xref: /illumos-gate/usr/src/uts/common/c2/audit.c (revision d2ec54f7875f7e05edd56195adbeb593c947763f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the audit hook support code for auditing.
28  */
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 #include <sys/types.h>
33 #include <sys/proc.h>
34 #include <sys/vnode.h>
35 #include <sys/vfs.h>
36 #include <sys/file.h>
37 #include <sys/user.h>
38 #include <sys/stropts.h>
39 #include <sys/systm.h>
40 #include <sys/pathname.h>
41 #include <sys/syscall.h>
42 #include <sys/fcntl.h>
43 #include <sys/ipc_impl.h>
44 #include <sys/msg_impl.h>
45 #include <sys/sem_impl.h>
46 #include <sys/shm_impl.h>
47 #include <sys/kmem.h>		/* for KM_SLEEP */
48 #include <sys/socket.h>
49 #include <sys/cmn_err.h>	/* snprintf... */
50 #include <sys/debug.h>
51 #include <sys/thread.h>
52 #include <netinet/in.h>
53 #include <c2/audit.h>		/* needs to be included before user.h */
54 #include <c2/audit_kernel.h>	/* for M_DONTWAIT */
55 #include <c2/audit_kevents.h>
56 #include <c2/audit_record.h>
57 #include <sys/strsubr.h>
58 #include <sys/tihdr.h>
59 #include <sys/tiuser.h>
60 #include <sys/timod.h>
61 #include <sys/model.h>		/* for model_t */
62 #include <sys/disp.h>		/* for servicing_interrupt() */
63 #include <sys/devpolicy.h>
64 #include <sys/crypto/ioctladmin.h>
65 #include <sys/cred_impl.h>
66 #include <inet/kssl/kssl.h>
67 #include <net/pfpolicy.h>
68 
69 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
70 
71 static void audit_pathbuild(struct pathname *pnp);
72 
73 /*
74  * ROUTINE:	AUDIT_NEWPROC
75  * PURPOSE:	initialize the child p_audit_data structure
76  * CALLBY:	GETPROC
77  * NOTE:	All threads for the parent process are locked at this point.
78  *		We are essentially running singled threaded for this reason.
79  *		GETPROC is called when system creates a new process.
80  *		By the time AUDIT_NEWPROC is called, the child proc
81  *		structure has already been initialized. What we need
82  *		to do is to allocate the child p_audit_data and
83  *		initialize it with the content of current parent process.
84  */
85 
86 void
87 audit_newproc(struct proc *cp)	/* initialized child proc structure */
88 {
89 	p_audit_data_t *pad;	/* child process audit data */
90 	p_audit_data_t *opad;	/* parent process audit data */
91 
92 	pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
93 
94 	P2A(cp) = pad;
95 
96 	opad = P2A(curproc);
97 
98 	/*
99 	 * copy the audit data. Note that all threads of current
100 	 *   process have been "held". Thus there is no race condition
101 	 *   here with mutiple threads trying to alter the cwrd
102 	 *   structure (such as releasing it).
103 	 *
104 	 *   The audit context in the cred is "duplicated" for the new
105 	 *   proc by elsewhere crhold'ing the parent's cred which it shares.
106 	 *
107 	 *   We still want to hold things since auditon() [A_SETUMASK,
108 	 *   A_SETSMASK] could be walking through the processes to
109 	 *   update things.
110 	 */
111 	mutex_enter(&opad->pad_lock);	/* lock opad structure during copy */
112 	pad->pad_data = opad->pad_data;	/* copy parent's process audit data */
113 	au_pathhold(pad->pad_root);
114 	au_pathhold(pad->pad_cwd);
115 	mutex_exit(&opad->pad_lock);	/* current proc will keep cwrd open */
116 
117 	/*
118 	 * finish auditing of parent here so that it will be done
119 	 * before child has a chance to run. We include the child
120 	 * pid since the return value in the return token is a dummy
121 	 * one and contains no useful information (it is included to
122 	 * make the audit record structure consistant).
123 	 *
124 	 * tad_flag is set if auditing is on
125 	 */
126 	if (((t_audit_data_t *)T2A(curthread))->tad_flag)
127 		au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid));
128 
129 	/*
130 	 * finish up audit record generation here because child process
131 	 * is set to run before parent process. We distinguish here
132 	 * between FORK, FORK1, or VFORK by the saved system call ID.
133 	 */
134 	audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0);
135 }
136 
137 /*
138  * ROUTINE:	AUDIT_PFREE
139  * PURPOSE:	deallocate the per-process udit data structure
140  * CALLBY:	EXIT
141  *		FORK_FAIL
142  * NOTE:	all lwp except current one have stopped in SEXITLWPS
143  * 		why we are single threaded?
144  *		. all lwp except current one have stopped in SEXITLWPS.
145  */
146 void
147 audit_pfree(struct proc *p)		/* proc structure to be freed */
148 
149 {	/* AUDIT_PFREE */
150 
151 	p_audit_data_t *pad;
152 
153 	pad = P2A(p);
154 
155 	/* better be a per process audit data structure */
156 	ASSERT(pad != (p_audit_data_t *)0);
157 
158 	if (pad == pad0) {
159 		return;
160 	}
161 
162 	/* deallocate all auditing resources for this process */
163 	au_pathrele(pad->pad_root);
164 	au_pathrele(pad->pad_cwd);
165 
166 	/*
167 	 * Since the pad structure is completely overwritten after alloc,
168 	 * we don't bother to clear it.
169 	 */
170 
171 	kmem_cache_free(au_pad_cache, pad);
172 }
173 
174 /*
175  * ROUTINE:	AUDIT_THREAD_CREATE
176  * PURPOSE:	allocate per-process thread audit data structure
177  * CALLBY:	THREAD_CREATE
178  * NOTE:	This is called just after *t was bzero'd.
179  *		We are single threaded in this routine.
180  * TODO:
181  * QUESTION:
182  */
183 
184 void
185 audit_thread_create(kthread_id_t t)
186 {
187 	t_audit_data_t *tad;	/* per-thread audit data */
188 
189 	tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
190 
191 	T2A(t) = tad;		/* set up thread audit data ptr */
192 	tad->tad_thread = t;	/* back ptr to thread: DEBUG */
193 }
194 
195 /*
196  * ROUTINE:	AUDIT_THREAD_FREE
197  * PURPOSE:	free the per-thread audit data structure
198  * CALLBY:	THREAD_FREE
199  * NOTE:	most thread data is clear after return
200  */
201 void
202 audit_thread_free(kthread_t *t)
203 {
204 	t_audit_data_t *tad;
205 	au_defer_info_t	*attr;
206 
207 	tad = T2A(t);
208 
209 	/* thread audit data must still be set */
210 
211 	if (tad == tad0) {
212 		return;
213 	}
214 
215 	if (tad == NULL) {
216 		return;
217 	}
218 
219 	t->t_audit_data = 0;
220 
221 	/* must not have any audit record residual */
222 	ASSERT(tad->tad_ad == NULL);
223 
224 	/* saved path must be empty */
225 	ASSERT(tad->tad_aupath == NULL);
226 
227 	if (tad->tad_atpath)
228 		au_pathrele(tad->tad_atpath);
229 
230 	attr = tad->tad_defer_head;
231 	while (attr != NULL) {
232 		au_defer_info_t	*tmp_attr = attr;
233 
234 		au_free_rec(attr->audi_ad);
235 
236 		attr = attr->audi_next;
237 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
238 	}
239 
240 	kmem_free(tad, sizeof (*tad));
241 }
242 
243 /*
244  * ROUTINE:	AUDIT_SAVEPATH
245  * PURPOSE:
246  * CALLBY:	LOOKUPPN
247  *
248  * NOTE:	We have reached the end of a path in fs/lookup.c.
249  *		We get two pieces of information here:
250  *		the vnode of the last component (vp) and
251  *		the status of the last access (flag).
252  * TODO:
253  * QUESTION:
254  */
255 
256 /*ARGSUSED*/
257 int
258 audit_savepath(
259 	struct pathname *pnp,		/* pathname to lookup */
260 	struct vnode *vp,		/* vnode of the last component */
261 	int    flag,			/* status of the last access */
262 	cred_t *cr)			/* cred of requestor */
263 {
264 
265 	t_audit_data_t *tad;	/* current thread */
266 	au_kcontext_t	*kctx = GET_KCTX_PZ;
267 
268 	tad = U2A(u);
269 
270 	/*
271 	 * this event being audited or do we need path information
272 	 * later? This might be for a chdir/chroot or open (add path
273 	 * to file pointer. If the path has already been found for an
274 	 * open/creat then we don't need to process the path.
275 	 *
276 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
277 	 *	chroot, chdir, open, creat system call processing. It determines
278 	 *	if audit_savepath() will discard the path or we need it later.
279 	 * PAD_PATHFND means path already included in this audit record. It
280 	 *	is used in cases where multiple path lookups are done per
281 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
282 	 *	paths are allowed.
283 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
284 	 *	exit processing to inhibit any paths that may be added due to
285 	 *	closes.
286 	 */
287 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
288 		((tad->tad_ctrl & PAD_PATHFND) &&
289 		!(kctx->auk_policy & AUDIT_PATH)) ||
290 		(tad->tad_ctrl & PAD_NOPATH)) {
291 			return (0);
292 	}
293 
294 	tad->tad_ctrl |= PAD_NOPATH;		/* prevent possible reentry */
295 
296 	audit_pathbuild(pnp);
297 	tad->tad_vn = vp;
298 
299 	/*
300 	 * are we auditing only if error, or if it is not open or create
301 	 * otherwise audit_setf will do it
302 	 */
303 
304 	if (tad->tad_flag) {
305 		if (flag && (tad->tad_scid == SYS_open ||
306 		    tad->tad_scid == SYS_open64 ||
307 		    tad->tad_scid == SYS_creat ||
308 		    tad->tad_scid == SYS_creat64 ||
309 		    tad->tad_scid == SYS_fsat)) {
310 			tad->tad_ctrl |= PAD_TRUE_CREATE;
311 		}
312 
313 		/* add token to audit record for this name */
314 		au_uwrite(au_to_path(tad->tad_aupath));
315 
316 		/* add the attributes of the object */
317 		if (vp) {
318 			/*
319 			 * only capture attributes when there is no error
320 			 * lookup will not return the vnode of the failing
321 			 * component.
322 			 *
323 			 * if there was a lookup error, then don't add
324 			 * attribute. if lookup in vn_create(),
325 			 * then don't add attribute,
326 			 * it will be added at end of vn_create().
327 			 */
328 			if (!flag && !(tad->tad_ctrl & PAD_NOATTRB))
329 				audit_attributes(vp);
330 		}
331 	}
332 
333 	/* free up space if we're not going to save path (open, crate) */
334 	if ((tad->tad_ctrl & PAD_SAVPATH) == 0) {
335 		if (tad->tad_aupath != NULL) {
336 			au_pathrele(tad->tad_aupath);
337 			tad->tad_aupath = NULL;
338 			tad->tad_vn = NULL;
339 		}
340 	}
341 	if (tad->tad_ctrl & PAD_MLD)
342 		tad->tad_ctrl |= PAD_PATHFND;
343 
344 	tad->tad_ctrl &= ~PAD_NOPATH;		/* restore */
345 	return (0);
346 }
347 
348 static void
349 audit_pathbuild(struct pathname *pnp)
350 {
351 	char *pp;	/* pointer to path */
352 	int len;	/* length of incoming segment */
353 	int newsect;	/* path requires a new section */
354 	struct audit_path	*pfxapp;	/* prefix for path */
355 	struct audit_path	*newapp;	/* new audit_path */
356 	t_audit_data_t *tad;	/* current thread */
357 	p_audit_data_t *pad;	/* current process */
358 
359 	tad = U2A(u);
360 	ASSERT(tad != NULL);
361 	pad = P2A(curproc);
362 	ASSERT(pad != NULL);
363 
364 	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
365 	ASSERT(len > 0);
366 
367 	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
368 	mutex_enter(&pad->pad_lock);
369 	if (tad->tad_aupath != NULL) {
370 		pfxapp = tad->tad_aupath;
371 	} else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') {
372 		ASSERT(tad->tad_atpath != NULL);
373 		pfxapp = tad->tad_atpath;
374 	} else if (tad->tad_ctrl & PAD_ABSPATH) {
375 		pfxapp = pad->pad_root;
376 	} else {
377 		pfxapp = pad->pad_cwd;
378 	}
379 	au_pathhold(pfxapp);
380 	mutex_exit(&pad->pad_lock);
381 
382 	/* get an expanded buffer to hold the anchored path */
383 	newsect = tad->tad_ctrl & PAD_ATPATH;
384 	newapp = au_pathdup(pfxapp, newsect, len);
385 	au_pathrele(pfxapp);
386 
387 	pp = newapp->audp_sect[newapp->audp_cnt] - len;
388 	if (!newsect) {
389 		/* overlay previous NUL terminator */
390 		*(pp - 1) = '/';
391 	}
392 
393 	/* now add string of processed path */
394 	bcopy(pnp->pn_buf, pp, len);
395 	pp[len - 1] = '\0';
396 
397 	/* perform path simplification as necessary */
398 	audit_fixpath(newapp, len);
399 
400 	if (tad->tad_aupath)
401 		au_pathrele(tad->tad_aupath);
402 	tad->tad_aupath = newapp;
403 
404 	/* for case where multiple lookups in one syscall (rename) */
405 	tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH);
406 }
407 
408 
409 
410 /*ARGSUSED*/
411 
412 /*
413  * ROUTINE:	AUDIT_ADDCOMPONENT
414  * PURPOSE:	extend the path by the component accepted
415  * CALLBY:	LOOKUPPN
416  * NOTE:	This function is called only when there is an error in
417  *		parsing a path component
418  * TODO:	Add the error component to audit record
419  * QUESTION:	what is this for
420  */
421 
422 void
423 audit_addcomponent(struct pathname *pnp)
424 {
425 	au_kcontext_t	*kctx = GET_KCTX_PZ;
426 	t_audit_data_t *tad;
427 
428 	tad = U2A(u);
429 	/*
430 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
431 	 *	chroot, chdir, open, creat system call processing. It determines
432 	 *	if audit_savepath() will discard the path or we need it later.
433 	 * PAD_PATHFND means path already included in this audit record. It
434 	 *	is used in cases where multiple path lookups are done per
435 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
436 	 *	paths are allowed.
437 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
438 	 *	exit processing to inhibit any paths that may be added due to
439 	 *	closes.
440 	 */
441 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
442 		((tad->tad_ctrl & PAD_PATHFND) &&
443 		!(kctx->auk_policy & AUDIT_PATH)) ||
444 		(tad->tad_ctrl & PAD_NOPATH)) {
445 			return;
446 	}
447 
448 	return;
449 
450 }	/* AUDIT_ADDCOMPONENT */
451 
452 
453 
454 
455 
456 
457 
458 
459 /*
460  * ROUTINE:	AUDIT_ANCHORPATH
461  * PURPOSE:
462  * CALLBY:	LOOKUPPN
463  * NOTE:
464  * anchor path at "/". We have seen a symbolic link or entering for the
465  * first time we will throw away any saved path if path is anchored.
466  *
467  * flag = 0, path is relative.
468  * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH.
469  *
470  * If the (new) path is absolute, then we have to throw away whatever we have
471  * already accumulated since it is being superseded by new path which is
472  * anchored at the root.
473  *		Note that if the path is relative, this function does nothing
474  * TODO:
475  * QUESTION:
476  */
477 /*ARGSUSED*/
478 void
479 audit_anchorpath(struct pathname *pnp, int flag)
480 {
481 	au_kcontext_t	*kctx = GET_KCTX_PZ;
482 	t_audit_data_t *tad;
483 
484 	tad = U2A(u);
485 
486 	/*
487 	 * this event being audited or do we need path information
488 	 * later? This might be for a chdir/chroot or open (add path
489 	 * to file pointer. If the path has already been found for an
490 	 * open/creat then we don't need to process the path.
491 	 *
492 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
493 	 *	chroot, chdir, open, creat system call processing. It determines
494 	 *	if audit_savepath() will discard the path or we need it later.
495 	 * PAD_PATHFND means path already included in this audit record. It
496 	 *	is used in cases where multiple path lookups are done per
497 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
498 	 *	paths are allowed.
499 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
500 	 *	exit processing to inhibit any paths that may be added due to
501 	 *	closes.
502 	 */
503 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
504 		((tad->tad_ctrl & PAD_PATHFND) &&
505 		!(kctx->auk_policy & AUDIT_PATH)) ||
506 		(tad->tad_ctrl & PAD_NOPATH)) {
507 			return;
508 	}
509 
510 	if (flag) {
511 		tad->tad_ctrl |= PAD_ABSPATH;
512 		if (tad->tad_aupath != NULL) {
513 			au_pathrele(tad->tad_aupath);
514 			tad->tad_aupath = NULL;
515 			tad->tad_vn = NULL;
516 		}
517 	}
518 }
519 
520 
521 /*
522  * symbolic link. Save previous components.
523  *
524  * the path seen so far looks like this
525  *
526  *  +-----------------------+----------------+
527  *  | path processed so far | remaining path |
528  *  +-----------------------+----------------+
529  *  \-----------------------/
530  *	save this string if
531  *	symbolic link relative
532  *	(but don't include  symlink component)
533  */
534 
535 /*ARGSUSED*/
536 
537 
538 /*
539  * ROUTINE:	AUDIT_SYMLINK
540  * PURPOSE:
541  * CALLBY:	LOOKUPPN
542  * NOTE:
543  * TODO:
544  * QUESTION:
545  */
546 void
547 audit_symlink(struct pathname *pnp, struct pathname *sympath)
548 {
549 	char *sp;	/* saved initial pp */
550 	char *cp;	/* start of symlink path */
551 	uint_t len_path;	/* processed path before symlink */
552 	t_audit_data_t *tad;
553 	au_kcontext_t	*kctx = GET_KCTX_PZ;
554 
555 	tad = U2A(u);
556 
557 	/*
558 	 * this event being audited or do we need path information
559 	 * later? This might be for a chdir/chroot or open (add path
560 	 * to file pointer. If the path has already been found for an
561 	 * open/creat then we don't need to process the path.
562 	 *
563 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
564 	 *	chroot, chdir, open, creat system call processing. It determines
565 	 *	if audit_savepath() will discard the path or we need it later.
566 	 * PAD_PATHFND means path already included in this audit record. It
567 	 *	is used in cases where multiple path lookups are done per
568 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
569 	 *	paths are allowed.
570 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
571 	 *	exit processing to inhibit any paths that may be added due to
572 	 *	closes.
573 	 */
574 	if ((tad->tad_flag == 0 &&
575 		!(tad->tad_ctrl & PAD_SAVPATH)) ||
576 		((tad->tad_ctrl & PAD_PATHFND) &&
577 		!(kctx->auk_policy & AUDIT_PATH)) ||
578 		(tad->tad_ctrl & PAD_NOPATH)) {
579 			return;
580 	}
581 
582 	/*
583 	 * if symbolic link is anchored at / then do nothing.
584 	 * When we cycle back to begin: in lookuppn() we will
585 	 * call audit_anchorpath() with a flag indicating if the
586 	 * path is anchored at / or is relative. We will release
587 	 * any saved path at that point.
588 	 *
589 	 * Note In the event that an error occurs in pn_combine then
590 	 * we want to remain pointing at the component that caused the
591 	 * path to overflow the pnp structure.
592 	 */
593 	if (sympath->pn_buf[0] == '/')
594 		return;
595 
596 	/* backup over last component */
597 	sp = cp = pnp->pn_path;
598 	while (*--cp != '/' && cp > pnp->pn_buf)
599 		;
600 
601 	len_path = cp - pnp->pn_buf;
602 
603 	/* is there anything to save? */
604 	if (len_path) {
605 		pnp->pn_path = pnp->pn_buf;
606 		audit_pathbuild(pnp);
607 		pnp->pn_path = sp;
608 	}
609 }
610 
611 /*
612  * file_is_public : determine whether events for the file (corresponding to
613  * 			the specified file attr) should be audited or ignored.
614  *
615  * returns: 	1 - if audit policy and file attributes indicate that
616  *			file is effectively public. read events for
617  *			the file should not be audited.
618  *		0 - otherwise
619  *
620  * The required attributes to be considered a public object are:
621  * - owned by root, AND
622  * - world-readable (permissions for other include read), AND
623  * - NOT world-writeable (permissions for other don't
624  *	include write)
625  *   (mode doesn't need to be checked for symlinks)
626  */
627 int
628 file_is_public(struct vattr *attr)
629 {
630 	au_kcontext_t	*kctx = GET_KCTX_PZ;
631 
632 	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
633 	    ((attr->va_type == VLNK) ||
634 	    ((attr->va_mode & (VREAD>>6)) != 0) &&
635 	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
636 		return (1);
637 	}
638 	return (0);
639 }
640 
641 
642 /*
643  * ROUTINE:	AUDIT_ATTRIBUTES
644  * PURPOSE:	Audit the attributes so we can tell why the error occurred
645  * CALLBY:	AUDIT_SAVEPATH
646  *		AUDIT_VNCREATE_FINISH
647  *		AUS_FCHOWN...audit_event.c...audit_path.c
648  * NOTE:
649  * TODO:
650  * QUESTION:
651  */
652 void
653 audit_attributes(struct vnode *vp)
654 {
655 	struct vattr attr;
656 	struct t_audit_data *tad;
657 
658 	tad = U2A(u);
659 
660 	if (vp) {
661 		attr.va_mask = AT_ALL;
662 		if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
663 			return;
664 
665 		if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) {
666 			/*
667 			 * This is a public object and a "public" event
668 			 * (i.e., read only) -- either by definition
669 			 * (e.g., stat, access...) or by virtue of write access
670 			 * not being requested (e.g. mmap).
671 			 * Flag it in the tad to prevent this audit at the end.
672 			 */
673 			tad->tad_ctrl |= PAD_NOAUDIT;
674 		} else {
675 			au_uwrite(au_to_attr(&attr));
676 			audit_sec_attributes(&(u_ad), vp);
677 		}
678 	}
679 }
680 
681 
682 /*
683  * ROUTINE:	AUDIT_FALLOC
684  * PURPOSE:	allocating a new file structure
685  * CALLBY:	FALLOC
686  * NOTE:	file structure already initialized
687  * TODO:
688  * QUESTION:
689  */
690 
691 void
692 audit_falloc(struct file *fp)
693 {	/* AUDIT_FALLOC */
694 
695 	f_audit_data_t *fad;
696 
697 	/* allocate per file audit structure if there a'int any */
698 	ASSERT(F2A(fp) == NULL);
699 
700 	fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP);
701 
702 	F2A(fp) = fad;
703 
704 	fad->fad_thread = curthread; 	/* file audit data back ptr; DEBUG */
705 }
706 
707 /*
708  * ROUTINE:	AUDIT_UNFALLOC
709  * PURPOSE:	deallocate file audit data structure
710  * CALLBY:	CLOSEF
711  *		UNFALLOC
712  * NOTE:
713  * TODO:
714  * QUESTION:
715  */
716 
717 void
718 audit_unfalloc(struct file *fp)
719 {
720 	f_audit_data_t *fad;
721 
722 	fad = F2A(fp);
723 
724 	if (!fad) {
725 		return;
726 	}
727 	if (fad->fad_aupath != NULL) {
728 		au_pathrele(fad->fad_aupath);
729 	}
730 	fp->f_audit_data = 0;
731 	kmem_free(fad, sizeof (struct f_audit_data));
732 }
733 
734 /*
735  * ROUTINE:	AUDIT_EXIT
736  * PURPOSE:
737  * CALLBY:	EXIT
738  * NOTE:
739  * TODO:
740  * QUESTION:	why cmw code as offset by 2 but not here
741  */
742 /* ARGSUSED */
743 void
744 audit_exit(int code, int what)
745 {
746 	struct t_audit_data *tad;
747 	tad = U2A(u);
748 
749 	/*
750 	 * tad_scid will be set by audit_start even if we are not auditing
751 	 * the event.
752 	 */
753 	if (tad->tad_scid == SYS_exit) {
754 		/*
755 		 * if we are auditing the exit system call, then complete
756 		 * audit record generation (no return from system call).
757 		 */
758 		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
759 			audit_finish(0, SYS_exit, 0, 0);
760 		return;
761 	}
762 
763 	/*
764 	 * Anyone auditing the system call that was aborted?
765 	 */
766 	if (tad->tad_flag) {
767 		au_uwrite(au_to_text("event aborted"));
768 		audit_finish(0, tad->tad_scid, 0, 0);
769 	}
770 
771 	/*
772 	 * Generate an audit record for process exit if preselected.
773 	 */
774 	(void) audit_start(0, SYS_exit, 0, 0);
775 	audit_finish(0, SYS_exit, 0, 0);
776 }
777 
778 /*
779  * ROUTINE:	AUDIT_CORE_START
780  * PURPOSE:
781  * CALLBY: 	PSIG
782  * NOTE:
783  * TODO:
784  */
785 void
786 audit_core_start(int sig)
787 {
788 	au_event_t event;
789 	au_state_t estate;
790 	t_audit_data_t *tad;
791 	au_kcontext_t	*kctx;
792 
793 	tad = U2A(u);
794 
795 	ASSERT(tad != (t_audit_data_t *)0);
796 
797 	ASSERT(tad->tad_scid == 0);
798 	ASSERT(tad->tad_event == 0);
799 	ASSERT(tad->tad_evmod == 0);
800 	ASSERT(tad->tad_ctrl == 0);
801 	ASSERT(tad->tad_flag == 0);
802 	ASSERT(tad->tad_aupath == NULL);
803 
804 	kctx = GET_KCTX_PZ;
805 
806 	/* get basic event for system call */
807 	event = AUE_CORE;
808 	estate = kctx->auk_ets[event];
809 
810 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
811 		return;
812 
813 	/* reset the flags for non-user attributable events */
814 	tad->tad_ctrl   = PAD_CORE;
815 	tad->tad_scid   = 0;
816 
817 	/* if auditing not enabled, then don't generate an audit record */
818 
819 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
820 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
821 	    kctx->auk_auditstate == AUC_NOSPACE)) {
822 		tad->tad_flag = 0;
823 		tad->tad_ctrl = 0;
824 		return;
825 	}
826 
827 	tad->tad_event  = event;
828 	tad->tad_evmod  = 0;
829 
830 	ASSERT(tad->tad_ad == NULL);
831 
832 	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
833 }
834 
835 /*
836  * ROUTINE:	AUDIT_CORE_FINISH
837  * PURPOSE:
838  * CALLBY:	PSIG
839  * NOTE:
840  * TODO:
841  * QUESTION:
842  */
843 
844 /*ARGSUSED*/
845 void
846 audit_core_finish(int code)
847 {
848 	int flag;
849 	t_audit_data_t *tad;
850 	au_kcontext_t	*kctx;
851 
852 	tad = U2A(u);
853 
854 	ASSERT(tad != (t_audit_data_t *)0);
855 
856 	if ((flag = tad->tad_flag) == 0) {
857 		tad->tad_event = 0;
858 		tad->tad_evmod = 0;
859 		tad->tad_ctrl  = 0;
860 		ASSERT(tad->tad_aupath == NULL);
861 		return;
862 	}
863 	tad->tad_flag = 0;
864 
865 	kctx = GET_KCTX_PZ;
866 
867 	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
868 	if (flag = audit_success(kctx, tad, 0, NULL)) {
869 		cred_t *cr = CRED();
870 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
871 
872 		ASSERT(ainfo != NULL);
873 
874 		/*
875 		 * Add subject information (no locks since our private copy of
876 		 * credential
877 		 */
878 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
879 
880 		/* Add a return token (should use f argument) */
881 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
882 
883 		AS_INC(as_generated, 1, kctx);
884 		AS_INC(as_kernel, 1, kctx);
885 	}
886 
887 	/* Close up everything */
888 	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
889 
890 	/* free up any space remaining with the path's */
891 	if (tad->tad_aupath != NULL) {
892 		au_pathrele(tad->tad_aupath);
893 		tad->tad_aupath = NULL;
894 		tad->tad_vn = NULL;
895 	}
896 	tad->tad_event = 0;
897 	tad->tad_evmod = 0;
898 	tad->tad_ctrl  = 0;
899 }
900 
901 /*ARGSUSED*/
902 void
903 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp)
904 {
905 }
906 
907 /*ARGSUSED*/
908 void
909 audit_strclose(struct vnode *vp, int flag, cred_t *crp)
910 {
911 }
912 
913 /*ARGSUSED*/
914 void
915 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag,
916     int copyflag, cred_t *crp, int *rvalp)
917 {
918 }
919 
920 
921 /*ARGSUSED*/
922 void
923 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
924     unsigned char *pri, int *flag, int fmode)
925 {
926 	struct stdata *stp;
927 	t_audit_data_t *tad = U2A(u);
928 
929 	ASSERT(tad != (t_audit_data_t *)0);
930 
931 	stp = vp->v_stream;
932 
933 	/* lock stdata from audit_sock */
934 	mutex_enter(&stp->sd_lock);
935 
936 	/* proceed ONLY if user is being audited */
937 	if (!tad->tad_flag) {
938 		/*
939 		 * this is so we will not add audit data onto
940 		 * a thread that is not being audited.
941 		 */
942 		stp->sd_t_audit_data = NULL;
943 		mutex_exit(&stp->sd_lock);
944 		return;
945 	}
946 
947 	stp->sd_t_audit_data = (caddr_t)curthread;
948 	mutex_exit(&stp->sd_lock);
949 }
950 
951 /*ARGSUSED*/
952 void
953 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
954     unsigned char pri, int flag, int fmode)
955 {
956 	struct stdata *stp;
957 	t_audit_data_t *tad = U2A(u);
958 
959 	ASSERT(tad != (t_audit_data_t *)0);
960 
961 	stp = vp->v_stream;
962 
963 	/* lock stdata from audit_sock */
964 	mutex_enter(&stp->sd_lock);
965 
966 	/* proceed ONLY if user is being audited */
967 	if (!tad->tad_flag) {
968 		/*
969 		 * this is so we will not add audit data onto
970 		 * a thread that is not being audited.
971 		 */
972 		stp->sd_t_audit_data = NULL;
973 		mutex_exit(&stp->sd_lock);
974 		return;
975 	}
976 
977 	stp->sd_t_audit_data = (caddr_t)curthread;
978 	mutex_exit(&stp->sd_lock);
979 }
980 
981 /*
982  * ROUTINE:	AUDIT_CLOSEF
983  * PURPOSE:
984  * CALLBY:	CLOSEF
985  * NOTE:
986  * release per file audit resources when file structure is being released.
987  *
988  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
989  *	on the audit queue if it becomes full. This means
990  *	audit_closef can not be called when f_count == 0. Since
991  *	f_count == 0 indicates the file structure is free, another
992  *	process could attempt to use the file while we were still
993  *	asleep waiting on the audit queue. This would cause the
994  *	per file audit data to be corrupted when we finally do
995  *	wakeup.
996  * TODO:
997  * QUESTION:
998  */
999 
1000 void
1001 audit_closef(struct file *fp)
1002 {	/* AUDIT_CLOSEF */
1003 	f_audit_data_t *fad;
1004 	t_audit_data_t *tad;
1005 	int success;
1006 	au_state_t estate;
1007 	struct vnode *vp;
1008 	token_t *ad = NULL;
1009 	struct vattr attr;
1010 	short evmod = 0;
1011 	const auditinfo_addr_t *ainfo;
1012 	int getattr_ret;
1013 	cred_t *cr;
1014 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1015 
1016 	fad = F2A(fp);
1017 	estate = kctx->auk_ets[AUE_CLOSE];
1018 	tad = U2A(u);
1019 	cr = CRED();
1020 
1021 	/* audit record already generated by system call envelope */
1022 	if (tad->tad_event == AUE_CLOSE) {
1023 		/* so close audit event will have bits set */
1024 		tad->tad_evmod |= (short)fad->fad_flags;
1025 		return;
1026 	}
1027 
1028 	/* if auditing not enabled, then don't generate an audit record */
1029 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
1030 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
1031 	    kctx->auk_auditstate == AUC_NOSPACE))
1032 		return;
1033 
1034 	ainfo = crgetauinfo(cr);
1035 	if (ainfo == NULL)
1036 		return;
1037 
1038 	success = ainfo->ai_mask.as_success & estate;
1039 
1040 	/* not selected for this event */
1041 	if (success == 0)
1042 		return;
1043 
1044 	/*
1045 	 * can't use audit_attributes here since we use a private audit area
1046 	 * to build the audit record instead of the one off the thread.
1047 	 */
1048 	if ((vp = fp->f_vnode) != NULL) {
1049 		attr.va_mask = AT_ALL;
1050 		getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL);
1051 	}
1052 
1053 	/*
1054 	 * When write was not used and the file can be considered public,
1055 	 * then skip the audit.
1056 	 */
1057 	if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) {
1058 		if (file_is_public(&attr)) {
1059 			return;
1060 		}
1061 	}
1062 
1063 	evmod = (short)fad->fad_flags;
1064 	if (fad->fad_aupath != NULL) {
1065 		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
1066 	} else {
1067 #ifdef _LP64
1068 		au_write((caddr_t *)&(ad), au_to_arg64(
1069 			1, "no path: fp", (uint64_t)fp));
1070 #else
1071 		au_write((caddr_t *)&(ad), au_to_arg32(
1072 			1, "no path: fp", (uint32_t)fp));
1073 #endif
1074 	}
1075 
1076 	if (getattr_ret == 0) {
1077 		au_write((caddr_t *)&(ad), au_to_attr(&attr));
1078 		audit_sec_attributes((caddr_t *)&(ad), vp);
1079 	}
1080 
1081 	/* Add subject information */
1082 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1083 
1084 	/* add a return token */
1085 	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
1086 
1087 	AS_INC(as_generated, 1, kctx);
1088 	AS_INC(as_kernel, 1, kctx);
1089 
1090 	/*
1091 	 * Close up everything
1092 	 * Note: path space recovery handled by normal system
1093 	 * call envelope if not at last close.
1094 	 * Note there is no failure at this point since
1095 	 *   this represents closes due to exit of process,
1096 	 *   thus we always indicate successful closes.
1097 	 */
1098 	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
1099 	    AUE_CLOSE, evmod);
1100 }
1101 
1102 /*
1103  * ROUTINE:	AUDIT_SET
1104  * PURPOSE:	Audit the file path and file attributes.
1105  * CALLBY:	SETF
1106  * NOTE:	SETF associate a file pointer with user area's open files.
1107  * TODO:
1108  * call audit_finish directly ???
1109  * QUESTION:
1110  */
1111 
1112 /*ARGSUSED*/
1113 void
1114 audit_setf(file_t *fp, int fd)
1115 {
1116 	f_audit_data_t *fad;
1117 	t_audit_data_t *tad;
1118 
1119 	if (fp == NULL)
1120 		return;
1121 
1122 	tad = T2A(curthread);
1123 	fad = F2A(fp);
1124 
1125 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat ||
1126 	    tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 ||
1127 	    tad->tad_scid == SYS_fsat))
1128 		return;
1129 
1130 	/* no path */
1131 	if (tad->tad_aupath == 0)
1132 		return;
1133 
1134 	/*
1135 	 * assign path information associated with file audit data
1136 	 * use tad hold
1137 	 */
1138 	fad->fad_aupath = tad->tad_aupath;
1139 	tad->tad_aupath = NULL;
1140 	tad->tad_vn = NULL;
1141 
1142 	if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) {
1143 	/* adjust event type */
1144 		switch (tad->tad_event) {
1145 		case AUE_OPEN_RC:
1146 			tad->tad_event = AUE_OPEN_R;
1147 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1148 			break;
1149 		case AUE_OPEN_RTC:
1150 			tad->tad_event = AUE_OPEN_RT;
1151 			break;
1152 		case AUE_OPEN_WC:
1153 			tad->tad_event = AUE_OPEN_W;
1154 			break;
1155 		case AUE_OPEN_WTC:
1156 			tad->tad_event = AUE_OPEN_WT;
1157 			break;
1158 		case AUE_OPEN_RWC:
1159 			tad->tad_event = AUE_OPEN_RW;
1160 			break;
1161 		case AUE_OPEN_RWTC:
1162 			tad->tad_event = AUE_OPEN_RWT;
1163 			break;
1164 		default:
1165 			break;
1166 		}
1167 	}
1168 }
1169 
1170 
1171 /*
1172  * ROUTINE:	AUDIT_COPEN
1173  * PURPOSE:
1174  * CALLBY:	COPEN
1175  * NOTE:
1176  * TODO:
1177  * QUESTION:
1178  */
1179 /*ARGSUSED*/
1180 void
1181 audit_copen(int fd, file_t *fp, vnode_t *vp)
1182 {
1183 }
1184 
1185 void
1186 audit_ipc(int type, int id, void *vp)
1187 {
1188 	/* if not auditing this event, then do nothing */
1189 	if (ad_flag == 0)
1190 		return;
1191 
1192 	switch (type) {
1193 	case AT_IPC_MSG:
1194 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1195 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1196 		break;
1197 	case AT_IPC_SEM:
1198 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1199 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1200 		break;
1201 	case AT_IPC_SHM:
1202 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
1203 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1204 		break;
1205 	}
1206 }
1207 
1208 void
1209 audit_ipcget(int type, void *vp)
1210 {
1211 	/* if not auditing this event, then do nothing */
1212 	if (ad_flag == 0)
1213 		return;
1214 
1215 	switch (type) {
1216 	case NULL:
1217 		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
1218 		break;
1219 	case AT_IPC_MSG:
1220 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1221 		break;
1222 	case AT_IPC_SEM:
1223 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1224 		break;
1225 	case AT_IPC_SHM:
1226 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1227 		break;
1228 	}
1229 }
1230 
1231 /*
1232  * ROUTINE:	AUDIT_REBOOT
1233  * PURPOSE:
1234  * CALLBY:
1235  * NOTE:
1236  * At this point we know that the system call reboot will not return. We thus
1237  * have to complete the audit record generation and put it onto the queue.
1238  * This might be fairly useless if the auditing daemon is already dead....
1239  * TODO:
1240  * QUESTION:	who calls audit_reboot
1241  */
1242 
1243 void
1244 audit_reboot(void)
1245 {
1246 	int flag;
1247 	t_audit_data_t *tad;
1248 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1249 
1250 	tad = U2A(u);
1251 
1252 	/* if not auditing this event, then do nothing */
1253 	if (tad->tad_flag == 0)
1254 		return;
1255 
1256 	/* do preselection on success/failure */
1257 	if (flag = audit_success(kctx, tad, 0, NULL)) {
1258 		/* add a process token */
1259 
1260 		cred_t *cr = CRED();
1261 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1262 
1263 		if (ainfo == NULL)
1264 			return;
1265 
1266 		/* Add subject information */
1267 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
1268 
1269 		/* add a return token */
1270 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
1271 
1272 		AS_INC(as_generated, 1, kctx);
1273 		AS_INC(as_kernel, 1, kctx);
1274 	}
1275 
1276 	/*
1277 	 * Flow control useless here since we're going
1278 	 * to drop everything in the queue anyway. Why
1279 	 * block and wait. There aint anyone left alive to
1280 	 * read the records remaining anyway.
1281 	 */
1282 
1283 	/* Close up everything */
1284 	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1285 	    tad->tad_event, tad->tad_evmod);
1286 }
1287 
1288 void
1289 audit_setfsat_path(int argnum)
1290 {
1291 	klwp_id_t clwp = ttolwp(curthread);
1292 	struct file  *fp;
1293 	uint32_t fd;
1294 	t_audit_data_t *tad;
1295 	struct f_audit_data *fad;
1296 	p_audit_data_t *pad;	/* current process */
1297 	struct a {
1298 		long id;
1299 		long arg1;
1300 		long arg2;
1301 		long arg3;
1302 		long arg4;
1303 		long arg5;
1304 	} *uap;
1305 	struct b {
1306 		long arg1;
1307 		long arg2;
1308 		long arg3;
1309 		long arg4;
1310 		long arg5;
1311 	} *uap1;
1312 
1313 	if (clwp == NULL)
1314 		return;
1315 	uap1 = (struct b *)&clwp->lwp_ap[1];
1316 	uap = (struct a *)clwp->lwp_ap;
1317 
1318 	tad = U2A(u);
1319 
1320 	ASSERT(tad != NULL);
1321 
1322 	if (tad->tad_scid != SYS_fsat)
1323 		return;
1324 
1325 	switch (argnum) {
1326 	case 1:
1327 		fd = (uint32_t)uap1->arg1;
1328 		break;
1329 	case 2:
1330 		fd = (uint32_t)uap1->arg2;
1331 		break;
1332 	case 3:
1333 		fd = (uint32_t)uap1->arg3;
1334 		break;
1335 	case 4:
1336 		fd = (uint32_t)uap1->arg4;
1337 		break;
1338 	case 5:
1339 		fd = (uint32_t)uap1->arg5;
1340 		break;
1341 	default:
1342 		return;
1343 	}
1344 
1345 	if (uap->id == 9 && tad->tad_atpath != NULL) { /* openattrdir */
1346 		tad->tad_ctrl |= PAD_ATPATH;
1347 		return;
1348 	}
1349 	if (tad->tad_atpath != NULL) {
1350 		au_pathrele(tad->tad_atpath);
1351 		tad->tad_atpath = NULL;
1352 	}
1353 	if (fd != AT_FDCWD) {
1354 		if ((fp = getf(fd)) == NULL)
1355 			return;
1356 
1357 		fad = F2A(fp);
1358 		ASSERT(fad);
1359 		au_pathhold(fad->fad_aupath);
1360 		tad->tad_atpath = fad->fad_aupath;
1361 		releasef(fd);
1362 	} else {
1363 		pad = P2A(curproc);
1364 		mutex_enter(&pad->pad_lock);
1365 		au_pathhold(pad->pad_cwd);
1366 		tad->tad_atpath = pad->pad_cwd;
1367 		mutex_exit(&pad->pad_lock);
1368 	}
1369 }
1370 
1371 void
1372 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1373 {
1374 	t_audit_data_t *tad;
1375 	vnode_t	*vp;
1376 
1377 	tad = U2A(u);
1378 
1379 	/* if not auditing this event, then do nothing */
1380 	if (tad->tad_flag == 0)
1381 		return;
1382 
1383 	au_uwrite(au_to_text(target));
1384 
1385 	if (error)
1386 		return;
1387 
1388 	error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1389 			NULL, NULL, NULL);
1390 	if (error == 0) {
1391 		audit_attributes(vp);
1392 		VN_RELE(vp);
1393 	}
1394 }
1395 
1396 /*
1397  * ROUTINE:	AUDIT_VNCREATE_START
1398  * PURPOSE:	set flag so path name lookup in create will not add attribute
1399  * CALLBY:	VN_CREATE
1400  * NOTE:
1401  * TODO:
1402  * QUESTION:
1403  */
1404 
1405 void
1406 audit_vncreate_start()
1407 {
1408 	t_audit_data_t *tad;
1409 
1410 	tad = U2A(u);
1411 	tad->tad_ctrl |= PAD_NOATTRB;
1412 }
1413 
1414 /*
1415  * ROUTINE:	AUDIT_VNCREATE_FINISH
1416  * PURPOSE:
1417  * CALLBY:	VN_CREATE
1418  * NOTE:
1419  * TODO:
1420  * QUESTION:
1421  */
1422 void
1423 audit_vncreate_finish(struct vnode *vp, int error)
1424 {
1425 	t_audit_data_t *tad;
1426 
1427 	if (error)
1428 		return;
1429 
1430 	tad = U2A(u);
1431 
1432 	/* if not auditing this event, then do nothing */
1433 	if (tad->tad_flag == 0)
1434 		return;
1435 
1436 	if (tad->tad_ctrl & PAD_TRUE_CREATE) {
1437 		audit_attributes(vp);
1438 	}
1439 
1440 	if (tad->tad_ctrl & PAD_CORE) {
1441 		audit_attributes(vp);
1442 		tad->tad_ctrl &= ~PAD_CORE;
1443 	}
1444 
1445 	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1446 			(tad->tad_event == AUE_MKDIR))) {
1447 		audit_attributes(vp);
1448 	}
1449 
1450 	/* for case where multiple lookups in one syscall (rename) */
1451 	tad->tad_ctrl &= ~PAD_NOATTRB;
1452 }
1453 
1454 
1455 
1456 
1457 
1458 
1459 
1460 
1461 /*
1462  * ROUTINE:	AUDIT_EXEC
1463  * PURPOSE:	Records the function arguments and environment variables
1464  * CALLBY:	EXEC_ARGS
1465  * NOTE:
1466  * TODO:
1467  * QUESTION:
1468  */
1469 
1470 /*ARGSUSED*/
1471 void
1472 audit_exec(
1473 	const char *argstr,	/* argument strings */
1474 	const char *envstr,	/* environment strings */
1475 	ssize_t argc,		/* total # arguments */
1476 	ssize_t envc)		/* total # environment variables */
1477 {
1478 	t_audit_data_t *tad;
1479 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1480 
1481 	tad = U2A(u);
1482 
1483 	/* if not auditing this event, then do nothing */
1484 	if (!tad->tad_flag)
1485 		return;
1486 
1487 	/* return if not interested in argv or environment variables */
1488 	if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE)))
1489 		return;
1490 
1491 	if (kctx->auk_policy & AUDIT_ARGV) {
1492 		au_uwrite(au_to_exec_args(argstr, argc));
1493 	}
1494 
1495 	if (kctx->auk_policy & AUDIT_ARGE) {
1496 		au_uwrite(au_to_exec_env(envstr, envc));
1497 	}
1498 }
1499 
1500 /*
1501  * ROUTINE:	AUDIT_ENTERPROM
1502  * PURPOSE:
1503  * CALLBY:	KBDINPUT
1504  *		ZSA_XSINT
1505  * NOTE:
1506  * TODO:
1507  * QUESTION:
1508  */
1509 void
1510 audit_enterprom(int flg)
1511 {
1512 	token_t *rp = NULL;
1513 	int sorf;
1514 
1515 	if (flg)
1516 		sorf = AUM_SUCC;
1517 	else
1518 		sorf = AUM_FAIL;
1519 
1520 	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1521 
1522 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1523 
1524 	if (flg)
1525 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1526 	else
1527 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1528 
1529 	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL);
1530 }
1531 
1532 
1533 /*
1534  * ROUTINE:	AUDIT_EXITPROM
1535  * PURPOSE:
1536  * CALLBY:	KBDINPUT
1537  *		ZSA_XSINT
1538  * NOTE:
1539  * TODO:
1540  * QUESTION:
1541  */
1542 void
1543 audit_exitprom(int flg)
1544 {
1545 	int sorf;
1546 	token_t *rp = NULL;
1547 
1548 	if (flg)
1549 		sorf = AUM_SUCC;
1550 	else
1551 		sorf = AUM_FAIL;
1552 
1553 	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1554 
1555 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1556 
1557 	if (flg)
1558 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1559 	else
1560 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1561 
1562 	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL);
1563 }
1564 
1565 struct fcntla {
1566 	int fdes;
1567 	int cmd;
1568 	intptr_t arg;
1569 };
1570 
1571 /*
1572  * ROUTINE:	AUDIT_C2_REVOKE
1573  * PURPOSE:
1574  * CALLBY:	FCNTL
1575  * NOTE:
1576  * TODO:
1577  * QUESTION:	are we keeping this func
1578  */
1579 
1580 /*ARGSUSED*/
1581 int
1582 audit_c2_revoke(struct fcntla *uap, rval_t *rvp)
1583 {
1584 	return (0);
1585 }
1586 
1587 
1588 /*
1589  * ROUTINE:	AUDIT_CHDIREC
1590  * PURPOSE:
1591  * CALLBY:	CHDIREC
1592  * NOTE:	The main function of CHDIREC
1593  * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1594  * QUESTION:
1595  */
1596 
1597 /*ARGSUSED*/
1598 void
1599 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1600 {
1601 	int		chdir;
1602 	int		fchdir;
1603 	struct audit_path	**appp;
1604 	struct file	*fp;
1605 	f_audit_data_t *fad;
1606 	p_audit_data_t *pad = P2A(curproc);
1607 	t_audit_data_t *tad = T2A(curthread);
1608 
1609 	struct a {
1610 		long fd;
1611 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1612 
1613 	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1614 		chdir = tad->tad_scid == SYS_chdir;
1615 		if (tad->tad_aupath) {
1616 			mutex_enter(&pad->pad_lock);
1617 			if (chdir)
1618 				appp = &(pad->pad_cwd);
1619 			else
1620 				appp = &(pad->pad_root);
1621 			au_pathrele(*appp);
1622 			/* use tad hold */
1623 			*appp = tad->tad_aupath;
1624 			tad->tad_aupath = NULL;
1625 			mutex_exit(&pad->pad_lock);
1626 		}
1627 	} else if ((tad->tad_scid == SYS_fchdir) ||
1628 	    (tad->tad_scid == SYS_fchroot)) {
1629 		fchdir = tad->tad_scid == SYS_fchdir;
1630 		if ((fp = getf(uap->fd)) == NULL)
1631 			return;
1632 		fad = F2A(fp);
1633 		if (fad->fad_aupath) {
1634 			au_pathhold(fad->fad_aupath);
1635 			mutex_enter(&pad->pad_lock);
1636 			if (fchdir)
1637 				appp = &(pad->pad_cwd);
1638 			else
1639 				appp = &(pad->pad_root);
1640 			au_pathrele(*appp);
1641 			*appp = fad->fad_aupath;
1642 			mutex_exit(&pad->pad_lock);
1643 			if (tad->tad_flag) {
1644 				au_uwrite(au_to_path(fad->fad_aupath));
1645 				audit_attributes(fp->f_vnode);
1646 			}
1647 		}
1648 		releasef(uap->fd);
1649 	}
1650 }
1651 
1652 /*
1653  * ROUTINE:	AUDIT_GETF
1654  * PURPOSE:
1655  * CALLBY:	GETF_INTERNAL
1656  * NOTE:	The main function of GETF_INTERNAL is to associate a given
1657  *		file descriptor with a file structure and increment the
1658  *		file pointer reference count.
1659  * TODO:	remove pass in of fpp.
1660  * increment a reference count so that even if a thread with same process delete
1661  * the same object, it will not panic our system
1662  * QUESTION:
1663  * where to decrement the f_count?????????????????
1664  * seems like I need to set a flag if f_count incremented through audit_getf
1665  */
1666 
1667 /*ARGSUSED*/
1668 int
1669 audit_getf(int fd)
1670 {
1671 #ifdef NOTYET
1672 	t_audit_data_t *tad;
1673 
1674 	tad = T2A(curthread);
1675 
1676 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat))
1677 		return;
1678 #endif
1679 	return (0);
1680 }
1681 
1682 /*
1683  *	Audit hook for stream based socket and tli request.
1684  *	Note that we do not have user context while executing
1685  *	this code so we had to record them earlier during the
1686  *	putmsg/getmsg to figure out which user we are dealing with.
1687  */
1688 
1689 /*ARGSUSED*/
1690 void
1691 audit_sock(
1692 	int type,	/* type of tihdr.h header requests */
1693 	queue_t *q,	/* contains the process and thread audit data */
1694 	mblk_t *mp,	/* contains the tihdr.h header structures */
1695 	int from)	/* timod or sockmod request */
1696 {
1697 	int32_t    len;
1698 	int32_t    offset;
1699 	struct sockaddr_in *sock_data;
1700 	struct T_conn_req *conn_req;
1701 	struct T_conn_ind *conn_ind;
1702 	struct T_unitdata_req *unitdata_req;
1703 	struct T_unitdata_ind *unitdata_ind;
1704 	au_state_t estate;
1705 	t_audit_data_t *tad;
1706 	caddr_t saved_thread_ptr;
1707 	au_mask_t amask;
1708 	const auditinfo_addr_t *ainfo;
1709 	au_kcontext_t	*kctx;
1710 
1711 	if (q->q_stream == NULL)
1712 		return;
1713 	mutex_enter(&q->q_stream->sd_lock);
1714 	/* are we being audited */
1715 	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1716 	/* no pointer to thread, nothing to do */
1717 	if (saved_thread_ptr == NULL) {
1718 		mutex_exit(&q->q_stream->sd_lock);
1719 		return;
1720 	}
1721 	/* only allow one addition of a record token */
1722 	q->q_stream->sd_t_audit_data = NULL;
1723 	/*
1724 	 * thread is not the one being audited, then nothing to do
1725 	 * This could be the stream thread handling the module
1726 	 * service routine. In this case, the context for the audit
1727 	 * record can no longer be assumed. Simplest to just drop
1728 	 * the operation.
1729 	 */
1730 	if (curthread != (kthread_id_t)saved_thread_ptr) {
1731 		mutex_exit(&q->q_stream->sd_lock);
1732 		return;
1733 	}
1734 	if (curthread->t_sysnum >= SYS_so_socket &&
1735 	    curthread->t_sysnum <= SYS_sockconfig) {
1736 		mutex_exit(&q->q_stream->sd_lock);
1737 		return;
1738 	}
1739 	mutex_exit(&q->q_stream->sd_lock);
1740 	/*
1741 	 * we know that the thread that did the put/getmsg is the
1742 	 * one running. Now we can get the TAD and see if we should
1743 	 * add an audit token.
1744 	 */
1745 	tad = U2A(u);
1746 
1747 	kctx = GET_KCTX_PZ;
1748 
1749 	/* proceed ONLY if user is being audited */
1750 	if (!tad->tad_flag)
1751 		return;
1752 
1753 	ainfo = crgetauinfo(CRED());
1754 	if (ainfo == NULL)
1755 		return;
1756 	amask = ainfo->ai_mask;
1757 
1758 	/*
1759 	 * Figure out the type of stream networking request here.
1760 	 * Note that getmsg and putmsg are always preselected
1761 	 * because during the beginning of the system call we have
1762 	 * not yet figure out which of the socket or tli request
1763 	 * we are looking at until we are here. So we need to check
1764 	 * against that specific request and reset the type of event.
1765 	 */
1766 	switch (type) {
1767 	case T_CONN_REQ:	/* connection request */
1768 		conn_req = (struct T_conn_req *)mp->b_rptr;
1769 		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1770 			return;
1771 		offset = conn_req->DEST_offset;
1772 		len = conn_req->DEST_length;
1773 		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1774 		if (amask.as_success & estate || amask.as_failure & estate) {
1775 			tad->tad_event = AUE_SOCKCONNECT;
1776 			break;
1777 		} else {
1778 			return;
1779 		}
1780 	case T_CONN_IND:	 /* connectionless receive request */
1781 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1782 		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1783 			return;
1784 		offset = conn_ind->SRC_offset;
1785 		len = conn_ind->SRC_length;
1786 		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1787 		if (amask.as_success & estate || amask.as_failure & estate) {
1788 			tad->tad_event = AUE_SOCKACCEPT;
1789 			break;
1790 		} else {
1791 			return;
1792 		}
1793 	case T_UNITDATA_REQ:	 /* connectionless send request */
1794 		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1795 		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1796 			return;
1797 		offset = unitdata_req->DEST_offset;
1798 		len = unitdata_req->DEST_length;
1799 		estate = kctx->auk_ets[AUE_SOCKSEND];
1800 		if (amask.as_success & estate || amask.as_failure & estate) {
1801 			tad->tad_event = AUE_SOCKSEND;
1802 			break;
1803 		} else {
1804 			return;
1805 		}
1806 	case T_UNITDATA_IND:	 /* connectionless receive request */
1807 		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1808 		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1809 			return;
1810 		offset = unitdata_ind->SRC_offset;
1811 		len = unitdata_ind->SRC_length;
1812 		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1813 		if (amask.as_success & estate || amask.as_failure & estate) {
1814 			tad->tad_event = AUE_SOCKRECEIVE;
1815 			break;
1816 		} else {
1817 			return;
1818 		}
1819 	default:
1820 		return;
1821 	}
1822 
1823 	/*
1824 	 * we are only interested in tcp stream connections,
1825 	 * not unix domain stuff
1826 	 */
1827 	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1828 		tad->tad_event = AUE_GETMSG;
1829 		return;
1830 	}
1831 	/* skip over TPI header and point to the ip address */
1832 	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1833 
1834 	switch (sock_data->sin_family) {
1835 	case AF_INET:
1836 		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1837 		break;
1838 	default:	/* reset to AUE_PUTMSG if not a inet request */
1839 		tad->tad_event = AUE_GETMSG;
1840 		break;
1841 	}
1842 }
1843 
1844 void
1845 audit_lookupname()
1846 {
1847 }
1848 
1849 /*ARGSUSED*/
1850 int
1851 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr)
1852 {
1853 	return (0);
1854 }
1855 
1856 static void
1857 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1858 {
1859 	unsigned int sy_flags;
1860 
1861 #ifdef _SYSCALL32_IMPL
1862 	if (lwp_getdatamodel(
1863 		ttolwp(curthread)) == DATAMODEL_NATIVE)
1864 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1865 	else
1866 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1867 #else
1868 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1869 #endif
1870 
1871 	if (sy_flags == SE_64RVAL)
1872 		au_write(ad, au_to_return64(err, rval));
1873 	else
1874 		au_write(ad, au_to_return32(err, rval));
1875 
1876 }
1877 
1878 /*ARGSUSED*/
1879 void
1880 audit_fdsend(fd, fp, error)
1881 	int fd;
1882 	struct file *fp;
1883 	int error;		/* ignore for now */
1884 {
1885 	t_audit_data_t *tad;	/* current thread */
1886 	f_audit_data_t *fad;	/* per file audit structure */
1887 	struct vnode *vp;	/* for file attributes */
1888 
1889 	/* is this system call being audited */
1890 	tad = U2A(u);
1891 	ASSERT(tad != (t_audit_data_t *)0);
1892 	if (!tad->tad_flag)
1893 		return;
1894 
1895 	fad = F2A(fp);
1896 
1897 	/* add path and file attributes */
1898 	if (fad != NULL && fad->fad_aupath != NULL) {
1899 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1900 		au_uwrite(au_to_path(fad->fad_aupath));
1901 	} else {
1902 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1903 #ifdef _LP64
1904 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1905 #else
1906 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1907 #endif
1908 	}
1909 	vp = fp->f_vnode;	/* include vnode attributes */
1910 	audit_attributes(vp);
1911 }
1912 
1913 /*
1914  * Record privileges successfully used and we attempted to use but
1915  * didn't have.
1916  */
1917 void
1918 audit_priv(int priv, const priv_set_t *set, int flag)
1919 {
1920 	t_audit_data_t *tad;
1921 	int sbit;
1922 	priv_set_t *target;
1923 
1924 	/* Make sure this isn't being called in an interrupt context */
1925 	ASSERT(servicing_interrupt() == 0);
1926 
1927 	tad = U2A(u);
1928 
1929 	if (tad->tad_flag == 0)
1930 		return;
1931 
1932 	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1933 	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1934 
1935 	/* Tell audit_success() and audit_finish() that we saw this case */
1936 	if (!(tad->tad_evmod & sbit)) {
1937 		/* Clear set first time around */
1938 		priv_emptyset(target);
1939 		tad->tad_evmod |= sbit;
1940 	}
1941 
1942 	/* Save the privileges in the tad */
1943 	if (priv == PRIV_ALL) {
1944 		priv_fillset(target);
1945 	} else {
1946 		ASSERT(set != NULL || priv != PRIV_NONE);
1947 		if (set != NULL)
1948 			priv_union(set, target);
1949 		if (priv != PRIV_NONE)
1950 			priv_addset(target, priv);
1951 	}
1952 }
1953 
1954 /*
1955  * Audit the setpriv() system call; the operation, the set name and
1956  * the current value as well as the set argument are put in the
1957  * audit trail.
1958  */
1959 void
1960 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1961 {
1962 	t_audit_data_t *tad;
1963 	const priv_set_t *oldpriv;
1964 	priv_set_t report;
1965 	const char *setname;
1966 
1967 	tad = U2A(u);
1968 
1969 	if (tad->tad_flag == 0)
1970 		return;
1971 
1972 	oldpriv = priv_getset(ocr, set);
1973 
1974 	/* Generate the actual record, include the before and after */
1975 	au_uwrite(au_to_arg32(2, "op", op));
1976 	setname = priv_getsetbynum(set);
1977 
1978 	switch (op) {
1979 	case PRIV_OFF:
1980 		/* Report privileges actually switched off */
1981 		report = *oldpriv;
1982 		priv_intersect(newpriv, &report);
1983 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1984 		break;
1985 	case PRIV_ON:
1986 		/* Report privileges actually switched on */
1987 		report = *oldpriv;
1988 		priv_inverse(&report);
1989 		priv_intersect(newpriv, &report);
1990 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1991 		break;
1992 	case PRIV_SET:
1993 		/* Report before and after */
1994 		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1995 		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1996 		break;
1997 	}
1998 }
1999 
2000 /*
2001  * Dump the full device policy setting in the audit trail.
2002  */
2003 void
2004 audit_devpolicy(int nitems, const devplcysys_t *items)
2005 {
2006 	t_audit_data_t *tad;
2007 	int i;
2008 
2009 	tad = U2A(u);
2010 
2011 	if (tad->tad_flag == 0)
2012 		return;
2013 
2014 	for (i = 0; i < nitems; i++) {
2015 		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
2016 		if (items[i].dps_minornm[0] == '\0') {
2017 			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
2018 			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
2019 		} else
2020 			au_uwrite(au_to_text(items[i].dps_minornm));
2021 
2022 		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
2023 		    AUT_PRIV, 0));
2024 		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
2025 		    AUT_PRIV, 0));
2026 	}
2027 }
2028 
2029 /*ARGSUSED*/
2030 void
2031 audit_fdrecv(fd, fp)
2032 	int fd;
2033 	struct file *fp;
2034 {
2035 	t_audit_data_t *tad;	/* current thread */
2036 	f_audit_data_t *fad;	/* per file audit structure */
2037 	struct vnode *vp;	/* for file attributes */
2038 
2039 	/* is this system call being audited */
2040 	tad = U2A(u);
2041 	ASSERT(tad != (t_audit_data_t *)0);
2042 	if (!tad->tad_flag)
2043 		return;
2044 
2045 	fad = F2A(fp);
2046 
2047 	/* add path and file attributes */
2048 	if (fad != NULL && fad->fad_aupath != NULL) {
2049 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2050 		au_uwrite(au_to_path(fad->fad_aupath));
2051 	} else {
2052 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2053 #ifdef _LP64
2054 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
2055 #else
2056 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
2057 #endif
2058 	}
2059 	vp = fp->f_vnode;	/* include vnode attributes */
2060 	audit_attributes(vp);
2061 }
2062 
2063 /*
2064  * ROUTINE:	AUDIT_CRYPTOADM
2065  * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
2066  * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
2067  *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
2068  *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
2069  *		CRYPTO_LOAD_DOOR
2070  * NOTE:
2071  * TODO:
2072  * QUESTION:
2073  */
2074 
2075 void
2076 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
2077     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
2078 {
2079 	boolean_t		mech_list_required = B_FALSE;
2080 	cred_t			*cr = CRED();
2081 	t_audit_data_t		*tad;
2082 	token_t			*ad = NULL;
2083 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2084 	char			buffer[MAXNAMELEN * 2];
2085 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2086 
2087 	tad = U2A(u);
2088 	if (tad == NULL)
2089 		return;
2090 
2091 	if (ainfo == NULL)
2092 		return;
2093 
2094 	tad->tad_event = AUE_CRYPTOADM;
2095 
2096 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
2097 		return;
2098 
2099 	/* Add subject information */
2100 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
2101 
2102 	switch (cmd) {
2103 	case CRYPTO_LOAD_DEV_DISABLED:
2104 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2105 			(void) snprintf(buffer, sizeof (buffer),
2106 			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
2107 			    " dev_instance=%d",
2108 			    module_name, device_instance);
2109 			mech_list_required = B_TRUE;
2110 		} else {
2111 			(void) snprintf(buffer, sizeof (buffer),
2112 			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
2113 		}
2114 		break;
2115 
2116 	case CRYPTO_LOAD_SOFT_DISABLED:
2117 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2118 			(void) snprintf(buffer, sizeof (buffer),
2119 			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
2120 			    module_name);
2121 			mech_list_required = B_TRUE;
2122 		} else {
2123 			(void) snprintf(buffer, sizeof (buffer),
2124 			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
2125 		}
2126 		break;
2127 
2128 	case CRYPTO_UNLOAD_SOFT_MODULE:
2129 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2130 			(void) snprintf(buffer, sizeof (buffer),
2131 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
2132 			    module_name);
2133 		} else {
2134 			(void) snprintf(buffer, sizeof (buffer),
2135 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
2136 		}
2137 		break;
2138 
2139 	case CRYPTO_LOAD_SOFT_CONFIG:
2140 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2141 			(void) snprintf(buffer, sizeof (buffer),
2142 			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
2143 			    module_name);
2144 			mech_list_required = B_TRUE;
2145 		} else {
2146 			(void) snprintf(buffer, sizeof (buffer),
2147 			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
2148 		}
2149 		break;
2150 
2151 	case CRYPTO_POOL_CREATE:
2152 		(void) snprintf(buffer, sizeof (buffer),
2153 		    "op=CRYPTO_POOL_CREATE");
2154 		break;
2155 
2156 	case CRYPTO_POOL_WAIT:
2157 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
2158 		break;
2159 
2160 	case CRYPTO_POOL_RUN:
2161 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
2162 		break;
2163 
2164 	case CRYPTO_LOAD_DOOR:
2165 		if (error == 0 && rv == CRYPTO_SUCCESS)
2166 			(void) snprintf(buffer, sizeof (buffer),
2167 			    "op=CRYPTO_LOAD_DOOR");
2168 		else
2169 			(void) snprintf(buffer, sizeof (buffer),
2170 			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
2171 		break;
2172 
2173 	default:
2174 		return;
2175 	}
2176 
2177 	au_write((caddr_t *)&ad, au_to_text(buffer));
2178 
2179 	if (mech_list_required) {
2180 		int i;
2181 
2182 		if (mech_count == 0) {
2183 			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
2184 		} else {
2185 			char	*pb = buffer;
2186 			size_t	l = sizeof (buffer);
2187 			size_t	n;
2188 			char	space[2] = ":";
2189 
2190 			n = snprintf(pb, l, "mech=");
2191 
2192 			for (i = 0; i < mech_count; i++) {
2193 				pb += n;
2194 				l -= n;
2195 				if (l < 0)
2196 					l = 0;
2197 
2198 				if (i == mech_count - 1)
2199 					(void) strcpy(space, "");
2200 
2201 				n = snprintf(pb, l, "%s%s", mech_names[i],
2202 				    space);
2203 			}
2204 			au_write((caddr_t *)&ad, au_to_text(buffer));
2205 		}
2206 	}
2207 
2208 	/* add a return token */
2209 	if (error || (rv != CRYPTO_SUCCESS))
2210 		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
2211 	else
2212 		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
2213 
2214 	AS_INC(as_generated, 1, kctx);
2215 	AS_INC(as_kernel, 1, kctx);
2216 
2217 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0);
2218 }
2219 
2220 /*
2221  * Audit the kernel SSL administration command. The address and the
2222  * port number for the SSL instance, and the proxy port are put in the
2223  * audit trail.
2224  */
2225 void
2226 audit_kssl(int cmd, void *params, int error)
2227 {
2228 	cred_t			*cr = CRED();
2229 	t_audit_data_t		*tad;
2230 	token_t			*ad = NULL;
2231 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2232 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2233 
2234 	tad = U2A(u);
2235 
2236 	if (ainfo == NULL)
2237 		return;
2238 
2239 	tad->tad_event = AUE_CONFIGKSSL;
2240 
2241 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
2242 		return;
2243 
2244 	/* Add subject information */
2245 	AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2246 
2247 	switch (cmd) {
2248 	case KSSL_ADD_ENTRY: {
2249 		char buf[32];
2250 		kssl_params_t *kp = (kssl_params_t *)params;
2251 		struct sockaddr_in *saddr = &(kp->kssl_addr);
2252 
2253 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2254 		au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
2255 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2256 		    saddr->sin_port);
2257 		au_write((caddr_t *)&ad, au_to_text(buf));
2258 
2259 		(void) snprintf(buf, sizeof (buf), "proxy port=%d",
2260 		    kp->kssl_proxy_port);
2261 		au_write((caddr_t *)&ad, au_to_text(buf));
2262 		break;
2263 	}
2264 
2265 	case KSSL_DELETE_ENTRY: {
2266 		char buf[32];
2267 		struct sockaddr_in *saddr = (struct sockaddr_in *)params;
2268 
2269 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2270 		au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
2271 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2272 		    saddr->sin_port);
2273 		au_write((caddr_t *)&ad, au_to_text(buf));
2274 		break;
2275 	}
2276 
2277 	default:
2278 		return;
2279 	}
2280 
2281 	/* add a return token */
2282 	add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2283 
2284 	AS_INC(as_generated, 1, kctx);
2285 	AS_INC(as_kernel, 1, kctx);
2286 
2287 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0);
2288 }
2289 
2290 /*
2291  * Audit the kernel PF_POLICY administration commands.  Record command,
2292  * zone, policy type (global or tunnel, active or inactive)
2293  */
2294 /*
2295  * ROUTINE:	AUDIT_PF_POLICY
2296  * PURPOSE:	Records arguments to administrative ioctls on PF_POLICY socket
2297  * CALLBY:	SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2298  *		SPD_CLONE, SPD_FLIP
2299  * NOTE:
2300  * TODO:
2301  * QUESTION:
2302  */
2303 
2304 void
2305 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2306     boolean_t active, int error, pid_t pid)
2307 {
2308 	const auditinfo_addr_t	*ainfo;
2309 	t_audit_data_t		*tad;
2310 	token_t			*ad = NULL;
2311 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2312 	char			buf[80];
2313 	int			flag;
2314 
2315 	tad = U2A(u);
2316 	if (tad == NULL)
2317 		return;
2318 
2319 	ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2320 	if (ainfo == NULL)
2321 		return;
2322 
2323 	/*
2324 	 * Initialize some variables since these are only set
2325 	 * with system calls.
2326 	 */
2327 
2328 	switch (cmd) {
2329 	case SPD_ADDRULE: {
2330 		tad->tad_event = AUE_PF_POLICY_ADDRULE;
2331 		break;
2332 	}
2333 
2334 	case SPD_DELETERULE: {
2335 		tad->tad_event = AUE_PF_POLICY_DELRULE;
2336 		break;
2337 	}
2338 
2339 	case SPD_FLUSH: {
2340 		tad->tad_event = AUE_PF_POLICY_FLUSH;
2341 		break;
2342 	}
2343 
2344 	case SPD_UPDATEALGS: {
2345 		tad->tad_event = AUE_PF_POLICY_ALGS;
2346 		break;
2347 	}
2348 
2349 	case SPD_CLONE: {
2350 		tad->tad_event = AUE_PF_POLICY_CLONE;
2351 		break;
2352 	}
2353 
2354 	case SPD_FLIP: {
2355 		tad->tad_event = AUE_PF_POLICY_FLIP;
2356 		break;
2357 	}
2358 
2359 	default:
2360 		tad->tad_event = AUE_NULL;
2361 	}
2362 
2363 	tad->tad_evmod = 0;
2364 
2365 	if (flag = audit_success(kctx, tad, error, cred)) {
2366 		zone_t *nszone;
2367 
2368 		/*
2369 		 * For now, just audit that an event happened,
2370 		 * along with the error code.
2371 		 */
2372 		au_write((caddr_t *)&ad,
2373 		    au_to_arg32(1, "Policy Active?", (uint32_t)active));
2374 		au_write((caddr_t *)&ad,
2375 		    au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2376 
2377 		/* Supplemental data */
2378 
2379 		/*
2380 		 * Generate this zone token if the target zone differs
2381 		 * from the administrative zone.  If netstacks are expanded
2382 		 * to something other than a 1-1 relationship with zones,
2383 		 * the auditing framework should create a new token type
2384 		 * and audit it as a netstack instead.
2385 		 * Turn on general zone auditing to get the administrative zone.
2386 		 */
2387 
2388 		nszone = zone_find_by_id(netstackid_to_zoneid(
2389 		    ns->netstack_stackid));
2390 		if (strncmp(cred->cr_zone->zone_name, nszone->zone_name,
2391 		    ZONENAME_MAX) != 0) {
2392 			token_t *ztoken;
2393 
2394 			ztoken = au_to_zonename(0, nszone);
2395 			au_write((caddr_t *)&ad, ztoken);
2396 		}
2397 
2398 		if (tun != NULL) {
2399 			/* write tunnel name - tun is bounded */
2400 			(void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2401 			    tun);
2402 			au_write((caddr_t *)&ad, au_to_text(buf));
2403 		}
2404 
2405 		/* Add subject information */
2406 		AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2407 		    ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2408 
2409 		/* add a return token */
2410 		add_return_token((caddr_t *)&ad, 0, error, 0);
2411 
2412 		AS_INC(as_generated, 1, kctx);
2413 		AS_INC(as_kernel, 1, kctx);
2414 
2415 	}
2416 	au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, 0);
2417 
2418 	/*
2419 	 * clear the ctrl flag so that we don't have spurious collection of
2420 	 * audit information.
2421 	 */
2422 	tad->tad_scid  = 0;
2423 	tad->tad_event = 0;
2424 	tad->tad_evmod = 0;
2425 	tad->tad_ctrl  = 0;
2426 }
2427 
2428 /*
2429  * ROUTINE:	AUDIT_SEC_ATTRIBUTES
2430  * PURPOSE:	Add security attributes
2431  * CALLBY:	AUDIT_ATTRIBUTES
2432  *		AUDIT_CLOSEF
2433  *		AUS_CLOSE
2434  * NOTE:
2435  * TODO:
2436  * QUESTION:
2437  */
2438 
2439 void
2440 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2441 {
2442 	/* Dump the SL */
2443 	if (is_system_labeled()) {
2444 		ts_label_t	*tsl;
2445 		bslabel_t	*bsl;
2446 
2447 		tsl = getflabel(vp);
2448 		if (tsl == NULL)
2449 			return;			/* nothing else to do */
2450 
2451 		bsl = label2bslabel(tsl);
2452 		if (bsl == NULL)
2453 			return;			/* nothing else to do */
2454 		au_write(ad, au_to_label(bsl));
2455 		label_rele(tsl);
2456 	}
2457 
2458 }	/* AUDIT_SEC_ATTRIBUTES */
2459