xref: /illumos-gate/usr/src/uts/common/c2/audit.c (revision 1a220b56b93ff1dc80855691548503117af4cc10)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the audit hook support code for auditing.
28  */
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 #include <sys/types.h>
33 #include <sys/proc.h>
34 #include <sys/vnode.h>
35 #include <sys/vfs.h>
36 #include <sys/file.h>
37 #include <sys/user.h>
38 #include <sys/stropts.h>
39 #include <sys/systm.h>
40 #include <sys/pathname.h>
41 #include <sys/syscall.h>
42 #include <sys/fcntl.h>
43 #include <sys/ipc_impl.h>
44 #include <sys/msg_impl.h>
45 #include <sys/sem_impl.h>
46 #include <sys/shm_impl.h>
47 #include <sys/kmem.h>		/* for KM_SLEEP */
48 #include <sys/socket.h>
49 #include <sys/cmn_err.h>	/* snprintf... */
50 #include <sys/debug.h>
51 #include <sys/thread.h>
52 #include <netinet/in.h>
53 #include <c2/audit.h>		/* needs to be included before user.h */
54 #include <c2/audit_kernel.h>	/* for M_DONTWAIT */
55 #include <c2/audit_kevents.h>
56 #include <c2/audit_record.h>
57 #include <sys/strsubr.h>
58 #include <sys/tihdr.h>
59 #include <sys/tiuser.h>
60 #include <sys/timod.h>
61 #include <sys/model.h>		/* for model_t */
62 #include <sys/disp.h>		/* for servicing_interrupt() */
63 #include <sys/devpolicy.h>
64 #include <sys/crypto/ioctladmin.h>
65 #include <inet/kssl/kssl.h>
66 #include <sys/tsol/label.h>
67 
68 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
69 
70 static void audit_pathbuild(struct pathname *pnp);
71 
72 /*
73  * ROUTINE:	AUDIT_NEWPROC
74  * PURPOSE:	initialize the child p_audit_data structure
75  * CALLBY:	GETPROC
76  * NOTE:	All threads for the parent process are locked at this point.
77  *		We are essentially running singled threaded for this reason.
78  *		GETPROC is called when system creates a new process.
79  *		By the time AUDIT_NEWPROC is called, the child proc
80  *		structure has already been initialized. What we need
81  *		to do is to allocate the child p_audit_data and
82  *		initialize it with the content of current parent process.
83  */
84 
85 void
86 audit_newproc(struct proc *cp)	/* initialized child proc structure */
87 {
88 	p_audit_data_t *pad;	/* child process audit data */
89 	p_audit_data_t *opad;	/* parent process audit data */
90 
91 	pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
92 
93 	P2A(cp) = pad;
94 
95 	opad = P2A(curproc);
96 
97 	/*
98 	 * copy the audit data. Note that all threads of current
99 	 *   process have been "held". Thus there is no race condition
100 	 *   here with mutiple threads trying to alter the cwrd
101 	 *   structure (such as releasing it).
102 	 *
103 	 *   The audit context in the cred is "duplicated" for the new
104 	 *   proc by elsewhere crhold'ing the parent's cred which it shares.
105 	 *
106 	 *   We still want to hold things since auditon() [A_SETUMASK,
107 	 *   A_SETSMASK] could be walking through the processes to
108 	 *   update things.
109 	 */
110 	mutex_enter(&opad->pad_lock);	/* lock opad structure during copy */
111 	pad->pad_data = opad->pad_data;	/* copy parent's process audit data */
112 	au_pathhold(pad->pad_root);
113 	au_pathhold(pad->pad_cwd);
114 	mutex_exit(&opad->pad_lock);	/* current proc will keep cwrd open */
115 
116 	/*
117 	 * finish auditing of parent here so that it will be done
118 	 * before child has a chance to run. We include the child
119 	 * pid since the return value in the return token is a dummy
120 	 * one and contains no useful information (it is included to
121 	 * make the audit record structure consistant).
122 	 *
123 	 * tad_flag is set if auditing is on
124 	 */
125 	if (((t_audit_data_t *)T2A(curthread))->tad_flag)
126 		au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid));
127 
128 	/*
129 	 * finish up audit record generation here because child process
130 	 * is set to run before parent process. We distinguish here
131 	 * between FORK, FORK1, or VFORK by the saved system call ID.
132 	 */
133 	audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0);
134 }
135 
136 /*
137  * ROUTINE:	AUDIT_PFREE
138  * PURPOSE:	deallocate the per-process udit data structure
139  * CALLBY:	EXIT
140  *		FORK_FAIL
141  * NOTE:	all lwp except current one have stopped in SEXITLWPS
142  * 		why we are single threaded?
143  *		. all lwp except current one have stopped in SEXITLWPS.
144  */
145 void
146 audit_pfree(struct proc *p)		/* proc structure to be freed */
147 
148 {	/* AUDIT_PFREE */
149 
150 	p_audit_data_t *pad;
151 
152 	pad = P2A(p);
153 
154 	/* better be a per process audit data structure */
155 	ASSERT(pad != (p_audit_data_t *)0);
156 
157 	if (pad == pad0) {
158 		return;
159 	}
160 
161 	/* deallocate all auditing resources for this process */
162 	au_pathrele(pad->pad_root);
163 	au_pathrele(pad->pad_cwd);
164 
165 	/*
166 	 * Since the pad structure is completely overwritten after alloc,
167 	 * we don't bother to clear it.
168 	 */
169 
170 	kmem_cache_free(au_pad_cache, pad);
171 }
172 
173 /*
174  * ROUTINE:	AUDIT_THREAD_CREATE
175  * PURPOSE:	allocate per-process thread audit data structure
176  * CALLBY:	THREAD_CREATE
177  * NOTE:	This is called just after *t was bzero'd.
178  *		We are single threaded in this routine.
179  * TODO:
180  * QUESTION:
181  */
182 
183 void
184 audit_thread_create(kthread_id_t t)
185 {
186 	t_audit_data_t *tad;	/* per-thread audit data */
187 
188 	tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
189 
190 	T2A(t) = tad;		/* set up thread audit data ptr */
191 	tad->tad_thread = t;	/* back ptr to thread: DEBUG */
192 }
193 
194 /*
195  * ROUTINE:	AUDIT_THREAD_FREE
196  * PURPOSE:	free the per-thread audit data structure
197  * CALLBY:	THREAD_FREE
198  * NOTE:	most thread data is clear after return
199  */
200 void
201 audit_thread_free(kthread_t *t)
202 {
203 	t_audit_data_t *tad;
204 	au_defer_info_t	*attr;
205 
206 	tad = T2A(t);
207 
208 	/* thread audit data must still be set */
209 
210 	if (tad == tad0) {
211 		return;
212 	}
213 
214 	if (tad == NULL) {
215 		return;
216 	}
217 
218 	t->t_audit_data = 0;
219 
220 	/* must not have any audit record residual */
221 	ASSERT(tad->tad_ad == NULL);
222 
223 	/* saved path must be empty */
224 	ASSERT(tad->tad_aupath == NULL);
225 
226 	if (tad->tad_atpath)
227 		au_pathrele(tad->tad_atpath);
228 
229 	attr = tad->tad_defer_head;
230 	while (attr != NULL) {
231 		au_defer_info_t	*tmp_attr = attr;
232 
233 		au_free_rec(attr->audi_ad);
234 
235 		attr = attr->audi_next;
236 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
237 	}
238 
239 	kmem_free(tad, sizeof (*tad));
240 }
241 
242 /*
243  * ROUTINE:	AUDIT_SAVEPATH
244  * PURPOSE:
245  * CALLBY:	LOOKUPPN
246  *
247  * NOTE:	We have reached the end of a path in fs/lookup.c.
248  *		We get two pieces of information here:
249  *		the vnode of the last component (vp) and
250  *		the status of the last access (flag).
251  * TODO:
252  * QUESTION:
253  */
254 
255 /*ARGSUSED*/
256 int
257 audit_savepath(
258 	struct pathname *pnp,		/* pathname to lookup */
259 	struct vnode *vp,		/* vnode of the last component */
260 	int    flag,			/* status of the last access */
261 	cred_t *cr)			/* cred of requestor */
262 {
263 
264 	t_audit_data_t *tad;	/* current thread */
265 	p_audit_data_t *pad;	/* current process */
266 	au_kcontext_t	*kctx = SET_KCTX_PZ;
267 
268 	if (kctx == NULL) {
269 		zone_status_t zstate = zone_status_get(curproc->p_zone);
270 		ASSERT(zstate != ZONE_IS_READY);
271 		return (0);
272 	}
273 
274 	tad = U2A(u);
275 	ASSERT(tad != (t_audit_data_t *)0);
276 	pad = P2A(curproc);
277 	ASSERT(pad != (p_audit_data_t *)0);
278 
279 	/*
280 	 * this event being audited or do we need path information
281 	 * later? This might be for a chdir/chroot or open (add path
282 	 * to file pointer. If the path has already been found for an
283 	 * open/creat then we don't need to process the path.
284 	 *
285 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
286 	 *	chroot, chdir, open, creat system call processing. It determines
287 	 *	if audit_savepath() will discard the path or we need it later.
288 	 * PAD_PATHFND means path already included in this audit record. It
289 	 *	is used in cases where multiple path lookups are done per
290 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
291 	 *	paths are allowed.
292 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
293 	 *	exit processing to inhibit any paths that may be added due to
294 	 *	closes.
295 	 */
296 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
297 		((tad->tad_ctrl & PAD_PATHFND) &&
298 		!(kctx->auk_policy & AUDIT_PATH)) ||
299 		(tad->tad_ctrl & PAD_NOPATH)) {
300 			return (0);
301 	}
302 
303 	tad->tad_ctrl |= PAD_NOPATH;		/* prevent possible reentry */
304 
305 	audit_pathbuild(pnp);
306 	tad->tad_vn = vp;
307 
308 	/*
309 	 * are we auditing only if error, or if it is not open or create
310 	 * otherwise audit_setf will do it
311 	 */
312 
313 	if (tad->tad_flag) {
314 		if (flag && (tad->tad_scid == SYS_open ||
315 		    tad->tad_scid == SYS_open64 ||
316 		    tad->tad_scid == SYS_creat ||
317 		    tad->tad_scid == SYS_creat64 ||
318 		    tad->tad_scid == SYS_fsat)) {
319 			tad->tad_ctrl |= PAD_TRUE_CREATE;
320 		}
321 
322 		/* add token to audit record for this name */
323 		au_uwrite(au_to_path(tad->tad_aupath));
324 
325 		/* add the attributes of the object */
326 		if (vp) {
327 			/*
328 			 * only capture attributes when there is no error
329 			 * lookup will not return the vnode of the failing
330 			 * component.
331 			 *
332 			 * if there was a lookup error, then don't add
333 			 * attribute. if lookup in vn_create(),
334 			 * then don't add attribute,
335 			 * it will be added at end of vn_create().
336 			 */
337 			if (!flag && !(tad->tad_ctrl & PAD_NOATTRB))
338 				audit_attributes(vp);
339 		}
340 	}
341 
342 	/* free up space if we're not going to save path (open, crate) */
343 	if ((tad->tad_ctrl & PAD_SAVPATH) == 0) {
344 		if (tad->tad_aupath != NULL) {
345 			au_pathrele(tad->tad_aupath);
346 			tad->tad_aupath = NULL;
347 			tad->tad_vn = NULL;
348 		}
349 	}
350 	if (tad->tad_ctrl & PAD_MLD)
351 		tad->tad_ctrl |= PAD_PATHFND;
352 
353 	tad->tad_ctrl &= ~PAD_NOPATH;		/* restore */
354 	return (0);
355 }
356 
357 static void
358 audit_pathbuild(struct pathname *pnp)
359 {
360 	char *pp;	/* pointer to path */
361 	int len;	/* length of incoming segment */
362 	int newsect;	/* path requires a new section */
363 	struct audit_path	*pfxapp;	/* prefix for path */
364 	struct audit_path	*newapp;	/* new audit_path */
365 	t_audit_data_t *tad;	/* current thread */
366 	p_audit_data_t *pad;	/* current process */
367 
368 	tad = U2A(u);
369 	ASSERT(tad != NULL);
370 	pad = P2A(curproc);
371 	ASSERT(pad != NULL);
372 
373 	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
374 	ASSERT(len > 0);
375 
376 	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
377 	mutex_enter(&pad->pad_lock);
378 	if (tad->tad_aupath != NULL) {
379 		pfxapp = tad->tad_aupath;
380 	} else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') {
381 		ASSERT(tad->tad_atpath != NULL);
382 		pfxapp = tad->tad_atpath;
383 	} else if (tad->tad_ctrl & PAD_ABSPATH) {
384 		pfxapp = pad->pad_root;
385 	} else {
386 		pfxapp = pad->pad_cwd;
387 	}
388 	au_pathhold(pfxapp);
389 	mutex_exit(&pad->pad_lock);
390 
391 	/* get an expanded buffer to hold the anchored path */
392 	newsect = tad->tad_ctrl & PAD_ATPATH;
393 	newapp = au_pathdup(pfxapp, newsect, len);
394 	au_pathrele(pfxapp);
395 
396 	pp = newapp->audp_sect[newapp->audp_cnt] - len;
397 	if (!newsect) {
398 		/* overlay previous NUL terminator */
399 		*(pp - 1) = '/';
400 	}
401 
402 	/* now add string of processed path */
403 	bcopy(pnp->pn_buf, pp, len);
404 	pp[len - 1] = '\0';
405 
406 	/* perform path simplification as necessary */
407 	audit_fixpath(newapp, len);
408 
409 	if (tad->tad_aupath)
410 		au_pathrele(tad->tad_aupath);
411 	tad->tad_aupath = newapp;
412 
413 	/* for case where multiple lookups in one syscall (rename) */
414 	tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH);
415 }
416 
417 
418 
419 /*ARGSUSED*/
420 
421 /*
422  * ROUTINE:	AUDIT_ADDCOMPONENT
423  * PURPOSE:	extend the path by the component accepted
424  * CALLBY:	LOOKUPPN
425  * NOTE:	This function is called only when there is an error in
426  *		parsing a path component
427  * TODO:	Add the error component to audit record
428  * QUESTION:	what is this for
429  */
430 
431 void
432 audit_addcomponent(struct pathname *pnp)
433 {
434 	au_kcontext_t	*kctx = SET_KCTX_PZ;
435 	t_audit_data_t *tad;
436 
437 	if (kctx == NULL) {
438 		zone_status_t zstate = zone_status_get(curproc->p_zone);
439 		ASSERT(zstate != ZONE_IS_READY);
440 		return;
441 	}
442 
443 	tad = U2A(u);
444 	/*
445 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
446 	 *	chroot, chdir, open, creat system call processing. It determines
447 	 *	if audit_savepath() will discard the path or we need it later.
448 	 * PAD_PATHFND means path already included in this audit record. It
449 	 *	is used in cases where multiple path lookups are done per
450 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
451 	 *	paths are allowed.
452 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
453 	 *	exit processing to inhibit any paths that may be added due to
454 	 *	closes.
455 	 */
456 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
457 		((tad->tad_ctrl & PAD_PATHFND) &&
458 		!(kctx->auk_policy & AUDIT_PATH)) ||
459 		(tad->tad_ctrl & PAD_NOPATH)) {
460 			return;
461 	}
462 
463 	return;
464 
465 }	/* AUDIT_ADDCOMPONENT */
466 
467 
468 
469 
470 
471 
472 
473 
474 /*
475  * ROUTINE:	AUDIT_ANCHORPATH
476  * PURPOSE:
477  * CALLBY:	LOOKUPPN
478  * NOTE:
479  * anchor path at "/". We have seen a symbolic link or entering for the
480  * first time we will throw away any saved path if path is anchored.
481  *
482  * flag = 0, path is relative.
483  * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH.
484  *
485  * If the (new) path is absolute, then we have to throw away whatever we have
486  * already accumulated since it is being superceeded by new path which is
487  * anchored at the root.
488  *		Note that if the path is relative, this function does nothing
489  * TODO:
490  * QUESTION:
491  */
492 /*ARGSUSED*/
493 void
494 audit_anchorpath(struct pathname *pnp, int flag)
495 {
496 	au_kcontext_t	*kctx = SET_KCTX_PZ;
497 	t_audit_data_t *tad;
498 
499 	if (kctx == NULL) {
500 		zone_status_t zstate = zone_status_get(curproc->p_zone);
501 		ASSERT(zstate != ZONE_IS_READY);
502 		return;
503 	}
504 
505 	tad = U2A(u);
506 
507 	/*
508 	 * this event being audited or do we need path information
509 	 * later? This might be for a chdir/chroot or open (add path
510 	 * to file pointer. If the path has already been found for an
511 	 * open/creat then we don't need to process the path.
512 	 *
513 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
514 	 *	chroot, chdir, open, creat system call processing. It determines
515 	 *	if audit_savepath() will discard the path or we need it later.
516 	 * PAD_PATHFND means path already included in this audit record. It
517 	 *	is used in cases where multiple path lookups are done per
518 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
519 	 *	paths are allowed.
520 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
521 	 *	exit processing to inhibit any paths that may be added due to
522 	 *	closes.
523 	 */
524 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
525 		((tad->tad_ctrl & PAD_PATHFND) &&
526 		!(kctx->auk_policy & AUDIT_PATH)) ||
527 		(tad->tad_ctrl & PAD_NOPATH)) {
528 			return;
529 	}
530 
531 	if (flag) {
532 		tad->tad_ctrl |= PAD_ABSPATH;
533 		if (tad->tad_aupath != NULL) {
534 			au_pathrele(tad->tad_aupath);
535 			tad->tad_aupath = NULL;
536 			tad->tad_vn = NULL;
537 		}
538 	}
539 }
540 
541 
542 /*
543  * symbolic link. Save previous components.
544  *
545  * the path seen so far looks like this
546  *
547  *  +-----------------------+----------------+
548  *  | path processed so far | remaining path |
549  *  +-----------------------+----------------+
550  *  \-----------------------/
551  *	save this string if
552  *	symbolic link relative
553  *	(but don't include  symlink component)
554  */
555 
556 /*ARGSUSED*/
557 
558 
559 /*
560  * ROUTINE:	AUDIT_SYMLINK
561  * PURPOSE:
562  * CALLBY:	LOOKUPPN
563  * NOTE:
564  * TODO:
565  * QUESTION:
566  */
567 void
568 audit_symlink(struct pathname *pnp, struct pathname *sympath)
569 {
570 	char *sp;	/* saved initial pp */
571 	char *cp;	/* start of symlink path */
572 	uint_t len_path;	/* processed path before symlink */
573 	t_audit_data_t *tad;
574 	au_kcontext_t	*kctx = SET_KCTX_PZ;
575 
576 	if (kctx == NULL) {
577 		zone_status_t zstate = zone_status_get(curproc->p_zone);
578 		ASSERT(zstate != ZONE_IS_READY);
579 		return;
580 	}
581 
582 	tad = U2A(u);
583 
584 	/*
585 	 * this event being audited or do we need path information
586 	 * later? This might be for a chdir/chroot or open (add path
587 	 * to file pointer. If the path has already been found for an
588 	 * open/creat then we don't need to process the path.
589 	 *
590 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
591 	 *	chroot, chdir, open, creat system call processing. It determines
592 	 *	if audit_savepath() will discard the path or we need it later.
593 	 * PAD_PATHFND means path already included in this audit record. It
594 	 *	is used in cases where multiple path lookups are done per
595 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
596 	 *	paths are allowed.
597 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
598 	 *	exit processing to inhibit any paths that may be added due to
599 	 *	closes.
600 	 */
601 	if ((tad->tad_flag == 0 &&
602 		!(tad->tad_ctrl & PAD_SAVPATH)) ||
603 		((tad->tad_ctrl & PAD_PATHFND) &&
604 		!(kctx->auk_policy & AUDIT_PATH)) ||
605 		(tad->tad_ctrl & PAD_NOPATH)) {
606 			return;
607 	}
608 
609 	/*
610 	 * if symbolic link is anchored at / then do nothing.
611 	 * When we cycle back to begin: in lookuppn() we will
612 	 * call audit_anchorpath() with a flag indicating if the
613 	 * path is anchored at / or is relative. We will release
614 	 * any saved path at that point.
615 	 *
616 	 * Note In the event that an error occurs in pn_combine then
617 	 * we want to remain pointing at the component that caused the
618 	 * path to overflow the pnp structure.
619 	 */
620 	if (sympath->pn_buf[0] == '/')
621 		return;
622 
623 	/* backup over last component */
624 	sp = cp = pnp->pn_path;
625 	while (*--cp != '/' && cp > pnp->pn_buf)
626 		;
627 
628 	len_path = cp - pnp->pn_buf;
629 
630 	/* is there anything to save? */
631 	if (len_path) {
632 		pnp->pn_path = cp;
633 		audit_pathbuild(pnp);
634 		pnp->pn_path = sp;
635 	}
636 }
637 
638 /*
639  * file_is_public : determine whether events for the file (corresponding to
640  * 			the specified file attr) should be audited or ignored.
641  *
642  * returns: 	1 - if audit policy and file attributes indicate that
643  *			file is effectively public. read events for
644  *			the file should not be audited.
645  *		0 - otherwise
646  *
647  * The required attributes to be considered a public object are:
648  * - owned by root, AND
649  * - world-readable (permissions for other include read), AND
650  * - NOT world-writeable (permissions for other don't
651  *	include write)
652  *   (mode doesn't need to be checked for symlinks)
653  */
654 int
655 file_is_public(struct vattr *attr)
656 {
657 	au_kcontext_t	*kctx = SET_KCTX_PZ;
658 
659 	if (kctx == NULL) {
660 		zone_status_t zstate = zone_status_get(curproc->p_zone);
661 		ASSERT(zstate != ZONE_IS_READY);
662 		return (0);
663 	}
664 
665 	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
666 	    ((attr->va_type == VLNK) ||
667 	    ((attr->va_mode & (VREAD>>6)) != 0) &&
668 	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
669 		return (1);
670 	}
671 	return (0);
672 }
673 
674 
675 /*
676  * ROUTINE:	AUDIT_ATTRIBUTES
677  * PURPOSE:	Audit the attributes so we can tell why the error occured
678  * CALLBY:	AUDIT_SAVEPATH
679  *		AUDIT_VNCREATE_FINISH
680  *		AUS_FCHOWN...audit_event.c...audit_path.c
681  * NOTE:
682  * TODO:
683  * QUESTION:
684  */
685 void
686 audit_attributes(struct vnode *vp)
687 {
688 	struct vattr attr;
689 	struct t_audit_data *tad;
690 
691 	tad = U2A(u);
692 
693 	if (vp) {
694 		attr.va_mask = AT_ALL;
695 		if (VOP_GETATTR(vp, &attr, 0, CRED()) != 0)
696 			return;
697 
698 		if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) {
699 			/*
700 			 * This is a public object and a "public" event
701 			 * (i.e., read only) -- either by definition
702 			 * (e.g., stat, access...) or by virtue of write access
703 			 * not being requested (e.g. mmap).
704 			 * Flag it in the tad to prevent this audit at the end.
705 			 */
706 			tad->tad_ctrl |= PAD_NOAUDIT;
707 		} else {
708 			au_uwrite(au_to_attr(&attr));
709 			audit_sec_attributes(&(u_ad), vp);
710 		}
711 	}
712 }
713 
714 
715 /*
716  * ROUTINE:	AUDIT_FALLOC
717  * PURPOSE:	allocating a new file structure
718  * CALLBY:	FALLOC
719  * NOTE:	file structure already initialized
720  * TODO:
721  * QUESTION:
722  */
723 
724 void
725 audit_falloc(struct file *fp)
726 {	/* AUDIT_FALLOC */
727 
728 	f_audit_data_t *fad;
729 
730 	/* allocate per file audit structure if there a'int any */
731 	ASSERT(F2A(fp) == NULL);
732 
733 	fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP);
734 
735 	F2A(fp) = fad;
736 
737 	fad->fad_thread = curthread; 	/* file audit data back ptr; DEBUG */
738 }
739 
740 /*
741  * ROUTINE:	AUDIT_UNFALLOC
742  * PURPOSE:	deallocate file audit data structure
743  * CALLBY:	CLOSEF
744  *		UNFALLOC
745  * NOTE:
746  * TODO:
747  * QUESTION:
748  */
749 
750 void
751 audit_unfalloc(struct file *fp)
752 {
753 	f_audit_data_t *fad;
754 
755 	fad = F2A(fp);
756 
757 	if (!fad) {
758 		return;
759 	}
760 	if (fad->fad_aupath != NULL) {
761 		au_pathrele(fad->fad_aupath);
762 	}
763 	fp->f_audit_data = 0;
764 	kmem_free(fad, sizeof (struct f_audit_data));
765 }
766 
767 /*
768  * ROUTINE:	AUDIT_EXIT
769  * PURPOSE:
770  * CALLBY:	EXIT
771  * NOTE:
772  * TODO:
773  * QUESTION:	why cmw code as offset by 2 but not here
774  */
775 /* ARGSUSED */
776 void
777 audit_exit(int code, int what)
778 {
779 	struct t_audit_data *tad;
780 	tad = U2A(u);
781 
782 	/*
783 	 * tad_scid will be set by audit_start even if we are not auditing
784 	 * the event.
785 	 */
786 	if (tad->tad_scid == SYS_exit) {
787 		/*
788 		 * if we are auditing the exit system call, then complete
789 		 * audit record generation (no return from system call).
790 		 */
791 		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
792 			audit_finish(0, SYS_exit, 0, 0);
793 		return;
794 	}
795 
796 	/*
797 	 * Anyone auditing the system call that was aborted?
798 	 */
799 	if (tad->tad_flag) {
800 		au_uwrite(au_to_text("event aborted"));
801 		audit_finish(0, tad->tad_scid, 0, 0);
802 	}
803 
804 	/*
805 	 * Generate an audit record for process exit if preselected.
806 	 */
807 	(void) audit_start(0, SYS_exit, 0, 0);
808 	audit_finish(0, SYS_exit, 0, 0);
809 }
810 
811 /*
812  * ROUTINE:	AUDIT_CORE_START
813  * PURPOSE:
814  * CALLBY: 	PSIG
815  * NOTE:
816  * TODO:
817  */
818 void
819 audit_core_start(int sig)
820 {
821 	au_event_t event;
822 	au_state_t estate;
823 	t_audit_data_t *tad;
824 	au_kcontext_t	*kctx;
825 
826 	tad = U2A(u);
827 
828 	ASSERT(tad != (t_audit_data_t *)0);
829 
830 	ASSERT(tad->tad_scid == 0);
831 	ASSERT(tad->tad_event == 0);
832 	ASSERT(tad->tad_evmod == 0);
833 	ASSERT(tad->tad_ctrl == 0);
834 	ASSERT(tad->tad_flag == 0);
835 	ASSERT(tad->tad_aupath == NULL);
836 
837 	kctx = SET_KCTX_PZ;
838 
839 	if (kctx == NULL) {
840 		zone_status_t zstate = zone_status_get(curproc->p_zone);
841 		ASSERT(zstate != ZONE_IS_READY);
842 		return;
843 	}
844 
845 	/* get basic event for system call */
846 	event = AUE_CORE;
847 	estate = kctx->auk_ets[event];
848 
849 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
850 		return;
851 
852 	/* reset the flags for non-user attributable events */
853 	tad->tad_ctrl   = PAD_CORE;
854 	tad->tad_scid   = 0;
855 
856 	/* if auditing not enabled, then don't generate an audit record */
857 
858 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
859 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
860 	    kctx->auk_auditstate == AUC_NOSPACE)) {
861 		tad->tad_flag = 0;
862 		tad->tad_ctrl = 0;
863 		return;
864 	}
865 
866 	tad->tad_event  = event;
867 	tad->tad_evmod  = 0;
868 
869 	ASSERT(tad->tad_ad == NULL);
870 
871 	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
872 }
873 
874 /*
875  * ROUTINE:	AUDIT_CORE_FINISH
876  * PURPOSE:
877  * CALLBY:	PSIG
878  * NOTE:
879  * TODO:
880  * QUESTION:
881  */
882 
883 /*ARGSUSED*/
884 void
885 audit_core_finish(int code)
886 {
887 	int flag;
888 	t_audit_data_t *tad;
889 	au_kcontext_t	*kctx;
890 
891 	tad = U2A(u);
892 
893 	ASSERT(tad != (t_audit_data_t *)0);
894 
895 	if ((flag = tad->tad_flag) == 0) {
896 		tad->tad_event = 0;
897 		tad->tad_evmod = 0;
898 		tad->tad_ctrl  = 0;
899 		ASSERT(tad->tad_aupath == NULL);
900 		return;
901 	}
902 	tad->tad_flag = 0;
903 
904 	kctx = SET_KCTX_PZ;
905 	if (kctx == NULL) {
906 		zone_status_t zstate = zone_status_get(curproc->p_zone);
907 		ASSERT(zstate != ZONE_IS_READY);
908 		return;
909 	}
910 
911 	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
912 	if (flag = audit_success(kctx, tad, 0)) {
913 		cred_t *cr = CRED();
914 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
915 
916 		ASSERT(ainfo != NULL);
917 
918 		/*
919 		 * Add a subject token (no locks since our private copy of
920 		 * credential
921 		 */
922 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo);
923 
924 		/* Add an optional group token */
925 		AUDIT_SETGROUP(&(u_ad), cr, kctx);
926 
927 		/* Add slabel token */
928 		if (is_system_labeled())
929 			au_write(&(u_ad), au_to_label(CR_SL(cr)));
930 
931 		/* Add a return token (should use f argument) */
932 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
933 
934 		AS_INC(as_generated, 1, kctx);
935 		AS_INC(as_kernel, 1, kctx);
936 	}
937 
938 	/* Close up everything */
939 	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
940 
941 	/* free up any space remaining with the path's */
942 	if (tad->tad_aupath != NULL) {
943 		au_pathrele(tad->tad_aupath);
944 		tad->tad_aupath = NULL;
945 		tad->tad_vn = NULL;
946 	}
947 	tad->tad_event = 0;
948 	tad->tad_evmod = 0;
949 	tad->tad_ctrl  = 0;
950 }
951 
952 /*ARGSUSED*/
953 void
954 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp)
955 {
956 }
957 
958 /*ARGSUSED*/
959 void
960 audit_strclose(struct vnode *vp, int flag, cred_t *crp)
961 {
962 }
963 
964 /*ARGSUSED*/
965 void
966 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag,
967     int copyflag, cred_t *crp, int *rvalp)
968 {
969 }
970 
971 
972 /*ARGSUSED*/
973 void
974 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
975     unsigned char *pri, int *flag, int fmode)
976 {
977 	struct stdata *stp;
978 	t_audit_data_t *tad = U2A(u);
979 
980 	ASSERT(tad != (t_audit_data_t *)0);
981 
982 	stp = vp->v_stream;
983 
984 	/* lock stdata from audit_sock */
985 	mutex_enter(&stp->sd_lock);
986 
987 	/* proceed ONLY if user is being audited */
988 	if (!tad->tad_flag) {
989 		/*
990 		 * this is so we will not add audit data onto
991 		 * a thread that is not being audited.
992 		 */
993 		stp->sd_t_audit_data = NULL;
994 		mutex_exit(&stp->sd_lock);
995 		return;
996 	}
997 
998 	stp->sd_t_audit_data = (caddr_t)curthread;
999 	mutex_exit(&stp->sd_lock);
1000 }
1001 
1002 /*ARGSUSED*/
1003 void
1004 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
1005     unsigned char pri, int flag, int fmode)
1006 {
1007 	struct stdata *stp;
1008 	t_audit_data_t *tad = U2A(u);
1009 
1010 	ASSERT(tad != (t_audit_data_t *)0);
1011 
1012 	stp = vp->v_stream;
1013 
1014 	/* lock stdata from audit_sock */
1015 	mutex_enter(&stp->sd_lock);
1016 
1017 	/* proceed ONLY if user is being audited */
1018 	if (!tad->tad_flag) {
1019 		/*
1020 		 * this is so we will not add audit data onto
1021 		 * a thread that is not being audited.
1022 		 */
1023 		stp->sd_t_audit_data = NULL;
1024 		mutex_exit(&stp->sd_lock);
1025 		return;
1026 	}
1027 
1028 	stp->sd_t_audit_data = (caddr_t)curthread;
1029 	mutex_exit(&stp->sd_lock);
1030 }
1031 
1032 /*
1033  * ROUTINE:	AUDIT_CLOSEF
1034  * PURPOSE:
1035  * CALLBY:	CLOSEF
1036  * NOTE:
1037  * release per file audit resources when file structure is being released.
1038  *
1039  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
1040  *	on the audit queue if it becomes full. This means
1041  *	audit_closef can not be called when f_count == 0. Since
1042  *	f_count == 0 indicates the file structure is free, another
1043  *	process could attempt to use the file while we were still
1044  *	asleep waiting on the audit queue. This would cause the
1045  *	per file audit data to be corrupted when we finally do
1046  *	wakeup.
1047  * TODO:
1048  * QUESTION:
1049  */
1050 
1051 void
1052 audit_closef(struct file *fp)
1053 {	/* AUDIT_CLOSEF */
1054 	f_audit_data_t *fad;
1055 	t_audit_data_t *tad;
1056 	int success;
1057 	au_state_t estate;
1058 	struct vnode *vp;
1059 	token_t *ad = NULL;
1060 	struct vattr attr;
1061 	short evmod = 0;
1062 	const auditinfo_addr_t *ainfo;
1063 	int getattr_ret;
1064 	cred_t *cr;
1065 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1066 
1067 	if (kctx == NULL) {
1068 		zone_status_t zstate = zone_status_get(curproc->p_zone);
1069 		ASSERT(zstate != ZONE_IS_READY);
1070 		return;
1071 	}
1072 
1073 	fad = F2A(fp);
1074 	estate = kctx->auk_ets[AUE_CLOSE];
1075 	tad = U2A(u);
1076 	cr = CRED();
1077 
1078 	/* audit record already generated by system call envelope */
1079 	if (tad->tad_event == AUE_CLOSE) {
1080 		/* so close audit event will have bits set */
1081 		tad->tad_evmod |= (short)fad->fad_flags;
1082 		return;
1083 	}
1084 
1085 	/* if auditing not enabled, then don't generate an audit record */
1086 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
1087 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
1088 	    kctx->auk_auditstate == AUC_NOSPACE))
1089 		return;
1090 
1091 	ainfo = crgetauinfo(cr);
1092 	if (ainfo == NULL)
1093 		return;
1094 
1095 	success = ainfo->ai_mask.as_success & estate;
1096 
1097 	/* not selected for this event */
1098 	if (success == 0)
1099 		return;
1100 
1101 	/*
1102 	 * can't use audit_attributes here since we use a private audit area
1103 	 * to build the audit record instead of the one off the thread.
1104 	 */
1105 	if ((vp = fp->f_vnode) != NULL) {
1106 		attr.va_mask = AT_ALL;
1107 		getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED());
1108 	}
1109 
1110 	/*
1111 	 * When write was not used and the file can be considered public,
1112 	 * then skip the audit.
1113 	 */
1114 	if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) {
1115 		if (file_is_public(&attr)) {
1116 			return;
1117 		}
1118 	}
1119 
1120 	evmod = (short)fad->fad_flags;
1121 	if (fad->fad_aupath != NULL) {
1122 		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
1123 	} else {
1124 #ifdef _LP64
1125 		au_write((caddr_t *)&(ad), au_to_arg64(
1126 			1, "no path: fp", (uint64_t)fp));
1127 #else
1128 		au_write((caddr_t *)&(ad), au_to_arg32(
1129 			1, "no path: fp", (uint32_t)fp));
1130 #endif
1131 	}
1132 
1133 	if (getattr_ret == 0) {
1134 		au_write((caddr_t *)&(ad), au_to_attr(&attr));
1135 		audit_sec_attributes((caddr_t *)&(ad), vp);
1136 	}
1137 
1138 	/* Add a subject token */
1139 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo);
1140 
1141 	/* add an optional group token */
1142 	AUDIT_SETGROUP((caddr_t *)&(ad), cr, kctx);
1143 
1144 	/* add slabel token */
1145 	if (is_system_labeled())
1146 		au_write((caddr_t *)&(ad), au_to_label(CR_SL(cr)));
1147 
1148 	/* add a return token */
1149 	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
1150 
1151 	AS_INC(as_generated, 1, kctx);
1152 	AS_INC(as_kernel, 1, kctx);
1153 
1154 	/*
1155 	 * Close up everything
1156 	 * Note: path space recovery handled by normal system
1157 	 * call envelope if not at last close.
1158 	 * Note there is no failure at this point since
1159 	 *   this represents closes due to exit of process,
1160 	 *   thus we always indicate successful closes.
1161 	 */
1162 	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
1163 	    AUE_CLOSE, evmod);
1164 }
1165 
1166 /*
1167  * ROUTINE:	AUDIT_SET
1168  * PURPOSE:	Audit the file path and file attributes.
1169  * CALLBY:	SETF
1170  * NOTE:	SETF associate a file pointer with user area's open files.
1171  * TODO:
1172  * call audit_finish directly ???
1173  * QUESTION:
1174  */
1175 
1176 /*ARGSUSED*/
1177 void
1178 audit_setf(file_t *fp, int fd)
1179 {
1180 	f_audit_data_t *fad;
1181 	t_audit_data_t *tad;
1182 
1183 	if (fp == NULL)
1184 		return;
1185 
1186 	tad = T2A(curthread);
1187 	fad = F2A(fp);
1188 
1189 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat ||
1190 	    tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 ||
1191 	    tad->tad_scid == SYS_fsat))
1192 		return;
1193 
1194 	/* no path */
1195 	if (tad->tad_aupath == 0)
1196 		return;
1197 
1198 	/*
1199 	 * assign path information associated with file audit data
1200 	 * use tad hold
1201 	 */
1202 	fad->fad_aupath = tad->tad_aupath;
1203 	tad->tad_aupath = NULL;
1204 	tad->tad_vn = NULL;
1205 
1206 	if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) {
1207 	/* adjust event type */
1208 		switch (tad->tad_event) {
1209 		case AUE_OPEN_RC:
1210 			tad->tad_event = AUE_OPEN_R;
1211 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1212 			break;
1213 		case AUE_OPEN_RTC:
1214 			tad->tad_event = AUE_OPEN_RT;
1215 			break;
1216 		case AUE_OPEN_WC:
1217 			tad->tad_event = AUE_OPEN_W;
1218 			break;
1219 		case AUE_OPEN_WTC:
1220 			tad->tad_event = AUE_OPEN_WT;
1221 			break;
1222 		case AUE_OPEN_RWC:
1223 			tad->tad_event = AUE_OPEN_RW;
1224 			break;
1225 		case AUE_OPEN_RWTC:
1226 			tad->tad_event = AUE_OPEN_RWT;
1227 			break;
1228 		default:
1229 			break;
1230 		}
1231 	}
1232 }
1233 
1234 
1235 /*
1236  * ROUTINE:	AUDIT_COPEN
1237  * PURPOSE:
1238  * CALLBY:	COPEN
1239  * NOTE:
1240  * TODO:
1241  * QUESTION:
1242  */
1243 /*ARGSUSED*/
1244 void
1245 audit_copen(int fd, file_t *fp, vnode_t *vp)
1246 {
1247 }
1248 
1249 void
1250 audit_ipc(int type, int id, void *vp)
1251 {
1252 	/* if not auditing this event, then do nothing */
1253 	if (ad_flag == 0)
1254 		return;
1255 
1256 	switch (type) {
1257 	case AT_IPC_MSG:
1258 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1259 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1260 		break;
1261 	case AT_IPC_SEM:
1262 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1263 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1264 		break;
1265 	case AT_IPC_SHM:
1266 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
1267 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1268 		break;
1269 	}
1270 }
1271 
1272 void
1273 audit_ipcget(int type, void *vp)
1274 {
1275 	/* if not auditing this event, then do nothing */
1276 	if (ad_flag == 0)
1277 		return;
1278 
1279 	switch (type) {
1280 	case NULL:
1281 		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
1282 		break;
1283 	case AT_IPC_MSG:
1284 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1285 		break;
1286 	case AT_IPC_SEM:
1287 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1288 		break;
1289 	case AT_IPC_SHM:
1290 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1291 		break;
1292 	}
1293 }
1294 
1295 /*
1296  * ROUTINE:	AUDIT_REBOOT
1297  * PURPOSE:
1298  * CALLBY:
1299  * NOTE:
1300  * At this point we know that the system call reboot will not return. We thus
1301  * have to complete the audit record generation and put it onto the queue.
1302  * This might be fairly useless if the auditing daemon is already dead....
1303  * TODO:
1304  * QUESTION:	who calls audit_reboot
1305  */
1306 
1307 void
1308 audit_reboot(void)
1309 {
1310 	int flag;
1311 	t_audit_data_t *tad;
1312 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1313 
1314 	if (kctx == NULL) {
1315 		zone_status_t zstate = zone_status_get(curproc->p_zone);
1316 		ASSERT(zstate != ZONE_IS_READY);
1317 		return;
1318 	}
1319 
1320 	tad = U2A(u);
1321 
1322 	/* if not auditing this event, then do nothing */
1323 	if (tad->tad_flag == 0)
1324 		return;
1325 
1326 	/* do preselection on success/failure */
1327 	if (flag = audit_success(kctx, tad, 0)) {
1328 		/* add a process token */
1329 
1330 		cred_t *cr = CRED();
1331 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1332 
1333 		if (ainfo == NULL)
1334 			return;
1335 
1336 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo);
1337 
1338 		/* add an optional group token */
1339 		AUDIT_SETGROUP(&(u_ad), cr, kctx);
1340 
1341 		/* add slabel token */
1342 		if (is_system_labeled())
1343 			au_uwrite(au_to_label(CR_SL(cr)));
1344 
1345 		/* add a return token */
1346 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
1347 
1348 		AS_INC(as_generated, 1, kctx);
1349 		AS_INC(as_kernel, 1, kctx);
1350 	}
1351 
1352 	/*
1353 	 * Flow control useless here since we're going
1354 	 * to drop everything in the queue anyway. Why
1355 	 * block and wait. There aint anyone left alive to
1356 	 * read the records remaining anyway.
1357 	 */
1358 
1359 	/* Close up everything */
1360 	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1361 	    tad->tad_event, tad->tad_evmod);
1362 }
1363 
1364 void
1365 audit_setfsat_path(int argnum)
1366 {
1367 	klwp_id_t clwp = ttolwp(curthread);
1368 	struct file  *fp;
1369 	uint32_t fd;
1370 	t_audit_data_t *tad;
1371 	struct f_audit_data *fad;
1372 	p_audit_data_t *pad;	/* current process */
1373 
1374 	struct b {
1375 		long arg1;
1376 		long arg2;
1377 		long arg3;
1378 		long arg4;
1379 		long arg5;
1380 	} *uap1;
1381 
1382 	if (clwp == NULL)
1383 		return;
1384 	uap1 = (struct b *)&clwp->lwp_ap[1];
1385 
1386 	tad = U2A(u);
1387 
1388 	ASSERT(tad != NULL);
1389 
1390 	if (tad->tad_scid != SYS_fsat)
1391 		return;
1392 
1393 	switch (argnum) {
1394 	case 1:
1395 		fd = (uint32_t)uap1->arg1;
1396 		break;
1397 	case 2:
1398 		fd = (uint32_t)uap1->arg2;
1399 		break;
1400 	case 3:
1401 		fd = (uint32_t)uap1->arg3;
1402 		break;
1403 	case 4:
1404 		fd = (uint32_t)uap1->arg4;
1405 		break;
1406 	case 5:
1407 		fd = (uint32_t)uap1->arg5;
1408 		break;
1409 	default:
1410 		return;
1411 	}
1412 
1413 	if (tad->tad_atpath != NULL) {
1414 		au_pathrele(tad->tad_atpath);
1415 		tad->tad_atpath = NULL;
1416 	}
1417 	if (fd != AT_FDCWD) {
1418 		if ((fp = getf(fd)) == NULL)
1419 			return;
1420 
1421 		fad = F2A(fp);
1422 		ASSERT(fad);
1423 		au_pathhold(fad->fad_aupath);
1424 		tad->tad_atpath = fad->fad_aupath;
1425 		releasef(fd);
1426 	} else {
1427 		pad = P2A(curproc);
1428 		mutex_enter(&pad->pad_lock);
1429 		au_pathhold(pad->pad_cwd);
1430 		tad->tad_atpath = pad->pad_cwd;
1431 		mutex_exit(&pad->pad_lock);
1432 	}
1433 }
1434 
1435 void
1436 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1437 {
1438 	t_audit_data_t *tad;
1439 	vnode_t	*vp;
1440 
1441 	tad = U2A(u);
1442 
1443 	/* if not auditing this event, then do nothing */
1444 	if (tad->tad_flag == 0)
1445 		return;
1446 
1447 	au_uwrite(au_to_text(target));
1448 
1449 	if (error)
1450 		return;
1451 
1452 	error = VOP_LOOKUP(dvp, sname, &vp, NULL, NO_FOLLOW, NULL, CRED());
1453 	if (error == 0) {
1454 		audit_attributes(vp);
1455 		VN_RELE(vp);
1456 	}
1457 }
1458 
1459 /*
1460  * ROUTINE:	AUDIT_VNCREATE_START
1461  * PURPOSE:	set flag so path name lookup in create will not add attribute
1462  * CALLBY:	VN_CREATE
1463  * NOTE:
1464  * TODO:
1465  * QUESTION:
1466  */
1467 
1468 void
1469 audit_vncreate_start()
1470 {
1471 	t_audit_data_t *tad;
1472 
1473 	tad = U2A(u);
1474 	tad->tad_ctrl |= PAD_NOATTRB;
1475 }
1476 
1477 /*
1478  * ROUTINE:	AUDIT_VNCREATE_FINISH
1479  * PURPOSE:
1480  * CALLBY:	VN_CREATE
1481  * NOTE:
1482  * TODO:
1483  * QUESTION:
1484  */
1485 void
1486 audit_vncreate_finish(struct vnode *vp, int error)
1487 {
1488 	t_audit_data_t *tad;
1489 
1490 	if (error)
1491 		return;
1492 
1493 	tad = U2A(u);
1494 
1495 	/* if not auditing this event, then do nothing */
1496 	if (tad->tad_flag == 0)
1497 		return;
1498 
1499 	if (tad->tad_ctrl & PAD_TRUE_CREATE) {
1500 		audit_attributes(vp);
1501 	}
1502 
1503 	if (tad->tad_ctrl & PAD_CORE) {
1504 		audit_attributes(vp);
1505 		tad->tad_ctrl &= ~PAD_CORE;
1506 	}
1507 
1508 	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1509 			(tad->tad_event == AUE_MKDIR))) {
1510 		audit_attributes(vp);
1511 	}
1512 
1513 	/* for case where multiple lookups in one syscall (rename) */
1514 	tad->tad_ctrl &= ~PAD_NOATTRB;
1515 }
1516 
1517 
1518 
1519 
1520 
1521 
1522 
1523 
1524 /*
1525  * ROUTINE:	AUDIT_EXEC
1526  * PURPOSE:	Records the function arguments and environment variables
1527  * CALLBY:	EXEC_ARGS
1528  * NOTE:
1529  * TODO:
1530  * QUESTION:
1531  */
1532 
1533 /*ARGSUSED*/
1534 void
1535 audit_exec(
1536 	const char *argstr,	/* argument strings */
1537 	const char *envstr,	/* environment strings */
1538 	ssize_t argc,		/* total # arguments */
1539 	ssize_t envc)		/* total # environment variables */
1540 {
1541 	t_audit_data_t *tad;
1542 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1543 
1544 	ASSERT(kctx != NULL);
1545 
1546 	tad = U2A(u);
1547 
1548 	/* if not auditing this event, then do nothing */
1549 	if (!tad->tad_flag)
1550 		return;
1551 
1552 	/* return if not interested in argv or environment variables */
1553 	if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE)))
1554 		return;
1555 
1556 	if (kctx->auk_policy & AUDIT_ARGV) {
1557 		au_uwrite(au_to_exec_args(argstr, argc));
1558 	}
1559 
1560 	if (kctx->auk_policy & AUDIT_ARGE) {
1561 		au_uwrite(au_to_exec_env(envstr, envc));
1562 	}
1563 }
1564 
1565 /*
1566  * ROUTINE:	AUDIT_ENTERPROM
1567  * PURPOSE:
1568  * CALLBY:	KBDINPUT
1569  *		ZSA_XSINT
1570  * NOTE:
1571  * TODO:
1572  * QUESTION:
1573  */
1574 void
1575 audit_enterprom(int flg)
1576 {
1577 	token_t *rp = NULL;
1578 	int sorf;
1579 
1580 	if (flg)
1581 		sorf = AUM_SUCC;
1582 	else
1583 		sorf = AUM_FAIL;
1584 
1585 	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1586 
1587 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1588 
1589 	if (flg)
1590 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1591 	else
1592 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1593 
1594 	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL);
1595 }
1596 
1597 
1598 /*
1599  * ROUTINE:	AUDIT_EXITPROM
1600  * PURPOSE:
1601  * CALLBY:	KBDINPUT
1602  *		ZSA_XSINT
1603  * NOTE:
1604  * TODO:
1605  * QUESTION:
1606  */
1607 void
1608 audit_exitprom(int flg)
1609 {
1610 	int sorf;
1611 	token_t *rp = NULL;
1612 
1613 	if (flg)
1614 		sorf = AUM_SUCC;
1615 	else
1616 		sorf = AUM_FAIL;
1617 
1618 	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1619 
1620 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1621 
1622 	if (flg)
1623 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1624 	else
1625 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1626 
1627 	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL);
1628 }
1629 
1630 struct fcntla {
1631 	int fdes;
1632 	int cmd;
1633 	intptr_t arg;
1634 };
1635 
1636 /*
1637  * ROUTINE:	AUDIT_C2_REVOKE
1638  * PURPOSE:
1639  * CALLBY:	FCNTL
1640  * NOTE:
1641  * TODO:
1642  * QUESTION:	are we keeping this func
1643  */
1644 
1645 /*ARGSUSED*/
1646 int
1647 audit_c2_revoke(struct fcntla *uap, rval_t *rvp)
1648 {
1649 	return (0);
1650 }
1651 
1652 
1653 /*
1654  * ROUTINE:	AUDIT_CHDIREC
1655  * PURPOSE:
1656  * CALLBY:	CHDIREC
1657  * NOTE:	The main function of CHDIREC
1658  * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1659  * QUESTION:
1660  */
1661 
1662 /*ARGSUSED*/
1663 void
1664 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1665 {
1666 	int		chdir;
1667 	int		fchdir;
1668 	struct audit_path	**appp;
1669 	struct file	*fp;
1670 	f_audit_data_t *fad;
1671 	p_audit_data_t *pad = P2A(curproc);
1672 	t_audit_data_t *tad = T2A(curthread);
1673 
1674 	struct a {
1675 		long fd;
1676 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1677 
1678 	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1679 		chdir = tad->tad_scid == SYS_chdir;
1680 		if (tad->tad_aupath) {
1681 			mutex_enter(&pad->pad_lock);
1682 			if (chdir)
1683 				appp = &(pad->pad_cwd);
1684 			else
1685 				appp = &(pad->pad_root);
1686 			au_pathrele(*appp);
1687 			/* use tad hold */
1688 			*appp = tad->tad_aupath;
1689 			tad->tad_aupath = NULL;
1690 			mutex_exit(&pad->pad_lock);
1691 		}
1692 	} else if ((tad->tad_scid == SYS_fchdir) ||
1693 	    (tad->tad_scid == SYS_fchroot)) {
1694 		fchdir = tad->tad_scid == SYS_fchdir;
1695 		if ((fp = getf(uap->fd)) == NULL)
1696 			return;
1697 		fad = F2A(fp);
1698 		if (fad->fad_aupath) {
1699 			au_pathhold(fad->fad_aupath);
1700 			mutex_enter(&pad->pad_lock);
1701 			if (fchdir)
1702 				appp = &(pad->pad_cwd);
1703 			else
1704 				appp = &(pad->pad_root);
1705 			au_pathrele(*appp);
1706 			*appp = fad->fad_aupath;
1707 			mutex_exit(&pad->pad_lock);
1708 			if (tad->tad_flag) {
1709 				au_uwrite(au_to_path(fad->fad_aupath));
1710 				audit_attributes(fp->f_vnode);
1711 			}
1712 		}
1713 		releasef(uap->fd);
1714 	}
1715 }
1716 
1717 /*
1718  * ROUTINE:	AUDIT_GETF
1719  * PURPOSE:
1720  * CALLBY:	GETF_INTERNAL
1721  * NOTE:	The main function of GETF_INTERNAL is to associate a given
1722  *		file descriptor with a file structure and increment the
1723  *		file pointer reference count.
1724  * TODO:	remove pass in of fpp.
1725  * increment a reference count so that even if a thread with same process delete
1726  * the same object, it will not panic our system
1727  * QUESTION:
1728  * where to decrement the f_count?????????????????
1729  * seems like I need to set a flag if f_count incrmented through audit_getf
1730  */
1731 
1732 /*ARGSUSED*/
1733 int
1734 audit_getf(int fd)
1735 {
1736 #ifdef NOTYET
1737 	t_audit_data_t *tad;
1738 
1739 	tad = T2A(curthread);
1740 
1741 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat))
1742 		return;
1743 #endif
1744 	return (0);
1745 }
1746 
1747 /*
1748  *	Audit hook for stream based socket and tli request.
1749  *	Note that we do not have user context while executing
1750  *	this code so we had to record them earlier during the
1751  *	putmsg/getmsg to figure out which user we are dealing with.
1752  */
1753 
1754 /*ARGSUSED*/
1755 void
1756 audit_sock(
1757 	int type,	/* type of tihdr.h header requests */
1758 	queue_t *q,	/* contains the process and thread audit data */
1759 	mblk_t *mp,	/* contains the tihdr.h header structures */
1760 	int from)	/* timod or sockmod request */
1761 {
1762 	int32_t    len;
1763 	int32_t    offset;
1764 	struct sockaddr_in *sock_data;
1765 	struct T_conn_req *conn_req;
1766 	struct T_conn_ind *conn_ind;
1767 	struct T_unitdata_req *unitdata_req;
1768 	struct T_unitdata_ind *unitdata_ind;
1769 	au_state_t estate;
1770 	t_audit_data_t *tad;
1771 	caddr_t saved_thread_ptr;
1772 	au_mask_t amask;
1773 	const auditinfo_addr_t *ainfo;
1774 	au_kcontext_t	*kctx;
1775 	zone_status_t	zstate;
1776 
1777 	if (q->q_stream == NULL)
1778 		return;
1779 	mutex_enter(&q->q_stream->sd_lock);
1780 	/* are we being audited */
1781 	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1782 	/* no pointer to thread, nothing to do */
1783 	if (saved_thread_ptr == NULL) {
1784 		mutex_exit(&q->q_stream->sd_lock);
1785 		return;
1786 	}
1787 	/* only allow one addition of a record token */
1788 	q->q_stream->sd_t_audit_data = NULL;
1789 	/*
1790 	 * thread is not the one being audited, then nothing to do
1791 	 * This could be the stream thread handling the module
1792 	 * service routine. In this case, the context for the audit
1793 	 * record can no longer be assumed. Simplest to just drop
1794 	 * the operation.
1795 	 */
1796 	if (curthread != (kthread_id_t)saved_thread_ptr) {
1797 		mutex_exit(&q->q_stream->sd_lock);
1798 		return;
1799 	}
1800 	if (curthread->t_sysnum >= SYS_so_socket &&
1801 	    curthread->t_sysnum <= SYS_sockconfig) {
1802 		mutex_exit(&q->q_stream->sd_lock);
1803 		return;
1804 	}
1805 	mutex_exit(&q->q_stream->sd_lock);
1806 	/*
1807 	 * we know that the thread that did the put/getmsg is the
1808 	 * one running. Now we can get the TAD and see if we should
1809 	 * add an audit token.
1810 	 */
1811 	tad = U2A(u);
1812 
1813 	kctx = SET_KCTX_PZ;
1814 	if (kctx == NULL) {
1815 		zstate = zone_status_get(curproc->p_zone);
1816 		ASSERT(zstate != ZONE_IS_READY);
1817 		return;
1818 	}
1819 
1820 	/* proceed ONLY if user is being audited */
1821 	if (!tad->tad_flag)
1822 		return;
1823 
1824 	ainfo = crgetauinfo(CRED());
1825 	if (ainfo == NULL)
1826 		return;
1827 	amask = ainfo->ai_mask;
1828 
1829 	/*
1830 	 * Figure out the type of stream networking request here.
1831 	 * Note that getmsg and putmsg are always preselected
1832 	 * because during the beginning of the system call we have
1833 	 * not yet figure out which of the socket or tli request
1834 	 * we are looking at until we are here. So we need to check
1835 	 * against that specific request and reset the type of event.
1836 	 */
1837 	switch (type) {
1838 	case T_CONN_REQ:	/* connection request */
1839 		conn_req = (struct T_conn_req *)mp->b_rptr;
1840 		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1841 			return;
1842 		offset = conn_req->DEST_offset;
1843 		len = conn_req->DEST_length;
1844 		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1845 		if (amask.as_success & estate || amask.as_failure & estate) {
1846 			tad->tad_event = AUE_SOCKCONNECT;
1847 			break;
1848 		} else {
1849 			return;
1850 		}
1851 	case T_CONN_IND:	 /* connectionless receive request */
1852 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1853 		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1854 			return;
1855 		offset = conn_ind->SRC_offset;
1856 		len = conn_ind->SRC_length;
1857 		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1858 		if (amask.as_success & estate || amask.as_failure & estate) {
1859 			tad->tad_event = AUE_SOCKACCEPT;
1860 			break;
1861 		} else {
1862 			return;
1863 		}
1864 	case T_UNITDATA_REQ:	 /* connectionless send request */
1865 		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1866 		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1867 			return;
1868 		offset = unitdata_req->DEST_offset;
1869 		len = unitdata_req->DEST_length;
1870 		estate = kctx->auk_ets[AUE_SOCKSEND];
1871 		if (amask.as_success & estate || amask.as_failure & estate) {
1872 			tad->tad_event = AUE_SOCKSEND;
1873 			break;
1874 		} else {
1875 			return;
1876 		}
1877 	case T_UNITDATA_IND:	 /* connectionless receive request */
1878 		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1879 		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1880 			return;
1881 		offset = unitdata_ind->SRC_offset;
1882 		len = unitdata_ind->SRC_length;
1883 		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1884 		if (amask.as_success & estate || amask.as_failure & estate) {
1885 			tad->tad_event = AUE_SOCKRECEIVE;
1886 			break;
1887 		} else {
1888 			return;
1889 		}
1890 	default:
1891 		return;
1892 	}
1893 
1894 	/*
1895 	 * we are only interested in tcp stream connections,
1896 	 * not unix domain stuff
1897 	 */
1898 	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1899 		tad->tad_event = AUE_GETMSG;
1900 		return;
1901 	}
1902 	/* skip over TPI header and point to the ip address */
1903 	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1904 
1905 	switch (sock_data->sin_family) {
1906 	case AF_INET:
1907 		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1908 		break;
1909 	default:	/* reset to AUE_PUTMSG if not a inet request */
1910 		tad->tad_event = AUE_GETMSG;
1911 		break;
1912 	}
1913 }
1914 
1915 void
1916 audit_lookupname()
1917 {
1918 }
1919 
1920 /*ARGSUSED*/
1921 int
1922 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr)
1923 {
1924 	return (0);
1925 }
1926 
1927 static void
1928 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1929 {
1930 	unsigned int sy_flags;
1931 
1932 #ifdef _SYSCALL32_IMPL
1933 	if (lwp_getdatamodel(
1934 		ttolwp(curthread)) == DATAMODEL_NATIVE)
1935 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1936 	else
1937 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1938 #else
1939 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1940 #endif
1941 
1942 	if (sy_flags == SE_64RVAL)
1943 		au_write(ad, au_to_return64(err, rval));
1944 	else
1945 		au_write(ad, au_to_return32(err, rval));
1946 
1947 }
1948 
1949 /*ARGSUSED*/
1950 void
1951 audit_fdsend(fd, fp, error)
1952 	int fd;
1953 	struct file *fp;
1954 	int error;		/* ignore for now */
1955 {
1956 	t_audit_data_t *tad;	/* current thread */
1957 	f_audit_data_t *fad;	/* per file audit structure */
1958 	struct vnode *vp;	/* for file attributes */
1959 
1960 	/* is this system call being audited */
1961 	tad = U2A(u);
1962 	ASSERT(tad != (t_audit_data_t *)0);
1963 	if (!tad->tad_flag)
1964 		return;
1965 
1966 	fad = F2A(fp);
1967 
1968 	/* add path and file attributes */
1969 	if (fad != NULL && fad->fad_aupath != NULL) {
1970 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1971 		au_uwrite(au_to_path(fad->fad_aupath));
1972 	} else {
1973 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1974 #ifdef _LP64
1975 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1976 #else
1977 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1978 #endif
1979 	}
1980 	vp = fp->f_vnode;	/* include vnode attributes */
1981 	audit_attributes(vp);
1982 }
1983 
1984 /*
1985  * Record privileges sucessfully used and we attempted to use but
1986  * didn't have.
1987  */
1988 void
1989 audit_priv(int priv, const priv_set_t *set, int flag)
1990 {
1991 	t_audit_data_t *tad;
1992 	int sbit;
1993 	priv_set_t *target;
1994 
1995 	/* Make sure this isn't being called in an interrupt context */
1996 	ASSERT(servicing_interrupt() == 0);
1997 
1998 	tad = U2A(u);
1999 
2000 	if (tad->tad_flag == 0)
2001 		return;
2002 
2003 	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
2004 	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
2005 
2006 	/* Tell audit_success() and audit_finish() that we saw this case */
2007 	if (!(tad->tad_evmod & sbit)) {
2008 		/* Clear set first time around */
2009 		priv_emptyset(target);
2010 		tad->tad_evmod |= sbit;
2011 	}
2012 
2013 	/* Save the privileges in the tad */
2014 	if (priv == PRIV_ALL) {
2015 		priv_fillset(target);
2016 	} else {
2017 		ASSERT(set != NULL || priv != PRIV_NONE);
2018 		if (set != NULL)
2019 			priv_union(set, target);
2020 		if (priv != PRIV_NONE)
2021 			priv_addset(target, priv);
2022 	}
2023 }
2024 
2025 /*
2026  * Audit the setpriv() system call; the operation, the set name and
2027  * the current value as well as the set argument are put in the
2028  * audit trail.
2029  */
2030 void
2031 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
2032 {
2033 	t_audit_data_t *tad;
2034 	const priv_set_t *oldpriv;
2035 	priv_set_t report;
2036 	const char *setname;
2037 
2038 	tad = U2A(u);
2039 
2040 	if (tad->tad_flag == 0)
2041 		return;
2042 
2043 	oldpriv = priv_getset(ocr, set);
2044 
2045 	/* Generate the actual record, include the before and after */
2046 	au_uwrite(au_to_arg32(2, "op", op));
2047 	setname = priv_getsetbynum(set);
2048 
2049 	switch (op) {
2050 	case PRIV_OFF:
2051 		/* Report privileges actually switched off */
2052 		report = *oldpriv;
2053 		priv_intersect(newpriv, &report);
2054 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
2055 		break;
2056 	case PRIV_ON:
2057 		/* Report privileges actually switched on */
2058 		report = *oldpriv;
2059 		priv_inverse(&report);
2060 		priv_intersect(newpriv, &report);
2061 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
2062 		break;
2063 	case PRIV_SET:
2064 		/* Report before and after */
2065 		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
2066 		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
2067 		break;
2068 	}
2069 }
2070 
2071 /*
2072  * Dump the full device policy setting in the audit trail.
2073  */
2074 void
2075 audit_devpolicy(int nitems, const devplcysys_t *items)
2076 {
2077 	t_audit_data_t *tad;
2078 	int i;
2079 
2080 	tad = U2A(u);
2081 
2082 	if (tad->tad_flag == 0)
2083 		return;
2084 
2085 	for (i = 0; i < nitems; i++) {
2086 		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
2087 		if (items[i].dps_minornm[0] == '\0') {
2088 			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
2089 			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
2090 		} else
2091 			au_uwrite(au_to_text(items[i].dps_minornm));
2092 
2093 		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
2094 		    AUT_PRIV, 0));
2095 		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
2096 		    AUT_PRIV, 0));
2097 	}
2098 }
2099 
2100 /*ARGSUSED*/
2101 void
2102 audit_fdrecv(fd, fp)
2103 	int fd;
2104 	struct file *fp;
2105 {
2106 	t_audit_data_t *tad;	/* current thread */
2107 	f_audit_data_t *fad;	/* per file audit structure */
2108 	struct vnode *vp;	/* for file attributes */
2109 
2110 	/* is this system call being audited */
2111 	tad = U2A(u);
2112 	ASSERT(tad != (t_audit_data_t *)0);
2113 	if (!tad->tad_flag)
2114 		return;
2115 
2116 	fad = F2A(fp);
2117 
2118 	/* add path and file attributes */
2119 	if (fad != NULL && fad->fad_aupath != NULL) {
2120 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2121 		au_uwrite(au_to_path(fad->fad_aupath));
2122 	} else {
2123 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2124 #ifdef _LP64
2125 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
2126 #else
2127 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
2128 #endif
2129 	}
2130 	vp = fp->f_vnode;	/* include vnode attributes */
2131 	audit_attributes(vp);
2132 }
2133 
2134 /*
2135  * ROUTINE:	AUDIT_CRYPTOADM
2136  * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
2137  * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
2138  *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
2139  *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
2140  *		CRYPTO_LOAD_DOOR
2141  * NOTE:
2142  * TODO:
2143  * QUESTION:
2144  */
2145 
2146 void
2147 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
2148     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
2149 {
2150 	boolean_t		mech_list_required = B_FALSE;
2151 	cred_t			*cr = CRED();
2152 	t_audit_data_t		*tad;
2153 	token_t			*ad = NULL;
2154 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2155 	char			buffer[MAXNAMELEN * 2];
2156 	au_kcontext_t		*kctx = SET_KCTX_PZ;
2157 
2158 	ASSERT(kctx != NULL);
2159 
2160 	tad = U2A(u);
2161 	if (tad == NULL)
2162 		return;
2163 
2164 	if (ainfo == NULL)
2165 		return;
2166 
2167 	tad->tad_event = AUE_CRYPTOADM;
2168 
2169 	if (audit_success(kctx, tad, error) != AU_OK)
2170 		return;
2171 
2172 	/* Add a subject token */
2173 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo);
2174 
2175 	/* add an optional group token */
2176 	AUDIT_SETGROUP((caddr_t *)&(ad), cr, kctx);
2177 
2178 	/* add slabel token */
2179 	if (is_system_labeled())
2180 		au_write((caddr_t *)&ad, au_to_label(CR_SL(cr)));
2181 
2182 	switch (cmd) {
2183 	case CRYPTO_LOAD_DEV_DISABLED:
2184 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2185 			(void) snprintf(buffer, sizeof (buffer),
2186 			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
2187 			    " dev_instance=%d",
2188 			    module_name, device_instance);
2189 			mech_list_required = B_TRUE;
2190 		} else {
2191 			(void) snprintf(buffer, sizeof (buffer),
2192 			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
2193 		}
2194 		break;
2195 
2196 	case CRYPTO_LOAD_SOFT_DISABLED:
2197 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2198 			(void) snprintf(buffer, sizeof (buffer),
2199 			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
2200 			    module_name);
2201 			mech_list_required = B_TRUE;
2202 		} else {
2203 			(void) snprintf(buffer, sizeof (buffer),
2204 			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
2205 		}
2206 		break;
2207 
2208 	case CRYPTO_UNLOAD_SOFT_MODULE:
2209 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2210 			(void) snprintf(buffer, sizeof (buffer),
2211 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
2212 			    module_name);
2213 		} else {
2214 			(void) snprintf(buffer, sizeof (buffer),
2215 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
2216 		}
2217 		break;
2218 
2219 	case CRYPTO_LOAD_SOFT_CONFIG:
2220 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2221 			(void) snprintf(buffer, sizeof (buffer),
2222 			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
2223 			    module_name);
2224 			mech_list_required = B_TRUE;
2225 		} else {
2226 			(void) snprintf(buffer, sizeof (buffer),
2227 			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
2228 		}
2229 		break;
2230 
2231 	case CRYPTO_POOL_CREATE:
2232 		(void) snprintf(buffer, sizeof (buffer),
2233 		    "op=CRYPTO_POOL_CREATE");
2234 		break;
2235 
2236 	case CRYPTO_POOL_WAIT:
2237 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
2238 		break;
2239 
2240 	case CRYPTO_POOL_RUN:
2241 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
2242 		break;
2243 
2244 	case CRYPTO_LOAD_DOOR:
2245 		if (error == 0 && rv == CRYPTO_SUCCESS)
2246 			(void) snprintf(buffer, sizeof (buffer),
2247 			    "op=CRYPTO_LOAD_DOOR");
2248 		else
2249 			(void) snprintf(buffer, sizeof (buffer),
2250 			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
2251 		break;
2252 
2253 	default:
2254 		return;
2255 	}
2256 
2257 	au_write((caddr_t *)&ad, au_to_text(buffer));
2258 
2259 	if (mech_list_required) {
2260 		int i;
2261 
2262 		if (mech_count == 0) {
2263 			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
2264 		} else {
2265 			char	*pb = buffer;
2266 			size_t	l = sizeof (buffer);
2267 			size_t	n;
2268 			char	space[2] = ":";
2269 
2270 			n = snprintf(pb, l, "mech=");
2271 
2272 			for (i = 0; i < mech_count; i++) {
2273 				pb += n;
2274 				l -= n;
2275 				if (l < 0)
2276 					l = 0;
2277 
2278 				if (i == mech_count - 1)
2279 					(void) strcpy(space, "");
2280 
2281 				n = snprintf(pb, l, "%s%s", mech_names[i],
2282 				    space);
2283 			}
2284 			au_write((caddr_t *)&ad, au_to_text(buffer));
2285 		}
2286 	}
2287 
2288 	/* add a return token */
2289 	if (error || (rv != CRYPTO_SUCCESS))
2290 		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
2291 	else
2292 		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
2293 
2294 	AS_INC(as_generated, 1, kctx);
2295 	AS_INC(as_kernel, 1, kctx);
2296 
2297 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0);
2298 }
2299 
2300 /*
2301  * Audit the kernel SSL administration command. The address and the
2302  * port number for the SSL instance, and the proxy port are put in the
2303  * audit trail.
2304  */
2305 void
2306 audit_kssl(int cmd, void *params, int error)
2307 {
2308 	cred_t			*cr = CRED();
2309 	t_audit_data_t		*tad;
2310 	token_t			*ad = NULL;
2311 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2312 	au_kcontext_t		*kctx = SET_KCTX_PZ;
2313 
2314 	ASSERT(kctx != NULL);
2315 	tad = U2A(u);
2316 
2317 	if (ainfo == NULL)
2318 		return;
2319 
2320 	tad->tad_event = AUE_CONFIGKSSL;
2321 
2322 	if (audit_success(kctx, tad, error) != AU_OK)
2323 		return;
2324 
2325 	/* Add a subject token */
2326 	AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo);
2327 
2328 	/* add an optional group token */
2329 	AUDIT_SETGROUP((caddr_t *)&ad, cr, kctx);
2330 
2331 	/* Add slabel token */
2332 	if (is_system_labeled())
2333 		au_write(&(u_ad), au_to_label(CR_SL(cr)));
2334 
2335 	switch (cmd) {
2336 	case KSSL_ADD_ENTRY: {
2337 		char buf[32];
2338 		kssl_params_t *kp = (kssl_params_t *)params;
2339 		struct sockaddr_in *saddr = &(kp->kssl_addr);
2340 
2341 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2342 		au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
2343 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2344 		    saddr->sin_port);
2345 		au_write((caddr_t *)&ad, au_to_text(buf));
2346 
2347 		(void) snprintf(buf, sizeof (buf), "proxy port=%d",
2348 		    kp->kssl_proxy_port);
2349 		au_write((caddr_t *)&ad, au_to_text(buf));
2350 		break;
2351 	}
2352 
2353 	case KSSL_DELETE_ENTRY: {
2354 		char buf[32];
2355 		struct sockaddr_in *saddr = (struct sockaddr_in *)params;
2356 
2357 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2358 		au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
2359 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2360 		    saddr->sin_port);
2361 		au_write((caddr_t *)&ad, au_to_text(buf));
2362 		break;
2363 	}
2364 
2365 	default:
2366 		return;
2367 	}
2368 
2369 	/* add a return token */
2370 	add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2371 
2372 	AS_INC(as_generated, 1, kctx);
2373 	AS_INC(as_kernel, 1, kctx);
2374 
2375 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0);
2376 }
2377 
2378 /*
2379  * ROUTINE:	AUDIT_SEC_ATTRIBUTES
2380  * PURPOSE:	Add security attributes
2381  * CALLBY:	AUDIT_ATTRIBUTES
2382  *		AUDIT_CLOSEF
2383  *		AUS_CLOSE
2384  * NOTE:
2385  * TODO:
2386  * QUESTION:
2387  */
2388 
2389 void
2390 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2391 {
2392 	/* Dump the SL */
2393 	if (is_system_labeled()) {
2394 		ts_label_t	*tsl;
2395 		bslabel_t	*bsl;
2396 
2397 		tsl = getflabel(vp);
2398 		if (tsl == NULL)
2399 			return;			/* nothing else to do */
2400 
2401 		bsl = label2bslabel(tsl);
2402 		if (bsl == NULL)
2403 			return;			/* nothing else to do */
2404 		au_write(ad, au_to_label(bsl));
2405 		label_rele(tsl);
2406 	}
2407 
2408 }	/* AUDIT_SEC_ATTRIBUTES */
2409