
4078 	STRUCT_DECL(msghdr, msg);
4079 	caddr_t msg_name;
4080 	socklen_t msg_namelen;
4081 	int fd;
4082 	int err;
4083 	char so_laddr[sizeof (struct sockaddr_in6)];
4084 	char so_faddr[sizeof (struct sockaddr_in6)];
4085 	socklen_t len;
4086 	file_t *fp;				/* unix domain sockets */
4087 	struct f_audit_data *fad;		/* unix domain sockets */
4088 	short so_family, so_type;
4089 	int add_sock_token = 0;
4090 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4091 
4092 	fd = (int)uap->fd;
4093 
4094 	/* bail if an error */
4095 	if (error) {
4096 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4097 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4098 		return;
4099 	}
4100 
4101 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4102 		/*
4103 		 * not security relevant if doing a recvmsg from non socket
4104 		 * so no extra tokens. Should probably turn off audit record
4105 		 * generation here.
4106 		 */
4107 		return;
4108 	}
4109 
4110 	so_family = so->so_family;
4111 	so_type   = so->so_type;
4112 
4113 	/*
4114 	 * only putout SOCKET_EX token if INET/INET6 family.
4115 	 * XXX - what do we do about other families?
4116 	 */
4117 
4118 	switch (so_family) {
4119 	case AF_INET:
4120 	case AF_INET6:
4121 
4122 		/*
4123 		 * if datagram type socket, then just use what is in
4124 		 * socket structure for local address.
4125 		 * XXX - what do we do for other types?
4126 		 */
4127 		if ((so->so_type == SOCK_DGRAM) ||
4128 		    (so->so_type == SOCK_RAW)) {
4129 			add_sock_token = 1;
4130 
4131 			bzero((void *)so_laddr, sizeof (so_laddr));
4132 			bzero((void *)so_faddr, sizeof (so_faddr));
4133 
4134 			/* get local address */
4135 			len = sizeof (so_laddr);
4136 			(void) socket_getsockname(so,
4137 			    (struct sockaddr *)so_laddr, &len, CRED());
4138 
4139 			/* get peer address */
4140 			STRUCT_INIT(msg, get_udatamodel());
4141 
4142 			if (copyin((caddr_t)(uap->msg),
4143 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4144 				break;
4145 			}
4146 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4147 			if (msg_name == NULL) {
4148 				break;
4149 			}
4150 
4151 			/* length is value from recvmsg - sanity check */
4152 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4153 			if (msg_namelen == 0) {
4154 				break;
4155 			}
4156 			if (copyin(msg_name, so_faddr,
4157 			    sizeof (so_faddr)) != 0) {
4158 				break;
4159 			}
4160 
4161 		} else if (so->so_type == SOCK_STREAM) {
4162 
4163 			/* get path from file struct here */
4164 			fad = F2A(fp);
4165 			ASSERT(fad);
4166 
4167 			/*
4168 			 * already processed this file for read attempt
4169 			 */
4170 			if (fad->fad_flags & FAD_READ) {
4171 				/* don't want to audit every recvmsg attempt */
4172 				tad->tad_flag = 0;
4173 				/* free any residual audit data */
4174 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4175 				releasef(fd);
4176 				return;
4177 			}
4178 			/*
4179 			 * mark things so we know what happened and don't
4180 			 * repeat things
4181 			 */
4182 			fad->fad_flags |= FAD_READ;
4183 
4184 			bzero((void *)so_laddr, sizeof (so_laddr));
4185 			bzero((void *)so_faddr, sizeof (so_faddr));
4186 
4187 			/* get local and foreign addresses */
4188 			len = sizeof (so_laddr);
4189 			(void) socket_getsockname(so,
4190 			    (struct sockaddr *)so_laddr, &len, CRED());
4191 			len = sizeof (so_faddr);
4192 			(void) socket_getpeername(so,
4193 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4194 
4195 			add_sock_token = 1;
4196 		}
4197 
4198 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4199 
4200 		break;
4201 
4202 	case AF_UNIX:
4203 		/*
4204 		 * first check if this is first time through. Too much
4205 		 * duplicate code to put this in an aui_ routine.
4206 		 */
4207 
4208 		/* get path from file struct here */
4209 		fad = F2A(fp);
4210 		ASSERT(fad);
4211 
4212 		/*
4213 		 * already processed this file for read attempt
4214 		 */
4215 		if (fad->fad_flags & FAD_READ) {
4216 			releasef(fd);
4217 			/* don't want to audit every recvmsg attempt */
4218 			tad->tad_flag = 0;
4219 			/* free any residual audit data */
4220 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4221 			return;
4222 		}
4223 		/*
4224 		 * mark things so we know what happened and don't
4225 		 * repeat things
4226 		 */
4227 		fad->fad_flags |= FAD_READ;
4228 
4229 		if (fad->fad_aupath != NULL) {
4230 			au_uwrite(au_to_path(fad->fad_aupath));
4231 		} else {
4232 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4233 		}
4234 
4235 		audit_attributes(fp->f_vnode);
4236 
4237 		releasef(fd);
4238 
4239 		return;
4240 
4241 	default:
4242 		break;
4243 
4244 	}
4245 
4246 	releasef(fd);
4247 
4248 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4249 
4250 	if (add_sock_token == 0) {
4251 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4252 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4253 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4254 		return;
4255 	}
4256 
4257 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4258 
4259 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4260 
4261 }
4262 
4263 /*ARGSUSED*/
4264 static void
auf_recvfrom(struct t_audit_data * tad,int error,rval_t * rvp)4265 auf_recvfrom(
4266 	struct t_audit_data *tad,
4267 	int error,
4268 	rval_t *rvp)
4269 {
4270 
4271 	struct a {
4272 		long	fd;
4273 		long	msg;	/* char */
4274 		long	len;
4275 		long	flags;
4276 		long	from;	/* struct sockaddr */
4277 		long	fromlen;
4278 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4279 
4280 	socklen_t	fromlen;
4281 	struct sonode	*so;
4282 	char so_laddr[sizeof (struct sockaddr_in6)];
4283 	char so_faddr[sizeof (struct sockaddr_in6)];
4284 	int		fd;
4285 	short so_family, so_type;
4286 	int add_sock_token = 0;
4287 	socklen_t len;
4288 	int err;
4289 	struct file *fp;
4290 	struct f_audit_data *fad;		/* unix domain sockets */
4291 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4292 
4293 	fd = (int)uap->fd;
4294 
4295 	/* bail if an error */
4296 	if (error) {
4297 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4298 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4299 		return;
4300 	}
4301 
4302 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4303 		/*
4304 		 * not security relevant if doing a recvmsg from non socket
4305 		 * so no extra tokens. Should probably turn off audit record
4306 		 * generation here.
4307 		 */
4308 		return;
4309 	}
4310 
4311 	so_family = so->so_family;
4312 	so_type   = so->so_type;
4313 
4314 	/*
4315 	 * only putout SOCKET_EX token if INET/INET6 family.
4316 	 * XXX - what do we do about other families?
4317 	 */
4318 
4319 	switch (so_family) {
4320 	case AF_INET:
4321 	case AF_INET6:
4322 
4323 		/*
4324 		 * if datagram type socket, then just use what is in
4325 		 * socket structure for local address.
4326 		 * XXX - what do we do for other types?
4327 		 */
4328 		if ((so->so_type == SOCK_DGRAM) ||
4329 		    (so->so_type == SOCK_RAW)) {
4330 			add_sock_token = 1;
4331 
4332 			/* get local address */
4333 			len = sizeof (so_laddr);
4334 			(void) socket_getsockname(so,
4335 			    (struct sockaddr *)so_laddr, &len, CRED());
4336 
4337 			/* get peer address */
4338 			bzero((void *)so_faddr, sizeof (so_faddr));
4339 
4340 			/* sanity check */
4341 			if (uap->from == NULL)
4342 				break;
4343 
4344 			/* sanity checks */
4345 			if (uap->fromlen == 0)
4346 				break;
4347 
4348 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4349 			    sizeof (fromlen)) != 0)
4350 				break;
4351 
4352 			if (fromlen == 0)
4353 				break;
4354 
4355 			/* enforce maximum size */
4356 			if (fromlen > sizeof (so_faddr))
4357 				fromlen = sizeof (so_faddr);
4358 
4359 			if (copyin((caddr_t)(uap->from), so_faddr,
4360 			    fromlen) != 0)
4361 				break;
4362 
4363 		} else if (so->so_type == SOCK_STREAM) {
4364 
4365 			/* get path from file struct here */
4366 			fad = F2A(fp);
4367 			ASSERT(fad);
4368 
4369 			/*
4370 			 * already processed this file for read attempt
4371 			 */
4372 			if (fad->fad_flags & FAD_READ) {
4373 				/* don't want to audit every recvfrom attempt */
4374 				tad->tad_flag = 0;
4375 				/* free any residual audit data */
4376 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4377 				releasef(fd);
4378 				return;
4379 			}
4380 			/*
4381 			 * mark things so we know what happened and don't
4382 			 * repeat things
4383 			 */
4384 			fad->fad_flags |= FAD_READ;
4385 
4386 			bzero((void *)so_laddr, sizeof (so_laddr));
4387 			bzero((void *)so_faddr, sizeof (so_faddr));
4388 
4389 			/* get local and foreign addresses */
4390 			len = sizeof (so_laddr);
4391 			(void) socket_getsockname(so,
4392 			    (struct sockaddr *)so_laddr, &len, CRED());
4393 			len = sizeof (so_faddr);
4394 			(void) socket_getpeername(so,
4395 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4396 
4397 			add_sock_token = 1;
4398 		}
4399 
4400 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4401 
4402 		break;
4403 
4404 	case AF_UNIX:
4405 		/*
4406 		 * first check if this is first time through. Too much
4407 		 * duplicate code to put this in an aui_ routine.
4408 		 */
4409 
4410 		/* get path from file struct here */
4411 		fad = F2A(fp);
4412 		ASSERT(fad);
4413 
4414 		/*
4415 		 * already processed this file for read attempt
4416 		 */
4417 		if (fad->fad_flags & FAD_READ) {
4418 			/* don't want to audit every recvfrom attempt */
4419 			tad->tad_flag = 0;
4420 			/* free any residual audit data */
4421 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4422 			releasef(fd);
4423 			return;
4424 		}
4425 		/*
4426 		 * mark things so we know what happened and don't
4427 		 * repeat things
4428 		 */
4429 		fad->fad_flags |= FAD_READ;
4430 
4431 		if (fad->fad_aupath != NULL) {
4432 			au_uwrite(au_to_path(fad->fad_aupath));
4433 		} else {
4434 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4435 		}
4436 
4437 		audit_attributes(fp->f_vnode);
4438 
4439 		releasef(fd);
4440 
4441 		return;
4442 
4443 	default:
4444 		break;
4445 
4446 	}
4447 
4448 	releasef(fd);
4449 
4450 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4451 
4452 	if (add_sock_token == 0) {
4453 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4454 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4455 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4456 		return;
4457 	}
4458 
4459 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4460 
4461 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4462 }
4463 
4464 /*ARGSUSED*/
4465 static void
auf_sendmsg(struct t_audit_data * tad,int error,rval_t * rval)4466 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4467 {
4468 	struct a {
4469 		long	fd;
4470 		long	msg;	/* struct msghdr */
4471 		long	flags;
4472 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4473 
4474 	struct sonode	*so;
4475 	char so_laddr[sizeof (struct sockaddr_in6)];
4476 	char so_faddr[sizeof (struct sockaddr_in6)];
4477 	int		err;
4478 	int		fd;
4479 	short so_family, so_type;
4480 	int		add_sock_token = 0;
4481 	socklen_t	len;
4482 	struct file	*fp;
4483 	struct f_audit_data *fad;
4484 	caddr_t		msg_name;
4485 	socklen_t	msg_namelen;
4486 	STRUCT_DECL(msghdr, msg);
4487 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4488 
4489 	fd = (int)uap->fd;
4490 
4491 	/* bail if an error */
4492 	if (error) {
4493 		/* XXX include destination address from system call arguments */
4494 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4495 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4496 		return;
4497 	}
4498 
4499 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4500 		/*
4501 		 * not security relevant if doing a sendmsg from non socket
4502 		 * so no extra tokens. Should probably turn off audit record
4503 		 * generation here.
4504 		 */
4505 		return;
4506 	}
4507 
4508 	so_family = so->so_family;
4509 	so_type   = so->so_type;
4510 
4511 	switch (so_family) {
4512 	case AF_INET:
4513 	case AF_INET6:
4514 		/*
4515 		 * if datagram type socket, then just use what is in
4516 		 * socket structure for local address.
4517 		 * XXX - what do we do for other types?
4518 		 */
4519 		if ((so->so_type == SOCK_DGRAM) ||
4520 		    (so->so_type == SOCK_RAW)) {
4521 
4522 			bzero((void *)so_laddr, sizeof (so_laddr));
4523 			bzero((void *)so_faddr, sizeof (so_faddr));
4524 
4525 			/* get local address */
4526 			len = sizeof (so_laddr);
4527 			(void) socket_getsockname(so,
4528 			    (struct sockaddr *)so_laddr, &len, CRED());
4529 
4530 			/* get peer address */
4531 			STRUCT_INIT(msg, get_udatamodel());
4532 
4533 			if (copyin((caddr_t)(uap->msg),
4534 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4535 				break;
4536 			}
4537 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4538 			if (msg_name == NULL)
4539 				break;
4540 
4541 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4542 			/* length is value from recvmsg - sanity check */
4543 			if (msg_namelen == 0)
4544 				break;
4545 
4546 			if (copyin(msg_name, so_faddr,
4547 			    sizeof (so_faddr)) != 0)
4548 				break;
4549 
4550 			add_sock_token = 1;
4551 
4552 		} else if (so->so_type == SOCK_STREAM) {
4553 
4554 			/* get path from file struct here */
4555 			fad = F2A(fp);
4556 			ASSERT(fad);
4557 
4558 			/*
4559 			 * already processed this file for write attempt
4560 			 */
4561 			if (fad->fad_flags & FAD_WRITE) {
4562 				releasef(fd);
4563 				/* don't want to audit every sendmsg attempt */
4564 				tad->tad_flag = 0;
4565 				/* free any residual audit data */
4566 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4567 				return;
4568 			}
4569 
4570 			/*
4571 			 * mark things so we know what happened and don't
4572 			 * repeat things
4573 			 */
4574 			fad->fad_flags |= FAD_WRITE;
4575 
4576 			bzero((void *)so_laddr, sizeof (so_laddr));
4577 			bzero((void *)so_faddr, sizeof (so_faddr));
4578 
4579 			/* get local and foreign addresses */
4580 			len = sizeof (so_laddr);
4581 			(void) socket_getsockname(so,
4582 			    (struct sockaddr *)so_laddr, &len, CRED());
4583 			len = sizeof (so_faddr);
4584 			(void) socket_getpeername(so,
4585 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4586 
4587 			add_sock_token = 1;
4588 		}
4589 
4590 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4591 
4592 		break;
4593 
4594 	case AF_UNIX:
4595 		/*
4596 		 * first check if this is first time through. Too much
4597 		 * duplicate code to put this in an aui_ routine.
4598 		 */
4599 
4600 		/* get path from file struct here */
4601 		fad = F2A(fp);
4602 		ASSERT(fad);
4603 
4604 		/*
4605 		 * already processed this file for write attempt
4606 		 */
4607 		if (fad->fad_flags & FAD_WRITE) {
4608 			releasef(fd);
4609 			/* don't want to audit every sendmsg attempt */
4610 			tad->tad_flag = 0;
4611 			/* free any residual audit data */
4612 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4613 			return;
4614 		}
4615 		/*
4616 		 * mark things so we know what happened and don't
4617 		 * repeat things
4618 		 */
4619 		fad->fad_flags |= FAD_WRITE;
4620 
4621 		if (fad->fad_aupath != NULL) {
4622 			au_uwrite(au_to_path(fad->fad_aupath));
4623 		} else {
4624 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4625 		}
4626 
4627 		audit_attributes(fp->f_vnode);
4628 
4629 		releasef(fd);
4630 
4631 		return;
4632 
4633 	default:
4634 		break;
4635 	}
4636 
4637 	releasef(fd);
4638 
4639 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4640 
4641 	if (add_sock_token == 0) {
4642 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4643 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4644 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4645 		return;
4646 	}
4647 
4648 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4649 
4650 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4651 }
4652 
4653 /*ARGSUSED*/
4654 static void
auf_sendto(struct t_audit_data * tad,int error,rval_t * rval)4655 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4656 {
4657 	struct a {
4658 		long	fd;
4659 		long	msg;	/* char */
4660 		long	len;
4661 		long	flags;
4662 		long	to;	/* struct sockaddr */
4663 		long	tolen;
4664 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4665 
4666 	struct sonode	*so;
4667 	char so_laddr[sizeof (struct sockaddr_in6)];
4668 	char so_faddr[sizeof (struct sockaddr_in6)];
4669 	socklen_t	tolen;
4670 	int		err;
4671 	int		fd;
4672 	socklen_t	len;
4673 	short so_family, so_type;
4674 	int		add_sock_token = 0;
4675 	struct file	*fp;
4676 	struct f_audit_data *fad;
4677 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4678 
4679 	fd = (int)uap->fd;
4680 
4681 	/* bail if an error */
4682 	if (error) {
4683 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4684 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4685 		/* XXX include destination address from system call arguments */
4686 		return;
4687 	}
4688 
4689 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4690 		/*
4691 		 * not security relevant if doing a sendto using non socket
4692 		 * so no extra tokens. Should probably turn off audit record
4693 		 * generation here.
4694 		 */
4695 		return;
4696 	}
4697 
4698 	so_family = so->so_family;
4699 	so_type   = so->so_type;
4700 
4701 	/*
4702 	 * only putout SOCKET_EX token if INET/INET6 family.
4703 	 * XXX - what do we do about other families?
4704 	 */
4705 
4706 	switch (so_family) {
4707 	case AF_INET:
4708 	case AF_INET6:
4709 
4710 		/*
4711 		 * if datagram type socket, then just use what is in
4712 		 * socket structure for local address.
4713 		 * XXX - what do we do for other types?
4714 		 */
4715 		if ((so->so_type == SOCK_DGRAM) ||
4716 		    (so->so_type == SOCK_RAW)) {
4717 
4718 			bzero((void *)so_laddr, sizeof (so_laddr));
4719 			bzero((void *)so_faddr, sizeof (so_faddr));
4720 
4721 			/* get local address */
4722 			len = sizeof (so_laddr);
4723 			(void) socket_getsockname(so,
4724 			    (struct sockaddr *)so_laddr, &len, CRED());
4725 
4726 			/* get peer address */
4727 
4728 			/* sanity check */
4729 			if (uap->to == NULL)
4730 				break;
4731 
4732 			/* sanity checks */
4733 			if (uap->tolen == 0)
4734 				break;
4735 
4736 			tolen = (socklen_t)uap->tolen;
4737 
4738 			/* enforce maximum size */
4739 			if (tolen > sizeof (so_faddr))
4740 				tolen = sizeof (so_faddr);
4741 
4742 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4743 				break;
4744 
4745 			add_sock_token = 1;
4746 		} else {
4747 			/*
4748 			 * check if this is first time through.
4749 			 */
4750 
4751 			/* get path from file struct here */
4752 			fad = F2A(fp);
4753 			ASSERT(fad);
4754 
4755 			/*
4756 			 * already processed this file for write attempt
4757 			 */
4758 			if (fad->fad_flags & FAD_WRITE) {
4759 				/* don't want to audit every sendto attempt */
4760 				tad->tad_flag = 0;
4761 				/* free any residual audit data */
4762 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4763 				releasef(fd);
4764 				return;
4765 			}
4766 			/*
4767 			 * mark things so we know what happened and don't
4768 			 * repeat things
4769 			 */
4770 			fad->fad_flags |= FAD_WRITE;
4771 
4772 			bzero((void *)so_laddr, sizeof (so_laddr));
4773 			bzero((void *)so_faddr, sizeof (so_faddr));
4774 
4775 			/* get local and foreign addresses */
4776 			len = sizeof (so_laddr);
4777 			(void) socket_getsockname(so,
4778 			    (struct sockaddr *)so_laddr, &len, CRED());
4779 			len = sizeof (so_faddr);
4780 			(void) socket_getpeername(so,
4781 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4782 
4783 			add_sock_token = 1;
4784 		}
4785 
4786 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4787 
4788 		break;
4789 
4790 	case AF_UNIX:
4791 		/*
4792 		 * first check if this is first time through. Too much
4793 		 * duplicate code to put this in an aui_ routine.
4794 		 */
4795 
4796 		/* get path from file struct here */
4797 		fad = F2A(fp);
4798 		ASSERT(fad);
4799 
4800 		/*
4801 		 * already processed this file for write attempt
4802 		 */
4803 		if (fad->fad_flags & FAD_WRITE) {
4804 			/* don't want to audit every sendto attempt */
4805 			tad->tad_flag = 0;
4806 			/* free any residual audit data */
4807 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4808 			releasef(fd);
4809 			return;
4810 		}
4811 		/*
4812 		 * mark things so we know what happened and don't
4813 		 * repeat things
4814 		 */
4815 		fad->fad_flags |= FAD_WRITE;
4816 
4817 		if (fad->fad_aupath != NULL) {
4818 			au_uwrite(au_to_path(fad->fad_aupath));
4819 		} else {
4820 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4821 		}
4822 
4823 		audit_attributes(fp->f_vnode);
4824 
4825 		releasef(fd);
4826 
4827 		return;
4828 
4829 	default:
4830 		break;
4831 
4832 	}
4833 
4834 	releasef(fd);
4835 
4836 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4837 
4838 	if (add_sock_token == 0) {
4839 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4840 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4841 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4842 		return;
4843 	}
4844 
4845 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4846 
4847 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4848 
4849 }
4850 
4851 /*
4852  * XXX socket(2) may be equivalent to open(2) on a unix domain
4853  * socket. This needs investigation.
4854  */
4855 
4856 /*ARGSUSED*/
4857 static void
aus_socket(struct t_audit_data * tad)4858 aus_socket(struct t_audit_data *tad)
4859 {
4860 	struct a {
4861 		long	domain;
4862 		long	type;
4863 		long	protocol;
4864 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4865 
4866 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4867 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4868 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4869 }
4870 
4871 /*ARGSUSED*/
4872 static void
aus_sigqueue(struct t_audit_data * tad)4873 aus_sigqueue(struct t_audit_data *tad)
4874 {
4875 	struct a {
4876 		long	pid;
4877 		long	signo;
4878 		long	*val;
4879 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4880 	struct proc *p;
4881 	uid_t uid, ruid;
4882 	gid_t gid, rgid;
4883 	pid_t pid;
4884 	const auditinfo_addr_t *ainfo;
4885 	cred_t *cr;
4886 
4887 	pid = (pid_t)uap->pid;
4888 
4889 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4890 	if (pid > 0) {
4891 		mutex_enter(&pidlock);
4892 		if ((p = prfind(pid)) == (struct proc *)0) {
4893 			mutex_exit(&pidlock);
4894 			return;
4895 		}
4896 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4897 		mutex_exit(&pidlock);
4898 
4899 		mutex_enter(&p->p_crlock);
4900 		crhold(cr = p->p_cred);
4901 		mutex_exit(&p->p_crlock);
4902 		mutex_exit(&p->p_lock);
4903 
4904 		ainfo = crgetauinfo(cr);
4905 		if (ainfo == NULL) {
4906 			crfree(cr);
4907 			return;
4908 		}
4909 
4910 		uid  = crgetuid(cr);
4911 		gid  = crgetgid(cr);
4912 		ruid = crgetruid(cr);
4913 		rgid = crgetrgid(cr);
4914 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4915 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4916 		crfree(cr);
4917 	}
4918 	else
4919 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4920 }
4921 
4922 /*ARGSUSED*/
4923 static void
aus_inst_sync(struct t_audit_data * tad)4924 aus_inst_sync(struct t_audit_data *tad)
4925 {
4926 	struct a {
4927 		long	name;	/* char */
4928 		long	flags;
4929 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4930 
4931 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4932 }
4933 
4934 /*ARGSUSED*/
4935 static void
aus_brandsys(struct t_audit_data * tad)4936 aus_brandsys(struct t_audit_data *tad)
4937 {
4938 	klwp_t *clwp = ttolwp(curthread);
4939 
4940 	struct a {
4941 		long	cmd;
4942 		long	arg1;
4943 		long	arg2;
4944 		long	arg3;
4945 		long	arg4;
4946 		long	arg5;
4947 		long	arg6;
4948 	} *uap = (struct a *)clwp->lwp_ap;
4949 
4950 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4951 #ifdef _LP64
4952 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4953 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4954 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4955 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4956 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4957 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4958 #else
4959 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4960 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4961 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4962 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4963 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4964 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4965 #endif
4966 }
4967 
4968 /*ARGSUSED*/
4969 static void
aus_p_online(struct t_audit_data * tad)4970 aus_p_online(struct t_audit_data *tad)
4971 {
4972 	struct a {
4973 		long	processor_id;
4974 		long	flag;
4975 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4976 
4977 	struct flags {
4978 			int	flag;
4979 			char	*cflag;
4980 	} aflags[6] = {
4981 			{ P_ONLINE, "P_ONLINE"},
4982 			{ P_OFFLINE, "P_OFFLINE"},
4983 			{ P_NOINTR, "P_NOINTR"},
4984 			{ P_SPARE, "P_SPARE"},
4985 			{ P_FAULTED, "P_FAULTED"},
4986 			{ P_STATUS, "P_STATUS"}
4987 	};
4988 	int i;
4989 	char *cflag;
4990 
4991 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4992 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4993 
4994 	for (i = 0; i < 6; i++) {
4995 		if (aflags[i].flag == uap->flag)
4996 			break;
4997 	}
4998 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4999 
5000 	au_uwrite(au_to_text(cflag));
5001 }
5002 
5003 /*ARGSUSED*/
5004 static void
aus_processor_bind(struct t_audit_data * tad)5005 aus_processor_bind(struct t_audit_data *tad)
5006 {
5007 	struct a {
5008 		long	id_type;
5009 		long	id;
5010 		long	processor_id;
5011 		long	obind;
5012 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5013 
5014 	struct proc *p;
5015 	int lwpcnt;
5016 	uid_t uid, ruid;
5017 	gid_t gid, rgid;
5018 	pid_t pid;
5019 	const auditinfo_addr_t *ainfo;
5020 	cred_t *cr;
5021 
5022 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5023 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5024 	if (uap->processor_id == PBIND_NONE)
5025 		au_uwrite(au_to_text("PBIND_NONE"));
5026 	else
5027 		au_uwrite(au_to_arg32(3, "processor_id",
5028 		    (uint32_t)uap->processor_id));
5029 
5030 	switch (uap->id_type) {
5031 	case P_MYID:
5032 	case P_LWPID:
5033 		mutex_enter(&pidlock);
5034 		p = ttoproc(curthread);
5035 		if (p == NULL || p->p_as == &kas) {
5036 			mutex_exit(&pidlock);
5037 			return;
5038 		}
5039 		mutex_enter(&p->p_lock);
5040 		mutex_exit(&pidlock);
5041 		lwpcnt = p->p_lwpcnt;
5042 		pid  = p->p_pid;
5043 
5044 		mutex_enter(&p->p_crlock);
5045 		crhold(cr = p->p_cred);
5046 		mutex_exit(&p->p_crlock);
5047 		mutex_exit(&p->p_lock);
5048 
5049 		ainfo = crgetauinfo(cr);
5050 		if (ainfo == NULL) {
5051 			crfree(cr);
5052 			return;
5053 		}
5054 
5055 		uid  = crgetuid(cr);
5056 		gid  = crgetgid(cr);
5057 		ruid = crgetruid(cr);
5058 		rgid = crgetrgid(cr);
5059 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5060 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5061 		crfree(cr);
5062 		break;
5063 	case P_PID:
5064 		mutex_enter(&pidlock);
5065 		p = prfind(uap->id);
5066 		if (p == NULL || p->p_as == &kas) {
5067 			mutex_exit(&pidlock);
5068 			return;
5069 		}
5070 		mutex_enter(&p->p_lock);
5071 		mutex_exit(&pidlock);
5072 		lwpcnt = p->p_lwpcnt;
5073 		pid  = p->p_pid;
5074 
5075 		mutex_enter(&p->p_crlock);
5076 		crhold(cr = p->p_cred);
5077 		mutex_exit(&p->p_crlock);
5078 		mutex_exit(&p->p_lock);
5079 
5080 		ainfo = crgetauinfo(cr);
5081 		if (ainfo == NULL) {
5082 			crfree(cr);
5083 			return;
5084 		}
5085 
5086 		uid  = crgetuid(cr);
5087 		gid  = crgetgid(cr);
5088 		ruid = crgetruid(cr);
5089 		rgid = crgetrgid(cr);
5090 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5091 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5092 		crfree(cr);
5093 
5094 		break;
5095 	default:
5096 		return;
5097 	}
5098 
5099 	if (uap->processor_id == PBIND_NONE &&
5100 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5101 		au_uwrite(au_to_text("PBIND_NONE for process"));
5102 	else
5103 		au_uwrite(au_to_arg32(3, "processor_id",
5104 		    (uint32_t)uap->processor_id));
5105 }
5106 
5107 /*ARGSUSED*/
5108 static au_event_t
aui_doorfs(au_event_t e)5109 aui_doorfs(au_event_t e)
5110 {
5111 	uint32_t code;
5112 
5113 	struct a {		/* doorfs */
5114 		long	a1;
5115 		long	a2;
5116 		long	a3;
5117 		long	a4;
5118 		long	a5;
5119 		long	code;
5120 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5121 
5122 	/*
5123 	 *	audit formats for several of the
5124 	 *	door calls have not yet been determined
5125 	 */
5126 	code = (uint32_t)uap->code;
5127 	switch (code) {
5128 	case DOOR_CALL:
5129 		e = AUE_DOORFS_DOOR_CALL;
5130 		break;
5131 	case DOOR_RETURN:
5132 		e = AUE_NULL;
5133 		break;
5134 	case DOOR_CREATE:
5135 		e = AUE_DOORFS_DOOR_CREATE;
5136 		break;
5137 	case DOOR_REVOKE:
5138 		e = AUE_DOORFS_DOOR_REVOKE;
5139 		break;
5140 	case DOOR_INFO:
5141 		e = AUE_NULL;
5142 		break;
5143 	case DOOR_UCRED:
5144 		e = AUE_NULL;
5145 		break;
5146 	case DOOR_BIND:
5147 		e = AUE_NULL;
5148 		break;
5149 	case DOOR_UNBIND:
5150 		e = AUE_NULL;
5151 		break;
5152 	case DOOR_GETPARAM:
5153 		e = AUE_NULL;
5154 		break;
5155 	case DOOR_SETPARAM:
5156 		e = AUE_NULL;
5157 		break;
5158 	default:	/* illegal system call */
5159 		e = AUE_NULL;
5160 		break;
5161 	}
5162 
5163 	return (e);
5164 }
5165 
5166 static door_node_t *
au_door_lookup(int did)5167 au_door_lookup(int did)
5168 {
5169 	vnode_t	*vp;
5170 	file_t *fp;
5171 
5172 	if ((fp = getf(did)) == NULL)
5173 		return (NULL);
5174 	/*
5175 	 * Use the underlying vnode (we may be namefs mounted)
5176 	 */
5177 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5178 		vp = fp->f_vnode;
5179 
5180 	if (vp == NULL || vp->v_type != VDOOR) {
5181 		releasef(did);
5182 		return (NULL);
5183 	}
5184 
5185 	return (VTOD(vp));
5186 }
5187 
5188 /*ARGSUSED*/
5189 static void
aus_doorfs(struct t_audit_data * tad)5190 aus_doorfs(struct t_audit_data *tad)
5191 {
5192 
5193 	struct a {		/* doorfs */
5194 		long	a1;
5195 		long	a2;
5196 		long	a3;
5197 		long	a4;
5198 		long	a5;
5199 		long	code;
5200 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5201 
5202 	door_node_t	*dp;
5203 	struct proc	*p;
5204 	uint32_t	did;
5205 	uid_t uid, ruid;
5206 	gid_t gid, rgid;
5207 	pid_t pid;
5208 	const auditinfo_addr_t *ainfo;
5209 	cred_t *cr;
5210 
5211 	did = (uint32_t)uap->a1;
5212 
5213 	switch (tad->tad_event) {
5214 	case AUE_DOORFS_DOOR_CALL:
5215 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5216 		if ((dp = au_door_lookup(did)) == NULL)
5217 			break;
5218 
5219 		if (DOOR_INVALID(dp)) {
5220 			releasef(did);
5221 			break;
5222 		}
5223 
5224 		if ((p = dp->door_target) == NULL) {
5225 			releasef(did);
5226 			break;
5227 		}
5228 		mutex_enter(&p->p_lock);
5229 		releasef(did);
5230 
5231 		pid  = p->p_pid;
5232 
5233 		mutex_enter(&p->p_crlock);
5234 		crhold(cr = p->p_cred);
5235 		mutex_exit(&p->p_crlock);
5236 		mutex_exit(&p->p_lock);
5237 
5238 		ainfo = crgetauinfo(cr);
5239 		if (ainfo == NULL) {
5240 			crfree(cr);
5241 			return;
5242 		}
5243 		uid  = crgetuid(cr);
5244 		gid  = crgetgid(cr);
5245 		ruid = crgetruid(cr);
5246 		rgid = crgetrgid(cr);
5247 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5248 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5249 		crfree(cr);
5250 		break;
5251 	case AUE_DOORFS_DOOR_RETURN:
5252 		/*
5253 		 * We may want to write information about
5254 		 * all doors (if any) which will be copied
5255 		 * by this call to the user space
5256 		 */
5257 		break;
5258 	case AUE_DOORFS_DOOR_CREATE:
5259 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5260 		break;
5261 	case AUE_DOORFS_DOOR_REVOKE:
5262 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5263 		break;
5264 	case AUE_DOORFS_DOOR_INFO:
5265 		break;
5266 	case AUE_DOORFS_DOOR_CRED:
5267 		break;
5268 	case AUE_DOORFS_DOOR_BIND:
5269 		break;
5270 	case AUE_DOORFS_DOOR_UNBIND: {
5271 		break;
5272 	}
5273 	default:	/* illegal system call */
5274 		break;
5275 	}
5276 }
5277 
5278 /*ARGSUSED*/
5279 static au_event_t
aui_acl(au_event_t e)5280 aui_acl(au_event_t e)
5281 {
5282 	struct a {
5283 		union {
5284 			long	name;	/* char */
5285 			long	fd;
5286 		}		obj;
5287 
5288 		long		cmd;
5289 		long		nentries;
5290 		long		arg;	/* aclent_t */
5291 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5292 
5293 	switch (uap->cmd) {
5294 	case SETACL:
5295 	case ACE_SETACL:
5296 		/*
5297 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5298 		 * are expected.
5299 		 */
5300 		break;
5301 	case GETACL:
5302 	case GETACLCNT:
5303 	case ACE_GETACL:
5304 	case ACE_GETACLCNT:
5305 		/* do nothing for these four values. */
5306 		e = AUE_NULL;
5307 		break;
5308 	default:
5309 		/* illegal system call */
5310 		break;
5311 	}
5312 
5313 	return (e);
5314 }
5315 
5316 static void
au_acl(int cmd,int nentries,caddr_t bufp)5317 au_acl(int cmd, int nentries, caddr_t bufp)
5318 {
5319 	size_t		a_size;
5320 	aclent_t	*aclbufp;
5321 	ace_t		*acebufp;
5322 	int		i;
5323 
5324 	switch (cmd) {
5325 	case GETACL:
5326 	case GETACLCNT:
5327 		break;
5328 	case SETACL:
5329 		if (nentries < 3)
5330 			break;
5331 
5332 		a_size = nentries * sizeof (aclent_t);
5333 
5334 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5335 			break;
5336 		if (copyin(bufp, aclbufp, a_size)) {
5337 			kmem_free(aclbufp, a_size);
5338 			break;
5339 		}
5340 		for (i = 0; i < nentries; i++) {
5341 			au_uwrite(au_to_acl(aclbufp + i));
5342 		}
5343 		kmem_free(aclbufp, a_size);
5344 		break;
5345 
5346 	case ACE_SETACL:
5347 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5348 			break;
5349 
5350 		a_size = nentries * sizeof (ace_t);
5351 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5352 			break;
5353 		if (copyin(bufp, acebufp, a_size)) {
5354 			kmem_free(acebufp, a_size);
5355 			break;
5356 		}
5357 		for (i = 0; i < nentries; i++) {
5358 			au_uwrite(au_to_ace(acebufp + i));
5359 		}
5360 		kmem_free(acebufp, a_size);
5361 		break;
5362 	default:
5363 		break;
5364 	}
5365 }
5366 
5367 /*ARGSUSED*/
5368 static void
aus_acl(struct t_audit_data * tad)5369 aus_acl(struct t_audit_data *tad)
5370 {
5371 	struct a {
5372 		long	fname;
5373 		long	cmd;
5374 		long	nentries;
5375 		long	aclbufp;
5376 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5377 
5378 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5379 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5380 
5381 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5382 }
5383 
5384 /*ARGSUSED*/
5385 static void
aus_facl(struct t_audit_data * tad)5386 aus_facl(struct t_audit_data *tad)
5387 {
5388 	struct a {
5389 		long	fd;
5390 		long	cmd;
5391 		long	nentries;
5392 		long	aclbufp;
5393 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5394 	struct file  *fp;
5395 	struct vnode *vp;
5396 	struct f_audit_data *fad;
5397 	int fd;
5398 
5399 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5400 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5401 
5402 	fd = (int)uap->fd;
5403 
5404 	if ((fp = getf(fd)) == NULL)
5405 		return;
5406 
5407 	/* get path from file struct here */
5408 	fad = F2A(fp);
5409 	if (fad->fad_aupath != NULL) {
5410 		au_uwrite(au_to_path(fad->fad_aupath));
5411 	} else {
5412 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5413 	}
5414 
5415 	vp = fp->f_vnode;
5416 	audit_attributes(vp);
5417 
5418 	/* decrement file descriptor reference count */
5419 	releasef(fd);
5420 
5421 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5422 }
5423 
5424 /*ARGSUSED*/
5425 static void
auf_read(tad,error,rval)5426 auf_read(tad, error, rval)
5427 	struct t_audit_data *tad;
5428 	int error;
5429 	rval_t *rval;
5430 {
5431 	struct file *fp;
5432 	struct f_audit_data *fad;
5433 	int fd;
5434 	register struct a {
5435 		long	fd;
5436 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5437 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5438 
5439 	fd = (int)uap->fd;
5440 
5441 	/*
5442 	 * convert file pointer to file descriptor
5443 	 *   Note: fd ref count incremented here.
5444 	 */
5445 	if ((fp = getf(fd)) == NULL)
5446 		return;
5447 
5448 	/* get path from file struct here */
5449 	fad = F2A(fp);
5450 	ASSERT(fad);
5451 
5452 	/*
5453 	 * already processed this file for read attempt
5454 	 *
5455 	 * XXX might be better to turn off auditing in a aui_read() routine.
5456 	 */
5457 	if (fad->fad_flags & FAD_READ) {
5458 		/* don't really want to audit every read attempt */
5459 		tad->tad_flag = 0;
5460 		/* free any residual audit data */
5461 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5462 		releasef(fd);
5463 		return;
5464 	}
5465 	/* mark things so we know what happened and don't repeat things */
5466 	fad->fad_flags |= FAD_READ;
5467 
5468 	if (fad->fad_aupath != NULL) {
5469 		au_uwrite(au_to_path(fad->fad_aupath));
5470 	} else {
5471 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5472 	}
5473 
5474 	/* include attributes */
5475 	audit_attributes(fp->f_vnode);
5476 
5477 	/* decrement file descriptor reference count */
5478 	releasef(fd);
5479 }
5480 
5481 /*ARGSUSED*/
5482 static void
auf_write(tad,error,rval)5483 auf_write(tad, error, rval)
5484 	struct t_audit_data *tad;
5485 	int error;
5486 	rval_t *rval;
5487 {
5488 	struct file *fp;
5489 	struct f_audit_data *fad;
5490 	int fd;
5491 	register struct a {
5492 		long	fd;
5493 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5494 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5495 
5496 	fd = (int)uap->fd;
5497 
5498 	/*
5499 	 * convert file pointer to file descriptor
5500 	 *   Note: fd ref count incremented here.
5501 	 */
5502 	if ((fp = getf(fd)) == NULL)
5503 		return;
5504 
5505 	/* get path from file struct here */
5506 	fad = F2A(fp);
5507 	ASSERT(fad);
5508 
5509 	/*
5510 	 * already processed this file for write attempt
5511 	 *
5512 	 * XXX might be better to turn off auditing in a aus_write() routine.
5513 	 */
5514 	if (fad->fad_flags & FAD_WRITE) {
5515 		/* don't really want to audit every write attempt */
5516 		tad->tad_flag = 0;
5517 		/* free any residual audit data */
5518 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5519 		releasef(fd);
5520 		return;
5521 	}
5522 	/* mark things so we know what happened and don't repeat things */
5523 	fad->fad_flags |= FAD_WRITE;
5524 
5525 	if (fad->fad_aupath != NULL) {
5526 		au_uwrite(au_to_path(fad->fad_aupath));
5527 	} else {
5528 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5529 	}
5530 
5531 	/* include attributes */
5532 	audit_attributes(fp->f_vnode);
5533 
5534 	/* decrement file descriptor reference count */
5535 	releasef(fd);
5536 }
5537 
5538 /*ARGSUSED*/
5539 static void
auf_recv(tad,error,rval)5540 auf_recv(tad, error, rval)
5541 	struct t_audit_data *tad;
5542 	int error;
5543 	rval_t *rval;
5544 {
5545 	struct sonode *so;
5546 	char so_laddr[sizeof (struct sockaddr_in6)];
5547 	char so_faddr[sizeof (struct sockaddr_in6)];
5548 	struct file *fp;
5549 	struct f_audit_data *fad;
5550 	int fd;
5551 	int err;
5552 	socklen_t len;
5553 	short so_family, so_type;
5554 	register struct a {
5555 		long	fd;
5556 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5557 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5558 
5559 	/*
5560 	 * If there was an error, then nothing to do. Only generate
5561 	 * audit record on first successful recv.
5562 	 */
5563 	if (error) {
5564 		/* Turn off audit record generation here. */
5565 		tad->tad_flag = 0;
5566 		/* free any residual audit data */
5567 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5568 		return;
5569 	}
5570 
5571 	fd = (int)uap->fd;
5572 
5573 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5574 		/* Turn off audit record generation here. */
5575 		tad->tad_flag = 0;
5576 		/* free any residual audit data */
5577 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5578 		return;
5579 	}
5580 
5581 	/* get path from file struct here */
5582 	fad = F2A(fp);
5583 	ASSERT(fad);
5584 
5585 	/*
5586 	 * already processed this file for read attempt
5587 	 */
5588 	if (fad->fad_flags & FAD_READ) {
5589 		releasef(fd);
5590 		/* don't really want to audit every recv call */
5591 		tad->tad_flag = 0;
5592 		/* free any residual audit data */
5593 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5594 		return;
5595 	}
5596 
5597 	/* mark things so we know what happened and don't repeat things */
5598 	fad->fad_flags |= FAD_READ;
5599 
5600 	so_family = so->so_family;
5601 	so_type   = so->so_type;
5602 
5603 	switch (so_family) {
5604 	case AF_INET:
5605 	case AF_INET6:
5606 		/*
5607 		 * Only for connections.
5608 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5609 		 */
5610 		if (so->so_state & SS_ISBOUND) {
5611 
5612 			bzero((void *)so_laddr, sizeof (so_laddr));
5613 			bzero((void *)so_faddr, sizeof (so_faddr));
5614 
5615 			/* get local and foreign addresses */
5616 			len = sizeof (so_laddr);
5617 			(void) socket_getsockname(so,
5618 			    (struct sockaddr *)so_laddr, &len, CRED());
5619 			len = sizeof (so_faddr);
5620 			(void) socket_getpeername(so,
5621 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5622 
5623 			/*
5624 			 * only way to drop out of switch. Note that we
5625 			 * we release fd below.
5626 			 */
5627 
5628 			break;
5629 		}
5630 
5631 		releasef(fd);
5632 
5633 		/* don't really want to audit every recv call */
5634 		tad->tad_flag = 0;
5635 		/* free any residual audit data */
5636 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5637 
5638 		return;
5639 
5640 	case AF_UNIX:
5641 
5642 		if (fad->fad_aupath != NULL) {
5643 			au_uwrite(au_to_path(fad->fad_aupath));
5644 		} else {
5645 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5646 		}
5647 
5648 		audit_attributes(fp->f_vnode);
5649 
5650 		releasef(fd);
5651 
5652 		return;
5653 
5654 	default:
5655 		releasef(fd);
5656 
5657 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5658 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5659 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5660 
5661 		return;
5662 	}
5663 
5664 	releasef(fd);
5665 
5666 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5667 
5668 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5669 
5670 }
5671 
5672 /*ARGSUSED*/
5673 static void
auf_send(tad,error,rval)5674 auf_send(tad, error, rval)
5675 	struct t_audit_data *tad;
5676 	int error;
5677 	rval_t *rval;
5678 {
5679 	struct sonode *so;
5680 	char so_laddr[sizeof (struct sockaddr_in6)];
5681 	char so_faddr[sizeof (struct sockaddr_in6)];
5682 	struct file *fp;
5683 	struct f_audit_data *fad;
5684 	int fd;
5685 	int err;
5686 	socklen_t len;
5687 	short so_family, so_type;
5688 	register struct a {
5689 		long	fd;
5690 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5691 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5692 
5693 	fd = (int)uap->fd;
5694 
5695 	/*
5696 	 * If there was an error, then nothing to do. Only generate
5697 	 * audit record on first successful send.
5698 	 */
5699 	if (error != 0) {
5700 		/* Turn off audit record generation here. */
5701 		tad->tad_flag = 0;
5702 		/* free any residual audit data */
5703 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5704 		return;
5705 	}
5706 
5707 	fd = (int)uap->fd;
5708 
5709 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5710 		/* Turn off audit record generation here. */
5711 		tad->tad_flag = 0;
5712 		/* free any residual audit data */
5713 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5714 		return;
5715 	}
5716 
5717 	/* get path from file struct here */
5718 	fad = F2A(fp);
5719 	ASSERT(fad);
5720 
5721 	/*
5722 	 * already processed this file for write attempt
5723 	 */
5724 	if (fad->fad_flags & FAD_WRITE) {
5725 		releasef(fd);
5726 		/* don't really want to audit every send call */
5727 		tad->tad_flag = 0;
5728 		/* free any residual audit data */
5729 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5730 		return;
5731 	}
5732 
5733 	/* mark things so we know what happened and don't repeat things */
5734 	fad->fad_flags |= FAD_WRITE;
5735 
5736 	so_family = so->so_family;
5737 	so_type   = so->so_type;
5738 
5739 	switch (so_family) {
5740 	case AF_INET:
5741 	case AF_INET6:
5742 		/*
5743 		 * Only for connections.
5744 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5745 		 */
5746 		if (so->so_state & SS_ISBOUND) {
5747 
5748 			bzero((void *)so_laddr, sizeof (so_laddr));
5749 			bzero((void *)so_faddr, sizeof (so_faddr));
5750 
5751 			/* get local and foreign addresses */
5752 			len = sizeof (so_laddr);
5753 			(void) socket_getsockname(so,
5754 			    (struct sockaddr *)so_laddr, &len, CRED());
5755 			len = sizeof (so_faddr);
5756 			(void) socket_getpeername(so,
5757 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5758 
5759 			/*
5760 			 * only way to drop out of switch. Note that we
5761 			 * we release fd below.
5762 			 */
5763 
5764 			break;
5765 		}
5766 
5767 		releasef(fd);
5768 		/* don't really want to audit every send call */
5769 		tad->tad_flag = 0;
5770 		/* free any residual audit data */
5771 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5772 
5773 		return;
5774 
5775 	case AF_UNIX:
5776 
5777 		if (fad->fad_aupath != NULL) {
5778 			au_uwrite(au_to_path(fad->fad_aupath));
5779 		} else {
5780 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5781 		}
5782 
5783 		audit_attributes(fp->f_vnode);
5784 
5785 		releasef(fd);
5786 
5787 		return;
5788 
5789 	default:
5790 		releasef(fd);
5791 
5792 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5793 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5794 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5795 
5796 		return;
5797 	}
5798 
5799 	releasef(fd);
5800 
5801 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5802 
5803 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5804 }
5805 
5806 static au_event_t
aui_forksys(au_event_t e)5807 aui_forksys(au_event_t e)
5808 {
5809 	struct a {
5810 		long	subcode;
5811 		long	flags;
5812 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5813 
5814 	switch ((uint_t)uap->subcode) {
5815 	case 0:
5816 		e = AUE_FORK1;
5817 		break;
5818 	case 1:
5819 		e = AUE_FORKALL;
5820 		break;
5821 	case 2:
5822 		e = AUE_VFORK;
5823 		break;
5824 	default:
5825 		e = AUE_NULL;
5826 		break;
5827 	}
5828 
5829 	return (e);
5830 }
5831 
5832 /*ARGSUSED*/
5833 static au_event_t
aui_portfs(au_event_t e)5834 aui_portfs(au_event_t e)
5835 {
5836 	struct a {		/* portfs */
5837 		long	a1;
5838 		long	a2;
5839 		long	a3;
5840 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5841 
5842 	/*
5843 	 * check opcode
5844 	 */
5845 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5846 	case PORT_ASSOCIATE:
5847 		/* check source */
5848 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5849 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5850 			e = AUE_PORTFS_ASSOCIATE;
5851 		} else {
5852 			e = AUE_NULL;
5853 		}
5854 		break;
5855 	case PORT_DISSOCIATE:
5856 		/* check source */
5857 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5858 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5859 			e = AUE_PORTFS_DISSOCIATE;
5860 		} else {
5861 			e = AUE_NULL;
5862 		}
5863 		break;
5864 	default:
5865 		e = AUE_NULL;
5866 	}
5867 	return (e);
5868 }
5869