xref: /illumos-gate/usr/src/uts/common/c2/audit.c (revision fc960aa7d5b64fecfb1cd068106eb0dc81cf5bf0)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the audit hook support code for auditing.
28  */
29 
30 #include <sys/types.h>
31 #include <sys/proc.h>
32 #include <sys/vnode.h>
33 #include <sys/vfs.h>
34 #include <sys/file.h>
35 #include <sys/user.h>
36 #include <sys/stropts.h>
37 #include <sys/systm.h>
38 #include <sys/pathname.h>
39 #include <sys/syscall.h>
40 #include <sys/fcntl.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/msg_impl.h>
43 #include <sys/sem_impl.h>
44 #include <sys/shm_impl.h>
45 #include <sys/kmem.h>		/* for KM_SLEEP */
46 #include <sys/socket.h>
47 #include <sys/cmn_err.h>	/* snprintf... */
48 #include <sys/debug.h>
49 #include <sys/thread.h>
50 #include <netinet/in.h>
51 #include <c2/audit.h>		/* needs to be included before user.h */
52 #include <c2/audit_kernel.h>	/* for M_DONTWAIT */
53 #include <c2/audit_kevents.h>
54 #include <c2/audit_record.h>
55 #include <sys/strsubr.h>
56 #include <sys/tihdr.h>
57 #include <sys/tiuser.h>
58 #include <sys/timod.h>
59 #include <sys/model.h>		/* for model_t */
60 #include <sys/disp.h>		/* for servicing_interrupt() */
61 #include <sys/devpolicy.h>
62 #include <sys/crypto/ioctladmin.h>
63 #include <sys/cred_impl.h>
64 #include <inet/kssl/kssl.h>
65 #include <net/pfpolicy.h>
66 
67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68 
69 static void audit_pathbuild(struct pathname *pnp);
70 
71 /*
72  * ROUTINE:	AUDIT_NEWPROC
73  * PURPOSE:	initialize the child p_audit_data structure
74  * CALLBY:	GETPROC
75  * NOTE:	All threads for the parent process are locked at this point.
76  *		We are essentially running singled threaded for this reason.
77  *		GETPROC is called when system creates a new process.
78  *		By the time AUDIT_NEWPROC is called, the child proc
79  *		structure has already been initialized. What we need
80  *		to do is to allocate the child p_audit_data and
81  *		initialize it with the content of current parent process.
82  */
83 
84 void
85 audit_newproc(struct proc *cp)	/* initialized child proc structure */
86 {
87 	p_audit_data_t *pad;	/* child process audit data */
88 	p_audit_data_t *opad;	/* parent process audit data */
89 
90 	pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
91 
92 	P2A(cp) = pad;
93 
94 	opad = P2A(curproc);
95 
96 	/*
97 	 * copy the audit data. Note that all threads of current
98 	 *   process have been "held". Thus there is no race condition
99 	 *   here with mutiple threads trying to alter the cwrd
100 	 *   structure (such as releasing it).
101 	 *
102 	 *   The audit context in the cred is "duplicated" for the new
103 	 *   proc by elsewhere crhold'ing the parent's cred which it shares.
104 	 *
105 	 *   We still want to hold things since auditon() [A_SETUMASK,
106 	 *   A_SETSMASK] could be walking through the processes to
107 	 *   update things.
108 	 */
109 	mutex_enter(&opad->pad_lock);	/* lock opad structure during copy */
110 	pad->pad_data = opad->pad_data;	/* copy parent's process audit data */
111 	au_pathhold(pad->pad_root);
112 	au_pathhold(pad->pad_cwd);
113 	mutex_exit(&opad->pad_lock);	/* current proc will keep cwrd open */
114 
115 	/*
116 	 * finish auditing of parent here so that it will be done
117 	 * before child has a chance to run. We include the child
118 	 * pid since the return value in the return token is a dummy
119 	 * one and contains no useful information (it is included to
120 	 * make the audit record structure consistant).
121 	 *
122 	 * tad_flag is set if auditing is on
123 	 */
124 	if (((t_audit_data_t *)T2A(curthread))->tad_flag)
125 		au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid));
126 
127 	/*
128 	 * finish up audit record generation here because child process
129 	 * is set to run before parent process. We distinguish here
130 	 * between FORK, FORK1, or VFORK by the saved system call ID.
131 	 */
132 	audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0);
133 }
134 
135 /*
136  * ROUTINE:	AUDIT_PFREE
137  * PURPOSE:	deallocate the per-process udit data structure
138  * CALLBY:	EXIT
139  *		FORK_FAIL
140  * NOTE:	all lwp except current one have stopped in SEXITLWPS
141  * 		why we are single threaded?
142  *		. all lwp except current one have stopped in SEXITLWPS.
143  */
144 void
145 audit_pfree(struct proc *p)		/* proc structure to be freed */
146 
147 {	/* AUDIT_PFREE */
148 
149 	p_audit_data_t *pad;
150 
151 	pad = P2A(p);
152 
153 	/* better be a per process audit data structure */
154 	ASSERT(pad != (p_audit_data_t *)0);
155 
156 	if (pad == pad0) {
157 		return;
158 	}
159 
160 	/* deallocate all auditing resources for this process */
161 	au_pathrele(pad->pad_root);
162 	au_pathrele(pad->pad_cwd);
163 
164 	/*
165 	 * Since the pad structure is completely overwritten after alloc,
166 	 * we don't bother to clear it.
167 	 */
168 
169 	kmem_cache_free(au_pad_cache, pad);
170 }
171 
172 /*
173  * ROUTINE:	AUDIT_THREAD_CREATE
174  * PURPOSE:	allocate per-process thread audit data structure
175  * CALLBY:	THREAD_CREATE
176  * NOTE:	This is called just after *t was bzero'd.
177  *		We are single threaded in this routine.
178  * TODO:
179  * QUESTION:
180  */
181 
182 void
183 audit_thread_create(kthread_id_t t)
184 {
185 	t_audit_data_t *tad;	/* per-thread audit data */
186 
187 	tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
188 
189 	T2A(t) = tad;		/* set up thread audit data ptr */
190 	tad->tad_thread = t;	/* back ptr to thread: DEBUG */
191 }
192 
193 /*
194  * ROUTINE:	AUDIT_THREAD_FREE
195  * PURPOSE:	free the per-thread audit data structure
196  * CALLBY:	THREAD_FREE
197  * NOTE:	most thread data is clear after return
198  */
199 void
200 audit_thread_free(kthread_t *t)
201 {
202 	t_audit_data_t *tad;
203 	au_defer_info_t	*attr;
204 
205 	tad = T2A(t);
206 
207 	/* thread audit data must still be set */
208 
209 	if (tad == tad0) {
210 		return;
211 	}
212 
213 	if (tad == NULL) {
214 		return;
215 	}
216 
217 	t->t_audit_data = 0;
218 
219 	/* must not have any audit record residual */
220 	ASSERT(tad->tad_ad == NULL);
221 
222 	/* saved path must be empty */
223 	ASSERT(tad->tad_aupath == NULL);
224 
225 	if (tad->tad_atpath)
226 		au_pathrele(tad->tad_atpath);
227 
228 	attr = tad->tad_defer_head;
229 	while (attr != NULL) {
230 		au_defer_info_t	*tmp_attr = attr;
231 
232 		au_free_rec(attr->audi_ad);
233 
234 		attr = attr->audi_next;
235 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
236 	}
237 
238 	kmem_free(tad, sizeof (*tad));
239 }
240 
241 /*
242  * ROUTINE:	AUDIT_SAVEPATH
243  * PURPOSE:
244  * CALLBY:	LOOKUPPN
245  *
246  * NOTE:	We have reached the end of a path in fs/lookup.c.
247  *		We get two pieces of information here:
248  *		the vnode of the last component (vp) and
249  *		the status of the last access (flag).
250  * TODO:
251  * QUESTION:
252  */
253 
254 /*ARGSUSED*/
255 int
256 audit_savepath(
257 	struct pathname *pnp,		/* pathname to lookup */
258 	struct vnode *vp,		/* vnode of the last component */
259 	int    flag,			/* status of the last access */
260 	cred_t *cr)			/* cred of requestor */
261 {
262 
263 	t_audit_data_t *tad;	/* current thread */
264 	au_kcontext_t	*kctx = GET_KCTX_PZ;
265 
266 	tad = U2A(u);
267 
268 	/*
269 	 * this event being audited or do we need path information
270 	 * later? This might be for a chdir/chroot or open (add path
271 	 * to file pointer. If the path has already been found for an
272 	 * open/creat then we don't need to process the path.
273 	 *
274 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
275 	 *	chroot, chdir, open, creat system call processing. It determines
276 	 *	if audit_savepath() will discard the path or we need it later.
277 	 * PAD_PATHFND means path already included in this audit record. It
278 	 *	is used in cases where multiple path lookups are done per
279 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
280 	 *	paths are allowed.
281 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
282 	 *	exit processing to inhibit any paths that may be added due to
283 	 *	closes.
284 	 */
285 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
286 		((tad->tad_ctrl & PAD_PATHFND) &&
287 		!(kctx->auk_policy & AUDIT_PATH)) ||
288 		(tad->tad_ctrl & PAD_NOPATH)) {
289 			return (0);
290 	}
291 
292 	tad->tad_ctrl |= PAD_NOPATH;		/* prevent possible reentry */
293 
294 	audit_pathbuild(pnp);
295 	tad->tad_vn = vp;
296 
297 	/*
298 	 * are we auditing only if error, or if it is not open or create
299 	 * otherwise audit_setf will do it
300 	 */
301 
302 	if (tad->tad_flag) {
303 		if (flag && (tad->tad_scid == SYS_open ||
304 		    tad->tad_scid == SYS_open64 ||
305 		    tad->tad_scid == SYS_creat ||
306 		    tad->tad_scid == SYS_creat64 ||
307 		    tad->tad_scid == SYS_fsat)) {
308 			tad->tad_ctrl |= PAD_TRUE_CREATE;
309 		}
310 
311 		/* add token to audit record for this name */
312 		au_uwrite(au_to_path(tad->tad_aupath));
313 
314 		/* add the attributes of the object */
315 		if (vp) {
316 			/*
317 			 * only capture attributes when there is no error
318 			 * lookup will not return the vnode of the failing
319 			 * component.
320 			 *
321 			 * if there was a lookup error, then don't add
322 			 * attribute. if lookup in vn_create(),
323 			 * then don't add attribute,
324 			 * it will be added at end of vn_create().
325 			 */
326 			if (!flag && !(tad->tad_ctrl & PAD_NOATTRB))
327 				audit_attributes(vp);
328 		}
329 	}
330 
331 	/* free up space if we're not going to save path (open, crate) */
332 	if ((tad->tad_ctrl & PAD_SAVPATH) == 0) {
333 		if (tad->tad_aupath != NULL) {
334 			au_pathrele(tad->tad_aupath);
335 			tad->tad_aupath = NULL;
336 			tad->tad_vn = NULL;
337 		}
338 	}
339 	if (tad->tad_ctrl & PAD_MLD)
340 		tad->tad_ctrl |= PAD_PATHFND;
341 
342 	tad->tad_ctrl &= ~PAD_NOPATH;		/* restore */
343 	return (0);
344 }
345 
346 static void
347 audit_pathbuild(struct pathname *pnp)
348 {
349 	char *pp;	/* pointer to path */
350 	int len;	/* length of incoming segment */
351 	int newsect;	/* path requires a new section */
352 	struct audit_path	*pfxapp;	/* prefix for path */
353 	struct audit_path	*newapp;	/* new audit_path */
354 	t_audit_data_t *tad;	/* current thread */
355 	p_audit_data_t *pad;	/* current process */
356 
357 	tad = U2A(u);
358 	ASSERT(tad != NULL);
359 	pad = P2A(curproc);
360 	ASSERT(pad != NULL);
361 
362 	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
363 	ASSERT(len > 0);
364 
365 	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
366 	mutex_enter(&pad->pad_lock);
367 	if (tad->tad_aupath != NULL) {
368 		pfxapp = tad->tad_aupath;
369 	} else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') {
370 		ASSERT(tad->tad_atpath != NULL);
371 		pfxapp = tad->tad_atpath;
372 	} else if (tad->tad_ctrl & PAD_ABSPATH) {
373 		pfxapp = pad->pad_root;
374 	} else {
375 		pfxapp = pad->pad_cwd;
376 	}
377 	au_pathhold(pfxapp);
378 	mutex_exit(&pad->pad_lock);
379 
380 	/* get an expanded buffer to hold the anchored path */
381 	newsect = tad->tad_ctrl & PAD_ATPATH;
382 	newapp = au_pathdup(pfxapp, newsect, len);
383 	au_pathrele(pfxapp);
384 
385 	pp = newapp->audp_sect[newapp->audp_cnt] - len;
386 	if (!newsect) {
387 		/* overlay previous NUL terminator */
388 		*(pp - 1) = '/';
389 	}
390 
391 	/* now add string of processed path */
392 	bcopy(pnp->pn_buf, pp, len);
393 	pp[len - 1] = '\0';
394 
395 	/* perform path simplification as necessary */
396 	audit_fixpath(newapp, len);
397 
398 	if (tad->tad_aupath)
399 		au_pathrele(tad->tad_aupath);
400 	tad->tad_aupath = newapp;
401 
402 	/* for case where multiple lookups in one syscall (rename) */
403 	tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH);
404 }
405 
406 
407 
408 /*ARGSUSED*/
409 
410 /*
411  * ROUTINE:	AUDIT_ADDCOMPONENT
412  * PURPOSE:	extend the path by the component accepted
413  * CALLBY:	LOOKUPPN
414  * NOTE:	This function is called only when there is an error in
415  *		parsing a path component
416  * TODO:	Add the error component to audit record
417  * QUESTION:	what is this for
418  */
419 
420 void
421 audit_addcomponent(struct pathname *pnp)
422 {
423 	au_kcontext_t	*kctx = GET_KCTX_PZ;
424 	t_audit_data_t *tad;
425 
426 	tad = U2A(u);
427 	/*
428 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
429 	 *	chroot, chdir, open, creat system call processing. It determines
430 	 *	if audit_savepath() will discard the path or we need it later.
431 	 * PAD_PATHFND means path already included in this audit record. It
432 	 *	is used in cases where multiple path lookups are done per
433 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
434 	 *	paths are allowed.
435 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
436 	 *	exit processing to inhibit any paths that may be added due to
437 	 *	closes.
438 	 */
439 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
440 		((tad->tad_ctrl & PAD_PATHFND) &&
441 		!(kctx->auk_policy & AUDIT_PATH)) ||
442 		(tad->tad_ctrl & PAD_NOPATH)) {
443 			return;
444 	}
445 
446 	return;
447 
448 }	/* AUDIT_ADDCOMPONENT */
449 
450 
451 
452 
453 
454 
455 
456 
457 /*
458  * ROUTINE:	AUDIT_ANCHORPATH
459  * PURPOSE:
460  * CALLBY:	LOOKUPPN
461  * NOTE:
462  * anchor path at "/". We have seen a symbolic link or entering for the
463  * first time we will throw away any saved path if path is anchored.
464  *
465  * flag = 0, path is relative.
466  * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH.
467  *
468  * If the (new) path is absolute, then we have to throw away whatever we have
469  * already accumulated since it is being superseded by new path which is
470  * anchored at the root.
471  *		Note that if the path is relative, this function does nothing
472  * TODO:
473  * QUESTION:
474  */
475 /*ARGSUSED*/
476 void
477 audit_anchorpath(struct pathname *pnp, int flag)
478 {
479 	au_kcontext_t	*kctx = GET_KCTX_PZ;
480 	t_audit_data_t *tad;
481 
482 	tad = U2A(u);
483 
484 	/*
485 	 * this event being audited or do we need path information
486 	 * later? This might be for a chdir/chroot or open (add path
487 	 * to file pointer. If the path has already been found for an
488 	 * open/creat then we don't need to process the path.
489 	 *
490 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
491 	 *	chroot, chdir, open, creat system call processing. It determines
492 	 *	if audit_savepath() will discard the path or we need it later.
493 	 * PAD_PATHFND means path already included in this audit record. It
494 	 *	is used in cases where multiple path lookups are done per
495 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
496 	 *	paths are allowed.
497 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
498 	 *	exit processing to inhibit any paths that may be added due to
499 	 *	closes.
500 	 */
501 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
502 		((tad->tad_ctrl & PAD_PATHFND) &&
503 		!(kctx->auk_policy & AUDIT_PATH)) ||
504 		(tad->tad_ctrl & PAD_NOPATH)) {
505 			return;
506 	}
507 
508 	if (flag) {
509 		tad->tad_ctrl |= PAD_ABSPATH;
510 		if (tad->tad_aupath != NULL) {
511 			au_pathrele(tad->tad_aupath);
512 			tad->tad_aupath = NULL;
513 			tad->tad_vn = NULL;
514 		}
515 	}
516 }
517 
518 
519 /*
520  * symbolic link. Save previous components.
521  *
522  * the path seen so far looks like this
523  *
524  *  +-----------------------+----------------+
525  *  | path processed so far | remaining path |
526  *  +-----------------------+----------------+
527  *  \-----------------------/
528  *	save this string if
529  *	symbolic link relative
530  *	(but don't include  symlink component)
531  */
532 
533 /*ARGSUSED*/
534 
535 
536 /*
537  * ROUTINE:	AUDIT_SYMLINK
538  * PURPOSE:
539  * CALLBY:	LOOKUPPN
540  * NOTE:
541  * TODO:
542  * QUESTION:
543  */
544 void
545 audit_symlink(struct pathname *pnp, struct pathname *sympath)
546 {
547 	char *sp;	/* saved initial pp */
548 	char *cp;	/* start of symlink path */
549 	uint_t len_path;	/* processed path before symlink */
550 	t_audit_data_t *tad;
551 	au_kcontext_t	*kctx = GET_KCTX_PZ;
552 
553 	tad = U2A(u);
554 
555 	/*
556 	 * this event being audited or do we need path information
557 	 * later? This might be for a chdir/chroot or open (add path
558 	 * to file pointer. If the path has already been found for an
559 	 * open/creat then we don't need to process the path.
560 	 *
561 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
562 	 *	chroot, chdir, open, creat system call processing. It determines
563 	 *	if audit_savepath() will discard the path or we need it later.
564 	 * PAD_PATHFND means path already included in this audit record. It
565 	 *	is used in cases where multiple path lookups are done per
566 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
567 	 *	paths are allowed.
568 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
569 	 *	exit processing to inhibit any paths that may be added due to
570 	 *	closes.
571 	 */
572 	if ((tad->tad_flag == 0 &&
573 		!(tad->tad_ctrl & PAD_SAVPATH)) ||
574 		((tad->tad_ctrl & PAD_PATHFND) &&
575 		!(kctx->auk_policy & AUDIT_PATH)) ||
576 		(tad->tad_ctrl & PAD_NOPATH)) {
577 			return;
578 	}
579 
580 	/*
581 	 * if symbolic link is anchored at / then do nothing.
582 	 * When we cycle back to begin: in lookuppn() we will
583 	 * call audit_anchorpath() with a flag indicating if the
584 	 * path is anchored at / or is relative. We will release
585 	 * any saved path at that point.
586 	 *
587 	 * Note In the event that an error occurs in pn_combine then
588 	 * we want to remain pointing at the component that caused the
589 	 * path to overflow the pnp structure.
590 	 */
591 	if (sympath->pn_buf[0] == '/')
592 		return;
593 
594 	/* backup over last component */
595 	sp = cp = pnp->pn_path;
596 	while (*--cp != '/' && cp > pnp->pn_buf)
597 		;
598 
599 	len_path = cp - pnp->pn_buf;
600 
601 	/* is there anything to save? */
602 	if (len_path) {
603 		pnp->pn_path = pnp->pn_buf;
604 		audit_pathbuild(pnp);
605 		pnp->pn_path = sp;
606 	}
607 }
608 
609 /*
610  * file_is_public : determine whether events for the file (corresponding to
611  * 			the specified file attr) should be audited or ignored.
612  *
613  * returns: 	1 - if audit policy and file attributes indicate that
614  *			file is effectively public. read events for
615  *			the file should not be audited.
616  *		0 - otherwise
617  *
618  * The required attributes to be considered a public object are:
619  * - owned by root, AND
620  * - world-readable (permissions for other include read), AND
621  * - NOT world-writeable (permissions for other don't
622  *	include write)
623  *   (mode doesn't need to be checked for symlinks)
624  */
625 int
626 file_is_public(struct vattr *attr)
627 {
628 	au_kcontext_t	*kctx = GET_KCTX_PZ;
629 
630 	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
631 	    ((attr->va_type == VLNK) ||
632 	    ((attr->va_mode & (VREAD>>6)) != 0) &&
633 	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
634 		return (1);
635 	}
636 	return (0);
637 }
638 
639 
640 /*
641  * ROUTINE:	AUDIT_ATTRIBUTES
642  * PURPOSE:	Audit the attributes so we can tell why the error occurred
643  * CALLBY:	AUDIT_SAVEPATH
644  *		AUDIT_VNCREATE_FINISH
645  *		AUS_FCHOWN...audit_event.c...audit_path.c
646  * NOTE:
647  * TODO:
648  * QUESTION:
649  */
650 void
651 audit_attributes(struct vnode *vp)
652 {
653 	struct vattr attr;
654 	struct t_audit_data *tad;
655 
656 	tad = U2A(u);
657 
658 	if (vp) {
659 		attr.va_mask = AT_ALL;
660 		if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
661 			return;
662 
663 		if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) {
664 			/*
665 			 * This is a public object and a "public" event
666 			 * (i.e., read only) -- either by definition
667 			 * (e.g., stat, access...) or by virtue of write access
668 			 * not being requested (e.g. mmap).
669 			 * Flag it in the tad to prevent this audit at the end.
670 			 */
671 			tad->tad_ctrl |= PAD_NOAUDIT;
672 		} else {
673 			au_uwrite(au_to_attr(&attr));
674 			audit_sec_attributes(&(u_ad), vp);
675 		}
676 	}
677 }
678 
679 
680 /*
681  * ROUTINE:	AUDIT_FALLOC
682  * PURPOSE:	allocating a new file structure
683  * CALLBY:	FALLOC
684  * NOTE:	file structure already initialized
685  * TODO:
686  * QUESTION:
687  */
688 
689 void
690 audit_falloc(struct file *fp)
691 {	/* AUDIT_FALLOC */
692 
693 	f_audit_data_t *fad;
694 
695 	/* allocate per file audit structure if there a'int any */
696 	ASSERT(F2A(fp) == NULL);
697 
698 	fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP);
699 
700 	F2A(fp) = fad;
701 
702 	fad->fad_thread = curthread; 	/* file audit data back ptr; DEBUG */
703 }
704 
705 /*
706  * ROUTINE:	AUDIT_UNFALLOC
707  * PURPOSE:	deallocate file audit data structure
708  * CALLBY:	CLOSEF
709  *		UNFALLOC
710  * NOTE:
711  * TODO:
712  * QUESTION:
713  */
714 
715 void
716 audit_unfalloc(struct file *fp)
717 {
718 	f_audit_data_t *fad;
719 
720 	fad = F2A(fp);
721 
722 	if (!fad) {
723 		return;
724 	}
725 	if (fad->fad_aupath != NULL) {
726 		au_pathrele(fad->fad_aupath);
727 	}
728 	fp->f_audit_data = 0;
729 	kmem_free(fad, sizeof (struct f_audit_data));
730 }
731 
732 /*
733  * ROUTINE:	AUDIT_EXIT
734  * PURPOSE:
735  * CALLBY:	EXIT
736  * NOTE:
737  * TODO:
738  * QUESTION:	why cmw code as offset by 2 but not here
739  */
740 /* ARGSUSED */
741 void
742 audit_exit(int code, int what)
743 {
744 	struct t_audit_data *tad;
745 	tad = U2A(u);
746 
747 	/*
748 	 * tad_scid will be set by audit_start even if we are not auditing
749 	 * the event.
750 	 */
751 	if (tad->tad_scid == SYS_exit) {
752 		/*
753 		 * if we are auditing the exit system call, then complete
754 		 * audit record generation (no return from system call).
755 		 */
756 		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
757 			audit_finish(0, SYS_exit, 0, 0);
758 		return;
759 	}
760 
761 	/*
762 	 * Anyone auditing the system call that was aborted?
763 	 */
764 	if (tad->tad_flag) {
765 		au_uwrite(au_to_text("event aborted"));
766 		audit_finish(0, tad->tad_scid, 0, 0);
767 	}
768 
769 	/*
770 	 * Generate an audit record for process exit if preselected.
771 	 */
772 	(void) audit_start(0, SYS_exit, 0, 0);
773 	audit_finish(0, SYS_exit, 0, 0);
774 }
775 
776 /*
777  * ROUTINE:	AUDIT_CORE_START
778  * PURPOSE:
779  * CALLBY: 	PSIG
780  * NOTE:
781  * TODO:
782  */
783 void
784 audit_core_start(int sig)
785 {
786 	au_event_t event;
787 	au_state_t estate;
788 	t_audit_data_t *tad;
789 	au_kcontext_t	*kctx;
790 
791 	tad = U2A(u);
792 
793 	ASSERT(tad != (t_audit_data_t *)0);
794 
795 	ASSERT(tad->tad_scid == 0);
796 	ASSERT(tad->tad_event == 0);
797 	ASSERT(tad->tad_evmod == 0);
798 	ASSERT(tad->tad_ctrl == 0);
799 	ASSERT(tad->tad_flag == 0);
800 	ASSERT(tad->tad_aupath == NULL);
801 
802 	kctx = GET_KCTX_PZ;
803 
804 	/* get basic event for system call */
805 	event = AUE_CORE;
806 	estate = kctx->auk_ets[event];
807 
808 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
809 		return;
810 
811 	/* reset the flags for non-user attributable events */
812 	tad->tad_ctrl   = PAD_CORE;
813 	tad->tad_scid   = 0;
814 
815 	/* if auditing not enabled, then don't generate an audit record */
816 
817 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
818 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
819 	    kctx->auk_auditstate == AUC_NOSPACE)) {
820 		tad->tad_flag = 0;
821 		tad->tad_ctrl = 0;
822 		return;
823 	}
824 
825 	tad->tad_event  = event;
826 	tad->tad_evmod  = 0;
827 
828 	ASSERT(tad->tad_ad == NULL);
829 
830 	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
831 }
832 
833 /*
834  * ROUTINE:	AUDIT_CORE_FINISH
835  * PURPOSE:
836  * CALLBY:	PSIG
837  * NOTE:
838  * TODO:
839  * QUESTION:
840  */
841 
842 /*ARGSUSED*/
843 void
844 audit_core_finish(int code)
845 {
846 	int flag;
847 	t_audit_data_t *tad;
848 	au_kcontext_t	*kctx;
849 
850 	tad = U2A(u);
851 
852 	ASSERT(tad != (t_audit_data_t *)0);
853 
854 	if ((flag = tad->tad_flag) == 0) {
855 		tad->tad_event = 0;
856 		tad->tad_evmod = 0;
857 		tad->tad_ctrl  = 0;
858 		ASSERT(tad->tad_aupath == NULL);
859 		return;
860 	}
861 	tad->tad_flag = 0;
862 
863 	kctx = GET_KCTX_PZ;
864 
865 	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
866 	if (flag = audit_success(kctx, tad, 0, NULL)) {
867 		cred_t *cr = CRED();
868 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
869 
870 		ASSERT(ainfo != NULL);
871 
872 		/*
873 		 * Add subject information (no locks since our private copy of
874 		 * credential
875 		 */
876 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
877 
878 		/* Add a return token (should use f argument) */
879 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
880 
881 		AS_INC(as_generated, 1, kctx);
882 		AS_INC(as_kernel, 1, kctx);
883 	}
884 
885 	/* Close up everything */
886 	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
887 
888 	/* free up any space remaining with the path's */
889 	if (tad->tad_aupath != NULL) {
890 		au_pathrele(tad->tad_aupath);
891 		tad->tad_aupath = NULL;
892 		tad->tad_vn = NULL;
893 	}
894 	tad->tad_event = 0;
895 	tad->tad_evmod = 0;
896 	tad->tad_ctrl  = 0;
897 }
898 
899 /*ARGSUSED*/
900 void
901 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp)
902 {
903 }
904 
905 /*ARGSUSED*/
906 void
907 audit_strclose(struct vnode *vp, int flag, cred_t *crp)
908 {
909 }
910 
911 /*ARGSUSED*/
912 void
913 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag,
914     int copyflag, cred_t *crp, int *rvalp)
915 {
916 }
917 
918 
919 /*ARGSUSED*/
920 void
921 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
922     unsigned char *pri, int *flag, int fmode)
923 {
924 	struct stdata *stp;
925 	t_audit_data_t *tad = U2A(u);
926 
927 	ASSERT(tad != (t_audit_data_t *)0);
928 
929 	stp = vp->v_stream;
930 
931 	/* lock stdata from audit_sock */
932 	mutex_enter(&stp->sd_lock);
933 
934 	/* proceed ONLY if user is being audited */
935 	if (!tad->tad_flag) {
936 		/*
937 		 * this is so we will not add audit data onto
938 		 * a thread that is not being audited.
939 		 */
940 		stp->sd_t_audit_data = NULL;
941 		mutex_exit(&stp->sd_lock);
942 		return;
943 	}
944 
945 	stp->sd_t_audit_data = (caddr_t)curthread;
946 	mutex_exit(&stp->sd_lock);
947 }
948 
949 /*ARGSUSED*/
950 void
951 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
952     unsigned char pri, int flag, int fmode)
953 {
954 	struct stdata *stp;
955 	t_audit_data_t *tad = U2A(u);
956 
957 	ASSERT(tad != (t_audit_data_t *)0);
958 
959 	stp = vp->v_stream;
960 
961 	/* lock stdata from audit_sock */
962 	mutex_enter(&stp->sd_lock);
963 
964 	/* proceed ONLY if user is being audited */
965 	if (!tad->tad_flag) {
966 		/*
967 		 * this is so we will not add audit data onto
968 		 * a thread that is not being audited.
969 		 */
970 		stp->sd_t_audit_data = NULL;
971 		mutex_exit(&stp->sd_lock);
972 		return;
973 	}
974 
975 	stp->sd_t_audit_data = (caddr_t)curthread;
976 	mutex_exit(&stp->sd_lock);
977 }
978 
979 /*
980  * ROUTINE:	AUDIT_CLOSEF
981  * PURPOSE:
982  * CALLBY:	CLOSEF
983  * NOTE:
984  * release per file audit resources when file structure is being released.
985  *
986  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
987  *	on the audit queue if it becomes full. This means
988  *	audit_closef can not be called when f_count == 0. Since
989  *	f_count == 0 indicates the file structure is free, another
990  *	process could attempt to use the file while we were still
991  *	asleep waiting on the audit queue. This would cause the
992  *	per file audit data to be corrupted when we finally do
993  *	wakeup.
994  * TODO:
995  * QUESTION:
996  */
997 
998 void
999 audit_closef(struct file *fp)
1000 {	/* AUDIT_CLOSEF */
1001 	f_audit_data_t *fad;
1002 	t_audit_data_t *tad;
1003 	int success;
1004 	au_state_t estate;
1005 	struct vnode *vp;
1006 	token_t *ad = NULL;
1007 	struct vattr attr;
1008 	au_emod_t evmod = 0;
1009 	const auditinfo_addr_t *ainfo;
1010 	int getattr_ret;
1011 	cred_t *cr;
1012 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1013 
1014 	fad = F2A(fp);
1015 	estate = kctx->auk_ets[AUE_CLOSE];
1016 	tad = U2A(u);
1017 	cr = CRED();
1018 
1019 	/* audit record already generated by system call envelope */
1020 	if (tad->tad_event == AUE_CLOSE) {
1021 		/* so close audit event will have bits set */
1022 		tad->tad_evmod |= (au_emod_t)fad->fad_flags;
1023 		return;
1024 	}
1025 
1026 	/* if auditing not enabled, then don't generate an audit record */
1027 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
1028 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
1029 	    kctx->auk_auditstate == AUC_NOSPACE))
1030 		return;
1031 
1032 	ainfo = crgetauinfo(cr);
1033 	if (ainfo == NULL)
1034 		return;
1035 
1036 	success = ainfo->ai_mask.as_success & estate;
1037 
1038 	/* not selected for this event */
1039 	if (success == 0)
1040 		return;
1041 
1042 	/*
1043 	 * can't use audit_attributes here since we use a private audit area
1044 	 * to build the audit record instead of the one off the thread.
1045 	 */
1046 	if ((vp = fp->f_vnode) != NULL) {
1047 		attr.va_mask = AT_ALL;
1048 		getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL);
1049 	}
1050 
1051 	/*
1052 	 * When write was not used and the file can be considered public,
1053 	 * then skip the audit.
1054 	 */
1055 	if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) {
1056 		if (file_is_public(&attr)) {
1057 			return;
1058 		}
1059 	}
1060 
1061 	evmod = (au_emod_t)fad->fad_flags;
1062 	if (fad->fad_aupath != NULL) {
1063 		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
1064 	} else {
1065 #ifdef _LP64
1066 		au_write((caddr_t *)&(ad), au_to_arg64(
1067 			1, "no path: fp", (uint64_t)fp));
1068 #else
1069 		au_write((caddr_t *)&(ad), au_to_arg32(
1070 			1, "no path: fp", (uint32_t)fp));
1071 #endif
1072 	}
1073 
1074 	if (getattr_ret == 0) {
1075 		au_write((caddr_t *)&(ad), au_to_attr(&attr));
1076 		audit_sec_attributes((caddr_t *)&(ad), vp);
1077 	}
1078 
1079 	/* Add subject information */
1080 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1081 
1082 	/* add a return token */
1083 	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
1084 
1085 	AS_INC(as_generated, 1, kctx);
1086 	AS_INC(as_kernel, 1, kctx);
1087 
1088 	/*
1089 	 * Close up everything
1090 	 * Note: path space recovery handled by normal system
1091 	 * call envelope if not at last close.
1092 	 * Note there is no failure at this point since
1093 	 *   this represents closes due to exit of process,
1094 	 *   thus we always indicate successful closes.
1095 	 */
1096 	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
1097 	    AUE_CLOSE, evmod);
1098 }
1099 
1100 /*
1101  * ROUTINE:	AUDIT_SET
1102  * PURPOSE:	Audit the file path and file attributes.
1103  * CALLBY:	SETF
1104  * NOTE:	SETF associate a file pointer with user area's open files.
1105  * TODO:
1106  * call audit_finish directly ???
1107  * QUESTION:
1108  */
1109 
1110 /*ARGSUSED*/
1111 void
1112 audit_setf(file_t *fp, int fd)
1113 {
1114 	f_audit_data_t *fad;
1115 	t_audit_data_t *tad;
1116 
1117 	if (fp == NULL)
1118 		return;
1119 
1120 	tad = T2A(curthread);
1121 	fad = F2A(fp);
1122 
1123 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat ||
1124 	    tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 ||
1125 	    tad->tad_scid == SYS_fsat))
1126 		return;
1127 
1128 	/* no path */
1129 	if (tad->tad_aupath == 0)
1130 		return;
1131 
1132 	/*
1133 	 * assign path information associated with file audit data
1134 	 * use tad hold
1135 	 */
1136 	fad->fad_aupath = tad->tad_aupath;
1137 	tad->tad_aupath = NULL;
1138 	tad->tad_vn = NULL;
1139 
1140 	if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) {
1141 	/* adjust event type */
1142 		switch (tad->tad_event) {
1143 		case AUE_OPEN_RC:
1144 			tad->tad_event = AUE_OPEN_R;
1145 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1146 			break;
1147 		case AUE_OPEN_RTC:
1148 			tad->tad_event = AUE_OPEN_RT;
1149 			break;
1150 		case AUE_OPEN_WC:
1151 			tad->tad_event = AUE_OPEN_W;
1152 			break;
1153 		case AUE_OPEN_WTC:
1154 			tad->tad_event = AUE_OPEN_WT;
1155 			break;
1156 		case AUE_OPEN_RWC:
1157 			tad->tad_event = AUE_OPEN_RW;
1158 			break;
1159 		case AUE_OPEN_RWTC:
1160 			tad->tad_event = AUE_OPEN_RWT;
1161 			break;
1162 		default:
1163 			break;
1164 		}
1165 	}
1166 }
1167 
1168 
1169 /*
1170  * ROUTINE:	AUDIT_COPEN
1171  * PURPOSE:
1172  * CALLBY:	COPEN
1173  * NOTE:
1174  * TODO:
1175  * QUESTION:
1176  */
1177 /*ARGSUSED*/
1178 void
1179 audit_copen(int fd, file_t *fp, vnode_t *vp)
1180 {
1181 }
1182 
1183 void
1184 audit_ipc(int type, int id, void *vp)
1185 {
1186 	/* if not auditing this event, then do nothing */
1187 	if (ad_flag == 0)
1188 		return;
1189 
1190 	switch (type) {
1191 	case AT_IPC_MSG:
1192 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1193 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1194 		break;
1195 	case AT_IPC_SEM:
1196 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1197 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1198 		break;
1199 	case AT_IPC_SHM:
1200 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
1201 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1202 		break;
1203 	}
1204 }
1205 
1206 void
1207 audit_ipcget(int type, void *vp)
1208 {
1209 	/* if not auditing this event, then do nothing */
1210 	if (ad_flag == 0)
1211 		return;
1212 
1213 	switch (type) {
1214 	case NULL:
1215 		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
1216 		break;
1217 	case AT_IPC_MSG:
1218 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1219 		break;
1220 	case AT_IPC_SEM:
1221 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1222 		break;
1223 	case AT_IPC_SHM:
1224 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1225 		break;
1226 	}
1227 }
1228 
1229 /*
1230  * ROUTINE:	AUDIT_REBOOT
1231  * PURPOSE:
1232  * CALLBY:
1233  * NOTE:
1234  * At this point we know that the system call reboot will not return. We thus
1235  * have to complete the audit record generation and put it onto the queue.
1236  * This might be fairly useless if the auditing daemon is already dead....
1237  * TODO:
1238  * QUESTION:	who calls audit_reboot
1239  */
1240 
1241 void
1242 audit_reboot(void)
1243 {
1244 	int flag;
1245 	t_audit_data_t *tad;
1246 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1247 
1248 	tad = U2A(u);
1249 
1250 	/* if not auditing this event, then do nothing */
1251 	if (tad->tad_flag == 0)
1252 		return;
1253 
1254 	/* do preselection on success/failure */
1255 	if (flag = audit_success(kctx, tad, 0, NULL)) {
1256 		/* add a process token */
1257 
1258 		cred_t *cr = CRED();
1259 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1260 
1261 		if (ainfo == NULL)
1262 			return;
1263 
1264 		/* Add subject information */
1265 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
1266 
1267 		/* add a return token */
1268 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
1269 
1270 		AS_INC(as_generated, 1, kctx);
1271 		AS_INC(as_kernel, 1, kctx);
1272 	}
1273 
1274 	/*
1275 	 * Flow control useless here since we're going
1276 	 * to drop everything in the queue anyway. Why
1277 	 * block and wait. There aint anyone left alive to
1278 	 * read the records remaining anyway.
1279 	 */
1280 
1281 	/* Close up everything */
1282 	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1283 	    tad->tad_event, tad->tad_evmod);
1284 }
1285 
1286 void
1287 audit_setfsat_path(int argnum)
1288 {
1289 	klwp_id_t clwp = ttolwp(curthread);
1290 	struct file  *fp;
1291 	uint32_t fd;
1292 	t_audit_data_t *tad;
1293 	struct f_audit_data *fad;
1294 	p_audit_data_t *pad;	/* current process */
1295 	struct a {
1296 		long id;
1297 		long arg1;
1298 		long arg2;
1299 		long arg3;
1300 		long arg4;
1301 		long arg5;
1302 	} *uap;
1303 	struct b {
1304 		long arg1;
1305 		long arg2;
1306 		long arg3;
1307 		long arg4;
1308 		long arg5;
1309 	} *uap1;
1310 
1311 	if (clwp == NULL)
1312 		return;
1313 	uap1 = (struct b *)&clwp->lwp_ap[1];
1314 	uap = (struct a *)clwp->lwp_ap;
1315 
1316 	tad = U2A(u);
1317 
1318 	ASSERT(tad != NULL);
1319 
1320 	if (tad->tad_scid != SYS_fsat)
1321 		return;
1322 
1323 	switch (argnum) {
1324 	case 1:
1325 		fd = (uint32_t)uap1->arg1;
1326 		break;
1327 	case 2:
1328 		fd = (uint32_t)uap1->arg2;
1329 		break;
1330 	case 3:
1331 		fd = (uint32_t)uap1->arg3;
1332 		break;
1333 	case 4:
1334 		fd = (uint32_t)uap1->arg4;
1335 		break;
1336 	case 5:
1337 		fd = (uint32_t)uap1->arg5;
1338 		break;
1339 	default:
1340 		return;
1341 	}
1342 
1343 	if (uap->id == 9 && tad->tad_atpath != NULL) { /* openattrdir */
1344 		tad->tad_ctrl |= PAD_ATPATH;
1345 		return;
1346 	}
1347 	if (tad->tad_atpath != NULL) {
1348 		au_pathrele(tad->tad_atpath);
1349 		tad->tad_atpath = NULL;
1350 	}
1351 	if (fd != AT_FDCWD) {
1352 		if ((fp = getf(fd)) == NULL) {
1353 			tad->tad_ctrl |= PAD_NOPATH;
1354 			return;
1355 		}
1356 
1357 		fad = F2A(fp);
1358 		ASSERT(fad);
1359 		if (fad->fad_aupath == NULL) {
1360 			tad->tad_ctrl |= PAD_NOPATH;
1361 			releasef(fd);
1362 			return;
1363 		}
1364 		au_pathhold(fad->fad_aupath);
1365 		tad->tad_atpath = fad->fad_aupath;
1366 		releasef(fd);
1367 	} else {
1368 		pad = P2A(curproc);
1369 		mutex_enter(&pad->pad_lock);
1370 		au_pathhold(pad->pad_cwd);
1371 		tad->tad_atpath = pad->pad_cwd;
1372 		mutex_exit(&pad->pad_lock);
1373 	}
1374 }
1375 
1376 void
1377 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1378 {
1379 	t_audit_data_t *tad;
1380 	vnode_t	*vp;
1381 
1382 	tad = U2A(u);
1383 
1384 	/* if not auditing this event, then do nothing */
1385 	if (tad->tad_flag == 0)
1386 		return;
1387 
1388 	au_uwrite(au_to_text(target));
1389 
1390 	if (error)
1391 		return;
1392 
1393 	error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1394 			NULL, NULL, NULL);
1395 	if (error == 0) {
1396 		audit_attributes(vp);
1397 		VN_RELE(vp);
1398 	}
1399 }
1400 
1401 /*
1402  * ROUTINE:	AUDIT_VNCREATE_START
1403  * PURPOSE:	set flag so path name lookup in create will not add attribute
1404  * CALLBY:	VN_CREATE
1405  * NOTE:
1406  * TODO:
1407  * QUESTION:
1408  */
1409 
1410 void
1411 audit_vncreate_start()
1412 {
1413 	t_audit_data_t *tad;
1414 
1415 	tad = U2A(u);
1416 	tad->tad_ctrl |= PAD_NOATTRB;
1417 }
1418 
1419 /*
1420  * ROUTINE:	AUDIT_VNCREATE_FINISH
1421  * PURPOSE:
1422  * CALLBY:	VN_CREATE
1423  * NOTE:
1424  * TODO:
1425  * QUESTION:
1426  */
1427 void
1428 audit_vncreate_finish(struct vnode *vp, int error)
1429 {
1430 	t_audit_data_t *tad;
1431 
1432 	if (error)
1433 		return;
1434 
1435 	tad = U2A(u);
1436 
1437 	/* if not auditing this event, then do nothing */
1438 	if (tad->tad_flag == 0)
1439 		return;
1440 
1441 	if (tad->tad_ctrl & PAD_TRUE_CREATE) {
1442 		audit_attributes(vp);
1443 	}
1444 
1445 	if (tad->tad_ctrl & PAD_CORE) {
1446 		audit_attributes(vp);
1447 		tad->tad_ctrl &= ~PAD_CORE;
1448 	}
1449 
1450 	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1451 			(tad->tad_event == AUE_MKDIR))) {
1452 		audit_attributes(vp);
1453 	}
1454 
1455 	/* for case where multiple lookups in one syscall (rename) */
1456 	tad->tad_ctrl &= ~PAD_NOATTRB;
1457 }
1458 
1459 
1460 
1461 
1462 
1463 
1464 
1465 
1466 /*
1467  * ROUTINE:	AUDIT_EXEC
1468  * PURPOSE:	Records the function arguments and environment variables
1469  * CALLBY:	EXEC_ARGS
1470  * NOTE:
1471  * TODO:
1472  * QUESTION:
1473  */
1474 
1475 /*ARGSUSED*/
1476 void
1477 audit_exec(
1478 	const char *argstr,	/* argument strings */
1479 	const char *envstr,	/* environment strings */
1480 	ssize_t argc,		/* total # arguments */
1481 	ssize_t envc)		/* total # environment variables */
1482 {
1483 	t_audit_data_t *tad;
1484 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1485 
1486 	tad = U2A(u);
1487 
1488 	/* if not auditing this event, then do nothing */
1489 	if (!tad->tad_flag)
1490 		return;
1491 
1492 	/* return if not interested in argv or environment variables */
1493 	if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE)))
1494 		return;
1495 
1496 	if (kctx->auk_policy & AUDIT_ARGV) {
1497 		au_uwrite(au_to_exec_args(argstr, argc));
1498 	}
1499 
1500 	if (kctx->auk_policy & AUDIT_ARGE) {
1501 		au_uwrite(au_to_exec_env(envstr, envc));
1502 	}
1503 }
1504 
1505 /*
1506  * ROUTINE:	AUDIT_ENTERPROM
1507  * PURPOSE:
1508  * CALLBY:	KBDINPUT
1509  *		ZSA_XSINT
1510  * NOTE:
1511  * TODO:
1512  * QUESTION:
1513  */
1514 void
1515 audit_enterprom(int flg)
1516 {
1517 	token_t *rp = NULL;
1518 	int sorf;
1519 
1520 	if (flg)
1521 		sorf = AUM_SUCC;
1522 	else
1523 		sorf = AUM_FAIL;
1524 
1525 	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1526 
1527 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1528 
1529 	if (flg)
1530 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1531 	else
1532 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1533 
1534 	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL);
1535 }
1536 
1537 
1538 /*
1539  * ROUTINE:	AUDIT_EXITPROM
1540  * PURPOSE:
1541  * CALLBY:	KBDINPUT
1542  *		ZSA_XSINT
1543  * NOTE:
1544  * TODO:
1545  * QUESTION:
1546  */
1547 void
1548 audit_exitprom(int flg)
1549 {
1550 	int sorf;
1551 	token_t *rp = NULL;
1552 
1553 	if (flg)
1554 		sorf = AUM_SUCC;
1555 	else
1556 		sorf = AUM_FAIL;
1557 
1558 	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1559 
1560 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1561 
1562 	if (flg)
1563 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1564 	else
1565 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1566 
1567 	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL);
1568 }
1569 
1570 struct fcntla {
1571 	int fdes;
1572 	int cmd;
1573 	intptr_t arg;
1574 };
1575 
1576 /*
1577  * ROUTINE:	AUDIT_C2_REVOKE
1578  * PURPOSE:
1579  * CALLBY:	FCNTL
1580  * NOTE:
1581  * TODO:
1582  * QUESTION:	are we keeping this func
1583  */
1584 
1585 /*ARGSUSED*/
1586 int
1587 audit_c2_revoke(struct fcntla *uap, rval_t *rvp)
1588 {
1589 	return (0);
1590 }
1591 
1592 
1593 /*
1594  * ROUTINE:	AUDIT_CHDIREC
1595  * PURPOSE:
1596  * CALLBY:	CHDIREC
1597  * NOTE:	The main function of CHDIREC
1598  * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1599  * QUESTION:
1600  */
1601 
1602 /*ARGSUSED*/
1603 void
1604 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1605 {
1606 	int		chdir;
1607 	int		fchdir;
1608 	struct audit_path	**appp;
1609 	struct file	*fp;
1610 	f_audit_data_t *fad;
1611 	p_audit_data_t *pad = P2A(curproc);
1612 	t_audit_data_t *tad = T2A(curthread);
1613 
1614 	struct a {
1615 		long fd;
1616 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1617 
1618 	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1619 		chdir = tad->tad_scid == SYS_chdir;
1620 		if (tad->tad_aupath) {
1621 			mutex_enter(&pad->pad_lock);
1622 			if (chdir)
1623 				appp = &(pad->pad_cwd);
1624 			else
1625 				appp = &(pad->pad_root);
1626 			au_pathrele(*appp);
1627 			/* use tad hold */
1628 			*appp = tad->tad_aupath;
1629 			tad->tad_aupath = NULL;
1630 			mutex_exit(&pad->pad_lock);
1631 		}
1632 	} else if ((tad->tad_scid == SYS_fchdir) ||
1633 	    (tad->tad_scid == SYS_fchroot)) {
1634 		fchdir = tad->tad_scid == SYS_fchdir;
1635 		if ((fp = getf(uap->fd)) == NULL)
1636 			return;
1637 		fad = F2A(fp);
1638 		if (fad->fad_aupath) {
1639 			au_pathhold(fad->fad_aupath);
1640 			mutex_enter(&pad->pad_lock);
1641 			if (fchdir)
1642 				appp = &(pad->pad_cwd);
1643 			else
1644 				appp = &(pad->pad_root);
1645 			au_pathrele(*appp);
1646 			*appp = fad->fad_aupath;
1647 			mutex_exit(&pad->pad_lock);
1648 			if (tad->tad_flag) {
1649 				au_uwrite(au_to_path(fad->fad_aupath));
1650 				audit_attributes(fp->f_vnode);
1651 			}
1652 		}
1653 		releasef(uap->fd);
1654 	}
1655 }
1656 
1657 /*
1658  * ROUTINE:	AUDIT_GETF
1659  * PURPOSE:
1660  * CALLBY:	GETF_INTERNAL
1661  * NOTE:	The main function of GETF_INTERNAL is to associate a given
1662  *		file descriptor with a file structure and increment the
1663  *		file pointer reference count.
1664  * TODO:	remove pass in of fpp.
1665  * increment a reference count so that even if a thread with same process delete
1666  * the same object, it will not panic our system
1667  * QUESTION:
1668  * where to decrement the f_count?????????????????
1669  * seems like I need to set a flag if f_count incremented through audit_getf
1670  */
1671 
1672 /*ARGSUSED*/
1673 int
1674 audit_getf(int fd)
1675 {
1676 #ifdef NOTYET
1677 	t_audit_data_t *tad;
1678 
1679 	tad = T2A(curthread);
1680 
1681 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat))
1682 		return;
1683 #endif
1684 	return (0);
1685 }
1686 
1687 /*
1688  *	Audit hook for stream based socket and tli request.
1689  *	Note that we do not have user context while executing
1690  *	this code so we had to record them earlier during the
1691  *	putmsg/getmsg to figure out which user we are dealing with.
1692  */
1693 
1694 /*ARGSUSED*/
1695 void
1696 audit_sock(
1697 	int type,	/* type of tihdr.h header requests */
1698 	queue_t *q,	/* contains the process and thread audit data */
1699 	mblk_t *mp,	/* contains the tihdr.h header structures */
1700 	int from)	/* timod or sockmod request */
1701 {
1702 	int32_t    len;
1703 	int32_t    offset;
1704 	struct sockaddr_in *sock_data;
1705 	struct T_conn_req *conn_req;
1706 	struct T_conn_ind *conn_ind;
1707 	struct T_unitdata_req *unitdata_req;
1708 	struct T_unitdata_ind *unitdata_ind;
1709 	au_state_t estate;
1710 	t_audit_data_t *tad;
1711 	caddr_t saved_thread_ptr;
1712 	au_mask_t amask;
1713 	const auditinfo_addr_t *ainfo;
1714 	au_kcontext_t	*kctx;
1715 
1716 	if (q->q_stream == NULL)
1717 		return;
1718 	mutex_enter(&q->q_stream->sd_lock);
1719 	/* are we being audited */
1720 	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1721 	/* no pointer to thread, nothing to do */
1722 	if (saved_thread_ptr == NULL) {
1723 		mutex_exit(&q->q_stream->sd_lock);
1724 		return;
1725 	}
1726 	/* only allow one addition of a record token */
1727 	q->q_stream->sd_t_audit_data = NULL;
1728 	/*
1729 	 * thread is not the one being audited, then nothing to do
1730 	 * This could be the stream thread handling the module
1731 	 * service routine. In this case, the context for the audit
1732 	 * record can no longer be assumed. Simplest to just drop
1733 	 * the operation.
1734 	 */
1735 	if (curthread != (kthread_id_t)saved_thread_ptr) {
1736 		mutex_exit(&q->q_stream->sd_lock);
1737 		return;
1738 	}
1739 	if (curthread->t_sysnum >= SYS_so_socket &&
1740 	    curthread->t_sysnum <= SYS_sockconfig) {
1741 		mutex_exit(&q->q_stream->sd_lock);
1742 		return;
1743 	}
1744 	mutex_exit(&q->q_stream->sd_lock);
1745 	/*
1746 	 * we know that the thread that did the put/getmsg is the
1747 	 * one running. Now we can get the TAD and see if we should
1748 	 * add an audit token.
1749 	 */
1750 	tad = U2A(u);
1751 
1752 	kctx = GET_KCTX_PZ;
1753 
1754 	/* proceed ONLY if user is being audited */
1755 	if (!tad->tad_flag)
1756 		return;
1757 
1758 	ainfo = crgetauinfo(CRED());
1759 	if (ainfo == NULL)
1760 		return;
1761 	amask = ainfo->ai_mask;
1762 
1763 	/*
1764 	 * Figure out the type of stream networking request here.
1765 	 * Note that getmsg and putmsg are always preselected
1766 	 * because during the beginning of the system call we have
1767 	 * not yet figure out which of the socket or tli request
1768 	 * we are looking at until we are here. So we need to check
1769 	 * against that specific request and reset the type of event.
1770 	 */
1771 	switch (type) {
1772 	case T_CONN_REQ:	/* connection request */
1773 		conn_req = (struct T_conn_req *)mp->b_rptr;
1774 		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1775 			return;
1776 		offset = conn_req->DEST_offset;
1777 		len = conn_req->DEST_length;
1778 		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1779 		if (amask.as_success & estate || amask.as_failure & estate) {
1780 			tad->tad_event = AUE_SOCKCONNECT;
1781 			break;
1782 		} else {
1783 			return;
1784 		}
1785 	case T_CONN_IND:	 /* connectionless receive request */
1786 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1787 		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1788 			return;
1789 		offset = conn_ind->SRC_offset;
1790 		len = conn_ind->SRC_length;
1791 		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1792 		if (amask.as_success & estate || amask.as_failure & estate) {
1793 			tad->tad_event = AUE_SOCKACCEPT;
1794 			break;
1795 		} else {
1796 			return;
1797 		}
1798 	case T_UNITDATA_REQ:	 /* connectionless send request */
1799 		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1800 		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1801 			return;
1802 		offset = unitdata_req->DEST_offset;
1803 		len = unitdata_req->DEST_length;
1804 		estate = kctx->auk_ets[AUE_SOCKSEND];
1805 		if (amask.as_success & estate || amask.as_failure & estate) {
1806 			tad->tad_event = AUE_SOCKSEND;
1807 			break;
1808 		} else {
1809 			return;
1810 		}
1811 	case T_UNITDATA_IND:	 /* connectionless receive request */
1812 		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1813 		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1814 			return;
1815 		offset = unitdata_ind->SRC_offset;
1816 		len = unitdata_ind->SRC_length;
1817 		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1818 		if (amask.as_success & estate || amask.as_failure & estate) {
1819 			tad->tad_event = AUE_SOCKRECEIVE;
1820 			break;
1821 		} else {
1822 			return;
1823 		}
1824 	default:
1825 		return;
1826 	}
1827 
1828 	/*
1829 	 * we are only interested in tcp stream connections,
1830 	 * not unix domain stuff
1831 	 */
1832 	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1833 		tad->tad_event = AUE_GETMSG;
1834 		return;
1835 	}
1836 	/* skip over TPI header and point to the ip address */
1837 	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1838 
1839 	switch (sock_data->sin_family) {
1840 	case AF_INET:
1841 		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1842 		break;
1843 	default:	/* reset to AUE_PUTMSG if not a inet request */
1844 		tad->tad_event = AUE_GETMSG;
1845 		break;
1846 	}
1847 }
1848 
1849 void
1850 audit_lookupname()
1851 {
1852 }
1853 
1854 /*ARGSUSED*/
1855 int
1856 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr)
1857 {
1858 	return (0);
1859 }
1860 
1861 static void
1862 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1863 {
1864 	unsigned int sy_flags;
1865 
1866 #ifdef _SYSCALL32_IMPL
1867 	/*
1868 	 * Guard against t_lwp being NULL when this function is called
1869 	 * from a kernel queue instead of from a direct system call.
1870 	 * In that case, assume the running kernel data model.
1871 	 */
1872 	if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1873 	    ttolwp(curthread)) == DATAMODEL_NATIVE))
1874 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1875 	else
1876 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1877 #else
1878 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1879 #endif
1880 
1881 	if (sy_flags == SE_64RVAL)
1882 		au_write(ad, au_to_return64(err, rval));
1883 	else
1884 		au_write(ad, au_to_return32(err, rval));
1885 
1886 }
1887 
1888 /*ARGSUSED*/
1889 void
1890 audit_fdsend(fd, fp, error)
1891 	int fd;
1892 	struct file *fp;
1893 	int error;		/* ignore for now */
1894 {
1895 	t_audit_data_t *tad;	/* current thread */
1896 	f_audit_data_t *fad;	/* per file audit structure */
1897 	struct vnode *vp;	/* for file attributes */
1898 
1899 	/* is this system call being audited */
1900 	tad = U2A(u);
1901 	ASSERT(tad != (t_audit_data_t *)0);
1902 	if (!tad->tad_flag)
1903 		return;
1904 
1905 	fad = F2A(fp);
1906 
1907 	/* add path and file attributes */
1908 	if (fad != NULL && fad->fad_aupath != NULL) {
1909 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1910 		au_uwrite(au_to_path(fad->fad_aupath));
1911 	} else {
1912 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1913 #ifdef _LP64
1914 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1915 #else
1916 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1917 #endif
1918 	}
1919 	vp = fp->f_vnode;	/* include vnode attributes */
1920 	audit_attributes(vp);
1921 }
1922 
1923 /*
1924  * Record privileges successfully used and we attempted to use but
1925  * didn't have.
1926  */
1927 void
1928 audit_priv(int priv, const priv_set_t *set, int flag)
1929 {
1930 	t_audit_data_t *tad;
1931 	int sbit;
1932 	priv_set_t *target;
1933 
1934 	/* Make sure this isn't being called in an interrupt context */
1935 	ASSERT(servicing_interrupt() == 0);
1936 
1937 	tad = U2A(u);
1938 
1939 	if (tad->tad_flag == 0)
1940 		return;
1941 
1942 	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1943 	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1944 
1945 	/* Tell audit_success() and audit_finish() that we saw this case */
1946 	if (!(tad->tad_evmod & sbit)) {
1947 		/* Clear set first time around */
1948 		priv_emptyset(target);
1949 		tad->tad_evmod |= sbit;
1950 	}
1951 
1952 	/* Save the privileges in the tad */
1953 	if (priv == PRIV_ALL) {
1954 		priv_fillset(target);
1955 	} else {
1956 		ASSERT(set != NULL || priv != PRIV_NONE);
1957 		if (set != NULL)
1958 			priv_union(set, target);
1959 		if (priv != PRIV_NONE)
1960 			priv_addset(target, priv);
1961 	}
1962 }
1963 
1964 /*
1965  * Audit the setpriv() system call; the operation, the set name and
1966  * the current value as well as the set argument are put in the
1967  * audit trail.
1968  */
1969 void
1970 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1971 {
1972 	t_audit_data_t *tad;
1973 	const priv_set_t *oldpriv;
1974 	priv_set_t report;
1975 	const char *setname;
1976 
1977 	tad = U2A(u);
1978 
1979 	if (tad->tad_flag == 0)
1980 		return;
1981 
1982 	oldpriv = priv_getset(ocr, set);
1983 
1984 	/* Generate the actual record, include the before and after */
1985 	au_uwrite(au_to_arg32(2, "op", op));
1986 	setname = priv_getsetbynum(set);
1987 
1988 	switch (op) {
1989 	case PRIV_OFF:
1990 		/* Report privileges actually switched off */
1991 		report = *oldpriv;
1992 		priv_intersect(newpriv, &report);
1993 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1994 		break;
1995 	case PRIV_ON:
1996 		/* Report privileges actually switched on */
1997 		report = *oldpriv;
1998 		priv_inverse(&report);
1999 		priv_intersect(newpriv, &report);
2000 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
2001 		break;
2002 	case PRIV_SET:
2003 		/* Report before and after */
2004 		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
2005 		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
2006 		break;
2007 	}
2008 }
2009 
2010 /*
2011  * Dump the full device policy setting in the audit trail.
2012  */
2013 void
2014 audit_devpolicy(int nitems, const devplcysys_t *items)
2015 {
2016 	t_audit_data_t *tad;
2017 	int i;
2018 
2019 	tad = U2A(u);
2020 
2021 	if (tad->tad_flag == 0)
2022 		return;
2023 
2024 	for (i = 0; i < nitems; i++) {
2025 		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
2026 		if (items[i].dps_minornm[0] == '\0') {
2027 			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
2028 			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
2029 		} else
2030 			au_uwrite(au_to_text(items[i].dps_minornm));
2031 
2032 		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
2033 		    AUT_PRIV, 0));
2034 		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
2035 		    AUT_PRIV, 0));
2036 	}
2037 }
2038 
2039 /*ARGSUSED*/
2040 void
2041 audit_fdrecv(fd, fp)
2042 	int fd;
2043 	struct file *fp;
2044 {
2045 	t_audit_data_t *tad;	/* current thread */
2046 	f_audit_data_t *fad;	/* per file audit structure */
2047 	struct vnode *vp;	/* for file attributes */
2048 
2049 	/* is this system call being audited */
2050 	tad = U2A(u);
2051 	ASSERT(tad != (t_audit_data_t *)0);
2052 	if (!tad->tad_flag)
2053 		return;
2054 
2055 	fad = F2A(fp);
2056 
2057 	/* add path and file attributes */
2058 	if (fad != NULL && fad->fad_aupath != NULL) {
2059 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2060 		au_uwrite(au_to_path(fad->fad_aupath));
2061 	} else {
2062 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2063 #ifdef _LP64
2064 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
2065 #else
2066 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
2067 #endif
2068 	}
2069 	vp = fp->f_vnode;	/* include vnode attributes */
2070 	audit_attributes(vp);
2071 }
2072 
2073 /*
2074  * ROUTINE:	AUDIT_CRYPTOADM
2075  * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
2076  * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
2077  *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
2078  *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
2079  *		CRYPTO_LOAD_DOOR
2080  * NOTE:
2081  * TODO:
2082  * QUESTION:
2083  */
2084 
2085 void
2086 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
2087     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
2088 {
2089 	boolean_t		mech_list_required = B_FALSE;
2090 	cred_t			*cr = CRED();
2091 	t_audit_data_t		*tad;
2092 	token_t			*ad = NULL;
2093 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2094 	char			buffer[MAXNAMELEN * 2];
2095 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2096 
2097 	tad = U2A(u);
2098 	if (tad == NULL)
2099 		return;
2100 
2101 	if (ainfo == NULL)
2102 		return;
2103 
2104 	tad->tad_event = AUE_CRYPTOADM;
2105 
2106 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
2107 		return;
2108 
2109 	/* Add subject information */
2110 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
2111 
2112 	switch (cmd) {
2113 	case CRYPTO_LOAD_DEV_DISABLED:
2114 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2115 			(void) snprintf(buffer, sizeof (buffer),
2116 			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
2117 			    " dev_instance=%d",
2118 			    module_name, device_instance);
2119 			mech_list_required = B_TRUE;
2120 		} else {
2121 			(void) snprintf(buffer, sizeof (buffer),
2122 			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
2123 		}
2124 		break;
2125 
2126 	case CRYPTO_LOAD_SOFT_DISABLED:
2127 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2128 			(void) snprintf(buffer, sizeof (buffer),
2129 			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
2130 			    module_name);
2131 			mech_list_required = B_TRUE;
2132 		} else {
2133 			(void) snprintf(buffer, sizeof (buffer),
2134 			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
2135 		}
2136 		break;
2137 
2138 	case CRYPTO_UNLOAD_SOFT_MODULE:
2139 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2140 			(void) snprintf(buffer, sizeof (buffer),
2141 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
2142 			    module_name);
2143 		} else {
2144 			(void) snprintf(buffer, sizeof (buffer),
2145 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
2146 		}
2147 		break;
2148 
2149 	case CRYPTO_LOAD_SOFT_CONFIG:
2150 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2151 			(void) snprintf(buffer, sizeof (buffer),
2152 			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
2153 			    module_name);
2154 			mech_list_required = B_TRUE;
2155 		} else {
2156 			(void) snprintf(buffer, sizeof (buffer),
2157 			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
2158 		}
2159 		break;
2160 
2161 	case CRYPTO_POOL_CREATE:
2162 		(void) snprintf(buffer, sizeof (buffer),
2163 		    "op=CRYPTO_POOL_CREATE");
2164 		break;
2165 
2166 	case CRYPTO_POOL_WAIT:
2167 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
2168 		break;
2169 
2170 	case CRYPTO_POOL_RUN:
2171 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
2172 		break;
2173 
2174 	case CRYPTO_LOAD_DOOR:
2175 		if (error == 0 && rv == CRYPTO_SUCCESS)
2176 			(void) snprintf(buffer, sizeof (buffer),
2177 			    "op=CRYPTO_LOAD_DOOR");
2178 		else
2179 			(void) snprintf(buffer, sizeof (buffer),
2180 			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
2181 		break;
2182 
2183 	default:
2184 		return;
2185 	}
2186 
2187 	au_write((caddr_t *)&ad, au_to_text(buffer));
2188 
2189 	if (mech_list_required) {
2190 		int i;
2191 
2192 		if (mech_count == 0) {
2193 			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
2194 		} else {
2195 			char	*pb = buffer;
2196 			size_t	l = sizeof (buffer);
2197 			size_t	n;
2198 			char	space[2] = ":";
2199 
2200 			n = snprintf(pb, l, "mech=");
2201 
2202 			for (i = 0; i < mech_count; i++) {
2203 				pb += n;
2204 				l -= n;
2205 				if (l < 0)
2206 					l = 0;
2207 
2208 				if (i == mech_count - 1)
2209 					(void) strcpy(space, "");
2210 
2211 				n = snprintf(pb, l, "%s%s", mech_names[i],
2212 				    space);
2213 			}
2214 			au_write((caddr_t *)&ad, au_to_text(buffer));
2215 		}
2216 	}
2217 
2218 	/* add a return token */
2219 	if (error || (rv != CRYPTO_SUCCESS))
2220 		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
2221 	else
2222 		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
2223 
2224 	AS_INC(as_generated, 1, kctx);
2225 	AS_INC(as_kernel, 1, kctx);
2226 
2227 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0);
2228 }
2229 
2230 /*
2231  * Audit the kernel SSL administration command. The address and the
2232  * port number for the SSL instance, and the proxy port are put in the
2233  * audit trail.
2234  */
2235 void
2236 audit_kssl(int cmd, void *params, int error)
2237 {
2238 	cred_t			*cr = CRED();
2239 	t_audit_data_t		*tad;
2240 	token_t			*ad = NULL;
2241 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2242 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2243 
2244 	tad = U2A(u);
2245 
2246 	if (ainfo == NULL)
2247 		return;
2248 
2249 	tad->tad_event = AUE_CONFIGKSSL;
2250 
2251 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
2252 		return;
2253 
2254 	/* Add subject information */
2255 	AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2256 
2257 	switch (cmd) {
2258 	case KSSL_ADD_ENTRY: {
2259 		char buf[32];
2260 		kssl_params_t *kp = (kssl_params_t *)params;
2261 		struct sockaddr_in *saddr = &(kp->kssl_addr);
2262 
2263 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2264 		au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
2265 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2266 		    saddr->sin_port);
2267 		au_write((caddr_t *)&ad, au_to_text(buf));
2268 
2269 		(void) snprintf(buf, sizeof (buf), "proxy port=%d",
2270 		    kp->kssl_proxy_port);
2271 		au_write((caddr_t *)&ad, au_to_text(buf));
2272 		break;
2273 	}
2274 
2275 	case KSSL_DELETE_ENTRY: {
2276 		char buf[32];
2277 		struct sockaddr_in *saddr = (struct sockaddr_in *)params;
2278 
2279 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2280 		au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
2281 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2282 		    saddr->sin_port);
2283 		au_write((caddr_t *)&ad, au_to_text(buf));
2284 		break;
2285 	}
2286 
2287 	default:
2288 		return;
2289 	}
2290 
2291 	/* add a return token */
2292 	add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2293 
2294 	AS_INC(as_generated, 1, kctx);
2295 	AS_INC(as_kernel, 1, kctx);
2296 
2297 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0);
2298 }
2299 
2300 /*
2301  * Audit the kernel PF_POLICY administration commands.  Record command,
2302  * zone, policy type (global or tunnel, active or inactive)
2303  */
2304 /*
2305  * ROUTINE:	AUDIT_PF_POLICY
2306  * PURPOSE:	Records arguments to administrative ioctls on PF_POLICY socket
2307  * CALLBY:	SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2308  *		SPD_CLONE, SPD_FLIP
2309  * NOTE:
2310  * TODO:
2311  * QUESTION:
2312  */
2313 
2314 void
2315 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2316     boolean_t active, int error, pid_t pid)
2317 {
2318 	const auditinfo_addr_t	*ainfo;
2319 	t_audit_data_t		*tad;
2320 	token_t			*ad = NULL;
2321 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2322 	char			buf[80];
2323 	int			flag;
2324 
2325 	tad = U2A(u);
2326 	if (tad == NULL)
2327 		return;
2328 
2329 	ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2330 	if (ainfo == NULL)
2331 		return;
2332 
2333 	/*
2334 	 * Initialize some variables since these are only set
2335 	 * with system calls.
2336 	 */
2337 
2338 	switch (cmd) {
2339 	case SPD_ADDRULE: {
2340 		tad->tad_event = AUE_PF_POLICY_ADDRULE;
2341 		break;
2342 	}
2343 
2344 	case SPD_DELETERULE: {
2345 		tad->tad_event = AUE_PF_POLICY_DELRULE;
2346 		break;
2347 	}
2348 
2349 	case SPD_FLUSH: {
2350 		tad->tad_event = AUE_PF_POLICY_FLUSH;
2351 		break;
2352 	}
2353 
2354 	case SPD_UPDATEALGS: {
2355 		tad->tad_event = AUE_PF_POLICY_ALGS;
2356 		break;
2357 	}
2358 
2359 	case SPD_CLONE: {
2360 		tad->tad_event = AUE_PF_POLICY_CLONE;
2361 		break;
2362 	}
2363 
2364 	case SPD_FLIP: {
2365 		tad->tad_event = AUE_PF_POLICY_FLIP;
2366 		break;
2367 	}
2368 
2369 	default:
2370 		tad->tad_event = AUE_NULL;
2371 	}
2372 
2373 	tad->tad_evmod = 0;
2374 
2375 	if (flag = audit_success(kctx, tad, error, cred)) {
2376 		zone_t *nszone;
2377 
2378 		/*
2379 		 * For now, just audit that an event happened,
2380 		 * along with the error code.
2381 		 */
2382 		au_write((caddr_t *)&ad,
2383 		    au_to_arg32(1, "Policy Active?", (uint32_t)active));
2384 		au_write((caddr_t *)&ad,
2385 		    au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2386 
2387 		/* Supplemental data */
2388 
2389 		/*
2390 		 * Generate this zone token if the target zone differs
2391 		 * from the administrative zone.  If netstacks are expanded
2392 		 * to something other than a 1-1 relationship with zones,
2393 		 * the auditing framework should create a new token type
2394 		 * and audit it as a netstack instead.
2395 		 * Turn on general zone auditing to get the administrative zone.
2396 		 */
2397 
2398 		nszone = zone_find_by_id(netstackid_to_zoneid(
2399 		    ns->netstack_stackid));
2400 		if (nszone != NULL) {
2401 			if (strncmp(cred->cr_zone->zone_name, nszone->zone_name,
2402 			    ZONENAME_MAX) != 0) {
2403 				token_t *ztoken;
2404 
2405 				ztoken = au_to_zonename(0, nszone);
2406 				au_write((caddr_t *)&ad, ztoken);
2407 			}
2408 			zone_rele(nszone);
2409 		}
2410 
2411 		if (tun != NULL) {
2412 			/* write tunnel name - tun is bounded */
2413 			(void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2414 			    tun);
2415 			au_write((caddr_t *)&ad, au_to_text(buf));
2416 		}
2417 
2418 		/* Add subject information */
2419 		AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2420 		    ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2421 
2422 		/* add a return token */
2423 		add_return_token((caddr_t *)&ad, 0, error, 0);
2424 
2425 		AS_INC(as_generated, 1, kctx);
2426 		AS_INC(as_kernel, 1, kctx);
2427 
2428 	}
2429 	au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, 0);
2430 
2431 	/*
2432 	 * clear the ctrl flag so that we don't have spurious collection of
2433 	 * audit information.
2434 	 */
2435 	tad->tad_scid  = 0;
2436 	tad->tad_event = 0;
2437 	tad->tad_evmod = 0;
2438 	tad->tad_ctrl  = 0;
2439 }
2440 
2441 /*
2442  * ROUTINE:	AUDIT_SEC_ATTRIBUTES
2443  * PURPOSE:	Add security attributes
2444  * CALLBY:	AUDIT_ATTRIBUTES
2445  *		AUDIT_CLOSEF
2446  *		AUS_CLOSE
2447  * NOTE:
2448  * TODO:
2449  * QUESTION:
2450  */
2451 
2452 void
2453 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2454 {
2455 	/* Dump the SL */
2456 	if (is_system_labeled()) {
2457 		ts_label_t	*tsl;
2458 		bslabel_t	*bsl;
2459 
2460 		tsl = getflabel(vp);
2461 		if (tsl == NULL)
2462 			return;			/* nothing else to do */
2463 
2464 		bsl = label2bslabel(tsl);
2465 		if (bsl == NULL)
2466 			return;			/* nothing else to do */
2467 		au_write(ad, au_to_label(bsl));
2468 		label_rele(tsl);
2469 	}
2470 
2471 }	/* AUDIT_SEC_ATTRIBUTES */
2472