1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * This file contains the audit event table used to control the production 28 * of audit records for each system call. 29 */ 30 31 #include <sys/policy.h> 32 #include <sys/cred.h> 33 #include <sys/types.h> 34 #include <sys/systm.h> 35 #include <sys/systeminfo.h> /* for sysinfo auditing */ 36 #include <sys/utsname.h> /* for sysinfo auditing */ 37 #include <sys/proc.h> 38 #include <sys/vnode.h> 39 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 40 #include <sys/fcntl.h> 41 #include <sys/modctl.h> /* for modctl auditing */ 42 #include <sys/vnode.h> 43 #include <sys/user.h> 44 #include <sys/types.h> 45 #include <sys/processor.h> 46 #include <sys/procset.h> 47 #include <sys/acl.h> 48 #include <sys/ipc.h> 49 #include <sys/door.h> 50 #include <sys/sem.h> 51 #include <sys/msg.h> 52 #include <sys/shm.h> 53 #include <sys/kmem.h> 54 #include <sys/file.h> /* for accept */ 55 #include <sys/utssys.h> /* for fuser */ 56 #include <sys/tsol/label.h> 57 #include <sys/tsol/tndb.h> 58 #include <sys/tsol/tsyscall.h> 59 #include <c2/audit.h> 60 #include <c2/audit_kernel.h> 61 #include <c2/audit_kevents.h> 62 #include <c2/audit_record.h> 63 #include <sys/procset.h> 64 #include <nfs/mount.h> 65 #include <sys/param.h> 66 #include <sys/debug.h> 67 #include <sys/sysmacros.h> 68 #include <sys/stream.h> 69 #include <sys/strsubr.h> 70 #include <sys/stropts.h> 71 #include <sys/tihdr.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/vfs_opreg.h> 75 #include <fs/sockfs/sockcommon.h> 76 #include <netinet/in.h> 77 #include <sys/ddi.h> 78 #include <sys/port_impl.h> 79 80 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_fchownat(au_event_t); 84 static au_event_t aui_fchmodat(au_event_t); 85 static au_event_t aui_open(au_event_t); 86 static au_event_t aui_openat(au_event_t); 87 static au_event_t aui_unlinkat(au_event_t); 88 static au_event_t aui_fstatat(au_event_t); 89 static au_event_t aui_msgsys(au_event_t); 90 static au_event_t aui_shmsys(au_event_t); 91 static au_event_t aui_semsys(au_event_t); 92 static au_event_t aui_utssys(au_event_t); 93 static au_event_t aui_fcntl(au_event_t); 94 static au_event_t aui_execve(au_event_t); 95 static au_event_t aui_memcntl(au_event_t); 96 static au_event_t aui_sysinfo(au_event_t); 97 static au_event_t aui_portfs(au_event_t); 98 static au_event_t aui_auditsys(au_event_t); 99 static au_event_t aui_modctl(au_event_t); 100 static au_event_t aui_acl(au_event_t); 101 static au_event_t aui_doorfs(au_event_t); 102 static au_event_t aui_privsys(au_event_t); 103 static au_event_t aui_forksys(au_event_t); 104 static au_event_t aui_labelsys(au_event_t); 105 static au_event_t aui_setpgrp(au_event_t); 106 107 static void aus_exit(struct t_audit_data *); 108 static void aus_open(struct t_audit_data *); 109 static void aus_openat(struct t_audit_data *); 110 static void aus_acl(struct t_audit_data *); 111 static void aus_acct(struct t_audit_data *); 112 static void aus_chown(struct t_audit_data *); 113 static void aus_fchown(struct t_audit_data *); 114 static void aus_lchown(struct t_audit_data *); 115 static void aus_fchownat(struct t_audit_data *); 116 static void aus_chmod(struct t_audit_data *); 117 static void aus_facl(struct t_audit_data *); 118 static void aus_fchmod(struct t_audit_data *); 119 static void aus_fchmodat(struct t_audit_data *); 120 static void aus_fcntl(struct t_audit_data *); 121 static void aus_mkdir(struct t_audit_data *); 122 static void aus_mkdirat(struct t_audit_data *); 123 static void aus_mknod(struct t_audit_data *); 124 static void aus_mknodat(struct t_audit_data *); 125 static void aus_mount(struct t_audit_data *); 126 static void aus_umount2(struct t_audit_data *); 127 static void aus_msgsys(struct t_audit_data *); 128 static void aus_semsys(struct t_audit_data *); 129 static void aus_close(struct t_audit_data *); 130 static void aus_fstatfs(struct t_audit_data *); 131 static void aus_setgid(struct t_audit_data *); 132 static void aus_setpgrp(struct t_audit_data *); 133 static void aus_setuid(struct t_audit_data *); 134 static void aus_shmsys(struct t_audit_data *); 135 static void aus_doorfs(struct t_audit_data *); 136 static void aus_ioctl(struct t_audit_data *); 137 static void aus_memcntl(struct t_audit_data *); 138 static void aus_mmap(struct t_audit_data *); 139 static void aus_munmap(struct t_audit_data *); 140 static void aus_priocntlsys(struct t_audit_data *); 141 static void aus_setegid(struct t_audit_data *); 142 static void aus_setgroups(struct t_audit_data *); 143 static void aus_seteuid(struct t_audit_data *); 144 static void aus_putmsg(struct t_audit_data *); 145 static void aus_putpmsg(struct t_audit_data *); 146 static void aus_getmsg(struct t_audit_data *); 147 static void aus_getpmsg(struct t_audit_data *); 148 static void aus_auditsys(struct t_audit_data *); 149 static void aus_sysinfo(struct t_audit_data *); 150 static void aus_modctl(struct t_audit_data *); 151 static void aus_kill(struct t_audit_data *); 152 static void aus_setregid(struct t_audit_data *); 153 static void aus_setreuid(struct t_audit_data *); 154 static void aus_labelsys(struct t_audit_data *); 155 156 static void auf_mknod(struct t_audit_data *, int, rval_t *); 157 static void auf_mknodat(struct t_audit_data *, int, rval_t *); 158 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 159 static void auf_semsys(struct t_audit_data *, int, rval_t *); 160 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 161 static void auf_read(struct t_audit_data *, int, rval_t *); 162 static void auf_write(struct t_audit_data *, int, rval_t *); 163 164 static void aus_sigqueue(struct t_audit_data *); 165 static void aus_p_online(struct t_audit_data *); 166 static void aus_processor_bind(struct t_audit_data *); 167 static void aus_inst_sync(struct t_audit_data *); 168 static void aus_brandsys(struct t_audit_data *); 169 170 static void auf_accept(struct t_audit_data *, int, rval_t *); 171 172 static void auf_bind(struct t_audit_data *, int, rval_t *); 173 static void auf_connect(struct t_audit_data *, int, rval_t *); 174 static void aus_shutdown(struct t_audit_data *); 175 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 176 static void aus_sockconfig(struct t_audit_data *); 177 static void auf_recv(struct t_audit_data *, int, rval_t *); 178 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 179 static void auf_send(struct t_audit_data *, int, rval_t *); 180 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 181 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 182 static void auf_sendto(struct t_audit_data *, int, rval_t *); 183 static void aus_socket(struct t_audit_data *); 184 /* 185 * This table contains mapping information for converting system call numbers 186 * to audit event IDs. In several cases it is necessary to map a single system 187 * call to several events. 188 */ 189 190 #define aui_null NULL /* NULL initialize function */ 191 #define aus_null NULL /* NULL start function */ 192 #define auf_null NULL /* NULL finish function */ 193 194 struct audit_s2e audit_s2e[] = 195 { 196 /* 197 * ---------- ---------- ---------- ---------- 198 * INITIAL AUDIT START SYSTEM 199 * PROCESSING EVENT PROCESSING CALL 200 * ---------- ---------- ---------- ----------- 201 * FINISH EVENT 202 * PROCESSING CONTROL 203 * ---------------------------------------------------------- 204 */ 205 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 206 auf_null, 0, 207 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 208 auf_null, S2E_NPT, 209 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 210 auf_null, 0, 211 aui_null, AUE_READ, aus_null, /* 3 read */ 212 auf_read, S2E_PUB, 213 aui_null, AUE_WRITE, aus_null, /* 4 write */ 214 auf_write, 0, 215 aui_open, AUE_OPEN, aus_open, /* 5 open */ 216 auf_null, S2E_SP, 217 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 218 auf_null, 0, 219 aui_null, AUE_LINK, aus_null, /* 7 linkat */ 220 auf_null, 0, 221 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 222 auf_null, 0, 223 aui_null, AUE_LINK, aus_null, /* 9 link */ 224 auf_null, 0, 225 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 226 auf_null, 0, 227 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */ 228 auf_null, 0, 229 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 230 auf_null, S2E_SP, 231 aui_null, AUE_NULL, aus_null, /* 13 time */ 232 auf_null, 0, 233 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 234 auf_mknod, S2E_MLD, 235 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 236 auf_null, 0, 237 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 238 auf_null, 0, 239 aui_null, AUE_NULL, aus_null, /* 17 brk */ 240 auf_null, 0, 241 aui_null, AUE_STAT, aus_null, /* 18 stat */ 242 auf_null, S2E_PUB, 243 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 244 auf_null, 0, 245 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 246 auf_null, 0, 247 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 248 auf_null, S2E_MLD, 249 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */ 250 auf_null, S2E_PUB, 251 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 254 auf_null, 0, 255 aui_null, AUE_STIME, aus_null, /* 25 stime */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 29 pause */ 264 auf_null, 0, 265 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 266 auf_null, 0, 267 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 268 auf_null, 0, 269 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 270 auf_null, 0, 271 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 272 auf_null, S2E_PUB, 273 aui_null, AUE_NICE, aus_null, /* 34 nice */ 274 auf_null, 0, 275 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 276 auf_null, S2E_PUB, 277 aui_null, AUE_NULL, aus_null, /* 36 sync */ 278 auf_null, 0, 279 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 280 auf_null, 0, 281 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 282 auf_null, S2E_PUB, 283 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 288 auf_null, 0, 289 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 290 auf_null, 0, 291 aui_null, AUE_NULL, aus_null, /* 43 times */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 44 profil */ 294 auf_null, 0, 295 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 296 auf_null, S2E_PUB, 297 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 298 auf_null, 0, 299 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 300 auf_null, 0, 301 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */ 302 auf_mknodat, S2E_MLD, 303 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 304 auf_msgsys, 0, 305 #if defined(__x86) 306 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 307 auf_null, 0, 308 #else 309 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 310 auf_null, 0, 311 #endif /* __x86 */ 312 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 313 auf_null, 0, 314 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 315 auf_shmsys, 0, 316 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 317 auf_semsys, 0, 318 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 319 auf_null, 0, 320 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 321 auf_null, 0, 322 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 323 auf_null, 0, 324 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 325 auf_null, 0, 326 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 327 auf_null, 0, 328 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 329 auf_null, S2E_MLD, 330 aui_null, AUE_NULL, aus_null, /* 60 umask */ 331 auf_null, 0, 332 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 333 auf_null, S2E_SP, 334 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 337 auf_null, 0, 338 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 339 auf_null, 0, 340 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 341 auf_null, 0, 342 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 343 auf_null, S2E_PUB, 344 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 345 auf_null, S2E_PUB, 346 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 347 auf_null, S2E_SP, 348 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 349 auf_null, S2E_SP, 350 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 363 auf_null, 0, 364 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 365 auf_null, 0, 366 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 367 auf_null, 0, 368 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 369 auf_null, 0, 370 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 373 auf_null, 0, 374 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 379 auf_null, 0, 380 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 381 auf_null, 0, 382 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 383 auf_null, 0, 384 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 385 auf_null, 0, 386 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 387 auf_null, S2E_PUB, 388 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 389 auf_null, 0, 390 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 391 auf_null, S2E_PUB, 392 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 395 auf_null, 0, 396 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 397 auf_null, 0, 398 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 411 auf_null, 0, 412 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */ 413 auf_null, 0, 414 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */ 415 auf_null, 0, 416 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 417 auf_null, S2E_PUB, 418 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 427 auf_null, 0, 428 #if defined(__x86) 429 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 430 auf_null, 0, 431 #else 432 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 433 auf_null, 0, 434 #endif /* __x86 */ 435 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 436 auf_null, 0, 437 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 438 auf_null, 0, 439 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 440 auf_null, 0, 441 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 442 auf_null, S2E_PUB, 443 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 444 auf_null, 0, 445 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 446 auf_null, 0, 447 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 448 auf_null, 0, 449 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 450 auf_null, 0, 451 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 452 auf_null, 0, 453 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 454 auf_null, 0, 455 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 456 auf_null, 0, 457 aui_null, AUE_READ, aus_null, /* 121 readv */ 458 auf_read, S2E_PUB, 459 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 460 auf_write, 0, 461 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 462 auf_null, 0, 463 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 464 auf_null, 0, 465 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 466 auf_null, 0, 467 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 468 auf_null, 0, 469 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 470 auf_null, 0, 471 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 472 auf_null, 0, 473 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 474 auf_null, 0, 475 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 476 auf_null, 0, 477 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 478 auf_null, 0, 479 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 480 auf_null, 0, 481 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 482 auf_null, 0, 483 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 484 auf_null, 0, 485 aui_null, AUE_NULL, aus_null, /* 135 uname */ 486 auf_null, 0, 487 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 490 auf_null, 0, 491 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 492 auf_null, 0, 493 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 496 auf_null, 0, 497 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 498 auf_null, 0, 499 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 146 yield */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 510 /* was lwp_sema_wait */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 517 auf_null, 0, 518 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 519 auf_null, 0, 520 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 521 auf_null, 0, 522 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 555 /* was lwp_mutex_lock */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 562 auf_null, 0, 563 aui_null, AUE_READ, aus_null, /* 173 pread */ 564 auf_read, S2E_PUB, 565 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 566 auf_write, 0, 567 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 568 auf_null, 0, 569 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 570 auf_null, 0, 571 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 580 auf_null, 0, 581 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 582 auf_null, S2E_MLD, 583 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 584 auf_null, 0, 585 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 586 auf_null, 0, 587 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 588 auf_null, 0, 589 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 590 auf_null, 0, 591 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 594 auf_null, 0, 595 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 600 auf_null, 0, 601 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 616 auf_null, 0, 617 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 618 auf_null, 0, 619 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 620 auf_null, 0, 621 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 622 auf_null, 0, 623 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 644 auf_null, 0, 645 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 646 auf_null, 0, 647 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 652 auf_null, 0, 653 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 654 auf_null, S2E_PUB, 655 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 656 auf_null, 0, 657 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 658 auf_null, 0, 659 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 660 auf_null, 0, 661 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 662 auf_read, S2E_PUB, 663 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 664 auf_write, 0, 665 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 666 auf_null, 0, 667 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 668 auf_null, S2E_SP, 669 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 227 zone */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 676 auf_null, 0, 677 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 678 auf_null, 0, 679 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 680 auf_null, 0, 681 aui_null, AUE_BIND, aus_null, /* 232 bind */ 682 auf_bind, 0, 683 aui_null, AUE_NULL, aus_null, /* 233 listen */ 684 auf_null, 0, 685 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 686 auf_accept, 0, 687 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 688 auf_connect, 0, 689 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 690 auf_null, 0, 691 aui_null, AUE_READ, aus_null, /* 237 recv */ 692 auf_recv, 0, 693 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 694 auf_recvfrom, 0, 695 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 696 auf_recvmsg, 0, 697 aui_null, AUE_WRITE, aus_null, /* 240 send */ 698 auf_send, 0, 699 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 700 auf_sendmsg, 0, 701 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 702 auf_sendto, 0, 703 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 704 auf_null, 0, 705 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 708 auf_null, 0, 709 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 710 auf_setsockopt, 0, 711 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 714 auf_null, 0, 715 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 726 auf_null, 0, 727 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 728 auf_null, 0 729 }; 730 731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 732 733 734 /* exit start function */ 735 /*ARGSUSED*/ 736 static void 737 aus_exit(struct t_audit_data *tad) 738 { 739 uint32_t rval; 740 struct a { 741 long rval; 742 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 743 744 rval = (uint32_t)uap->rval; 745 au_uwrite(au_to_arg32(1, "exit status", rval)); 746 } 747 748 /* acct start function */ 749 /*ARGSUSED*/ 750 static void 751 aus_acct(struct t_audit_data *tad) 752 { 753 klwp_t *clwp = ttolwp(curthread); 754 uintptr_t fname; 755 756 struct a { 757 long fname; /* char * */ 758 } *uap = (struct a *)clwp->lwp_ap; 759 760 fname = (uintptr_t)uap->fname; 761 762 if (fname == 0) 763 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 764 } 765 766 /* chown start function */ 767 /*ARGSUSED*/ 768 static void 769 aus_chown(struct t_audit_data *tad) 770 { 771 klwp_t *clwp = ttolwp(curthread); 772 uint32_t uid, gid; 773 774 struct a { 775 long fname; /* char * */ 776 long uid; 777 long gid; 778 } *uap = (struct a *)clwp->lwp_ap; 779 780 uid = (uint32_t)uap->uid; 781 gid = (uint32_t)uap->gid; 782 783 au_uwrite(au_to_arg32(2, "new file uid", uid)); 784 au_uwrite(au_to_arg32(3, "new file gid", gid)); 785 } 786 787 /* fchown start function */ 788 /*ARGSUSED*/ 789 static void 790 aus_fchown(struct t_audit_data *tad) 791 { 792 klwp_t *clwp = ttolwp(curthread); 793 uint32_t uid, gid, fd; 794 struct file *fp; 795 struct vnode *vp; 796 struct f_audit_data *fad; 797 798 struct a { 799 long fd; 800 long uid; 801 long gid; 802 } *uap = (struct a *)clwp->lwp_ap; 803 804 fd = (uint32_t)uap->fd; 805 uid = (uint32_t)uap->uid; 806 gid = (uint32_t)uap->gid; 807 808 au_uwrite(au_to_arg32(2, "new file uid", uid)); 809 au_uwrite(au_to_arg32(3, "new file gid", gid)); 810 811 /* 812 * convert file pointer to file descriptor 813 * Note: fd ref count incremented here. 814 */ 815 if ((fp = getf(fd)) == NULL) 816 return; 817 818 /* get path from file struct here */ 819 fad = F2A(fp); 820 if (fad->fad_aupath != NULL) { 821 au_uwrite(au_to_path(fad->fad_aupath)); 822 } else { 823 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 824 } 825 826 vp = fp->f_vnode; 827 audit_attributes(vp); 828 829 /* decrement file descriptor reference count */ 830 releasef(fd); 831 } 832 833 /*ARGSUSED*/ 834 static void 835 aus_lchown(struct t_audit_data *tad) 836 { 837 klwp_t *clwp = ttolwp(curthread); 838 uint32_t uid, gid; 839 840 841 struct a { 842 long fname; /* char * */ 843 long uid; 844 long gid; 845 } *uap = (struct a *)clwp->lwp_ap; 846 847 uid = (uint32_t)uap->uid; 848 gid = (uint32_t)uap->gid; 849 850 au_uwrite(au_to_arg32(2, "new file uid", uid)); 851 au_uwrite(au_to_arg32(3, "new file gid", gid)); 852 } 853 854 static au_event_t 855 aui_fchownat(au_event_t e) 856 { 857 klwp_t *clwp = ttolwp(curthread); 858 859 struct a { 860 long fd; 861 long fname; /* char * */ 862 long uid; 863 long gid; 864 long flags; 865 } *uap = (struct a *)clwp->lwp_ap; 866 867 if (uap->fname == NULL) 868 e = AUE_FCHOWN; 869 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 870 e = AUE_LCHOWN; 871 else 872 e = AUE_CHOWN; 873 874 return (e); 875 } 876 877 /*ARGSUSED*/ 878 static void 879 aus_fchownat(struct t_audit_data *tad) 880 { 881 klwp_t *clwp = ttolwp(curthread); 882 uint32_t uid, gid; 883 884 struct a { 885 long fd; 886 long fname; /* char * */ 887 long uid; 888 long gid; 889 long flags; 890 } *uap = (struct a *)clwp->lwp_ap; 891 892 uid = (uint32_t)uap->uid; 893 gid = (uint32_t)uap->gid; 894 895 au_uwrite(au_to_arg32(3, "new file uid", uid)); 896 au_uwrite(au_to_arg32(4, "new file gid", gid)); 897 } 898 899 /*ARGSUSED*/ 900 static void 901 aus_chmod(struct t_audit_data *tad) 902 { 903 klwp_t *clwp = ttolwp(curthread); 904 uint32_t fmode; 905 906 struct a { 907 long fname; /* char * */ 908 long fmode; 909 } *uap = (struct a *)clwp->lwp_ap; 910 911 fmode = (uint32_t)uap->fmode; 912 913 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 914 } 915 916 /*ARGSUSED*/ 917 static void 918 aus_fchmod(struct t_audit_data *tad) 919 { 920 klwp_t *clwp = ttolwp(curthread); 921 uint32_t fmode, fd; 922 struct file *fp; 923 struct vnode *vp; 924 struct f_audit_data *fad; 925 926 struct a { 927 long fd; 928 long fmode; 929 } *uap = (struct a *)clwp->lwp_ap; 930 931 fd = (uint32_t)uap->fd; 932 fmode = (uint32_t)uap->fmode; 933 934 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 935 936 /* 937 * convert file pointer to file descriptor 938 * Note: fd ref count incremented here. 939 */ 940 if ((fp = getf(fd)) == NULL) 941 return; 942 943 /* get path from file struct here */ 944 fad = F2A(fp); 945 if (fad->fad_aupath != NULL) { 946 au_uwrite(au_to_path(fad->fad_aupath)); 947 } else { 948 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 949 } 950 951 vp = fp->f_vnode; 952 audit_attributes(vp); 953 954 /* decrement file descriptor reference count */ 955 releasef(fd); 956 } 957 958 static au_event_t 959 aui_fchmodat(au_event_t e) 960 { 961 klwp_t *clwp = ttolwp(curthread); 962 963 struct a { 964 long fd; 965 long fname; /* char * */ 966 long fmode; 967 long flag; 968 } *uap = (struct a *)clwp->lwp_ap; 969 970 if (uap->fname == NULL) 971 e = AUE_FCHMOD; 972 else 973 e = AUE_CHMOD; 974 975 return (e); 976 } 977 978 /*ARGSUSED*/ 979 static void 980 aus_fchmodat(struct t_audit_data *tad) 981 { 982 klwp_t *clwp = ttolwp(curthread); 983 uint32_t fmode; 984 uint32_t fd; 985 struct file *fp; 986 struct vnode *vp; 987 struct f_audit_data *fad; 988 989 struct a { 990 long fd; 991 long fname; /* char * */ 992 long fmode; 993 long flag; 994 } *uap = (struct a *)clwp->lwp_ap; 995 996 fd = (uint32_t)uap->fd; 997 fmode = (uint32_t)uap->fmode; 998 999 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 1000 1001 if (fd == AT_FDCWD || uap->fname != NULL) /* same as chmod() */ 1002 return; 1003 1004 /* 1005 * convert file pointer to file descriptor 1006 * Note: fd ref count incremented here. 1007 */ 1008 if ((fp = getf(fd)) == NULL) 1009 return; 1010 1011 /* get path from file struct here */ 1012 fad = F2A(fp); 1013 if (fad->fad_aupath != NULL) { 1014 au_uwrite(au_to_path(fad->fad_aupath)); 1015 } else { 1016 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1017 } 1018 1019 vp = fp->f_vnode; 1020 audit_attributes(vp); 1021 1022 /* decrement file descriptor reference count */ 1023 releasef(fd); 1024 } 1025 1026 /* 1027 * convert open mode to appropriate open event 1028 */ 1029 au_event_t 1030 open_event(uint_t fm) 1031 { 1032 au_event_t e; 1033 1034 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) { 1035 case O_RDONLY: 1036 e = AUE_OPEN_R; 1037 break; 1038 case O_RDONLY | O_CREAT: 1039 e = AUE_OPEN_RC; 1040 break; 1041 case O_RDONLY | O_TRUNC: 1042 e = AUE_OPEN_RT; 1043 break; 1044 case O_RDONLY | O_TRUNC | O_CREAT: 1045 e = AUE_OPEN_RTC; 1046 break; 1047 case O_WRONLY: 1048 e = AUE_OPEN_W; 1049 break; 1050 case O_WRONLY | O_CREAT: 1051 e = AUE_OPEN_WC; 1052 break; 1053 case O_WRONLY | O_TRUNC: 1054 e = AUE_OPEN_WT; 1055 break; 1056 case O_WRONLY | O_TRUNC | O_CREAT: 1057 e = AUE_OPEN_WTC; 1058 break; 1059 case O_RDWR: 1060 e = AUE_OPEN_RW; 1061 break; 1062 case O_RDWR | O_CREAT: 1063 e = AUE_OPEN_RWC; 1064 break; 1065 case O_RDWR | O_TRUNC: 1066 e = AUE_OPEN_RWT; 1067 break; 1068 case O_RDWR | O_TRUNC | O_CREAT: 1069 e = AUE_OPEN_RWTC; 1070 break; 1071 case O_SEARCH: 1072 e = AUE_OPEN_S; 1073 break; 1074 case O_EXEC: 1075 e = AUE_OPEN_E; 1076 break; 1077 default: 1078 e = AUE_NULL; 1079 break; 1080 } 1081 1082 return (e); 1083 } 1084 1085 /* ARGSUSED */ 1086 static au_event_t 1087 aui_open(au_event_t e) 1088 { 1089 klwp_t *clwp = ttolwp(curthread); 1090 uint_t fm; 1091 1092 struct a { 1093 long fnamep; /* char * */ 1094 long fmode; 1095 long cmode; 1096 } *uap = (struct a *)clwp->lwp_ap; 1097 1098 fm = (uint_t)uap->fmode; 1099 1100 return (open_event(fm)); 1101 } 1102 1103 static void 1104 aus_open(struct t_audit_data *tad) 1105 { 1106 klwp_t *clwp = ttolwp(curthread); 1107 uint_t fm; 1108 1109 struct a { 1110 long fnamep; /* char * */ 1111 long fmode; 1112 long cmode; 1113 } *uap = (struct a *)clwp->lwp_ap; 1114 1115 fm = (uint_t)uap->fmode; 1116 1117 /* If no write, create, or trunc modes, mark as a public op */ 1118 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1119 tad->tad_ctrl |= TAD_PUBLIC_EV; 1120 } 1121 1122 /* ARGSUSED */ 1123 static au_event_t 1124 aui_openat(au_event_t e) 1125 { 1126 t_audit_data_t *tad = T2A(curthread); 1127 klwp_t *clwp = ttolwp(curthread); 1128 uint_t fm; 1129 1130 struct a { 1131 long filedes; 1132 long fnamep; /* char * */ 1133 long fmode; 1134 long cmode; 1135 } *uap = (struct a *)clwp->lwp_ap; 1136 1137 fm = (uint_t)uap->fmode; 1138 1139 /* 1140 * __openattrdirat() does an extra pathname lookup in order to 1141 * enter the extended system attribute namespace of the referenced 1142 * extended attribute filename. 1143 */ 1144 if (fm & FXATTRDIROPEN) 1145 tad->tad_ctrl |= TAD_MLD; 1146 1147 return (open_event(fm)); 1148 } 1149 1150 static void 1151 aus_openat(struct t_audit_data *tad) 1152 { 1153 klwp_t *clwp = ttolwp(curthread); 1154 uint_t fm; 1155 1156 struct a { 1157 long filedes; 1158 long fnamep; /* char * */ 1159 long fmode; 1160 long cmode; 1161 } *uap = (struct a *)clwp->lwp_ap; 1162 1163 fm = (uint_t)uap->fmode; 1164 1165 /* If no write, create, or trunc modes, mark as a public op */ 1166 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1167 tad->tad_ctrl |= TAD_PUBLIC_EV; 1168 } 1169 1170 static au_event_t 1171 aui_unlinkat(au_event_t e) 1172 { 1173 klwp_t *clwp = ttolwp(curthread); 1174 1175 struct a { 1176 long filedes; 1177 long fnamep; /* char * */ 1178 long flags; 1179 } *uap = (struct a *)clwp->lwp_ap; 1180 1181 if (uap->flags & AT_REMOVEDIR) 1182 e = AUE_RMDIR; 1183 else 1184 e = AUE_UNLINK; 1185 1186 return (e); 1187 } 1188 1189 static au_event_t 1190 aui_fstatat(au_event_t e) 1191 { 1192 klwp_t *clwp = ttolwp(curthread); 1193 1194 struct a { 1195 long filedes; 1196 long fnamep; /* char * */ 1197 long statb; 1198 long flags; 1199 } *uap = (struct a *)clwp->lwp_ap; 1200 1201 if (uap->fnamep == NULL) 1202 e = AUE_FSTAT; 1203 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1204 e = AUE_LSTAT; 1205 else 1206 e = AUE_STAT; 1207 1208 return (e); 1209 } 1210 1211 /* msgsys */ 1212 static au_event_t 1213 aui_msgsys(au_event_t e) 1214 { 1215 klwp_t *clwp = ttolwp(curthread); 1216 uint_t fm; 1217 1218 struct a { 1219 long id; /* function code id */ 1220 long ap; /* arg pointer for recvmsg */ 1221 } *uap = (struct a *)clwp->lwp_ap; 1222 1223 struct b { 1224 long msgid; 1225 long cmd; 1226 long buf; /* struct msqid_ds * */ 1227 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1228 1229 fm = (uint_t)uap->id; 1230 1231 switch (fm) { 1232 case 0: /* msgget */ 1233 e = AUE_MSGGET; 1234 break; 1235 case 1: /* msgctl */ 1236 switch ((uint_t)uap1->cmd) { 1237 case IPC_RMID: 1238 e = AUE_MSGCTL_RMID; 1239 break; 1240 case IPC_SET: 1241 e = AUE_MSGCTL_SET; 1242 break; 1243 case IPC_STAT: 1244 e = AUE_MSGCTL_STAT; 1245 break; 1246 default: 1247 e = AUE_MSGCTL; 1248 break; 1249 } 1250 break; 1251 case 2: /* msgrcv */ 1252 e = AUE_MSGRCV; 1253 break; 1254 case 3: /* msgsnd */ 1255 e = AUE_MSGSND; 1256 break; 1257 default: /* illegal system call */ 1258 e = AUE_NULL; 1259 break; 1260 } 1261 1262 return (e); 1263 } 1264 1265 1266 /* shmsys */ 1267 static au_event_t 1268 aui_shmsys(au_event_t e) 1269 { 1270 klwp_t *clwp = ttolwp(curthread); 1271 int fm; 1272 1273 struct a { /* shmsys */ 1274 long id; /* function code id */ 1275 } *uap = (struct a *)clwp->lwp_ap; 1276 1277 struct b { /* ctrl */ 1278 long shmid; 1279 long cmd; 1280 long arg; /* struct shmid_ds * */ 1281 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1282 fm = (uint_t)uap->id; 1283 1284 switch (fm) { 1285 case 0: /* shmat */ 1286 e = AUE_SHMAT; 1287 break; 1288 case 1: /* shmctl */ 1289 switch ((uint_t)uap1->cmd) { 1290 case IPC_RMID: 1291 e = AUE_SHMCTL_RMID; 1292 break; 1293 case IPC_SET: 1294 e = AUE_SHMCTL_SET; 1295 break; 1296 case IPC_STAT: 1297 e = AUE_SHMCTL_STAT; 1298 break; 1299 default: 1300 e = AUE_SHMCTL; 1301 break; 1302 } 1303 break; 1304 case 2: /* shmdt */ 1305 e = AUE_SHMDT; 1306 break; 1307 case 3: /* shmget */ 1308 e = AUE_SHMGET; 1309 break; 1310 default: /* illegal system call */ 1311 e = AUE_NULL; 1312 break; 1313 } 1314 1315 return (e); 1316 } 1317 1318 1319 /* semsys */ 1320 static au_event_t 1321 aui_semsys(au_event_t e) 1322 { 1323 klwp_t *clwp = ttolwp(curthread); 1324 uint_t fm; 1325 1326 struct a { /* semsys */ 1327 long id; 1328 } *uap = (struct a *)clwp->lwp_ap; 1329 1330 struct b { /* ctrl */ 1331 long semid; 1332 long semnum; 1333 long cmd; 1334 long arg; 1335 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1336 1337 fm = (uint_t)uap->id; 1338 1339 switch (fm) { 1340 case 0: /* semctl */ 1341 switch ((uint_t)uap1->cmd) { 1342 case IPC_RMID: 1343 e = AUE_SEMCTL_RMID; 1344 break; 1345 case IPC_SET: 1346 e = AUE_SEMCTL_SET; 1347 break; 1348 case IPC_STAT: 1349 e = AUE_SEMCTL_STAT; 1350 break; 1351 case GETNCNT: 1352 e = AUE_SEMCTL_GETNCNT; 1353 break; 1354 case GETPID: 1355 e = AUE_SEMCTL_GETPID; 1356 break; 1357 case GETVAL: 1358 e = AUE_SEMCTL_GETVAL; 1359 break; 1360 case GETALL: 1361 e = AUE_SEMCTL_GETALL; 1362 break; 1363 case GETZCNT: 1364 e = AUE_SEMCTL_GETZCNT; 1365 break; 1366 case SETVAL: 1367 e = AUE_SEMCTL_SETVAL; 1368 break; 1369 case SETALL: 1370 e = AUE_SEMCTL_SETALL; 1371 break; 1372 default: 1373 e = AUE_SEMCTL; 1374 break; 1375 } 1376 break; 1377 case 1: /* semget */ 1378 e = AUE_SEMGET; 1379 break; 1380 case 2: /* semop */ 1381 e = AUE_SEMOP; 1382 break; 1383 default: /* illegal system call */ 1384 e = AUE_NULL; 1385 break; 1386 } 1387 1388 return (e); 1389 } 1390 1391 /* utssys - uname(2), ustat(2), fusers(2) */ 1392 static au_event_t 1393 aui_utssys(au_event_t e) 1394 { 1395 klwp_t *clwp = ttolwp(curthread); 1396 uint_t type; 1397 1398 struct a { 1399 union { 1400 long cbuf; /* char * */ 1401 long ubuf; /* struct stat * */ 1402 } ub; 1403 union { 1404 long mv; /* for USTAT */ 1405 long flags; /* for FUSERS */ 1406 } un; 1407 long type; 1408 long outbp; /* char * for FUSERS */ 1409 } *uap = (struct a *)clwp->lwp_ap; 1410 1411 type = (uint_t)uap->type; 1412 1413 if (type == UTS_FUSERS) 1414 return (e); 1415 else 1416 return ((au_event_t)AUE_NULL); 1417 } 1418 1419 static au_event_t 1420 aui_fcntl(au_event_t e) 1421 { 1422 klwp_t *clwp = ttolwp(curthread); 1423 uint_t cmd; 1424 1425 struct a { 1426 long fdes; 1427 long cmd; 1428 long arg; 1429 } *uap = (struct a *)clwp->lwp_ap; 1430 1431 cmd = (uint_t)uap->cmd; 1432 1433 switch (cmd) { 1434 case F_GETLK: 1435 case F_SETLK: 1436 case F_SETLKW: 1437 break; 1438 case F_SETFL: 1439 case F_GETFL: 1440 case F_GETFD: 1441 break; 1442 default: 1443 e = (au_event_t)AUE_NULL; 1444 break; 1445 } 1446 return ((au_event_t)e); 1447 } 1448 1449 /* null function for now */ 1450 static au_event_t 1451 aui_execve(au_event_t e) 1452 { 1453 return (e); 1454 } 1455 1456 /*ARGSUSED*/ 1457 static void 1458 aus_fcntl(struct t_audit_data *tad) 1459 { 1460 klwp_t *clwp = ttolwp(curthread); 1461 uint32_t cmd, fd, flags; 1462 struct file *fp; 1463 struct vnode *vp; 1464 struct f_audit_data *fad; 1465 1466 struct a { 1467 long fd; 1468 long cmd; 1469 long arg; 1470 } *uap = (struct a *)clwp->lwp_ap; 1471 1472 cmd = (uint32_t)uap->cmd; 1473 fd = (uint32_t)uap->fd; 1474 flags = (uint32_t)uap->arg; 1475 1476 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1477 1478 if (cmd == F_SETFL) 1479 au_uwrite(au_to_arg32(3, "flags", flags)); 1480 1481 /* 1482 * convert file pointer to file descriptor 1483 * Note: fd ref count incremented here. 1484 */ 1485 if ((fp = getf(fd)) == NULL) 1486 return; 1487 1488 /* get path from file struct here */ 1489 fad = F2A(fp); 1490 if (fad->fad_aupath != NULL) { 1491 au_uwrite(au_to_path(fad->fad_aupath)); 1492 } else { 1493 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1494 } 1495 1496 vp = fp->f_vnode; 1497 audit_attributes(vp); 1498 1499 /* decrement file descriptor reference count */ 1500 releasef(fd); 1501 } 1502 1503 /*ARGSUSED*/ 1504 static void 1505 aus_kill(struct t_audit_data *tad) 1506 { 1507 klwp_t *clwp = ttolwp(curthread); 1508 struct proc *p; 1509 uint32_t signo; 1510 uid_t uid, ruid; 1511 gid_t gid, rgid; 1512 pid_t pid; 1513 const auditinfo_addr_t *ainfo; 1514 cred_t *cr; 1515 1516 struct a { 1517 long pid; 1518 long signo; 1519 } *uap = (struct a *)clwp->lwp_ap; 1520 1521 pid = (pid_t)uap->pid; 1522 signo = (uint32_t)uap->signo; 1523 1524 au_uwrite(au_to_arg32(2, "signal", signo)); 1525 if (pid > 0) { 1526 mutex_enter(&pidlock); 1527 if (((p = prfind(pid)) == (struct proc *)0) || 1528 (p->p_stat == SIDL)) { 1529 mutex_exit(&pidlock); 1530 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1531 return; 1532 } 1533 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1534 mutex_exit(&pidlock); 1535 1536 mutex_enter(&p->p_crlock); 1537 crhold(cr = p->p_cred); 1538 mutex_exit(&p->p_crlock); 1539 mutex_exit(&p->p_lock); 1540 1541 ainfo = crgetauinfo(cr); 1542 if (ainfo == NULL) { 1543 crfree(cr); 1544 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1545 return; 1546 } 1547 1548 uid = crgetuid(cr); 1549 gid = crgetgid(cr); 1550 ruid = crgetruid(cr); 1551 rgid = crgetrgid(cr); 1552 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1553 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1554 1555 if (is_system_labeled()) 1556 au_uwrite(au_to_label(CR_SL(cr))); 1557 1558 crfree(cr); 1559 } 1560 else 1561 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1562 } 1563 1564 /*ARGSUSED*/ 1565 static void 1566 aus_mkdir(struct t_audit_data *tad) 1567 { 1568 klwp_t *clwp = ttolwp(curthread); 1569 uint32_t dmode; 1570 1571 struct a { 1572 long dirnamep; /* char * */ 1573 long dmode; 1574 } *uap = (struct a *)clwp->lwp_ap; 1575 1576 dmode = (uint32_t)uap->dmode; 1577 1578 au_uwrite(au_to_arg32(2, "mode", dmode)); 1579 } 1580 1581 /*ARGSUSED*/ 1582 static void 1583 aus_mkdirat(struct t_audit_data *tad) 1584 { 1585 klwp_t *clwp = ttolwp(curthread); 1586 uint32_t dmode; 1587 1588 struct a { 1589 long fd; 1590 long dirnamep; /* char * */ 1591 long dmode; 1592 } *uap = (struct a *)clwp->lwp_ap; 1593 1594 dmode = (uint32_t)uap->dmode; 1595 1596 au_uwrite(au_to_arg32(2, "mode", dmode)); 1597 } 1598 1599 /*ARGSUSED*/ 1600 static void 1601 aus_mknod(struct t_audit_data *tad) 1602 { 1603 klwp_t *clwp = ttolwp(curthread); 1604 uint32_t fmode; 1605 dev_t dev; 1606 1607 struct a { 1608 long pnamep; /* char * */ 1609 long fmode; 1610 long dev; 1611 } *uap = (struct a *)clwp->lwp_ap; 1612 1613 fmode = (uint32_t)uap->fmode; 1614 dev = (dev_t)uap->dev; 1615 1616 au_uwrite(au_to_arg32(2, "mode", fmode)); 1617 #ifdef _LP64 1618 au_uwrite(au_to_arg64(3, "dev", dev)); 1619 #else 1620 au_uwrite(au_to_arg32(3, "dev", dev)); 1621 #endif 1622 } 1623 1624 /*ARGSUSED*/ 1625 static void 1626 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1627 { 1628 klwp_t *clwp = ttolwp(curthread); 1629 vnode_t *dvp; 1630 caddr_t pnamep; 1631 1632 struct a { 1633 long pnamep; /* char * */ 1634 long fmode; 1635 long dev; 1636 } *uap = (struct a *)clwp->lwp_ap; 1637 1638 /* no error, then already path token in audit record */ 1639 if (error != EPERM && error != EINVAL) 1640 return; 1641 1642 /* do the lookup to force generation of path token */ 1643 pnamep = (caddr_t)uap->pnamep; 1644 tad->tad_ctrl |= TAD_NOATTRB; 1645 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1646 if (error == 0) 1647 VN_RELE(dvp); 1648 } 1649 1650 /*ARGSUSED*/ 1651 static void 1652 aus_mknodat(struct t_audit_data *tad) 1653 { 1654 klwp_t *clwp = ttolwp(curthread); 1655 uint32_t fmode; 1656 dev_t dev; 1657 1658 struct a { 1659 long fd; 1660 long pnamep; /* char * */ 1661 long fmode; 1662 long dev; 1663 } *uap = (struct a *)clwp->lwp_ap; 1664 1665 fmode = (uint32_t)uap->fmode; 1666 dev = (dev_t)uap->dev; 1667 1668 au_uwrite(au_to_arg32(2, "mode", fmode)); 1669 #ifdef _LP64 1670 au_uwrite(au_to_arg64(3, "dev", dev)); 1671 #else 1672 au_uwrite(au_to_arg32(3, "dev", dev)); 1673 #endif 1674 } 1675 1676 /*ARGSUSED*/ 1677 static void 1678 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval) 1679 { 1680 klwp_t *clwp = ttolwp(curthread); 1681 vnode_t *startvp; 1682 vnode_t *dvp; 1683 caddr_t pnamep; 1684 int fd; 1685 1686 struct a { 1687 long fd; 1688 long pnamep; /* char * */ 1689 long fmode; 1690 long dev; 1691 } *uap = (struct a *)clwp->lwp_ap; 1692 1693 /* no error, then already path token in audit record */ 1694 if (error != EPERM && error != EINVAL) 1695 return; 1696 1697 /* do the lookup to force generation of path token */ 1698 fd = (int)uap->fd; 1699 pnamep = (caddr_t)uap->pnamep; 1700 if (pnamep == NULL || 1701 fgetstartvp(fd, pnamep, &startvp) != 0) 1702 return; 1703 tad->tad_ctrl |= TAD_NOATTRB; 1704 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP, 1705 startvp); 1706 if (error == 0) 1707 VN_RELE(dvp); 1708 if (startvp != NULL) 1709 VN_RELE(startvp); 1710 } 1711 1712 /*ARGSUSED*/ 1713 static void 1714 aus_mount(struct t_audit_data *tad) 1715 { /* AUS_START */ 1716 klwp_t *clwp = ttolwp(curthread); 1717 uint32_t flags; 1718 uintptr_t u_fstype, dataptr; 1719 STRUCT_DECL(nfs_args, nfsargs); 1720 size_t len; 1721 char *fstype, *hostname; 1722 1723 struct a { 1724 long spec; /* char * */ 1725 long dir; /* char * */ 1726 long flags; 1727 long fstype; /* char * */ 1728 long dataptr; /* char * */ 1729 long datalen; 1730 } *uap = (struct a *)clwp->lwp_ap; 1731 1732 u_fstype = (uintptr_t)uap->fstype; 1733 flags = (uint32_t)uap->flags; 1734 dataptr = (uintptr_t)uap->dataptr; 1735 1736 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1737 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1738 goto mount_free_fstype; 1739 1740 au_uwrite(au_to_arg32(3, "flags", flags)); 1741 au_uwrite(au_to_text(fstype)); 1742 1743 if (strncmp(fstype, "nfs", 3) == 0) { 1744 1745 STRUCT_INIT(nfsargs, get_udatamodel()); 1746 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1747 1748 if (copyin((caddr_t)dataptr, 1749 STRUCT_BUF(nfsargs), 1750 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1751 /* DEBUG debug_enter((char *)NULL); */ 1752 goto mount_free_fstype; 1753 } 1754 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1755 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1756 (caddr_t)hostname, 1757 MAXNAMELEN, &len)) { 1758 goto mount_free_hostname; 1759 } 1760 au_uwrite(au_to_text(hostname)); 1761 au_uwrite(au_to_arg32(3, "internal flags", 1762 (uint_t)STRUCT_FGET(nfsargs, flags))); 1763 1764 mount_free_hostname: 1765 kmem_free(hostname, MAXNAMELEN); 1766 } 1767 1768 mount_free_fstype: 1769 kmem_free(fstype, MAXNAMELEN); 1770 } /* AUS_MOUNT */ 1771 1772 static void 1773 aus_umount_path(caddr_t umount_dir) 1774 { 1775 char *dir_path; 1776 struct audit_path *path; 1777 size_t path_len, dir_len; 1778 1779 /* length alloc'd for two string pointers */ 1780 path_len = sizeof (struct audit_path) + sizeof (char *); 1781 path = kmem_alloc(path_len, KM_SLEEP); 1782 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1783 1784 if (copyinstr(umount_dir, (caddr_t)dir_path, 1785 MAXPATHLEN, &dir_len)) 1786 goto umount2_free_dir; 1787 1788 /* 1789 * the audit_path struct assumes that the buffer pointed to 1790 * by audp_sect[n] contains string 0 immediatedly followed 1791 * by string 1. 1792 */ 1793 path->audp_sect[0] = dir_path; 1794 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1795 path->audp_size = path_len; 1796 path->audp_ref = 1; /* not used */ 1797 path->audp_cnt = 1; /* one path string */ 1798 1799 au_uwrite(au_to_path(path)); 1800 1801 umount2_free_dir: 1802 kmem_free(dir_path, MAXPATHLEN); 1803 kmem_free(path, path_len); 1804 } 1805 1806 /*ARGSUSED*/ 1807 static void 1808 aus_umount2(struct t_audit_data *tad) 1809 { 1810 klwp_t *clwp = ttolwp(curthread); 1811 struct a { 1812 long dir; /* char * */ 1813 long flags; 1814 } *uap = (struct a *)clwp->lwp_ap; 1815 1816 aus_umount_path((caddr_t)uap->dir); 1817 1818 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1819 } 1820 1821 static void 1822 aus_msgsys(struct t_audit_data *tad) 1823 { 1824 klwp_t *clwp = ttolwp(curthread); 1825 uint32_t msgid; 1826 1827 struct b { 1828 long msgid; 1829 long cmd; 1830 long buf; /* struct msqid_ds * */ 1831 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1832 1833 msgid = (uint32_t)uap1->msgid; 1834 1835 1836 switch (tad->tad_event) { 1837 case AUE_MSGGET: /* msgget */ 1838 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1839 break; 1840 case AUE_MSGCTL: /* msgctl */ 1841 case AUE_MSGCTL_RMID: /* msgctl */ 1842 case AUE_MSGCTL_SET: /* msgctl */ 1843 case AUE_MSGCTL_STAT: /* msgctl */ 1844 case AUE_MSGRCV: /* msgrcv */ 1845 case AUE_MSGSND: /* msgsnd */ 1846 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1847 break; 1848 } 1849 } 1850 1851 /*ARGSUSED*/ 1852 static void 1853 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1854 { 1855 int id; 1856 1857 if (error != 0) 1858 return; 1859 if (tad->tad_event == AUE_MSGGET) { 1860 uint32_t scid; 1861 uint32_t sy_flags; 1862 1863 /* need to determine type of executing binary */ 1864 scid = tad->tad_scid; 1865 #ifdef _SYSCALL32_IMPL 1866 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1867 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1868 else 1869 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1870 #else 1871 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1872 #endif 1873 if (sy_flags == SE_32RVAL1) 1874 id = rval->r_val1; 1875 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1876 id = rval->r_val1; 1877 if (sy_flags == SE_64RVAL) 1878 id = (int)rval->r_vals; 1879 1880 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1881 } 1882 } 1883 1884 static void 1885 aus_semsys(struct t_audit_data *tad) 1886 { 1887 klwp_t *clwp = ttolwp(curthread); 1888 uint32_t semid; 1889 1890 struct b { /* ctrl */ 1891 long semid; 1892 long semnum; 1893 long cmd; 1894 long arg; 1895 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1896 1897 semid = (uint32_t)uap1->semid; 1898 1899 switch (tad->tad_event) { 1900 case AUE_SEMCTL_RMID: 1901 case AUE_SEMCTL_STAT: 1902 case AUE_SEMCTL_GETNCNT: 1903 case AUE_SEMCTL_GETPID: 1904 case AUE_SEMCTL_GETVAL: 1905 case AUE_SEMCTL_GETALL: 1906 case AUE_SEMCTL_GETZCNT: 1907 case AUE_SEMCTL_SET: 1908 case AUE_SEMCTL_SETVAL: 1909 case AUE_SEMCTL_SETALL: 1910 case AUE_SEMCTL: 1911 case AUE_SEMOP: 1912 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1913 break; 1914 case AUE_SEMGET: 1915 au_uwrite(au_to_arg32(1, "sem key", semid)); 1916 break; 1917 } 1918 } 1919 1920 /*ARGSUSED*/ 1921 static void 1922 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1923 { 1924 int id; 1925 1926 if (error != 0) 1927 return; 1928 if (tad->tad_event == AUE_SEMGET) { 1929 uint32_t scid; 1930 uint32_t sy_flags; 1931 1932 /* need to determine type of executing binary */ 1933 scid = tad->tad_scid; 1934 #ifdef _SYSCALL32_IMPL 1935 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1936 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1937 else 1938 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1939 #else 1940 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1941 #endif 1942 if (sy_flags == SE_32RVAL1) 1943 id = rval->r_val1; 1944 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1945 id = rval->r_val1; 1946 if (sy_flags == SE_64RVAL) 1947 id = (int)rval->r_vals; 1948 1949 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1950 } 1951 } 1952 1953 /*ARGSUSED*/ 1954 static void 1955 aus_close(struct t_audit_data *tad) 1956 { 1957 klwp_t *clwp = ttolwp(curthread); 1958 uint32_t fd; 1959 struct file *fp; 1960 struct f_audit_data *fad; 1961 struct vnode *vp; 1962 struct vattr attr; 1963 au_kcontext_t *kctx = GET_KCTX_PZ; 1964 1965 struct a { 1966 long i; 1967 } *uap = (struct a *)clwp->lwp_ap; 1968 1969 fd = (uint32_t)uap->i; 1970 1971 attr.va_mask = 0; 1972 au_uwrite(au_to_arg32(1, "fd", fd)); 1973 1974 /* 1975 * convert file pointer to file descriptor 1976 * Note: fd ref count incremented here. 1977 */ 1978 if ((fp = getf(fd)) == NULL) 1979 return; 1980 1981 fad = F2A(fp); 1982 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1983 if (fad->fad_aupath != NULL) { 1984 au_uwrite(au_to_path(fad->fad_aupath)); 1985 if ((vp = fp->f_vnode) != NULL) { 1986 attr.va_mask = AT_ALL; 1987 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1988 /* 1989 * When write was not used and the file can be 1990 * considered public, skip the audit. 1991 */ 1992 if (((fp->f_flag & FWRITE) == 0) && 1993 object_is_public(&attr)) { 1994 tad->tad_flag = 0; 1995 tad->tad_evmod = 0; 1996 /* free any residual audit data */ 1997 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 1998 releasef(fd); 1999 return; 2000 } 2001 au_uwrite(au_to_attr(&attr)); 2002 audit_sec_attributes(&(u_ad), vp); 2003 } 2004 } 2005 } 2006 2007 /* decrement file descriptor reference count */ 2008 releasef(fd); 2009 } 2010 2011 /*ARGSUSED*/ 2012 static void 2013 aus_fstatfs(struct t_audit_data *tad) 2014 { 2015 klwp_t *clwp = ttolwp(curthread); 2016 uint32_t fd; 2017 struct file *fp; 2018 struct vnode *vp; 2019 struct f_audit_data *fad; 2020 2021 struct a { 2022 long fd; 2023 long buf; /* struct statfs * */ 2024 } *uap = (struct a *)clwp->lwp_ap; 2025 2026 fd = (uint_t)uap->fd; 2027 2028 /* 2029 * convert file pointer to file descriptor 2030 * Note: fd ref count incremented here. 2031 */ 2032 if ((fp = getf(fd)) == NULL) 2033 return; 2034 2035 /* get path from file struct here */ 2036 fad = F2A(fp); 2037 if (fad->fad_aupath != NULL) { 2038 au_uwrite(au_to_path(fad->fad_aupath)); 2039 } else { 2040 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2041 } 2042 2043 vp = fp->f_vnode; 2044 audit_attributes(vp); 2045 2046 /* decrement file descriptor reference count */ 2047 releasef(fd); 2048 } 2049 2050 static au_event_t 2051 aui_setpgrp(au_event_t e) 2052 { 2053 klwp_t *clwp = ttolwp(curthread); 2054 int flag; 2055 2056 struct a { 2057 long flag; 2058 long pid; 2059 long pgid; 2060 } *uap = (struct a *)clwp->lwp_ap; 2061 2062 flag = (int)uap->flag; 2063 2064 2065 switch (flag) { 2066 2067 case 1: /* setpgrp() */ 2068 e = AUE_SETPGRP; 2069 break; 2070 2071 case 3: /* setsid() */ 2072 e = AUE_SETSID; 2073 break; 2074 2075 case 5: /* setpgid() */ 2076 e = AUE_SETPGID; 2077 break; 2078 2079 case 0: /* getpgrp() - not security relevant */ 2080 case 2: /* getsid() - not security relevant */ 2081 case 4: /* getpgid() - not security relevant */ 2082 e = AUE_NULL; 2083 break; 2084 2085 default: 2086 e = AUE_NULL; 2087 break; 2088 } 2089 2090 return (e); 2091 } 2092 2093 /*ARGSUSED*/ 2094 static void 2095 aus_setpgrp(struct t_audit_data *tad) 2096 { 2097 klwp_t *clwp = ttolwp(curthread); 2098 pid_t pgid; 2099 struct proc *p; 2100 uid_t uid, ruid; 2101 gid_t gid, rgid; 2102 pid_t pid; 2103 cred_t *cr; 2104 int flag; 2105 const auditinfo_addr_t *ainfo; 2106 2107 struct a { 2108 long flag; 2109 long pid; 2110 long pgid; 2111 } *uap = (struct a *)clwp->lwp_ap; 2112 2113 flag = (int)uap->flag; 2114 pid = (pid_t)uap->pid; 2115 pgid = (pid_t)uap->pgid; 2116 2117 2118 switch (flag) { 2119 2120 case 0: /* getpgrp() */ 2121 case 1: /* setpgrp() */ 2122 case 2: /* getsid() */ 2123 case 3: /* setsid() */ 2124 case 4: /* getpgid() */ 2125 break; 2126 2127 case 5: /* setpgid() */ 2128 2129 /* current process? */ 2130 if (pid == 0) { 2131 return; 2132 } 2133 2134 mutex_enter(&pidlock); 2135 p = prfind(pid); 2136 if (p == NULL || p->p_as == &kas || 2137 p->p_stat == SIDL || p->p_stat == SZOMB) { 2138 mutex_exit(&pidlock); 2139 return; 2140 } 2141 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2142 mutex_exit(&pidlock); 2143 2144 mutex_enter(&p->p_crlock); 2145 crhold(cr = p->p_cred); 2146 mutex_exit(&p->p_crlock); 2147 mutex_exit(&p->p_lock); 2148 2149 ainfo = crgetauinfo(cr); 2150 if (ainfo == NULL) { 2151 crfree(cr); 2152 return; 2153 } 2154 2155 uid = crgetuid(cr); 2156 gid = crgetgid(cr); 2157 ruid = crgetruid(cr); 2158 rgid = crgetrgid(cr); 2159 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2160 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2161 crfree(cr); 2162 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2163 break; 2164 2165 default: 2166 break; 2167 } 2168 } 2169 2170 2171 /*ARGSUSED*/ 2172 static void 2173 aus_setregid(struct t_audit_data *tad) 2174 { 2175 klwp_t *clwp = ttolwp(curthread); 2176 uint32_t rgid, egid; 2177 2178 struct a { 2179 long rgid; 2180 long egid; 2181 } *uap = (struct a *)clwp->lwp_ap; 2182 2183 rgid = (uint32_t)uap->rgid; 2184 egid = (uint32_t)uap->egid; 2185 2186 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2187 au_uwrite(au_to_arg32(2, "egid", egid)); 2188 } 2189 2190 /*ARGSUSED*/ 2191 static void 2192 aus_setgid(struct t_audit_data *tad) 2193 { 2194 klwp_t *clwp = ttolwp(curthread); 2195 uint32_t gid; 2196 2197 struct a { 2198 long gid; 2199 } *uap = (struct a *)clwp->lwp_ap; 2200 2201 gid = (uint32_t)uap->gid; 2202 2203 au_uwrite(au_to_arg32(1, "gid", gid)); 2204 } 2205 2206 2207 /*ARGSUSED*/ 2208 static void 2209 aus_setreuid(struct t_audit_data *tad) 2210 { 2211 klwp_t *clwp = ttolwp(curthread); 2212 uint32_t ruid, euid; 2213 2214 struct a { 2215 long ruid; 2216 long euid; 2217 } *uap = (struct a *)clwp->lwp_ap; 2218 2219 ruid = (uint32_t)uap->ruid; 2220 euid = (uint32_t)uap->euid; 2221 2222 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2223 au_uwrite(au_to_arg32(2, "euid", euid)); 2224 } 2225 2226 2227 /*ARGSUSED*/ 2228 static void 2229 aus_setuid(struct t_audit_data *tad) 2230 { 2231 klwp_t *clwp = ttolwp(curthread); 2232 uint32_t uid; 2233 2234 struct a { 2235 long uid; 2236 } *uap = (struct a *)clwp->lwp_ap; 2237 2238 uid = (uint32_t)uap->uid; 2239 2240 au_uwrite(au_to_arg32(1, "uid", uid)); 2241 } 2242 2243 /*ARGSUSED*/ 2244 static void 2245 aus_shmsys(struct t_audit_data *tad) 2246 { 2247 klwp_t *clwp = ttolwp(curthread); 2248 uint32_t id, cmd; 2249 2250 struct b { 2251 long id; 2252 long cmd; 2253 long buf; /* struct shmid_ds * */ 2254 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2255 2256 id = (uint32_t)uap1->id; 2257 cmd = (uint32_t)uap1->cmd; 2258 2259 switch (tad->tad_event) { 2260 case AUE_SHMGET: /* shmget */ 2261 au_uwrite(au_to_arg32(1, "shm key", id)); 2262 break; 2263 case AUE_SHMCTL: /* shmctl */ 2264 case AUE_SHMCTL_RMID: /* shmctl */ 2265 case AUE_SHMCTL_STAT: /* shmctl */ 2266 case AUE_SHMCTL_SET: /* shmctl */ 2267 au_uwrite(au_to_arg32(1, "shm ID", id)); 2268 break; 2269 case AUE_SHMDT: /* shmdt */ 2270 au_uwrite(au_to_arg32(1, "shm adr", id)); 2271 break; 2272 case AUE_SHMAT: /* shmat */ 2273 au_uwrite(au_to_arg32(1, "shm ID", id)); 2274 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2275 break; 2276 } 2277 } 2278 2279 /*ARGSUSED*/ 2280 static void 2281 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2282 { 2283 int id; 2284 2285 if (error != 0) 2286 return; 2287 if (tad->tad_event == AUE_SHMGET) { 2288 uint32_t scid; 2289 uint32_t sy_flags; 2290 2291 /* need to determine type of executing binary */ 2292 scid = tad->tad_scid; 2293 #ifdef _SYSCALL32_IMPL 2294 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2295 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2296 else 2297 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2298 #else 2299 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2300 #endif 2301 if (sy_flags == SE_32RVAL1) 2302 id = rval->r_val1; 2303 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2304 id = rval->r_val1; 2305 if (sy_flags == SE_64RVAL) 2306 id = (int)rval->r_vals; 2307 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2308 } 2309 } 2310 2311 2312 /*ARGSUSED*/ 2313 static void 2314 aus_ioctl(struct t_audit_data *tad) 2315 { 2316 klwp_t *clwp = ttolwp(curthread); 2317 struct file *fp; 2318 struct vnode *vp; 2319 struct f_audit_data *fad; 2320 uint32_t fd, cmd; 2321 uintptr_t cmarg; 2322 2323 /* XX64 */ 2324 struct a { 2325 long fd; 2326 long cmd; 2327 long cmarg; /* caddr_t */ 2328 } *uap = (struct a *)clwp->lwp_ap; 2329 2330 fd = (uint32_t)uap->fd; 2331 cmd = (uint32_t)uap->cmd; 2332 cmarg = (uintptr_t)uap->cmarg; 2333 2334 /* 2335 * convert file pointer to file descriptor 2336 * Note: fd ref count incremented here. 2337 */ 2338 if ((fp = getf(fd)) == NULL) { 2339 au_uwrite(au_to_arg32(1, "fd", fd)); 2340 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2341 #ifndef _LP64 2342 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2343 #else 2344 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2345 #endif 2346 return; 2347 } 2348 2349 /* get path from file struct here */ 2350 fad = F2A(fp); 2351 if (fad->fad_aupath != NULL) { 2352 au_uwrite(au_to_path(fad->fad_aupath)); 2353 } else { 2354 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2355 } 2356 2357 vp = fp->f_vnode; 2358 audit_attributes(vp); 2359 2360 /* decrement file descriptor reference count */ 2361 releasef(fd); 2362 2363 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2364 #ifndef _LP64 2365 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2366 #else 2367 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2368 #endif 2369 } 2370 2371 /* 2372 * null function for memcntl for now. We might want to limit memcntl() 2373 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2374 * require privileges. 2375 */ 2376 static au_event_t 2377 aui_memcntl(au_event_t e) 2378 { 2379 return (e); 2380 } 2381 2382 /*ARGSUSED*/ 2383 static au_event_t 2384 aui_privsys(au_event_t e) 2385 { 2386 klwp_t *clwp = ttolwp(curthread); 2387 2388 struct a { 2389 long opcode; 2390 } *uap = (struct a *)clwp->lwp_ap; 2391 2392 switch (uap->opcode) { 2393 case PRIVSYS_SETPPRIV: 2394 return (AUE_SETPPRIV); 2395 default: 2396 return (AUE_NULL); 2397 } 2398 } 2399 2400 /*ARGSUSED*/ 2401 static void 2402 aus_memcntl(struct t_audit_data *tad) 2403 { 2404 klwp_t *clwp = ttolwp(curthread); 2405 2406 struct a { 2407 long addr; 2408 long len; 2409 long cmd; 2410 long arg; 2411 long attr; 2412 long mask; 2413 } *uap = (struct a *)clwp->lwp_ap; 2414 2415 #ifdef _LP64 2416 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2417 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2418 #else 2419 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2420 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2421 #endif 2422 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2423 #ifdef _LP64 2424 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2425 #else 2426 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2427 #endif 2428 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2429 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2430 } 2431 2432 /*ARGSUSED*/ 2433 static void 2434 aus_mmap(struct t_audit_data *tad) 2435 { 2436 klwp_t *clwp = ttolwp(curthread); 2437 struct file *fp; 2438 struct f_audit_data *fad; 2439 struct vnode *vp; 2440 uint32_t fd; 2441 2442 struct a { 2443 long addr; 2444 long len; 2445 long prot; 2446 long flags; 2447 long fd; 2448 long pos; 2449 } *uap = (struct a *)clwp->lwp_ap; 2450 2451 fd = (uint32_t)uap->fd; 2452 2453 #ifdef _LP64 2454 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2455 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2456 #else 2457 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2458 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2459 #endif 2460 2461 if ((fp = getf(fd)) == NULL) { 2462 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2463 return; 2464 } 2465 2466 /* 2467 * Mark in the tad if write access is NOT requested... if 2468 * this is later detected (in audit_attributes) to be a 2469 * public object, the mmap event may be discarded. 2470 */ 2471 if (((uap->prot) & PROT_WRITE) == 0) { 2472 tad->tad_ctrl |= TAD_PUBLIC_EV; 2473 } 2474 2475 fad = F2A(fp); 2476 if (fad->fad_aupath != NULL) { 2477 au_uwrite(au_to_path(fad->fad_aupath)); 2478 } else { 2479 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2480 } 2481 2482 vp = (struct vnode *)fp->f_vnode; 2483 audit_attributes(vp); 2484 2485 /* mark READ/WRITE since we can't predict access */ 2486 if (uap->prot & PROT_READ) 2487 fad->fad_flags |= FAD_READ; 2488 if (uap->prot & PROT_WRITE) 2489 fad->fad_flags |= FAD_WRITE; 2490 2491 /* decrement file descriptor reference count */ 2492 releasef(fd); 2493 2494 } /* AUS_MMAP */ 2495 2496 2497 2498 2499 /*ARGSUSED*/ 2500 static void 2501 aus_munmap(struct t_audit_data *tad) 2502 { 2503 klwp_t *clwp = ttolwp(curthread); 2504 2505 struct a { 2506 long addr; 2507 long len; 2508 } *uap = (struct a *)clwp->lwp_ap; 2509 2510 #ifdef _LP64 2511 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2512 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2513 #else 2514 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2515 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2516 #endif 2517 2518 } /* AUS_MUNMAP */ 2519 2520 2521 2522 2523 2524 2525 2526 /*ARGSUSED*/ 2527 static void 2528 aus_priocntlsys(struct t_audit_data *tad) 2529 { 2530 klwp_t *clwp = ttolwp(curthread); 2531 2532 struct a { 2533 long pc_version; 2534 long psp; /* procset_t */ 2535 long cmd; 2536 long arg; 2537 } *uap = (struct a *)clwp->lwp_ap; 2538 2539 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2540 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2541 2542 } /* AUS_PRIOCNTLSYS */ 2543 2544 2545 /*ARGSUSED*/ 2546 static void 2547 aus_setegid(struct t_audit_data *tad) 2548 { 2549 klwp_t *clwp = ttolwp(curthread); 2550 uint32_t gid; 2551 2552 struct a { 2553 long gid; 2554 } *uap = (struct a *)clwp->lwp_ap; 2555 2556 gid = (uint32_t)uap->gid; 2557 2558 au_uwrite(au_to_arg32(1, "gid", gid)); 2559 } /* AUS_SETEGID */ 2560 2561 2562 2563 2564 /*ARGSUSED*/ 2565 static void 2566 aus_setgroups(struct t_audit_data *tad) 2567 { 2568 klwp_t *clwp = ttolwp(curthread); 2569 int i; 2570 int gidsetsize; 2571 uintptr_t gidset; 2572 gid_t *gidlist; 2573 2574 struct a { 2575 long gidsetsize; 2576 long gidset; 2577 } *uap = (struct a *)clwp->lwp_ap; 2578 2579 gidsetsize = (uint_t)uap->gidsetsize; 2580 gidset = (uintptr_t)uap->gidset; 2581 2582 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2583 return; 2584 if (gidsetsize != 0) { 2585 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2586 KM_SLEEP); 2587 if (copyin((caddr_t)gidset, gidlist, 2588 gidsetsize * sizeof (gid_t)) == 0) 2589 for (i = 0; i < gidsetsize; i++) 2590 au_uwrite(au_to_arg32(1, "setgroups", 2591 (uint32_t)gidlist[i])); 2592 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2593 } else 2594 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2595 2596 } /* AUS_SETGROUPS */ 2597 2598 2599 2600 2601 2602 /*ARGSUSED*/ 2603 static void 2604 aus_seteuid(struct t_audit_data *tad) 2605 { 2606 klwp_t *clwp = ttolwp(curthread); 2607 uint32_t uid; 2608 2609 struct a { 2610 long uid; 2611 } *uap = (struct a *)clwp->lwp_ap; 2612 2613 uid = (uint32_t)uap->uid; 2614 2615 au_uwrite(au_to_arg32(1, "euid", uid)); 2616 2617 } /* AUS_SETEUID */ 2618 2619 /*ARGSUSED*/ 2620 static void 2621 aus_putmsg(struct t_audit_data *tad) 2622 { 2623 klwp_t *clwp = ttolwp(curthread); 2624 uint32_t fd, pri; 2625 struct file *fp; 2626 struct f_audit_data *fad; 2627 2628 struct a { 2629 long fdes; 2630 long ctl; /* struct strbuf * */ 2631 long data; /* struct strbuf * */ 2632 long pri; 2633 } *uap = (struct a *)clwp->lwp_ap; 2634 2635 fd = (uint32_t)uap->fdes; 2636 pri = (uint32_t)uap->pri; 2637 2638 au_uwrite(au_to_arg32(1, "fd", fd)); 2639 2640 if ((fp = getf(fd)) != NULL) { 2641 fad = F2A(fp); 2642 2643 fad->fad_flags |= FAD_WRITE; 2644 2645 /* add path name to audit record */ 2646 if (fad->fad_aupath != NULL) { 2647 au_uwrite(au_to_path(fad->fad_aupath)); 2648 } 2649 audit_attributes(fp->f_vnode); 2650 2651 releasef(fd); 2652 } 2653 2654 au_uwrite(au_to_arg32(4, "pri", pri)); 2655 } 2656 2657 /*ARGSUSED*/ 2658 static void 2659 aus_putpmsg(struct t_audit_data *tad) 2660 { 2661 klwp_t *clwp = ttolwp(curthread); 2662 uint32_t fd, pri, flags; 2663 struct file *fp; 2664 struct f_audit_data *fad; 2665 2666 struct a { 2667 long fdes; 2668 long ctl; /* struct strbuf * */ 2669 long data; /* struct strbuf * */ 2670 long pri; 2671 long flags; 2672 } *uap = (struct a *)clwp->lwp_ap; 2673 2674 fd = (uint32_t)uap->fdes; 2675 pri = (uint32_t)uap->pri; 2676 flags = (uint32_t)uap->flags; 2677 2678 au_uwrite(au_to_arg32(1, "fd", fd)); 2679 2680 if ((fp = getf(fd)) != NULL) { 2681 fad = F2A(fp); 2682 2683 fad->fad_flags |= FAD_WRITE; 2684 2685 /* add path name to audit record */ 2686 if (fad->fad_aupath != NULL) { 2687 au_uwrite(au_to_path(fad->fad_aupath)); 2688 } 2689 audit_attributes(fp->f_vnode); 2690 2691 releasef(fd); 2692 } 2693 2694 2695 au_uwrite(au_to_arg32(4, "pri", pri)); 2696 au_uwrite(au_to_arg32(5, "flags", flags)); 2697 } 2698 2699 /*ARGSUSED*/ 2700 static void 2701 aus_getmsg(struct t_audit_data *tad) 2702 { 2703 klwp_t *clwp = ttolwp(curthread); 2704 uint32_t fd, pri; 2705 struct file *fp; 2706 struct f_audit_data *fad; 2707 2708 struct a { 2709 long fdes; 2710 long ctl; /* struct strbuf * */ 2711 long data; /* struct strbuf * */ 2712 long pri; 2713 } *uap = (struct a *)clwp->lwp_ap; 2714 2715 fd = (uint32_t)uap->fdes; 2716 pri = (uint32_t)uap->pri; 2717 2718 au_uwrite(au_to_arg32(1, "fd", fd)); 2719 2720 if ((fp = getf(fd)) != NULL) { 2721 fad = F2A(fp); 2722 2723 /* 2724 * read operation on this object 2725 */ 2726 fad->fad_flags |= FAD_READ; 2727 2728 /* add path name to audit record */ 2729 if (fad->fad_aupath != NULL) { 2730 au_uwrite(au_to_path(fad->fad_aupath)); 2731 } 2732 audit_attributes(fp->f_vnode); 2733 2734 releasef(fd); 2735 } 2736 2737 au_uwrite(au_to_arg32(4, "pri", pri)); 2738 } 2739 2740 /*ARGSUSED*/ 2741 static void 2742 aus_getpmsg(struct t_audit_data *tad) 2743 { 2744 klwp_t *clwp = ttolwp(curthread); 2745 uint32_t fd; 2746 struct file *fp; 2747 struct f_audit_data *fad; 2748 2749 struct a { 2750 long fdes; 2751 long ctl; /* struct strbuf * */ 2752 long data; /* struct strbuf * */ 2753 long pri; 2754 long flags; 2755 } *uap = (struct a *)clwp->lwp_ap; 2756 2757 fd = (uint32_t)uap->fdes; 2758 2759 au_uwrite(au_to_arg32(1, "fd", fd)); 2760 2761 if ((fp = getf(fd)) != NULL) { 2762 fad = F2A(fp); 2763 2764 /* 2765 * read operation on this object 2766 */ 2767 fad->fad_flags |= FAD_READ; 2768 2769 /* add path name to audit record */ 2770 if (fad->fad_aupath != NULL) { 2771 au_uwrite(au_to_path(fad->fad_aupath)); 2772 } 2773 audit_attributes(fp->f_vnode); 2774 2775 releasef(fd); 2776 } 2777 } 2778 2779 static au_event_t 2780 aui_labelsys(au_event_t e) 2781 { 2782 klwp_t *clwp = ttolwp(curthread); 2783 uint32_t code; 2784 uint32_t cmd; 2785 2786 struct a { 2787 long code; 2788 long cmd; 2789 } *uap = (struct a *)clwp->lwp_ap; 2790 2791 code = (uint32_t)uap->code; 2792 cmd = (uint32_t)uap->cmd; 2793 2794 /* not security relevant if not changing kernel cache */ 2795 if (cmd == TNDB_GET) 2796 return (AUE_NULL); 2797 2798 switch (code) { 2799 case TSOL_TNRH: 2800 e = AUE_LABELSYS_TNRH; 2801 break; 2802 case TSOL_TNRHTP: 2803 e = AUE_LABELSYS_TNRHTP; 2804 break; 2805 case TSOL_TNMLP: 2806 e = AUE_LABELSYS_TNMLP; 2807 break; 2808 default: 2809 e = AUE_NULL; 2810 break; 2811 } 2812 2813 return (e); 2814 2815 } 2816 2817 static void 2818 aus_labelsys(struct t_audit_data *tad) 2819 { 2820 klwp_t *clwp = ttolwp(curthread); 2821 uint32_t cmd; 2822 uintptr_t a2; 2823 2824 struct a { 2825 long code; 2826 long cmd; 2827 long a2; 2828 } *uap = (struct a *)clwp->lwp_ap; 2829 2830 cmd = (uint32_t)uap->cmd; 2831 a2 = (uintptr_t)uap->a2; 2832 2833 switch (tad->tad_event) { 2834 case AUE_LABELSYS_TNRH: 2835 { 2836 tsol_rhent_t *rhent; 2837 tnaddr_t *rh_addr; 2838 2839 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2840 2841 /* Remaining args don't apply for FLUSH, so skip */ 2842 if (cmd == TNDB_FLUSH) 2843 break; 2844 2845 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2846 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2847 kmem_free(rhent, sizeof (tsol_rhent_t)); 2848 return; 2849 } 2850 2851 rh_addr = &rhent->rh_address; 2852 if (rh_addr->ta_family == AF_INET) { 2853 struct in_addr *ipaddr; 2854 2855 ipaddr = &(rh_addr->ta_addr_v4); 2856 au_uwrite(au_to_in_addr(ipaddr)); 2857 } else if (rh_addr->ta_family == AF_INET6) { 2858 int32_t *ipaddr; 2859 2860 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2861 au_uwrite(au_to_in_addr_ex(ipaddr)); 2862 } 2863 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2864 2865 kmem_free(rhent, sizeof (tsol_rhent_t)); 2866 2867 break; 2868 } 2869 case AUE_LABELSYS_TNRHTP: 2870 { 2871 tsol_tpent_t *tpent; 2872 2873 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2874 2875 /* Remaining args don't apply for FLUSH, so skip */ 2876 if (cmd == TNDB_FLUSH) 2877 break; 2878 2879 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2880 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2881 kmem_free(tpent, sizeof (tsol_tpent_t)); 2882 return; 2883 } 2884 2885 /* Make sure that the template name is null-terminated. */ 2886 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2887 2888 au_uwrite(au_to_text(tpent->name)); 2889 kmem_free(tpent, sizeof (tsol_tpent_t)); 2890 2891 break; 2892 } 2893 case AUE_LABELSYS_TNMLP: 2894 { 2895 tsol_mlpent_t *mlpent; 2896 2897 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2898 2899 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2900 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2901 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2902 return; 2903 } 2904 2905 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2906 au_uwrite(au_to_text("shared")); 2907 } else { 2908 zone_t *zone; 2909 2910 zone = zone_find_by_id(mlpent->tsme_zoneid); 2911 if (zone != NULL) { 2912 au_uwrite(au_to_text(zone->zone_name)); 2913 zone_rele(zone); 2914 } 2915 } 2916 2917 /* Remaining args don't apply for FLUSH, so skip */ 2918 if (cmd == TNDB_FLUSH) { 2919 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2920 break; 2921 } 2922 2923 au_uwrite(au_to_arg32(2, "proto num", 2924 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2925 au_uwrite(au_to_arg32(2, "mlp_port", 2926 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2927 2928 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2929 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2930 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2931 2932 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2933 2934 break; 2935 } 2936 default: 2937 break; 2938 } 2939 } 2940 2941 2942 static au_event_t 2943 aui_auditsys(au_event_t e) 2944 { 2945 klwp_t *clwp = ttolwp(curthread); 2946 uint32_t code; 2947 2948 struct a { 2949 long code; 2950 long a1; 2951 long a2; 2952 long a3; 2953 long a4; 2954 long a5; 2955 long a6; 2956 long a7; 2957 } *uap = (struct a *)clwp->lwp_ap; 2958 2959 code = (uint32_t)uap->code; 2960 2961 switch (code) { 2962 2963 case BSM_GETAUID: 2964 e = AUE_GETAUID; 2965 break; 2966 case BSM_SETAUID: 2967 e = AUE_SETAUID; 2968 break; 2969 case BSM_GETAUDIT: 2970 e = AUE_GETAUDIT; 2971 break; 2972 case BSM_GETAUDIT_ADDR: 2973 e = AUE_GETAUDIT_ADDR; 2974 break; 2975 case BSM_SETAUDIT: 2976 e = AUE_SETAUDIT; 2977 break; 2978 case BSM_SETAUDIT_ADDR: 2979 e = AUE_SETAUDIT_ADDR; 2980 break; 2981 case BSM_AUDIT: 2982 e = AUE_AUDIT; 2983 break; 2984 case BSM_AUDITCTL: 2985 switch ((uint_t)uap->a1) { 2986 2987 case A_GETPOLICY: 2988 e = AUE_AUDITON_GPOLICY; 2989 break; 2990 case A_SETPOLICY: 2991 e = AUE_AUDITON_SPOLICY; 2992 break; 2993 case A_GETAMASK: 2994 e = AUE_AUDITON_GETAMASK; 2995 break; 2996 case A_SETAMASK: 2997 e = AUE_AUDITON_SETAMASK; 2998 break; 2999 case A_GETKMASK: 3000 e = AUE_AUDITON_GETKMASK; 3001 break; 3002 case A_SETKMASK: 3003 e = AUE_AUDITON_SETKMASK; 3004 break; 3005 case A_GETQCTRL: 3006 e = AUE_AUDITON_GQCTRL; 3007 break; 3008 case A_SETQCTRL: 3009 e = AUE_AUDITON_SQCTRL; 3010 break; 3011 case A_GETCWD: 3012 e = AUE_AUDITON_GETCWD; 3013 break; 3014 case A_GETCAR: 3015 e = AUE_AUDITON_GETCAR; 3016 break; 3017 case A_GETSTAT: 3018 e = AUE_AUDITON_GETSTAT; 3019 break; 3020 case A_SETSTAT: 3021 e = AUE_AUDITON_SETSTAT; 3022 break; 3023 case A_SETUMASK: 3024 e = AUE_AUDITON_SETUMASK; 3025 break; 3026 case A_SETSMASK: 3027 e = AUE_AUDITON_SETSMASK; 3028 break; 3029 case A_GETCOND: 3030 e = AUE_AUDITON_GETCOND; 3031 break; 3032 case A_SETCOND: 3033 e = AUE_AUDITON_SETCOND; 3034 break; 3035 case A_GETCLASS: 3036 e = AUE_AUDITON_GETCLASS; 3037 break; 3038 case A_SETCLASS: 3039 e = AUE_AUDITON_SETCLASS; 3040 break; 3041 default: 3042 e = AUE_NULL; 3043 break; 3044 } 3045 break; 3046 default: 3047 e = AUE_NULL; 3048 break; 3049 } 3050 3051 return (e); 3052 3053 } /* AUI_AUDITSYS */ 3054 3055 3056 static void 3057 aus_auditsys(struct t_audit_data *tad) 3058 { 3059 klwp_t *clwp = ttolwp(curthread); 3060 uintptr_t a1, a2; 3061 STRUCT_DECL(auditinfo, ainfo); 3062 STRUCT_DECL(auditinfo_addr, ainfo_addr); 3063 au_evclass_map_t event; 3064 au_mask_t mask; 3065 int auditstate, policy; 3066 au_id_t auid; 3067 3068 3069 struct a { 3070 long code; 3071 long a1; 3072 long a2; 3073 long a3; 3074 long a4; 3075 long a5; 3076 long a6; 3077 long a7; 3078 } *uap = (struct a *)clwp->lwp_ap; 3079 3080 a1 = (uintptr_t)uap->a1; 3081 a2 = (uintptr_t)uap->a2; 3082 3083 switch (tad->tad_event) { 3084 case AUE_SETAUID: 3085 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 3086 return; 3087 au_uwrite(au_to_arg32(2, "setauid", auid)); 3088 break; 3089 case AUE_SETAUDIT: 3090 STRUCT_INIT(ainfo, get_udatamodel()); 3091 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 3092 STRUCT_SIZE(ainfo))) { 3093 return; 3094 } 3095 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 3096 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 3097 #ifdef _LP64 3098 au_uwrite(au_to_arg64((char)1, "setaudit:port", 3099 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 3100 #else 3101 au_uwrite(au_to_arg32((char)1, "setaudit:port", 3102 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 3103 #endif 3104 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 3105 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 3106 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 3107 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3108 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 3109 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3110 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 3111 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 3112 break; 3113 case AUE_SETAUDIT_ADDR: 3114 STRUCT_INIT(ainfo_addr, get_udatamodel()); 3115 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 3116 STRUCT_SIZE(ainfo_addr))) { 3117 return; 3118 } 3119 au_uwrite(au_to_arg32((char)1, "auid", 3120 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 3121 #ifdef _LP64 3122 au_uwrite(au_to_arg64((char)1, "port", 3123 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3124 #else 3125 au_uwrite(au_to_arg32((char)1, "port", 3126 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3127 #endif 3128 au_uwrite(au_to_arg32((char)1, "type", 3129 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 3130 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 3131 AU_IPv4) { 3132 au_uwrite(au_to_in_addr( 3133 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 3134 ai_termid.at_addr))); 3135 } else { 3136 au_uwrite(au_to_in_addr_ex( 3137 (int32_t *)STRUCT_FGETP(ainfo_addr, 3138 ai_termid.at_addr))); 3139 } 3140 au_uwrite(au_to_arg32((char)1, "as_success", 3141 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3142 au_uwrite(au_to_arg32((char)1, "as_failure", 3143 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3144 au_uwrite(au_to_arg32((char)1, "asid", 3145 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3146 break; 3147 case AUE_AUDITON_SETAMASK: 3148 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3149 return; 3150 au_uwrite(au_to_arg32( 3151 2, "setamask:as_success", (uint32_t)mask.as_success)); 3152 au_uwrite(au_to_arg32( 3153 2, "setamask:as_failure", (uint32_t)mask.as_failure)); 3154 break; 3155 case AUE_AUDITON_SETKMASK: 3156 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3157 return; 3158 au_uwrite(au_to_arg32( 3159 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3160 au_uwrite(au_to_arg32( 3161 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3162 break; 3163 case AUE_AUDITON_SPOLICY: 3164 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3165 return; 3166 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3167 break; 3168 case AUE_AUDITON_SQCTRL: { 3169 STRUCT_DECL(au_qctrl, qctrl); 3170 model_t model; 3171 3172 model = get_udatamodel(); 3173 STRUCT_INIT(qctrl, model); 3174 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3175 return; 3176 if (model == DATAMODEL_ILP32) { 3177 au_uwrite(au_to_arg32( 3178 3, "setqctrl:aq_hiwater", 3179 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3180 au_uwrite(au_to_arg32( 3181 3, "setqctrl:aq_lowater", 3182 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3183 au_uwrite(au_to_arg32( 3184 3, "setqctrl:aq_bufsz", 3185 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3186 au_uwrite(au_to_arg32( 3187 3, "setqctrl:aq_delay", 3188 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3189 } else { 3190 au_uwrite(au_to_arg64( 3191 3, "setqctrl:aq_hiwater", 3192 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3193 au_uwrite(au_to_arg64( 3194 3, "setqctrl:aq_lowater", 3195 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3196 au_uwrite(au_to_arg64( 3197 3, "setqctrl:aq_bufsz", 3198 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3199 au_uwrite(au_to_arg64( 3200 3, "setqctrl:aq_delay", 3201 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3202 } 3203 break; 3204 } 3205 case AUE_AUDITON_SETUMASK: 3206 STRUCT_INIT(ainfo, get_udatamodel()); 3207 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3208 STRUCT_SIZE(ainfo))) { 3209 return; 3210 } 3211 au_uwrite(au_to_arg32(3, "setumask:as_success", 3212 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3213 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3214 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3215 break; 3216 case AUE_AUDITON_SETSMASK: 3217 STRUCT_INIT(ainfo, get_udatamodel()); 3218 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3219 STRUCT_SIZE(ainfo))) { 3220 return; 3221 } 3222 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3223 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3224 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3225 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3226 break; 3227 case AUE_AUDITON_SETCOND: 3228 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3229 return; 3230 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3231 break; 3232 case AUE_AUDITON_SETCLASS: 3233 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3234 return; 3235 au_uwrite(au_to_arg32( 3236 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3237 au_uwrite(au_to_arg32( 3238 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3239 break; 3240 case AUE_GETAUID: 3241 case AUE_GETAUDIT: 3242 case AUE_GETAUDIT_ADDR: 3243 case AUE_AUDIT: 3244 case AUE_AUDITON_GPOLICY: 3245 case AUE_AUDITON_GQCTRL: 3246 case AUE_AUDITON_GETAMASK: 3247 case AUE_AUDITON_GETKMASK: 3248 case AUE_AUDITON_GETCWD: 3249 case AUE_AUDITON_GETCAR: 3250 case AUE_AUDITON_GETSTAT: 3251 case AUE_AUDITON_SETSTAT: 3252 case AUE_AUDITON_GETCOND: 3253 case AUE_AUDITON_GETCLASS: 3254 break; 3255 default: 3256 break; 3257 } 3258 3259 } /* AUS_AUDITSYS */ 3260 3261 3262 /* only audit privileged operations for systeminfo(2) system call */ 3263 static au_event_t 3264 aui_sysinfo(au_event_t e) 3265 { 3266 klwp_t *clwp = ttolwp(curthread); 3267 uint32_t command; 3268 3269 struct a { 3270 long command; 3271 long buf; /* char * */ 3272 long count; 3273 } *uap = (struct a *)clwp->lwp_ap; 3274 3275 command = (uint32_t)uap->command; 3276 3277 switch (command) { 3278 case SI_SET_HOSTNAME: 3279 case SI_SET_SRPC_DOMAIN: 3280 e = (au_event_t)AUE_SYSINFO; 3281 break; 3282 default: 3283 e = (au_event_t)AUE_NULL; 3284 break; 3285 } 3286 return (e); 3287 } 3288 3289 /*ARGSUSED*/ 3290 static void 3291 aus_sysinfo(struct t_audit_data *tad) 3292 { 3293 klwp_t *clwp = ttolwp(curthread); 3294 uint32_t command; 3295 size_t len, maxlen; 3296 char *name; 3297 uintptr_t buf; 3298 3299 struct a { 3300 long command; 3301 long buf; /* char * */ 3302 long count; 3303 } *uap = (struct a *)clwp->lwp_ap; 3304 3305 command = (uint32_t)uap->command; 3306 buf = (uintptr_t)uap->buf; 3307 3308 au_uwrite(au_to_arg32(1, "cmd", command)); 3309 3310 switch (command) { 3311 case SI_SET_HOSTNAME: 3312 { 3313 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3314 return; 3315 3316 maxlen = SYS_NMLN; 3317 name = kmem_alloc(maxlen, KM_SLEEP); 3318 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3319 break; 3320 3321 /* 3322 * Must be non-NULL string and string 3323 * must be less than SYS_NMLN chars. 3324 */ 3325 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3326 break; 3327 3328 au_uwrite(au_to_text(name)); 3329 break; 3330 } 3331 3332 case SI_SET_SRPC_DOMAIN: 3333 { 3334 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3335 return; 3336 3337 maxlen = SYS_NMLN; 3338 name = kmem_alloc(maxlen, KM_SLEEP); 3339 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3340 break; 3341 3342 /* 3343 * If string passed in is longer than length 3344 * allowed for domain name, fail. 3345 */ 3346 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3347 break; 3348 3349 au_uwrite(au_to_text(name)); 3350 break; 3351 } 3352 3353 default: 3354 return; 3355 } 3356 3357 kmem_free(name, maxlen); 3358 } 3359 3360 static au_event_t 3361 aui_modctl(au_event_t e) 3362 { 3363 klwp_t *clwp = ttolwp(curthread); 3364 uint_t cmd; 3365 3366 struct a { 3367 long cmd; 3368 } *uap = (struct a *)clwp->lwp_ap; 3369 3370 cmd = (uint_t)uap->cmd; 3371 3372 switch (cmd) { 3373 case MODLOAD: 3374 e = AUE_MODLOAD; 3375 break; 3376 case MODUNLOAD: 3377 e = AUE_MODUNLOAD; 3378 break; 3379 case MODADDMAJBIND: 3380 e = AUE_MODADDMAJ; 3381 break; 3382 case MODSETDEVPOLICY: 3383 e = AUE_MODDEVPLCY; 3384 break; 3385 case MODALLOCPRIV: 3386 e = AUE_MODADDPRIV; 3387 break; 3388 default: 3389 e = AUE_NULL; 3390 break; 3391 } 3392 return (e); 3393 } 3394 3395 3396 /*ARGSUSED*/ 3397 static void 3398 aus_modctl(struct t_audit_data *tad) 3399 { 3400 klwp_t *clwp = ttolwp(curthread); 3401 void *a = clwp->lwp_ap; 3402 uint_t use_path; 3403 3404 switch (tad->tad_event) { 3405 case AUE_MODLOAD: { 3406 typedef struct { 3407 long cmd; 3408 long use_path; 3409 long filename; /* char * */ 3410 } modloada_t; 3411 3412 char *filenamep; 3413 uintptr_t fname; 3414 extern char *default_path; 3415 3416 fname = (uintptr_t)((modloada_t *)a)->filename; 3417 use_path = (uint_t)((modloada_t *)a)->use_path; 3418 3419 /* space to hold path */ 3420 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3421 /* get string */ 3422 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3423 /* free allocated path */ 3424 kmem_free(filenamep, MOD_MAXPATH); 3425 return; 3426 } 3427 /* ensure it's null terminated */ 3428 filenamep[MOD_MAXPATH - 1] = 0; 3429 3430 if (use_path) 3431 au_uwrite(au_to_text(default_path)); 3432 au_uwrite(au_to_text(filenamep)); 3433 3434 /* release temporary memory */ 3435 kmem_free(filenamep, MOD_MAXPATH); 3436 break; 3437 } 3438 case AUE_MODUNLOAD: { 3439 typedef struct { 3440 long cmd; 3441 long id; 3442 } modunloada_t; 3443 3444 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3445 3446 au_uwrite(au_to_arg32(1, "id", id)); 3447 break; 3448 } 3449 case AUE_MODADDMAJ: { 3450 STRUCT_DECL(modconfig, mc); 3451 typedef struct { 3452 long cmd; 3453 long subcmd; 3454 long data; /* int * */ 3455 } modconfiga_t; 3456 3457 STRUCT_DECL(aliases, alias); 3458 caddr_t ap; 3459 int i, num_aliases; 3460 char *drvname, *mc_drvname; 3461 char *name; 3462 extern char *ddi_major_to_name(major_t); 3463 model_t model; 3464 3465 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3466 3467 model = get_udatamodel(); 3468 STRUCT_INIT(mc, model); 3469 /* sanitize buffer */ 3470 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3471 /* get user arguments */ 3472 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3473 STRUCT_SIZE(mc)) != 0) 3474 return; 3475 3476 mc_drvname = STRUCT_FGET(mc, drvname); 3477 if ((drvname = ddi_major_to_name( 3478 (major_t)STRUCT_FGET(mc, major))) != NULL && 3479 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3480 /* safety */ 3481 if (mc_drvname[0] != '\0') { 3482 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3483 au_uwrite(au_to_text(mc_drvname)); 3484 } 3485 /* drvname != NULL from test above */ 3486 au_uwrite(au_to_text(drvname)); 3487 return; 3488 } 3489 3490 if (mc_drvname[0] != '\0') { 3491 /* safety */ 3492 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3493 au_uwrite(au_to_text(mc_drvname)); 3494 } else 3495 au_uwrite(au_to_text("no drvname")); 3496 3497 num_aliases = STRUCT_FGET(mc, num_aliases); 3498 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3499 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3500 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3501 STRUCT_INIT(alias, model); 3502 for (i = 0; i < num_aliases; i++) { 3503 bzero((caddr_t)STRUCT_BUF(alias), 3504 STRUCT_SIZE(alias)); 3505 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3506 STRUCT_SIZE(alias)) != 0) 3507 break; 3508 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3509 MAXMODCONFNAME, NULL) != 0) { 3510 break; 3511 } 3512 3513 au_uwrite(au_to_text(name)); 3514 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3515 } 3516 kmem_free(name, MAXMODCONFNAME); 3517 break; 3518 } 3519 default: 3520 break; 3521 } 3522 } 3523 3524 3525 /*ARGSUSED*/ 3526 static void 3527 auf_accept( 3528 struct t_audit_data *tad, 3529 int error, 3530 rval_t *rval) 3531 { 3532 uint32_t scid; 3533 uint32_t sy_flags; 3534 int fd; 3535 struct sonode *so; 3536 char so_laddr[sizeof (struct sockaddr_in6)]; 3537 char so_faddr[sizeof (struct sockaddr_in6)]; 3538 int err; 3539 short so_family, so_type; 3540 int add_sock_token = 0; 3541 3542 /* need to determine type of executing binary */ 3543 scid = tad->tad_scid; 3544 #ifdef _SYSCALL32_IMPL 3545 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3546 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3547 else 3548 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3549 #else 3550 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3551 #endif 3552 if (sy_flags == SE_32RVAL1) 3553 fd = rval->r_val1; 3554 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3555 fd = rval->r_val1; 3556 if (sy_flags == SE_64RVAL) 3557 fd = (int)rval->r_vals; 3558 3559 if (error) { 3560 /* can't trust socket contents. Just return */ 3561 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3562 return; 3563 } 3564 3565 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3566 /* 3567 * not security relevant if doing a accept from non socket 3568 * so no extra tokens. Should probably turn off audit record 3569 * generation here. 3570 */ 3571 return; 3572 } 3573 3574 so_family = so->so_family; 3575 so_type = so->so_type; 3576 3577 switch (so_family) { 3578 case AF_INET: 3579 case AF_INET6: 3580 /* 3581 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3582 */ 3583 if (so->so_type == SOCK_STREAM) { 3584 socklen_t len; 3585 3586 bzero((void *)so_laddr, sizeof (so_laddr)); 3587 bzero((void *)so_faddr, sizeof (so_faddr)); 3588 3589 len = sizeof (so_laddr); 3590 (void) socket_getsockname(so, 3591 (struct sockaddr *)so_laddr, &len, CRED()); 3592 len = sizeof (so_faddr); 3593 (void) socket_getpeername(so, 3594 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3595 3596 add_sock_token = 1; 3597 } 3598 break; 3599 3600 default: 3601 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3602 break; 3603 } 3604 3605 releasef(fd); 3606 3607 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3608 3609 if (add_sock_token == 0) { 3610 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3611 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3612 return; 3613 } 3614 3615 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3616 3617 } 3618 3619 /*ARGSUSED*/ 3620 static void 3621 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3622 { 3623 struct a { 3624 long fd; 3625 long addr; 3626 long len; 3627 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3628 3629 struct sonode *so; 3630 char so_laddr[sizeof (struct sockaddr_in6)]; 3631 char so_faddr[sizeof (struct sockaddr_in6)]; 3632 int err, fd; 3633 socklen_t len; 3634 short so_family, so_type; 3635 int add_sock_token = 0; 3636 3637 fd = (int)uap->fd; 3638 3639 /* 3640 * bind failed, then nothing extra to add to audit record. 3641 */ 3642 if (error) { 3643 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3644 /* XXX may want to add failed address some day */ 3645 return; 3646 } 3647 3648 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3649 /* 3650 * not security relevant if doing a bind from non socket 3651 * so no extra tokens. Should probably turn off audit record 3652 * generation here. 3653 */ 3654 return; 3655 } 3656 3657 so_family = so->so_family; 3658 so_type = so->so_type; 3659 3660 switch (so_family) { 3661 case AF_INET: 3662 case AF_INET6: 3663 3664 bzero(so_faddr, sizeof (so_faddr)); 3665 len = sizeof (so_faddr); 3666 3667 (void) socket_getpeername(so, 3668 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3669 add_sock_token = 1; 3670 3671 break; 3672 3673 case AF_UNIX: 3674 /* token added by lookup */ 3675 break; 3676 default: 3677 /* AF_ROUTE, AF_KEY do not support accept */ 3678 break; 3679 } 3680 3681 releasef(fd); 3682 3683 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3684 3685 if (add_sock_token == 0) { 3686 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3687 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3688 return; 3689 } 3690 3691 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3692 3693 } 3694 3695 /*ARGSUSED*/ 3696 static void 3697 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3698 { 3699 struct a { 3700 long fd; 3701 long addr; 3702 long len; 3703 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3704 3705 struct sonode *so; 3706 char so_laddr[sizeof (struct sockaddr_in6)]; 3707 char so_faddr[sizeof (struct sockaddr_in6)]; 3708 int err, fd; 3709 socklen_t len; 3710 short so_family, so_type; 3711 int add_sock_token = 0; 3712 3713 fd = (int)uap->fd; 3714 3715 3716 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3717 /* 3718 * not security relevant if doing a connect from non socket 3719 * so no extra tokens. Should probably turn off audit record 3720 * generation here. 3721 */ 3722 return; 3723 } 3724 3725 so_family = so->so_family; 3726 so_type = so->so_type; 3727 3728 switch (so_family) { 3729 case AF_INET: 3730 case AF_INET6: 3731 3732 bzero(so_laddr, sizeof (so_laddr)); 3733 bzero(so_faddr, sizeof (so_faddr)); 3734 3735 len = sizeof (so_laddr); 3736 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3737 &len, CRED()); 3738 if (error) { 3739 if (uap->addr == NULL) 3740 break; 3741 if (uap->len <= 0) 3742 break; 3743 len = min(uap->len, sizeof (so_faddr)); 3744 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3745 break; 3746 #ifdef NOTYET 3747 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3748 #endif 3749 } else { 3750 /* sanity check on length */ 3751 len = sizeof (so_faddr); 3752 (void) socket_getpeername(so, 3753 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3754 } 3755 3756 add_sock_token = 1; 3757 3758 break; 3759 3760 case AF_UNIX: 3761 /* does a lookup on name */ 3762 break; 3763 3764 default: 3765 /* AF_ROUTE, AF_KEY do not support accept */ 3766 break; 3767 } 3768 3769 releasef(fd); 3770 3771 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3772 3773 if (add_sock_token == 0) { 3774 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3775 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3776 return; 3777 } 3778 3779 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3780 3781 } 3782 3783 /*ARGSUSED*/ 3784 static void 3785 aus_shutdown(struct t_audit_data *tad) 3786 { 3787 struct a { 3788 long fd; 3789 long how; 3790 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3791 3792 struct sonode *so; 3793 char so_laddr[sizeof (struct sockaddr_in6)]; 3794 char so_faddr[sizeof (struct sockaddr_in6)]; 3795 int err, fd; 3796 socklen_t len; 3797 short so_family, so_type; 3798 int add_sock_token = 0; 3799 file_t *fp; /* unix domain sockets */ 3800 struct f_audit_data *fad; /* unix domain sockets */ 3801 3802 fd = (int)uap->fd; 3803 3804 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3805 /* 3806 * not security relevant if doing a shutdown using non socket 3807 * so no extra tokens. Should probably turn off audit record 3808 * generation here. 3809 */ 3810 return; 3811 } 3812 3813 so_family = so->so_family; 3814 so_type = so->so_type; 3815 3816 switch (so_family) { 3817 case AF_INET: 3818 case AF_INET6: 3819 3820 bzero(so_laddr, sizeof (so_laddr)); 3821 bzero(so_faddr, sizeof (so_faddr)); 3822 3823 len = sizeof (so_laddr); 3824 (void) socket_getsockname(so, 3825 (struct sockaddr *)so_laddr, &len, CRED()); 3826 len = sizeof (so_faddr); 3827 (void) socket_getpeername(so, 3828 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3829 3830 add_sock_token = 1; 3831 3832 break; 3833 3834 case AF_UNIX: 3835 3836 /* get path from file struct here */ 3837 fad = F2A(fp); 3838 ASSERT(fad); 3839 3840 if (fad->fad_aupath != NULL) { 3841 au_uwrite(au_to_path(fad->fad_aupath)); 3842 } else { 3843 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3844 } 3845 3846 audit_attributes(fp->f_vnode); 3847 3848 break; 3849 3850 default: 3851 /* 3852 * AF_KEY and AF_ROUTE support shutdown. No socket token 3853 * added. 3854 */ 3855 break; 3856 } 3857 3858 releasef(fd); 3859 3860 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3861 3862 if (add_sock_token == 0) { 3863 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3864 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3865 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3866 return; 3867 } 3868 3869 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3870 3871 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3872 3873 } 3874 3875 /*ARGSUSED*/ 3876 static void 3877 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3878 { 3879 struct a { 3880 long fd; 3881 long level; 3882 long optname; 3883 long *optval; 3884 long optlen; 3885 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3886 3887 struct sonode *so; 3888 char so_laddr[sizeof (struct sockaddr_in6)]; 3889 char so_faddr[sizeof (struct sockaddr_in6)]; 3890 char val[AU_BUFSIZE]; 3891 int err, fd; 3892 socklen_t len; 3893 short so_family, so_type; 3894 int add_sock_token = 0; 3895 file_t *fp; /* unix domain sockets */ 3896 struct f_audit_data *fad; /* unix domain sockets */ 3897 3898 fd = (int)uap->fd; 3899 3900 if (error) { 3901 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3902 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3903 /* XXX may want to include other arguments */ 3904 return; 3905 } 3906 3907 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3908 /* 3909 * not security relevant if doing a setsockopt from non socket 3910 * so no extra tokens. Should probably turn off audit record 3911 * generation here. 3912 */ 3913 return; 3914 } 3915 3916 so_family = so->so_family; 3917 so_type = so->so_type; 3918 3919 switch (so_family) { 3920 case AF_INET: 3921 case AF_INET6: 3922 bzero((void *)so_laddr, sizeof (so_laddr)); 3923 bzero((void *)so_faddr, sizeof (so_faddr)); 3924 3925 /* get local and foreign addresses */ 3926 len = sizeof (so_laddr); 3927 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3928 &len, CRED()); 3929 len = sizeof (so_faddr); 3930 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3931 &len, B_FALSE, CRED()); 3932 3933 add_sock_token = 1; 3934 3935 break; 3936 3937 case AF_UNIX: 3938 3939 /* get path from file struct here */ 3940 fad = F2A(fp); 3941 ASSERT(fad); 3942 3943 if (fad->fad_aupath != NULL) { 3944 au_uwrite(au_to_path(fad->fad_aupath)); 3945 } else { 3946 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3947 } 3948 3949 audit_attributes(fp->f_vnode); 3950 3951 break; 3952 3953 default: 3954 /* 3955 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3956 * added. 3957 */ 3958 break; 3959 } 3960 3961 releasef(fd); 3962 3963 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3964 3965 if (add_sock_token == 0) { 3966 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3967 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3968 } 3969 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3970 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3971 3972 bzero(val, sizeof (val)); 3973 len = min(uap->optlen, sizeof (val)); 3974 if ((len > 0) && 3975 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3976 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3977 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3978 } 3979 3980 if (add_sock_token == 0) 3981 return; 3982 3983 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3984 3985 } 3986 3987 /*ARGSUSED*/ 3988 static void 3989 aus_sockconfig(tad) 3990 struct t_audit_data *tad; 3991 { 3992 struct a { 3993 long cmd; 3994 long arg1; 3995 long arg2; 3996 long arg3; 3997 long arg4; 3998 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3999 4000 char *buf; 4001 int buflen; 4002 size_t size; 4003 4004 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4005 switch (uap->cmd) { 4006 case SOCKCONFIG_ADD_SOCK: 4007 case SOCKCONFIG_REMOVE_SOCK: 4008 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1)); 4009 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2)); 4010 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3)); 4011 4012 if (uap->arg4 == 0) { 4013 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0)); 4014 } else { 4015 buflen = MAXPATHLEN + 1; 4016 buf = kmem_alloc(buflen, KM_SLEEP); 4017 if (copyinstr((caddr_t)uap->arg4, buf, buflen, 4018 &size)) { 4019 kmem_free(buf, buflen); 4020 return; 4021 } 4022 4023 if (size > MAXPATHLEN) { 4024 kmem_free(buf, buflen); 4025 return; 4026 } 4027 4028 au_uwrite(au_to_text(buf)); 4029 kmem_free(buf, buflen); 4030 } 4031 break; 4032 case SOCKCONFIG_ADD_FILTER: 4033 case SOCKCONFIG_REMOVE_FILTER: 4034 buflen = FILNAME_MAX; 4035 buf = kmem_alloc(buflen, KM_SLEEP); 4036 4037 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) { 4038 kmem_free(buf, buflen); 4039 return; 4040 } 4041 4042 au_uwrite(au_to_text(buf)); 4043 kmem_free(buf, buflen); 4044 break; 4045 default: 4046 break; 4047 } 4048 } 4049 4050 /* 4051 * only audit recvmsg when the system call represents the creation of a new 4052 * circuit. This effectively occurs for all UDP packets and may occur for 4053 * special TCP situations where the local host has not set a local address 4054 * in the socket structure. 4055 */ 4056 /*ARGSUSED*/ 4057 static void 4058 auf_recvmsg( 4059 struct t_audit_data *tad, 4060 int error, 4061 rval_t *rvp) 4062 { 4063 struct a { 4064 long fd; 4065 long msg; /* struct msghdr */ 4066 long flags; 4067 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4068 4069 struct sonode *so; 4070 STRUCT_DECL(msghdr, msg); 4071 caddr_t msg_name; 4072 socklen_t msg_namelen; 4073 int fd; 4074 int err; 4075 char so_laddr[sizeof (struct sockaddr_in6)]; 4076 char so_faddr[sizeof (struct sockaddr_in6)]; 4077 socklen_t len; 4078 file_t *fp; /* unix domain sockets */ 4079 struct f_audit_data *fad; /* unix domain sockets */ 4080 short so_family, so_type; 4081 int add_sock_token = 0; 4082 au_kcontext_t *kctx = GET_KCTX_PZ; 4083 4084 fd = (int)uap->fd; 4085 4086 /* bail if an error */ 4087 if (error) { 4088 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4089 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4090 return; 4091 } 4092 4093 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4094 /* 4095 * not security relevant if doing a recvmsg from non socket 4096 * so no extra tokens. Should probably turn off audit record 4097 * generation here. 4098 */ 4099 return; 4100 } 4101 4102 so_family = so->so_family; 4103 so_type = so->so_type; 4104 4105 /* 4106 * only putout SOCKET_EX token if INET/INET6 family. 4107 * XXX - what do we do about other families? 4108 */ 4109 4110 switch (so_family) { 4111 case AF_INET: 4112 case AF_INET6: 4113 4114 /* 4115 * if datagram type socket, then just use what is in 4116 * socket structure for local address. 4117 * XXX - what do we do for other types? 4118 */ 4119 if ((so->so_type == SOCK_DGRAM) || 4120 (so->so_type == SOCK_RAW)) { 4121 add_sock_token = 1; 4122 4123 bzero((void *)so_laddr, sizeof (so_laddr)); 4124 bzero((void *)so_faddr, sizeof (so_faddr)); 4125 4126 /* get local address */ 4127 len = sizeof (so_laddr); 4128 (void) socket_getsockname(so, 4129 (struct sockaddr *)so_laddr, &len, CRED()); 4130 4131 /* get peer address */ 4132 STRUCT_INIT(msg, get_udatamodel()); 4133 4134 if (copyin((caddr_t)(uap->msg), 4135 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4136 break; 4137 } 4138 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4139 if (msg_name == NULL) { 4140 break; 4141 } 4142 4143 /* length is value from recvmsg - sanity check */ 4144 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4145 if (msg_namelen == 0) { 4146 break; 4147 } 4148 if (copyin(msg_name, so_faddr, 4149 sizeof (so_faddr)) != 0) { 4150 break; 4151 } 4152 4153 } else if (so->so_type == SOCK_STREAM) { 4154 4155 /* get path from file struct here */ 4156 fad = F2A(fp); 4157 ASSERT(fad); 4158 4159 /* 4160 * already processed this file for read attempt 4161 */ 4162 if (fad->fad_flags & FAD_READ) { 4163 /* don't want to audit every recvmsg attempt */ 4164 tad->tad_flag = 0; 4165 /* free any residual audit data */ 4166 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4167 releasef(fd); 4168 return; 4169 } 4170 /* 4171 * mark things so we know what happened and don't 4172 * repeat things 4173 */ 4174 fad->fad_flags |= FAD_READ; 4175 4176 bzero((void *)so_laddr, sizeof (so_laddr)); 4177 bzero((void *)so_faddr, sizeof (so_faddr)); 4178 4179 /* get local and foreign addresses */ 4180 len = sizeof (so_laddr); 4181 (void) socket_getsockname(so, 4182 (struct sockaddr *)so_laddr, &len, CRED()); 4183 len = sizeof (so_faddr); 4184 (void) socket_getpeername(so, 4185 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4186 4187 add_sock_token = 1; 4188 } 4189 4190 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4191 4192 break; 4193 4194 case AF_UNIX: 4195 /* 4196 * first check if this is first time through. Too much 4197 * duplicate code to put this in an aui_ routine. 4198 */ 4199 4200 /* get path from file struct here */ 4201 fad = F2A(fp); 4202 ASSERT(fad); 4203 4204 /* 4205 * already processed this file for read attempt 4206 */ 4207 if (fad->fad_flags & FAD_READ) { 4208 releasef(fd); 4209 /* don't want to audit every recvmsg attempt */ 4210 tad->tad_flag = 0; 4211 /* free any residual audit data */ 4212 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4213 return; 4214 } 4215 /* 4216 * mark things so we know what happened and don't 4217 * repeat things 4218 */ 4219 fad->fad_flags |= FAD_READ; 4220 4221 if (fad->fad_aupath != NULL) { 4222 au_uwrite(au_to_path(fad->fad_aupath)); 4223 } else { 4224 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4225 } 4226 4227 audit_attributes(fp->f_vnode); 4228 4229 releasef(fd); 4230 4231 return; 4232 4233 default: 4234 break; 4235 4236 } 4237 4238 releasef(fd); 4239 4240 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4241 4242 if (add_sock_token == 0) { 4243 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4244 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4245 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4246 return; 4247 } 4248 4249 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4250 4251 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4252 4253 } 4254 4255 /*ARGSUSED*/ 4256 static void 4257 auf_recvfrom( 4258 struct t_audit_data *tad, 4259 int error, 4260 rval_t *rvp) 4261 { 4262 4263 struct a { 4264 long fd; 4265 long msg; /* char */ 4266 long len; 4267 long flags; 4268 long from; /* struct sockaddr */ 4269 long fromlen; 4270 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4271 4272 socklen_t fromlen; 4273 struct sonode *so; 4274 char so_laddr[sizeof (struct sockaddr_in6)]; 4275 char so_faddr[sizeof (struct sockaddr_in6)]; 4276 int fd; 4277 short so_family, so_type; 4278 int add_sock_token = 0; 4279 socklen_t len; 4280 int err; 4281 struct file *fp; 4282 struct f_audit_data *fad; /* unix domain sockets */ 4283 au_kcontext_t *kctx = GET_KCTX_PZ; 4284 4285 fd = (int)uap->fd; 4286 4287 /* bail if an error */ 4288 if (error) { 4289 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4290 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4291 return; 4292 } 4293 4294 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4295 /* 4296 * not security relevant if doing a recvmsg from non socket 4297 * so no extra tokens. Should probably turn off audit record 4298 * generation here. 4299 */ 4300 return; 4301 } 4302 4303 so_family = so->so_family; 4304 so_type = so->so_type; 4305 4306 /* 4307 * only putout SOCKET_EX token if INET/INET6 family. 4308 * XXX - what do we do about other families? 4309 */ 4310 4311 switch (so_family) { 4312 case AF_INET: 4313 case AF_INET6: 4314 4315 /* 4316 * if datagram type socket, then just use what is in 4317 * socket structure for local address. 4318 * XXX - what do we do for other types? 4319 */ 4320 if ((so->so_type == SOCK_DGRAM) || 4321 (so->so_type == SOCK_RAW)) { 4322 add_sock_token = 1; 4323 4324 /* get local address */ 4325 len = sizeof (so_laddr); 4326 (void) socket_getsockname(so, 4327 (struct sockaddr *)so_laddr, &len, CRED()); 4328 4329 /* get peer address */ 4330 bzero((void *)so_faddr, sizeof (so_faddr)); 4331 4332 /* sanity check */ 4333 if (uap->from == NULL) 4334 break; 4335 4336 /* sanity checks */ 4337 if (uap->fromlen == 0) 4338 break; 4339 4340 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4341 sizeof (fromlen)) != 0) 4342 break; 4343 4344 if (fromlen == 0) 4345 break; 4346 4347 /* enforce maximum size */ 4348 if (fromlen > sizeof (so_faddr)) 4349 fromlen = sizeof (so_faddr); 4350 4351 if (copyin((caddr_t)(uap->from), so_faddr, 4352 fromlen) != 0) 4353 break; 4354 4355 } else if (so->so_type == SOCK_STREAM) { 4356 4357 /* get path from file struct here */ 4358 fad = F2A(fp); 4359 ASSERT(fad); 4360 4361 /* 4362 * already processed this file for read attempt 4363 */ 4364 if (fad->fad_flags & FAD_READ) { 4365 /* don't want to audit every recvfrom attempt */ 4366 tad->tad_flag = 0; 4367 /* free any residual audit data */ 4368 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4369 releasef(fd); 4370 return; 4371 } 4372 /* 4373 * mark things so we know what happened and don't 4374 * repeat things 4375 */ 4376 fad->fad_flags |= FAD_READ; 4377 4378 bzero((void *)so_laddr, sizeof (so_laddr)); 4379 bzero((void *)so_faddr, sizeof (so_faddr)); 4380 4381 /* get local and foreign addresses */ 4382 len = sizeof (so_laddr); 4383 (void) socket_getsockname(so, 4384 (struct sockaddr *)so_laddr, &len, CRED()); 4385 len = sizeof (so_faddr); 4386 (void) socket_getpeername(so, 4387 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4388 4389 add_sock_token = 1; 4390 } 4391 4392 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4393 4394 break; 4395 4396 case AF_UNIX: 4397 /* 4398 * first check if this is first time through. Too much 4399 * duplicate code to put this in an aui_ routine. 4400 */ 4401 4402 /* get path from file struct here */ 4403 fad = F2A(fp); 4404 ASSERT(fad); 4405 4406 /* 4407 * already processed this file for read attempt 4408 */ 4409 if (fad->fad_flags & FAD_READ) { 4410 /* don't want to audit every recvfrom attempt */ 4411 tad->tad_flag = 0; 4412 /* free any residual audit data */ 4413 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4414 releasef(fd); 4415 return; 4416 } 4417 /* 4418 * mark things so we know what happened and don't 4419 * repeat things 4420 */ 4421 fad->fad_flags |= FAD_READ; 4422 4423 if (fad->fad_aupath != NULL) { 4424 au_uwrite(au_to_path(fad->fad_aupath)); 4425 } else { 4426 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4427 } 4428 4429 audit_attributes(fp->f_vnode); 4430 4431 releasef(fd); 4432 4433 return; 4434 4435 default: 4436 break; 4437 4438 } 4439 4440 releasef(fd); 4441 4442 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4443 4444 if (add_sock_token == 0) { 4445 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4446 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4447 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4448 return; 4449 } 4450 4451 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4452 4453 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4454 } 4455 4456 /*ARGSUSED*/ 4457 static void 4458 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4459 { 4460 struct a { 4461 long fd; 4462 long msg; /* struct msghdr */ 4463 long flags; 4464 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4465 4466 struct sonode *so; 4467 char so_laddr[sizeof (struct sockaddr_in6)]; 4468 char so_faddr[sizeof (struct sockaddr_in6)]; 4469 int err; 4470 int fd; 4471 short so_family, so_type; 4472 int add_sock_token = 0; 4473 socklen_t len; 4474 struct file *fp; 4475 struct f_audit_data *fad; 4476 caddr_t msg_name; 4477 socklen_t msg_namelen; 4478 STRUCT_DECL(msghdr, msg); 4479 au_kcontext_t *kctx = GET_KCTX_PZ; 4480 4481 fd = (int)uap->fd; 4482 4483 /* bail if an error */ 4484 if (error) { 4485 /* XXX include destination address from system call arguments */ 4486 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4487 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4488 return; 4489 } 4490 4491 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4492 /* 4493 * not security relevant if doing a sendmsg from non socket 4494 * so no extra tokens. Should probably turn off audit record 4495 * generation here. 4496 */ 4497 return; 4498 } 4499 4500 so_family = so->so_family; 4501 so_type = so->so_type; 4502 4503 switch (so_family) { 4504 case AF_INET: 4505 case AF_INET6: 4506 /* 4507 * if datagram type socket, then just use what is in 4508 * socket structure for local address. 4509 * XXX - what do we do for other types? 4510 */ 4511 if ((so->so_type == SOCK_DGRAM) || 4512 (so->so_type == SOCK_RAW)) { 4513 4514 bzero((void *)so_laddr, sizeof (so_laddr)); 4515 bzero((void *)so_faddr, sizeof (so_faddr)); 4516 4517 /* get local address */ 4518 len = sizeof (so_laddr); 4519 (void) socket_getsockname(so, 4520 (struct sockaddr *)so_laddr, &len, CRED()); 4521 4522 /* get peer address */ 4523 STRUCT_INIT(msg, get_udatamodel()); 4524 4525 if (copyin((caddr_t)(uap->msg), 4526 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4527 break; 4528 } 4529 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4530 if (msg_name == NULL) 4531 break; 4532 4533 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4534 /* length is value from recvmsg - sanity check */ 4535 if (msg_namelen == 0) 4536 break; 4537 4538 if (copyin(msg_name, so_faddr, 4539 sizeof (so_faddr)) != 0) 4540 break; 4541 4542 add_sock_token = 1; 4543 4544 } else if (so->so_type == SOCK_STREAM) { 4545 4546 /* get path from file struct here */ 4547 fad = F2A(fp); 4548 ASSERT(fad); 4549 4550 /* 4551 * already processed this file for write attempt 4552 */ 4553 if (fad->fad_flags & FAD_WRITE) { 4554 releasef(fd); 4555 /* don't want to audit every sendmsg attempt */ 4556 tad->tad_flag = 0; 4557 /* free any residual audit data */ 4558 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4559 return; 4560 } 4561 4562 /* 4563 * mark things so we know what happened and don't 4564 * repeat things 4565 */ 4566 fad->fad_flags |= FAD_WRITE; 4567 4568 bzero((void *)so_laddr, sizeof (so_laddr)); 4569 bzero((void *)so_faddr, sizeof (so_faddr)); 4570 4571 /* get local and foreign addresses */ 4572 len = sizeof (so_laddr); 4573 (void) socket_getsockname(so, 4574 (struct sockaddr *)so_laddr, &len, CRED()); 4575 len = sizeof (so_faddr); 4576 (void) socket_getpeername(so, 4577 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4578 4579 add_sock_token = 1; 4580 } 4581 4582 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4583 4584 break; 4585 4586 case AF_UNIX: 4587 /* 4588 * first check if this is first time through. Too much 4589 * duplicate code to put this in an aui_ routine. 4590 */ 4591 4592 /* get path from file struct here */ 4593 fad = F2A(fp); 4594 ASSERT(fad); 4595 4596 /* 4597 * already processed this file for write attempt 4598 */ 4599 if (fad->fad_flags & FAD_WRITE) { 4600 releasef(fd); 4601 /* don't want to audit every sendmsg attempt */ 4602 tad->tad_flag = 0; 4603 /* free any residual audit data */ 4604 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4605 return; 4606 } 4607 /* 4608 * mark things so we know what happened and don't 4609 * repeat things 4610 */ 4611 fad->fad_flags |= FAD_WRITE; 4612 4613 if (fad->fad_aupath != NULL) { 4614 au_uwrite(au_to_path(fad->fad_aupath)); 4615 } else { 4616 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4617 } 4618 4619 audit_attributes(fp->f_vnode); 4620 4621 releasef(fd); 4622 4623 return; 4624 4625 default: 4626 break; 4627 } 4628 4629 releasef(fd); 4630 4631 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4632 4633 if (add_sock_token == 0) { 4634 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4635 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4636 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4637 return; 4638 } 4639 4640 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4641 4642 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4643 } 4644 4645 /*ARGSUSED*/ 4646 static void 4647 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4648 { 4649 struct a { 4650 long fd; 4651 long msg; /* char */ 4652 long len; 4653 long flags; 4654 long to; /* struct sockaddr */ 4655 long tolen; 4656 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4657 4658 struct sonode *so; 4659 char so_laddr[sizeof (struct sockaddr_in6)]; 4660 char so_faddr[sizeof (struct sockaddr_in6)]; 4661 socklen_t tolen; 4662 int err; 4663 int fd; 4664 socklen_t len; 4665 short so_family, so_type; 4666 int add_sock_token = 0; 4667 struct file *fp; 4668 struct f_audit_data *fad; 4669 au_kcontext_t *kctx = GET_KCTX_PZ; 4670 4671 fd = (int)uap->fd; 4672 4673 /* bail if an error */ 4674 if (error) { 4675 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4676 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4677 /* XXX include destination address from system call arguments */ 4678 return; 4679 } 4680 4681 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4682 /* 4683 * not security relevant if doing a sendto using non socket 4684 * so no extra tokens. Should probably turn off audit record 4685 * generation here. 4686 */ 4687 return; 4688 } 4689 4690 so_family = so->so_family; 4691 so_type = so->so_type; 4692 4693 /* 4694 * only putout SOCKET_EX token if INET/INET6 family. 4695 * XXX - what do we do about other families? 4696 */ 4697 4698 switch (so_family) { 4699 case AF_INET: 4700 case AF_INET6: 4701 4702 /* 4703 * if datagram type socket, then just use what is in 4704 * socket structure for local address. 4705 * XXX - what do we do for other types? 4706 */ 4707 if ((so->so_type == SOCK_DGRAM) || 4708 (so->so_type == SOCK_RAW)) { 4709 4710 bzero((void *)so_laddr, sizeof (so_laddr)); 4711 bzero((void *)so_faddr, sizeof (so_faddr)); 4712 4713 /* get local address */ 4714 len = sizeof (so_laddr); 4715 (void) socket_getsockname(so, 4716 (struct sockaddr *)so_laddr, &len, CRED()); 4717 4718 /* get peer address */ 4719 4720 /* sanity check */ 4721 if (uap->to == NULL) 4722 break; 4723 4724 /* sanity checks */ 4725 if (uap->tolen == 0) 4726 break; 4727 4728 tolen = (socklen_t)uap->tolen; 4729 4730 /* enforce maximum size */ 4731 if (tolen > sizeof (so_faddr)) 4732 tolen = sizeof (so_faddr); 4733 4734 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4735 break; 4736 4737 add_sock_token = 1; 4738 } else { 4739 /* 4740 * check if this is first time through. 4741 */ 4742 4743 /* get path from file struct here */ 4744 fad = F2A(fp); 4745 ASSERT(fad); 4746 4747 /* 4748 * already processed this file for write attempt 4749 */ 4750 if (fad->fad_flags & FAD_WRITE) { 4751 /* don't want to audit every sendto attempt */ 4752 tad->tad_flag = 0; 4753 /* free any residual audit data */ 4754 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4755 releasef(fd); 4756 return; 4757 } 4758 /* 4759 * mark things so we know what happened and don't 4760 * repeat things 4761 */ 4762 fad->fad_flags |= FAD_WRITE; 4763 4764 bzero((void *)so_laddr, sizeof (so_laddr)); 4765 bzero((void *)so_faddr, sizeof (so_faddr)); 4766 4767 /* get local and foreign addresses */ 4768 len = sizeof (so_laddr); 4769 (void) socket_getsockname(so, 4770 (struct sockaddr *)so_laddr, &len, CRED()); 4771 len = sizeof (so_faddr); 4772 (void) socket_getpeername(so, 4773 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4774 4775 add_sock_token = 1; 4776 } 4777 4778 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4779 4780 break; 4781 4782 case AF_UNIX: 4783 /* 4784 * first check if this is first time through. Too much 4785 * duplicate code to put this in an aui_ routine. 4786 */ 4787 4788 /* get path from file struct here */ 4789 fad = F2A(fp); 4790 ASSERT(fad); 4791 4792 /* 4793 * already processed this file for write attempt 4794 */ 4795 if (fad->fad_flags & FAD_WRITE) { 4796 /* don't want to audit every sendto attempt */ 4797 tad->tad_flag = 0; 4798 /* free any residual audit data */ 4799 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4800 releasef(fd); 4801 return; 4802 } 4803 /* 4804 * mark things so we know what happened and don't 4805 * repeat things 4806 */ 4807 fad->fad_flags |= FAD_WRITE; 4808 4809 if (fad->fad_aupath != NULL) { 4810 au_uwrite(au_to_path(fad->fad_aupath)); 4811 } else { 4812 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4813 } 4814 4815 audit_attributes(fp->f_vnode); 4816 4817 releasef(fd); 4818 4819 return; 4820 4821 default: 4822 break; 4823 4824 } 4825 4826 releasef(fd); 4827 4828 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4829 4830 if (add_sock_token == 0) { 4831 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4832 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4833 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4834 return; 4835 } 4836 4837 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4838 4839 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4840 4841 } 4842 4843 /* 4844 * XXX socket(2) may be equivalent to open(2) on a unix domain 4845 * socket. This needs investigation. 4846 */ 4847 4848 /*ARGSUSED*/ 4849 static void 4850 aus_socket(struct t_audit_data *tad) 4851 { 4852 struct a { 4853 long domain; 4854 long type; 4855 long protocol; 4856 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4857 4858 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4859 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4860 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4861 } 4862 4863 /*ARGSUSED*/ 4864 static void 4865 aus_sigqueue(struct t_audit_data *tad) 4866 { 4867 struct a { 4868 long pid; 4869 long signo; 4870 long *val; 4871 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4872 struct proc *p; 4873 uid_t uid, ruid; 4874 gid_t gid, rgid; 4875 pid_t pid; 4876 const auditinfo_addr_t *ainfo; 4877 cred_t *cr; 4878 4879 pid = (pid_t)uap->pid; 4880 4881 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4882 if (pid > 0) { 4883 mutex_enter(&pidlock); 4884 if ((p = prfind(pid)) == (struct proc *)0) { 4885 mutex_exit(&pidlock); 4886 return; 4887 } 4888 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4889 mutex_exit(&pidlock); 4890 4891 mutex_enter(&p->p_crlock); 4892 crhold(cr = p->p_cred); 4893 mutex_exit(&p->p_crlock); 4894 mutex_exit(&p->p_lock); 4895 4896 ainfo = crgetauinfo(cr); 4897 if (ainfo == NULL) { 4898 crfree(cr); 4899 return; 4900 } 4901 4902 uid = crgetuid(cr); 4903 gid = crgetgid(cr); 4904 ruid = crgetruid(cr); 4905 rgid = crgetrgid(cr); 4906 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4907 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4908 crfree(cr); 4909 } 4910 else 4911 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4912 } 4913 4914 /*ARGSUSED*/ 4915 static void 4916 aus_inst_sync(struct t_audit_data *tad) 4917 { 4918 struct a { 4919 long name; /* char */ 4920 long flags; 4921 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4922 4923 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4924 } 4925 4926 /*ARGSUSED*/ 4927 static void 4928 aus_brandsys(struct t_audit_data *tad) 4929 { 4930 klwp_t *clwp = ttolwp(curthread); 4931 4932 struct a { 4933 long cmd; 4934 long arg1; 4935 long arg2; 4936 long arg3; 4937 long arg4; 4938 long arg5; 4939 long arg6; 4940 } *uap = (struct a *)clwp->lwp_ap; 4941 4942 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4943 #ifdef _LP64 4944 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4945 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4946 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4947 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4948 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4949 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4950 #else 4951 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4952 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4953 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4954 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4955 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4956 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4957 #endif 4958 } 4959 4960 /*ARGSUSED*/ 4961 static void 4962 aus_p_online(struct t_audit_data *tad) 4963 { 4964 struct a { 4965 long processor_id; 4966 long flag; 4967 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4968 4969 struct flags { 4970 int flag; 4971 char *cflag; 4972 } aflags[6] = { 4973 { P_ONLINE, "P_ONLINE"}, 4974 { P_OFFLINE, "P_OFFLINE"}, 4975 { P_NOINTR, "P_NOINTR"}, 4976 { P_SPARE, "P_SPARE"}, 4977 { P_FAULTED, "P_FAULTED"}, 4978 { P_STATUS, "P_STATUS"} 4979 }; 4980 int i; 4981 char *cflag; 4982 4983 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4984 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4985 4986 for (i = 0; i < 6; i++) { 4987 if (aflags[i].flag == uap->flag) 4988 break; 4989 } 4990 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4991 4992 au_uwrite(au_to_text(cflag)); 4993 } 4994 4995 /*ARGSUSED*/ 4996 static void 4997 aus_processor_bind(struct t_audit_data *tad) 4998 { 4999 struct a { 5000 long id_type; 5001 long id; 5002 long processor_id; 5003 long obind; 5004 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5005 5006 struct proc *p; 5007 int lwpcnt; 5008 uid_t uid, ruid; 5009 gid_t gid, rgid; 5010 pid_t pid; 5011 const auditinfo_addr_t *ainfo; 5012 cred_t *cr; 5013 5014 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 5015 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 5016 if (uap->processor_id == PBIND_NONE) 5017 au_uwrite(au_to_text("PBIND_NONE")); 5018 else 5019 au_uwrite(au_to_arg32(3, "processor_id", 5020 (uint32_t)uap->processor_id)); 5021 5022 switch (uap->id_type) { 5023 case P_MYID: 5024 case P_LWPID: 5025 mutex_enter(&pidlock); 5026 p = ttoproc(curthread); 5027 if (p == NULL || p->p_as == &kas) { 5028 mutex_exit(&pidlock); 5029 return; 5030 } 5031 mutex_enter(&p->p_lock); 5032 mutex_exit(&pidlock); 5033 lwpcnt = p->p_lwpcnt; 5034 pid = p->p_pid; 5035 5036 mutex_enter(&p->p_crlock); 5037 crhold(cr = p->p_cred); 5038 mutex_exit(&p->p_crlock); 5039 mutex_exit(&p->p_lock); 5040 5041 ainfo = crgetauinfo(cr); 5042 if (ainfo == NULL) { 5043 crfree(cr); 5044 return; 5045 } 5046 5047 uid = crgetuid(cr); 5048 gid = crgetgid(cr); 5049 ruid = crgetruid(cr); 5050 rgid = crgetrgid(cr); 5051 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5052 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5053 crfree(cr); 5054 break; 5055 case P_PID: 5056 mutex_enter(&pidlock); 5057 p = prfind(uap->id); 5058 if (p == NULL || p->p_as == &kas) { 5059 mutex_exit(&pidlock); 5060 return; 5061 } 5062 mutex_enter(&p->p_lock); 5063 mutex_exit(&pidlock); 5064 lwpcnt = p->p_lwpcnt; 5065 pid = p->p_pid; 5066 5067 mutex_enter(&p->p_crlock); 5068 crhold(cr = p->p_cred); 5069 mutex_exit(&p->p_crlock); 5070 mutex_exit(&p->p_lock); 5071 5072 ainfo = crgetauinfo(cr); 5073 if (ainfo == NULL) { 5074 crfree(cr); 5075 return; 5076 } 5077 5078 uid = crgetuid(cr); 5079 gid = crgetgid(cr); 5080 ruid = crgetruid(cr); 5081 rgid = crgetrgid(cr); 5082 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5083 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5084 crfree(cr); 5085 5086 break; 5087 default: 5088 return; 5089 } 5090 5091 if (uap->processor_id == PBIND_NONE && 5092 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 5093 au_uwrite(au_to_text("PBIND_NONE for process")); 5094 else 5095 au_uwrite(au_to_arg32(3, "processor_id", 5096 (uint32_t)uap->processor_id)); 5097 } 5098 5099 /*ARGSUSED*/ 5100 static au_event_t 5101 aui_doorfs(au_event_t e) 5102 { 5103 uint32_t code; 5104 5105 struct a { /* doorfs */ 5106 long a1; 5107 long a2; 5108 long a3; 5109 long a4; 5110 long a5; 5111 long code; 5112 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5113 5114 /* 5115 * audit formats for several of the 5116 * door calls have not yet been determined 5117 */ 5118 code = (uint32_t)uap->code; 5119 switch (code) { 5120 case DOOR_CALL: 5121 e = AUE_DOORFS_DOOR_CALL; 5122 break; 5123 case DOOR_RETURN: 5124 e = AUE_NULL; 5125 break; 5126 case DOOR_CREATE: 5127 e = AUE_DOORFS_DOOR_CREATE; 5128 break; 5129 case DOOR_REVOKE: 5130 e = AUE_DOORFS_DOOR_REVOKE; 5131 break; 5132 case DOOR_INFO: 5133 e = AUE_NULL; 5134 break; 5135 case DOOR_UCRED: 5136 e = AUE_NULL; 5137 break; 5138 case DOOR_BIND: 5139 e = AUE_NULL; 5140 break; 5141 case DOOR_UNBIND: 5142 e = AUE_NULL; 5143 break; 5144 case DOOR_GETPARAM: 5145 e = AUE_NULL; 5146 break; 5147 case DOOR_SETPARAM: 5148 e = AUE_NULL; 5149 break; 5150 default: /* illegal system call */ 5151 e = AUE_NULL; 5152 break; 5153 } 5154 5155 return (e); 5156 } 5157 5158 static door_node_t * 5159 au_door_lookup(int did) 5160 { 5161 vnode_t *vp; 5162 file_t *fp; 5163 5164 if ((fp = getf(did)) == NULL) 5165 return (NULL); 5166 /* 5167 * Use the underlying vnode (we may be namefs mounted) 5168 */ 5169 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5170 vp = fp->f_vnode; 5171 5172 if (vp == NULL || vp->v_type != VDOOR) { 5173 releasef(did); 5174 return (NULL); 5175 } 5176 5177 return (VTOD(vp)); 5178 } 5179 5180 /*ARGSUSED*/ 5181 static void 5182 aus_doorfs(struct t_audit_data *tad) 5183 { 5184 5185 struct a { /* doorfs */ 5186 long a1; 5187 long a2; 5188 long a3; 5189 long a4; 5190 long a5; 5191 long code; 5192 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5193 5194 door_node_t *dp; 5195 struct proc *p; 5196 uint32_t did; 5197 uid_t uid, ruid; 5198 gid_t gid, rgid; 5199 pid_t pid; 5200 const auditinfo_addr_t *ainfo; 5201 cred_t *cr; 5202 5203 did = (uint32_t)uap->a1; 5204 5205 switch (tad->tad_event) { 5206 case AUE_DOORFS_DOOR_CALL: 5207 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5208 if ((dp = au_door_lookup(did)) == NULL) 5209 break; 5210 5211 if (DOOR_INVALID(dp)) { 5212 releasef(did); 5213 break; 5214 } 5215 5216 if ((p = dp->door_target) == NULL) { 5217 releasef(did); 5218 break; 5219 } 5220 mutex_enter(&p->p_lock); 5221 releasef(did); 5222 5223 pid = p->p_pid; 5224 5225 mutex_enter(&p->p_crlock); 5226 crhold(cr = p->p_cred); 5227 mutex_exit(&p->p_crlock); 5228 mutex_exit(&p->p_lock); 5229 5230 ainfo = crgetauinfo(cr); 5231 if (ainfo == NULL) { 5232 crfree(cr); 5233 return; 5234 } 5235 uid = crgetuid(cr); 5236 gid = crgetgid(cr); 5237 ruid = crgetruid(cr); 5238 rgid = crgetrgid(cr); 5239 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5240 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5241 crfree(cr); 5242 break; 5243 case AUE_DOORFS_DOOR_RETURN: 5244 /* 5245 * We may want to write information about 5246 * all doors (if any) which will be copied 5247 * by this call to the user space 5248 */ 5249 break; 5250 case AUE_DOORFS_DOOR_CREATE: 5251 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5252 break; 5253 case AUE_DOORFS_DOOR_REVOKE: 5254 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5255 break; 5256 case AUE_DOORFS_DOOR_INFO: 5257 break; 5258 case AUE_DOORFS_DOOR_CRED: 5259 break; 5260 case AUE_DOORFS_DOOR_BIND: 5261 break; 5262 case AUE_DOORFS_DOOR_UNBIND: { 5263 break; 5264 } 5265 default: /* illegal system call */ 5266 break; 5267 } 5268 } 5269 5270 /*ARGSUSED*/ 5271 static au_event_t 5272 aui_acl(au_event_t e) 5273 { 5274 struct a { 5275 union { 5276 long name; /* char */ 5277 long fd; 5278 } obj; 5279 5280 long cmd; 5281 long nentries; 5282 long arg; /* aclent_t */ 5283 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5284 5285 switch (uap->cmd) { 5286 case SETACL: 5287 case ACE_SETACL: 5288 /* 5289 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5290 * are expected. 5291 */ 5292 break; 5293 case GETACL: 5294 case GETACLCNT: 5295 case ACE_GETACL: 5296 case ACE_GETACLCNT: 5297 /* do nothing for these four values. */ 5298 e = AUE_NULL; 5299 break; 5300 default: 5301 /* illegal system call */ 5302 break; 5303 } 5304 5305 return (e); 5306 } 5307 5308 static void 5309 au_acl(int cmd, int nentries, caddr_t bufp) 5310 { 5311 size_t a_size; 5312 aclent_t *aclbufp; 5313 ace_t *acebufp; 5314 int i; 5315 5316 switch (cmd) { 5317 case GETACL: 5318 case GETACLCNT: 5319 break; 5320 case SETACL: 5321 if (nentries < 3) 5322 break; 5323 5324 a_size = nentries * sizeof (aclent_t); 5325 5326 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5327 break; 5328 if (copyin(bufp, aclbufp, a_size)) { 5329 kmem_free(aclbufp, a_size); 5330 break; 5331 } 5332 for (i = 0; i < nentries; i++) { 5333 au_uwrite(au_to_acl(aclbufp + i)); 5334 } 5335 kmem_free(aclbufp, a_size); 5336 break; 5337 5338 case ACE_SETACL: 5339 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5340 break; 5341 5342 a_size = nentries * sizeof (ace_t); 5343 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5344 break; 5345 if (copyin(bufp, acebufp, a_size)) { 5346 kmem_free(acebufp, a_size); 5347 break; 5348 } 5349 for (i = 0; i < nentries; i++) { 5350 au_uwrite(au_to_ace(acebufp + i)); 5351 } 5352 kmem_free(acebufp, a_size); 5353 break; 5354 default: 5355 break; 5356 } 5357 } 5358 5359 /*ARGSUSED*/ 5360 static void 5361 aus_acl(struct t_audit_data *tad) 5362 { 5363 struct a { 5364 long fname; 5365 long cmd; 5366 long nentries; 5367 long aclbufp; 5368 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5369 5370 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5371 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5372 5373 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5374 } 5375 5376 /*ARGSUSED*/ 5377 static void 5378 aus_facl(struct t_audit_data *tad) 5379 { 5380 struct a { 5381 long fd; 5382 long cmd; 5383 long nentries; 5384 long aclbufp; 5385 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5386 struct file *fp; 5387 struct vnode *vp; 5388 struct f_audit_data *fad; 5389 int fd; 5390 5391 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5392 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5393 5394 fd = (int)uap->fd; 5395 5396 if ((fp = getf(fd)) == NULL) 5397 return; 5398 5399 /* get path from file struct here */ 5400 fad = F2A(fp); 5401 if (fad->fad_aupath != NULL) { 5402 au_uwrite(au_to_path(fad->fad_aupath)); 5403 } else { 5404 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5405 } 5406 5407 vp = fp->f_vnode; 5408 audit_attributes(vp); 5409 5410 /* decrement file descriptor reference count */ 5411 releasef(fd); 5412 5413 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5414 } 5415 5416 /*ARGSUSED*/ 5417 static void 5418 auf_read(tad, error, rval) 5419 struct t_audit_data *tad; 5420 int error; 5421 rval_t *rval; 5422 { 5423 struct file *fp; 5424 struct f_audit_data *fad; 5425 int fd; 5426 register struct a { 5427 long fd; 5428 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5429 au_kcontext_t *kctx = GET_KCTX_PZ; 5430 5431 fd = (int)uap->fd; 5432 5433 /* 5434 * convert file pointer to file descriptor 5435 * Note: fd ref count incremented here. 5436 */ 5437 if ((fp = getf(fd)) == NULL) 5438 return; 5439 5440 /* get path from file struct here */ 5441 fad = F2A(fp); 5442 ASSERT(fad); 5443 5444 /* 5445 * already processed this file for read attempt 5446 * 5447 * XXX might be better to turn off auditing in a aui_read() routine. 5448 */ 5449 if (fad->fad_flags & FAD_READ) { 5450 /* don't really want to audit every read attempt */ 5451 tad->tad_flag = 0; 5452 /* free any residual audit data */ 5453 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5454 releasef(fd); 5455 return; 5456 } 5457 /* mark things so we know what happened and don't repeat things */ 5458 fad->fad_flags |= FAD_READ; 5459 5460 if (fad->fad_aupath != NULL) { 5461 au_uwrite(au_to_path(fad->fad_aupath)); 5462 } else { 5463 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5464 } 5465 5466 /* include attributes */ 5467 audit_attributes(fp->f_vnode); 5468 5469 /* decrement file descriptor reference count */ 5470 releasef(fd); 5471 } 5472 5473 /*ARGSUSED*/ 5474 static void 5475 auf_write(tad, error, rval) 5476 struct t_audit_data *tad; 5477 int error; 5478 rval_t *rval; 5479 { 5480 struct file *fp; 5481 struct f_audit_data *fad; 5482 int fd; 5483 register struct a { 5484 long fd; 5485 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5486 au_kcontext_t *kctx = GET_KCTX_PZ; 5487 5488 fd = (int)uap->fd; 5489 5490 /* 5491 * convert file pointer to file descriptor 5492 * Note: fd ref count incremented here. 5493 */ 5494 if ((fp = getf(fd)) == NULL) 5495 return; 5496 5497 /* get path from file struct here */ 5498 fad = F2A(fp); 5499 ASSERT(fad); 5500 5501 /* 5502 * already processed this file for write attempt 5503 * 5504 * XXX might be better to turn off auditing in a aus_write() routine. 5505 */ 5506 if (fad->fad_flags & FAD_WRITE) { 5507 /* don't really want to audit every write attempt */ 5508 tad->tad_flag = 0; 5509 /* free any residual audit data */ 5510 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5511 releasef(fd); 5512 return; 5513 } 5514 /* mark things so we know what happened and don't repeat things */ 5515 fad->fad_flags |= FAD_WRITE; 5516 5517 if (fad->fad_aupath != NULL) { 5518 au_uwrite(au_to_path(fad->fad_aupath)); 5519 } else { 5520 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5521 } 5522 5523 /* include attributes */ 5524 audit_attributes(fp->f_vnode); 5525 5526 /* decrement file descriptor reference count */ 5527 releasef(fd); 5528 } 5529 5530 /*ARGSUSED*/ 5531 static void 5532 auf_recv(tad, error, rval) 5533 struct t_audit_data *tad; 5534 int error; 5535 rval_t *rval; 5536 { 5537 struct sonode *so; 5538 char so_laddr[sizeof (struct sockaddr_in6)]; 5539 char so_faddr[sizeof (struct sockaddr_in6)]; 5540 struct file *fp; 5541 struct f_audit_data *fad; 5542 int fd; 5543 int err; 5544 socklen_t len; 5545 short so_family, so_type; 5546 register struct a { 5547 long fd; 5548 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5549 au_kcontext_t *kctx = GET_KCTX_PZ; 5550 5551 /* 5552 * If there was an error, then nothing to do. Only generate 5553 * audit record on first successful recv. 5554 */ 5555 if (error) { 5556 /* Turn off audit record generation here. */ 5557 tad->tad_flag = 0; 5558 /* free any residual audit data */ 5559 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5560 return; 5561 } 5562 5563 fd = (int)uap->fd; 5564 5565 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5566 /* Turn off audit record generation here. */ 5567 tad->tad_flag = 0; 5568 /* free any residual audit data */ 5569 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5570 return; 5571 } 5572 5573 /* get path from file struct here */ 5574 fad = F2A(fp); 5575 ASSERT(fad); 5576 5577 /* 5578 * already processed this file for read attempt 5579 */ 5580 if (fad->fad_flags & FAD_READ) { 5581 releasef(fd); 5582 /* don't really want to audit every recv call */ 5583 tad->tad_flag = 0; 5584 /* free any residual audit data */ 5585 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5586 return; 5587 } 5588 5589 /* mark things so we know what happened and don't repeat things */ 5590 fad->fad_flags |= FAD_READ; 5591 5592 so_family = so->so_family; 5593 so_type = so->so_type; 5594 5595 switch (so_family) { 5596 case AF_INET: 5597 case AF_INET6: 5598 /* 5599 * Only for connections. 5600 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5601 */ 5602 if (so->so_state & SS_ISBOUND) { 5603 5604 bzero((void *)so_laddr, sizeof (so_laddr)); 5605 bzero((void *)so_faddr, sizeof (so_faddr)); 5606 5607 /* get local and foreign addresses */ 5608 len = sizeof (so_laddr); 5609 (void) socket_getsockname(so, 5610 (struct sockaddr *)so_laddr, &len, CRED()); 5611 len = sizeof (so_faddr); 5612 (void) socket_getpeername(so, 5613 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5614 5615 /* 5616 * only way to drop out of switch. Note that we 5617 * we release fd below. 5618 */ 5619 5620 break; 5621 } 5622 5623 releasef(fd); 5624 5625 /* don't really want to audit every recv call */ 5626 tad->tad_flag = 0; 5627 /* free any residual audit data */ 5628 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5629 5630 return; 5631 5632 case AF_UNIX: 5633 5634 if (fad->fad_aupath != NULL) { 5635 au_uwrite(au_to_path(fad->fad_aupath)); 5636 } else { 5637 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5638 } 5639 5640 audit_attributes(fp->f_vnode); 5641 5642 releasef(fd); 5643 5644 return; 5645 5646 default: 5647 releasef(fd); 5648 5649 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5650 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5651 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5652 5653 return; 5654 } 5655 5656 releasef(fd); 5657 5658 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5659 5660 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5661 5662 } 5663 5664 /*ARGSUSED*/ 5665 static void 5666 auf_send(tad, error, rval) 5667 struct t_audit_data *tad; 5668 int error; 5669 rval_t *rval; 5670 { 5671 struct sonode *so; 5672 char so_laddr[sizeof (struct sockaddr_in6)]; 5673 char so_faddr[sizeof (struct sockaddr_in6)]; 5674 struct file *fp; 5675 struct f_audit_data *fad; 5676 int fd; 5677 int err; 5678 socklen_t len; 5679 short so_family, so_type; 5680 register struct a { 5681 long fd; 5682 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5683 au_kcontext_t *kctx = GET_KCTX_PZ; 5684 5685 fd = (int)uap->fd; 5686 5687 /* 5688 * If there was an error, then nothing to do. Only generate 5689 * audit record on first successful send. 5690 */ 5691 if (error != 0) { 5692 /* Turn off audit record generation here. */ 5693 tad->tad_flag = 0; 5694 /* free any residual audit data */ 5695 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5696 return; 5697 } 5698 5699 fd = (int)uap->fd; 5700 5701 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5702 /* Turn off audit record generation here. */ 5703 tad->tad_flag = 0; 5704 /* free any residual audit data */ 5705 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5706 return; 5707 } 5708 5709 /* get path from file struct here */ 5710 fad = F2A(fp); 5711 ASSERT(fad); 5712 5713 /* 5714 * already processed this file for write attempt 5715 */ 5716 if (fad->fad_flags & FAD_WRITE) { 5717 releasef(fd); 5718 /* don't really want to audit every send call */ 5719 tad->tad_flag = 0; 5720 /* free any residual audit data */ 5721 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5722 return; 5723 } 5724 5725 /* mark things so we know what happened and don't repeat things */ 5726 fad->fad_flags |= FAD_WRITE; 5727 5728 so_family = so->so_family; 5729 so_type = so->so_type; 5730 5731 switch (so_family) { 5732 case AF_INET: 5733 case AF_INET6: 5734 /* 5735 * Only for connections. 5736 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5737 */ 5738 if (so->so_state & SS_ISBOUND) { 5739 5740 bzero((void *)so_laddr, sizeof (so_laddr)); 5741 bzero((void *)so_faddr, sizeof (so_faddr)); 5742 5743 /* get local and foreign addresses */ 5744 len = sizeof (so_laddr); 5745 (void) socket_getsockname(so, 5746 (struct sockaddr *)so_laddr, &len, CRED()); 5747 len = sizeof (so_faddr); 5748 (void) socket_getpeername(so, 5749 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5750 5751 /* 5752 * only way to drop out of switch. Note that we 5753 * we release fd below. 5754 */ 5755 5756 break; 5757 } 5758 5759 releasef(fd); 5760 /* don't really want to audit every send call */ 5761 tad->tad_flag = 0; 5762 /* free any residual audit data */ 5763 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5764 5765 return; 5766 5767 case AF_UNIX: 5768 5769 if (fad->fad_aupath != NULL) { 5770 au_uwrite(au_to_path(fad->fad_aupath)); 5771 } else { 5772 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5773 } 5774 5775 audit_attributes(fp->f_vnode); 5776 5777 releasef(fd); 5778 5779 return; 5780 5781 default: 5782 releasef(fd); 5783 5784 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5785 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5786 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5787 5788 return; 5789 } 5790 5791 releasef(fd); 5792 5793 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5794 5795 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5796 } 5797 5798 static au_event_t 5799 aui_forksys(au_event_t e) 5800 { 5801 struct a { 5802 long subcode; 5803 long flags; 5804 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5805 5806 switch ((uint_t)uap->subcode) { 5807 case 0: 5808 e = AUE_FORK1; 5809 break; 5810 case 1: 5811 e = AUE_FORKALL; 5812 break; 5813 case 2: 5814 e = AUE_VFORK; 5815 break; 5816 default: 5817 e = AUE_NULL; 5818 break; 5819 } 5820 5821 return (e); 5822 } 5823 5824 /*ARGSUSED*/ 5825 static au_event_t 5826 aui_portfs(au_event_t e) 5827 { 5828 struct a { /* portfs */ 5829 long a1; 5830 long a2; 5831 long a3; 5832 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5833 5834 /* 5835 * check opcode 5836 */ 5837 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5838 case PORT_ASSOCIATE: 5839 /* check source */ 5840 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5841 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5842 e = AUE_PORTFS_ASSOCIATE; 5843 } else { 5844 e = AUE_NULL; 5845 } 5846 break; 5847 case PORT_DISSOCIATE: 5848 /* check source */ 5849 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5850 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5851 e = AUE_PORTFS_DISSOCIATE; 5852 } else { 5853 e = AUE_NULL; 5854 } 5855 break; 5856 default: 5857 e = AUE_NULL; 5858 } 5859 return (e); 5860 } 5861