xref: /illumos-gate/usr/src/uts/common/c2/audit_event.c (revision 1d9df23bbf4124f12ca7832d6eaaa600e0aa8eda)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * This file contains the audit event table used to control the production
31  * of audit records for each system call.
32  */
33 
34 #include <sys/policy.h>
35 #include <sys/cred.h>
36 #include <sys/types.h>
37 #include <sys/systm.h>
38 #include <sys/systeminfo.h>	/* for sysinfo auditing */
39 #include <sys/utsname.h>	/* for sysinfo auditing */
40 #include <sys/proc.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
43 #include <sys/fcntl.h>
44 #include <sys/modctl.h>		/* for modctl auditing */
45 #include <sys/vnode.h>
46 #include <sys/user.h>
47 #include <sys/types.h>
48 #include <sys/processor.h>
49 #include <sys/procset.h>
50 #include <sys/acl.h>
51 #include <sys/ipc.h>
52 #include <sys/door.h>
53 #include <sys/sem.h>
54 #include <sys/msg.h>
55 #include <sys/shm.h>
56 #include <sys/kmem.h>
57 #include <sys/file.h>		/* for accept */
58 #include <sys/utssys.h>		/* for fuser */
59 #include <sys/tsol/label.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 #include <sys/port_impl.h>
78 
79 
80 int	au_naevent;
81 char	_depends_on[] = "fs/sockfs";
82 
83 static au_event_t	aui_open(au_event_t);
84 static au_event_t	aui_fsat(au_event_t);
85 static au_event_t	aui_msgsys(au_event_t);
86 static au_event_t	aui_shmsys(au_event_t);
87 static au_event_t	aui_semsys(au_event_t);
88 static au_event_t	aui_utssys(au_event_t);
89 static au_event_t	aui_fcntl(au_event_t);
90 static au_event_t	aui_execv(au_event_t);
91 static au_event_t	aui_execve(au_event_t);
92 static au_event_t	aui_memcntl(au_event_t);
93 static au_event_t	aui_sysinfo(au_event_t);
94 static au_event_t	aui_portfs(au_event_t);
95 static au_event_t	aui_auditsys(au_event_t);
96 static au_event_t	aui_modctl(au_event_t);
97 static au_event_t	aui_acl(au_event_t);
98 static au_event_t	aui_doorfs(au_event_t);
99 static au_event_t	aui_privsys(au_event_t);
100 static au_event_t	aui_forksys(au_event_t);
101 
102 static void	aus_open(struct t_audit_data *);
103 static void	aus_acl(struct t_audit_data *);
104 static void	aus_acct(struct t_audit_data *);
105 static void	aus_chown(struct t_audit_data *);
106 static void	aus_fchown(struct t_audit_data *);
107 static void	aus_lchown(struct t_audit_data *);
108 static void	aus_chmod(struct t_audit_data *);
109 static void	aus_facl(struct t_audit_data *);
110 static void	aus_fchmod(struct t_audit_data *);
111 static void	aus_fcntl(struct t_audit_data *);
112 static void	aus_fsat(struct t_audit_data *);
113 static void	aus_mkdir(struct t_audit_data *);
114 static void	aus_mknod(struct t_audit_data *);
115 static void	aus_mount(struct t_audit_data *);
116 static void	aus_umount(struct t_audit_data *);
117 static void	aus_umount2(struct t_audit_data *);
118 static void	aus_msgsys(struct t_audit_data *);
119 static void	aus_semsys(struct t_audit_data *);
120 static void	aus_close(struct t_audit_data *);
121 static void	aus_fstatfs(struct t_audit_data *);
122 static void	aus_setgid(struct t_audit_data *);
123 static void	aus_setuid(struct t_audit_data *);
124 static void	aus_shmsys(struct t_audit_data *);
125 static void	aus_doorfs(struct t_audit_data *);
126 static void	aus_ioctl(struct t_audit_data *);
127 static void	aus_memcntl(struct t_audit_data *);
128 static void	aus_mmap(struct t_audit_data *);
129 static void	aus_munmap(struct t_audit_data *);
130 static void	aus_priocntlsys(struct t_audit_data *);
131 static void	aus_setegid(struct t_audit_data *);
132 static void	aus_setgroups(struct t_audit_data *);
133 static void	aus_seteuid(struct t_audit_data *);
134 static void	aus_putmsg(struct t_audit_data *);
135 static void	aus_putpmsg(struct t_audit_data *);
136 static void	aus_getmsg(struct t_audit_data *);
137 static void	aus_getpmsg(struct t_audit_data *);
138 static void	aus_auditsys(struct t_audit_data *);
139 static void	aus_sysinfo(struct t_audit_data *);
140 static void	aus_modctl(struct t_audit_data *);
141 static void	aus_kill(struct t_audit_data *);
142 static void	aus_xmknod(struct t_audit_data *);
143 static void	aus_setregid(struct t_audit_data *);
144 static void	aus_setreuid(struct t_audit_data *);
145 
146 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
147 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
148 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
149 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
150 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
151 static void	auf_read(struct t_audit_data *, int, rval_t *);
152 static void	auf_write(struct t_audit_data *, int, rval_t *);
153 
154 static void	aus_sigqueue(struct t_audit_data *);
155 static void	aus_p_online(struct t_audit_data *);
156 static void	aus_processor_bind(struct t_audit_data *);
157 static void	aus_inst_sync(struct t_audit_data *);
158 static void	aus_brandsys(struct t_audit_data *);
159 
160 static void	auf_accept(struct t_audit_data *, int, rval_t *);
161 
162 static void	auf_bind(struct t_audit_data *, int, rval_t *);
163 static void	auf_connect(struct t_audit_data *, int, rval_t *);
164 static void	aus_shutdown(struct t_audit_data *);
165 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
166 static void	aus_sockconfig(struct t_audit_data *);
167 static void	auf_recv(struct t_audit_data *, int, rval_t *);
168 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
169 static void	auf_send(struct t_audit_data *, int, rval_t *);
170 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
171 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
172 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
173 static void	aus_socket(struct t_audit_data *);
174 /*
175  * This table contains mapping information for converting system call numbers
176  * to audit event IDs. In several cases it is necessary to map a single system
177  * call to several events.
178  */
179 
180 #define	aui_null	NULL	/* NULL initialize function */
181 #define	aus_null	NULL	/* NULL start function */
182 #define	auf_null	NULL	/* NULL finish function */
183 
184 struct audit_s2e audit_s2e[] =
185 {
186 /*
187  * ----------	---------- 	----------	----------
188  * INITIAL	AUDIT		START		SYSTEM
189  * PROCESSING	EVENT		PROCESSING	CALL
190  * ----------	----------	----------	-----------
191  *		FINISH		EVENT
192  *		PROCESSING	CONTROL
193  * ----------------------------------------------------------
194  */
195 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
196 		auf_null,	0,
197 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
198 		auf_null,	S2E_NPT,
199 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
200 		auf_null,	0,
201 aui_null,	AUE_READ,	aus_null,	/* 3 read */
202 		auf_read,	S2E_PUB,
203 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
204 		auf_write,	0,
205 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
206 		auf_null,	S2E_SP,
207 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
208 		auf_null,	0,
209 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
210 		auf_null,	0,
211 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
212 		auf_null,	S2E_SP,
213 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
214 		auf_null,	0,
215 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
216 		auf_null,	0,
217 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
218 		auf_null,	S2E_MLD,
219 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
220 		auf_null,	S2E_SP,
221 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
222 		auf_null,	0,
223 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
224 		auf_mknod,	0,
225 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
226 		auf_null,	0,
227 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
228 		auf_null,	0,
229 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
230 		auf_null,	0,
231 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
232 		auf_null,	S2E_PUB,
233 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
234 		auf_null,	0,
235 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
236 		auf_null,	0,
237 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
238 		auf_null,	S2E_MLD,
239 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
240 		auf_null,	0,
241 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
242 		auf_null,	0,
243 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
244 		auf_null,	0,
245 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
246 		auf_null,	0,
247 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
248 		auf_null,	0,
249 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
254 		auf_null,	0,
255 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
260 		auf_null,	0,
261 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
262 		auf_null,	S2E_PUB,
263 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
264 		auf_null,	0,
265 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
266 		auf_null,	S2E_PUB,
267 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
268 		auf_null,	0,
269 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
270 		auf_null,	0,
271 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
272 		auf_null,	S2E_PUB,
273 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
274 		auf_null,	0,
275 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
276 		auf_null,	0,
277 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
278 		auf_null,	0,
279 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
280 		auf_null,	0,
281 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
282 		auf_null,	0,
283 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
286 						/*	was proc lock */
287 		auf_null,	0,
288 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
289 		auf_null,	0,
290 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
291 		auf_null,	0,
292 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
293 		auf_null,	0,
294 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
295 		auf_msgsys,	0,
296 #if defined(__x86)
297 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
298 		auf_null,	0,
299 #else
300 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
301 		auf_null,	0,
302 #endif /* __x86 */
303 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
304 		auf_null,	0,
305 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
306 		auf_shmsys,	0,
307 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
308 		auf_semsys,	0,
309 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
310 		auf_null,	0,
311 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
312 		auf_null,	0,
313 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
314 		auf_null,	0,
315 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
316 		auf_null,	0,
317 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
318 		auf_null,	0,
319 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
320 		auf_null,	S2E_MLD,
321 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
322 		auf_null,	0,
323 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
324 		auf_null,	S2E_SP,
325 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
326 		auf_null,	0,
327 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
328 		auf_null,	0,
329 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
330 		auf_null,	0,
331 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
332 		auf_null,	0,
333 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
334 		auf_null,	0,
335 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
336 						/*	file locking call */
337 		auf_null,	0,
338 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
339 						/*	local system calls */
340 		auf_null,	0,
341 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
342 		auf_null,	0,
343 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
344 		auf_null,	0,
345 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
346 		auf_null,	0,
347 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
348 		auf_null,	0,
349 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
350 		auf_null,	0,
351 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
352 		auf_null,	0,
353 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
354 						/*	was sigret (SunOS) */
355 		auf_null,	0,
356 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
361 		auf_null,	0,
362 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
363 		auf_null,	0,
364 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
365 		auf_null,	0,
366 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
367 		auf_null,	0,
368 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
369 						/*	was libattach */
370 		auf_null,	0,
371 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
372 						/*	was libdetach */
373 		auf_null,	0,
374 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
375 		auf_null,	0,
376 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
377 		auf_null,	0,
378 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
379 		auf_null,	0,
380 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
381 		auf_null,	0,
382 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
383 		auf_null,	S2E_PUB,
384 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
385 		auf_null,	0,
386 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
387 		auf_null,	S2E_PUB,
388 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
389 		auf_null,	0,
390 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
391 		auf_null,	0,
392 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
393 		auf_null,	0,
394 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
395 		auf_null,	0,
396 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
411 						/*	was evtrapret */
412 		auf_null,	0,
413 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
414 		auf_null,	S2E_PUB,
415 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
416 		auf_null,	0,
417 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
418 		auf_null,	0,
419 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
420 		auf_null,	0,
421 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
422 		auf_null,	0,
423 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
424 		auf_null,	0,
425 #if defined(__x86)
426 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
427 		auf_null,	0,
428 #else
429 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
430 		auf_null,	0,
431 #endif /* __x86 */
432 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
433 		auf_null,	0,
434 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
435 		auf_null,	0,
436 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
437 		auf_null,	0,		/* 112 priocntlsys */
438 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
439 		auf_null,	S2E_PUB,
440 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
441 		auf_null,	0,
442 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
443 		auf_null,	0,
444 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
445 		auf_null,	0,
446 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
447 		auf_null,	0,
448 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
449 		auf_null,	0,
450 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
451 		auf_null,	0,
452 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
453 		auf_null,	0,
454 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
455 		auf_read,	S2E_PUB,
456 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
457 		auf_write,	0,
458 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
459 		auf_null,	S2E_PUB,
460 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
461 		auf_null,	S2E_PUB,
462 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
463 		auf_null,	0,
464 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
465 		auf_xmknod,	0,
466 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
467 		auf_null,	0,
468 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
469 		auf_null,	0,
470 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
471 		auf_null,	0,
472 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
473 		auf_null,	0,
474 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
475 		auf_null,	0,
476 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
477 		auf_null,	0,
478 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
479 		auf_null,	0,
480 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
481 		auf_null,	0,
482 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
483 		auf_null,	0,
484 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
485 		auf_null,	0,
486 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
487 		auf_null,	0,
488 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
489 		auf_null,	0,
490 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
491 		auf_null,	0,
492 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
493 		auf_null,	0,
494 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
495 		auf_null,	0,
496 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
497 		auf_null,	0,
498 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
499 		auf_null,	0,
500 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
501 		auf_null,	0,
502 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
503 		auf_null,	0,
504 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
515 		auf_null,	0,
516 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
517 		auf_null,	0,
518 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
519 		auf_null,	0,
520 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
521 		auf_null,	0,
522 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
543 						/*	was lwp_setprivate */
544 		auf_null,	0,
545 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
546 						/*	was lwp_getprivate */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
555 		auf_null,	0,
556 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
557 		auf_null,	0,
558 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
559 		auf_null,	0,
560 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
561 		auf_read,	S2E_PUB,
562 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
563 		auf_write,	0,
564 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
565 		auf_null,	0,
566 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
567 						/* aus_inst_sync */
568 		auf_null,	0,
569 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
570 		auf_null,	0,
571 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
578 		auf_null,	0,
579 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
580 		auf_null,	0,
581 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
582 		auf_null,	0,
583 aui_null,	AUE_NULL,	aus_null,	/* 184 (loadable) tsolsys */
584 		auf_null,	0,
585 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
586 		auf_null,	0,
587 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
588 		auf_null,	0,
589 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
590 		auf_null,	0,		/* 187 processor_bind */
591 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
592 		auf_null,	0,
593 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
594 		auf_null,	0,
595 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
598 		auf_null,	0,
599 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
600 		auf_null,	0,
601 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
614 		auf_null,	0,
615 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
616 		auf_null,	0,
617 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
618 		auf_null,	0,
619 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
620 		auf_null,	0,
621 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
622 		auf_null,	0,
623 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
642 		auf_null,	0,
643 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
644 		auf_null,	0,
645 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
646 		auf_null,	S2E_PUB,
647 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
650 		auf_null,	0,
651 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
652 		auf_null,	S2E_PUB,
653 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
654 		auf_null,	0,
655 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
656 		auf_null,	0,
657 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
658 		auf_null,	0,
659 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
660 		auf_read,	S2E_PUB,
661 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
662 		auf_write,	0,
663 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
664 		auf_null,	S2E_SP,
665 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
666 		auf_null,	S2E_SP,
667 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
668 		auf_null,	0,
669 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
674 		auf_null,	0,
675 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
676 		auf_null,	0,
677 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
678 		auf_null,	0,
679 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
680 		auf_bind,	0,
681 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
682 		auf_null,	0,
683 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
684 		auf_accept,	0,
685 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
686 		auf_connect,	0,
687 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
688 		auf_null,	0,
689 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
690 		auf_recv,	0,
691 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
692 		auf_recvfrom,	0,
693 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
694 		auf_recvmsg,	0,
695 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
696 		auf_send,	0,
697 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
698 		auf_sendmsg,	0,
699 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
700 		auf_sendto,	0,
701 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
702 		auf_null,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
704 		auf_null,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
706 		auf_null,	0,
707 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
708 		auf_setsockopt,	0,
709 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
710 		auf_null,	0,
711 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
712 		auf_null,	0,
713 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
714 		auf_null,	0,
715 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
724 		auf_null,	0,
725 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
726 		auf_null,	0
727 };
728 
729 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
730 
731 
732 /* acct start function */
733 /*ARGSUSED*/
734 static void
735 aus_acct(struct t_audit_data *tad)
736 {
737 	klwp_t *clwp = ttolwp(curthread);
738 	uintptr_t fname;
739 
740 	struct a {
741 		long	fname;		/* char * */
742 	} *uap = (struct a *)clwp->lwp_ap;
743 
744 	fname = (uintptr_t)uap->fname;
745 
746 	if (fname == 0)
747 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
748 }
749 
750 /* chown start function */
751 /*ARGSUSED*/
752 static void
753 aus_chown(struct t_audit_data *tad)
754 {
755 	klwp_t *clwp = ttolwp(curthread);
756 	uint32_t uid, gid;
757 
758 	struct a {
759 		long	fname;		/* char * */
760 		long	uid;
761 		long	gid;
762 	} *uap = (struct a *)clwp->lwp_ap;
763 
764 	uid = (uint32_t)uap->uid;
765 	gid = (uint32_t)uap->gid;
766 
767 	au_uwrite(au_to_arg32(2, "new file uid", uid));
768 	au_uwrite(au_to_arg32(3, "new file gid", gid));
769 }
770 
771 /* fchown start function */
772 /*ARGSUSED*/
773 static void
774 aus_fchown(struct t_audit_data *tad)
775 {
776 	klwp_t *clwp = ttolwp(curthread);
777 	uint32_t uid, gid, fd;
778 	struct file  *fp;
779 	struct vnode *vp;
780 	struct f_audit_data *fad;
781 
782 	struct a {
783 		long fd;
784 		long uid;
785 		long gid;
786 	} *uap = (struct a *)clwp->lwp_ap;
787 
788 	fd  = (uint32_t)uap->fd;
789 	uid = (uint32_t)uap->uid;
790 	gid = (uint32_t)uap->gid;
791 
792 	au_uwrite(au_to_arg32(2, "new file uid", uid));
793 	au_uwrite(au_to_arg32(3, "new file gid", gid));
794 
795 		/*
796 		 * convert file pointer to file descriptor
797 		 *   Note: fd ref count incremented here.
798 		 */
799 	if ((fp = getf(fd)) == NULL)
800 		return;
801 
802 	/* get path from file struct here */
803 	fad = F2A(fp);
804 	if (fad->fad_aupath != NULL) {
805 		au_uwrite(au_to_path(fad->fad_aupath));
806 	} else {
807 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
808 	}
809 
810 	vp = fp->f_vnode;
811 	audit_attributes(vp);
812 
813 	/* decrement file descriptor reference count */
814 	releasef(fd);
815 }
816 
817 /*ARGSUSED*/
818 static void
819 aus_lchown(struct t_audit_data *tad)
820 {
821 	klwp_t *clwp = ttolwp(curthread);
822 	uint32_t uid, gid;
823 
824 
825 	struct a {
826 		long	fname;		/* char	* */
827 		long	uid;
828 		long	gid;
829 	} *uap = (struct a *)clwp->lwp_ap;
830 
831 	uid = (uint32_t)uap->uid;
832 	gid = (uint32_t)uap->gid;
833 
834 	au_uwrite(au_to_arg32(2, "new file uid", uid));
835 	au_uwrite(au_to_arg32(3, "new file gid", gid));
836 }
837 
838 /* chmod start function */
839 /*ARGSUSED*/
840 static void
841 aus_chmod(struct t_audit_data *tad)
842 {
843 	klwp_t *clwp = ttolwp(curthread);
844 	uint32_t fmode;
845 
846 	struct a {
847 		long	fname;		/* char	* */
848 		long	fmode;
849 	} *uap = (struct a *)clwp->lwp_ap;
850 
851 	fmode = (uint32_t)uap->fmode;
852 
853 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
854 }
855 
856 /* chmod start function */
857 /*ARGSUSED*/
858 static void
859 aus_fchmod(struct t_audit_data *tad)
860 {
861 	klwp_t *clwp = ttolwp(curthread);
862 	uint32_t fmode, fd;
863 	struct file  *fp;
864 	struct vnode *vp;
865 	struct f_audit_data *fad;
866 
867 	struct a {
868 		long	fd;
869 		long	fmode;
870 	} *uap = (struct a *)clwp->lwp_ap;
871 
872 	fd = (uint32_t)uap->fd;
873 	fmode = (uint32_t)uap->fmode;
874 
875 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
876 
877 		/*
878 		 * convert file pointer to file descriptor
879 		 *   Note: fd ref count incremented here.
880 		 */
881 	if ((fp = getf(fd)) == NULL)
882 		return;
883 
884 		/* get path from file struct here */
885 	fad = F2A(fp);
886 	if (fad->fad_aupath != NULL) {
887 		au_uwrite(au_to_path(fad->fad_aupath));
888 	} else {
889 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
890 	}
891 
892 	vp = fp->f_vnode;
893 	audit_attributes(vp);
894 
895 	/* decrement file descriptor reference count */
896 	releasef(fd);
897 }
898 
899 
900 /* convert open to appropriate event */
901 static au_event_t
902 aui_open(au_event_t e)
903 {
904 	klwp_t *clwp = ttolwp(curthread);
905 	uint_t fm;
906 
907 	struct a {
908 		long	fnamep;		/* char	* */
909 		long	fmode;
910 		long	cmode;
911 	} *uap = (struct a *)clwp->lwp_ap;
912 
913 	fm = (uint_t)uap->fmode;
914 
915 	if (fm & O_WRONLY)
916 		e = AUE_OPEN_W;
917 	else if (fm & O_RDWR)
918 		e = AUE_OPEN_RW;
919 	else
920 		e = AUE_OPEN_R;
921 
922 	if (fm & O_CREAT)
923 		e += 1;
924 	if (fm & O_TRUNC)
925 		e += 2;
926 
927 	return (e);
928 }
929 
930 /*ARGSUSED*/
931 static void
932 aus_open(struct t_audit_data *tad)
933 {
934 	klwp_t *clwp = ttolwp(curthread);
935 	uint_t fm;
936 
937 	struct a {
938 		long	fnamep;		/* char	* */
939 		long	fmode;
940 		long	cmode;
941 	} *uap = (struct a *)clwp->lwp_ap;
942 
943 	fm = (uint_t)uap->fmode;
944 
945 	/* If no write, create, or trunc modes, mark as a public op */
946 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
947 		tad->tad_ctrl |= PAD_PUBLIC_EV;
948 }
949 
950 /* convert openat(2) to appropriate event */
951 static au_event_t
952 aui_fsat(au_event_t e)
953 {
954 	t_audit_data_t	*tad = U2A(u);
955 	klwp_t *clwp = ttolwp(curthread);
956 	uint_t fmcode, fm;
957 	struct a {
958 		long id;
959 		long arg1;
960 		long arg2;
961 		long arg3;
962 		long arg4;
963 		long arg5;
964 	} *uap = (struct a *)clwp->lwp_ap;
965 
966 	fmcode  = (uint_t)uap->id;
967 
968 	switch (fmcode) {
969 
970 	case 0: /* openat */
971 	case 1: /* openat64 */
972 		fm = (uint_t)uap->arg3;
973 		if (fm & O_WRONLY)
974 			e = AUE_OPENAT_W;
975 		else if (fm & O_RDWR)
976 			e = AUE_OPENAT_RW;
977 		else
978 			e = AUE_OPENAT_R;
979 
980 		/*
981 		 * openat modes are defined in the following order:
982 		 * Read only
983 		 * Read|Create
984 		 * Read|Trunc
985 		 * Read|Create|Trunc
986 		 * Write Only
987 		 * Write|Create
988 		 * Write|Trunc
989 		 * Write|Create|Trunc * RW Only
990 		 * RW|Create
991 		 * RW|Trunc
992 		 * RW|Create|Trunc
993 		 */
994 		if (fm & O_CREAT)
995 			e += 1;		/* increment to include CREAT in mode */
996 		if (fm & O_TRUNC)
997 			e += 2;		/* increment to include TRUNC in mode */
998 
999 		/* convert to appropriate au_ctrl */
1000 		tad->tad_ctrl |= PAD_SAVPATH;
1001 		if (fm & FXATTR)
1002 			tad->tad_ctrl |= PAD_ATPATH;
1003 
1004 
1005 		break;
1006 	case 2: /* fstatat64 */
1007 	case 3: /* fstatat */
1008 		e = AUE_FSTATAT;
1009 		break;
1010 	case 4: /* fchownat */
1011 		e = AUE_FCHOWNAT;
1012 		break;
1013 	case 5: /* unlinkat */
1014 		e = AUE_UNLINKAT;
1015 		break;
1016 	case 6: /* futimesat */
1017 		e = AUE_FUTIMESAT;
1018 		break;
1019 	case 7: /* renameat */
1020 		e = AUE_RENAMEAT;
1021 		break;
1022 	case 9: /* __openattrdirat */
1023 		tad->tad_ctrl |= PAD_SAVPATH;
1024 		/*FALLTHROUGH*/
1025 	default:
1026 		e = AUE_NULL;
1027 		break;
1028 	}
1029 
1030 	return (e);
1031 }
1032 
1033 /*ARGSUSED*/
1034 static void
1035 aus_fsat(struct t_audit_data *tad)
1036 {
1037 	klwp_t *clwp = ttolwp(curthread);
1038 	uint_t fmcode, fm;
1039 	struct a {
1040 		long id;
1041 		long arg1;
1042 		long arg2;
1043 		long arg3;
1044 		long arg4;
1045 		long arg5;
1046 	} *uap = (struct a *)clwp->lwp_ap;
1047 
1048 	fmcode  = (uint_t)uap->id;
1049 
1050 	switch (fmcode) {
1051 
1052 	case 0: /* openat */
1053 	case 1: /* openat64 */
1054 		fm = (uint_t)uap->arg3;
1055 		/* If no write, create, or trunc modes, mark as a public op */
1056 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1057 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1058 
1059 		break;
1060 	case 2: /* fstatat64 */
1061 	case 3: /* fstatat */
1062 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1063 		break;
1064 	default:
1065 		break;
1066 	}
1067 }
1068 
1069 /* msgsys */
1070 static au_event_t
1071 aui_msgsys(au_event_t e)
1072 {
1073 	klwp_t *clwp = ttolwp(curthread);
1074 	uint_t fm;
1075 
1076 	struct a {
1077 		long	id;	/* function code id */
1078 		long	ap;	/* arg pointer for recvmsg */
1079 	} *uap = (struct a *)clwp->lwp_ap;
1080 
1081 	struct b {
1082 		long	msgid;
1083 		long	cmd;
1084 		long	buf;	/* struct msqid_ds * */
1085 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1086 
1087 	fm  = (uint_t)uap->id;
1088 
1089 	switch (fm) {
1090 	case 0:		/* msgget */
1091 		e = AUE_MSGGET;
1092 		break;
1093 	case 1:		/* msgctl */
1094 		switch ((uint_t)uap1->cmd) {
1095 		case IPC_RMID:
1096 			e = AUE_MSGCTL_RMID;
1097 			break;
1098 		case IPC_SET:
1099 			e = AUE_MSGCTL_SET;
1100 			break;
1101 		case IPC_STAT:
1102 			e = AUE_MSGCTL_STAT;
1103 			break;
1104 		default:
1105 			e = AUE_MSGCTL;
1106 			break;
1107 		}
1108 		break;
1109 	case 2:		/* msgrcv */
1110 		e = AUE_MSGRCV;
1111 		break;
1112 	case 3:		/* msgsnd */
1113 		e = AUE_MSGSND;
1114 		break;
1115 	default:	/* illegal system call */
1116 		e = AUE_NULL;
1117 		break;
1118 	}
1119 
1120 	return (e);
1121 }
1122 
1123 
1124 /* shmsys */
1125 static au_event_t
1126 aui_shmsys(au_event_t e)
1127 {
1128 	klwp_t *clwp = ttolwp(curthread);
1129 	int fm;
1130 
1131 	struct a {		/* shmsys */
1132 		long	id;	/* function code id */
1133 	} *uap = (struct a *)clwp->lwp_ap;
1134 
1135 	struct b {		/* ctrl */
1136 		long	shmid;
1137 		long	cmd;
1138 		long	arg;		/* struct shmid_ds * */
1139 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1140 	fm  = (uint_t)uap->id;
1141 
1142 	switch (fm) {
1143 	case 0:		/* shmat */
1144 		e = AUE_SHMAT;
1145 		break;
1146 	case 1:		/* shmctl */
1147 		switch ((uint_t)uap1->cmd) {
1148 		case IPC_RMID:
1149 			e = AUE_SHMCTL_RMID;
1150 			break;
1151 		case IPC_SET:
1152 			e = AUE_SHMCTL_SET;
1153 			break;
1154 		case IPC_STAT:
1155 			e = AUE_SHMCTL_STAT;
1156 			break;
1157 		default:
1158 			e = AUE_SHMCTL;
1159 			break;
1160 		}
1161 		break;
1162 	case 2:		/* shmdt */
1163 		e = AUE_SHMDT;
1164 		break;
1165 	case 3:		/* shmget */
1166 		e = AUE_SHMGET;
1167 		break;
1168 	default:	/* illegal system call */
1169 		e = AUE_NULL;
1170 		break;
1171 	}
1172 
1173 	return (e);
1174 }
1175 
1176 
1177 /* semsys */
1178 static au_event_t
1179 aui_semsys(au_event_t e)
1180 {
1181 	klwp_t *clwp = ttolwp(curthread);
1182 	uint_t fm;
1183 
1184 	struct a {		/* semsys */
1185 		long	id;
1186 	} *uap = (struct a *)clwp->lwp_ap;
1187 
1188 	struct b {		/* ctrl */
1189 		long	semid;
1190 		long	semnum;
1191 		long	cmd;
1192 		long	arg;
1193 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1194 
1195 	fm = (uint_t)uap->id;
1196 
1197 	switch (fm) {
1198 	case 0:		/* semctl */
1199 		switch ((uint_t)uap1->cmd) {
1200 		case IPC_RMID:
1201 			e = AUE_SEMCTL_RMID;
1202 			break;
1203 		case IPC_SET:
1204 			e = AUE_SEMCTL_SET;
1205 			break;
1206 		case IPC_STAT:
1207 			e = AUE_SEMCTL_STAT;
1208 			break;
1209 		case GETNCNT:
1210 			e = AUE_SEMCTL_GETNCNT;
1211 			break;
1212 		case GETPID:
1213 			e = AUE_SEMCTL_GETPID;
1214 			break;
1215 		case GETVAL:
1216 			e = AUE_SEMCTL_GETVAL;
1217 			break;
1218 		case GETALL:
1219 			e = AUE_SEMCTL_GETALL;
1220 			break;
1221 		case GETZCNT:
1222 			e = AUE_SEMCTL_GETZCNT;
1223 			break;
1224 		case SETVAL:
1225 			e = AUE_SEMCTL_SETVAL;
1226 			break;
1227 		case SETALL:
1228 			e = AUE_SEMCTL_SETALL;
1229 			break;
1230 		default:
1231 			e = AUE_SEMCTL;
1232 			break;
1233 		}
1234 		break;
1235 	case 1:		/* semget */
1236 		e = AUE_SEMGET;
1237 		break;
1238 	case 2:		/* semop */
1239 		e = AUE_SEMOP;
1240 		break;
1241 	default:	/* illegal system call */
1242 		e = AUE_NULL;
1243 		break;
1244 	}
1245 
1246 	return (e);
1247 }
1248 
1249 /* utssys - uname(2), ustat(2), fusers(2) */
1250 static au_event_t
1251 aui_utssys(au_event_t e)
1252 {
1253 	klwp_t *clwp = ttolwp(curthread);
1254 	uint_t type;
1255 
1256 	struct a {
1257 		union {
1258 			long	cbuf;		/* char * */
1259 			long	ubuf;		/* struct stat * */
1260 		} ub;
1261 		union {
1262 			long	mv;	/* for USTAT */
1263 			long	flags;	/* for FUSERS */
1264 		} un;
1265 		long	type;
1266 		long	outbp;		/* char * for FUSERS */
1267 	} *uap = (struct a *)clwp->lwp_ap;
1268 
1269 	type = (uint_t)uap->type;
1270 
1271 	if (type == UTS_FUSERS)
1272 		return (e);
1273 	else
1274 		return ((au_event_t)AUE_NULL);
1275 }
1276 
1277 static au_event_t
1278 aui_fcntl(au_event_t e)
1279 {
1280 	klwp_t *clwp = ttolwp(curthread);
1281 	uint_t cmd;
1282 
1283 	struct a {
1284 		long	fdes;
1285 		long	cmd;
1286 		long	arg;
1287 	} *uap = (struct a *)clwp->lwp_ap;
1288 
1289 	cmd = (uint_t)uap->cmd;
1290 
1291 	switch (cmd) {
1292 	case F_GETLK:
1293 	case F_SETLK:
1294 	case F_SETLKW:
1295 		break;
1296 	case F_SETFL:
1297 	case F_GETFL:
1298 	case F_GETFD:
1299 		break;
1300 	default:
1301 		e = (au_event_t)AUE_NULL;
1302 		break;
1303 	}
1304 	return ((au_event_t)e);
1305 }
1306 
1307 /* null function for now */
1308 static au_event_t
1309 aui_execv(au_event_t e)
1310 {
1311 	return (e);
1312 }
1313 
1314 /* null function for now */
1315 static au_event_t
1316 aui_execve(au_event_t e)
1317 {
1318 	return (e);
1319 }
1320 
1321 /*ARGSUSED*/
1322 static void
1323 aus_fcntl(struct t_audit_data *tad)
1324 {
1325 	klwp_t *clwp = ttolwp(curthread);
1326 	uint32_t cmd, fd;
1327 	struct file  *fp;
1328 	struct vnode *vp;
1329 	struct f_audit_data *fad;
1330 
1331 	struct a {
1332 		long	fd;
1333 		long	cmd;
1334 		long	arg;
1335 	} *uap = (struct a *)clwp->lwp_ap;
1336 
1337 	cmd = (uint32_t)uap->cmd;
1338 	fd  = (uint32_t)uap->fd;
1339 
1340 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1341 
1342 		/*
1343 		 * convert file pointer to file descriptor
1344 		 *   Note: fd ref count incremented here.
1345 		 */
1346 	if ((fp = getf(fd)) == NULL)
1347 		return;
1348 
1349 	/* get path from file struct here */
1350 	fad = F2A(fp);
1351 	if (fad->fad_aupath != NULL) {
1352 		au_uwrite(au_to_path(fad->fad_aupath));
1353 	} else {
1354 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1355 	}
1356 
1357 	vp = fp->f_vnode;
1358 	audit_attributes(vp);
1359 
1360 	/* decrement file descriptor reference count */
1361 	releasef(fd);
1362 }
1363 
1364 /*ARGSUSED*/
1365 static void
1366 aus_kill(struct t_audit_data *tad)
1367 {
1368 	klwp_t *clwp = ttolwp(curthread);
1369 	struct proc *p;
1370 	uint32_t signo;
1371 	uid_t uid, ruid;
1372 	gid_t gid, rgid;
1373 	pid_t pid;
1374 	const auditinfo_addr_t *ainfo;
1375 	cred_t *cr;
1376 
1377 	struct a {
1378 		long	pid;
1379 		long	signo;
1380 	} *uap = (struct a *)clwp->lwp_ap;
1381 
1382 	pid   = (pid_t)uap->pid;
1383 	signo = (uint32_t)uap->signo;
1384 
1385 	au_uwrite(au_to_arg32(2, "signal", signo));
1386 	if (pid > 0) {
1387 		mutex_enter(&pidlock);
1388 		if (((p = prfind(pid)) == (struct proc *)0) ||
1389 		    (p->p_stat == SIDL)) {
1390 			mutex_exit(&pidlock);
1391 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1392 			return;
1393 		}
1394 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1395 		mutex_exit(&pidlock);
1396 
1397 		mutex_enter(&p->p_crlock);
1398 		crhold(cr = p->p_cred);
1399 		mutex_exit(&p->p_crlock);
1400 		mutex_exit(&p->p_lock);
1401 
1402 		ainfo = crgetauinfo(cr);
1403 		if (ainfo == NULL) {
1404 			crfree(cr);
1405 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1406 			return;
1407 		}
1408 
1409 		uid  = crgetuid(cr);
1410 		gid  = crgetgid(cr);
1411 		ruid = crgetruid(cr);
1412 		rgid = crgetrgid(cr);
1413 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1414 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1415 
1416 		if (is_system_labeled())
1417 			au_uwrite(au_to_label(CR_SL(cr)));
1418 
1419 		crfree(cr);
1420 	}
1421 	else
1422 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1423 }
1424 
1425 /*ARGSUSED*/
1426 static void
1427 aus_mkdir(struct t_audit_data *tad)
1428 {
1429 	klwp_t *clwp = ttolwp(curthread);
1430 	uint32_t dmode;
1431 
1432 	struct a {
1433 		long	dirnamep;		/* char * */
1434 		long	dmode;
1435 	} *uap = (struct a *)clwp->lwp_ap;
1436 
1437 	dmode = (uint32_t)uap->dmode;
1438 
1439 	au_uwrite(au_to_arg32(2, "mode", dmode));
1440 }
1441 
1442 /*ARGSUSED*/
1443 static void
1444 aus_mknod(struct t_audit_data *tad)
1445 {
1446 	klwp_t *clwp = ttolwp(curthread);
1447 	uint32_t fmode;
1448 	dev_t dev;
1449 
1450 	struct a {
1451 		long	pnamep;		/* char * */
1452 		long	fmode;
1453 		long	dev;
1454 	} *uap = (struct a *)clwp->lwp_ap;
1455 
1456 	fmode = (uint32_t)uap->fmode;
1457 	dev   = (dev_t)uap->dev;
1458 
1459 	au_uwrite(au_to_arg32(2, "mode", fmode));
1460 #ifdef _LP64
1461 	au_uwrite(au_to_arg64(3, "dev", dev));
1462 #else
1463 	au_uwrite(au_to_arg32(3, "dev", dev));
1464 #endif
1465 }
1466 
1467 /*ARGSUSED*/
1468 static void
1469 aus_xmknod(struct t_audit_data *tad)
1470 {
1471 	klwp_t *clwp = ttolwp(curthread);
1472 	uint32_t fmode;
1473 	dev_t dev;
1474 
1475 	struct a {
1476 		long	version;	/* version */
1477 		long	pnamep;		/* char * */
1478 		long	fmode;
1479 		long	dev;
1480 	} *uap = (struct a *)clwp->lwp_ap;
1481 
1482 	fmode = (uint32_t)uap->fmode;
1483 	dev   = (dev_t)uap->dev;
1484 
1485 	au_uwrite(au_to_arg32(2, "mode", fmode));
1486 #ifdef _LP64
1487 	au_uwrite(au_to_arg64(3, "dev", dev));
1488 #else
1489 	au_uwrite(au_to_arg32(3, "dev", dev));
1490 #endif
1491 }
1492 
1493 /*ARGSUSED*/
1494 static void
1495 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1496 {
1497 	klwp_t *clwp = ttolwp(curthread);
1498 	vnode_t	*dvp;
1499 	caddr_t pnamep;
1500 
1501 	struct a {
1502 		long	pnamep;		/* char * */
1503 		long	fmode;
1504 		long	dev;
1505 	} *uap = (struct a *)clwp->lwp_ap;
1506 
1507 	/* no error, then already path token in audit record */
1508 	if (error != EPERM)
1509 		return;
1510 
1511 	/* not auditing this event, nothing then to do */
1512 	if (tad->tad_flag == 0)
1513 		return;
1514 
1515 	/* do the lookup to force generation of path token */
1516 	pnamep = (caddr_t)uap->pnamep;
1517 	tad->tad_ctrl |= PAD_NOATTRB;
1518 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1519 	if (error == 0)
1520 		VN_RELE(dvp);
1521 }
1522 
1523 /*ARGSUSED*/
1524 static void
1525 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1526 {
1527 	klwp_t *clwp = ttolwp(curthread);
1528 	vnode_t	*dvp;
1529 	caddr_t pnamep;
1530 
1531 	struct a {
1532 		long	version;	/* version */
1533 		long	pnamep;		/* char * */
1534 		long	fmode;
1535 		long	dev;
1536 	} *uap = (struct a *)clwp->lwp_arg;
1537 
1538 
1539 	/* no error, then already path token in audit record */
1540 	if (error != EPERM)
1541 		return;
1542 
1543 	/* not auditing this event, nothing then to do */
1544 	if (tad->tad_flag == 0)
1545 		return;
1546 
1547 	/* do the lookup to force generation of path token */
1548 	pnamep = (caddr_t)uap->pnamep;
1549 	tad->tad_ctrl |= PAD_NOATTRB;
1550 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1551 	if (error == 0)
1552 		VN_RELE(dvp);
1553 }
1554 
1555 /*ARGSUSED*/
1556 static void
1557 aus_mount(struct t_audit_data *tad)
1558 {	/* AUS_START */
1559 	klwp_t *clwp = ttolwp(curthread);
1560 	uint32_t flags;
1561 	uintptr_t u_fstype, dataptr;
1562 	STRUCT_DECL(nfs_args, nfsargs);
1563 	size_t len;
1564 	char *fstype, *hostname;
1565 
1566 	struct a {
1567 		long	spec;		/* char    * */
1568 		long	dir;		/* char    * */
1569 		long	flags;
1570 		long	fstype;		/* char    * */
1571 		long	dataptr;	/* char    * */
1572 		long	datalen;
1573 	} *uap = (struct a *)clwp->lwp_ap;
1574 
1575 	u_fstype = (uintptr_t)uap->fstype;
1576 	flags    = (uint32_t)uap->flags;
1577 	dataptr  = (uintptr_t)uap->dataptr;
1578 
1579 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1580 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1581 		goto mount_free_fstype;
1582 
1583 	au_uwrite(au_to_arg32(3, "flags", flags));
1584 	au_uwrite(au_to_text(fstype));
1585 
1586 	if (strncmp(fstype, "nfs", 3) == 0) {
1587 
1588 		STRUCT_INIT(nfsargs, get_udatamodel());
1589 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1590 
1591 		if (copyin((caddr_t)dataptr,
1592 				STRUCT_BUF(nfsargs),
1593 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1594 			/* DEBUG debug_enter((char *)NULL); */
1595 			goto mount_free_fstype;
1596 		}
1597 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1598 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1599 				(caddr_t)hostname,
1600 				MAXNAMELEN, &len)) {
1601 			goto mount_free_hostname;
1602 		}
1603 		au_uwrite(au_to_text(hostname));
1604 		au_uwrite(au_to_arg32(3, "internal flags",
1605 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1606 
1607 mount_free_hostname:
1608 		kmem_free(hostname, MAXNAMELEN);
1609 	}
1610 
1611 mount_free_fstype:
1612 	kmem_free(fstype, MAXNAMELEN);
1613 }	/* AUS_MOUNT */
1614 
1615 static void
1616 aus_umount_path(caddr_t umount_dir)
1617 {
1618 	char			*dir_path;
1619 	struct audit_path	*path;
1620 	size_t			path_len, dir_len;
1621 
1622 	/* length alloc'd for two string pointers */
1623 	path_len = sizeof (struct audit_path) + sizeof (char *);
1624 	path = kmem_alloc(path_len, KM_SLEEP);
1625 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1626 
1627 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1628 	    MAXPATHLEN, &dir_len))
1629 		goto umount2_free_dir;
1630 
1631 	/*
1632 	 * the audit_path struct assumes that the buffer pointed to
1633 	 * by audp_sect[n] contains string 0 immediatedly followed
1634 	 * by string 1.
1635 	 */
1636 	path->audp_sect[0] = dir_path;
1637 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1638 	path->audp_size = path_len;
1639 	path->audp_ref = 1;		/* not used */
1640 	path->audp_cnt = 1;		/* one path string */
1641 
1642 	au_uwrite(au_to_path(path));
1643 
1644 umount2_free_dir:
1645 	kmem_free(dir_path, MAXPATHLEN);
1646 	kmem_free(path, path_len);
1647 }
1648 
1649 /*
1650  * the umount syscall is implemented as a call to umount2, but the args
1651  * are different...
1652  */
1653 
1654 /*ARGSUSED*/
1655 static void
1656 aus_umount(struct t_audit_data *tad)
1657 {
1658 	klwp_t			*clwp = ttolwp(curthread);
1659 	struct a {
1660 		long	dir;		/* char    * */
1661 	} *uap = (struct a *)clwp->lwp_ap;
1662 
1663 	aus_umount_path((caddr_t)uap->dir);
1664 }
1665 
1666 /*ARGSUSED*/
1667 static void
1668 aus_umount2(struct t_audit_data *tad)
1669 {
1670 	klwp_t			*clwp = ttolwp(curthread);
1671 	struct a {
1672 		long	dir;		/* char    * */
1673 		long	flags;
1674 	} *uap = (struct a *)clwp->lwp_ap;
1675 
1676 	aus_umount_path((caddr_t)uap->dir);
1677 
1678 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1679 }
1680 
1681 static void
1682 aus_msgsys(struct t_audit_data *tad)
1683 {
1684 	klwp_t *clwp = ttolwp(curthread);
1685 	uint32_t msgid;
1686 
1687 	struct b {
1688 		long	msgid;
1689 		long	cmd;
1690 		long	buf;		/* struct msqid_ds * */
1691 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1692 
1693 	msgid = (uint32_t)uap1->msgid;
1694 
1695 
1696 	switch (tad->tad_event) {
1697 	case AUE_MSGGET:		/* msgget */
1698 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1699 		break;
1700 	case AUE_MSGCTL:		/* msgctl */
1701 	case AUE_MSGCTL_RMID:		/* msgctl */
1702 	case AUE_MSGCTL_STAT:		/* msgctl */
1703 	case AUE_MSGRCV:		/* msgrcv */
1704 	case AUE_MSGSND:		/* msgsnd */
1705 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1706 		break;
1707 	case AUE_MSGCTL_SET:		/* msgctl */
1708 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1709 		break;
1710 	}
1711 }
1712 
1713 /*ARGSUSED*/
1714 static void
1715 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1716 {
1717 	int id;
1718 
1719 	if (error != 0)
1720 		return;
1721 	if (tad->tad_event == AUE_MSGGET) {
1722 		uint32_t scid;
1723 		uint32_t sy_flags;
1724 
1725 		/* need to determine type of executing binary */
1726 		scid = tad->tad_scid;
1727 #ifdef _SYSCALL32_IMPL
1728 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1729 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1730 		else
1731 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1732 #else
1733 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1734 #endif
1735 		if (sy_flags == SE_32RVAL1)
1736 			id = rval->r_val1;
1737 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1738 			id = rval->r_val1;
1739 		if (sy_flags == SE_64RVAL)
1740 			id = (int)rval->r_vals;
1741 
1742 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1743 	}
1744 }
1745 
1746 static void
1747 aus_semsys(struct t_audit_data *tad)
1748 {
1749 	klwp_t *clwp = ttolwp(curthread);
1750 	uint32_t semid;
1751 
1752 	struct b {		/* ctrl */
1753 		long	semid;
1754 		long	semnum;
1755 		long	cmd;
1756 		long	arg;
1757 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1758 
1759 	semid = (uint32_t)uap1->semid;
1760 
1761 	switch (tad->tad_event) {
1762 	case AUE_SEMCTL_RMID:
1763 	case AUE_SEMCTL_STAT:
1764 	case AUE_SEMCTL_GETNCNT:
1765 	case AUE_SEMCTL_GETPID:
1766 	case AUE_SEMCTL_GETVAL:
1767 	case AUE_SEMCTL_GETALL:
1768 	case AUE_SEMCTL_GETZCNT:
1769 	case AUE_SEMCTL_SETVAL:
1770 	case AUE_SEMCTL_SETALL:
1771 	case AUE_SEMCTL:
1772 	case AUE_SEMOP:
1773 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1774 		break;
1775 	case AUE_SEMCTL_SET:
1776 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1777 		break;
1778 	case AUE_SEMGET:
1779 		au_uwrite(au_to_arg32(1, "sem key", semid));
1780 		break;
1781 	}
1782 }
1783 
1784 /*ARGSUSED*/
1785 static void
1786 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1787 {
1788 	int id;
1789 
1790 	if (error != 0)
1791 		return;
1792 	if (tad->tad_event == AUE_SEMGET) {
1793 		uint32_t scid;
1794 		uint32_t sy_flags;
1795 
1796 		/* need to determine type of executing binary */
1797 		scid = tad->tad_scid;
1798 #ifdef _SYSCALL32_IMPL
1799 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1800 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1801 		else
1802 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1803 #else
1804 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1805 #endif
1806 		if (sy_flags == SE_32RVAL1)
1807 			id = rval->r_val1;
1808 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1809 			id = rval->r_val1;
1810 		if (sy_flags == SE_64RVAL)
1811 			id = (int)rval->r_vals;
1812 
1813 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1814 	}
1815 }
1816 
1817 /*ARGSUSED*/
1818 static void
1819 aus_close(struct t_audit_data *tad)
1820 {
1821 	klwp_t *clwp = ttolwp(curthread);
1822 	uint32_t fd;
1823 	struct file *fp;
1824 	struct f_audit_data *fad;
1825 	struct vnode *vp;
1826 	struct vattr attr;
1827 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1828 
1829 	struct a {
1830 		long	i;
1831 	} *uap = (struct a *)clwp->lwp_ap;
1832 
1833 	fd = (uint32_t)uap->i;
1834 
1835 	attr.va_mask = 0;
1836 	au_uwrite(au_to_arg32(1, "fd", fd));
1837 
1838 		/*
1839 		 * convert file pointer to file descriptor
1840 		 *   Note: fd ref count incremented here.
1841 		 */
1842 	if ((fp = getf(fd)) == NULL)
1843 		return;
1844 
1845 	fad = F2A(fp);
1846 	tad->tad_evmod = (short)fad->fad_flags;
1847 	if (fad->fad_aupath != NULL) {
1848 		au_uwrite(au_to_path(fad->fad_aupath));
1849 		if ((vp = fp->f_vnode) != NULL) {
1850 			attr.va_mask = AT_ALL;
1851 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1852 				/*
1853 				 * When write was not used and the file can be
1854 				 * considered public, skip the audit.
1855 				 */
1856 				if (((fp->f_flag & FWRITE) == 0) &&
1857 				    file_is_public(&attr)) {
1858 					tad->tad_flag = 0;
1859 					tad->tad_evmod = 0;
1860 					/* free any residual audit data */
1861 					au_close(kctx, &(u_ad), 0, 0, 0);
1862 					releasef(fd);
1863 					return;
1864 				}
1865 				au_uwrite(au_to_attr(&attr));
1866 				audit_sec_attributes(&(u_ad), vp);
1867 			}
1868 		}
1869 	}
1870 
1871 	/* decrement file descriptor reference count */
1872 	releasef(fd);
1873 }
1874 
1875 /*ARGSUSED*/
1876 static void
1877 aus_fstatfs(struct t_audit_data *tad)
1878 {
1879 	klwp_t *clwp = ttolwp(curthread);
1880 	uint32_t fd;
1881 	struct file  *fp;
1882 	struct vnode *vp;
1883 	struct f_audit_data *fad;
1884 
1885 	struct a {
1886 		long	fd;
1887 		long	buf;		/* struct statfs * */
1888 	} *uap = (struct a *)clwp->lwp_ap;
1889 
1890 	fd = (uint_t)uap->fd;
1891 
1892 		/*
1893 		 * convert file pointer to file descriptor
1894 		 *   Note: fd ref count incremented here.
1895 		 */
1896 	if ((fp = getf(fd)) == NULL)
1897 		return;
1898 
1899 		/* get path from file struct here */
1900 	fad = F2A(fp);
1901 	if (fad->fad_aupath != NULL) {
1902 		au_uwrite(au_to_path(fad->fad_aupath));
1903 	} else {
1904 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1905 	}
1906 
1907 	vp = fp->f_vnode;
1908 	audit_attributes(vp);
1909 
1910 	/* decrement file descriptor reference count */
1911 	releasef(fd);
1912 }
1913 
1914 #ifdef NOTYET
1915 /*ARGSUSED*/
1916 static void
1917 aus_setpgrp(struct t_audit_data *tad)
1918 {
1919 	klwp_t *clwp = ttolwp(curthread);
1920 	uint32_t pgrp;
1921 	struct proc *p;
1922 	uid_t uid, ruid;
1923 	gid_t gid, rgid;
1924 	pid_t pid;
1925 	const auditinfo_addr_t *ainfo;
1926 	cred_t *cr;
1927 
1928 	struct a {
1929 		long	pid;
1930 		long	pgrp;
1931 	} *uap = (struct a *)clwp->lwp_ap;
1932 
1933 	pid  = (pid_t)uap->pid;
1934 	pgrp = (uint32_t)uap->pgrp;
1935 
1936 		/* current process? */
1937 	if (pid == 0)
1938 		(return);
1939 
1940 	mutex_enter(&pidlock);
1941 	p = prfind(pid);
1942 	if (p == NULL || p->p_as == &kas) {
1943 		mutex_exit(&pidlock);
1944 		return;
1945 	}
1946 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1947 	mutex_exit(&pidlock);
1948 
1949 	mutex_enter(&p->p_crlock);
1950 	crhold(cr = p->p_cred);
1951 	mutex_exit(&p->p_crlock);
1952 	mutex_exit(&p->p_lock);
1953 
1954 	ainfo = crgetauinfo(cr);
1955 	if (ainfo == NULL) {
1956 		crfree(cr);
1957 		return;
1958 	}
1959 
1960 	uid  = crgetuid(cr);
1961 	gid  = crgetgid(cr);
1962 	ruid = crgetruid(cr);
1963 	rgid = crgetrgid(cr);
1964 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1965 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1966 	crfree(cr);
1967 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1968 }
1969 #endif
1970 
1971 /*ARGSUSED*/
1972 static void
1973 aus_setregid(struct t_audit_data *tad)
1974 {
1975 	klwp_t *clwp = ttolwp(curthread);
1976 	uint32_t rgid, egid;
1977 
1978 	struct a {
1979 		long	 rgid;
1980 		long	 egid;
1981 	} *uap = (struct a *)clwp->lwp_ap;
1982 
1983 	rgid  = (uint32_t)uap->rgid;
1984 	egid  = (uint32_t)uap->egid;
1985 
1986 	au_uwrite(au_to_arg32(1, "rgid", rgid));
1987 	au_uwrite(au_to_arg32(2, "egid", egid));
1988 }
1989 
1990 /*ARGSUSED*/
1991 static void
1992 aus_setgid(struct t_audit_data *tad)
1993 {
1994 	klwp_t *clwp = ttolwp(curthread);
1995 	uint32_t gid;
1996 
1997 	struct a {
1998 		long	gid;
1999 	} *uap = (struct a *)clwp->lwp_ap;
2000 
2001 	gid = (uint32_t)uap->gid;
2002 
2003 	au_uwrite(au_to_arg32(1, "gid", gid));
2004 }
2005 
2006 
2007 /*ARGSUSED*/
2008 static void
2009 aus_setreuid(struct t_audit_data *tad)
2010 {
2011 	klwp_t *clwp = ttolwp(curthread);
2012 	uint32_t ruid, euid;
2013 
2014 	struct a {
2015 		long	ruid;
2016 		long	euid;
2017 	} *uap = (struct a *)clwp->lwp_ap;
2018 
2019 	ruid = (uint32_t)uap->ruid;
2020 	euid  = (uint32_t)uap->euid;
2021 
2022 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2023 	au_uwrite(au_to_arg32(2, "euid", euid));
2024 }
2025 
2026 
2027 /*ARGSUSED*/
2028 static void
2029 aus_setuid(struct t_audit_data *tad)
2030 {
2031 	klwp_t *clwp = ttolwp(curthread);
2032 	uint32_t uid;
2033 
2034 	struct a {
2035 		long	uid;
2036 	} *uap = (struct a *)clwp->lwp_ap;
2037 
2038 	uid = (uint32_t)uap->uid;
2039 
2040 	au_uwrite(au_to_arg32(1, "uid", uid));
2041 }
2042 
2043 /*ARGSUSED*/
2044 static void
2045 aus_shmsys(struct t_audit_data *tad)
2046 {
2047 	klwp_t *clwp = ttolwp(curthread);
2048 	uint32_t id, cmd;
2049 
2050 	struct b {
2051 		long	id;
2052 		long	cmd;
2053 		long	buf;		/* struct shmid_ds * */
2054 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2055 
2056 	id  = (uint32_t)uap1->id;
2057 	cmd = (uint32_t)uap1->cmd;
2058 
2059 	switch (tad->tad_event) {
2060 	case AUE_SHMGET:			/* shmget */
2061 		au_uwrite(au_to_arg32(1, "shm key", id));
2062 		break;
2063 	case AUE_SHMCTL:			/* shmctl */
2064 	case AUE_SHMCTL_RMID:			/* shmctl */
2065 	case AUE_SHMCTL_STAT:			/* shmctl */
2066 	case AUE_SHMCTL_SET:			/* shmctl */
2067 		au_uwrite(au_to_arg32(1, "shm ID", id));
2068 		break;
2069 	case AUE_SHMDT:				/* shmdt */
2070 		au_uwrite(au_to_arg32(1, "shm adr", id));
2071 		break;
2072 	case AUE_SHMAT:				/* shmat */
2073 		au_uwrite(au_to_arg32(1, "shm ID", id));
2074 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2075 		break;
2076 	}
2077 }
2078 
2079 /*ARGSUSED*/
2080 static void
2081 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2082 {
2083 	int id;
2084 
2085 	if (error != 0)
2086 		return;
2087 	if (tad->tad_event == AUE_SHMGET) {
2088 		uint32_t scid;
2089 		uint32_t sy_flags;
2090 
2091 		/* need to determine type of executing binary */
2092 		scid = tad->tad_scid;
2093 #ifdef _SYSCALL32_IMPL
2094 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2095 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2096 		else
2097 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2098 #else
2099 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2100 #endif
2101 		if (sy_flags == SE_32RVAL1)
2102 			id = rval->r_val1;
2103 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2104 			id = rval->r_val1;
2105 		if (sy_flags == SE_64RVAL)
2106 			id = (int)rval->r_vals;
2107 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2108 	}
2109 }
2110 
2111 
2112 /*ARGSUSED*/
2113 static void
2114 aus_ioctl(struct t_audit_data *tad)
2115 {
2116 	klwp_t *clwp = ttolwp(curthread);
2117 	struct file *fp;
2118 	struct vnode *vp;
2119 	struct f_audit_data *fad;
2120 	uint32_t fd, cmd;
2121 	uintptr_t cmarg;
2122 
2123 	/* XX64 */
2124 	struct a {
2125 		long	fd;
2126 		long	cmd;
2127 		long	cmarg;		/* caddr_t */
2128 	} *uap = (struct a *)clwp->lwp_ap;
2129 
2130 	fd    = (uint32_t)uap->fd;
2131 	cmd   = (uint32_t)uap->cmd;
2132 	cmarg = (uintptr_t)uap->cmarg;
2133 
2134 		/*
2135 		 * convert file pointer to file descriptor
2136 		 *   Note: fd ref count incremented here.
2137 		 */
2138 	if ((fp = getf(fd)) == NULL) {
2139 		au_uwrite(au_to_arg32(1, "fd", fd));
2140 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2141 #ifndef _LP64
2142 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2143 #else
2144 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2145 #endif
2146 		return;
2147 	}
2148 
2149 	/* get path from file struct here */
2150 	fad = F2A(fp);
2151 	if (fad->fad_aupath != NULL) {
2152 		au_uwrite(au_to_path(fad->fad_aupath));
2153 	} else {
2154 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2155 	}
2156 
2157 	vp = fp->f_vnode;
2158 	audit_attributes(vp);
2159 
2160 	/* decrement file descriptor reference count */
2161 	releasef(fd);
2162 
2163 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2164 #ifndef _LP64
2165 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2166 #else
2167 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2168 #endif
2169 }
2170 
2171 /*
2172  * null function for memcntl for now. We might want to limit memcntl()
2173  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2174  * require privileges.
2175  */
2176 static au_event_t
2177 aui_memcntl(au_event_t e)
2178 {
2179 	return (e);
2180 }
2181 
2182 /*ARGSUSED*/
2183 static au_event_t
2184 aui_privsys(au_event_t e)
2185 {
2186 	klwp_t *clwp = ttolwp(curthread);
2187 
2188 	struct a {
2189 		long	opcode;
2190 	} *uap = (struct a *)clwp->lwp_ap;
2191 
2192 	switch (uap->opcode) {
2193 	case PRIVSYS_SETPPRIV:
2194 		return (AUE_SETPPRIV);
2195 	default:
2196 		return (AUE_NULL);
2197 	}
2198 }
2199 
2200 /*ARGSUSED*/
2201 static void
2202 aus_memcntl(struct t_audit_data *tad)
2203 {
2204 	klwp_t *clwp = ttolwp(curthread);
2205 
2206 	struct a {
2207 		long	addr;
2208 		long	len;
2209 		long	cmd;
2210 		long	arg;
2211 		long	attr;
2212 		long	mask;
2213 	} *uap = (struct a *)clwp->lwp_ap;
2214 
2215 #ifdef _LP64
2216 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2217 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2218 #else
2219 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2220 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2221 #endif
2222 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2223 #ifdef _LP64
2224 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2225 #else
2226 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2227 #endif
2228 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2229 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2230 }
2231 
2232 /*ARGSUSED*/
2233 static void
2234 aus_mmap(struct t_audit_data *tad)
2235 {
2236 	klwp_t *clwp = ttolwp(curthread);
2237 	struct file *fp;
2238 	struct f_audit_data *fad;
2239 	struct vnode *vp;
2240 	uint32_t fd;
2241 
2242 	struct a {
2243 		long	addr;
2244 		long	len;
2245 		long	prot;
2246 		long	flags;
2247 		long	fd;
2248 		long	pos;
2249 	} *uap = (struct a *)clwp->lwp_ap;
2250 
2251 	fd = (uint32_t)uap->fd;
2252 
2253 #ifdef _LP64
2254 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2255 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2256 #else
2257 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2258 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2259 #endif
2260 
2261 	if ((fp = getf(fd)) == NULL) {
2262 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2263 		return;
2264 	}
2265 
2266 	/*
2267 	 * Mark in the tad if write access is NOT requested... if
2268 	 * this is later detected (in audit_attributes) to be a
2269 	 * public object, the mmap event may be discarded.
2270 	 */
2271 	if (((uap->prot) & PROT_WRITE) == 0) {
2272 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2273 	}
2274 
2275 	fad = F2A(fp);
2276 	if (fad->fad_aupath != NULL) {
2277 		au_uwrite(au_to_path(fad->fad_aupath));
2278 	} else {
2279 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2280 	}
2281 
2282 	vp = (struct vnode *)fp->f_vnode;
2283 	audit_attributes(vp);
2284 
2285 	/* mark READ/WRITE since we can't predict access */
2286 	if (uap->prot & PROT_READ)
2287 		fad->fad_flags |= FAD_READ;
2288 	if (uap->prot & PROT_WRITE)
2289 		fad->fad_flags |= FAD_WRITE;
2290 
2291 	/* decrement file descriptor reference count */
2292 	releasef(fd);
2293 
2294 }	/* AUS_MMAP */
2295 
2296 
2297 
2298 
2299 /*ARGSUSED*/
2300 static void
2301 aus_munmap(struct t_audit_data *tad)
2302 {
2303 	klwp_t *clwp = ttolwp(curthread);
2304 
2305 	struct a {
2306 		long	addr;
2307 		long	len;
2308 	} *uap = (struct a *)clwp->lwp_ap;
2309 
2310 #ifdef _LP64
2311 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2312 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2313 #else
2314 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2315 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2316 #endif
2317 
2318 }	/* AUS_MUNMAP */
2319 
2320 
2321 
2322 
2323 
2324 
2325 
2326 /*ARGSUSED*/
2327 static void
2328 aus_priocntlsys(struct t_audit_data *tad)
2329 {
2330 	klwp_t *clwp = ttolwp(curthread);
2331 
2332 	struct a {
2333 		long	pc_version;
2334 		long	psp;		/* procset_t */
2335 		long	cmd;
2336 		long	arg;
2337 	} *uap = (struct a *)clwp->lwp_ap;
2338 
2339 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2340 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2341 
2342 }	/* AUS_PRIOCNTLSYS */
2343 
2344 
2345 /*ARGSUSED*/
2346 static void
2347 aus_setegid(struct t_audit_data *tad)
2348 {
2349 	klwp_t *clwp = ttolwp(curthread);
2350 	uint32_t gid;
2351 
2352 	struct a {
2353 		long	gid;
2354 	} *uap = (struct a *)clwp->lwp_ap;
2355 
2356 	gid = (uint32_t)uap->gid;
2357 
2358 	au_uwrite(au_to_arg32(1, "gid", gid));
2359 }	/* AUS_SETEGID */
2360 
2361 
2362 
2363 
2364 /*ARGSUSED*/
2365 static void
2366 aus_setgroups(struct t_audit_data *tad)
2367 {
2368 	klwp_t *clwp = ttolwp(curthread);
2369 	int i;
2370 	int gidsetsize;
2371 	uintptr_t gidset;
2372 	gid_t *gidlist;
2373 
2374 	struct a {
2375 		long	gidsetsize;
2376 		long	gidset;
2377 	} *uap = (struct a *)clwp->lwp_ap;
2378 
2379 	gidsetsize = (uint_t)uap->gidsetsize;
2380 	gidset = (uintptr_t)uap->gidset;
2381 
2382 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2383 		return;
2384 	if (gidsetsize != 0) {
2385 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2386 		    KM_SLEEP);
2387 		if (copyin((caddr_t)gidset, gidlist,
2388 		    gidsetsize * sizeof (gid_t)) == 0)
2389 			for (i = 0; i < gidsetsize; i++)
2390 				au_uwrite(au_to_arg32(1, "setgroups",
2391 				    (uint32_t)gidlist[i]));
2392 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2393 	} else
2394 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2395 
2396 }	/* AUS_SETGROUPS */
2397 
2398 
2399 
2400 
2401 
2402 /*ARGSUSED*/
2403 static void
2404 aus_seteuid(struct t_audit_data *tad)
2405 {
2406 	klwp_t *clwp = ttolwp(curthread);
2407 	uint32_t uid;
2408 
2409 	struct a {
2410 		long	uid;
2411 	} *uap = (struct a *)clwp->lwp_ap;
2412 
2413 	uid = (uint32_t)uap->uid;
2414 
2415 	au_uwrite(au_to_arg32(1, "euid", uid));
2416 
2417 }	/* AUS_SETEUID */
2418 
2419 /*ARGSUSED*/
2420 static void
2421 aus_putmsg(struct t_audit_data *tad)
2422 {
2423 	klwp_t *clwp = ttolwp(curthread);
2424 	uint32_t fd, pri;
2425 	struct file *fp;
2426 	struct f_audit_data *fad;
2427 
2428 	struct a {
2429 		long	fdes;
2430 		long	ctl;		/* struct strbuf * */
2431 		long	data;		/* struct strbuf * */
2432 		long	pri;
2433 	} *uap = (struct a *)clwp->lwp_ap;
2434 
2435 	fd  = (uint32_t)uap->fdes;
2436 	pri = (uint32_t)uap->pri;
2437 
2438 	au_uwrite(au_to_arg32(1, "fd", fd));
2439 
2440 	if ((fp = getf(fd)) != NULL) {
2441 		fad = F2A(fp);
2442 
2443 		fad->fad_flags |= FAD_WRITE;
2444 
2445 		/* add path name to audit record */
2446 		if (fad->fad_aupath != NULL) {
2447 			au_uwrite(au_to_path(fad->fad_aupath));
2448 		}
2449 		audit_attributes(fp->f_vnode);
2450 
2451 		releasef(fd);
2452 	}
2453 
2454 	au_uwrite(au_to_arg32(4, "pri", pri));
2455 }
2456 
2457 /*ARGSUSED*/
2458 static void
2459 aus_putpmsg(struct t_audit_data *tad)
2460 {
2461 	klwp_t *clwp = ttolwp(curthread);
2462 	uint32_t fd, pri, flags;
2463 	struct file *fp;
2464 	struct f_audit_data *fad;
2465 
2466 	struct a {
2467 		long	fdes;
2468 		long	ctl;		/* struct strbuf * */
2469 		long	data;		/* struct strbuf * */
2470 		long	pri;
2471 		long	flags;
2472 	} *uap = (struct a *)clwp->lwp_ap;
2473 
2474 	fd = (uint32_t)uap->fdes;
2475 	pri  = (uint32_t)uap->pri;
2476 	flags  = (uint32_t)uap->flags;
2477 
2478 	au_uwrite(au_to_arg32(1, "fd", fd));
2479 
2480 	if ((fp = getf(fd)) != NULL) {
2481 		fad = F2A(fp);
2482 
2483 		fad->fad_flags |= FAD_WRITE;
2484 
2485 		/* add path name to audit record */
2486 		if (fad->fad_aupath != NULL) {
2487 			au_uwrite(au_to_path(fad->fad_aupath));
2488 		}
2489 		audit_attributes(fp->f_vnode);
2490 
2491 		releasef(fd);
2492 	}
2493 
2494 
2495 	au_uwrite(au_to_arg32(4, "pri", pri));
2496 	au_uwrite(au_to_arg32(5, "flags", flags));
2497 }
2498 
2499 /*ARGSUSED*/
2500 static void
2501 aus_getmsg(struct t_audit_data *tad)
2502 {
2503 	klwp_t *clwp = ttolwp(curthread);
2504 	uint32_t fd, pri;
2505 	struct file *fp;
2506 	struct f_audit_data *fad;
2507 
2508 	struct a {
2509 		long	fdes;
2510 		long	ctl;		/* struct strbuf * */
2511 		long	data;		/* struct strbuf * */
2512 		long	pri;
2513 	} *uap = (struct a *)clwp->lwp_ap;
2514 
2515 	fd  = (uint32_t)uap->fdes;
2516 	pri = (uint32_t)uap->pri;
2517 
2518 	au_uwrite(au_to_arg32(1, "fd", fd));
2519 
2520 	if ((fp = getf(fd)) != NULL) {
2521 		fad = F2A(fp);
2522 
2523 		/*
2524 		 * read operation on this object
2525 		 */
2526 		fad->fad_flags |= FAD_READ;
2527 
2528 		/* add path name to audit record */
2529 		if (fad->fad_aupath != NULL) {
2530 			au_uwrite(au_to_path(fad->fad_aupath));
2531 		}
2532 		audit_attributes(fp->f_vnode);
2533 
2534 		releasef(fd);
2535 	}
2536 
2537 	au_uwrite(au_to_arg32(4, "pri", pri));
2538 }
2539 
2540 /*ARGSUSED*/
2541 static void
2542 aus_getpmsg(struct t_audit_data *tad)
2543 {
2544 	klwp_t *clwp = ttolwp(curthread);
2545 	uint32_t fd;
2546 	struct file *fp;
2547 	struct f_audit_data *fad;
2548 
2549 	struct a {
2550 		long	fdes;
2551 		long	ctl;		/* struct strbuf * */
2552 		long	data;		/* struct strbuf * */
2553 		long	pri;
2554 		long	flags;
2555 	} *uap = (struct a *)clwp->lwp_ap;
2556 
2557 	fd = (uint32_t)uap->fdes;
2558 
2559 	au_uwrite(au_to_arg32(1, "fd", fd));
2560 
2561 	if ((fp = getf(fd)) != NULL) {
2562 		fad = F2A(fp);
2563 
2564 		/*
2565 		 * read operation on this object
2566 		 */
2567 		fad->fad_flags |= FAD_READ;
2568 
2569 		/* add path name to audit record */
2570 		if (fad->fad_aupath != NULL) {
2571 			au_uwrite(au_to_path(fad->fad_aupath));
2572 		}
2573 		audit_attributes(fp->f_vnode);
2574 
2575 		releasef(fd);
2576 	}
2577 }
2578 
2579 static au_event_t
2580 aui_auditsys(au_event_t e)
2581 {
2582 	klwp_t *clwp = ttolwp(curthread);
2583 	uint32_t code;
2584 
2585 	struct a {
2586 		long	code;
2587 		long	a1;
2588 		long	a2;
2589 		long	a3;
2590 		long	a4;
2591 		long	a5;
2592 		long	a6;
2593 		long	a7;
2594 	} *uap = (struct a *)clwp->lwp_ap;
2595 
2596 	code = (uint32_t)uap->code;
2597 
2598 	switch (code) {
2599 
2600 	case BSM_GETAUID:
2601 		e = AUE_GETAUID;
2602 		break;
2603 	case BSM_SETAUID:
2604 		e = AUE_SETAUID;
2605 		break;
2606 	case BSM_GETAUDIT:
2607 		e = AUE_GETAUDIT;
2608 		break;
2609 	case BSM_GETAUDIT_ADDR:
2610 		e = AUE_GETAUDIT_ADDR;
2611 		break;
2612 	case BSM_SETAUDIT:
2613 		e = AUE_SETAUDIT;
2614 		break;
2615 	case BSM_SETAUDIT_ADDR:
2616 		e = AUE_SETAUDIT_ADDR;
2617 		break;
2618 	case BSM_AUDIT:
2619 		e = AUE_AUDIT;
2620 		break;
2621 	case BSM_GETPORTAUDIT:
2622 		e = AUE_GETPORTAUDIT;
2623 		break;
2624 	case BSM_AUDITON:
2625 	case BSM_AUDITCTL:
2626 
2627 		switch ((uint_t)uap->a1) {
2628 
2629 		case A_GETPOLICY:
2630 			e = AUE_AUDITON_GPOLICY;
2631 			break;
2632 		case A_SETPOLICY:
2633 			e = AUE_AUDITON_SPOLICY;
2634 			break;
2635 		case A_GETKMASK:
2636 			e = AUE_AUDITON_GETKMASK;
2637 			break;
2638 		case A_SETKMASK:
2639 			e = AUE_AUDITON_SETKMASK;
2640 			break;
2641 		case A_GETQCTRL:
2642 			e = AUE_AUDITON_GQCTRL;
2643 			break;
2644 		case A_SETQCTRL:
2645 			e = AUE_AUDITON_SQCTRL;
2646 			break;
2647 		case A_GETCWD:
2648 			e = AUE_AUDITON_GETCWD;
2649 			break;
2650 		case A_GETCAR:
2651 			e = AUE_AUDITON_GETCAR;
2652 			break;
2653 		case A_GETSTAT:
2654 			e = AUE_AUDITON_GETSTAT;
2655 			break;
2656 		case A_SETSTAT:
2657 			e = AUE_AUDITON_SETSTAT;
2658 			break;
2659 		case A_SETUMASK:
2660 			e = AUE_AUDITON_SETUMASK;
2661 			break;
2662 		case A_SETSMASK:
2663 			e = AUE_AUDITON_SETSMASK;
2664 			break;
2665 		case A_GETCOND:
2666 			e = AUE_AUDITON_GETCOND;
2667 			break;
2668 		case A_SETCOND:
2669 			e = AUE_AUDITON_SETCOND;
2670 			break;
2671 		case A_GETCLASS:
2672 			e = AUE_AUDITON_GETCLASS;
2673 			break;
2674 		case A_SETCLASS:
2675 			e = AUE_AUDITON_SETCLASS;
2676 			break;
2677 		default:
2678 			e = AUE_NULL;
2679 			break;
2680 		}
2681 		break;
2682 	default:
2683 		e = AUE_NULL;
2684 		break;
2685 	}
2686 
2687 	return (e);
2688 
2689 
2690 
2691 
2692 }	/* AUI_AUDITSYS */
2693 
2694 
2695 
2696 
2697 
2698 
2699 
2700 static void
2701 aus_auditsys(struct t_audit_data *tad)
2702 {
2703 	klwp_t *clwp = ttolwp(curthread);
2704 	uintptr_t a1, a2;
2705 	STRUCT_DECL(auditinfo, ainfo);
2706 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2707 	au_evclass_map_t event;
2708 	au_mask_t mask;
2709 	int auditstate, policy;
2710 	au_id_t auid;
2711 
2712 
2713 	struct a {
2714 		long	code;
2715 		long	a1;
2716 		long	a2;
2717 		long	a3;
2718 		long	a4;
2719 		long	a5;
2720 		long	a6;
2721 		long	a7;
2722 	} *uap = (struct a *)clwp->lwp_ap;
2723 
2724 	a1   = (uintptr_t)uap->a1;
2725 	a2   = (uintptr_t)uap->a2;
2726 
2727 	switch (tad->tad_event) {
2728 	case AUE_SETAUID:
2729 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2730 				return;
2731 		au_uwrite(au_to_arg32(2, "setauid", auid));
2732 		break;
2733 	case AUE_SETAUDIT:
2734 		STRUCT_INIT(ainfo, get_udatamodel());
2735 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2736 		    STRUCT_SIZE(ainfo))) {
2737 				return;
2738 		}
2739 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2740 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2741 #ifdef _LP64
2742 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2743 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2744 #else
2745 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2746 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2747 #endif
2748 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2749 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2750 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2751 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2752 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2753 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2754 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2755 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2756 		break;
2757 	case AUE_SETAUDIT_ADDR:
2758 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2759 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2760 		    STRUCT_SIZE(ainfo_addr))) {
2761 				return;
2762 		}
2763 		au_uwrite(au_to_arg32((char)1, "auid",
2764 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2765 #ifdef _LP64
2766 		au_uwrite(au_to_arg64((char)1, "port",
2767 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2768 #else
2769 		au_uwrite(au_to_arg32((char)1, "port",
2770 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2771 #endif
2772 		au_uwrite(au_to_arg32((char)1, "type",
2773 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2774 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2775 		    AU_IPv4) {
2776 			au_uwrite(au_to_in_addr(
2777 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2778 			    ai_termid.at_addr)));
2779 		} else {
2780 			au_uwrite(au_to_in_addr_ex(
2781 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2782 			    ai_termid.at_addr)));
2783 		}
2784 		au_uwrite(au_to_arg32((char)1, "as_success",
2785 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2786 		au_uwrite(au_to_arg32((char)1, "as_failure",
2787 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2788 		au_uwrite(au_to_arg32((char)1, "asid",
2789 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2790 		break;
2791 	case AUE_AUDITON_SETKMASK:
2792 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2793 				return;
2794 		au_uwrite(au_to_arg32(
2795 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2796 		au_uwrite(au_to_arg32(
2797 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2798 		break;
2799 	case AUE_AUDITON_SPOLICY:
2800 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2801 			return;
2802 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2803 		break;
2804 	case AUE_AUDITON_SQCTRL: {
2805 		STRUCT_DECL(au_qctrl, qctrl);
2806 		model_t model;
2807 
2808 		model = get_udatamodel();
2809 		STRUCT_INIT(qctrl, model);
2810 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2811 				return;
2812 		if (model == DATAMODEL_ILP32) {
2813 			au_uwrite(au_to_arg32(
2814 			    3, "setqctrl:aq_hiwater",
2815 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2816 			au_uwrite(au_to_arg32(
2817 			    3, "setqctrl:aq_lowater",
2818 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2819 			au_uwrite(au_to_arg32(
2820 			    3, "setqctrl:aq_bufsz",
2821 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2822 			au_uwrite(au_to_arg32(
2823 			    3, "setqctrl:aq_delay",
2824 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2825 		} else {
2826 			au_uwrite(au_to_arg64(
2827 			    3, "setqctrl:aq_hiwater",
2828 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2829 			au_uwrite(au_to_arg64(
2830 			    3, "setqctrl:aq_lowater",
2831 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2832 			au_uwrite(au_to_arg64(
2833 			    3, "setqctrl:aq_bufsz",
2834 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2835 			au_uwrite(au_to_arg64(
2836 			    3, "setqctrl:aq_delay",
2837 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2838 		}
2839 		break;
2840 	}
2841 	case AUE_AUDITON_SETUMASK:
2842 		STRUCT_INIT(ainfo, get_udatamodel());
2843 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2844 		    STRUCT_SIZE(ainfo))) {
2845 			return;
2846 		}
2847 		au_uwrite(au_to_arg32(3, "setumask:as_success",
2848 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2849 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
2850 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2851 		break;
2852 	case AUE_AUDITON_SETSMASK:
2853 		STRUCT_INIT(ainfo, get_udatamodel());
2854 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2855 		    STRUCT_SIZE(ainfo))) {
2856 			return;
2857 		}
2858 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
2859 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2860 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
2861 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2862 		break;
2863 	case AUE_AUDITON_SETCOND:
2864 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
2865 			return;
2866 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
2867 		break;
2868 	case AUE_AUDITON_SETCLASS:
2869 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
2870 			return;
2871 		au_uwrite(au_to_arg32(
2872 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
2873 		au_uwrite(au_to_arg32(
2874 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
2875 		break;
2876 	case AUE_GETAUID:
2877 	case AUE_GETAUDIT:
2878 	case AUE_GETAUDIT_ADDR:
2879 	case AUE_AUDIT:
2880 	case AUE_GETPORTAUDIT:
2881 	case AUE_AUDITON_GPOLICY:
2882 	case AUE_AUDITON_GQCTRL:
2883 	case AUE_AUDITON_GETKMASK:
2884 	case AUE_AUDITON_GETCWD:
2885 	case AUE_AUDITON_GETCAR:
2886 	case AUE_AUDITON_GETSTAT:
2887 	case AUE_AUDITON_SETSTAT:
2888 	case AUE_AUDITON_GETCOND:
2889 	case AUE_AUDITON_GETCLASS:
2890 		break;
2891 	default:
2892 		break;
2893 	}
2894 
2895 }	/* AUS_AUDITSYS */
2896 
2897 
2898 /* only audit privileged operations for systeminfo(2) system call */
2899 static au_event_t
2900 aui_sysinfo(au_event_t e)
2901 {
2902 	klwp_t *clwp = ttolwp(curthread);
2903 	uint32_t command;
2904 
2905 	struct a {
2906 		long	command;
2907 		long	buf;		/* char * */
2908 		long	count;
2909 	} *uap = (struct a *)clwp->lwp_ap;
2910 
2911 	command = (uint32_t)uap->command;
2912 
2913 	switch (command) {
2914 	case SI_SET_HOSTNAME:
2915 	case SI_SET_SRPC_DOMAIN:
2916 		e = (au_event_t)AUE_SYSINFO;
2917 		break;
2918 	default:
2919 		e = (au_event_t)AUE_NULL;
2920 		break;
2921 	}
2922 	return (e);
2923 }
2924 
2925 /*ARGSUSED*/
2926 static void
2927 aus_sysinfo(struct t_audit_data *tad)
2928 {
2929 	klwp_t *clwp = ttolwp(curthread);
2930 	uint32_t command;
2931 	size_t len, maxlen;
2932 	char *name;
2933 	uintptr_t buf;
2934 
2935 	struct a {
2936 		long	command;
2937 		long	buf;		/* char * */
2938 		long	count;
2939 	} *uap = (struct a *)clwp->lwp_ap;
2940 
2941 	command = (uint32_t)uap->command;
2942 	buf = (uintptr_t)uap->buf;
2943 
2944 	au_uwrite(au_to_arg32(1, "cmd", command));
2945 
2946 	switch (command) {
2947 	case SI_SET_HOSTNAME:
2948 	{
2949 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
2950 			return;
2951 
2952 		maxlen = SYS_NMLN;
2953 		name = kmem_alloc(maxlen, KM_SLEEP);
2954 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
2955 			break;
2956 
2957 		/*
2958 		 * Must be non-NULL string and string
2959 		 * must be less than SYS_NMLN chars.
2960 		 */
2961 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
2962 			break;
2963 
2964 		au_uwrite(au_to_text(name));
2965 		break;
2966 	}
2967 
2968 	case SI_SET_SRPC_DOMAIN:
2969 	{
2970 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
2971 			return;
2972 
2973 		maxlen = SYS_NMLN;
2974 		name = kmem_alloc(maxlen, KM_SLEEP);
2975 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
2976 			break;
2977 
2978 		/*
2979 		 * If string passed in is longer than length
2980 		 * allowed for domain name, fail.
2981 		 */
2982 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
2983 			break;
2984 
2985 		au_uwrite(au_to_text(name));
2986 		break;
2987 	}
2988 
2989 	default:
2990 		return;
2991 	}
2992 
2993 	kmem_free(name, maxlen);
2994 }
2995 
2996 static au_event_t
2997 aui_modctl(au_event_t e)
2998 {
2999 	klwp_t *clwp = ttolwp(curthread);
3000 	uint_t cmd;
3001 
3002 	struct a {
3003 		long	cmd;
3004 	} *uap = (struct a *)clwp->lwp_ap;
3005 
3006 	cmd = (uint_t)uap->cmd;
3007 
3008 	switch (cmd) {
3009 	case MODLOAD:
3010 		e = AUE_MODLOAD;
3011 		break;
3012 	case MODUNLOAD:
3013 		e = AUE_MODUNLOAD;
3014 		break;
3015 	case MODADDMAJBIND:
3016 		e = AUE_MODADDMAJ;
3017 		break;
3018 	case MODSETDEVPOLICY:
3019 		e = AUE_MODDEVPLCY;
3020 		break;
3021 	case MODALLOCPRIV:
3022 		e = AUE_MODADDPRIV;
3023 		break;
3024 	default:
3025 		e = AUE_NULL;
3026 		break;
3027 	}
3028 	return (e);
3029 }
3030 
3031 
3032 /*ARGSUSED*/
3033 static void
3034 aus_modctl(struct t_audit_data *tad)
3035 {
3036 	klwp_t *clwp = ttolwp(curthread);
3037 	void *a	= clwp->lwp_ap;
3038 	uint_t use_path;
3039 
3040 	switch (tad->tad_event) {
3041 	case AUE_MODLOAD: {
3042 		typedef struct {
3043 			long	cmd;
3044 			long	use_path;
3045 			long	filename;		/* char * */
3046 		} modloada_t;
3047 
3048 		char *filenamep;
3049 		uintptr_t fname;
3050 		extern char *default_path;
3051 
3052 		fname = (uintptr_t)((modloada_t *)a)->filename;
3053 		use_path = (uint_t)((modloada_t *)a)->use_path;
3054 
3055 			/* space to hold path */
3056 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3057 			/* get string */
3058 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3059 				/* free allocated path */
3060 			kmem_free(filenamep, MOD_MAXPATH);
3061 			return;
3062 		}
3063 			/* ensure it's null terminated */
3064 		filenamep[MOD_MAXPATH - 1] = 0;
3065 
3066 		if (use_path)
3067 			au_uwrite(au_to_text(default_path));
3068 		au_uwrite(au_to_text(filenamep));
3069 
3070 			/* release temporary memory */
3071 		kmem_free(filenamep, MOD_MAXPATH);
3072 		break;
3073 	}
3074 	case AUE_MODUNLOAD: {
3075 		typedef struct {
3076 			long	cmd;
3077 			long	id;
3078 		} modunloada_t;
3079 
3080 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3081 
3082 		au_uwrite(au_to_arg32(1, "id", id));
3083 		break;
3084 	}
3085 	case AUE_MODADDMAJ: {
3086 		STRUCT_DECL(modconfig, mc);
3087 		typedef struct {
3088 			long	cmd;
3089 			long	subcmd;
3090 			long	data;		/* int * */
3091 		} modconfiga_t;
3092 
3093 		STRUCT_DECL(aliases, alias);
3094 		caddr_t ap;
3095 		int i, num_aliases;
3096 		char *drvname, *mc_drvname;
3097 		char *name;
3098 		extern char *ddi_major_to_name(major_t);
3099 		model_t model;
3100 
3101 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3102 
3103 		model = get_udatamodel();
3104 		STRUCT_INIT(mc, model);
3105 			/* sanitize buffer */
3106 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3107 			/* get user arguments */
3108 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3109 		    STRUCT_SIZE(mc)) != 0)
3110 			return;
3111 
3112 		mc_drvname = STRUCT_FGET(mc, drvname);
3113 		if ((drvname = ddi_major_to_name(
3114 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3115 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3116 				/* safety */
3117 			if (mc_drvname[0] != '\0') {
3118 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3119 				au_uwrite(au_to_text(mc_drvname));
3120 			}
3121 				/* drvname != NULL from test above */
3122 			au_uwrite(au_to_text(drvname));
3123 			return;
3124 		}
3125 
3126 		if (mc_drvname[0] != '\0') {
3127 				/* safety */
3128 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3129 			au_uwrite(au_to_text(mc_drvname));
3130 		} else
3131 			au_uwrite(au_to_text("no drvname"));
3132 
3133 		num_aliases = STRUCT_FGET(mc, num_aliases);
3134 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3135 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3136 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3137 		STRUCT_INIT(alias, model);
3138 		for (i = 0; i < num_aliases; i++) {
3139 			bzero((caddr_t)STRUCT_BUF(alias),
3140 			    STRUCT_SIZE(alias));
3141 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3142 			    STRUCT_SIZE(alias)) != 0)
3143 				break;
3144 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3145 			    MAXMODCONFNAME, NULL) != 0) {
3146 				break;
3147 			}
3148 
3149 			au_uwrite(au_to_text(name));
3150 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3151 		}
3152 		kmem_free(name, MAXMODCONFNAME);
3153 		break;
3154 	}
3155 	default:
3156 		break;
3157 	}
3158 }
3159 
3160 
3161 /*ARGSUSED*/
3162 static void
3163 auf_accept(
3164 	struct t_audit_data *tad,
3165 	int	error,
3166 	rval_t	*rval)
3167 {
3168 	uint32_t scid;
3169 	uint32_t sy_flags;
3170 	int fd;
3171 	struct sonode *so;
3172 	char so_laddr[sizeof (struct sockaddr_in6)];
3173 	char so_faddr[sizeof (struct sockaddr_in6)];
3174 	int err;
3175 	int len;
3176 	short so_family, so_type;
3177 	int add_sock_token = 0;
3178 
3179 	/* need to determine type of executing binary */
3180 	scid = tad->tad_scid;
3181 #ifdef _SYSCALL32_IMPL
3182 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3183 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3184 	else
3185 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3186 #else
3187 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3188 #endif
3189 	if (sy_flags == SE_32RVAL1)
3190 		fd = rval->r_val1;
3191 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3192 		fd = rval->r_val1;
3193 	if (sy_flags == SE_64RVAL)
3194 		fd = (int)rval->r_vals;
3195 
3196 	if (error) {
3197 		/* can't trust socket contents. Just return */
3198 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3199 		return;
3200 	}
3201 
3202 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3203 		/*
3204 		 * not security relevant if doing a accept from non socket
3205 		 * so no extra tokens. Should probably turn off audit record
3206 		 * generation here.
3207 		 */
3208 		return;
3209 	}
3210 
3211 	so_family = so->so_family;
3212 	so_type   = so->so_type;
3213 
3214 	switch (so_family) {
3215 	case AF_INET:
3216 	case AF_INET6:
3217 		/*
3218 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3219 		 */
3220 		if (so->so_type == SOCK_STREAM) {
3221 
3222 			bzero((void *)so_laddr, sizeof (so_laddr));
3223 			bzero((void *)so_faddr, sizeof (so_faddr));
3224 
3225 			/*
3226 			 * no local address then need to get it from lower
3227 			 * levels. only put out record on first read ala
3228 			 * AUE_WRITE.
3229 			 */
3230 			if (so->so_state & SS_ISBOUND) {
3231 				/* only done once on a connection */
3232 				(void) SOP_GETSOCKNAME(so);
3233 				(void) SOP_GETPEERNAME(so);
3234 
3235 				/* get local and foreign addresses */
3236 				mutex_enter(&so->so_lock);
3237 				len = min(so->so_laddr_len, sizeof (so_laddr));
3238 				bcopy(so->so_laddr_sa, so_laddr, len);
3239 				len = min(so->so_faddr_len, sizeof (so_faddr));
3240 				bcopy(so->so_faddr_sa, so_faddr, len);
3241 				mutex_exit(&so->so_lock);
3242 			}
3243 
3244 			add_sock_token = 1;
3245 		}
3246 		break;
3247 
3248 	default:
3249 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3250 		break;
3251 	}
3252 
3253 	releasef(fd);
3254 
3255 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3256 
3257 	if (add_sock_token == 0) {
3258 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3259 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3260 		return;
3261 	}
3262 
3263 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3264 
3265 }
3266 
3267 /*ARGSUSED*/
3268 static void
3269 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3270 {
3271 	struct a {
3272 		long	fd;
3273 		long	addr;
3274 		long	len;
3275 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3276 
3277 	struct sonode *so;
3278 	char so_laddr[sizeof (struct sockaddr_in6)];
3279 	char so_faddr[sizeof (struct sockaddr_in6)];
3280 	int err, fd;
3281 	int len;
3282 	short so_family, so_type;
3283 	int add_sock_token = 0;
3284 
3285 	fd = (int)uap->fd;
3286 
3287 	/*
3288 	 * bind failed, then nothing extra to add to audit record.
3289 	 */
3290 	if (error) {
3291 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3292 		/* XXX may want to add failed address some day */
3293 		return;
3294 	}
3295 
3296 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3297 		/*
3298 		 * not security relevant if doing a bind from non socket
3299 		 * so no extra tokens. Should probably turn off audit record
3300 		 * generation here.
3301 		 */
3302 		return;
3303 	}
3304 
3305 	so_family = so->so_family;
3306 	so_type   = so->so_type;
3307 
3308 	switch (so_family) {
3309 	case AF_INET:
3310 	case AF_INET6:
3311 
3312 		bzero(so_faddr, sizeof (so_faddr));
3313 
3314 		if (so->so_state & SS_ISBOUND) {
3315 			/* only done once on a connection */
3316 			(void) SOP_GETSOCKNAME(so);
3317 		}
3318 
3319 		mutex_enter(&so->so_lock);
3320 		len = min(so->so_laddr_len, sizeof (so_laddr));
3321 		bcopy(so->so_laddr_sa, so_laddr, len);
3322 		mutex_exit(&so->so_lock);
3323 
3324 		add_sock_token = 1;
3325 
3326 		break;
3327 
3328 	case AF_UNIX:
3329 		/* token added by lookup */
3330 		break;
3331 	default:
3332 		/* AF_ROUTE, AF_KEY do not support accept */
3333 		break;
3334 	}
3335 
3336 	releasef(fd);
3337 
3338 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3339 
3340 	if (add_sock_token == 0) {
3341 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3342 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3343 		return;
3344 	}
3345 
3346 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3347 
3348 }
3349 
3350 /*ARGSUSED*/
3351 static void
3352 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3353 {
3354 	struct a {
3355 		long	fd;
3356 		long	addr;
3357 		long	len;
3358 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3359 
3360 	struct sonode *so;
3361 	char so_laddr[sizeof (struct sockaddr_in6)];
3362 	char so_faddr[sizeof (struct sockaddr_in6)];
3363 	int err, fd;
3364 	int len;
3365 	short so_family, so_type;
3366 	int add_sock_token = 0;
3367 
3368 	fd = (int)uap->fd;
3369 
3370 
3371 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3372 		/*
3373 		 * not security relevant if doing a connect from non socket
3374 		 * so no extra tokens. Should probably turn off audit record
3375 		 * generation here.
3376 		 */
3377 		return;
3378 	}
3379 
3380 	so_family = so->so_family;
3381 	so_type   = so->so_type;
3382 
3383 	switch (so_family) {
3384 	case AF_INET:
3385 	case AF_INET6:
3386 		/*
3387 		 * no local address then need to get it from lower
3388 		 * levels.
3389 		 */
3390 		if (so->so_state & SS_ISBOUND) {
3391 			/* only done once on a connection */
3392 			(void) SOP_GETSOCKNAME(so);
3393 			(void) SOP_GETPEERNAME(so);
3394 		}
3395 
3396 		bzero(so_laddr, sizeof (so_laddr));
3397 		bzero(so_faddr, sizeof (so_faddr));
3398 
3399 		mutex_enter(&so->so_lock);
3400 		len = min(so->so_laddr_len, sizeof (so_laddr));
3401 		bcopy(so->so_laddr_sa, so_laddr, len);
3402 		if (error) {
3403 			mutex_exit(&so->so_lock);
3404 			if (uap->addr == NULL)
3405 				break;
3406 			if (uap->len <= 0)
3407 				break;
3408 			len = min(uap->len, sizeof (so_faddr));
3409 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3410 				break;
3411 #ifdef NOTYET
3412 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3413 #endif
3414 		} else {
3415 			/* sanity check on length */
3416 			len = min(so->so_faddr_len, sizeof (so_faddr));
3417 			bcopy(so->so_faddr_sa, so_faddr, len);
3418 			mutex_exit(&so->so_lock);
3419 		}
3420 
3421 		add_sock_token = 1;
3422 
3423 		break;
3424 
3425 	case AF_UNIX:
3426 		/* does a lookup on name */
3427 		break;
3428 
3429 	default:
3430 		/* AF_ROUTE, AF_KEY do not support accept */
3431 		break;
3432 	}
3433 
3434 	releasef(fd);
3435 
3436 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3437 
3438 	if (add_sock_token == 0) {
3439 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3440 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3441 		return;
3442 	}
3443 
3444 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3445 
3446 }
3447 
3448 /*ARGSUSED*/
3449 static void
3450 aus_shutdown(struct t_audit_data *tad)
3451 {
3452 	struct a {
3453 		long	fd;
3454 		long	how;
3455 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3456 
3457 	struct sonode *so;
3458 	char so_laddr[sizeof (struct sockaddr_in6)];
3459 	char so_faddr[sizeof (struct sockaddr_in6)];
3460 	int err, fd;
3461 	int len;
3462 	short so_family, so_type;
3463 	int add_sock_token = 0;
3464 	file_t *fp;				/* unix domain sockets */
3465 	struct f_audit_data *fad;		/* unix domain sockets */
3466 
3467 	fd = (int)uap->fd;
3468 
3469 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3470 		/*
3471 		 * not security relevant if doing a shutdown using non socket
3472 		 * so no extra tokens. Should probably turn off audit record
3473 		 * generation here.
3474 		 */
3475 		return;
3476 	}
3477 
3478 	so_family = so->so_family;
3479 	so_type   = so->so_type;
3480 
3481 	switch (so_family) {
3482 	case AF_INET:
3483 	case AF_INET6:
3484 
3485 		bzero(so_laddr, sizeof (so_laddr));
3486 		bzero(so_faddr, sizeof (so_faddr));
3487 
3488 		if (so->so_state & SS_ISBOUND) {
3489 			/*
3490 			 * no local address then need to get it from lower
3491 			 * levels.
3492 			 */
3493 			if (so->so_laddr_len == 0)
3494 				(void) SOP_GETSOCKNAME(so);
3495 			if (so->so_faddr_len == 0)
3496 				(void) SOP_GETPEERNAME(so);
3497 		}
3498 
3499 		mutex_enter(&so->so_lock);
3500 		len = min(so->so_laddr_len, sizeof (so_laddr));
3501 		bcopy(so->so_laddr_sa, so_laddr, len);
3502 		len = min(so->so_faddr_len, sizeof (so_faddr));
3503 		bcopy(so->so_faddr_sa, so_faddr, len);
3504 		mutex_exit(&so->so_lock);
3505 
3506 		add_sock_token = 1;
3507 
3508 		break;
3509 
3510 	case AF_UNIX:
3511 
3512 		/* get path from file struct here */
3513 		fad = F2A(fp);
3514 		ASSERT(fad);
3515 
3516 		if (fad->fad_aupath != NULL) {
3517 			au_uwrite(au_to_path(fad->fad_aupath));
3518 		} else {
3519 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3520 		}
3521 
3522 		audit_attributes(fp->f_vnode);
3523 
3524 		break;
3525 
3526 	default:
3527 		/*
3528 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3529 		 * added.
3530 		 */
3531 		break;
3532 	}
3533 
3534 	releasef(fd);
3535 
3536 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3537 
3538 	if (add_sock_token == 0) {
3539 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3540 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3541 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3542 		return;
3543 	}
3544 
3545 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3546 
3547 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3548 
3549 }
3550 
3551 /*ARGSUSED*/
3552 static void
3553 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3554 {
3555 	struct a {
3556 		long	fd;
3557 		long	level;
3558 		long	optname;
3559 		long	*optval;
3560 		long	optlen;
3561 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3562 
3563 	struct sonode	*so;
3564 	char so_laddr[sizeof (struct sockaddr_in6)];
3565 	char so_faddr[sizeof (struct sockaddr_in6)];
3566 	char		val[AU_BUFSIZE];
3567 	int		err, fd;
3568 	int		len;
3569 	short so_family, so_type;
3570 	int		add_sock_token = 0;
3571 	file_t *fp;				/* unix domain sockets */
3572 	struct f_audit_data *fad;		/* unix domain sockets */
3573 
3574 	fd = (int)uap->fd;
3575 
3576 	if (error) {
3577 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3578 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3579 		/* XXX may want to include other arguments */
3580 		return;
3581 	}
3582 
3583 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3584 		/*
3585 		 * not security relevant if doing a setsockopt from non socket
3586 		 * so no extra tokens. Should probably turn off audit record
3587 		 * generation here.
3588 		 */
3589 		return;
3590 	}
3591 
3592 	so_family = so->so_family;
3593 	so_type   = so->so_type;
3594 
3595 	switch (so_family) {
3596 	case AF_INET:
3597 	case AF_INET6:
3598 
3599 		bzero((void *)so_laddr, sizeof (so_laddr));
3600 		bzero((void *)so_faddr, sizeof (so_faddr));
3601 
3602 		if (so->so_state & SS_ISBOUND) {
3603 			if (so->so_laddr_len == 0)
3604 				(void) SOP_GETSOCKNAME(so);
3605 			if (so->so_faddr_len == 0)
3606 				(void) SOP_GETPEERNAME(so);
3607 		}
3608 
3609 		/* get local and foreign addresses */
3610 		mutex_enter(&so->so_lock);
3611 		len = min(so->so_laddr_len, sizeof (so_laddr));
3612 		bcopy(so->so_laddr_sa, so_laddr, len);
3613 		len = min(so->so_faddr_len, sizeof (so_faddr));
3614 		bcopy(so->so_faddr_sa, so_faddr, len);
3615 		mutex_exit(&so->so_lock);
3616 
3617 		add_sock_token = 1;
3618 
3619 		break;
3620 
3621 	case AF_UNIX:
3622 
3623 		/* get path from file struct here */
3624 		fad = F2A(fp);
3625 		ASSERT(fad);
3626 
3627 		if (fad->fad_aupath != NULL) {
3628 			au_uwrite(au_to_path(fad->fad_aupath));
3629 		} else {
3630 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3631 		}
3632 
3633 		audit_attributes(fp->f_vnode);
3634 
3635 		break;
3636 
3637 	default:
3638 		/*
3639 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3640 		 * added.
3641 		 */
3642 		break;
3643 	}
3644 
3645 	releasef(fd);
3646 
3647 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3648 
3649 	if (add_sock_token == 0) {
3650 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3651 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3652 	}
3653 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3654 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3655 
3656 	bzero(val, sizeof (val));
3657 	len = min(uap->optlen, sizeof (val));
3658 	if ((len > 0) &&
3659 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3660 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3661 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3662 	}
3663 
3664 	if (add_sock_token == 0)
3665 		return;
3666 
3667 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3668 
3669 }
3670 
3671 /*ARGSUSED*/
3672 static void
3673 aus_sockconfig(tad)
3674 	struct t_audit_data *tad;
3675 {
3676 	struct a {
3677 		long	domain;
3678 		long	type;
3679 		long	protocol;
3680 		long	devpath;
3681 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3682 
3683 	char	*kdevpath;
3684 	int	kdevpathlen = MAXPATHLEN + 1;
3685 	size_t	size;
3686 
3687 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3688 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3689 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3690 
3691 	if (uap->devpath == 0) {
3692 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3693 	} else {
3694 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3695 
3696 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3697 			&size)) {
3698 			kmem_free(kdevpath, kdevpathlen);
3699 			return;
3700 		}
3701 
3702 		if (size > MAXPATHLEN) {
3703 			kmem_free(kdevpath, kdevpathlen);
3704 			return;
3705 		}
3706 
3707 		au_uwrite(au_to_text(kdevpath));
3708 		kmem_free(kdevpath, kdevpathlen);
3709 	}
3710 }
3711 
3712 /*
3713  * only audit recvmsg when the system call represents the creation of a new
3714  * circuit. This effectively occurs for all UDP packets and may occur for
3715  * special TCP situations where the local host has not set a local address
3716  * in the socket structure.
3717  */
3718 /*ARGSUSED*/
3719 static void
3720 auf_recvmsg(
3721 	struct t_audit_data *tad,
3722 	int error,
3723 	rval_t *rvp)
3724 {
3725 	struct a {
3726 		long	fd;
3727 		long	msg;	/* struct msghdr */
3728 		long	flags;
3729 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3730 
3731 	struct sonode	*so;
3732 	STRUCT_DECL(msghdr, msg);
3733 	caddr_t msg_name;
3734 	socklen_t msg_namelen;
3735 	int fd;
3736 	int err;
3737 	char so_laddr[sizeof (struct sockaddr_in6)];
3738 	char so_faddr[sizeof (struct sockaddr_in6)];
3739 	int len;
3740 	file_t *fp;				/* unix domain sockets */
3741 	struct f_audit_data *fad;		/* unix domain sockets */
3742 	short so_family, so_type;
3743 	int add_sock_token = 0;
3744 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3745 
3746 	fd = (int)uap->fd;
3747 
3748 	/* bail if an error */
3749 	if (error) {
3750 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3751 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3752 		return;
3753 	}
3754 
3755 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3756 		/*
3757 		 * not security relevant if doing a recvmsg from non socket
3758 		 * so no extra tokens. Should probably turn off audit record
3759 		 * generation here.
3760 		 */
3761 		return;
3762 	}
3763 
3764 	so_family = so->so_family;
3765 	so_type   = so->so_type;
3766 
3767 	/*
3768 	 * only putout SOCKET_EX token if INET/INET6 family.
3769 	 * XXX - what do we do about other families?
3770 	 */
3771 
3772 	switch (so_family) {
3773 	case AF_INET:
3774 	case AF_INET6:
3775 
3776 		/*
3777 		 * if datagram type socket, then just use what is in
3778 		 * socket structure for local address.
3779 		 * XXX - what do we do for other types?
3780 		 */
3781 		if ((so->so_type == SOCK_DGRAM) ||
3782 		    (so->so_type == SOCK_RAW)) {
3783 			add_sock_token = 1;
3784 
3785 			bzero((void *)so_laddr, sizeof (so_laddr));
3786 			bzero((void *)so_faddr, sizeof (so_faddr));
3787 
3788 			/* get local address */
3789 			mutex_enter(&so->so_lock);
3790 			len = min(so->so_laddr_len, sizeof (so_laddr));
3791 			bcopy(so->so_laddr_sa, so_laddr, len);
3792 			mutex_exit(&so->so_lock);
3793 
3794 			/* get peer address */
3795 			STRUCT_INIT(msg, get_udatamodel());
3796 
3797 			if (copyin((caddr_t)(uap->msg),
3798 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3799 				break;
3800 			}
3801 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3802 			if (msg_name == NULL) {
3803 				break;
3804 			}
3805 
3806 			/* length is value from recvmsg - sanity check */
3807 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3808 			if (msg_namelen == 0) {
3809 				break;
3810 			}
3811 			if (copyin(msg_name, so_faddr,
3812 			    sizeof (so_faddr)) != 0) {
3813 				break;
3814 			}
3815 
3816 		} else if (so->so_type == SOCK_STREAM) {
3817 
3818 			/* get path from file struct here */
3819 			fad = F2A(fp);
3820 			ASSERT(fad);
3821 
3822 			/*
3823 			 * already processed this file for read attempt
3824 			 */
3825 			if (fad->fad_flags & FAD_READ) {
3826 				/* don't want to audit every recvmsg attempt */
3827 				tad->tad_flag = 0;
3828 				/* free any residual audit data */
3829 				au_close(kctx, &(u_ad), 0, 0, 0);
3830 				releasef(fd);
3831 				return;
3832 			}
3833 			/*
3834 			 * mark things so we know what happened and don't
3835 			 * repeat things
3836 			 */
3837 			fad->fad_flags |= FAD_READ;
3838 
3839 			bzero((void *)so_laddr, sizeof (so_laddr));
3840 			bzero((void *)so_faddr, sizeof (so_faddr));
3841 
3842 			if (so->so_state & SS_ISBOUND) {
3843 
3844 				if (so->so_laddr_len == 0)
3845 					(void) SOP_GETSOCKNAME(so);
3846 				if (so->so_faddr_len == 0)
3847 					(void) SOP_GETPEERNAME(so);
3848 
3849 				/* get local and foreign addresses */
3850 				mutex_enter(&so->so_lock);
3851 				len = min(so->so_laddr_len, sizeof (so_laddr));
3852 				bcopy(so->so_laddr_sa, so_laddr, len);
3853 				len = min(so->so_faddr_len, sizeof (so_faddr));
3854 				bcopy(so->so_faddr_sa, so_faddr, len);
3855 				mutex_exit(&so->so_lock);
3856 			}
3857 
3858 			add_sock_token = 1;
3859 		}
3860 
3861 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
3862 
3863 		break;
3864 
3865 	case AF_UNIX:
3866 		/*
3867 		 * first check if this is first time through. Too much
3868 		 * duplicate code to put this in an aui_ routine.
3869 		 */
3870 
3871 		/* get path from file struct here */
3872 		fad = F2A(fp);
3873 		ASSERT(fad);
3874 
3875 		/*
3876 		 * already processed this file for read attempt
3877 		 */
3878 		if (fad->fad_flags & FAD_READ) {
3879 			releasef(fd);
3880 			/* don't want to audit every recvmsg attempt */
3881 			tad->tad_flag = 0;
3882 			/* free any residual audit data */
3883 			au_close(kctx, &(u_ad), 0, 0, 0);
3884 			return;
3885 		}
3886 		/*
3887 		 * mark things so we know what happened and don't
3888 		 * repeat things
3889 		 */
3890 		fad->fad_flags |= FAD_READ;
3891 
3892 		if (fad->fad_aupath != NULL) {
3893 			au_uwrite(au_to_path(fad->fad_aupath));
3894 		} else {
3895 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3896 		}
3897 
3898 		audit_attributes(fp->f_vnode);
3899 
3900 		releasef(fd);
3901 
3902 		return;
3903 
3904 	default:
3905 		break;
3906 
3907 	}
3908 
3909 	releasef(fd);
3910 
3911 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3912 
3913 	if (add_sock_token == 0) {
3914 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
3915 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
3916 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3917 		return;
3918 	}
3919 
3920 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3921 
3922 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3923 
3924 }
3925 
3926 /*ARGSUSED*/
3927 static void
3928 auf_recvfrom(
3929 	struct t_audit_data *tad,
3930 	int error,
3931 	rval_t *rvp)
3932 {
3933 
3934 	struct a {
3935 		long	fd;
3936 		long	msg;	/* char */
3937 		long	len;
3938 		long	flags;
3939 		long	from;	/* struct sockaddr */
3940 		long	fromlen;
3941 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3942 
3943 	socklen_t	fromlen;
3944 	struct sonode	*so;
3945 	char so_laddr[sizeof (struct sockaddr_in6)];
3946 	char so_faddr[sizeof (struct sockaddr_in6)];
3947 	int		fd;
3948 	short so_family, so_type;
3949 	int add_sock_token = 0;
3950 	int len;
3951 	int err;
3952 	struct file *fp;
3953 	struct f_audit_data *fad;		/* unix domain sockets */
3954 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3955 
3956 	fd = (int)uap->fd;
3957 
3958 	/* bail if an error */
3959 	if (error) {
3960 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3961 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3962 		return;
3963 	}
3964 
3965 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3966 		/*
3967 		 * not security relevant if doing a recvmsg from non socket
3968 		 * so no extra tokens. Should probably turn off audit record
3969 		 * generation here.
3970 		 */
3971 		return;
3972 	}
3973 
3974 	so_family = so->so_family;
3975 	so_type   = so->so_type;
3976 
3977 	/*
3978 	 * only putout SOCKET_EX token if INET/INET6 family.
3979 	 * XXX - what do we do about other families?
3980 	 */
3981 
3982 	switch (so_family) {
3983 	case AF_INET:
3984 	case AF_INET6:
3985 
3986 		/*
3987 		 * if datagram type socket, then just use what is in
3988 		 * socket structure for local address.
3989 		 * XXX - what do we do for other types?
3990 		 */
3991 		if ((so->so_type == SOCK_DGRAM) ||
3992 		    (so->so_type == SOCK_RAW)) {
3993 			add_sock_token = 1;
3994 
3995 			/* get local address */
3996 			mutex_enter(&so->so_lock);
3997 			len = min(so->so_laddr_len, sizeof (so_laddr));
3998 			bcopy(so->so_laddr_sa, so_laddr, len);
3999 			mutex_exit(&so->so_lock);
4000 
4001 			/* get peer address */
4002 			bzero((void *)so_faddr, sizeof (so_faddr));
4003 
4004 			/* sanity check */
4005 			if (uap->from == NULL)
4006 				break;
4007 
4008 			/* sanity checks */
4009 			if (uap->fromlen == 0)
4010 				break;
4011 
4012 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4013 			    sizeof (fromlen)) != 0)
4014 				break;
4015 
4016 			if (fromlen == 0)
4017 				break;
4018 
4019 			/* enforce maximum size */
4020 			if (fromlen > sizeof (so_faddr))
4021 				fromlen = sizeof (so_faddr);
4022 
4023 			if (copyin((caddr_t)(uap->from), so_faddr,
4024 			    fromlen) != 0)
4025 				break;
4026 
4027 		} else if (so->so_type == SOCK_STREAM) {
4028 
4029 			/* get path from file struct here */
4030 			fad = F2A(fp);
4031 			ASSERT(fad);
4032 
4033 			/*
4034 			 * already processed this file for read attempt
4035 			 */
4036 			if (fad->fad_flags & FAD_READ) {
4037 				/* don't want to audit every recvfrom attempt */
4038 				tad->tad_flag = 0;
4039 				/* free any residual audit data */
4040 				au_close(kctx, &(u_ad), 0, 0, 0);
4041 				releasef(fd);
4042 				return;
4043 			}
4044 			/*
4045 			 * mark things so we know what happened and don't
4046 			 * repeat things
4047 			 */
4048 			fad->fad_flags |= FAD_READ;
4049 
4050 			bzero((void *)so_laddr, sizeof (so_laddr));
4051 			bzero((void *)so_faddr, sizeof (so_faddr));
4052 
4053 			if (so->so_state & SS_ISBOUND) {
4054 
4055 				if (so->so_laddr_len == 0)
4056 					(void) SOP_GETSOCKNAME(so);
4057 				if (so->so_faddr_len == 0)
4058 					(void) SOP_GETPEERNAME(so);
4059 
4060 				/* get local and foreign addresses */
4061 				mutex_enter(&so->so_lock);
4062 				len = min(so->so_laddr_len, sizeof (so_laddr));
4063 				bcopy(so->so_laddr_sa, so_laddr, len);
4064 				len = min(so->so_faddr_len, sizeof (so_faddr));
4065 				bcopy(so->so_faddr_sa, so_faddr, len);
4066 				mutex_exit(&so->so_lock);
4067 			}
4068 
4069 			add_sock_token = 1;
4070 		}
4071 
4072 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4073 
4074 		break;
4075 
4076 	case AF_UNIX:
4077 		/*
4078 		 * first check if this is first time through. Too much
4079 		 * duplicate code to put this in an aui_ routine.
4080 		 */
4081 
4082 		/* get path from file struct here */
4083 		fad = F2A(fp);
4084 		ASSERT(fad);
4085 
4086 		/*
4087 		 * already processed this file for read attempt
4088 		 */
4089 		if (fad->fad_flags & FAD_READ) {
4090 			/* don't want to audit every recvfrom attempt */
4091 			tad->tad_flag = 0;
4092 			/* free any residual audit data */
4093 			au_close(kctx, &(u_ad), 0, 0, 0);
4094 			releasef(fd);
4095 			return;
4096 		}
4097 		/*
4098 		 * mark things so we know what happened and don't
4099 		 * repeat things
4100 		 */
4101 		fad->fad_flags |= FAD_READ;
4102 
4103 		if (fad->fad_aupath != NULL) {
4104 			au_uwrite(au_to_path(fad->fad_aupath));
4105 		} else {
4106 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4107 		}
4108 
4109 		audit_attributes(fp->f_vnode);
4110 
4111 		releasef(fd);
4112 
4113 		return;
4114 
4115 	default:
4116 		break;
4117 
4118 	}
4119 
4120 	releasef(fd);
4121 
4122 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4123 
4124 	if (add_sock_token == 0) {
4125 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4126 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4127 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4128 		return;
4129 	}
4130 
4131 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4132 
4133 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4134 }
4135 
4136 /*ARGSUSED*/
4137 static void
4138 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4139 {
4140 	struct a {
4141 		long	fd;
4142 		long	msg;	/* struct msghdr */
4143 		long	flags;
4144 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4145 
4146 	struct sonode	*so;
4147 	char so_laddr[sizeof (struct sockaddr_in6)];
4148 	char so_faddr[sizeof (struct sockaddr_in6)];
4149 	int		err;
4150 	int		fd;
4151 	short so_family, so_type;
4152 	int		add_sock_token = 0;
4153 	int		len;
4154 	struct file	*fp;
4155 	struct f_audit_data *fad;
4156 	caddr_t		msg_name;
4157 	socklen_t	msg_namelen;
4158 	STRUCT_DECL(msghdr, msg);
4159 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4160 
4161 	fd = (int)uap->fd;
4162 
4163 	/* bail if an error */
4164 	if (error) {
4165 		/* XXX include destination address from system call arguments */
4166 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4167 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4168 		return;
4169 	}
4170 
4171 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4172 		/*
4173 		 * not security relevant if doing a sendmsg from non socket
4174 		 * so no extra tokens. Should probably turn off audit record
4175 		 * generation here.
4176 		 */
4177 		return;
4178 	}
4179 
4180 	so_family = so->so_family;
4181 	so_type   = so->so_type;
4182 
4183 	switch (so_family) {
4184 	case AF_INET:
4185 	case AF_INET6:
4186 		/*
4187 		 * if datagram type socket, then just use what is in
4188 		 * socket structure for local address.
4189 		 * XXX - what do we do for other types?
4190 		 */
4191 		if ((so->so_type == SOCK_DGRAM) ||
4192 		    (so->so_type == SOCK_RAW)) {
4193 
4194 			bzero((void *)so_laddr, sizeof (so_laddr));
4195 			bzero((void *)so_faddr, sizeof (so_faddr));
4196 
4197 			/* get local address */
4198 			mutex_enter(&so->so_lock);
4199 			len = min(so->so_laddr_len, sizeof (so_laddr));
4200 			bcopy(so->so_laddr_sa, so_laddr, len);
4201 			mutex_exit(&so->so_lock);
4202 
4203 			/* get peer address */
4204 			STRUCT_INIT(msg, get_udatamodel());
4205 
4206 			if (copyin((caddr_t)(uap->msg),
4207 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4208 				break;
4209 			}
4210 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4211 			if (msg_name == NULL)
4212 				break;
4213 
4214 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4215 			/* length is value from recvmsg - sanity check */
4216 			if (msg_namelen == 0)
4217 				break;
4218 
4219 			if (copyin(msg_name, so_faddr,
4220 			    sizeof (so_faddr)) != 0)
4221 				break;
4222 
4223 			add_sock_token = 1;
4224 
4225 		} else if (so->so_type == SOCK_STREAM) {
4226 
4227 			/* get path from file struct here */
4228 			fad = F2A(fp);
4229 			ASSERT(fad);
4230 
4231 			/*
4232 			 * already processed this file for write attempt
4233 			 */
4234 			if (fad->fad_flags & FAD_WRITE) {
4235 				releasef(fd);
4236 				/* don't want to audit every sendmsg attempt */
4237 				tad->tad_flag = 0;
4238 				/* free any residual audit data */
4239 				au_close(kctx, &(u_ad), 0, 0, 0);
4240 				return;
4241 			}
4242 
4243 			/*
4244 			 * mark things so we know what happened and don't
4245 			 * repeat things
4246 			 */
4247 			fad->fad_flags |= FAD_WRITE;
4248 
4249 			bzero((void *)so_laddr, sizeof (so_laddr));
4250 			bzero((void *)so_faddr, sizeof (so_faddr));
4251 
4252 			if (so->so_state & SS_ISBOUND) {
4253 
4254 				if (so->so_laddr_len == 0)
4255 					(void) SOP_GETSOCKNAME(so);
4256 				if (so->so_faddr_len == 0)
4257 					(void) SOP_GETPEERNAME(so);
4258 
4259 				/* get local and foreign addresses */
4260 				mutex_enter(&so->so_lock);
4261 				len = min(so->so_laddr_len, sizeof (so_laddr));
4262 				bcopy(so->so_laddr_sa, so_laddr, len);
4263 				len = min(so->so_faddr_len, sizeof (so_faddr));
4264 				bcopy(so->so_faddr_sa, so_faddr, len);
4265 				mutex_exit(&so->so_lock);
4266 			}
4267 
4268 			add_sock_token = 1;
4269 		}
4270 
4271 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4272 
4273 		break;
4274 
4275 	case AF_UNIX:
4276 		/*
4277 		 * first check if this is first time through. Too much
4278 		 * duplicate code to put this in an aui_ routine.
4279 		 */
4280 
4281 		/* get path from file struct here */
4282 		fad = F2A(fp);
4283 		ASSERT(fad);
4284 
4285 		/*
4286 		 * already processed this file for write attempt
4287 		 */
4288 		if (fad->fad_flags & FAD_WRITE) {
4289 			releasef(fd);
4290 			/* don't want to audit every sendmsg attempt */
4291 			tad->tad_flag = 0;
4292 			/* free any residual audit data */
4293 			au_close(kctx, &(u_ad), 0, 0, 0);
4294 			return;
4295 		}
4296 		/*
4297 		 * mark things so we know what happened and don't
4298 		 * repeat things
4299 		 */
4300 		fad->fad_flags |= FAD_WRITE;
4301 
4302 		if (fad->fad_aupath != NULL) {
4303 			au_uwrite(au_to_path(fad->fad_aupath));
4304 		} else {
4305 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4306 		}
4307 
4308 		audit_attributes(fp->f_vnode);
4309 
4310 		releasef(fd);
4311 
4312 		return;
4313 
4314 	default:
4315 		break;
4316 	}
4317 
4318 	releasef(fd);
4319 
4320 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4321 
4322 	if (add_sock_token == 0) {
4323 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4324 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4325 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4326 		return;
4327 	}
4328 
4329 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4330 
4331 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4332 }
4333 
4334 /*ARGSUSED*/
4335 static void
4336 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4337 {
4338 	struct a {
4339 		long	fd;
4340 		long	msg;	/* char */
4341 		long	len;
4342 		long	flags;
4343 		long	to;	/* struct sockaddr */
4344 		long	tolen;
4345 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4346 
4347 	struct sonode	*so;
4348 	char so_laddr[sizeof (struct sockaddr_in6)];
4349 	char so_faddr[sizeof (struct sockaddr_in6)];
4350 	socklen_t	tolen;
4351 	int		err;
4352 	int		fd;
4353 	int		len;
4354 	short so_family, so_type;
4355 	int		add_sock_token = 0;
4356 	struct file	*fp;
4357 	struct f_audit_data *fad;
4358 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4359 
4360 	fd = (int)uap->fd;
4361 
4362 	/* bail if an error */
4363 	if (error) {
4364 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4365 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4366 		/* XXX include destination address from system call arguments */
4367 		return;
4368 	}
4369 
4370 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4371 		/*
4372 		 * not security relevant if doing a sendto using non socket
4373 		 * so no extra tokens. Should probably turn off audit record
4374 		 * generation here.
4375 		 */
4376 		return;
4377 	}
4378 
4379 	so_family = so->so_family;
4380 	so_type   = so->so_type;
4381 
4382 	/*
4383 	 * only putout SOCKET_EX token if INET/INET6 family.
4384 	 * XXX - what do we do about other families?
4385 	 */
4386 
4387 	switch (so_family) {
4388 	case AF_INET:
4389 	case AF_INET6:
4390 
4391 		/*
4392 		 * if datagram type socket, then just use what is in
4393 		 * socket structure for local address.
4394 		 * XXX - what do we do for other types?
4395 		 */
4396 		if ((so->so_type == SOCK_DGRAM) ||
4397 		    (so->so_type == SOCK_RAW)) {
4398 
4399 			bzero((void *)so_laddr, sizeof (so_laddr));
4400 			bzero((void *)so_faddr, sizeof (so_faddr));
4401 
4402 			/* get local address */
4403 			mutex_enter(&so->so_lock);
4404 			len = min(so->so_laddr_len, sizeof (so_laddr));
4405 			bcopy(so->so_laddr_sa, so_laddr, len);
4406 			mutex_exit(&so->so_lock);
4407 
4408 			/* get peer address */
4409 
4410 			/* sanity check */
4411 			if (uap->to == NULL)
4412 				break;
4413 
4414 			/* sanity checks */
4415 			if (uap->tolen == 0)
4416 				break;
4417 
4418 			tolen = (socklen_t)uap->tolen;
4419 
4420 			/* enforce maximum size */
4421 			if (tolen > sizeof (so_faddr))
4422 				tolen = sizeof (so_faddr);
4423 
4424 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4425 				break;
4426 
4427 			add_sock_token = 1;
4428 		} else {
4429 			/*
4430 			 * check if this is first time through.
4431 			 */
4432 
4433 			/* get path from file struct here */
4434 			fad = F2A(fp);
4435 			ASSERT(fad);
4436 
4437 			/*
4438 			 * already processed this file for write attempt
4439 			 */
4440 			if (fad->fad_flags & FAD_WRITE) {
4441 				/* don't want to audit every sendto attempt */
4442 				tad->tad_flag = 0;
4443 				/* free any residual audit data */
4444 				au_close(kctx, &(u_ad), 0, 0, 0);
4445 				releasef(fd);
4446 				return;
4447 			}
4448 			/*
4449 			 * mark things so we know what happened and don't
4450 			 * repeat things
4451 			 */
4452 			fad->fad_flags |= FAD_WRITE;
4453 
4454 			bzero((void *)so_laddr, sizeof (so_laddr));
4455 			bzero((void *)so_faddr, sizeof (so_faddr));
4456 
4457 			if (so->so_state & SS_ISBOUND) {
4458 
4459 				if (so->so_laddr_len == 0)
4460 					(void) SOP_GETSOCKNAME(so);
4461 				if (so->so_faddr_len == 0)
4462 					(void) SOP_GETPEERNAME(so);
4463 
4464 				/* get local and foreign addresses */
4465 				mutex_enter(&so->so_lock);
4466 				len = min(so->so_laddr_len, sizeof (so_laddr));
4467 				bcopy(so->so_laddr_sa, so_laddr, len);
4468 				len = min(so->so_faddr_len, sizeof (so_faddr));
4469 				bcopy(so->so_faddr_sa, so_faddr, len);
4470 				mutex_exit(&so->so_lock);
4471 			}
4472 
4473 			add_sock_token = 1;
4474 		}
4475 
4476 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4477 
4478 		break;
4479 
4480 	case AF_UNIX:
4481 		/*
4482 		 * first check if this is first time through. Too much
4483 		 * duplicate code to put this in an aui_ routine.
4484 		 */
4485 
4486 		/* get path from file struct here */
4487 		fad = F2A(fp);
4488 		ASSERT(fad);
4489 
4490 		/*
4491 		 * already processed this file for write attempt
4492 		 */
4493 		if (fad->fad_flags & FAD_WRITE) {
4494 			/* don't want to audit every sendto attempt */
4495 			tad->tad_flag = 0;
4496 			/* free any residual audit data */
4497 			au_close(kctx, &(u_ad), 0, 0, 0);
4498 			releasef(fd);
4499 			return;
4500 		}
4501 		/*
4502 		 * mark things so we know what happened and don't
4503 		 * repeat things
4504 		 */
4505 		fad->fad_flags |= FAD_WRITE;
4506 
4507 		if (fad->fad_aupath != NULL) {
4508 			au_uwrite(au_to_path(fad->fad_aupath));
4509 		} else {
4510 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4511 		}
4512 
4513 		audit_attributes(fp->f_vnode);
4514 
4515 		releasef(fd);
4516 
4517 		return;
4518 
4519 	default:
4520 		break;
4521 
4522 	}
4523 
4524 	releasef(fd);
4525 
4526 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4527 
4528 	if (add_sock_token == 0) {
4529 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4530 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4531 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4532 		return;
4533 	}
4534 
4535 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4536 
4537 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4538 
4539 }
4540 
4541 /*
4542  * XXX socket(2) may be equivalent to open(2) on a unix domain
4543  * socket. This needs investigation.
4544  */
4545 
4546 /*ARGSUSED*/
4547 static void
4548 aus_socket(struct t_audit_data *tad)
4549 {
4550 	struct a {
4551 		long	domain;
4552 		long	type;
4553 		long	protocol;
4554 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4555 
4556 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4557 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4558 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4559 }
4560 
4561 /*ARGSUSED*/
4562 static void
4563 aus_sigqueue(struct t_audit_data *tad)
4564 {
4565 	struct a {
4566 		long	pid;
4567 		long	signo;
4568 		long	*val;
4569 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4570 	struct proc *p;
4571 	uid_t uid, ruid;
4572 	gid_t gid, rgid;
4573 	pid_t pid;
4574 	const auditinfo_addr_t *ainfo;
4575 	cred_t *cr;
4576 
4577 	pid = (pid_t)uap->pid;
4578 
4579 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4580 	if (pid > 0) {
4581 		mutex_enter(&pidlock);
4582 		if ((p = prfind(pid)) == (struct proc *)0) {
4583 			mutex_exit(&pidlock);
4584 			return;
4585 		}
4586 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4587 		mutex_exit(&pidlock);
4588 
4589 		mutex_enter(&p->p_crlock);
4590 		crhold(cr = p->p_cred);
4591 		mutex_exit(&p->p_crlock);
4592 		mutex_exit(&p->p_lock);
4593 
4594 		ainfo = crgetauinfo(cr);
4595 		if (ainfo == NULL) {
4596 			crfree(cr);
4597 			return;
4598 		}
4599 
4600 		uid  = crgetuid(cr);
4601 		gid  = crgetgid(cr);
4602 		ruid = crgetruid(cr);
4603 		rgid = crgetrgid(cr);
4604 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4605 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4606 		crfree(cr);
4607 	}
4608 	else
4609 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4610 }
4611 
4612 /*ARGSUSED*/
4613 static void
4614 aus_inst_sync(struct t_audit_data *tad)
4615 {
4616 	struct a {
4617 		long	name;	/* char */
4618 		long	flags;
4619 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4620 
4621 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4622 }
4623 
4624 /*ARGSUSED*/
4625 static void
4626 aus_brandsys(struct t_audit_data *tad)
4627 {
4628 	klwp_t *clwp = ttolwp(curthread);
4629 
4630 	struct a {
4631 		long	cmd;
4632 		long	arg1;
4633 		long	arg2;
4634 		long	arg3;
4635 		long	arg4;
4636 		long	arg5;
4637 		long	arg6;
4638 	} *uap = (struct a *)clwp->lwp_ap;
4639 
4640 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4641 #ifdef _LP64
4642 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4643 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4644 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4645 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4646 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4647 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4648 #else
4649 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4650 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4651 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4652 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4653 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4654 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4655 #endif
4656 }
4657 
4658 /*ARGSUSED*/
4659 static void
4660 aus_p_online(struct t_audit_data *tad)
4661 {
4662 	struct a {
4663 		long	processor_id;
4664 		long	flag;
4665 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4666 
4667 	struct flags {
4668 			int	flag;
4669 			char	*cflag;
4670 	} aflags[6] = {
4671 			{ P_ONLINE, "P_ONLINE"},
4672 			{ P_OFFLINE, "P_OFFLINE"},
4673 			{ P_NOINTR, "P_NOINTR"},
4674 			{ P_SPARE, "P_SPARE"},
4675 			{ P_FAULTED, "P_FAULTED"},
4676 			{ P_STATUS, "P_STATUS"}
4677 	};
4678 	int i;
4679 	char *cflag;
4680 
4681 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4682 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4683 
4684 	for (i = 0; i < 6; i++) {
4685 		if (aflags[i].flag == uap->flag)
4686 			break;
4687 	}
4688 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4689 
4690 	au_uwrite(au_to_text(cflag));
4691 }
4692 
4693 /*ARGSUSED*/
4694 static void
4695 aus_processor_bind(struct t_audit_data *tad)
4696 {
4697 	struct a {
4698 		long	id_type;
4699 		long	id;
4700 		long	processor_id;
4701 		long	obind;
4702 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4703 
4704 	struct proc *p;
4705 	int lwpcnt;
4706 	uid_t uid, ruid;
4707 	gid_t gid, rgid;
4708 	pid_t pid;
4709 	const auditinfo_addr_t *ainfo;
4710 	cred_t *cr;
4711 
4712 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4713 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4714 	if (uap->processor_id == PBIND_NONE)
4715 		au_uwrite(au_to_text("PBIND_NONE"));
4716 	else
4717 		au_uwrite(au_to_arg32(3, "processor_id",
4718 		    (uint32_t)uap->processor_id));
4719 
4720 	switch (uap->id_type) {
4721 	case P_MYID:
4722 	case P_LWPID:
4723 		mutex_enter(&pidlock);
4724 		p = ttoproc(curthread);
4725 		if (p == NULL || p->p_as == &kas) {
4726 			mutex_exit(&pidlock);
4727 			return;
4728 		}
4729 		mutex_enter(&p->p_lock);
4730 		mutex_exit(&pidlock);
4731 		lwpcnt = p->p_lwpcnt;
4732 		pid  = p->p_pid;
4733 
4734 		mutex_enter(&p->p_crlock);
4735 		crhold(cr = p->p_cred);
4736 		mutex_exit(&p->p_crlock);
4737 		mutex_exit(&p->p_lock);
4738 
4739 		ainfo = crgetauinfo(cr);
4740 		if (ainfo == NULL) {
4741 			crfree(cr);
4742 			return;
4743 		}
4744 
4745 		uid  = crgetuid(cr);
4746 		gid  = crgetgid(cr);
4747 		ruid = crgetruid(cr);
4748 		rgid = crgetrgid(cr);
4749 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4750 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4751 		crfree(cr);
4752 		break;
4753 	case P_PID:
4754 		mutex_enter(&pidlock);
4755 		p = prfind(uap->id);
4756 		if (p == NULL || p->p_as == &kas) {
4757 			mutex_exit(&pidlock);
4758 			return;
4759 		}
4760 		mutex_enter(&p->p_lock);
4761 		mutex_exit(&pidlock);
4762 		lwpcnt = p->p_lwpcnt;
4763 		pid  = p->p_pid;
4764 
4765 		mutex_enter(&p->p_crlock);
4766 		crhold(cr = p->p_cred);
4767 		mutex_exit(&p->p_crlock);
4768 		mutex_exit(&p->p_lock);
4769 
4770 		ainfo = crgetauinfo(cr);
4771 		if (ainfo == NULL) {
4772 			crfree(cr);
4773 			return;
4774 		}
4775 
4776 		uid  = crgetuid(cr);
4777 		gid  = crgetgid(cr);
4778 		ruid = crgetruid(cr);
4779 		rgid = crgetrgid(cr);
4780 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4781 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4782 		crfree(cr);
4783 
4784 		break;
4785 	default:
4786 		return;
4787 	}
4788 
4789 	if (uap->processor_id == PBIND_NONE &&
4790 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4791 		au_uwrite(au_to_text("PBIND_NONE for process"));
4792 	else
4793 		au_uwrite(au_to_arg32(3, "processor_id",
4794 		    (uint32_t)uap->processor_id));
4795 }
4796 
4797 /*ARGSUSED*/
4798 static au_event_t
4799 aui_doorfs(au_event_t e)
4800 {
4801 	uint32_t code;
4802 
4803 	struct a {		/* doorfs */
4804 		long	a1;
4805 		long	a2;
4806 		long	a3;
4807 		long	a4;
4808 		long	a5;
4809 		long	code;
4810 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4811 
4812 	/*
4813 	 *	audit formats for several of the
4814 	 *	door calls have not yet been determined
4815 	 */
4816 	code = (uint32_t)uap->code;
4817 	switch (code) {
4818 	case DOOR_CALL:
4819 		e = AUE_DOORFS_DOOR_CALL;
4820 		break;
4821 	case DOOR_RETURN:
4822 		e = AUE_NULL;
4823 		break;
4824 	case DOOR_CREATE:
4825 		e = AUE_DOORFS_DOOR_CREATE;
4826 		break;
4827 	case DOOR_REVOKE:
4828 		e = AUE_DOORFS_DOOR_REVOKE;
4829 		break;
4830 	case DOOR_INFO:
4831 		e = AUE_NULL;
4832 		break;
4833 	case DOOR_UCRED:
4834 		e = AUE_NULL;
4835 		break;
4836 	case DOOR_BIND:
4837 		e = AUE_NULL;
4838 		break;
4839 	case DOOR_UNBIND:
4840 		e = AUE_NULL;
4841 		break;
4842 	case DOOR_GETPARAM:
4843 		e = AUE_NULL;
4844 		break;
4845 	case DOOR_SETPARAM:
4846 		e = AUE_NULL;
4847 		break;
4848 	default:	/* illegal system call */
4849 		e = AUE_NULL;
4850 		break;
4851 	}
4852 
4853 	return (e);
4854 }
4855 
4856 static door_node_t *
4857 au_door_lookup(int did)
4858 {
4859 	vnode_t	*vp;
4860 	file_t *fp;
4861 
4862 	if ((fp = getf(did)) == NULL)
4863 		return (NULL);
4864 	/*
4865 	 * Use the underlying vnode (we may be namefs mounted)
4866 	 */
4867 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
4868 		vp = fp->f_vnode;
4869 
4870 	if (vp == NULL || vp->v_type != VDOOR) {
4871 		releasef(did);
4872 		return (NULL);
4873 	}
4874 
4875 	return (VTOD(vp));
4876 }
4877 
4878 /*ARGSUSED*/
4879 static void
4880 aus_doorfs(struct t_audit_data *tad)
4881 {
4882 
4883 	struct a {		/* doorfs */
4884 		long	a1;
4885 		long	a2;
4886 		long	a3;
4887 		long	a4;
4888 		long	a5;
4889 		long	code;
4890 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4891 
4892 	door_node_t	*dp;
4893 	struct proc	*p;
4894 	uint32_t	did;
4895 	uid_t uid, ruid;
4896 	gid_t gid, rgid;
4897 	pid_t pid;
4898 	const auditinfo_addr_t *ainfo;
4899 	cred_t *cr;
4900 
4901 	did = (uint32_t)uap->a1;
4902 
4903 	switch (tad->tad_event) {
4904 	case AUE_DOORFS_DOOR_CALL:
4905 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4906 		if ((dp = au_door_lookup(did)) == NULL)
4907 			break;
4908 
4909 		if (DOOR_INVALID(dp)) {
4910 			releasef(did);
4911 			break;
4912 		}
4913 
4914 		if ((p = dp->door_target) == NULL) {
4915 			releasef(did);
4916 			break;
4917 		}
4918 		mutex_enter(&p->p_lock);
4919 		releasef(did);
4920 
4921 		pid  = p->p_pid;
4922 
4923 		mutex_enter(&p->p_crlock);
4924 		crhold(cr = p->p_cred);
4925 		mutex_exit(&p->p_crlock);
4926 		mutex_exit(&p->p_lock);
4927 
4928 		ainfo = crgetauinfo(cr);
4929 		if (ainfo == NULL) {
4930 			crfree(cr);
4931 			return;
4932 		}
4933 		uid  = crgetuid(cr);
4934 		gid  = crgetgid(cr);
4935 		ruid = crgetruid(cr);
4936 		rgid = crgetrgid(cr);
4937 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4938 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4939 		crfree(cr);
4940 		break;
4941 	case AUE_DOORFS_DOOR_RETURN:
4942 		/*
4943 		 * We may want to write information about
4944 		 * all doors (if any) which will be copied
4945 		 * by this call to the user space
4946 		 */
4947 		break;
4948 	case AUE_DOORFS_DOOR_CREATE:
4949 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
4950 		break;
4951 	case AUE_DOORFS_DOOR_REVOKE:
4952 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4953 		break;
4954 	case AUE_DOORFS_DOOR_INFO:
4955 		break;
4956 	case AUE_DOORFS_DOOR_CRED:
4957 		break;
4958 	case AUE_DOORFS_DOOR_BIND:
4959 		break;
4960 	case AUE_DOORFS_DOOR_UNBIND: {
4961 		break;
4962 	}
4963 	default:	/* illegal system call */
4964 		break;
4965 	}
4966 }
4967 
4968 /*ARGSUSED*/
4969 static au_event_t
4970 aui_acl(au_event_t e)
4971 {
4972 	struct a {
4973 		union {
4974 			long	name;	/* char */
4975 			long	fd;
4976 		}		obj;
4977 
4978 		long		cmd;
4979 		long		nentries;
4980 		long		arg;	/* aclent_t */
4981 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4982 
4983 	switch (uap->cmd) {
4984 	case SETACL:
4985 	case ACE_SETACL:
4986 		/*
4987 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
4988 		 * are expected.
4989 		 */
4990 		break;
4991 	case GETACL:
4992 	case GETACLCNT:
4993 	case ACE_GETACLCNT:
4994 		/* do nothing for these two values. */
4995 		e = AUE_NULL;
4996 		break;
4997 	default:
4998 		/* illegal system call */
4999 		break;
5000 	}
5001 
5002 	return (e);
5003 }
5004 
5005 static void
5006 au_acl(int cmd, int nentries, caddr_t bufp)
5007 {
5008 	size_t		a_size;
5009 	aclent_t	*aclbufp;
5010 	ace_t		*acebufp;
5011 	int		i;
5012 
5013 	switch (cmd) {
5014 	case GETACL:
5015 	case GETACLCNT:
5016 		break;
5017 	case SETACL:
5018 		if (nentries < 3)
5019 			break;
5020 
5021 		a_size = nentries * sizeof (aclent_t);
5022 
5023 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5024 			break;
5025 		if (copyin(bufp, aclbufp, a_size)) {
5026 			kmem_free(aclbufp, a_size);
5027 			break;
5028 		}
5029 		for (i = 0; i < nentries; i++) {
5030 			au_uwrite(au_to_acl(aclbufp + i));
5031 		}
5032 		kmem_free(aclbufp, a_size);
5033 		break;
5034 
5035 	case ACE_SETACL:
5036 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5037 			break;
5038 
5039 		a_size = nentries * sizeof (ace_t);
5040 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5041 			break;
5042 		if (copyin(bufp, acebufp, a_size)) {
5043 			kmem_free(acebufp, a_size);
5044 			break;
5045 		}
5046 		for (i = 0; i < nentries; i++) {
5047 			au_uwrite(au_to_ace(acebufp + i));
5048 		}
5049 		kmem_free(acebufp, a_size);
5050 		break;
5051 	default:
5052 		break;
5053 	}
5054 }
5055 
5056 /*ARGSUSED*/
5057 static void
5058 aus_acl(struct t_audit_data *tad)
5059 {
5060 	struct a {
5061 		long	fname;
5062 		long	cmd;
5063 		long	nentries;
5064 		long	aclbufp;
5065 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5066 
5067 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5068 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5069 
5070 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5071 }
5072 
5073 /*ARGSUSED*/
5074 static void
5075 aus_facl(struct t_audit_data *tad)
5076 {
5077 	struct a {
5078 		long	fd;
5079 		long	cmd;
5080 		long	nentries;
5081 		long	aclbufp;
5082 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5083 	struct file  *fp;
5084 	struct vnode *vp;
5085 	struct f_audit_data *fad;
5086 	int fd;
5087 
5088 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5089 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5090 
5091 	fd = (int)uap->fd;
5092 
5093 	if ((fp = getf(fd)) == NULL)
5094 		return;
5095 
5096 	/* get path from file struct here */
5097 	fad = F2A(fp);
5098 	if (fad->fad_aupath != NULL) {
5099 		au_uwrite(au_to_path(fad->fad_aupath));
5100 	} else {
5101 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5102 	}
5103 
5104 	vp = fp->f_vnode;
5105 	audit_attributes(vp);
5106 
5107 	/* decrement file descriptor reference count */
5108 	releasef(fd);
5109 
5110 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5111 }
5112 
5113 /*ARGSUSED*/
5114 static void
5115 auf_read(tad, error, rval)
5116 	struct t_audit_data *tad;
5117 	int error;
5118 	rval_t *rval;
5119 {
5120 	struct file *fp;
5121 	struct f_audit_data *fad;
5122 	int fd;
5123 	register struct a {
5124 		long	fd;
5125 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5126 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5127 
5128 	fd = (int)uap->fd;
5129 
5130 	/*
5131 	 * convert file pointer to file descriptor
5132 	 *   Note: fd ref count incremented here.
5133 	 */
5134 	if ((fp = getf(fd)) == NULL)
5135 		return;
5136 
5137 	/* get path from file struct here */
5138 	fad = F2A(fp);
5139 	ASSERT(fad);
5140 
5141 	/*
5142 	 * already processed this file for read attempt
5143 	 *
5144 	 * XXX might be better to turn off auditing in a aui_read() routine.
5145 	 */
5146 	if (fad->fad_flags & FAD_READ) {
5147 		/* don't really want to audit every read attempt */
5148 		tad->tad_flag = 0;
5149 		/* free any residual audit data */
5150 		au_close(kctx, &(u_ad), 0, 0, 0);
5151 		releasef(fd);
5152 		return;
5153 	}
5154 	/* mark things so we know what happened and don't repeat things */
5155 	fad->fad_flags |= FAD_READ;
5156 
5157 	if (fad->fad_aupath != NULL) {
5158 		au_uwrite(au_to_path(fad->fad_aupath));
5159 	} else {
5160 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5161 	}
5162 
5163 	/* include attributes */
5164 	audit_attributes(fp->f_vnode);
5165 
5166 	/* decrement file descriptor reference count */
5167 	releasef(fd);
5168 }
5169 
5170 /*ARGSUSED*/
5171 static void
5172 auf_write(tad, error, rval)
5173 	struct t_audit_data *tad;
5174 	int error;
5175 	rval_t *rval;
5176 {
5177 	struct file *fp;
5178 	struct f_audit_data *fad;
5179 	int fd;
5180 	register struct a {
5181 		long	fd;
5182 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5183 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5184 
5185 	fd = (int)uap->fd;
5186 
5187 	/*
5188 	 * convert file pointer to file descriptor
5189 	 *   Note: fd ref count incremented here.
5190 	 */
5191 	if ((fp = getf(fd)) == NULL)
5192 		return;
5193 
5194 	/* get path from file struct here */
5195 	fad = F2A(fp);
5196 	ASSERT(fad);
5197 
5198 	/*
5199 	 * already processed this file for write attempt
5200 	 *
5201 	 * XXX might be better to turn off auditing in a aus_write() routine.
5202 	 */
5203 	if (fad->fad_flags & FAD_WRITE) {
5204 		/* don't really want to audit every write attempt */
5205 		tad->tad_flag = 0;
5206 		/* free any residual audit data */
5207 		au_close(kctx, &(u_ad), 0, 0, 0);
5208 		releasef(fd);
5209 		return;
5210 	}
5211 	/* mark things so we know what happened and don't repeat things */
5212 	fad->fad_flags |= FAD_WRITE;
5213 
5214 	if (fad->fad_aupath != NULL) {
5215 		au_uwrite(au_to_path(fad->fad_aupath));
5216 	} else {
5217 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5218 	}
5219 
5220 	/* include attributes */
5221 	audit_attributes(fp->f_vnode);
5222 
5223 	/* decrement file descriptor reference count */
5224 	releasef(fd);
5225 }
5226 
5227 /*ARGSUSED*/
5228 static void
5229 auf_recv(tad, error, rval)
5230 	struct t_audit_data *tad;
5231 	int error;
5232 	rval_t *rval;
5233 {
5234 	struct sonode *so;
5235 	char so_laddr[sizeof (struct sockaddr_in6)];
5236 	char so_faddr[sizeof (struct sockaddr_in6)];
5237 	struct file *fp;
5238 	struct f_audit_data *fad;
5239 	int fd;
5240 	int err;
5241 	int len;
5242 	short so_family, so_type;
5243 	register struct a {
5244 		long	fd;
5245 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5246 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5247 
5248 	/*
5249 	 * If there was an error, then nothing to do. Only generate
5250 	 * audit record on first successful recv.
5251 	 */
5252 	if (error) {
5253 		/* Turn off audit record generation here. */
5254 		tad->tad_flag = 0;
5255 		/* free any residual audit data */
5256 		au_close(kctx, &(u_ad), 0, 0, 0);
5257 		return;
5258 	}
5259 
5260 	fd = (int)uap->fd;
5261 
5262 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5263 		/* Turn off audit record generation here. */
5264 		tad->tad_flag = 0;
5265 		/* free any residual audit data */
5266 		au_close(kctx, &(u_ad), 0, 0, 0);
5267 		return;
5268 	}
5269 
5270 	/* get path from file struct here */
5271 	fad = F2A(fp);
5272 	ASSERT(fad);
5273 
5274 	/*
5275 	 * already processed this file for read attempt
5276 	 */
5277 	if (fad->fad_flags & FAD_READ) {
5278 		releasef(fd);
5279 		/* don't really want to audit every recv call */
5280 		tad->tad_flag = 0;
5281 		/* free any residual audit data */
5282 		au_close(kctx, &(u_ad), 0, 0, 0);
5283 		return;
5284 	}
5285 
5286 	/* mark things so we know what happened and don't repeat things */
5287 	fad->fad_flags |= FAD_READ;
5288 
5289 	so_family = so->so_family;
5290 	so_type   = so->so_type;
5291 
5292 	switch (so_family) {
5293 	case AF_INET:
5294 	case AF_INET6:
5295 		/*
5296 		 * Only for connections.
5297 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5298 		 */
5299 		if (so->so_state & SS_ISBOUND) {
5300 
5301 			bzero((void *)so_laddr, sizeof (so_laddr));
5302 			bzero((void *)so_faddr, sizeof (so_faddr));
5303 
5304 			/* only done once on a connection */
5305 			(void) SOP_GETSOCKNAME(so);
5306 			(void) SOP_GETPEERNAME(so);
5307 
5308 			/* get local and foreign addresses */
5309 			mutex_enter(&so->so_lock);
5310 			len = min(so->so_laddr_len, sizeof (so_laddr));
5311 			bcopy(so->so_laddr_sa, so_laddr, len);
5312 			len = min(so->so_faddr_len, sizeof (so_faddr));
5313 			bcopy(so->so_faddr_sa, so_faddr, len);
5314 			mutex_exit(&so->so_lock);
5315 
5316 			/*
5317 			 * only way to drop out of switch. Note that we
5318 			 * we release fd below.
5319 			 */
5320 
5321 			break;
5322 		}
5323 
5324 		releasef(fd);
5325 
5326 		/* don't really want to audit every recv call */
5327 		tad->tad_flag = 0;
5328 		/* free any residual audit data */
5329 		au_close(kctx, &(u_ad), 0, 0, 0);
5330 
5331 		return;
5332 
5333 	case AF_UNIX:
5334 
5335 		if (fad->fad_aupath != NULL) {
5336 			au_uwrite(au_to_path(fad->fad_aupath));
5337 		} else {
5338 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5339 		}
5340 
5341 		audit_attributes(fp->f_vnode);
5342 
5343 		releasef(fd);
5344 
5345 		return;
5346 
5347 	default:
5348 		releasef(fd);
5349 
5350 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5351 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5352 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5353 
5354 		return;
5355 	}
5356 
5357 	releasef(fd);
5358 
5359 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5360 
5361 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5362 
5363 }
5364 
5365 /*ARGSUSED*/
5366 static void
5367 auf_send(tad, error, rval)
5368 	struct t_audit_data *tad;
5369 	int error;
5370 	rval_t *rval;
5371 {
5372 	struct sonode *so;
5373 	char so_laddr[sizeof (struct sockaddr_in6)];
5374 	char so_faddr[sizeof (struct sockaddr_in6)];
5375 	struct file *fp;
5376 	struct f_audit_data *fad;
5377 	int fd;
5378 	int err;
5379 	int len;
5380 	short so_family, so_type;
5381 	register struct a {
5382 		long	fd;
5383 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5384 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5385 
5386 	fd = (int)uap->fd;
5387 
5388 	/*
5389 	 * If there was an error, then nothing to do. Only generate
5390 	 * audit record on first successful send.
5391 	 */
5392 	if (error != 0) {
5393 		/* Turn off audit record generation here. */
5394 		tad->tad_flag = 0;
5395 		/* free any residual audit data */
5396 		au_close(kctx, &(u_ad), 0, 0, 0);
5397 		return;
5398 	}
5399 
5400 	fd = (int)uap->fd;
5401 
5402 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5403 		/* Turn off audit record generation here. */
5404 		tad->tad_flag = 0;
5405 		/* free any residual audit data */
5406 		au_close(kctx, &(u_ad), 0, 0, 0);
5407 		return;
5408 	}
5409 
5410 	/* get path from file struct here */
5411 	fad = F2A(fp);
5412 	ASSERT(fad);
5413 
5414 	/*
5415 	 * already processed this file for write attempt
5416 	 */
5417 	if (fad->fad_flags & FAD_WRITE) {
5418 		releasef(fd);
5419 		/* don't really want to audit every send call */
5420 		tad->tad_flag = 0;
5421 		/* free any residual audit data */
5422 		au_close(kctx, &(u_ad), 0, 0, 0);
5423 		return;
5424 	}
5425 
5426 	/* mark things so we know what happened and don't repeat things */
5427 	fad->fad_flags |= FAD_WRITE;
5428 
5429 	so_family = so->so_family;
5430 	so_type   = so->so_type;
5431 
5432 	switch (so_family) {
5433 	case AF_INET:
5434 	case AF_INET6:
5435 		/*
5436 		 * Only for connections.
5437 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5438 		 */
5439 		if (so->so_state & SS_ISBOUND) {
5440 
5441 			bzero((void *)so_laddr, sizeof (so_laddr));
5442 			bzero((void *)so_faddr, sizeof (so_faddr));
5443 
5444 			/* only done once on a connection */
5445 			(void) SOP_GETSOCKNAME(so);
5446 			(void) SOP_GETPEERNAME(so);
5447 
5448 			/* get local and foreign addresses */
5449 			mutex_enter(&so->so_lock);
5450 			len = min(so->so_laddr_len, sizeof (so_laddr));
5451 			bcopy(so->so_laddr_sa, so_laddr, len);
5452 			len = min(so->so_faddr_len, sizeof (so_faddr));
5453 			bcopy(so->so_faddr_sa, so_faddr, len);
5454 			mutex_exit(&so->so_lock);
5455 
5456 			/*
5457 			 * only way to drop out of switch. Note that we
5458 			 * we release fd below.
5459 			 */
5460 
5461 			break;
5462 		}
5463 
5464 		releasef(fd);
5465 		/* don't really want to audit every send call */
5466 		tad->tad_flag = 0;
5467 		/* free any residual audit data */
5468 		au_close(kctx, &(u_ad), 0, 0, 0);
5469 
5470 		return;
5471 
5472 	case AF_UNIX:
5473 
5474 		if (fad->fad_aupath != NULL) {
5475 			au_uwrite(au_to_path(fad->fad_aupath));
5476 		} else {
5477 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5478 		}
5479 
5480 		audit_attributes(fp->f_vnode);
5481 
5482 		releasef(fd);
5483 
5484 		return;
5485 
5486 	default:
5487 		releasef(fd);
5488 
5489 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5490 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5491 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5492 
5493 		return;
5494 	}
5495 
5496 	releasef(fd);
5497 
5498 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5499 
5500 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5501 }
5502 
5503 static au_event_t
5504 aui_forksys(au_event_t e)
5505 {
5506 	struct a {
5507 		long	subcode;
5508 		long	flags;
5509 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5510 
5511 	switch ((uint_t)uap->subcode) {
5512 	case 0:
5513 		e = AUE_FORK1;
5514 		break;
5515 	case 1:
5516 		e = AUE_FORKALL;
5517 		break;
5518 	case 2:
5519 		e = AUE_VFORK;
5520 		break;
5521 	default:
5522 		e = AUE_NULL;
5523 		break;
5524 	}
5525 
5526 	return (e);
5527 }
5528 
5529 /*ARGSUSED*/
5530 static au_event_t
5531 aui_portfs(au_event_t e)
5532 {
5533 	struct a {		/* portfs */
5534 		long	a1;
5535 		long	a2;
5536 		long	a3;
5537 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5538 
5539 	/*
5540 	 * check opcode
5541 	 */
5542 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5543 	case PORT_ASSOCIATE:
5544 	case PORT_DISSOCIATE:
5545 		/*
5546 		 * check source
5547 		 */
5548 		if ((uint_t)uap->a3 == PORT_SOURCE_FILE) {
5549 			e = AUE_PORTFS;
5550 		} else {
5551 			e = AUE_NULL;
5552 		}
5553 		break;
5554 	default:
5555 		e = AUE_NULL;
5556 	}
5557 	return (e);
5558 }
5559