xref: /illumos-gate/usr/src/uts/common/c2/audit.c (revision 6d02032db7b674f185405d42cc8bf10a46a9ab3a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the audit hook support code for auditing.
28  */
29 
30 #include <sys/types.h>
31 #include <sys/proc.h>
32 #include <sys/vnode.h>
33 #include <sys/vfs.h>
34 #include <sys/file.h>
35 #include <sys/user.h>
36 #include <sys/stropts.h>
37 #include <sys/systm.h>
38 #include <sys/pathname.h>
39 #include <sys/syscall.h>
40 #include <sys/fcntl.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/msg_impl.h>
43 #include <sys/sem_impl.h>
44 #include <sys/shm_impl.h>
45 #include <sys/kmem.h>		/* for KM_SLEEP */
46 #include <sys/socket.h>
47 #include <sys/cmn_err.h>	/* snprintf... */
48 #include <sys/debug.h>
49 #include <sys/thread.h>
50 #include <netinet/in.h>
51 #include <c2/audit.h>		/* needs to be included before user.h */
52 #include <c2/audit_kernel.h>	/* for M_DONTWAIT */
53 #include <c2/audit_kevents.h>
54 #include <c2/audit_record.h>
55 #include <sys/strsubr.h>
56 #include <sys/tihdr.h>
57 #include <sys/tiuser.h>
58 #include <sys/timod.h>
59 #include <sys/model.h>		/* for model_t */
60 #include <sys/disp.h>		/* for servicing_interrupt() */
61 #include <sys/devpolicy.h>
62 #include <sys/crypto/ioctladmin.h>
63 #include <sys/cred.h>
64 #include <inet/kssl/kssl.h>
65 #include <net/pfpolicy.h>
66 
67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68 
69 static void audit_pathbuild(struct pathname *pnp);
70 
71 
72 /*
73  * ROUTINE:	AUDIT_SAVEPATH
74  * PURPOSE:
75  * CALLBY:	LOOKUPPN
76  *
77  * NOTE:	We have reached the end of a path in fs/lookup.c.
78  *		We get two pieces of information here:
79  *		the vnode of the last component (vp) and
80  *		the status of the last access (flag).
81  * TODO:
82  * QUESTION:
83  */
84 
85 /*ARGSUSED*/
86 int
87 audit_savepath(
88 	struct pathname *pnp,		/* pathname to lookup */
89 	struct vnode *vp,		/* vnode of the last component */
90 	int    flag,			/* status of the last access */
91 	cred_t *cr)			/* cred of requestor */
92 {
93 
94 	t_audit_data_t *tad;	/* current thread */
95 	au_kcontext_t	*kctx = GET_KCTX_PZ;
96 
97 	tad = U2A(u);
98 
99 	/*
100 	 * this event being audited or do we need path information
101 	 * later? This might be for a chdir/chroot or open (add path
102 	 * to file pointer. If the path has already been found for an
103 	 * open/creat then we don't need to process the path.
104 	 *
105 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
106 	 *	chroot, chdir, open, creat system call processing. It determines
107 	 *	if audit_savepath() will discard the path or we need it later.
108 	 * PAD_PATHFND means path already included in this audit record. It
109 	 *	is used in cases where multiple path lookups are done per
110 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
111 	 *	paths are allowed.
112 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
113 	 *	exit processing to inhibit any paths that may be added due to
114 	 *	closes.
115 	 */
116 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
117 	    ((tad->tad_ctrl & PAD_PATHFND) &&
118 	    !(kctx->auk_policy & AUDIT_PATH)) ||
119 	    (tad->tad_ctrl & PAD_NOPATH)) {
120 		return (0);
121 	}
122 
123 	tad->tad_ctrl |= PAD_NOPATH;		/* prevent possible reentry */
124 
125 	audit_pathbuild(pnp);
126 	tad->tad_vn = vp;
127 
128 	/*
129 	 * are we auditing only if error, or if it is not open or create
130 	 * otherwise audit_setf will do it
131 	 */
132 
133 	if (tad->tad_flag) {
134 		if (flag &&
135 		    (tad->tad_scid == SYS_open ||
136 		    tad->tad_scid == SYS_open64 ||
137 		    tad->tad_scid == SYS_openat ||
138 		    tad->tad_scid == SYS_openat64)) {
139 			tad->tad_ctrl |= PAD_TRUE_CREATE;
140 		}
141 
142 		/* add token to audit record for this name */
143 		au_uwrite(au_to_path(tad->tad_aupath));
144 
145 		/* add the attributes of the object */
146 		if (vp) {
147 			/*
148 			 * only capture attributes when there is no error
149 			 * lookup will not return the vnode of the failing
150 			 * component.
151 			 *
152 			 * if there was a lookup error, then don't add
153 			 * attribute. if lookup in vn_create(),
154 			 * then don't add attribute,
155 			 * it will be added at end of vn_create().
156 			 */
157 			if (!flag && !(tad->tad_ctrl & PAD_NOATTRB))
158 				audit_attributes(vp);
159 		}
160 	}
161 
162 	/* free up space if we're not going to save path (open, creat) */
163 	if ((tad->tad_ctrl & PAD_SAVPATH) == 0) {
164 		if (tad->tad_aupath != NULL) {
165 			au_pathrele(tad->tad_aupath);
166 			tad->tad_aupath = NULL;
167 			tad->tad_vn = NULL;
168 		}
169 	}
170 	if (tad->tad_ctrl & PAD_MLD)
171 		tad->tad_ctrl |= PAD_PATHFND;
172 
173 	tad->tad_ctrl &= ~PAD_NOPATH;		/* restore */
174 	return (0);
175 }
176 
177 static void
178 audit_pathbuild(struct pathname *pnp)
179 {
180 	char *pp;	/* pointer to path */
181 	int len;	/* length of incoming segment */
182 	int newsect;	/* path requires a new section */
183 	struct audit_path	*pfxapp;	/* prefix for path */
184 	struct audit_path	*newapp;	/* new audit_path */
185 	t_audit_data_t *tad;	/* current thread */
186 	p_audit_data_t *pad;	/* current process */
187 
188 	tad = U2A(u);
189 	ASSERT(tad != NULL);
190 	pad = P2A(curproc);
191 	ASSERT(pad != NULL);
192 
193 	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
194 	ASSERT(len > 0);
195 
196 	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
197 	mutex_enter(&pad->pad_lock);
198 	if (tad->tad_aupath != NULL) {
199 		pfxapp = tad->tad_aupath;
200 	} else if ((tad->tad_ctrl & PAD_ATCALL) && pnp->pn_buf[0] != '/') {
201 		ASSERT(tad->tad_atpath != NULL);
202 		pfxapp = tad->tad_atpath;
203 	} else if (tad->tad_ctrl & PAD_ABSPATH) {
204 		pfxapp = pad->pad_root;
205 	} else {
206 		pfxapp = pad->pad_cwd;
207 	}
208 	au_pathhold(pfxapp);
209 	mutex_exit(&pad->pad_lock);
210 
211 	/* get an expanded buffer to hold the anchored path */
212 	newsect = tad->tad_ctrl & PAD_ATTPATH;
213 	newapp = au_pathdup(pfxapp, newsect, len);
214 	au_pathrele(pfxapp);
215 
216 	pp = newapp->audp_sect[newapp->audp_cnt] - len;
217 	if (!newsect) {
218 		/* overlay previous NUL terminator */
219 		*(pp - 1) = '/';
220 	}
221 
222 	/* now add string of processed path */
223 	bcopy(pnp->pn_buf, pp, len);
224 	pp[len - 1] = '\0';
225 
226 	/* perform path simplification as necessary */
227 	audit_fixpath(newapp, len);
228 
229 	if (tad->tad_aupath)
230 		au_pathrele(tad->tad_aupath);
231 	tad->tad_aupath = newapp;
232 
233 	/* for case where multiple lookups in one syscall (rename) */
234 	tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATTPATH);
235 }
236 
237 
238 
239 /*ARGSUSED*/
240 
241 /*
242  * ROUTINE:	AUDIT_ADDCOMPONENT
243  * PURPOSE:	extend the path by the component accepted
244  * CALLBY:	LOOKUPPN
245  * NOTE:	This function is called only when there is an error in
246  *		parsing a path component
247  * TODO:	Add the error component to audit record
248  * QUESTION:	what is this for
249  */
250 
251 void
252 audit_addcomponent(struct pathname *pnp)
253 {
254 	au_kcontext_t	*kctx = GET_KCTX_PZ;
255 	t_audit_data_t *tad;
256 
257 	tad = U2A(u);
258 	/*
259 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
260 	 *	chroot, chdir, open, creat system call processing. It determines
261 	 *	if audit_savepath() will discard the path or we need it later.
262 	 * PAD_PATHFND means path already included in this audit record. It
263 	 *	is used in cases where multiple path lookups are done per
264 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
265 	 *	paths are allowed.
266 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
267 	 *	exit processing to inhibit any paths that may be added due to
268 	 *	closes.
269 	 */
270 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
271 	    ((tad->tad_ctrl & PAD_PATHFND) &&
272 	    !(kctx->auk_policy & AUDIT_PATH)) ||
273 	    (tad->tad_ctrl & PAD_NOPATH)) {
274 		return;
275 	}
276 
277 	return;
278 
279 }	/* AUDIT_ADDCOMPONENT */
280 
281 
282 /*
283  * ROUTINE:	AUDIT_ANCHORPATH
284  * PURPOSE:
285  * CALLBY:	LOOKUPPN
286  * NOTE:
287  * anchor path at "/". We have seen a symbolic link or entering for the
288  * first time we will throw away any saved path if path is anchored.
289  *
290  * flag = 0, path is relative.
291  * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH.
292  *
293  * If the (new) path is absolute, then we have to throw away whatever we have
294  * already accumulated since it is being superseded by new path which is
295  * anchored at the root.
296  *		Note that if the path is relative, this function does nothing
297  * TODO:
298  * QUESTION:
299  */
300 /*ARGSUSED*/
301 void
302 audit_anchorpath(struct pathname *pnp, int flag)
303 {
304 	au_kcontext_t	*kctx = GET_KCTX_PZ;
305 	t_audit_data_t *tad;
306 
307 	tad = U2A(u);
308 
309 	/*
310 	 * this event being audited or do we need path information
311 	 * later? This might be for a chdir/chroot or open (add path
312 	 * to file pointer. If the path has already been found for an
313 	 * open/creat then we don't need to process the path.
314 	 *
315 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
316 	 *	chroot, chdir, open, creat system call processing. It determines
317 	 *	if audit_savepath() will discard the path or we need it later.
318 	 * PAD_PATHFND means path already included in this audit record. It
319 	 *	is used in cases where multiple path lookups are done per
320 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
321 	 *	paths are allowed.
322 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
323 	 *	exit processing to inhibit any paths that may be added due to
324 	 *	closes.
325 	 */
326 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
327 	    ((tad->tad_ctrl & PAD_PATHFND) &&
328 	    !(kctx->auk_policy & AUDIT_PATH)) ||
329 	    (tad->tad_ctrl & PAD_NOPATH)) {
330 		return;
331 	}
332 
333 	if (flag) {
334 		tad->tad_ctrl |= PAD_ABSPATH;
335 		if (tad->tad_aupath != NULL) {
336 			au_pathrele(tad->tad_aupath);
337 			tad->tad_aupath = NULL;
338 			tad->tad_vn = NULL;
339 		}
340 	}
341 }
342 
343 
344 /*
345  * symbolic link. Save previous components.
346  *
347  * the path seen so far looks like this
348  *
349  *  +-----------------------+----------------+
350  *  | path processed so far | remaining path |
351  *  +-----------------------+----------------+
352  *  \-----------------------/
353  *	save this string if
354  *	symbolic link relative
355  *	(but don't include  symlink component)
356  */
357 
358 /*ARGSUSED*/
359 
360 
361 /*
362  * ROUTINE:	AUDIT_SYMLINK
363  * PURPOSE:
364  * CALLBY:	LOOKUPPN
365  * NOTE:
366  * TODO:
367  * QUESTION:
368  */
369 void
370 audit_symlink(struct pathname *pnp, struct pathname *sympath)
371 {
372 	char *sp;	/* saved initial pp */
373 	char *cp;	/* start of symlink path */
374 	uint_t len_path;	/* processed path before symlink */
375 	t_audit_data_t *tad;
376 	au_kcontext_t	*kctx = GET_KCTX_PZ;
377 
378 	tad = U2A(u);
379 
380 	/*
381 	 * this event being audited or do we need path information
382 	 * later? This might be for a chdir/chroot or open (add path
383 	 * to file pointer. If the path has already been found for an
384 	 * open/creat then we don't need to process the path.
385 	 *
386 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
387 	 *	chroot, chdir, open, creat system call processing. It determines
388 	 *	if audit_savepath() will discard the path or we need it later.
389 	 * PAD_PATHFND means path already included in this audit record. It
390 	 *	is used in cases where multiple path lookups are done per
391 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
392 	 *	paths are allowed.
393 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
394 	 *	exit processing to inhibit any paths that may be added due to
395 	 *	closes.
396 	 */
397 	if ((tad->tad_flag == 0 &&
398 	    !(tad->tad_ctrl & PAD_SAVPATH)) ||
399 	    ((tad->tad_ctrl & PAD_PATHFND) &&
400 	    !(kctx->auk_policy & AUDIT_PATH)) ||
401 	    (tad->tad_ctrl & PAD_NOPATH)) {
402 		return;
403 	}
404 
405 	/*
406 	 * if symbolic link is anchored at / then do nothing.
407 	 * When we cycle back to begin: in lookuppn() we will
408 	 * call audit_anchorpath() with a flag indicating if the
409 	 * path is anchored at / or is relative. We will release
410 	 * any saved path at that point.
411 	 *
412 	 * Note In the event that an error occurs in pn_combine then
413 	 * we want to remain pointing at the component that caused the
414 	 * path to overflow the pnp structure.
415 	 */
416 	if (sympath->pn_buf[0] == '/')
417 		return;
418 
419 	/* backup over last component */
420 	sp = cp = pnp->pn_path;
421 	while (*--cp != '/' && cp > pnp->pn_buf)
422 		;
423 
424 	len_path = cp - pnp->pn_buf;
425 
426 	/* is there anything to save? */
427 	if (len_path) {
428 		pnp->pn_path = pnp->pn_buf;
429 		audit_pathbuild(pnp);
430 		pnp->pn_path = sp;
431 	}
432 }
433 
434 /*
435  * file_is_public : determine whether events for the file (corresponding to
436  * 			the specified file attr) should be audited or ignored.
437  *
438  * returns: 	1 - if audit policy and file attributes indicate that
439  *			file is effectively public. read events for
440  *			the file should not be audited.
441  *		0 - otherwise
442  *
443  * The required attributes to be considered a public object are:
444  * - owned by root, AND
445  * - world-readable (permissions for other include read), AND
446  * - NOT world-writeable (permissions for other don't
447  *	include write)
448  *   (mode doesn't need to be checked for symlinks)
449  */
450 int
451 file_is_public(struct vattr *attr)
452 {
453 	au_kcontext_t	*kctx = GET_KCTX_PZ;
454 
455 	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
456 	    ((attr->va_type == VLNK) ||
457 	    ((attr->va_mode & (VREAD>>6)) != 0) &&
458 	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
459 		return (1);
460 	}
461 	return (0);
462 }
463 
464 
465 /*
466  * ROUTINE:	AUDIT_ATTRIBUTES
467  * PURPOSE:	Audit the attributes so we can tell why the error occurred
468  * CALLBY:	AUDIT_SAVEPATH
469  *		AUDIT_VNCREATE_FINISH
470  *		AUS_FCHOWN...audit_event.c...audit_path.c
471  * NOTE:
472  * TODO:
473  * QUESTION:
474  */
475 void
476 audit_attributes(struct vnode *vp)
477 {
478 	struct vattr attr;
479 	struct t_audit_data *tad;
480 
481 	tad = U2A(u);
482 
483 	if (vp) {
484 		attr.va_mask = AT_ALL;
485 		if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
486 			return;
487 
488 		if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) {
489 			/*
490 			 * This is a public object and a "public" event
491 			 * (i.e., read only) -- either by definition
492 			 * (e.g., stat, access...) or by virtue of write access
493 			 * not being requested (e.g. mmap).
494 			 * Flag it in the tad to prevent this audit at the end.
495 			 */
496 			tad->tad_ctrl |= PAD_NOAUDIT;
497 		} else {
498 			au_uwrite(au_to_attr(&attr));
499 			audit_sec_attributes(&(u_ad), vp);
500 		}
501 	}
502 }
503 
504 
505 /*
506  * ROUTINE:	AUDIT_EXIT
507  * PURPOSE:
508  * CALLBY:	EXIT
509  * NOTE:
510  * TODO:
511  * QUESTION:	why cmw code as offset by 2 but not here
512  */
513 /* ARGSUSED */
514 void
515 audit_exit(int code, int what)
516 {
517 	struct t_audit_data *tad;
518 	tad = U2A(u);
519 
520 	/*
521 	 * tad_scid will be set by audit_start even if we are not auditing
522 	 * the event.
523 	 */
524 	if (tad->tad_scid == SYS_exit) {
525 		/*
526 		 * if we are auditing the exit system call, then complete
527 		 * audit record generation (no return from system call).
528 		 */
529 		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
530 			audit_finish(0, SYS_exit, 0, 0);
531 		return;
532 	}
533 
534 	/*
535 	 * Anyone auditing the system call that was aborted?
536 	 */
537 	if (tad->tad_flag) {
538 		au_uwrite(au_to_text("event aborted"));
539 		audit_finish(0, tad->tad_scid, 0, 0);
540 	}
541 
542 	/*
543 	 * Generate an audit record for process exit if preselected.
544 	 */
545 	(void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
546 	audit_finish(0, SYS_exit, 0, 0);
547 }
548 
549 /*
550  * ROUTINE:	AUDIT_CORE_START
551  * PURPOSE:
552  * CALLBY: 	PSIG
553  * NOTE:
554  * TODO:
555  */
556 void
557 audit_core_start(int sig)
558 {
559 	au_event_t event;
560 	au_state_t estate;
561 	t_audit_data_t *tad;
562 	au_kcontext_t	*kctx;
563 
564 	tad = U2A(u);
565 
566 	ASSERT(tad != (t_audit_data_t *)0);
567 
568 	ASSERT(tad->tad_scid == 0);
569 	ASSERT(tad->tad_event == 0);
570 	ASSERT(tad->tad_evmod == 0);
571 	ASSERT(tad->tad_ctrl == 0);
572 	ASSERT(tad->tad_flag == 0);
573 	ASSERT(tad->tad_aupath == NULL);
574 
575 	kctx = GET_KCTX_PZ;
576 
577 	/* get basic event for system call */
578 	event = AUE_CORE;
579 	estate = kctx->auk_ets[event];
580 
581 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
582 		return;
583 
584 	/* reset the flags for non-user attributable events */
585 	tad->tad_ctrl   = PAD_CORE;
586 	tad->tad_scid   = 0;
587 
588 	/* if auditing not enabled, then don't generate an audit record */
589 
590 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
591 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
592 	    kctx->auk_auditstate == AUC_NOSPACE)) {
593 		tad->tad_flag = 0;
594 		tad->tad_ctrl = 0;
595 		return;
596 	}
597 
598 	tad->tad_event  = event;
599 	tad->tad_evmod  = 0;
600 
601 	ASSERT(tad->tad_ad == NULL);
602 
603 	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
604 }
605 
606 /*
607  * ROUTINE:	AUDIT_CORE_FINISH
608  * PURPOSE:
609  * CALLBY:	PSIG
610  * NOTE:
611  * TODO:
612  * QUESTION:
613  */
614 
615 /*ARGSUSED*/
616 void
617 audit_core_finish(int code)
618 {
619 	int flag;
620 	t_audit_data_t *tad;
621 	au_kcontext_t	*kctx;
622 
623 	tad = U2A(u);
624 
625 	ASSERT(tad != (t_audit_data_t *)0);
626 
627 	if ((flag = tad->tad_flag) == 0) {
628 		tad->tad_event = 0;
629 		tad->tad_evmod = 0;
630 		tad->tad_ctrl  = 0;
631 		ASSERT(tad->tad_aupath == NULL);
632 		return;
633 	}
634 	tad->tad_flag = 0;
635 
636 	kctx = GET_KCTX_PZ;
637 
638 	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
639 	if (flag = audit_success(kctx, tad, 0, NULL)) {
640 		cred_t *cr = CRED();
641 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
642 
643 		ASSERT(ainfo != NULL);
644 
645 		/*
646 		 * Add subject information (no locks since our private copy of
647 		 * credential
648 		 */
649 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
650 
651 		/* Add a return token (should use f argument) */
652 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
653 
654 		AS_INC(as_generated, 1, kctx);
655 		AS_INC(as_kernel, 1, kctx);
656 	}
657 
658 	/* Close up everything */
659 	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
660 
661 	/* free up any space remaining with the path's */
662 	if (tad->tad_aupath != NULL) {
663 		au_pathrele(tad->tad_aupath);
664 		tad->tad_aupath = NULL;
665 		tad->tad_vn = NULL;
666 	}
667 	tad->tad_event = 0;
668 	tad->tad_evmod = 0;
669 	tad->tad_ctrl  = 0;
670 }
671 
672 /*ARGSUSED*/
673 void
674 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp)
675 {
676 }
677 
678 /*ARGSUSED*/
679 void
680 audit_strclose(struct vnode *vp, int flag, cred_t *crp)
681 {
682 }
683 
684 /*ARGSUSED*/
685 void
686 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag,
687     int copyflag, cred_t *crp, int *rvalp)
688 {
689 }
690 
691 
692 /*ARGSUSED*/
693 void
694 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
695     unsigned char *pri, int *flag, int fmode)
696 {
697 	struct stdata *stp;
698 	t_audit_data_t *tad = U2A(u);
699 
700 	ASSERT(tad != (t_audit_data_t *)0);
701 
702 	stp = vp->v_stream;
703 
704 	/* lock stdata from audit_sock */
705 	mutex_enter(&stp->sd_lock);
706 
707 	/* proceed ONLY if user is being audited */
708 	if (!tad->tad_flag) {
709 		/*
710 		 * this is so we will not add audit data onto
711 		 * a thread that is not being audited.
712 		 */
713 		stp->sd_t_audit_data = NULL;
714 		mutex_exit(&stp->sd_lock);
715 		return;
716 	}
717 
718 	stp->sd_t_audit_data = (caddr_t)curthread;
719 	mutex_exit(&stp->sd_lock);
720 }
721 
722 /*ARGSUSED*/
723 void
724 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
725     unsigned char pri, int flag, int fmode)
726 {
727 	struct stdata *stp;
728 	t_audit_data_t *tad = U2A(u);
729 
730 	ASSERT(tad != (t_audit_data_t *)0);
731 
732 	stp = vp->v_stream;
733 
734 	/* lock stdata from audit_sock */
735 	mutex_enter(&stp->sd_lock);
736 
737 	/* proceed ONLY if user is being audited */
738 	if (!tad->tad_flag) {
739 		/*
740 		 * this is so we will not add audit data onto
741 		 * a thread that is not being audited.
742 		 */
743 		stp->sd_t_audit_data = NULL;
744 		mutex_exit(&stp->sd_lock);
745 		return;
746 	}
747 
748 	stp->sd_t_audit_data = (caddr_t)curthread;
749 	mutex_exit(&stp->sd_lock);
750 }
751 
752 /*
753  * ROUTINE:	AUDIT_CLOSEF
754  * PURPOSE:
755  * CALLBY:	CLOSEF
756  * NOTE:
757  * release per file audit resources when file structure is being released.
758  *
759  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
760  *	on the audit queue if it becomes full. This means
761  *	audit_closef can not be called when f_count == 0. Since
762  *	f_count == 0 indicates the file structure is free, another
763  *	process could attempt to use the file while we were still
764  *	asleep waiting on the audit queue. This would cause the
765  *	per file audit data to be corrupted when we finally do
766  *	wakeup.
767  * TODO:
768  * QUESTION:
769  */
770 
771 void
772 audit_closef(struct file *fp)
773 {	/* AUDIT_CLOSEF */
774 	f_audit_data_t *fad;
775 	t_audit_data_t *tad;
776 	int success;
777 	au_state_t estate;
778 	struct vnode *vp;
779 	token_t *ad = NULL;
780 	struct vattr attr;
781 	au_emod_t evmod = 0;
782 	const auditinfo_addr_t *ainfo;
783 	int getattr_ret;
784 	cred_t *cr;
785 	au_kcontext_t	*kctx = GET_KCTX_PZ;
786 	uint32_t auditing;
787 
788 	fad = F2A(fp);
789 	estate = kctx->auk_ets[AUE_CLOSE];
790 	tad = U2A(u);
791 	cr = CRED();
792 
793 	/* audit record already generated by system call envelope */
794 	if (tad->tad_event == AUE_CLOSE) {
795 		/* so close audit event will have bits set */
796 		tad->tad_evmod |= (au_emod_t)fad->fad_flags;
797 		return;
798 	}
799 
800 	/* if auditing not enabled, then don't generate an audit record */
801 	auditing = (tad->tad_audit == AUC_UNSET) ?
802 	    kctx->auk_auditstate : tad->tad_audit;
803 	if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
804 		return;
805 
806 	ainfo = crgetauinfo(cr);
807 	if (ainfo == NULL)
808 		return;
809 
810 	success = ainfo->ai_mask.as_success & estate;
811 
812 	/* not selected for this event */
813 	if (success == 0)
814 		return;
815 
816 	/*
817 	 * can't use audit_attributes here since we use a private audit area
818 	 * to build the audit record instead of the one off the thread.
819 	 */
820 	if ((vp = fp->f_vnode) != NULL) {
821 		attr.va_mask = AT_ALL;
822 		getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL);
823 	}
824 
825 	/*
826 	 * When write was not used and the file can be considered public,
827 	 * then skip the audit.
828 	 */
829 	if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) {
830 		if (file_is_public(&attr)) {
831 			return;
832 		}
833 	}
834 
835 	evmod = (au_emod_t)fad->fad_flags;
836 	if (fad->fad_aupath != NULL) {
837 		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
838 	} else {
839 #ifdef _LP64
840 		au_write((caddr_t *)&(ad), au_to_arg64(
841 			1, "no path: fp", (uint64_t)fp));
842 #else
843 		au_write((caddr_t *)&(ad), au_to_arg32(
844 			1, "no path: fp", (uint32_t)fp));
845 #endif
846 	}
847 
848 	if (getattr_ret == 0) {
849 		au_write((caddr_t *)&(ad), au_to_attr(&attr));
850 		audit_sec_attributes((caddr_t *)&(ad), vp);
851 	}
852 
853 	/* Add subject information */
854 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
855 
856 	/* add a return token */
857 	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
858 
859 	AS_INC(as_generated, 1, kctx);
860 	AS_INC(as_kernel, 1, kctx);
861 
862 	/*
863 	 * Close up everything
864 	 * Note: path space recovery handled by normal system
865 	 * call envelope if not at last close.
866 	 * Note there is no failure at this point since
867 	 *   this represents closes due to exit of process,
868 	 *   thus we always indicate successful closes.
869 	 */
870 	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
871 	    AUE_CLOSE, evmod, NULL);
872 }
873 
874 /*
875  * ROUTINE:	AUDIT_SET
876  * PURPOSE:	Audit the file path and file attributes.
877  * CALLBY:	SETF
878  * NOTE:	SETF associate a file pointer with user area's open files.
879  * TODO:
880  * call audit_finish directly ???
881  * QUESTION:
882  */
883 
884 /*ARGSUSED*/
885 void
886 audit_setf(file_t *fp, int fd)
887 {
888 	f_audit_data_t *fad;
889 	t_audit_data_t *tad;
890 
891 	if (fp == NULL)
892 		return;
893 
894 	tad = T2A(curthread);
895 	fad = F2A(fp);
896 
897 	if (!(tad->tad_scid == SYS_open ||
898 	    tad->tad_scid == SYS_open64 ||
899 	    tad->tad_scid == SYS_openat ||
900 	    tad->tad_scid == SYS_openat64))
901 		return;
902 
903 	/* no path */
904 	if (tad->tad_aupath == 0)
905 		return;
906 
907 	/*
908 	 * assign path information associated with file audit data
909 	 * use tad hold
910 	 */
911 	fad->fad_aupath = tad->tad_aupath;
912 	tad->tad_aupath = NULL;
913 	tad->tad_vn = NULL;
914 
915 	if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) {
916 		/* adjust event type by dropping the 'creat' part */
917 		switch (tad->tad_event) {
918 		case AUE_OPEN_RC:
919 			tad->tad_event = AUE_OPEN_R;
920 			tad->tad_ctrl |= PAD_PUBLIC_EV;
921 			break;
922 		case AUE_OPEN_RTC:
923 			tad->tad_event = AUE_OPEN_RT;
924 			break;
925 		case AUE_OPEN_WC:
926 			tad->tad_event = AUE_OPEN_W;
927 			break;
928 		case AUE_OPEN_WTC:
929 			tad->tad_event = AUE_OPEN_WT;
930 			break;
931 		case AUE_OPEN_RWC:
932 			tad->tad_event = AUE_OPEN_RW;
933 			break;
934 		case AUE_OPEN_RWTC:
935 			tad->tad_event = AUE_OPEN_RWT;
936 			break;
937 		default:
938 			break;
939 		}
940 	}
941 }
942 
943 
944 /*
945  * ROUTINE:	AUDIT_COPEN
946  * PURPOSE:
947  * CALLBY:	COPEN
948  * NOTE:
949  * TODO:
950  * QUESTION:
951  */
952 /*ARGSUSED*/
953 void
954 audit_copen(int fd, file_t *fp, vnode_t *vp)
955 {
956 }
957 
958 void
959 audit_ipc(int type, int id, void *vp)
960 {
961 	/* if not auditing this event, then do nothing */
962 	if (ad_flag == 0)
963 		return;
964 
965 	switch (type) {
966 	case AT_IPC_MSG:
967 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
968 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
969 		break;
970 	case AT_IPC_SEM:
971 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
972 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
973 		break;
974 	case AT_IPC_SHM:
975 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
976 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
977 		break;
978 	}
979 }
980 
981 void
982 audit_ipcget(int type, void *vp)
983 {
984 	/* if not auditing this event, then do nothing */
985 	if (ad_flag == 0)
986 		return;
987 
988 	switch (type) {
989 	case NULL:
990 		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
991 		break;
992 	case AT_IPC_MSG:
993 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
994 		break;
995 	case AT_IPC_SEM:
996 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
997 		break;
998 	case AT_IPC_SHM:
999 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1000 		break;
1001 	}
1002 }
1003 
1004 /*
1005  * ROUTINE:	AUDIT_REBOOT
1006  * PURPOSE:
1007  * CALLBY:
1008  * NOTE:
1009  * At this point we know that the system call reboot will not return. We thus
1010  * have to complete the audit record generation and put it onto the queue.
1011  * This might be fairly useless if the auditing daemon is already dead....
1012  * TODO:
1013  * QUESTION:	who calls audit_reboot
1014  */
1015 
1016 void
1017 audit_reboot(void)
1018 {
1019 	int flag;
1020 	t_audit_data_t *tad;
1021 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1022 
1023 	tad = U2A(u);
1024 
1025 	/* if not auditing this event, then do nothing */
1026 	if (tad->tad_flag == 0)
1027 		return;
1028 
1029 	/* do preselection on success/failure */
1030 	if (flag = audit_success(kctx, tad, 0, NULL)) {
1031 		/* add a process token */
1032 
1033 		cred_t *cr = CRED();
1034 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1035 
1036 		if (ainfo == NULL)
1037 			return;
1038 
1039 		/* Add subject information */
1040 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
1041 
1042 		/* add a return token */
1043 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
1044 
1045 		AS_INC(as_generated, 1, kctx);
1046 		AS_INC(as_kernel, 1, kctx);
1047 	}
1048 
1049 	/*
1050 	 * Flow control useless here since we're going
1051 	 * to drop everything in the queue anyway. Why
1052 	 * block and wait. There aint anyone left alive to
1053 	 * read the records remaining anyway.
1054 	 */
1055 
1056 	/* Close up everything */
1057 	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1058 	    tad->tad_event, tad->tad_evmod, NULL);
1059 }
1060 
1061 void
1062 audit_setfsat_path(int argnum)
1063 {
1064 	klwp_id_t clwp = ttolwp(curthread);
1065 	struct file  *fp;
1066 	uint32_t fd;
1067 	t_audit_data_t *tad;
1068 	struct f_audit_data *fad;
1069 	p_audit_data_t *pad;	/* current process */
1070 	struct a {
1071 		long arg1;
1072 		long arg2;
1073 		long arg3;
1074 		long arg4;
1075 		long arg5;
1076 	} *uap;
1077 
1078 	if (clwp == NULL)
1079 		return;
1080 	uap = (struct a *)clwp->lwp_ap;
1081 
1082 	tad = U2A(u);
1083 	ASSERT(tad != NULL);
1084 
1085 	switch (tad->tad_scid) {
1086 	case SYS_faccessat:
1087 	case SYS_fchownat:
1088 	case SYS_fstatat:
1089 	case SYS_fstatat64:
1090 	case SYS_openat:
1091 	case SYS_openat64:
1092 	case SYS_unlinkat:
1093 		fd = uap->arg1;
1094 		break;
1095 	case SYS_renameat:
1096 		if (argnum == 3)
1097 			fd = uap->arg3;
1098 		else
1099 			fd = uap->arg1;
1100 		break;
1101 	case SYS_utimesys:
1102 		fd = uap->arg2;
1103 		break;
1104 	default:
1105 		return;
1106 	}
1107 
1108 	if (tad->tad_atpath != NULL) {
1109 		au_pathrele(tad->tad_atpath);
1110 		tad->tad_atpath = NULL;
1111 	}
1112 	if (fd != AT_FDCWD) {
1113 		if ((fp = getf(fd)) == NULL) {
1114 			tad->tad_ctrl |= PAD_NOPATH;
1115 			return;
1116 		}
1117 		fad = F2A(fp);
1118 		ASSERT(fad);
1119 		if (fad->fad_aupath == NULL) {
1120 			tad->tad_ctrl |= PAD_NOPATH;
1121 			releasef(fd);
1122 			return;
1123 		}
1124 		au_pathhold(fad->fad_aupath);
1125 		tad->tad_atpath = fad->fad_aupath;
1126 		releasef(fd);
1127 	} else {
1128 		pad = P2A(curproc);
1129 		mutex_enter(&pad->pad_lock);
1130 		au_pathhold(pad->pad_cwd);
1131 		tad->tad_atpath = pad->pad_cwd;
1132 		mutex_exit(&pad->pad_lock);
1133 	}
1134 }
1135 
1136 void
1137 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1138 {
1139 	t_audit_data_t *tad;
1140 	vnode_t	*vp;
1141 
1142 	tad = U2A(u);
1143 
1144 	/* if not auditing this event, then do nothing */
1145 	if (tad->tad_flag == 0)
1146 		return;
1147 
1148 	au_uwrite(au_to_text(target));
1149 
1150 	if (error)
1151 		return;
1152 
1153 	error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1154 	    NULL, NULL, NULL);
1155 	if (error == 0) {
1156 		audit_attributes(vp);
1157 		VN_RELE(vp);
1158 	}
1159 }
1160 
1161 /*
1162  * ROUTINE:	AUDIT_VNCREATE_START
1163  * PURPOSE:	set flag so path name lookup in create will not add attribute
1164  * CALLBY:	VN_CREATE
1165  * NOTE:
1166  * TODO:
1167  * QUESTION:
1168  */
1169 
1170 void
1171 audit_vncreate_start()
1172 {
1173 	t_audit_data_t *tad;
1174 
1175 	tad = U2A(u);
1176 	tad->tad_ctrl |= PAD_NOATTRB;
1177 }
1178 
1179 /*
1180  * ROUTINE:	AUDIT_VNCREATE_FINISH
1181  * PURPOSE:
1182  * CALLBY:	VN_CREATE
1183  * NOTE:
1184  * TODO:
1185  * QUESTION:
1186  */
1187 void
1188 audit_vncreate_finish(struct vnode *vp, int error)
1189 {
1190 	t_audit_data_t *tad;
1191 
1192 	if (error)
1193 		return;
1194 
1195 	tad = U2A(u);
1196 
1197 	/* if not auditing this event, then do nothing */
1198 	if (tad->tad_flag == 0)
1199 		return;
1200 
1201 	if (tad->tad_ctrl & PAD_TRUE_CREATE) {
1202 		audit_attributes(vp);
1203 	}
1204 
1205 	if (tad->tad_ctrl & PAD_CORE) {
1206 		audit_attributes(vp);
1207 		tad->tad_ctrl &= ~PAD_CORE;
1208 	}
1209 
1210 	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1211 	    (tad->tad_event == AUE_MKDIR))) {
1212 		audit_attributes(vp);
1213 	}
1214 
1215 	/* for case where multiple lookups in one syscall (rename) */
1216 	tad->tad_ctrl &= ~PAD_NOATTRB;
1217 }
1218 
1219 
1220 
1221 
1222 
1223 
1224 
1225 
1226 /*
1227  * ROUTINE:	AUDIT_EXEC
1228  * PURPOSE:	Records the function arguments and environment variables
1229  * CALLBY:	EXEC_ARGS
1230  * NOTE:
1231  * TODO:
1232  * QUESTION:
1233  */
1234 
1235 /*ARGSUSED*/
1236 void
1237 audit_exec(
1238 	const char *argstr,	/* argument strings */
1239 	const char *envstr,	/* environment strings */
1240 	ssize_t argc,		/* total # arguments */
1241 	ssize_t envc)		/* total # environment variables */
1242 {
1243 	t_audit_data_t *tad;
1244 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1245 
1246 	tad = U2A(u);
1247 
1248 	/* if not auditing this event, then do nothing */
1249 	if (!tad->tad_flag)
1250 		return;
1251 
1252 	/* return if not interested in argv or environment variables */
1253 	if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE)))
1254 		return;
1255 
1256 	if (kctx->auk_policy & AUDIT_ARGV) {
1257 		au_uwrite(au_to_exec_args(argstr, argc));
1258 	}
1259 
1260 	if (kctx->auk_policy & AUDIT_ARGE) {
1261 		au_uwrite(au_to_exec_env(envstr, envc));
1262 	}
1263 }
1264 
1265 /*
1266  * ROUTINE:	AUDIT_ENTERPROM
1267  * PURPOSE:
1268  * CALLBY:	KBDINPUT
1269  *		ZSA_XSINT
1270  * NOTE:
1271  * TODO:
1272  * QUESTION:
1273  */
1274 void
1275 audit_enterprom(int flg)
1276 {
1277 	token_t *rp = NULL;
1278 	int sorf;
1279 
1280 	if (flg)
1281 		sorf = AUM_SUCC;
1282 	else
1283 		sorf = AUM_FAIL;
1284 
1285 	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1286 
1287 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1288 
1289 	if (flg)
1290 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1291 	else
1292 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1293 
1294 	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1295 }
1296 
1297 
1298 /*
1299  * ROUTINE:	AUDIT_EXITPROM
1300  * PURPOSE:
1301  * CALLBY:	KBDINPUT
1302  *		ZSA_XSINT
1303  * NOTE:
1304  * TODO:
1305  * QUESTION:
1306  */
1307 void
1308 audit_exitprom(int flg)
1309 {
1310 	int sorf;
1311 	token_t *rp = NULL;
1312 
1313 	if (flg)
1314 		sorf = AUM_SUCC;
1315 	else
1316 		sorf = AUM_FAIL;
1317 
1318 	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1319 
1320 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1321 
1322 	if (flg)
1323 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1324 	else
1325 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1326 
1327 	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1328 }
1329 
1330 struct fcntla {
1331 	int fdes;
1332 	int cmd;
1333 	intptr_t arg;
1334 };
1335 
1336 /*
1337  * ROUTINE:	AUDIT_C2_REVOKE
1338  * PURPOSE:
1339  * CALLBY:	FCNTL
1340  * NOTE:
1341  * TODO:
1342  * QUESTION:	are we keeping this func
1343  */
1344 
1345 /*ARGSUSED*/
1346 int
1347 audit_c2_revoke(struct fcntla *uap, rval_t *rvp)
1348 {
1349 	return (0);
1350 }
1351 
1352 
1353 /*
1354  * ROUTINE:	AUDIT_CHDIREC
1355  * PURPOSE:
1356  * CALLBY:	CHDIREC
1357  * NOTE:	The main function of CHDIREC
1358  * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1359  * QUESTION:
1360  */
1361 
1362 /*ARGSUSED*/
1363 void
1364 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1365 {
1366 	int		chdir;
1367 	int		fchdir;
1368 	struct audit_path	**appp;
1369 	struct file	*fp;
1370 	f_audit_data_t *fad;
1371 	p_audit_data_t *pad = P2A(curproc);
1372 	t_audit_data_t *tad = T2A(curthread);
1373 
1374 	struct a {
1375 		long fd;
1376 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1377 
1378 	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1379 		chdir = tad->tad_scid == SYS_chdir;
1380 		if (tad->tad_aupath) {
1381 			mutex_enter(&pad->pad_lock);
1382 			if (chdir)
1383 				appp = &(pad->pad_cwd);
1384 			else
1385 				appp = &(pad->pad_root);
1386 			au_pathrele(*appp);
1387 			/* use tad hold */
1388 			*appp = tad->tad_aupath;
1389 			tad->tad_aupath = NULL;
1390 			mutex_exit(&pad->pad_lock);
1391 		}
1392 	} else if ((tad->tad_scid == SYS_fchdir) ||
1393 	    (tad->tad_scid == SYS_fchroot)) {
1394 		fchdir = tad->tad_scid == SYS_fchdir;
1395 		if ((fp = getf(uap->fd)) == NULL)
1396 			return;
1397 		fad = F2A(fp);
1398 		if (fad->fad_aupath) {
1399 			au_pathhold(fad->fad_aupath);
1400 			mutex_enter(&pad->pad_lock);
1401 			if (fchdir)
1402 				appp = &(pad->pad_cwd);
1403 			else
1404 				appp = &(pad->pad_root);
1405 			au_pathrele(*appp);
1406 			*appp = fad->fad_aupath;
1407 			mutex_exit(&pad->pad_lock);
1408 			if (tad->tad_flag) {
1409 				au_uwrite(au_to_path(fad->fad_aupath));
1410 				audit_attributes(fp->f_vnode);
1411 			}
1412 		}
1413 		releasef(uap->fd);
1414 	}
1415 }
1416 
1417 /*
1418  * ROUTINE:	AUDIT_GETF
1419  * PURPOSE:
1420  * CALLBY:	GETF_INTERNAL
1421  * NOTE:	The main function of GETF_INTERNAL is to associate a given
1422  *		file descriptor with a file structure and increment the
1423  *		file pointer reference count.
1424  * TODO:	remove pass in of fpp.
1425  * increment a reference count so that even if a thread with same process delete
1426  * the same object, it will not panic our system
1427  * QUESTION:
1428  * where to decrement the f_count?????????????????
1429  * seems like I need to set a flag if f_count incremented through audit_getf
1430  */
1431 
1432 /*ARGSUSED*/
1433 int
1434 audit_getf(int fd)
1435 {
1436 #ifdef NOTYET
1437 	t_audit_data_t *tad;
1438 
1439 	tad = T2A(curthread);
1440 
1441 	if (!(tad->tad_scid == SYS_openat ||
1442 	    tad->tad_scid == SYS_openat64 ||
1443 	    tad->tad_scid == SYS_open ||
1444 	    tad->tad_scid == SYS_open64))
1445 		return (0);
1446 #endif
1447 	return (0);
1448 }
1449 
1450 /*
1451  *	Audit hook for stream based socket and tli request.
1452  *	Note that we do not have user context while executing
1453  *	this code so we had to record them earlier during the
1454  *	putmsg/getmsg to figure out which user we are dealing with.
1455  */
1456 
1457 /*ARGSUSED*/
1458 void
1459 audit_sock(
1460 	int type,	/* type of tihdr.h header requests */
1461 	queue_t *q,	/* contains the process and thread audit data */
1462 	mblk_t *mp,	/* contains the tihdr.h header structures */
1463 	int from)	/* timod or sockmod request */
1464 {
1465 	int32_t    len;
1466 	int32_t    offset;
1467 	struct sockaddr_in *sock_data;
1468 	struct T_conn_req *conn_req;
1469 	struct T_conn_ind *conn_ind;
1470 	struct T_unitdata_req *unitdata_req;
1471 	struct T_unitdata_ind *unitdata_ind;
1472 	au_state_t estate;
1473 	t_audit_data_t *tad;
1474 	caddr_t saved_thread_ptr;
1475 	au_mask_t amask;
1476 	const auditinfo_addr_t *ainfo;
1477 	au_kcontext_t	*kctx;
1478 
1479 	if (q->q_stream == NULL)
1480 		return;
1481 	mutex_enter(&q->q_stream->sd_lock);
1482 	/* are we being audited */
1483 	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1484 	/* no pointer to thread, nothing to do */
1485 	if (saved_thread_ptr == NULL) {
1486 		mutex_exit(&q->q_stream->sd_lock);
1487 		return;
1488 	}
1489 	/* only allow one addition of a record token */
1490 	q->q_stream->sd_t_audit_data = NULL;
1491 	/*
1492 	 * thread is not the one being audited, then nothing to do
1493 	 * This could be the stream thread handling the module
1494 	 * service routine. In this case, the context for the audit
1495 	 * record can no longer be assumed. Simplest to just drop
1496 	 * the operation.
1497 	 */
1498 	if (curthread != (kthread_id_t)saved_thread_ptr) {
1499 		mutex_exit(&q->q_stream->sd_lock);
1500 		return;
1501 	}
1502 	if (curthread->t_sysnum >= SYS_so_socket &&
1503 	    curthread->t_sysnum <= SYS_sockconfig) {
1504 		mutex_exit(&q->q_stream->sd_lock);
1505 		return;
1506 	}
1507 	mutex_exit(&q->q_stream->sd_lock);
1508 	/*
1509 	 * we know that the thread that did the put/getmsg is the
1510 	 * one running. Now we can get the TAD and see if we should
1511 	 * add an audit token.
1512 	 */
1513 	tad = U2A(u);
1514 
1515 	kctx = GET_KCTX_PZ;
1516 
1517 	/* proceed ONLY if user is being audited */
1518 	if (!tad->tad_flag)
1519 		return;
1520 
1521 	ainfo = crgetauinfo(CRED());
1522 	if (ainfo == NULL)
1523 		return;
1524 	amask = ainfo->ai_mask;
1525 
1526 	/*
1527 	 * Figure out the type of stream networking request here.
1528 	 * Note that getmsg and putmsg are always preselected
1529 	 * because during the beginning of the system call we have
1530 	 * not yet figure out which of the socket or tli request
1531 	 * we are looking at until we are here. So we need to check
1532 	 * against that specific request and reset the type of event.
1533 	 */
1534 	switch (type) {
1535 	case T_CONN_REQ:	/* connection request */
1536 		conn_req = (struct T_conn_req *)mp->b_rptr;
1537 		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1538 			return;
1539 		offset = conn_req->DEST_offset;
1540 		len = conn_req->DEST_length;
1541 		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1542 		if (amask.as_success & estate || amask.as_failure & estate) {
1543 			tad->tad_event = AUE_SOCKCONNECT;
1544 			break;
1545 		} else {
1546 			return;
1547 		}
1548 	case T_CONN_IND:	 /* connectionless receive request */
1549 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1550 		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1551 			return;
1552 		offset = conn_ind->SRC_offset;
1553 		len = conn_ind->SRC_length;
1554 		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1555 		if (amask.as_success & estate || amask.as_failure & estate) {
1556 			tad->tad_event = AUE_SOCKACCEPT;
1557 			break;
1558 		} else {
1559 			return;
1560 		}
1561 	case T_UNITDATA_REQ:	 /* connectionless send request */
1562 		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1563 		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1564 			return;
1565 		offset = unitdata_req->DEST_offset;
1566 		len = unitdata_req->DEST_length;
1567 		estate = kctx->auk_ets[AUE_SOCKSEND];
1568 		if (amask.as_success & estate || amask.as_failure & estate) {
1569 			tad->tad_event = AUE_SOCKSEND;
1570 			break;
1571 		} else {
1572 			return;
1573 		}
1574 	case T_UNITDATA_IND:	 /* connectionless receive request */
1575 		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1576 		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1577 			return;
1578 		offset = unitdata_ind->SRC_offset;
1579 		len = unitdata_ind->SRC_length;
1580 		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1581 		if (amask.as_success & estate || amask.as_failure & estate) {
1582 			tad->tad_event = AUE_SOCKRECEIVE;
1583 			break;
1584 		} else {
1585 			return;
1586 		}
1587 	default:
1588 		return;
1589 	}
1590 
1591 	/*
1592 	 * we are only interested in tcp stream connections,
1593 	 * not unix domain stuff
1594 	 */
1595 	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1596 		tad->tad_event = AUE_GETMSG;
1597 		return;
1598 	}
1599 	/* skip over TPI header and point to the ip address */
1600 	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1601 
1602 	switch (sock_data->sin_family) {
1603 	case AF_INET:
1604 		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1605 		break;
1606 	default:	/* reset to AUE_PUTMSG if not a inet request */
1607 		tad->tad_event = AUE_GETMSG;
1608 		break;
1609 	}
1610 }
1611 
1612 void
1613 audit_lookupname()
1614 {
1615 }
1616 
1617 /*ARGSUSED*/
1618 int
1619 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr)
1620 {
1621 	return (0);
1622 }
1623 
1624 static void
1625 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1626 {
1627 	unsigned int sy_flags;
1628 
1629 #ifdef _SYSCALL32_IMPL
1630 	/*
1631 	 * Guard against t_lwp being NULL when this function is called
1632 	 * from a kernel queue instead of from a direct system call.
1633 	 * In that case, assume the running kernel data model.
1634 	 */
1635 	if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1636 	    ttolwp(curthread)) == DATAMODEL_NATIVE))
1637 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1638 	else
1639 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1640 #else
1641 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1642 #endif
1643 
1644 	if (sy_flags == SE_64RVAL)
1645 		au_write(ad, au_to_return64(err, rval));
1646 	else
1647 		au_write(ad, au_to_return32(err, rval));
1648 
1649 }
1650 
1651 /*ARGSUSED*/
1652 void
1653 audit_fdsend(fd, fp, error)
1654 	int fd;
1655 	struct file *fp;
1656 	int error;		/* ignore for now */
1657 {
1658 	t_audit_data_t *tad;	/* current thread */
1659 	f_audit_data_t *fad;	/* per file audit structure */
1660 	struct vnode *vp;	/* for file attributes */
1661 
1662 	/* is this system call being audited */
1663 	tad = U2A(u);
1664 	ASSERT(tad != (t_audit_data_t *)0);
1665 	if (!tad->tad_flag)
1666 		return;
1667 
1668 	fad = F2A(fp);
1669 
1670 	/* add path and file attributes */
1671 	if (fad != NULL && fad->fad_aupath != NULL) {
1672 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1673 		au_uwrite(au_to_path(fad->fad_aupath));
1674 	} else {
1675 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1676 #ifdef _LP64
1677 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1678 #else
1679 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1680 #endif
1681 	}
1682 	vp = fp->f_vnode;	/* include vnode attributes */
1683 	audit_attributes(vp);
1684 }
1685 
1686 /*
1687  * Record privileges successfully used and we attempted to use but
1688  * didn't have.
1689  */
1690 void
1691 audit_priv(int priv, const priv_set_t *set, int flag)
1692 {
1693 	t_audit_data_t *tad;
1694 	int sbit;
1695 	priv_set_t *target;
1696 
1697 	/* Make sure this isn't being called in an interrupt context */
1698 	ASSERT(servicing_interrupt() == 0);
1699 
1700 	tad = U2A(u);
1701 
1702 	if (tad->tad_flag == 0)
1703 		return;
1704 
1705 	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1706 	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1707 
1708 	/* Tell audit_success() and audit_finish() that we saw this case */
1709 	if (!(tad->tad_evmod & sbit)) {
1710 		/* Clear set first time around */
1711 		priv_emptyset(target);
1712 		tad->tad_evmod |= sbit;
1713 	}
1714 
1715 	/* Save the privileges in the tad */
1716 	if (priv == PRIV_ALL) {
1717 		priv_fillset(target);
1718 	} else {
1719 		ASSERT(set != NULL || priv != PRIV_NONE);
1720 		if (set != NULL)
1721 			priv_union(set, target);
1722 		if (priv != PRIV_NONE)
1723 			priv_addset(target, priv);
1724 	}
1725 }
1726 
1727 /*
1728  * Audit the setpriv() system call; the operation, the set name and
1729  * the current value as well as the set argument are put in the
1730  * audit trail.
1731  */
1732 void
1733 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1734 {
1735 	t_audit_data_t *tad;
1736 	const priv_set_t *oldpriv;
1737 	priv_set_t report;
1738 	const char *setname;
1739 
1740 	tad = U2A(u);
1741 
1742 	if (tad->tad_flag == 0)
1743 		return;
1744 
1745 	oldpriv = priv_getset(ocr, set);
1746 
1747 	/* Generate the actual record, include the before and after */
1748 	au_uwrite(au_to_arg32(2, "op", op));
1749 	setname = priv_getsetbynum(set);
1750 
1751 	switch (op) {
1752 	case PRIV_OFF:
1753 		/* Report privileges actually switched off */
1754 		report = *oldpriv;
1755 		priv_intersect(newpriv, &report);
1756 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1757 		break;
1758 	case PRIV_ON:
1759 		/* Report privileges actually switched on */
1760 		report = *oldpriv;
1761 		priv_inverse(&report);
1762 		priv_intersect(newpriv, &report);
1763 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1764 		break;
1765 	case PRIV_SET:
1766 		/* Report before and after */
1767 		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1768 		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1769 		break;
1770 	}
1771 }
1772 
1773 /*
1774  * Dump the full device policy setting in the audit trail.
1775  */
1776 void
1777 audit_devpolicy(int nitems, const devplcysys_t *items)
1778 {
1779 	t_audit_data_t *tad;
1780 	int i;
1781 
1782 	tad = U2A(u);
1783 
1784 	if (tad->tad_flag == 0)
1785 		return;
1786 
1787 	for (i = 0; i < nitems; i++) {
1788 		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1789 		if (items[i].dps_minornm[0] == '\0') {
1790 			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1791 			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1792 		} else
1793 			au_uwrite(au_to_text(items[i].dps_minornm));
1794 
1795 		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1796 		    AUT_PRIV, 0));
1797 		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1798 		    AUT_PRIV, 0));
1799 	}
1800 }
1801 
1802 /*ARGSUSED*/
1803 void
1804 audit_fdrecv(fd, fp)
1805 	int fd;
1806 	struct file *fp;
1807 {
1808 	t_audit_data_t *tad;	/* current thread */
1809 	f_audit_data_t *fad;	/* per file audit structure */
1810 	struct vnode *vp;	/* for file attributes */
1811 
1812 	/* is this system call being audited */
1813 	tad = U2A(u);
1814 	ASSERT(tad != (t_audit_data_t *)0);
1815 	if (!tad->tad_flag)
1816 		return;
1817 
1818 	fad = F2A(fp);
1819 
1820 	/* add path and file attributes */
1821 	if (fad != NULL && fad->fad_aupath != NULL) {
1822 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1823 		au_uwrite(au_to_path(fad->fad_aupath));
1824 	} else {
1825 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1826 #ifdef _LP64
1827 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1828 #else
1829 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1830 #endif
1831 	}
1832 	vp = fp->f_vnode;	/* include vnode attributes */
1833 	audit_attributes(vp);
1834 }
1835 
1836 /*
1837  * ROUTINE:	AUDIT_CRYPTOADM
1838  * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
1839  * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1840  *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1841  *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1842  *		CRYPTO_LOAD_DOOR
1843  * NOTE:
1844  * TODO:
1845  * QUESTION:
1846  */
1847 
1848 void
1849 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1850     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1851 {
1852 	boolean_t		mech_list_required = B_FALSE;
1853 	cred_t			*cr = CRED();
1854 	t_audit_data_t		*tad;
1855 	token_t			*ad = NULL;
1856 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
1857 	char			buffer[MAXNAMELEN * 2];
1858 	au_kcontext_t		*kctx = GET_KCTX_PZ;
1859 
1860 	tad = U2A(u);
1861 	if (tad == NULL)
1862 		return;
1863 
1864 	if (ainfo == NULL)
1865 		return;
1866 
1867 	tad->tad_event = AUE_CRYPTOADM;
1868 
1869 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
1870 		return;
1871 
1872 	/* Add subject information */
1873 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1874 
1875 	switch (cmd) {
1876 	case CRYPTO_LOAD_DEV_DISABLED:
1877 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1878 			(void) snprintf(buffer, sizeof (buffer),
1879 			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1880 			    " dev_instance=%d",
1881 			    module_name, device_instance);
1882 			mech_list_required = B_TRUE;
1883 		} else {
1884 			(void) snprintf(buffer, sizeof (buffer),
1885 			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1886 		}
1887 		break;
1888 
1889 	case CRYPTO_LOAD_SOFT_DISABLED:
1890 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1891 			(void) snprintf(buffer, sizeof (buffer),
1892 			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1893 			    module_name);
1894 			mech_list_required = B_TRUE;
1895 		} else {
1896 			(void) snprintf(buffer, sizeof (buffer),
1897 			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1898 		}
1899 		break;
1900 
1901 	case CRYPTO_UNLOAD_SOFT_MODULE:
1902 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1903 			(void) snprintf(buffer, sizeof (buffer),
1904 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1905 			    module_name);
1906 		} else {
1907 			(void) snprintf(buffer, sizeof (buffer),
1908 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1909 		}
1910 		break;
1911 
1912 	case CRYPTO_LOAD_SOFT_CONFIG:
1913 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1914 			(void) snprintf(buffer, sizeof (buffer),
1915 			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1916 			    module_name);
1917 			mech_list_required = B_TRUE;
1918 		} else {
1919 			(void) snprintf(buffer, sizeof (buffer),
1920 			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1921 		}
1922 		break;
1923 
1924 	case CRYPTO_POOL_CREATE:
1925 		(void) snprintf(buffer, sizeof (buffer),
1926 		    "op=CRYPTO_POOL_CREATE");
1927 		break;
1928 
1929 	case CRYPTO_POOL_WAIT:
1930 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1931 		break;
1932 
1933 	case CRYPTO_POOL_RUN:
1934 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1935 		break;
1936 
1937 	case CRYPTO_LOAD_DOOR:
1938 		if (error == 0 && rv == CRYPTO_SUCCESS)
1939 			(void) snprintf(buffer, sizeof (buffer),
1940 			    "op=CRYPTO_LOAD_DOOR");
1941 		else
1942 			(void) snprintf(buffer, sizeof (buffer),
1943 			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1944 		break;
1945 
1946 	case CRYPTO_FIPS140_SET:
1947 		(void) snprintf(buffer, sizeof (buffer),
1948 		    "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1949 		break;
1950 
1951 	default:
1952 		return;
1953 	}
1954 
1955 	au_write((caddr_t *)&ad, au_to_text(buffer));
1956 
1957 	if (mech_list_required) {
1958 		int i;
1959 
1960 		if (mech_count == 0) {
1961 			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1962 		} else {
1963 			char	*pb = buffer;
1964 			size_t	l = sizeof (buffer);
1965 			size_t	n;
1966 			char	space[2] = ":";
1967 
1968 			n = snprintf(pb, l, "mech=");
1969 
1970 			for (i = 0; i < mech_count; i++) {
1971 				pb += n;
1972 				l -= n;
1973 				if (l < 0)
1974 					l = 0;
1975 
1976 				if (i == mech_count - 1)
1977 					(void) strcpy(space, "");
1978 
1979 				n = snprintf(pb, l, "%s%s", mech_names[i],
1980 				    space);
1981 			}
1982 			au_write((caddr_t *)&ad, au_to_text(buffer));
1983 		}
1984 	}
1985 
1986 	/* add a return token */
1987 	if (error || (rv != CRYPTO_SUCCESS))
1988 		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1989 	else
1990 		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1991 
1992 	AS_INC(as_generated, 1, kctx);
1993 	AS_INC(as_kernel, 1, kctx);
1994 
1995 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
1996 	    NULL);
1997 }
1998 
1999 /*
2000  * Audit the kernel SSL administration command. The address and the
2001  * port number for the SSL instance, and the proxy port are put in the
2002  * audit trail.
2003  */
2004 void
2005 audit_kssl(int cmd, void *params, int error)
2006 {
2007 	cred_t			*cr = CRED();
2008 	t_audit_data_t		*tad;
2009 	token_t			*ad = NULL;
2010 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2011 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2012 
2013 	tad = U2A(u);
2014 
2015 	if (ainfo == NULL)
2016 		return;
2017 
2018 	tad->tad_event = AUE_CONFIGKSSL;
2019 
2020 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
2021 		return;
2022 
2023 	/* Add subject information */
2024 	AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2025 
2026 	switch (cmd) {
2027 	case KSSL_ADD_ENTRY: {
2028 		char buf[32];
2029 		kssl_params_t *kp = (kssl_params_t *)params;
2030 		struct sockaddr_in6 *saddr = &kp->kssl_addr;
2031 
2032 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2033 		au_write((caddr_t *)&ad,
2034 		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2035 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2036 		    saddr->sin6_port);
2037 		au_write((caddr_t *)&ad, au_to_text(buf));
2038 
2039 		(void) snprintf(buf, sizeof (buf), "proxy port=%d",
2040 		    kp->kssl_proxy_port);
2041 		au_write((caddr_t *)&ad, au_to_text(buf));
2042 		break;
2043 	}
2044 
2045 	case KSSL_DELETE_ENTRY: {
2046 		char buf[32];
2047 		struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
2048 
2049 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2050 		au_write((caddr_t *)&ad,
2051 		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2052 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2053 		    saddr->sin6_port);
2054 		au_write((caddr_t *)&ad, au_to_text(buf));
2055 		break;
2056 	}
2057 
2058 	default:
2059 		return;
2060 	}
2061 
2062 	/* add a return token */
2063 	add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2064 
2065 	AS_INC(as_generated, 1, kctx);
2066 	AS_INC(as_kernel, 1, kctx);
2067 
2068 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2069 	    NULL);
2070 }
2071 
2072 /*
2073  * Audit the kernel PF_POLICY administration commands.  Record command,
2074  * zone, policy type (global or tunnel, active or inactive)
2075  */
2076 /*
2077  * ROUTINE:	AUDIT_PF_POLICY
2078  * PURPOSE:	Records arguments to administrative ioctls on PF_POLICY socket
2079  * CALLBY:	SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2080  *		SPD_CLONE, SPD_FLIP
2081  * NOTE:
2082  * TODO:
2083  * QUESTION:
2084  */
2085 
2086 void
2087 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2088     boolean_t active, int error, pid_t pid)
2089 {
2090 	const auditinfo_addr_t	*ainfo;
2091 	t_audit_data_t		*tad;
2092 	token_t			*ad = NULL;
2093 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2094 	char			buf[80];
2095 	int			flag;
2096 
2097 	tad = U2A(u);
2098 	if (tad == NULL)
2099 		return;
2100 
2101 	ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2102 	if (ainfo == NULL)
2103 		return;
2104 
2105 	/*
2106 	 * Initialize some variables since these are only set
2107 	 * with system calls.
2108 	 */
2109 
2110 	switch (cmd) {
2111 	case SPD_ADDRULE: {
2112 		tad->tad_event = AUE_PF_POLICY_ADDRULE;
2113 		break;
2114 	}
2115 
2116 	case SPD_DELETERULE: {
2117 		tad->tad_event = AUE_PF_POLICY_DELRULE;
2118 		break;
2119 	}
2120 
2121 	case SPD_FLUSH: {
2122 		tad->tad_event = AUE_PF_POLICY_FLUSH;
2123 		break;
2124 	}
2125 
2126 	case SPD_UPDATEALGS: {
2127 		tad->tad_event = AUE_PF_POLICY_ALGS;
2128 		break;
2129 	}
2130 
2131 	case SPD_CLONE: {
2132 		tad->tad_event = AUE_PF_POLICY_CLONE;
2133 		break;
2134 	}
2135 
2136 	case SPD_FLIP: {
2137 		tad->tad_event = AUE_PF_POLICY_FLIP;
2138 		break;
2139 	}
2140 
2141 	default:
2142 		tad->tad_event = AUE_NULL;
2143 	}
2144 
2145 	tad->tad_evmod = 0;
2146 
2147 	if (flag = audit_success(kctx, tad, error, cred)) {
2148 		zone_t *nszone;
2149 
2150 		/*
2151 		 * For now, just audit that an event happened,
2152 		 * along with the error code.
2153 		 */
2154 		au_write((caddr_t *)&ad,
2155 		    au_to_arg32(1, "Policy Active?", (uint32_t)active));
2156 		au_write((caddr_t *)&ad,
2157 		    au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2158 
2159 		/* Supplemental data */
2160 
2161 		/*
2162 		 * Generate this zone token if the target zone differs
2163 		 * from the administrative zone.  If netstacks are expanded
2164 		 * to something other than a 1-1 relationship with zones,
2165 		 * the auditing framework should create a new token type
2166 		 * and audit it as a netstack instead.
2167 		 * Turn on general zone auditing to get the administrative zone.
2168 		 */
2169 
2170 		nszone = zone_find_by_id(netstackid_to_zoneid(
2171 		    ns->netstack_stackid));
2172 		if (nszone != NULL) {
2173 			if (strncmp(crgetzone(cred)->zone_name,
2174 			    nszone->zone_name, ZONENAME_MAX) != 0) {
2175 				token_t *ztoken;
2176 
2177 				ztoken = au_to_zonename(0, nszone);
2178 				au_write((caddr_t *)&ad, ztoken);
2179 			}
2180 			zone_rele(nszone);
2181 		}
2182 
2183 		if (tun != NULL) {
2184 			/* write tunnel name - tun is bounded */
2185 			(void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2186 			    tun);
2187 			au_write((caddr_t *)&ad, au_to_text(buf));
2188 		}
2189 
2190 		/* Add subject information */
2191 		AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2192 		    ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2193 
2194 		/* add a return token */
2195 		add_return_token((caddr_t *)&ad, 0, error, 0);
2196 
2197 		AS_INC(as_generated, 1, kctx);
2198 		AS_INC(as_kernel, 1, kctx);
2199 
2200 	}
2201 	au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2202 	    NULL);
2203 
2204 	/*
2205 	 * clear the ctrl flag so that we don't have spurious collection of
2206 	 * audit information.
2207 	 */
2208 	tad->tad_scid  = 0;
2209 	tad->tad_event = 0;
2210 	tad->tad_evmod = 0;
2211 	tad->tad_ctrl  = 0;
2212 }
2213 
2214 /*
2215  * ROUTINE:	AUDIT_SEC_ATTRIBUTES
2216  * PURPOSE:	Add security attributes
2217  * CALLBY:	AUDIT_ATTRIBUTES
2218  *		AUDIT_CLOSEF
2219  *		AUS_CLOSE
2220  * NOTE:
2221  * TODO:
2222  * QUESTION:
2223  */
2224 
2225 void
2226 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2227 {
2228 	/* Dump the SL */
2229 	if (is_system_labeled()) {
2230 		ts_label_t	*tsl;
2231 		bslabel_t	*bsl;
2232 
2233 		tsl = getflabel(vp);
2234 		if (tsl == NULL)
2235 			return;			/* nothing else to do */
2236 
2237 		bsl = label2bslabel(tsl);
2238 		if (bsl == NULL)
2239 			return;			/* nothing else to do */
2240 		au_write(ad, au_to_label(bsl));
2241 		label_rele(tsl);
2242 	}
2243 
2244 }	/* AUDIT_SEC_ATTRIBUTES */
2245