xref: /illumos-gate/usr/src/uts/common/c2/audit.c (revision 5633e4f8e97f7c73a0a130a449ccfd2c034561ce)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 /*
26  * This file contains the audit hook support code for auditing.
27  */
28 
29 #include <sys/types.h>
30 #include <sys/proc.h>
31 #include <sys/vnode.h>
32 #include <sys/vfs.h>
33 #include <sys/file.h>
34 #include <sys/user.h>
35 #include <sys/stropts.h>
36 #include <sys/systm.h>
37 #include <sys/pathname.h>
38 #include <sys/syscall.h>
39 #include <sys/fcntl.h>
40 #include <sys/ipc_impl.h>
41 #include <sys/msg_impl.h>
42 #include <sys/sem_impl.h>
43 #include <sys/shm_impl.h>
44 #include <sys/kmem.h>		/* for KM_SLEEP */
45 #include <sys/socket.h>
46 #include <sys/cmn_err.h>	/* snprintf... */
47 #include <sys/debug.h>
48 #include <sys/thread.h>
49 #include <netinet/in.h>
50 #include <c2/audit.h>		/* needs to be included before user.h */
51 #include <c2/audit_kernel.h>	/* for M_DONTWAIT */
52 #include <c2/audit_kevents.h>
53 #include <c2/audit_record.h>
54 #include <sys/strsubr.h>
55 #include <sys/tihdr.h>
56 #include <sys/tiuser.h>
57 #include <sys/timod.h>
58 #include <sys/model.h>		/* for model_t */
59 #include <sys/disp.h>		/* for servicing_interrupt() */
60 #include <sys/devpolicy.h>
61 #include <sys/crypto/ioctladmin.h>
62 #include <sys/cred_impl.h>
63 #include <inet/kssl/kssl.h>
64 #include <net/pfpolicy.h>
65 
66 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
67 
68 static void audit_pathbuild(struct pathname *pnp);
69 
70 
71 /*
72  * ROUTINE:	AUDIT_SAVEPATH
73  * PURPOSE:
74  * CALLBY:	LOOKUPPN
75  *
76  * NOTE:	We have reached the end of a path in fs/lookup.c.
77  *		We get two pieces of information here:
78  *		the vnode of the last component (vp) and
79  *		the status of the last access (flag).
80  * TODO:
81  * QUESTION:
82  */
83 
84 /*ARGSUSED*/
85 int
86 audit_savepath(
87 	struct pathname *pnp,		/* pathname to lookup */
88 	struct vnode *vp,		/* vnode of the last component */
89 	struct vnode *pvp,		/* vnode of the last parent component */
90 	int    flag,			/* status of the last access */
91 	cred_t *cr)			/* cred of requestor */
92 {
93 
94 	t_audit_data_t *tad;	/* current thread */
95 	au_kcontext_t	*kctx = GET_KCTX_PZ;
96 
97 	tad = U2A(u);
98 
99 	/*
100 	 * Noise elimination in audit trails - this event will be discarded if:
101 	 * - the public policy is not active AND
102 	 * - the system call is a public operation AND
103 	 * - the file was not found: VFS lookup failed with ENOENT error AND
104 	 * - the missing file would have been located in the public directory
105 	 *   owned by root if it had existed
106 	 */
107 	if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
108 	    (tad->tad_ctrl & TAD_PUBLIC_EV) &&
109 	    !(kctx->auk_policy & AUDIT_PUBLIC)) {
110 		struct vattr attr;
111 
112 		attr.va_mask = AT_ALL;
113 		if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
114 			if (object_is_public(&attr)) {
115 				tad->tad_ctrl |= TAD_NOAUDIT;
116 			}
117 		}
118 	}
119 
120 	/*
121 	 * this event being audited or do we need path information
122 	 * later? This might be for a chdir/chroot or open (add path
123 	 * to file pointer. If the path has already been found for an
124 	 * open/creat then we don't need to process the path.
125 	 *
126 	 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
127 	 *	chroot, chdir, open, creat system call processing. It determines
128 	 *	if audit_savepath() will discard the path or we need it later.
129 	 * TAD_PATHFND means path already included in this audit record. It
130 	 *	is used in cases where multiple path lookups are done per
131 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
132 	 *	paths are allowed.
133 	 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
134 	 *	exit processing to inhibit any paths that may be added due to
135 	 *	closes.
136 	 */
137 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
138 	    ((tad->tad_ctrl & TAD_PATHFND) &&
139 	    !(kctx->auk_policy & AUDIT_PATH)) ||
140 	    (tad->tad_ctrl & TAD_NOPATH)) {
141 		return (0);
142 	}
143 
144 	tad->tad_ctrl |= TAD_NOPATH;		/* prevent possible reentry */
145 
146 	audit_pathbuild(pnp);
147 
148 	/*
149 	 * are we auditing only if error, or if it is not open or create
150 	 * otherwise audit_setf will do it
151 	 */
152 
153 	if (tad->tad_flag) {
154 		if (flag &&
155 		    (tad->tad_scid == SYS_open ||
156 		    tad->tad_scid == SYS_open64 ||
157 		    tad->tad_scid == SYS_openat ||
158 		    tad->tad_scid == SYS_openat64)) {
159 			tad->tad_ctrl |= TAD_TRUE_CREATE;
160 		}
161 
162 		/* add token to audit record for this name */
163 		au_uwrite(au_to_path(tad->tad_aupath));
164 
165 		/* add the attributes of the object */
166 		if (vp) {
167 			/*
168 			 * only capture attributes when there is no error
169 			 * lookup will not return the vnode of the failing
170 			 * component.
171 			 *
172 			 * if there was a lookup error, then don't add
173 			 * attribute. if lookup in vn_create(),
174 			 * then don't add attribute,
175 			 * it will be added at end of vn_create().
176 			 */
177 			if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
178 				audit_attributes(vp);
179 		}
180 	}
181 
182 	/* free up space if we're not going to save path (open, creat) */
183 	if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
184 		if (tad->tad_aupath != NULL) {
185 			au_pathrele(tad->tad_aupath);
186 			tad->tad_aupath = NULL;
187 		}
188 	}
189 	if (tad->tad_ctrl & TAD_MLD)
190 		tad->tad_ctrl |= TAD_PATHFND;
191 
192 	tad->tad_ctrl &= ~TAD_NOPATH;		/* restore */
193 	return (0);
194 }
195 
196 static void
197 audit_pathbuild(struct pathname *pnp)
198 {
199 	char *pp;	/* pointer to path */
200 	int len;	/* length of incoming segment */
201 	int newsect;	/* path requires a new section */
202 	struct audit_path	*pfxapp;	/* prefix for path */
203 	struct audit_path	*newapp;	/* new audit_path */
204 	t_audit_data_t *tad;	/* current thread */
205 	p_audit_data_t *pad;	/* current process */
206 
207 	tad = U2A(u);
208 	ASSERT(tad != NULL);
209 	pad = P2A(curproc);
210 	ASSERT(pad != NULL);
211 
212 	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
213 	ASSERT(len > 0);
214 
215 	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
216 	mutex_enter(&pad->pad_lock);
217 	if (tad->tad_aupath != NULL) {
218 		pfxapp = tad->tad_aupath;
219 	} else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
220 		ASSERT(tad->tad_atpath != NULL);
221 		pfxapp = tad->tad_atpath;
222 	} else if (tad->tad_ctrl & TAD_ABSPATH) {
223 		pfxapp = pad->pad_root;
224 	} else {
225 		pfxapp = pad->pad_cwd;
226 	}
227 	au_pathhold(pfxapp);
228 	mutex_exit(&pad->pad_lock);
229 
230 	/* get an expanded buffer to hold the anchored path */
231 	newsect = tad->tad_ctrl & TAD_ATTPATH;
232 	newapp = au_pathdup(pfxapp, newsect, len);
233 	au_pathrele(pfxapp);
234 
235 	pp = newapp->audp_sect[newapp->audp_cnt] - len;
236 	if (!newsect) {
237 		/* overlay previous NUL terminator */
238 		*(pp - 1) = '/';
239 	}
240 
241 	/* now add string of processed path */
242 	bcopy(pnp->pn_buf, pp, len);
243 	pp[len - 1] = '\0';
244 
245 	/* perform path simplification as necessary */
246 	audit_fixpath(newapp, len);
247 
248 	if (tad->tad_aupath)
249 		au_pathrele(tad->tad_aupath);
250 	tad->tad_aupath = newapp;
251 
252 	/* for case where multiple lookups in one syscall (rename) */
253 	tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
254 }
255 
256 
257 /*
258  * ROUTINE:	AUDIT_ANCHORPATH
259  * PURPOSE:
260  * CALLBY:	LOOKUPPN
261  * NOTE:
262  * anchor path at "/". We have seen a symbolic link or entering for the
263  * first time we will throw away any saved path if path is anchored.
264  *
265  * flag = 0, path is relative.
266  * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
267  *
268  * If the (new) path is absolute, then we have to throw away whatever we have
269  * already accumulated since it is being superseded by new path which is
270  * anchored at the root.
271  *		Note that if the path is relative, this function does nothing
272  * TODO:
273  * QUESTION:
274  */
275 /*ARGSUSED*/
276 void
277 audit_anchorpath(struct pathname *pnp, int flag)
278 {
279 	au_kcontext_t	*kctx = GET_KCTX_PZ;
280 	t_audit_data_t *tad;
281 
282 	tad = U2A(u);
283 
284 	/*
285 	 * this event being audited or do we need path information
286 	 * later? This might be for a chdir/chroot or open (add path
287 	 * to file pointer. If the path has already been found for an
288 	 * open/creat then we don't need to process the path.
289 	 *
290 	 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
291 	 *	chroot, chdir, open, creat system call processing. It determines
292 	 *	if audit_savepath() will discard the path or we need it later.
293 	 * TAD_PATHFND means path already included in this audit record. It
294 	 *	is used in cases where multiple path lookups are done per
295 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
296 	 *	paths are allowed.
297 	 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
298 	 *	exit processing to inhibit any paths that may be added due to
299 	 *	closes.
300 	 */
301 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
302 	    ((tad->tad_ctrl & TAD_PATHFND) &&
303 	    !(kctx->auk_policy & AUDIT_PATH)) ||
304 	    (tad->tad_ctrl & TAD_NOPATH)) {
305 		return;
306 	}
307 
308 	if (flag) {
309 		tad->tad_ctrl |= TAD_ABSPATH;
310 		if (tad->tad_aupath != NULL) {
311 			au_pathrele(tad->tad_aupath);
312 			tad->tad_aupath = NULL;
313 		}
314 	}
315 }
316 
317 
318 /*
319  * symbolic link. Save previous components.
320  *
321  * the path seen so far looks like this
322  *
323  *  +-----------------------+----------------+
324  *  | path processed so far | remaining path |
325  *  +-----------------------+----------------+
326  *  \-----------------------/
327  *	save this string if
328  *	symbolic link relative
329  *	(but don't include  symlink component)
330  */
331 
332 /*ARGSUSED*/
333 
334 
335 /*
336  * ROUTINE:	AUDIT_SYMLINK
337  * PURPOSE:
338  * CALLBY:	LOOKUPPN
339  * NOTE:
340  * TODO:
341  * QUESTION:
342  */
343 void
344 audit_symlink(struct pathname *pnp, struct pathname *sympath)
345 {
346 	char *sp;	/* saved initial pp */
347 	char *cp;	/* start of symlink path */
348 	uint_t len_path;	/* processed path before symlink */
349 	t_audit_data_t *tad;
350 	au_kcontext_t	*kctx = GET_KCTX_PZ;
351 
352 	tad = U2A(u);
353 
354 	/*
355 	 * this event being audited or do we need path information
356 	 * later? This might be for a chdir/chroot or open (add path
357 	 * to file pointer. If the path has already been found for an
358 	 * open/creat then we don't need to process the path.
359 	 *
360 	 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
361 	 *	chroot, chdir, open, creat system call processing. It determines
362 	 *	if audit_savepath() will discard the path or we need it later.
363 	 * TAD_PATHFND means path already included in this audit record. It
364 	 *	is used in cases where multiple path lookups are done per
365 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
366 	 *	paths are allowed.
367 	 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
368 	 *	exit processing to inhibit any paths that may be added due to
369 	 *	closes.
370 	 */
371 	if ((tad->tad_flag == 0 &&
372 	    !(tad->tad_ctrl & TAD_SAVPATH)) ||
373 	    ((tad->tad_ctrl & TAD_PATHFND) &&
374 	    !(kctx->auk_policy & AUDIT_PATH)) ||
375 	    (tad->tad_ctrl & TAD_NOPATH)) {
376 		return;
377 	}
378 
379 	/*
380 	 * if symbolic link is anchored at / then do nothing.
381 	 * When we cycle back to begin: in lookuppn() we will
382 	 * call audit_anchorpath() with a flag indicating if the
383 	 * path is anchored at / or is relative. We will release
384 	 * any saved path at that point.
385 	 *
386 	 * Note In the event that an error occurs in pn_combine then
387 	 * we want to remain pointing at the component that caused the
388 	 * path to overflow the pnp structure.
389 	 */
390 	if (sympath->pn_buf[0] == '/')
391 		return;
392 
393 	/* backup over last component */
394 	sp = cp = pnp->pn_path;
395 	while (*--cp != '/' && cp > pnp->pn_buf)
396 		;
397 
398 	len_path = cp - pnp->pn_buf;
399 
400 	/* is there anything to save? */
401 	if (len_path) {
402 		pnp->pn_path = pnp->pn_buf;
403 		audit_pathbuild(pnp);
404 		pnp->pn_path = sp;
405 	}
406 }
407 
408 /*
409  * object_is_public : determine whether events for the object (corresponding to
410  *			the specified file/directory attr) should be audited or
411  *			ignored.
412  *
413  * returns: 	1 - if audit policy and object attributes indicate that
414  *			file/directory is effectively public. read events for
415  *			the file should not be audited.
416  *		0 - otherwise
417  *
418  * The required attributes to be considered a public object are:
419  * - owned by root, AND
420  * - world-readable (permissions for other include read), AND
421  * - NOT world-writeable (permissions for other don't
422  *	include write)
423  *   (mode doesn't need to be checked for symlinks)
424  */
425 int
426 object_is_public(struct vattr *attr)
427 {
428 	au_kcontext_t	*kctx = GET_KCTX_PZ;
429 
430 	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
431 	    ((attr->va_type == VLNK) ||
432 	    ((attr->va_mode & (VREAD>>6)) != 0) &&
433 	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
434 		return (1);
435 	}
436 	return (0);
437 }
438 
439 
440 /*
441  * ROUTINE:	AUDIT_ATTRIBUTES
442  * PURPOSE:	Audit the attributes so we can tell why the error occurred
443  * CALLBY:	AUDIT_SAVEPATH
444  *		AUDIT_VNCREATE_FINISH
445  *		AUS_FCHOWN...audit_event.c...audit_path.c
446  * NOTE:
447  * TODO:
448  * QUESTION:
449  */
450 void
451 audit_attributes(struct vnode *vp)
452 {
453 	struct vattr attr;
454 	struct t_audit_data *tad;
455 
456 	tad = U2A(u);
457 
458 	if (vp) {
459 		attr.va_mask = AT_ALL;
460 		if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
461 			return;
462 
463 		if (object_is_public(&attr) &&
464 		    (tad->tad_ctrl & TAD_PUBLIC_EV)) {
465 			/*
466 			 * This is a public object and a "public" event
467 			 * (i.e., read only) -- either by definition
468 			 * (e.g., stat, access...) or by virtue of write access
469 			 * not being requested (e.g. mmap).
470 			 * Flag it in the tad to prevent this audit at the end.
471 			 */
472 			tad->tad_ctrl |= TAD_NOAUDIT;
473 		} else {
474 			au_uwrite(au_to_attr(&attr));
475 			audit_sec_attributes(&(u_ad), vp);
476 		}
477 	}
478 }
479 
480 
481 /*
482  * ROUTINE:	AUDIT_EXIT
483  * PURPOSE:
484  * CALLBY:	EXIT
485  * NOTE:
486  * TODO:
487  * QUESTION:	why cmw code as offset by 2 but not here
488  */
489 /* ARGSUSED */
490 void
491 audit_exit(int code, int what)
492 {
493 	struct t_audit_data *tad;
494 	tad = U2A(u);
495 
496 	/*
497 	 * tad_scid will be set by audit_start even if we are not auditing
498 	 * the event.
499 	 */
500 	if (tad->tad_scid == SYS_exit) {
501 		/*
502 		 * if we are auditing the exit system call, then complete
503 		 * audit record generation (no return from system call).
504 		 */
505 		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
506 			audit_finish(0, SYS_exit, 0, 0);
507 		return;
508 	}
509 
510 	/*
511 	 * Anyone auditing the system call that was aborted?
512 	 */
513 	if (tad->tad_flag) {
514 		au_uwrite(au_to_text("event aborted"));
515 		audit_finish(0, tad->tad_scid, 0, 0);
516 	}
517 
518 	/*
519 	 * Generate an audit record for process exit if preselected.
520 	 */
521 	(void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
522 	audit_finish(0, SYS_exit, 0, 0);
523 }
524 
525 /*
526  * ROUTINE:	AUDIT_CORE_START
527  * PURPOSE:
528  * CALLBY: 	PSIG
529  * NOTE:
530  * TODO:
531  */
532 void
533 audit_core_start(int sig)
534 {
535 	au_event_t event;
536 	au_state_t estate;
537 	t_audit_data_t *tad;
538 	au_kcontext_t	*kctx;
539 
540 	tad = U2A(u);
541 
542 	ASSERT(tad != (t_audit_data_t *)0);
543 
544 	ASSERT(tad->tad_scid == 0);
545 	ASSERT(tad->tad_event == 0);
546 	ASSERT(tad->tad_evmod == 0);
547 	ASSERT(tad->tad_ctrl == 0);
548 	ASSERT(tad->tad_flag == 0);
549 	ASSERT(tad->tad_aupath == NULL);
550 
551 	kctx = GET_KCTX_PZ;
552 
553 	/* get basic event for system call */
554 	event = AUE_CORE;
555 	estate = kctx->auk_ets[event];
556 
557 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
558 		return;
559 
560 	/* reset the flags for non-user attributable events */
561 	tad->tad_ctrl   = TAD_CORE;
562 	tad->tad_scid   = 0;
563 
564 	/* if auditing not enabled, then don't generate an audit record */
565 
566 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
567 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
568 	    kctx->auk_auditstate == AUC_NOSPACE)) {
569 		tad->tad_flag = 0;
570 		tad->tad_ctrl = 0;
571 		return;
572 	}
573 
574 	tad->tad_event  = event;
575 	tad->tad_evmod  = 0;
576 
577 	ASSERT(tad->tad_ad == NULL);
578 
579 	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
580 }
581 
582 /*
583  * ROUTINE:	AUDIT_CORE_FINISH
584  * PURPOSE:
585  * CALLBY:	PSIG
586  * NOTE:
587  * TODO:
588  * QUESTION:
589  */
590 
591 /*ARGSUSED*/
592 void
593 audit_core_finish(int code)
594 {
595 	int flag;
596 	t_audit_data_t *tad;
597 	au_kcontext_t	*kctx;
598 
599 	tad = U2A(u);
600 
601 	ASSERT(tad != (t_audit_data_t *)0);
602 
603 	if ((flag = tad->tad_flag) == 0) {
604 		tad->tad_event = 0;
605 		tad->tad_evmod = 0;
606 		tad->tad_ctrl  = 0;
607 		ASSERT(tad->tad_aupath == NULL);
608 		return;
609 	}
610 	tad->tad_flag = 0;
611 
612 	kctx = GET_KCTX_PZ;
613 
614 	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
615 	if (flag = audit_success(kctx, tad, 0, NULL)) {
616 		cred_t *cr = CRED();
617 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
618 
619 		ASSERT(ainfo != NULL);
620 
621 		/*
622 		 * Add subject information (no locks since our private copy of
623 		 * credential
624 		 */
625 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
626 
627 		/* Add a return token (should use f argument) */
628 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
629 
630 		AS_INC(as_generated, 1, kctx);
631 		AS_INC(as_kernel, 1, kctx);
632 	}
633 
634 	/* Close up everything */
635 	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
636 
637 	/* free up any space remaining with the path's */
638 	if (tad->tad_aupath != NULL) {
639 		au_pathrele(tad->tad_aupath);
640 		tad->tad_aupath = NULL;
641 	}
642 	tad->tad_event = 0;
643 	tad->tad_evmod = 0;
644 	tad->tad_ctrl  = 0;
645 }
646 
647 
648 /*ARGSUSED*/
649 void
650 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
651     unsigned char *pri, int *flag, int fmode)
652 {
653 	struct stdata *stp;
654 	t_audit_data_t *tad = U2A(u);
655 
656 	ASSERT(tad != (t_audit_data_t *)0);
657 
658 	stp = vp->v_stream;
659 
660 	/* lock stdata from audit_sock */
661 	mutex_enter(&stp->sd_lock);
662 
663 	/* proceed ONLY if user is being audited */
664 	if (!tad->tad_flag) {
665 		/*
666 		 * this is so we will not add audit data onto
667 		 * a thread that is not being audited.
668 		 */
669 		stp->sd_t_audit_data = NULL;
670 		mutex_exit(&stp->sd_lock);
671 		return;
672 	}
673 
674 	stp->sd_t_audit_data = (caddr_t)curthread;
675 	mutex_exit(&stp->sd_lock);
676 }
677 
678 /*ARGSUSED*/
679 void
680 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
681     unsigned char pri, int flag, int fmode)
682 {
683 	struct stdata *stp;
684 	t_audit_data_t *tad = U2A(u);
685 
686 	ASSERT(tad != (t_audit_data_t *)0);
687 
688 	stp = vp->v_stream;
689 
690 	/* lock stdata from audit_sock */
691 	mutex_enter(&stp->sd_lock);
692 
693 	/* proceed ONLY if user is being audited */
694 	if (!tad->tad_flag) {
695 		/*
696 		 * this is so we will not add audit data onto
697 		 * a thread that is not being audited.
698 		 */
699 		stp->sd_t_audit_data = NULL;
700 		mutex_exit(&stp->sd_lock);
701 		return;
702 	}
703 
704 	stp->sd_t_audit_data = (caddr_t)curthread;
705 	mutex_exit(&stp->sd_lock);
706 }
707 
708 /*
709  * ROUTINE:	AUDIT_CLOSEF
710  * PURPOSE:
711  * CALLBY:	CLOSEF
712  * NOTE:
713  * release per file audit resources when file structure is being released.
714  *
715  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
716  *	on the audit queue if it becomes full. This means
717  *	audit_closef can not be called when f_count == 0. Since
718  *	f_count == 0 indicates the file structure is free, another
719  *	process could attempt to use the file while we were still
720  *	asleep waiting on the audit queue. This would cause the
721  *	per file audit data to be corrupted when we finally do
722  *	wakeup.
723  * TODO:
724  * QUESTION:
725  */
726 
727 void
728 audit_closef(struct file *fp)
729 {	/* AUDIT_CLOSEF */
730 	f_audit_data_t *fad;
731 	t_audit_data_t *tad;
732 	int success;
733 	au_state_t estate;
734 	struct vnode *vp;
735 	token_t *ad = NULL;
736 	struct vattr attr;
737 	au_emod_t evmod = 0;
738 	const auditinfo_addr_t *ainfo;
739 	int getattr_ret;
740 	cred_t *cr;
741 	au_kcontext_t	*kctx = GET_KCTX_PZ;
742 	uint32_t auditing;
743 
744 	fad = F2A(fp);
745 	estate = kctx->auk_ets[AUE_CLOSE];
746 	tad = U2A(u);
747 	cr = CRED();
748 
749 	/* audit record already generated by system call envelope */
750 	if (tad->tad_event == AUE_CLOSE) {
751 		/* so close audit event will have bits set */
752 		tad->tad_evmod |= (au_emod_t)fad->fad_flags;
753 		return;
754 	}
755 
756 	/* if auditing not enabled, then don't generate an audit record */
757 	auditing = (tad->tad_audit == AUC_UNSET) ?
758 	    kctx->auk_auditstate : tad->tad_audit;
759 	if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
760 		return;
761 
762 	ainfo = crgetauinfo(cr);
763 	if (ainfo == NULL)
764 		return;
765 
766 	success = ainfo->ai_mask.as_success & estate;
767 
768 	/* not selected for this event */
769 	if (success == 0)
770 		return;
771 
772 	/*
773 	 * can't use audit_attributes here since we use a private audit area
774 	 * to build the audit record instead of the one off the thread.
775 	 */
776 	if ((vp = fp->f_vnode) != NULL) {
777 		attr.va_mask = AT_ALL;
778 		getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL);
779 	}
780 
781 	/*
782 	 * When write was not used and the file can be considered public,
783 	 * then skip the audit.
784 	 */
785 	if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) {
786 		if (object_is_public(&attr)) {
787 			return;
788 		}
789 	}
790 
791 	evmod = (au_emod_t)fad->fad_flags;
792 	if (fad->fad_aupath != NULL) {
793 		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
794 	} else {
795 #ifdef _LP64
796 		au_write((caddr_t *)&(ad), au_to_arg64(
797 			1, "no path: fp", (uint64_t)fp));
798 #else
799 		au_write((caddr_t *)&(ad), au_to_arg32(
800 			1, "no path: fp", (uint32_t)fp));
801 #endif
802 	}
803 
804 	if (getattr_ret == 0) {
805 		au_write((caddr_t *)&(ad), au_to_attr(&attr));
806 		audit_sec_attributes((caddr_t *)&(ad), vp);
807 	}
808 
809 	/* Add subject information */
810 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
811 
812 	/* add a return token */
813 	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
814 
815 	AS_INC(as_generated, 1, kctx);
816 	AS_INC(as_kernel, 1, kctx);
817 
818 	/*
819 	 * Close up everything
820 	 * Note: path space recovery handled by normal system
821 	 * call envelope if not at last close.
822 	 * Note there is no failure at this point since
823 	 *   this represents closes due to exit of process,
824 	 *   thus we always indicate successful closes.
825 	 */
826 	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
827 	    AUE_CLOSE, evmod, NULL);
828 }
829 
830 /*
831  * ROUTINE:	AUDIT_SET
832  * PURPOSE:	Audit the file path and file attributes.
833  * CALLBY:	SETF
834  * NOTE:	SETF associate a file pointer with user area's open files.
835  * TODO:
836  * call audit_finish directly ???
837  * QUESTION:
838  */
839 
840 /*ARGSUSED*/
841 void
842 audit_setf(file_t *fp, int fd)
843 {
844 	f_audit_data_t *fad;
845 	t_audit_data_t *tad;
846 
847 	if (fp == NULL)
848 		return;
849 
850 	tad = T2A(curthread);
851 	fad = F2A(fp);
852 
853 	if (!(tad->tad_scid == SYS_open ||
854 	    tad->tad_scid == SYS_open64 ||
855 	    tad->tad_scid == SYS_openat ||
856 	    tad->tad_scid == SYS_openat64))
857 		return;
858 
859 	/* no path */
860 	if (tad->tad_aupath == 0)
861 		return;
862 
863 	/*
864 	 * assign path information associated with file audit data
865 	 * use tad hold
866 	 */
867 	fad->fad_aupath = tad->tad_aupath;
868 	tad->tad_aupath = NULL;
869 
870 	if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
871 		/* adjust event type by dropping the 'creat' part */
872 		switch (tad->tad_event) {
873 		case AUE_OPEN_RC:
874 			tad->tad_event = AUE_OPEN_R;
875 			tad->tad_ctrl |= TAD_PUBLIC_EV;
876 			break;
877 		case AUE_OPEN_RTC:
878 			tad->tad_event = AUE_OPEN_RT;
879 			break;
880 		case AUE_OPEN_WC:
881 			tad->tad_event = AUE_OPEN_W;
882 			break;
883 		case AUE_OPEN_WTC:
884 			tad->tad_event = AUE_OPEN_WT;
885 			break;
886 		case AUE_OPEN_RWC:
887 			tad->tad_event = AUE_OPEN_RW;
888 			break;
889 		case AUE_OPEN_RWTC:
890 			tad->tad_event = AUE_OPEN_RWT;
891 			break;
892 		default:
893 			break;
894 		}
895 	}
896 }
897 
898 
899 void
900 audit_ipc(int type, int id, void *vp)
901 {
902 	/* if not auditing this event, then do nothing */
903 	if (ad_flag == 0)
904 		return;
905 
906 	switch (type) {
907 	case AT_IPC_MSG:
908 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
909 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
910 		break;
911 	case AT_IPC_SEM:
912 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
913 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
914 		break;
915 	case AT_IPC_SHM:
916 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
917 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
918 		break;
919 	}
920 }
921 
922 void
923 audit_ipcget(int type, void *vp)
924 {
925 	/* if not auditing this event, then do nothing */
926 	if (ad_flag == 0)
927 		return;
928 
929 	switch (type) {
930 	case NULL:
931 		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
932 		break;
933 	case AT_IPC_MSG:
934 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
935 		break;
936 	case AT_IPC_SEM:
937 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
938 		break;
939 	case AT_IPC_SHM:
940 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
941 		break;
942 	}
943 }
944 
945 /*
946  * ROUTINE:	AUDIT_REBOOT
947  * PURPOSE:
948  * CALLBY:
949  * NOTE:
950  * At this point we know that the system call reboot will not return. We thus
951  * have to complete the audit record generation and put it onto the queue.
952  * This might be fairly useless if the auditing daemon is already dead....
953  * TODO:
954  * QUESTION:	who calls audit_reboot
955  */
956 
957 void
958 audit_reboot(void)
959 {
960 	int flag;
961 	t_audit_data_t *tad;
962 	au_kcontext_t	*kctx = GET_KCTX_PZ;
963 
964 	tad = U2A(u);
965 
966 	/* if not auditing this event, then do nothing */
967 	if (tad->tad_flag == 0)
968 		return;
969 
970 	/* do preselection on success/failure */
971 	if (flag = audit_success(kctx, tad, 0, NULL)) {
972 		/* add a process token */
973 
974 		cred_t *cr = CRED();
975 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
976 
977 		if (ainfo == NULL)
978 			return;
979 
980 		/* Add subject information */
981 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
982 
983 		/* add a return token */
984 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
985 
986 		AS_INC(as_generated, 1, kctx);
987 		AS_INC(as_kernel, 1, kctx);
988 	}
989 
990 	/*
991 	 * Flow control useless here since we're going
992 	 * to drop everything in the queue anyway. Why
993 	 * block and wait. There aint anyone left alive to
994 	 * read the records remaining anyway.
995 	 */
996 
997 	/* Close up everything */
998 	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
999 	    tad->tad_event, tad->tad_evmod, NULL);
1000 }
1001 
1002 void
1003 audit_setfsat_path(int argnum)
1004 {
1005 	klwp_id_t clwp = ttolwp(curthread);
1006 	struct file  *fp;
1007 	uint32_t fd;
1008 	t_audit_data_t *tad;
1009 	struct f_audit_data *fad;
1010 	p_audit_data_t *pad;	/* current process */
1011 	uint_t fm;
1012 	struct a {
1013 		long arg1;
1014 		long arg2;
1015 		long arg3;
1016 		long arg4;
1017 		long arg5;
1018 	} *uap;
1019 
1020 	if (clwp == NULL)
1021 		return;
1022 	uap = (struct a *)clwp->lwp_ap;
1023 
1024 	tad = U2A(u);
1025 	ASSERT(tad != NULL);
1026 
1027 	switch (tad->tad_scid) {
1028 	case SYS_faccessat:
1029 	case SYS_fchownat:
1030 	case SYS_fstatat:
1031 	case SYS_fstatat64:
1032 	case SYS_openat:
1033 	case SYS_openat64:
1034 	case SYS_unlinkat:
1035 		fd = uap->arg1;
1036 		break;
1037 	case SYS_renameat:
1038 		if (argnum == 3)
1039 			fd = uap->arg3;
1040 		else
1041 			fd = uap->arg1;
1042 		break;
1043 	case SYS_utimesys:
1044 		fd = uap->arg2;
1045 		break;
1046 	case SYS_open:
1047 	case SYS_open64:
1048 		fd = AT_FDCWD;
1049 		break;
1050 	default:
1051 		return;
1052 	}
1053 
1054 	if (tad->tad_atpath != NULL) {
1055 		au_pathrele(tad->tad_atpath);
1056 		tad->tad_atpath = NULL;
1057 	}
1058 
1059 	if (fd != AT_FDCWD) {
1060 		tad->tad_ctrl |= TAD_ATCALL;
1061 
1062 		if (tad->tad_scid == SYS_openat ||
1063 		    tad->tad_scid == SYS_openat64) {
1064 			fm = (uint_t)uap->arg3;
1065 			if (fm & (FXATTR | FXATTRDIROPEN)) {
1066 				tad->tad_ctrl |= TAD_ATTPATH;
1067 			}
1068 		}
1069 
1070 		if ((fp = getf(fd)) == NULL) {
1071 			tad->tad_ctrl |= TAD_NOPATH;
1072 			return;
1073 		}
1074 		fad = F2A(fp);
1075 		ASSERT(fad);
1076 		if (fad->fad_aupath == NULL) {
1077 			tad->tad_ctrl |= TAD_NOPATH;
1078 			releasef(fd);
1079 			return;
1080 		}
1081 		au_pathhold(fad->fad_aupath);
1082 		tad->tad_atpath = fad->fad_aupath;
1083 		releasef(fd);
1084 	} else {
1085 		if (tad->tad_scid == SYS_open ||
1086 		    tad->tad_scid == SYS_open64) {
1087 			fm = (uint_t)uap->arg2;
1088 			if (fm & FXATTR) {
1089 				tad->tad_ctrl |= TAD_ATTPATH;
1090 			}
1091 			return;
1092 		}
1093 		pad = P2A(curproc);
1094 		mutex_enter(&pad->pad_lock);
1095 		au_pathhold(pad->pad_cwd);
1096 		tad->tad_atpath = pad->pad_cwd;
1097 		mutex_exit(&pad->pad_lock);
1098 	}
1099 }
1100 
1101 void
1102 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1103 {
1104 	t_audit_data_t *tad;
1105 	vnode_t	*vp;
1106 
1107 	tad = U2A(u);
1108 
1109 	/* if not auditing this event, then do nothing */
1110 	if (tad->tad_flag == 0)
1111 		return;
1112 
1113 	au_uwrite(au_to_text(target));
1114 
1115 	if (error)
1116 		return;
1117 
1118 	error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1119 	    NULL, NULL, NULL);
1120 	if (error == 0) {
1121 		audit_attributes(vp);
1122 		VN_RELE(vp);
1123 	}
1124 }
1125 
1126 /*
1127  * ROUTINE:	AUDIT_VNCREATE_START
1128  * PURPOSE:	set flag so path name lookup in create will not add attribute
1129  * CALLBY:	VN_CREATE
1130  * NOTE:
1131  * TODO:
1132  * QUESTION:
1133  */
1134 
1135 void
1136 audit_vncreate_start()
1137 {
1138 	t_audit_data_t *tad;
1139 
1140 	tad = U2A(u);
1141 	tad->tad_ctrl |= TAD_NOATTRB;
1142 }
1143 
1144 /*
1145  * ROUTINE:	AUDIT_VNCREATE_FINISH
1146  * PURPOSE:
1147  * CALLBY:	VN_CREATE
1148  * NOTE:
1149  * TODO:
1150  * QUESTION:
1151  */
1152 void
1153 audit_vncreate_finish(struct vnode *vp, int error)
1154 {
1155 	t_audit_data_t *tad;
1156 
1157 	if (error)
1158 		return;
1159 
1160 	tad = U2A(u);
1161 
1162 	/* if not auditing this event, then do nothing */
1163 	if (tad->tad_flag == 0)
1164 		return;
1165 
1166 	if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1167 		audit_attributes(vp);
1168 	}
1169 
1170 	if (tad->tad_ctrl & TAD_CORE) {
1171 		audit_attributes(vp);
1172 		tad->tad_ctrl &= ~TAD_CORE;
1173 	}
1174 
1175 	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1176 	    (tad->tad_event == AUE_MKDIR))) {
1177 		audit_attributes(vp);
1178 	}
1179 
1180 	/* for case where multiple lookups in one syscall (rename) */
1181 	tad->tad_ctrl &= ~TAD_NOATTRB;
1182 }
1183 
1184 
1185 
1186 
1187 
1188 
1189 
1190 
1191 /*
1192  * ROUTINE:	AUDIT_EXEC
1193  * PURPOSE:	Records the function arguments and environment variables
1194  * CALLBY:	EXEC_ARGS
1195  * NOTE:
1196  * TODO:
1197  * QUESTION:
1198  */
1199 
1200 void
1201 audit_exec(
1202 	const char *argstr,	/* argument strings */
1203 	const char *envstr,	/* environment strings */
1204 	ssize_t argc,		/* total # arguments */
1205 	ssize_t envc,		/* total # environment variables */
1206 	cred_t *pfcred)		/* the additional privileges in a profile */
1207 {
1208 	t_audit_data_t *tad;
1209 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1210 
1211 	tad = U2A(u);
1212 
1213 	/* if not auditing this event, then do nothing */
1214 	if (!tad->tad_flag)
1215 		return;
1216 
1217 	if (pfcred != NULL) {
1218 		p_audit_data_t *pad;
1219 		cred_t *cr = CRED();
1220 		priv_set_t pset = CR_IPRIV(cr);
1221 
1222 		pad = P2A(curproc);
1223 
1224 		/* It's a different event. */
1225 		tad->tad_event = AUE_PFEXEC;
1226 
1227 		/* Add the current working directory to the audit trail. */
1228 		if (pad->pad_cwd != NULL)
1229 			au_uwrite(au_to_path(pad->pad_cwd));
1230 
1231 		/*
1232 		 * The new credential is not yet in place when audit_exec
1233 		 * is called.
1234 		 * Compute the additional bits available in the new credential
1235 		 * and the limit set.
1236 		 */
1237 		priv_inverse(&pset);
1238 		priv_intersect(&CR_IPRIV(pfcred), &pset);
1239 		if (!priv_isemptyset(&pset) ||
1240 		    !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1241 			au_uwrite(au_to_privset(
1242 			    priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1243 			    0));
1244 			au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1245 			    &CR_LPRIV(pfcred), AUT_PRIV, 0));
1246 		}
1247 		/*
1248 		 * Compare the uids & gids: create a process token if changed.
1249 		 */
1250 		if (crgetuid(cr) != crgetuid(pfcred) ||
1251 		    crgetruid(cr) != crgetruid(pfcred) ||
1252 		    crgetgid(cr) != crgetgid(pfcred) ||
1253 		    crgetrgid(cr) != crgetrgid(pfcred)) {
1254 			AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1255 		}
1256 	}
1257 
1258 	if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1259 		au_uwrite(au_to_exec_args(argstr, argc));
1260 
1261 	if (kctx->auk_policy & AUDIT_ARGE)
1262 		au_uwrite(au_to_exec_env(envstr, envc));
1263 }
1264 
1265 /*
1266  * ROUTINE:	AUDIT_ENTERPROM
1267  * PURPOSE:
1268  * CALLBY:	KBDINPUT
1269  *		ZSA_XSINT
1270  * NOTE:
1271  * TODO:
1272  * QUESTION:
1273  */
1274 void
1275 audit_enterprom(int flg)
1276 {
1277 	token_t *rp = NULL;
1278 	int sorf;
1279 
1280 	if (flg)
1281 		sorf = AUM_SUCC;
1282 	else
1283 		sorf = AUM_FAIL;
1284 
1285 	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1286 
1287 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1288 
1289 	if (flg)
1290 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1291 	else
1292 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1293 
1294 	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1295 }
1296 
1297 
1298 /*
1299  * ROUTINE:	AUDIT_EXITPROM
1300  * PURPOSE:
1301  * CALLBY:	KBDINPUT
1302  *		ZSA_XSINT
1303  * NOTE:
1304  * TODO:
1305  * QUESTION:
1306  */
1307 void
1308 audit_exitprom(int flg)
1309 {
1310 	int sorf;
1311 	token_t *rp = NULL;
1312 
1313 	if (flg)
1314 		sorf = AUM_SUCC;
1315 	else
1316 		sorf = AUM_FAIL;
1317 
1318 	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1319 
1320 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1321 
1322 	if (flg)
1323 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1324 	else
1325 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1326 
1327 	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1328 }
1329 
1330 struct fcntla {
1331 	int fdes;
1332 	int cmd;
1333 	intptr_t arg;
1334 };
1335 
1336 
1337 /*
1338  * ROUTINE:	AUDIT_CHDIREC
1339  * PURPOSE:
1340  * CALLBY:	CHDIREC
1341  * NOTE:	The main function of CHDIREC
1342  * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1343  * QUESTION:
1344  */
1345 
1346 /*ARGSUSED*/
1347 void
1348 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1349 {
1350 	int		chdir;
1351 	int		fchdir;
1352 	struct audit_path	**appp;
1353 	struct file	*fp;
1354 	f_audit_data_t *fad;
1355 	p_audit_data_t *pad = P2A(curproc);
1356 	t_audit_data_t *tad = T2A(curthread);
1357 
1358 	struct a {
1359 		long fd;
1360 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1361 
1362 	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1363 		chdir = tad->tad_scid == SYS_chdir;
1364 		if (tad->tad_aupath) {
1365 			mutex_enter(&pad->pad_lock);
1366 			if (chdir)
1367 				appp = &(pad->pad_cwd);
1368 			else
1369 				appp = &(pad->pad_root);
1370 			au_pathrele(*appp);
1371 			/* use tad hold */
1372 			*appp = tad->tad_aupath;
1373 			tad->tad_aupath = NULL;
1374 			mutex_exit(&pad->pad_lock);
1375 		}
1376 	} else if ((tad->tad_scid == SYS_fchdir) ||
1377 	    (tad->tad_scid == SYS_fchroot)) {
1378 		fchdir = tad->tad_scid == SYS_fchdir;
1379 		if ((fp = getf(uap->fd)) == NULL)
1380 			return;
1381 		fad = F2A(fp);
1382 		if (fad->fad_aupath) {
1383 			au_pathhold(fad->fad_aupath);
1384 			mutex_enter(&pad->pad_lock);
1385 			if (fchdir)
1386 				appp = &(pad->pad_cwd);
1387 			else
1388 				appp = &(pad->pad_root);
1389 			au_pathrele(*appp);
1390 			*appp = fad->fad_aupath;
1391 			mutex_exit(&pad->pad_lock);
1392 			if (tad->tad_flag) {
1393 				au_uwrite(au_to_path(fad->fad_aupath));
1394 				audit_attributes(fp->f_vnode);
1395 			}
1396 		}
1397 		releasef(uap->fd);
1398 	}
1399 }
1400 
1401 
1402 /*
1403  *	Audit hook for stream based socket and tli request.
1404  *	Note that we do not have user context while executing
1405  *	this code so we had to record them earlier during the
1406  *	putmsg/getmsg to figure out which user we are dealing with.
1407  */
1408 
1409 /*ARGSUSED*/
1410 void
1411 audit_sock(
1412 	int type,	/* type of tihdr.h header requests */
1413 	queue_t *q,	/* contains the process and thread audit data */
1414 	mblk_t *mp,	/* contains the tihdr.h header structures */
1415 	int from)	/* timod or sockmod request */
1416 {
1417 	int32_t    len;
1418 	int32_t    offset;
1419 	struct sockaddr_in *sock_data;
1420 	struct T_conn_req *conn_req;
1421 	struct T_conn_ind *conn_ind;
1422 	struct T_unitdata_req *unitdata_req;
1423 	struct T_unitdata_ind *unitdata_ind;
1424 	au_state_t estate;
1425 	t_audit_data_t *tad;
1426 	caddr_t saved_thread_ptr;
1427 	au_mask_t amask;
1428 	const auditinfo_addr_t *ainfo;
1429 	au_kcontext_t	*kctx;
1430 
1431 	if (q->q_stream == NULL)
1432 		return;
1433 	mutex_enter(&q->q_stream->sd_lock);
1434 	/* are we being audited */
1435 	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1436 	/* no pointer to thread, nothing to do */
1437 	if (saved_thread_ptr == NULL) {
1438 		mutex_exit(&q->q_stream->sd_lock);
1439 		return;
1440 	}
1441 	/* only allow one addition of a record token */
1442 	q->q_stream->sd_t_audit_data = NULL;
1443 	/*
1444 	 * thread is not the one being audited, then nothing to do
1445 	 * This could be the stream thread handling the module
1446 	 * service routine. In this case, the context for the audit
1447 	 * record can no longer be assumed. Simplest to just drop
1448 	 * the operation.
1449 	 */
1450 	if (curthread != (kthread_id_t)saved_thread_ptr) {
1451 		mutex_exit(&q->q_stream->sd_lock);
1452 		return;
1453 	}
1454 	if (curthread->t_sysnum >= SYS_so_socket &&
1455 	    curthread->t_sysnum <= SYS_sockconfig) {
1456 		mutex_exit(&q->q_stream->sd_lock);
1457 		return;
1458 	}
1459 	mutex_exit(&q->q_stream->sd_lock);
1460 	/*
1461 	 * we know that the thread that did the put/getmsg is the
1462 	 * one running. Now we can get the TAD and see if we should
1463 	 * add an audit token.
1464 	 */
1465 	tad = U2A(u);
1466 
1467 	kctx = GET_KCTX_PZ;
1468 
1469 	/* proceed ONLY if user is being audited */
1470 	if (!tad->tad_flag)
1471 		return;
1472 
1473 	ainfo = crgetauinfo(CRED());
1474 	if (ainfo == NULL)
1475 		return;
1476 	amask = ainfo->ai_mask;
1477 
1478 	/*
1479 	 * Figure out the type of stream networking request here.
1480 	 * Note that getmsg and putmsg are always preselected
1481 	 * because during the beginning of the system call we have
1482 	 * not yet figure out which of the socket or tli request
1483 	 * we are looking at until we are here. So we need to check
1484 	 * against that specific request and reset the type of event.
1485 	 */
1486 	switch (type) {
1487 	case T_CONN_REQ:	/* connection request */
1488 		conn_req = (struct T_conn_req *)mp->b_rptr;
1489 		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1490 			return;
1491 		offset = conn_req->DEST_offset;
1492 		len = conn_req->DEST_length;
1493 		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1494 		if (amask.as_success & estate || amask.as_failure & estate) {
1495 			tad->tad_event = AUE_SOCKCONNECT;
1496 			break;
1497 		} else {
1498 			return;
1499 		}
1500 	case T_CONN_IND:	 /* connectionless receive request */
1501 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1502 		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1503 			return;
1504 		offset = conn_ind->SRC_offset;
1505 		len = conn_ind->SRC_length;
1506 		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1507 		if (amask.as_success & estate || amask.as_failure & estate) {
1508 			tad->tad_event = AUE_SOCKACCEPT;
1509 			break;
1510 		} else {
1511 			return;
1512 		}
1513 	case T_UNITDATA_REQ:	 /* connectionless send request */
1514 		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1515 		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1516 			return;
1517 		offset = unitdata_req->DEST_offset;
1518 		len = unitdata_req->DEST_length;
1519 		estate = kctx->auk_ets[AUE_SOCKSEND];
1520 		if (amask.as_success & estate || amask.as_failure & estate) {
1521 			tad->tad_event = AUE_SOCKSEND;
1522 			break;
1523 		} else {
1524 			return;
1525 		}
1526 	case T_UNITDATA_IND:	 /* connectionless receive request */
1527 		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1528 		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1529 			return;
1530 		offset = unitdata_ind->SRC_offset;
1531 		len = unitdata_ind->SRC_length;
1532 		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1533 		if (amask.as_success & estate || amask.as_failure & estate) {
1534 			tad->tad_event = AUE_SOCKRECEIVE;
1535 			break;
1536 		} else {
1537 			return;
1538 		}
1539 	default:
1540 		return;
1541 	}
1542 
1543 	/*
1544 	 * we are only interested in tcp stream connections,
1545 	 * not unix domain stuff
1546 	 */
1547 	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1548 		tad->tad_event = AUE_GETMSG;
1549 		return;
1550 	}
1551 	/* skip over TPI header and point to the ip address */
1552 	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1553 
1554 	switch (sock_data->sin_family) {
1555 	case AF_INET:
1556 		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1557 		break;
1558 	default:	/* reset to AUE_PUTMSG if not a inet request */
1559 		tad->tad_event = AUE_GETMSG;
1560 		break;
1561 	}
1562 }
1563 
1564 
1565 static void
1566 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1567 {
1568 	unsigned int sy_flags;
1569 
1570 #ifdef _SYSCALL32_IMPL
1571 	/*
1572 	 * Guard against t_lwp being NULL when this function is called
1573 	 * from a kernel queue instead of from a direct system call.
1574 	 * In that case, assume the running kernel data model.
1575 	 */
1576 	if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1577 	    ttolwp(curthread)) == DATAMODEL_NATIVE))
1578 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1579 	else
1580 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1581 #else
1582 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1583 #endif
1584 
1585 	if (sy_flags == SE_64RVAL)
1586 		au_write(ad, au_to_return64(err, rval));
1587 	else
1588 		au_write(ad, au_to_return32(err, rval));
1589 
1590 }
1591 
1592 /*ARGSUSED*/
1593 void
1594 audit_fdsend(fd, fp, error)
1595 	int fd;
1596 	struct file *fp;
1597 	int error;		/* ignore for now */
1598 {
1599 	t_audit_data_t *tad;	/* current thread */
1600 	f_audit_data_t *fad;	/* per file audit structure */
1601 	struct vnode *vp;	/* for file attributes */
1602 
1603 	/* is this system call being audited */
1604 	tad = U2A(u);
1605 	ASSERT(tad != (t_audit_data_t *)0);
1606 	if (!tad->tad_flag)
1607 		return;
1608 
1609 	fad = F2A(fp);
1610 
1611 	/* add path and file attributes */
1612 	if (fad != NULL && fad->fad_aupath != NULL) {
1613 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1614 		au_uwrite(au_to_path(fad->fad_aupath));
1615 	} else {
1616 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1617 #ifdef _LP64
1618 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1619 #else
1620 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1621 #endif
1622 	}
1623 	vp = fp->f_vnode;	/* include vnode attributes */
1624 	audit_attributes(vp);
1625 }
1626 
1627 /*
1628  * Record privileges successfully used and we attempted to use but
1629  * didn't have.
1630  */
1631 void
1632 audit_priv(int priv, const priv_set_t *set, int flag)
1633 {
1634 	t_audit_data_t *tad;
1635 	int sbit;
1636 	priv_set_t *target;
1637 
1638 	/* Make sure this isn't being called in an interrupt context */
1639 	ASSERT(servicing_interrupt() == 0);
1640 
1641 	tad = U2A(u);
1642 
1643 	if (tad->tad_flag == 0)
1644 		return;
1645 
1646 	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1647 	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1648 
1649 	/* Tell audit_success() and audit_finish() that we saw this case */
1650 	if (!(tad->tad_evmod & sbit)) {
1651 		/* Clear set first time around */
1652 		priv_emptyset(target);
1653 		tad->tad_evmod |= sbit;
1654 	}
1655 
1656 	/* Save the privileges in the tad */
1657 	if (priv == PRIV_ALL) {
1658 		priv_fillset(target);
1659 	} else {
1660 		ASSERT(set != NULL || priv != PRIV_NONE);
1661 		if (set != NULL)
1662 			priv_union(set, target);
1663 		if (priv != PRIV_NONE)
1664 			priv_addset(target, priv);
1665 	}
1666 }
1667 
1668 /*
1669  * Audit the setpriv() system call; the operation, the set name and
1670  * the current value as well as the set argument are put in the
1671  * audit trail.
1672  */
1673 void
1674 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1675 {
1676 	t_audit_data_t *tad;
1677 	const priv_set_t *oldpriv;
1678 	priv_set_t report;
1679 	const char *setname;
1680 
1681 	tad = U2A(u);
1682 
1683 	if (tad->tad_flag == 0)
1684 		return;
1685 
1686 	oldpriv = priv_getset(ocr, set);
1687 
1688 	/* Generate the actual record, include the before and after */
1689 	au_uwrite(au_to_arg32(2, "op", op));
1690 	setname = priv_getsetbynum(set);
1691 
1692 	switch (op) {
1693 	case PRIV_OFF:
1694 		/* Report privileges actually switched off */
1695 		report = *oldpriv;
1696 		priv_intersect(newpriv, &report);
1697 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1698 		break;
1699 	case PRIV_ON:
1700 		/* Report privileges actually switched on */
1701 		report = *oldpriv;
1702 		priv_inverse(&report);
1703 		priv_intersect(newpriv, &report);
1704 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1705 		break;
1706 	case PRIV_SET:
1707 		/* Report before and after */
1708 		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1709 		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1710 		break;
1711 	}
1712 }
1713 
1714 /*
1715  * Dump the full device policy setting in the audit trail.
1716  */
1717 void
1718 audit_devpolicy(int nitems, const devplcysys_t *items)
1719 {
1720 	t_audit_data_t *tad;
1721 	int i;
1722 
1723 	tad = U2A(u);
1724 
1725 	if (tad->tad_flag == 0)
1726 		return;
1727 
1728 	for (i = 0; i < nitems; i++) {
1729 		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1730 		if (items[i].dps_minornm[0] == '\0') {
1731 			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1732 			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1733 		} else
1734 			au_uwrite(au_to_text(items[i].dps_minornm));
1735 
1736 		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1737 		    AUT_PRIV, 0));
1738 		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1739 		    AUT_PRIV, 0));
1740 	}
1741 }
1742 
1743 /*ARGSUSED*/
1744 void
1745 audit_fdrecv(fd, fp)
1746 	int fd;
1747 	struct file *fp;
1748 {
1749 	t_audit_data_t *tad;	/* current thread */
1750 	f_audit_data_t *fad;	/* per file audit structure */
1751 	struct vnode *vp;	/* for file attributes */
1752 
1753 	/* is this system call being audited */
1754 	tad = U2A(u);
1755 	ASSERT(tad != (t_audit_data_t *)0);
1756 	if (!tad->tad_flag)
1757 		return;
1758 
1759 	fad = F2A(fp);
1760 
1761 	/* add path and file attributes */
1762 	if (fad != NULL && fad->fad_aupath != NULL) {
1763 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1764 		au_uwrite(au_to_path(fad->fad_aupath));
1765 	} else {
1766 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1767 #ifdef _LP64
1768 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1769 #else
1770 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1771 #endif
1772 	}
1773 	vp = fp->f_vnode;	/* include vnode attributes */
1774 	audit_attributes(vp);
1775 }
1776 
1777 /*
1778  * ROUTINE:	AUDIT_CRYPTOADM
1779  * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
1780  * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1781  *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1782  *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1783  *		CRYPTO_LOAD_DOOR
1784  * NOTE:
1785  * TODO:
1786  * QUESTION:
1787  */
1788 
1789 void
1790 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1791     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1792 {
1793 	boolean_t		mech_list_required = B_FALSE;
1794 	cred_t			*cr = CRED();
1795 	t_audit_data_t		*tad;
1796 	token_t			*ad = NULL;
1797 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
1798 	char			buffer[MAXNAMELEN * 2];
1799 	au_kcontext_t		*kctx = GET_KCTX_PZ;
1800 
1801 	tad = U2A(u);
1802 	if (tad == NULL)
1803 		return;
1804 
1805 	if (ainfo == NULL)
1806 		return;
1807 
1808 	tad->tad_event = AUE_CRYPTOADM;
1809 
1810 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
1811 		return;
1812 
1813 	/* Add subject information */
1814 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1815 
1816 	switch (cmd) {
1817 	case CRYPTO_LOAD_DEV_DISABLED:
1818 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1819 			(void) snprintf(buffer, sizeof (buffer),
1820 			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1821 			    " dev_instance=%d",
1822 			    module_name, device_instance);
1823 			mech_list_required = B_TRUE;
1824 		} else {
1825 			(void) snprintf(buffer, sizeof (buffer),
1826 			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1827 		}
1828 		break;
1829 
1830 	case CRYPTO_LOAD_SOFT_DISABLED:
1831 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1832 			(void) snprintf(buffer, sizeof (buffer),
1833 			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1834 			    module_name);
1835 			mech_list_required = B_TRUE;
1836 		} else {
1837 			(void) snprintf(buffer, sizeof (buffer),
1838 			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1839 		}
1840 		break;
1841 
1842 	case CRYPTO_UNLOAD_SOFT_MODULE:
1843 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1844 			(void) snprintf(buffer, sizeof (buffer),
1845 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1846 			    module_name);
1847 		} else {
1848 			(void) snprintf(buffer, sizeof (buffer),
1849 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1850 		}
1851 		break;
1852 
1853 	case CRYPTO_LOAD_SOFT_CONFIG:
1854 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1855 			(void) snprintf(buffer, sizeof (buffer),
1856 			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1857 			    module_name);
1858 			mech_list_required = B_TRUE;
1859 		} else {
1860 			(void) snprintf(buffer, sizeof (buffer),
1861 			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1862 		}
1863 		break;
1864 
1865 	case CRYPTO_POOL_CREATE:
1866 		(void) snprintf(buffer, sizeof (buffer),
1867 		    "op=CRYPTO_POOL_CREATE");
1868 		break;
1869 
1870 	case CRYPTO_POOL_WAIT:
1871 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1872 		break;
1873 
1874 	case CRYPTO_POOL_RUN:
1875 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1876 		break;
1877 
1878 	case CRYPTO_LOAD_DOOR:
1879 		if (error == 0 && rv == CRYPTO_SUCCESS)
1880 			(void) snprintf(buffer, sizeof (buffer),
1881 			    "op=CRYPTO_LOAD_DOOR");
1882 		else
1883 			(void) snprintf(buffer, sizeof (buffer),
1884 			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1885 		break;
1886 
1887 	case CRYPTO_FIPS140_SET:
1888 		(void) snprintf(buffer, sizeof (buffer),
1889 		    "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1890 		break;
1891 
1892 	default:
1893 		return;
1894 	}
1895 
1896 	au_write((caddr_t *)&ad, au_to_text(buffer));
1897 
1898 	if (mech_list_required) {
1899 		int i;
1900 
1901 		if (mech_count == 0) {
1902 			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1903 		} else {
1904 			char	*pb = buffer;
1905 			size_t	l = sizeof (buffer);
1906 			size_t	n;
1907 			char	space[2] = ":";
1908 
1909 			n = snprintf(pb, l, "mech=");
1910 
1911 			for (i = 0; i < mech_count; i++) {
1912 				pb += n;
1913 				l -= n;
1914 				if (l < 0)
1915 					l = 0;
1916 
1917 				if (i == mech_count - 1)
1918 					(void) strcpy(space, "");
1919 
1920 				n = snprintf(pb, l, "%s%s", mech_names[i],
1921 				    space);
1922 			}
1923 			au_write((caddr_t *)&ad, au_to_text(buffer));
1924 		}
1925 	}
1926 
1927 	/* add a return token */
1928 	if (error || (rv != CRYPTO_SUCCESS))
1929 		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1930 	else
1931 		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1932 
1933 	AS_INC(as_generated, 1, kctx);
1934 	AS_INC(as_kernel, 1, kctx);
1935 
1936 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
1937 	    NULL);
1938 }
1939 
1940 /*
1941  * Audit the kernel SSL administration command. The address and the
1942  * port number for the SSL instance, and the proxy port are put in the
1943  * audit trail.
1944  */
1945 void
1946 audit_kssl(int cmd, void *params, int error)
1947 {
1948 	cred_t			*cr = CRED();
1949 	t_audit_data_t		*tad;
1950 	token_t			*ad = NULL;
1951 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
1952 	au_kcontext_t		*kctx = GET_KCTX_PZ;
1953 
1954 	tad = U2A(u);
1955 
1956 	if (ainfo == NULL)
1957 		return;
1958 
1959 	tad->tad_event = AUE_CONFIGKSSL;
1960 
1961 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
1962 		return;
1963 
1964 	/* Add subject information */
1965 	AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
1966 
1967 	switch (cmd) {
1968 	case KSSL_ADD_ENTRY: {
1969 		char buf[32];
1970 		kssl_params_t *kp = (kssl_params_t *)params;
1971 		struct sockaddr_in6 *saddr = &kp->kssl_addr;
1972 
1973 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
1974 		au_write((caddr_t *)&ad,
1975 		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
1976 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
1977 		    saddr->sin6_port);
1978 		au_write((caddr_t *)&ad, au_to_text(buf));
1979 
1980 		(void) snprintf(buf, sizeof (buf), "proxy port=%d",
1981 		    kp->kssl_proxy_port);
1982 		au_write((caddr_t *)&ad, au_to_text(buf));
1983 		break;
1984 	}
1985 
1986 	case KSSL_DELETE_ENTRY: {
1987 		char buf[32];
1988 		struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
1989 
1990 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
1991 		au_write((caddr_t *)&ad,
1992 		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
1993 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
1994 		    saddr->sin6_port);
1995 		au_write((caddr_t *)&ad, au_to_text(buf));
1996 		break;
1997 	}
1998 
1999 	default:
2000 		return;
2001 	}
2002 
2003 	/* add a return token */
2004 	add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2005 
2006 	AS_INC(as_generated, 1, kctx);
2007 	AS_INC(as_kernel, 1, kctx);
2008 
2009 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2010 	    NULL);
2011 }
2012 
2013 /*
2014  * Audit the kernel PF_POLICY administration commands.  Record command,
2015  * zone, policy type (global or tunnel, active or inactive)
2016  */
2017 /*
2018  * ROUTINE:	AUDIT_PF_POLICY
2019  * PURPOSE:	Records arguments to administrative ioctls on PF_POLICY socket
2020  * CALLBY:	SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2021  *		SPD_CLONE, SPD_FLIP
2022  * NOTE:
2023  * TODO:
2024  * QUESTION:
2025  */
2026 
2027 void
2028 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2029     boolean_t active, int error, pid_t pid)
2030 {
2031 	const auditinfo_addr_t	*ainfo;
2032 	t_audit_data_t		*tad;
2033 	token_t			*ad = NULL;
2034 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2035 	char			buf[80];
2036 	int			flag;
2037 
2038 	tad = U2A(u);
2039 	if (tad == NULL)
2040 		return;
2041 
2042 	ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2043 	if (ainfo == NULL)
2044 		return;
2045 
2046 	/*
2047 	 * Initialize some variables since these are only set
2048 	 * with system calls.
2049 	 */
2050 
2051 	switch (cmd) {
2052 	case SPD_ADDRULE: {
2053 		tad->tad_event = AUE_PF_POLICY_ADDRULE;
2054 		break;
2055 	}
2056 
2057 	case SPD_DELETERULE: {
2058 		tad->tad_event = AUE_PF_POLICY_DELRULE;
2059 		break;
2060 	}
2061 
2062 	case SPD_FLUSH: {
2063 		tad->tad_event = AUE_PF_POLICY_FLUSH;
2064 		break;
2065 	}
2066 
2067 	case SPD_UPDATEALGS: {
2068 		tad->tad_event = AUE_PF_POLICY_ALGS;
2069 		break;
2070 	}
2071 
2072 	case SPD_CLONE: {
2073 		tad->tad_event = AUE_PF_POLICY_CLONE;
2074 		break;
2075 	}
2076 
2077 	case SPD_FLIP: {
2078 		tad->tad_event = AUE_PF_POLICY_FLIP;
2079 		break;
2080 	}
2081 
2082 	default:
2083 		tad->tad_event = AUE_NULL;
2084 	}
2085 
2086 	tad->tad_evmod = 0;
2087 
2088 	if (flag = audit_success(kctx, tad, error, cred)) {
2089 		zone_t *nszone;
2090 
2091 		/*
2092 		 * For now, just audit that an event happened,
2093 		 * along with the error code.
2094 		 */
2095 		au_write((caddr_t *)&ad,
2096 		    au_to_arg32(1, "Policy Active?", (uint32_t)active));
2097 		au_write((caddr_t *)&ad,
2098 		    au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2099 
2100 		/* Supplemental data */
2101 
2102 		/*
2103 		 * Generate this zone token if the target zone differs
2104 		 * from the administrative zone.  If netstacks are expanded
2105 		 * to something other than a 1-1 relationship with zones,
2106 		 * the auditing framework should create a new token type
2107 		 * and audit it as a netstack instead.
2108 		 * Turn on general zone auditing to get the administrative zone.
2109 		 */
2110 
2111 		nszone = zone_find_by_id(netstackid_to_zoneid(
2112 		    ns->netstack_stackid));
2113 		if (nszone != NULL) {
2114 			if (strncmp(crgetzone(cred)->zone_name,
2115 			    nszone->zone_name, ZONENAME_MAX) != 0) {
2116 				token_t *ztoken;
2117 
2118 				ztoken = au_to_zonename(0, nszone);
2119 				au_write((caddr_t *)&ad, ztoken);
2120 			}
2121 			zone_rele(nszone);
2122 		}
2123 
2124 		if (tun != NULL) {
2125 			/* write tunnel name - tun is bounded */
2126 			(void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2127 			    tun);
2128 			au_write((caddr_t *)&ad, au_to_text(buf));
2129 		}
2130 
2131 		/* Add subject information */
2132 		AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2133 		    ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2134 
2135 		/* add a return token */
2136 		add_return_token((caddr_t *)&ad, 0, error, 0);
2137 
2138 		AS_INC(as_generated, 1, kctx);
2139 		AS_INC(as_kernel, 1, kctx);
2140 
2141 	}
2142 	au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2143 	    NULL);
2144 
2145 	/*
2146 	 * clear the ctrl flag so that we don't have spurious collection of
2147 	 * audit information.
2148 	 */
2149 	tad->tad_scid  = 0;
2150 	tad->tad_event = 0;
2151 	tad->tad_evmod = 0;
2152 	tad->tad_ctrl  = 0;
2153 }
2154 
2155 /*
2156  * ROUTINE:	AUDIT_SEC_ATTRIBUTES
2157  * PURPOSE:	Add security attributes
2158  * CALLBY:	AUDIT_ATTRIBUTES
2159  *		AUDIT_CLOSEF
2160  *		AUS_CLOSE
2161  * NOTE:
2162  * TODO:
2163  * QUESTION:
2164  */
2165 
2166 void
2167 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2168 {
2169 	/* Dump the SL */
2170 	if (is_system_labeled()) {
2171 		ts_label_t	*tsl;
2172 		bslabel_t	*bsl;
2173 
2174 		tsl = getflabel(vp);
2175 		if (tsl == NULL)
2176 			return;			/* nothing else to do */
2177 
2178 		bsl = label2bslabel(tsl);
2179 		if (bsl == NULL)
2180 			return;			/* nothing else to do */
2181 		au_write(ad, au_to_label(bsl));
2182 		label_rele(tsl);
2183 	}
2184 
2185 }	/* AUDIT_SEC_ATTRIBUTES */
2186