xref: /illumos-gate/usr/src/uts/common/c2/audit_event.c (revision 5243e3342f14ea9f300eadae1c8524571a933a1b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25  * Copyright (c) 2018, Joyent, Inc.
26  */
27 
28 /*
29  * This file contains the audit event table used to control the production
30  * of audit records for each system call.
31  */
32 
33 #include <sys/policy.h>
34 #include <sys/cred.h>
35 #include <sys/types.h>
36 #include <sys/systm.h>
37 #include <sys/systeminfo.h>	/* for sysinfo auditing */
38 #include <sys/utsname.h>	/* for sysinfo auditing */
39 #include <sys/proc.h>
40 #include <sys/vnode.h>
41 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
42 #include <sys/fcntl.h>
43 #include <sys/modctl.h>		/* for modctl auditing */
44 #include <sys/vnode.h>
45 #include <sys/user.h>
46 #include <sys/types.h>
47 #include <sys/processor.h>
48 #include <sys/procset.h>
49 #include <sys/acl.h>
50 #include <sys/ipc.h>
51 #include <sys/door.h>
52 #include <sys/sem.h>
53 #include <sys/msg.h>
54 #include <sys/shm.h>
55 #include <sys/kmem.h>
56 #include <sys/file.h>		/* for accept */
57 #include <sys/utssys.h>		/* for fuser */
58 #include <sys/tsol/label.h>
59 #include <sys/tsol/tndb.h>
60 #include <sys/tsol/tsyscall.h>
61 #include <c2/audit.h>
62 #include <c2/audit_kernel.h>
63 #include <c2/audit_kevents.h>
64 #include <c2/audit_record.h>
65 #include <sys/procset.h>
66 #include <nfs/mount.h>
67 #include <sys/param.h>
68 #include <sys/debug.h>
69 #include <sys/sysmacros.h>
70 #include <sys/stream.h>
71 #include <sys/strsubr.h>
72 #include <sys/stropts.h>
73 #include <sys/tihdr.h>
74 #include <sys/socket.h>
75 #include <sys/socketvar.h>
76 #include <sys/vfs_opreg.h>
77 #include <fs/sockfs/sockcommon.h>
78 #include <netinet/in.h>
79 #include <sys/ddi.h>
80 #include <sys/port_impl.h>
81 #include <sys/secflags.h>
82 
83 static au_event_t	aui_fchownat(au_event_t);
84 static au_event_t	aui_fchmodat(au_event_t);
85 static au_event_t	aui_open(au_event_t);
86 static au_event_t	aui_openat(au_event_t);
87 static au_event_t	aui_unlinkat(au_event_t);
88 static au_event_t	aui_fstatat(au_event_t);
89 static au_event_t	aui_msgsys(au_event_t);
90 static au_event_t	aui_shmsys(au_event_t);
91 static au_event_t	aui_semsys(au_event_t);
92 static au_event_t	aui_utssys(au_event_t);
93 static au_event_t	aui_fcntl(au_event_t);
94 static au_event_t	aui_execve(au_event_t);
95 static au_event_t	aui_memcntl(au_event_t);
96 static au_event_t	aui_sysinfo(au_event_t);
97 static au_event_t	aui_portfs(au_event_t);
98 static au_event_t	aui_auditsys(au_event_t);
99 static au_event_t	aui_modctl(au_event_t);
100 static au_event_t	aui_acl(au_event_t);
101 static au_event_t	aui_doorfs(au_event_t);
102 static au_event_t	aui_privsys(au_event_t);
103 static au_event_t	aui_forksys(au_event_t);
104 static au_event_t	aui_labelsys(au_event_t);
105 static au_event_t	aui_setpgrp(au_event_t);
106 
107 
108 static void	aus_exit(struct t_audit_data *);
109 static void	aus_open(struct t_audit_data *);
110 static void	aus_openat(struct t_audit_data *);
111 static void	aus_acl(struct t_audit_data *);
112 static void	aus_acct(struct t_audit_data *);
113 static void	aus_chown(struct t_audit_data *);
114 static void	aus_fchown(struct t_audit_data *);
115 static void	aus_lchown(struct t_audit_data *);
116 static void	aus_fchownat(struct t_audit_data *);
117 static void	aus_chmod(struct t_audit_data *);
118 static void	aus_facl(struct t_audit_data *);
119 static void	aus_fchmod(struct t_audit_data *);
120 static void	aus_fchmodat(struct t_audit_data *);
121 static void	aus_fcntl(struct t_audit_data *);
122 static void	aus_mkdir(struct t_audit_data *);
123 static void	aus_mkdirat(struct t_audit_data *);
124 static void	aus_mknod(struct t_audit_data *);
125 static void	aus_mknodat(struct t_audit_data *);
126 static void	aus_mount(struct t_audit_data *);
127 static void	aus_umount2(struct t_audit_data *);
128 static void	aus_msgsys(struct t_audit_data *);
129 static void	aus_semsys(struct t_audit_data *);
130 static void	aus_close(struct t_audit_data *);
131 static void	aus_fstatfs(struct t_audit_data *);
132 static void	aus_setgid(struct t_audit_data *);
133 static void	aus_setpgrp(struct t_audit_data *);
134 static void	aus_setuid(struct t_audit_data *);
135 static void	aus_shmsys(struct t_audit_data *);
136 static void	aus_doorfs(struct t_audit_data *);
137 static void	aus_ioctl(struct t_audit_data *);
138 static void	aus_memcntl(struct t_audit_data *);
139 static void	aus_mmap(struct t_audit_data *);
140 static void	aus_munmap(struct t_audit_data *);
141 static void	aus_priocntlsys(struct t_audit_data *);
142 static void	aus_setegid(struct t_audit_data *);
143 static void	aus_setgroups(struct t_audit_data *);
144 static void	aus_seteuid(struct t_audit_data *);
145 static void	aus_putmsg(struct t_audit_data *);
146 static void	aus_putpmsg(struct t_audit_data *);
147 static void	aus_getmsg(struct t_audit_data *);
148 static void	aus_getpmsg(struct t_audit_data *);
149 static void	aus_auditsys(struct t_audit_data *);
150 static void	aus_sysinfo(struct t_audit_data *);
151 static void	aus_modctl(struct t_audit_data *);
152 static void	aus_kill(struct t_audit_data *);
153 static void	aus_setregid(struct t_audit_data *);
154 static void	aus_setreuid(struct t_audit_data *);
155 static void	aus_labelsys(struct t_audit_data *);
156 
157 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
158 static void	auf_mknodat(struct t_audit_data *, int, rval_t *);
159 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
160 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
161 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
162 static void	auf_read(struct t_audit_data *, int, rval_t *);
163 static void	auf_write(struct t_audit_data *, int, rval_t *);
164 
165 static void	aus_sigqueue(struct t_audit_data *);
166 static void	aus_p_online(struct t_audit_data *);
167 static void	aus_processor_bind(struct t_audit_data *);
168 static void	aus_inst_sync(struct t_audit_data *);
169 static void	aus_brandsys(struct t_audit_data *);
170 
171 static void	auf_accept(struct t_audit_data *, int, rval_t *);
172 
173 static void	auf_bind(struct t_audit_data *, int, rval_t *);
174 static void	auf_connect(struct t_audit_data *, int, rval_t *);
175 static void	aus_shutdown(struct t_audit_data *);
176 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
177 static void	aus_sockconfig(struct t_audit_data *);
178 static void	auf_recv(struct t_audit_data *, int, rval_t *);
179 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
180 static void	auf_send(struct t_audit_data *, int, rval_t *);
181 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
182 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
183 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
184 static void	aus_socket(struct t_audit_data *);
185 /*
186  * This table contains mapping information for converting system call numbers
187  * to audit event IDs. In several cases it is necessary to map a single system
188  * call to several events.
189  */
190 
191 #define	aui_null	NULL	/* NULL initialize function */
192 #define	aus_null	NULL	/* NULL start function */
193 #define	auf_null	NULL	/* NULL finish function */
194 
195 struct audit_s2e audit_s2e[] =
196 {
197 /*
198  * ----------	---------- 	----------	----------
199  * INITIAL	AUDIT		START		SYSTEM
200  * PROCESSING	EVENT		PROCESSING	CALL
201  * ----------	----------	----------	-----------
202  *		FINISH		EVENT
203  *		PROCESSING	CONTROL
204  * ----------------------------------------------------------
205  */
206 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
207 		auf_null,	0,
208 aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
209 		auf_null,	S2E_NPT,
210 aui_null,	AUE_PSECFLAGS,	aus_null,	/* 2 psecflags */
211 		auf_null,	0,
212 aui_null,	AUE_READ,	aus_null,	/* 3 read */
213 		auf_read,	S2E_PUB,
214 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
215 		auf_write,	0,
216 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
217 		auf_null,	S2E_SP,
218 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
219 		auf_null,	0,
220 aui_null,	AUE_LINK,	aus_null,	/* 7 linkat */
221 		auf_null,	0,
222 aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
223 		auf_null,	0,
224 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
225 		auf_null,	0,
226 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
227 		auf_null,	0,
228 aui_null,	AUE_SYMLINK,	aus_null,	/* 11 symlinkat */
229 		auf_null,	0,
230 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
231 		auf_null,	S2E_SP,
232 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
233 		auf_null,	0,
234 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
235 		auf_mknod,	S2E_MLD,
236 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
237 		auf_null,	0,
238 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
239 		auf_null,	0,
240 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
241 		auf_null,	0,
242 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
243 		auf_null,	S2E_PUB,
244 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
245 		auf_null,	0,
246 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
247 		auf_null,	0,
248 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
249 		auf_null,	S2E_MLD,
250 aui_null,	AUE_READLINK,	aus_null,	/* 22 readlinkat */
251 		auf_null,	S2E_PUB,
252 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
253 		auf_null,	0,
254 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
255 		auf_null,	0,
256 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
257 		auf_null,	0,
258 aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
259 		auf_null,	0,
260 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
261 		auf_null,	0,
262 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
263 		auf_null,	0,
264 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
265 		auf_null,	0,
266 aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
267 		auf_null,	0,
268 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
269 		auf_null,	0,
270 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
271 		auf_null,	0,
272 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
273 		auf_null,	S2E_PUB,
274 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
275 		auf_null,	0,
276 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
277 		auf_null,	S2E_PUB,
278 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
279 		auf_null,	0,
280 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
281 		auf_null,	0,
282 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
283 		auf_null,	S2E_PUB,
284 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
285 		auf_null,	0,
286 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
287 		auf_null,	0,
288 aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
289 		auf_null,	0,
290 aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
291 		auf_null,	0,
292 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
293 		auf_null,	0,
294 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
295 		auf_null,	0,
296 aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
297 		auf_null,	S2E_PUB,
298 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
299 		auf_null,	0,
300 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
301 		auf_null,	0,
302 aui_null,	AUE_MKNOD,	aus_mknodat,	/* 48 mknodat */
303 		auf_mknodat,	S2E_MLD,
304 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
305 		auf_msgsys,	0,
306 #if defined(__x86)
307 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
308 		auf_null,	0,
309 #else
310 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
311 		auf_null,	0,
312 #endif /* __x86 */
313 aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
314 		auf_null,	0,
315 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
316 		auf_shmsys,	0,
317 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
318 		auf_semsys,	0,
319 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
320 		auf_null,	0,
321 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
322 		auf_null,	0,
323 aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
324 		auf_null,	0,
325 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
326 		auf_null,	0,
327 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
328 		auf_null,	0,
329 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
330 		auf_null,	S2E_MLD,
331 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
332 		auf_null,	0,
333 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
334 		auf_null,	S2E_SP,
335 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
336 		auf_null,	0,
337 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
338 		auf_null,	0,
339 aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
340 		auf_null,	0,
341 aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
342 		auf_null,	0,
343 aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
344 		auf_null,	S2E_PUB,
345 aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
346 		auf_null,	S2E_PUB,
347 aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
348 		auf_null,	S2E_SP,
349 aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
350 		auf_null,	S2E_SP,
351 aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
352 		auf_null,	0,
353 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
354 		auf_null,	0,
355 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
356 		auf_null,	0,
357 aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
358 		auf_null,	0,
359 aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
360 		auf_null,	0,
361 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
362 		auf_null,	0,
363 aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
364 		auf_null,	0,
365 aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
366 		auf_null,	0,
367 aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
368 		auf_null,	0,
369 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
370 		auf_null,	0,
371 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
372 		auf_null,	0,
373 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
374 		auf_null,	0,
375 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
376 		auf_null,	0,
377 aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
378 		auf_null,	0,
379 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
380 		auf_null,	0,
381 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
382 		auf_null,	0,
383 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
384 		auf_null,	0,
385 aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
386 		auf_null,	0,
387 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
388 		auf_null,	S2E_PUB,
389 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
390 		auf_null,	0,
391 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
392 		auf_null,	S2E_PUB,
393 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
394 		auf_null,	0,
395 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
396 		auf_null,	0,
397 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
398 		auf_null,	0,
399 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
400 		auf_null,	0,
401 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
402 		auf_null,	0,
403 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
404 		auf_null,	0,
405 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
406 		auf_null,	0,
407 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
408 		auf_null,	0,
409 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
410 		auf_null,	0,
411 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
412 		auf_null,	0,
413 aui_fchmodat,	AUE_NULL,	aus_fchmodat,	/* 101 fchmodat */
414 		auf_null,	0,
415 aui_null,	AUE_MKDIR,	aus_mkdirat,	/* 102 mkdirat */
416 		auf_null,	0,
417 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
418 		auf_null,	S2E_PUB,
419 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
420 		auf_null,	0,
421 aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
422 		auf_null,	0,
423 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
424 		auf_null,	0,
425 aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
426 		auf_null,	0,
427 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
428 		auf_null,	0,
429 #if defined(__x86)
430 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
431 		auf_null,	0,
432 #else
433 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
434 		auf_null,	0,
435 #endif /* __x86 */
436 aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
437 		auf_null,	0,
438 aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
439 		auf_null,	0,
440 aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
441 		auf_null,	0,
442 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
443 		auf_null,	S2E_PUB,
444 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
445 		auf_null,	0,
446 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
447 		auf_null,	0,
448 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
449 		auf_null,	0,
450 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
451 		auf_null,	0,
452 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
453 		auf_null,	0,
454 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
455 		auf_null,	0,
456 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
457 		auf_null,	0,
458 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
459 		auf_read,	S2E_PUB,
460 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
461 		auf_write,	0,
462 aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
463 		auf_null,	0,
464 aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
465 		auf_null,	0,
466 aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
467 		auf_null,	0,
468 aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
469 		auf_null,	0,
470 aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
471 		auf_null,	0,
472 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
473 		auf_null,	0,
474 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
475 		auf_null,	0,
476 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
477 		auf_null,	0,
478 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
479 		auf_null,	0,
480 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
481 		auf_null,	0,
482 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
483 		auf_null,	0,
484 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
485 		auf_null,	0,
486 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
487 		auf_null,	0,
488 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
489 		auf_null,	0,
490 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
491 		auf_null,	0,
492 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
493 		auf_null,	0,
494 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
495 		auf_null,	0,
496 aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
497 		auf_null,	0,
498 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
499 		auf_null,	0,
500 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
501 		auf_null,	0,
502 aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
503 		auf_null,	0,
504 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
511 						/*	was lwp_sema_wait */
512 		auf_null,	0,
513 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
514 		auf_null,	0,
515 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
516 		auf_null,	0,
517 aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
518 		auf_null,	0,
519 aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
520 		auf_null,	0,
521 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
522 		auf_null,	0,
523 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
524 		auf_null,	0,
525 aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
526 		auf_null,	0,
527 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
528 		auf_null,	0,
529 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
530 		auf_null,	0,
531 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
532 		auf_null,	0,
533 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
534 		auf_null,	0,
535 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
536 		auf_null,	0,
537 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
538 		auf_null,	0,
539 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
540 		auf_null,	0,
541 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
542 		auf_null,	0,
543 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
544 		auf_null,	0,
545 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
546 		auf_null,	0,
547 aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
548 		auf_null,	0,
549 aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
550 		auf_null,	0,
551 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
556 						/*	was lwp_mutex_lock */
557 		auf_null,	0,
558 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
559 		auf_null,	0,
560 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
561 		auf_null,	0,
562 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
563 		auf_null,	0,
564 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
565 		auf_read,	S2E_PUB,
566 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
567 		auf_write,	0,
568 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
569 		auf_null,	0,
570 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) inst_sync */
571 		auf_null,	0,
572 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
573 		auf_null,	0,
574 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
575 		auf_null,	0,
576 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
577 		auf_null,	0,
578 aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
579 		auf_null,	0,
580 aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
581 		auf_null,	0,
582 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
583 		auf_null,	S2E_MLD,
584 aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
585 		auf_null,	0,
586 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
587 		auf_null,	0,
588 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
589 		auf_null,	0,
590 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
591 		auf_null,	0,
592 aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
593 		auf_null,	0,
594 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
595 		auf_null,	0,
596 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
597 		auf_null,	0,
598 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
599 		auf_null,	0,
600 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
601 		auf_null,	0,
602 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
603 		auf_null,	0,
604 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
605 		auf_null,	0,
606 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
607 		auf_null,	0,
608 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
609 		auf_null,	0,
610 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
611 		auf_null,	0,
612 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
613 		auf_null,	0,
614 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
615 		auf_null,	0,
616 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
617 		auf_null,	0,
618 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
619 		auf_null,	0,
620 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
621 		auf_null,	0,
622 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
623 		auf_null,	0,
624 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
625 		auf_null,	0,
626 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
627 		auf_null,	0,
628 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
629 		auf_null,	0,
630 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
631 		auf_null,	0,
632 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
633 		auf_null,	0,
634 aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
635 		auf_null,	0,
636 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
637 		auf_null,	0,
638 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
639 		auf_null,	0,
640 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
641 		auf_null,	0,
642 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
643 		auf_null,	0,
644 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
645 		auf_null,	0,
646 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
647 		auf_null,	0,
648 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
649 		auf_null,	S2E_PUB,
650 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
651 		auf_null,	S2E_PUB,
652 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
653 		auf_null,	0,
654 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
655 		auf_null,	S2E_PUB,
656 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
657 		auf_null,	0,
658 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
659 		auf_null,	0,
660 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
661 		auf_null,	0,
662 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
663 		auf_read,	S2E_PUB,
664 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
665 		auf_write,	0,
666 aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
667 		auf_null,	0,
668 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
669 		auf_null,	S2E_SP,
670 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
671 		auf_null,	0,
672 aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
673 		auf_null,	0,
674 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
675 		auf_null,	0,
676 aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
677 		auf_null,	0,
678 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
679 		auf_null,	0,
680 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
681 		auf_null,	0,
682 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
683 		auf_bind,	0,
684 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
685 		auf_null,	0,
686 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
687 		auf_accept,	0,
688 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
689 		auf_connect,	0,
690 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
691 		auf_null,	0,
692 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
693 		auf_recv,	0,
694 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
695 		auf_recvfrom,	0,
696 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
697 		auf_recvmsg,	0,
698 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
699 		auf_send,	0,
700 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
701 		auf_sendmsg,	0,
702 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
703 		auf_sendto,	0,
704 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
705 		auf_null,	0,
706 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
707 		auf_null,	0,
708 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
709 		auf_null,	0,
710 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
711 		auf_setsockopt,	0,
712 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
713 		auf_null,	0,
714 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
715 		auf_null,	0,
716 aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
717 		auf_null,	0,
718 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
719 		auf_null,	0,
720 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
721 		auf_null,	0,
722 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
723 		auf_null,	0,
724 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
725 		auf_null,	0,
726 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
727 		auf_null,	0,
728 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
729 		auf_null,	0
730 };
731 
732 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
733 
734 
735 /* exit start function */
736 /*ARGSUSED*/
737 static void
738 aus_exit(struct t_audit_data *tad)
739 {
740 	uint32_t rval;
741 	struct a {
742 		long rval;
743 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
744 
745 	rval = (uint32_t)uap->rval;
746 	au_uwrite(au_to_arg32(1, "exit status", rval));
747 }
748 
749 
750 /* acct start function */
751 /*ARGSUSED*/
752 static void
753 aus_acct(struct t_audit_data *tad)
754 {
755 	klwp_t *clwp = ttolwp(curthread);
756 	uintptr_t fname;
757 
758 	struct a {
759 		long	fname;		/* char * */
760 	} *uap = (struct a *)clwp->lwp_ap;
761 
762 	fname = (uintptr_t)uap->fname;
763 
764 	if (fname == 0)
765 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
766 }
767 
768 /* chown start function */
769 /*ARGSUSED*/
770 static void
771 aus_chown(struct t_audit_data *tad)
772 {
773 	klwp_t *clwp = ttolwp(curthread);
774 	uint32_t uid, gid;
775 
776 	struct a {
777 		long	fname;		/* char * */
778 		long	uid;
779 		long	gid;
780 	} *uap = (struct a *)clwp->lwp_ap;
781 
782 	uid = (uint32_t)uap->uid;
783 	gid = (uint32_t)uap->gid;
784 
785 	au_uwrite(au_to_arg32(2, "new file uid", uid));
786 	au_uwrite(au_to_arg32(3, "new file gid", gid));
787 }
788 
789 /* fchown start function */
790 /*ARGSUSED*/
791 static void
792 aus_fchown(struct t_audit_data *tad)
793 {
794 	klwp_t *clwp = ttolwp(curthread);
795 	uint32_t uid, gid, fd;
796 	struct file  *fp;
797 	struct vnode *vp;
798 	struct f_audit_data *fad;
799 
800 	struct a {
801 		long fd;
802 		long uid;
803 		long gid;
804 	} *uap = (struct a *)clwp->lwp_ap;
805 
806 	fd  = (uint32_t)uap->fd;
807 	uid = (uint32_t)uap->uid;
808 	gid = (uint32_t)uap->gid;
809 
810 	au_uwrite(au_to_arg32(2, "new file uid", uid));
811 	au_uwrite(au_to_arg32(3, "new file gid", gid));
812 
813 		/*
814 		 * convert file pointer to file descriptor
815 		 *   Note: fd ref count incremented here.
816 		 */
817 	if ((fp = getf(fd)) == NULL)
818 		return;
819 
820 	/* get path from file struct here */
821 	fad = F2A(fp);
822 	if (fad->fad_aupath != NULL) {
823 		au_uwrite(au_to_path(fad->fad_aupath));
824 	} else {
825 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
826 	}
827 
828 	vp = fp->f_vnode;
829 	audit_attributes(vp);
830 
831 	/* decrement file descriptor reference count */
832 	releasef(fd);
833 }
834 
835 /*ARGSUSED*/
836 static void
837 aus_lchown(struct t_audit_data *tad)
838 {
839 	klwp_t *clwp = ttolwp(curthread);
840 	uint32_t uid, gid;
841 
842 
843 	struct a {
844 		long	fname;		/* char	* */
845 		long	uid;
846 		long	gid;
847 	} *uap = (struct a *)clwp->lwp_ap;
848 
849 	uid = (uint32_t)uap->uid;
850 	gid = (uint32_t)uap->gid;
851 
852 	au_uwrite(au_to_arg32(2, "new file uid", uid));
853 	au_uwrite(au_to_arg32(3, "new file gid", gid));
854 }
855 
856 static au_event_t
857 aui_fchownat(au_event_t e)
858 {
859 	klwp_t *clwp = ttolwp(curthread);
860 
861 	struct a {
862 		long	fd;
863 		long	fname;		/* char * */
864 		long	uid;
865 		long	gid;
866 		long	flags;
867 	} *uap = (struct a *)clwp->lwp_ap;
868 
869 	if (uap->fname == NULL)
870 		e = AUE_FCHOWN;
871 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
872 		e = AUE_LCHOWN;
873 	else
874 		e = AUE_CHOWN;
875 
876 	return (e);
877 }
878 
879 /*ARGSUSED*/
880 static void
881 aus_fchownat(struct t_audit_data *tad)
882 {
883 	klwp_t *clwp = ttolwp(curthread);
884 	uint32_t uid, gid;
885 
886 	struct a {
887 		long	fd;
888 		long	fname;		/* char * */
889 		long	uid;
890 		long	gid;
891 		long	flags;
892 	} *uap = (struct a *)clwp->lwp_ap;
893 
894 	uid = (uint32_t)uap->uid;
895 	gid = (uint32_t)uap->gid;
896 
897 	au_uwrite(au_to_arg32(3, "new file uid", uid));
898 	au_uwrite(au_to_arg32(4, "new file gid", gid));
899 }
900 
901 /*ARGSUSED*/
902 static void
903 aus_chmod(struct t_audit_data *tad)
904 {
905 	klwp_t *clwp = ttolwp(curthread);
906 	uint32_t fmode;
907 
908 	struct a {
909 		long	fname;		/* char	* */
910 		long	fmode;
911 	} *uap = (struct a *)clwp->lwp_ap;
912 
913 	fmode = (uint32_t)uap->fmode;
914 
915 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
916 }
917 
918 /*ARGSUSED*/
919 static void
920 aus_fchmod(struct t_audit_data *tad)
921 {
922 	klwp_t *clwp = ttolwp(curthread);
923 	uint32_t fmode, fd;
924 	struct file  *fp;
925 	struct vnode *vp;
926 	struct f_audit_data *fad;
927 
928 	struct a {
929 		long	fd;
930 		long	fmode;
931 	} *uap = (struct a *)clwp->lwp_ap;
932 
933 	fd = (uint32_t)uap->fd;
934 	fmode = (uint32_t)uap->fmode;
935 
936 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
937 
938 	/*
939 	 * convert file pointer to file descriptor
940 	 *   Note: fd ref count incremented here.
941 	 */
942 	if ((fp = getf(fd)) == NULL)
943 		return;
944 
945 	/* get path from file struct here */
946 	fad = F2A(fp);
947 	if (fad->fad_aupath != NULL) {
948 		au_uwrite(au_to_path(fad->fad_aupath));
949 	} else {
950 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
951 	}
952 
953 	vp = fp->f_vnode;
954 	audit_attributes(vp);
955 
956 	/* decrement file descriptor reference count */
957 	releasef(fd);
958 }
959 
960 static au_event_t
961 aui_fchmodat(au_event_t e)
962 {
963 	klwp_t *clwp = ttolwp(curthread);
964 
965 	struct a {
966 		long	fd;
967 		long	fname;		/* char	* */
968 		long	fmode;
969 		long	flag;
970 	} *uap = (struct a *)clwp->lwp_ap;
971 
972 	if (uap->fname == NULL)
973 		e = AUE_FCHMOD;
974 	else
975 		e = AUE_CHMOD;
976 
977 	return (e);
978 }
979 
980 /*ARGSUSED*/
981 static void
982 aus_fchmodat(struct t_audit_data *tad)
983 {
984 	klwp_t *clwp = ttolwp(curthread);
985 	uint32_t fmode;
986 	uint32_t fd;
987 	struct file  *fp;
988 	struct vnode *vp;
989 	struct f_audit_data *fad;
990 
991 	struct a {
992 		long	fd;
993 		long	fname;		/* char	* */
994 		long	fmode;
995 		long	flag;
996 	} *uap = (struct a *)clwp->lwp_ap;
997 
998 	fd = (uint32_t)uap->fd;
999 	fmode = (uint32_t)uap->fmode;
1000 
1001 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1002 
1003 	if (fd == AT_FDCWD || uap->fname != NULL)	/* same as chmod() */
1004 		return;
1005 
1006 	/*
1007 	 * convert file pointer to file descriptor
1008 	 *   Note: fd ref count incremented here.
1009 	 */
1010 	if ((fp = getf(fd)) == NULL)
1011 		return;
1012 
1013 	/* get path from file struct here */
1014 	fad = F2A(fp);
1015 	if (fad->fad_aupath != NULL) {
1016 		au_uwrite(au_to_path(fad->fad_aupath));
1017 	} else {
1018 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1019 	}
1020 
1021 	vp = fp->f_vnode;
1022 	audit_attributes(vp);
1023 
1024 	/* decrement file descriptor reference count */
1025 	releasef(fd);
1026 }
1027 
1028 /*
1029  * convert open mode to appropriate open event
1030  */
1031 au_event_t
1032 open_event(uint_t fm)
1033 {
1034 	au_event_t e;
1035 
1036 	switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1037 	case O_RDONLY:
1038 		e = AUE_OPEN_R;
1039 		break;
1040 	case O_RDONLY | O_CREAT:
1041 		e = AUE_OPEN_RC;
1042 		break;
1043 	case O_RDONLY | O_TRUNC:
1044 		e = AUE_OPEN_RT;
1045 		break;
1046 	case O_RDONLY | O_TRUNC | O_CREAT:
1047 		e = AUE_OPEN_RTC;
1048 		break;
1049 	case O_WRONLY:
1050 		e = AUE_OPEN_W;
1051 		break;
1052 	case O_WRONLY | O_CREAT:
1053 		e = AUE_OPEN_WC;
1054 		break;
1055 	case O_WRONLY | O_TRUNC:
1056 		e = AUE_OPEN_WT;
1057 		break;
1058 	case O_WRONLY | O_TRUNC | O_CREAT:
1059 		e = AUE_OPEN_WTC;
1060 		break;
1061 	case O_RDWR:
1062 		e = AUE_OPEN_RW;
1063 		break;
1064 	case O_RDWR | O_CREAT:
1065 		e = AUE_OPEN_RWC;
1066 		break;
1067 	case O_RDWR | O_TRUNC:
1068 		e = AUE_OPEN_RWT;
1069 		break;
1070 	case O_RDWR | O_TRUNC | O_CREAT:
1071 		e = AUE_OPEN_RWTC;
1072 		break;
1073 	case O_SEARCH:
1074 		e = AUE_OPEN_S;
1075 		break;
1076 	case O_EXEC:
1077 		e = AUE_OPEN_E;
1078 		break;
1079 	default:
1080 		e = AUE_NULL;
1081 		break;
1082 	}
1083 
1084 	return (e);
1085 }
1086 
1087 /* ARGSUSED */
1088 static au_event_t
1089 aui_open(au_event_t e)
1090 {
1091 	klwp_t *clwp = ttolwp(curthread);
1092 	uint_t fm;
1093 
1094 	struct a {
1095 		long	fnamep;		/* char	* */
1096 		long	fmode;
1097 		long	cmode;
1098 	} *uap = (struct a *)clwp->lwp_ap;
1099 
1100 	fm = (uint_t)uap->fmode;
1101 
1102 	return (open_event(fm));
1103 }
1104 
1105 static void
1106 aus_open(struct t_audit_data *tad)
1107 {
1108 	klwp_t *clwp = ttolwp(curthread);
1109 	uint_t fm;
1110 
1111 	struct a {
1112 		long	fnamep;		/* char	* */
1113 		long	fmode;
1114 		long	cmode;
1115 	} *uap = (struct a *)clwp->lwp_ap;
1116 
1117 	fm = (uint_t)uap->fmode;
1118 
1119 	/* If no write, create, or trunc modes, mark as a public op */
1120 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1121 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1122 }
1123 
1124 /* ARGSUSED */
1125 static au_event_t
1126 aui_openat(au_event_t e)
1127 {
1128 	t_audit_data_t *tad = T2A(curthread);
1129 	klwp_t *clwp = ttolwp(curthread);
1130 	uint_t fm;
1131 
1132 	struct a {
1133 		long	filedes;
1134 		long	fnamep;		/* char	* */
1135 		long	fmode;
1136 		long	cmode;
1137 	} *uap = (struct a *)clwp->lwp_ap;
1138 
1139 	fm = (uint_t)uap->fmode;
1140 
1141 	/*
1142 	 * __openattrdirat() does an extra pathname lookup in order to
1143 	 * enter the extended system attribute namespace of the referenced
1144 	 * extended attribute filename.
1145 	 */
1146 	if (fm & FXATTRDIROPEN)
1147 		tad->tad_ctrl |= TAD_MLD;
1148 
1149 	return (open_event(fm));
1150 }
1151 
1152 static void
1153 aus_openat(struct t_audit_data *tad)
1154 {
1155 	klwp_t *clwp = ttolwp(curthread);
1156 	uint_t fm;
1157 
1158 	struct a {
1159 		long	filedes;
1160 		long	fnamep;		/* char	* */
1161 		long	fmode;
1162 		long	cmode;
1163 	} *uap = (struct a *)clwp->lwp_ap;
1164 
1165 	fm = (uint_t)uap->fmode;
1166 
1167 	/* If no write, create, or trunc modes, mark as a public op */
1168 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1169 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1170 }
1171 
1172 static au_event_t
1173 aui_unlinkat(au_event_t e)
1174 {
1175 	klwp_t *clwp = ttolwp(curthread);
1176 
1177 	struct a {
1178 		long	filedes;
1179 		long	fnamep;		/* char	* */
1180 		long	flags;
1181 	} *uap = (struct a *)clwp->lwp_ap;
1182 
1183 	if (uap->flags & AT_REMOVEDIR)
1184 		e = AUE_RMDIR;
1185 	else
1186 		e = AUE_UNLINK;
1187 
1188 	return (e);
1189 }
1190 
1191 static au_event_t
1192 aui_fstatat(au_event_t e)
1193 {
1194 	klwp_t *clwp = ttolwp(curthread);
1195 
1196 	struct a {
1197 		long	filedes;
1198 		long	fnamep;		/* char	* */
1199 		long	statb;
1200 		long	flags;
1201 	} *uap = (struct a *)clwp->lwp_ap;
1202 
1203 	if (uap->fnamep == NULL)
1204 		e = AUE_FSTAT;
1205 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1206 		e = AUE_LSTAT;
1207 	else
1208 		e = AUE_STAT;
1209 
1210 	return (e);
1211 }
1212 
1213 /* msgsys */
1214 static au_event_t
1215 aui_msgsys(au_event_t e)
1216 {
1217 	klwp_t *clwp = ttolwp(curthread);
1218 	uint_t fm;
1219 
1220 	struct a {
1221 		long	id;	/* function code id */
1222 		long	ap;	/* arg pointer for recvmsg */
1223 	} *uap = (struct a *)clwp->lwp_ap;
1224 
1225 	struct b {
1226 		long	msgid;
1227 		long	cmd;
1228 		long	buf;	/* struct msqid_ds * */
1229 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1230 
1231 	fm  = (uint_t)uap->id;
1232 
1233 	switch (fm) {
1234 	case 0:		/* msgget */
1235 		e = AUE_MSGGET;
1236 		break;
1237 	case 1:		/* msgctl */
1238 		switch ((uint_t)uap1->cmd) {
1239 		case IPC_RMID:
1240 			e = AUE_MSGCTL_RMID;
1241 			break;
1242 		case IPC_SET:
1243 			e = AUE_MSGCTL_SET;
1244 			break;
1245 		case IPC_STAT:
1246 			e = AUE_MSGCTL_STAT;
1247 			break;
1248 		default:
1249 			e = AUE_MSGCTL;
1250 			break;
1251 		}
1252 		break;
1253 	case 2:		/* msgrcv */
1254 		e = AUE_MSGRCV;
1255 		break;
1256 	case 3:		/* msgsnd */
1257 		e = AUE_MSGSND;
1258 		break;
1259 	default:	/* illegal system call */
1260 		e = AUE_NULL;
1261 		break;
1262 	}
1263 
1264 	return (e);
1265 }
1266 
1267 
1268 /* shmsys */
1269 static au_event_t
1270 aui_shmsys(au_event_t e)
1271 {
1272 	klwp_t *clwp = ttolwp(curthread);
1273 	int fm;
1274 
1275 	struct a {		/* shmsys */
1276 		long	id;	/* function code id */
1277 	} *uap = (struct a *)clwp->lwp_ap;
1278 
1279 	struct b {		/* ctrl */
1280 		long	shmid;
1281 		long	cmd;
1282 		long	arg;		/* struct shmid_ds * */
1283 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1284 	fm  = (uint_t)uap->id;
1285 
1286 	switch (fm) {
1287 	case 0:		/* shmat */
1288 		e = AUE_SHMAT;
1289 		break;
1290 	case 1:		/* shmctl */
1291 		switch ((uint_t)uap1->cmd) {
1292 		case IPC_RMID:
1293 			e = AUE_SHMCTL_RMID;
1294 			break;
1295 		case IPC_SET:
1296 			e = AUE_SHMCTL_SET;
1297 			break;
1298 		case IPC_STAT:
1299 			e = AUE_SHMCTL_STAT;
1300 			break;
1301 		default:
1302 			e = AUE_SHMCTL;
1303 			break;
1304 		}
1305 		break;
1306 	case 2:		/* shmdt */
1307 		e = AUE_SHMDT;
1308 		break;
1309 	case 3:		/* shmget */
1310 		e = AUE_SHMGET;
1311 		break;
1312 	default:	/* illegal system call */
1313 		e = AUE_NULL;
1314 		break;
1315 	}
1316 
1317 	return (e);
1318 }
1319 
1320 
1321 /* semsys */
1322 static au_event_t
1323 aui_semsys(au_event_t e)
1324 {
1325 	klwp_t *clwp = ttolwp(curthread);
1326 	uint_t fm;
1327 
1328 	struct a {		/* semsys */
1329 		long	id;
1330 	} *uap = (struct a *)clwp->lwp_ap;
1331 
1332 	struct b {		/* ctrl */
1333 		long	semid;
1334 		long	semnum;
1335 		long	cmd;
1336 		long	arg;
1337 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1338 
1339 	fm = (uint_t)uap->id;
1340 
1341 	switch (fm) {
1342 	case 0:		/* semctl */
1343 		switch ((uint_t)uap1->cmd) {
1344 		case IPC_RMID:
1345 			e = AUE_SEMCTL_RMID;
1346 			break;
1347 		case IPC_SET:
1348 			e = AUE_SEMCTL_SET;
1349 			break;
1350 		case IPC_STAT:
1351 			e = AUE_SEMCTL_STAT;
1352 			break;
1353 		case GETNCNT:
1354 			e = AUE_SEMCTL_GETNCNT;
1355 			break;
1356 		case GETPID:
1357 			e = AUE_SEMCTL_GETPID;
1358 			break;
1359 		case GETVAL:
1360 			e = AUE_SEMCTL_GETVAL;
1361 			break;
1362 		case GETALL:
1363 			e = AUE_SEMCTL_GETALL;
1364 			break;
1365 		case GETZCNT:
1366 			e = AUE_SEMCTL_GETZCNT;
1367 			break;
1368 		case SETVAL:
1369 			e = AUE_SEMCTL_SETVAL;
1370 			break;
1371 		case SETALL:
1372 			e = AUE_SEMCTL_SETALL;
1373 			break;
1374 		default:
1375 			e = AUE_SEMCTL;
1376 			break;
1377 		}
1378 		break;
1379 	case 1:		/* semget */
1380 		e = AUE_SEMGET;
1381 		break;
1382 	case 2:		/* semop */
1383 		e = AUE_SEMOP;
1384 		break;
1385 	default:	/* illegal system call */
1386 		e = AUE_NULL;
1387 		break;
1388 	}
1389 
1390 	return (e);
1391 }
1392 
1393 /* utssys - uname(2), ustat(2), fusers(2) */
1394 static au_event_t
1395 aui_utssys(au_event_t e)
1396 {
1397 	klwp_t *clwp = ttolwp(curthread);
1398 	uint_t type;
1399 
1400 	struct a {
1401 		union {
1402 			long	cbuf;		/* char * */
1403 			long	ubuf;		/* struct stat * */
1404 		} ub;
1405 		union {
1406 			long	mv;	/* for USTAT */
1407 			long	flags;	/* for FUSERS */
1408 		} un;
1409 		long	type;
1410 		long	outbp;		/* char * for FUSERS */
1411 	} *uap = (struct a *)clwp->lwp_ap;
1412 
1413 	type = (uint_t)uap->type;
1414 
1415 	if (type == UTS_FUSERS)
1416 		return (e);
1417 	else
1418 		return ((au_event_t)AUE_NULL);
1419 }
1420 
1421 static au_event_t
1422 aui_fcntl(au_event_t e)
1423 {
1424 	klwp_t *clwp = ttolwp(curthread);
1425 	uint_t cmd;
1426 
1427 	struct a {
1428 		long	fdes;
1429 		long	cmd;
1430 		long	arg;
1431 	} *uap = (struct a *)clwp->lwp_ap;
1432 
1433 	cmd = (uint_t)uap->cmd;
1434 
1435 	switch (cmd) {
1436 	case F_GETLK:
1437 	case F_SETLK:
1438 	case F_SETLKW:
1439 		break;
1440 	case F_SETFL:
1441 	case F_GETFL:
1442 	case F_GETFD:
1443 		break;
1444 	default:
1445 		e = (au_event_t)AUE_NULL;
1446 		break;
1447 	}
1448 	return ((au_event_t)e);
1449 }
1450 
1451 /* null function for now */
1452 static au_event_t
1453 aui_execve(au_event_t e)
1454 {
1455 	return (e);
1456 }
1457 
1458 /*ARGSUSED*/
1459 static void
1460 aus_fcntl(struct t_audit_data *tad)
1461 {
1462 	klwp_t *clwp = ttolwp(curthread);
1463 	uint32_t cmd, fd, flags;
1464 	struct file  *fp;
1465 	struct vnode *vp;
1466 	struct f_audit_data *fad;
1467 
1468 	struct a {
1469 		long	fd;
1470 		long	cmd;
1471 		long	arg;
1472 	} *uap = (struct a *)clwp->lwp_ap;
1473 
1474 	cmd	= (uint32_t)uap->cmd;
1475 	fd	= (uint32_t)uap->fd;
1476 	flags	= (uint32_t)uap->arg;
1477 
1478 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1479 
1480 	if (cmd == F_SETFL)
1481 		au_uwrite(au_to_arg32(3, "flags", flags));
1482 
1483 		/*
1484 		 * convert file pointer to file descriptor
1485 		 *   Note: fd ref count incremented here.
1486 		 */
1487 	if ((fp = getf(fd)) == NULL)
1488 		return;
1489 
1490 	/* get path from file struct here */
1491 	fad = F2A(fp);
1492 	if (fad->fad_aupath != NULL) {
1493 		au_uwrite(au_to_path(fad->fad_aupath));
1494 	} else {
1495 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1496 	}
1497 
1498 	vp = fp->f_vnode;
1499 	audit_attributes(vp);
1500 
1501 	/* decrement file descriptor reference count */
1502 	releasef(fd);
1503 }
1504 
1505 /*ARGSUSED*/
1506 static void
1507 aus_kill(struct t_audit_data *tad)
1508 {
1509 	klwp_t *clwp = ttolwp(curthread);
1510 	struct proc *p;
1511 	uint32_t signo;
1512 	uid_t uid, ruid;
1513 	gid_t gid, rgid;
1514 	pid_t pid;
1515 	const auditinfo_addr_t *ainfo;
1516 	cred_t *cr;
1517 
1518 	struct a {
1519 		long	pid;
1520 		long	signo;
1521 	} *uap = (struct a *)clwp->lwp_ap;
1522 
1523 	pid   = (pid_t)uap->pid;
1524 	signo = (uint32_t)uap->signo;
1525 
1526 	au_uwrite(au_to_arg32(2, "signal", signo));
1527 	if (pid > 0) {
1528 		mutex_enter(&pidlock);
1529 		if (((p = prfind(pid)) == (struct proc *)0) ||
1530 		    (p->p_stat == SIDL)) {
1531 			mutex_exit(&pidlock);
1532 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1533 			return;
1534 		}
1535 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1536 		mutex_exit(&pidlock);
1537 
1538 		mutex_enter(&p->p_crlock);
1539 		crhold(cr = p->p_cred);
1540 		mutex_exit(&p->p_crlock);
1541 		mutex_exit(&p->p_lock);
1542 
1543 		ainfo = crgetauinfo(cr);
1544 		if (ainfo == NULL) {
1545 			crfree(cr);
1546 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1547 			return;
1548 		}
1549 
1550 		uid  = crgetuid(cr);
1551 		gid  = crgetgid(cr);
1552 		ruid = crgetruid(cr);
1553 		rgid = crgetrgid(cr);
1554 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1555 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1556 
1557 		if (is_system_labeled())
1558 			au_uwrite(au_to_label(CR_SL(cr)));
1559 
1560 		crfree(cr);
1561 	}
1562 	else
1563 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1564 }
1565 
1566 /*ARGSUSED*/
1567 static void
1568 aus_mkdir(struct t_audit_data *tad)
1569 {
1570 	klwp_t *clwp = ttolwp(curthread);
1571 	uint32_t dmode;
1572 
1573 	struct a {
1574 		long	dirnamep;		/* char * */
1575 		long	dmode;
1576 	} *uap = (struct a *)clwp->lwp_ap;
1577 
1578 	dmode = (uint32_t)uap->dmode;
1579 
1580 	au_uwrite(au_to_arg32(2, "mode", dmode));
1581 }
1582 
1583 /*ARGSUSED*/
1584 static void
1585 aus_mkdirat(struct t_audit_data *tad)
1586 {
1587 	klwp_t *clwp = ttolwp(curthread);
1588 	uint32_t dmode;
1589 
1590 	struct a {
1591 		long	fd;
1592 		long	dirnamep;		/* char * */
1593 		long	dmode;
1594 	} *uap = (struct a *)clwp->lwp_ap;
1595 
1596 	dmode = (uint32_t)uap->dmode;
1597 
1598 	au_uwrite(au_to_arg32(2, "mode", dmode));
1599 }
1600 
1601 /*ARGSUSED*/
1602 static void
1603 aus_mknod(struct t_audit_data *tad)
1604 {
1605 	klwp_t *clwp = ttolwp(curthread);
1606 	uint32_t fmode;
1607 	dev_t dev;
1608 
1609 	struct a {
1610 		long	pnamep;		/* char * */
1611 		long	fmode;
1612 		long	dev;
1613 	} *uap = (struct a *)clwp->lwp_ap;
1614 
1615 	fmode = (uint32_t)uap->fmode;
1616 	dev   = (dev_t)uap->dev;
1617 
1618 	au_uwrite(au_to_arg32(2, "mode", fmode));
1619 #ifdef _LP64
1620 	au_uwrite(au_to_arg64(3, "dev", dev));
1621 #else
1622 	au_uwrite(au_to_arg32(3, "dev", dev));
1623 #endif
1624 }
1625 
1626 /*ARGSUSED*/
1627 static void
1628 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1629 {
1630 	klwp_t *clwp = ttolwp(curthread);
1631 	vnode_t	*dvp;
1632 	caddr_t pnamep;
1633 
1634 	struct a {
1635 		long	pnamep;		/* char * */
1636 		long	fmode;
1637 		long	dev;
1638 	} *uap = (struct a *)clwp->lwp_ap;
1639 
1640 	/* no error, then already path token in audit record */
1641 	if (error != EPERM && error != EINVAL)
1642 		return;
1643 
1644 	/* do the lookup to force generation of path token */
1645 	pnamep = (caddr_t)uap->pnamep;
1646 	tad->tad_ctrl |= TAD_NOATTRB;
1647 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1648 	if (error == 0)
1649 		VN_RELE(dvp);
1650 }
1651 
1652 /*ARGSUSED*/
1653 static void
1654 aus_mknodat(struct t_audit_data *tad)
1655 {
1656 	klwp_t *clwp = ttolwp(curthread);
1657 	uint32_t fmode;
1658 	dev_t dev;
1659 
1660 	struct a {
1661 		long	fd;
1662 		long	pnamep;		/* char * */
1663 		long	fmode;
1664 		long	dev;
1665 	} *uap = (struct a *)clwp->lwp_ap;
1666 
1667 	fmode = (uint32_t)uap->fmode;
1668 	dev   = (dev_t)uap->dev;
1669 
1670 	au_uwrite(au_to_arg32(2, "mode", fmode));
1671 #ifdef _LP64
1672 	au_uwrite(au_to_arg64(3, "dev", dev));
1673 #else
1674 	au_uwrite(au_to_arg32(3, "dev", dev));
1675 #endif
1676 }
1677 
1678 /*ARGSUSED*/
1679 static void
1680 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1681 {
1682 	klwp_t *clwp = ttolwp(curthread);
1683 	vnode_t	*startvp;
1684 	vnode_t	*dvp;
1685 	caddr_t pnamep;
1686 	int fd;
1687 
1688 	struct a {
1689 		long	fd;
1690 		long	pnamep;		/* char * */
1691 		long	fmode;
1692 		long	dev;
1693 	} *uap = (struct a *)clwp->lwp_ap;
1694 
1695 	/* no error, then already path token in audit record */
1696 	if (error != EPERM && error != EINVAL)
1697 		return;
1698 
1699 	/* do the lookup to force generation of path token */
1700 	fd = (int)uap->fd;
1701 	pnamep = (caddr_t)uap->pnamep;
1702 	if (pnamep == NULL ||
1703 	    fgetstartvp(fd, pnamep, &startvp) != 0)
1704 		return;
1705 	tad->tad_ctrl |= TAD_NOATTRB;
1706 	error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1707 	    startvp);
1708 	if (error == 0)
1709 		VN_RELE(dvp);
1710 	if (startvp != NULL)
1711 		VN_RELE(startvp);
1712 }
1713 
1714 /*ARGSUSED*/
1715 static void
1716 aus_mount(struct t_audit_data *tad)
1717 {	/* AUS_START */
1718 	klwp_t *clwp = ttolwp(curthread);
1719 	uint32_t flags;
1720 	uintptr_t u_fstype, dataptr;
1721 	STRUCT_DECL(nfs_args, nfsargs);
1722 	size_t len;
1723 	char *fstype, *hostname;
1724 
1725 	struct a {
1726 		long	spec;		/* char    * */
1727 		long	dir;		/* char    * */
1728 		long	flags;
1729 		long	fstype;		/* char    * */
1730 		long	dataptr;	/* char    * */
1731 		long	datalen;
1732 	} *uap = (struct a *)clwp->lwp_ap;
1733 
1734 	u_fstype = (uintptr_t)uap->fstype;
1735 	flags    = (uint32_t)uap->flags;
1736 	dataptr  = (uintptr_t)uap->dataptr;
1737 
1738 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1739 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1740 		goto mount_free_fstype;
1741 
1742 	au_uwrite(au_to_arg32(3, "flags", flags));
1743 	au_uwrite(au_to_text(fstype));
1744 
1745 	if (strncmp(fstype, "nfs", 3) == 0) {
1746 
1747 		STRUCT_INIT(nfsargs, get_udatamodel());
1748 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1749 
1750 		if (copyin((caddr_t)dataptr,
1751 				STRUCT_BUF(nfsargs),
1752 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1753 			/* DEBUG debug_enter((char *)NULL); */
1754 			goto mount_free_fstype;
1755 		}
1756 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1757 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1758 				(caddr_t)hostname,
1759 				MAXNAMELEN, &len)) {
1760 			goto mount_free_hostname;
1761 		}
1762 		au_uwrite(au_to_text(hostname));
1763 		au_uwrite(au_to_arg32(3, "internal flags",
1764 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1765 
1766 mount_free_hostname:
1767 		kmem_free(hostname, MAXNAMELEN);
1768 	}
1769 
1770 mount_free_fstype:
1771 	kmem_free(fstype, MAXNAMELEN);
1772 }	/* AUS_MOUNT */
1773 
1774 static void
1775 aus_umount_path(caddr_t umount_dir)
1776 {
1777 	char			*dir_path;
1778 	struct audit_path	*path;
1779 	size_t			path_len, dir_len;
1780 
1781 	/* length alloc'd for two string pointers */
1782 	path_len = sizeof (struct audit_path) + sizeof (char *);
1783 	path = kmem_alloc(path_len, KM_SLEEP);
1784 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1785 
1786 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1787 	    MAXPATHLEN, &dir_len))
1788 		goto umount2_free_dir;
1789 
1790 	/*
1791 	 * the audit_path struct assumes that the buffer pointed to
1792 	 * by audp_sect[n] contains string 0 immediatedly followed
1793 	 * by string 1.
1794 	 */
1795 	path->audp_sect[0] = dir_path;
1796 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1797 	path->audp_size = path_len;
1798 	path->audp_ref = 1;		/* not used */
1799 	path->audp_cnt = 1;		/* one path string */
1800 
1801 	au_uwrite(au_to_path(path));
1802 
1803 umount2_free_dir:
1804 	kmem_free(dir_path, MAXPATHLEN);
1805 	kmem_free(path, path_len);
1806 }
1807 
1808 /*ARGSUSED*/
1809 static void
1810 aus_umount2(struct t_audit_data *tad)
1811 {
1812 	klwp_t			*clwp = ttolwp(curthread);
1813 	struct a {
1814 		long	dir;		/* char    * */
1815 		long	flags;
1816 	} *uap = (struct a *)clwp->lwp_ap;
1817 
1818 	aus_umount_path((caddr_t)uap->dir);
1819 
1820 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1821 }
1822 
1823 static void
1824 aus_msgsys(struct t_audit_data *tad)
1825 {
1826 	klwp_t *clwp = ttolwp(curthread);
1827 	uint32_t msgid;
1828 
1829 	struct b {
1830 		long	msgid;
1831 		long	cmd;
1832 		long	buf;		/* struct msqid_ds * */
1833 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1834 
1835 	msgid = (uint32_t)uap1->msgid;
1836 
1837 
1838 	switch (tad->tad_event) {
1839 	case AUE_MSGGET:		/* msgget */
1840 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1841 		break;
1842 	case AUE_MSGCTL:		/* msgctl */
1843 	case AUE_MSGCTL_RMID:		/* msgctl */
1844 	case AUE_MSGCTL_SET:		/* msgctl */
1845 	case AUE_MSGCTL_STAT:		/* msgctl */
1846 	case AUE_MSGRCV:		/* msgrcv */
1847 	case AUE_MSGSND:		/* msgsnd */
1848 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1849 		break;
1850 	}
1851 }
1852 
1853 /*ARGSUSED*/
1854 static void
1855 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1856 {
1857 	int id;
1858 
1859 	if (error != 0)
1860 		return;
1861 	if (tad->tad_event == AUE_MSGGET) {
1862 		uint32_t scid;
1863 		uint32_t sy_flags;
1864 
1865 		/* need to determine type of executing binary */
1866 		scid = tad->tad_scid;
1867 #ifdef _SYSCALL32_IMPL
1868 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1869 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1870 		else
1871 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1872 #else
1873 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1874 #endif
1875 		if (sy_flags == SE_32RVAL1)
1876 			id = rval->r_val1;
1877 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1878 			id = rval->r_val1;
1879 		if (sy_flags == SE_64RVAL)
1880 			id = (int)rval->r_vals;
1881 
1882 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1883 	}
1884 }
1885 
1886 static void
1887 aus_semsys(struct t_audit_data *tad)
1888 {
1889 	klwp_t *clwp = ttolwp(curthread);
1890 	uint32_t semid;
1891 
1892 	struct b {		/* ctrl */
1893 		long	semid;
1894 		long	semnum;
1895 		long	cmd;
1896 		long	arg;
1897 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1898 
1899 	semid = (uint32_t)uap1->semid;
1900 
1901 	switch (tad->tad_event) {
1902 	case AUE_SEMCTL_RMID:
1903 	case AUE_SEMCTL_STAT:
1904 	case AUE_SEMCTL_GETNCNT:
1905 	case AUE_SEMCTL_GETPID:
1906 	case AUE_SEMCTL_GETVAL:
1907 	case AUE_SEMCTL_GETALL:
1908 	case AUE_SEMCTL_GETZCNT:
1909 	case AUE_SEMCTL_SET:
1910 	case AUE_SEMCTL_SETVAL:
1911 	case AUE_SEMCTL_SETALL:
1912 	case AUE_SEMCTL:
1913 	case AUE_SEMOP:
1914 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1915 		break;
1916 	case AUE_SEMGET:
1917 		au_uwrite(au_to_arg32(1, "sem key", semid));
1918 		break;
1919 	}
1920 }
1921 
1922 /*ARGSUSED*/
1923 static void
1924 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1925 {
1926 	int id;
1927 
1928 	if (error != 0)
1929 		return;
1930 	if (tad->tad_event == AUE_SEMGET) {
1931 		uint32_t scid;
1932 		uint32_t sy_flags;
1933 
1934 		/* need to determine type of executing binary */
1935 		scid = tad->tad_scid;
1936 #ifdef _SYSCALL32_IMPL
1937 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1938 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1939 		else
1940 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1941 #else
1942 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1943 #endif
1944 		if (sy_flags == SE_32RVAL1)
1945 			id = rval->r_val1;
1946 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1947 			id = rval->r_val1;
1948 		if (sy_flags == SE_64RVAL)
1949 			id = (int)rval->r_vals;
1950 
1951 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1952 	}
1953 }
1954 
1955 /*ARGSUSED*/
1956 static void
1957 aus_close(struct t_audit_data *tad)
1958 {
1959 	klwp_t *clwp = ttolwp(curthread);
1960 	uint32_t fd;
1961 	struct file *fp;
1962 	struct f_audit_data *fad;
1963 	struct vnode *vp;
1964 	struct vattr attr;
1965 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1966 
1967 	struct a {
1968 		long	i;
1969 	} *uap = (struct a *)clwp->lwp_ap;
1970 
1971 	fd = (uint32_t)uap->i;
1972 
1973 	attr.va_mask = 0;
1974 	au_uwrite(au_to_arg32(1, "fd", fd));
1975 
1976 		/*
1977 		 * convert file pointer to file descriptor
1978 		 *   Note: fd ref count incremented here.
1979 		 */
1980 	if ((fp = getf(fd)) == NULL)
1981 		return;
1982 
1983 	fad = F2A(fp);
1984 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1985 	if (fad->fad_aupath != NULL) {
1986 		au_uwrite(au_to_path(fad->fad_aupath));
1987 		if ((vp = fp->f_vnode) != NULL) {
1988 			attr.va_mask = AT_ALL;
1989 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1990 				/*
1991 				 * When write was not used and the file can be
1992 				 * considered public, skip the audit.
1993 				 */
1994 				if (((fp->f_flag & FWRITE) == 0) &&
1995 				    object_is_public(&attr)) {
1996 					tad->tad_flag = 0;
1997 					tad->tad_evmod = 0;
1998 					/* free any residual audit data */
1999 					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
2000 					releasef(fd);
2001 					return;
2002 				}
2003 				au_uwrite(au_to_attr(&attr));
2004 				audit_sec_attributes(&(u_ad), vp);
2005 			}
2006 		}
2007 	}
2008 
2009 	/* decrement file descriptor reference count */
2010 	releasef(fd);
2011 }
2012 
2013 /*ARGSUSED*/
2014 static void
2015 aus_fstatfs(struct t_audit_data *tad)
2016 {
2017 	klwp_t *clwp = ttolwp(curthread);
2018 	uint32_t fd;
2019 	struct file  *fp;
2020 	struct vnode *vp;
2021 	struct f_audit_data *fad;
2022 
2023 	struct a {
2024 		long	fd;
2025 		long	buf;		/* struct statfs * */
2026 	} *uap = (struct a *)clwp->lwp_ap;
2027 
2028 	fd = (uint_t)uap->fd;
2029 
2030 		/*
2031 		 * convert file pointer to file descriptor
2032 		 *   Note: fd ref count incremented here.
2033 		 */
2034 	if ((fp = getf(fd)) == NULL)
2035 		return;
2036 
2037 		/* get path from file struct here */
2038 	fad = F2A(fp);
2039 	if (fad->fad_aupath != NULL) {
2040 		au_uwrite(au_to_path(fad->fad_aupath));
2041 	} else {
2042 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2043 	}
2044 
2045 	vp = fp->f_vnode;
2046 	audit_attributes(vp);
2047 
2048 	/* decrement file descriptor reference count */
2049 	releasef(fd);
2050 }
2051 
2052 static au_event_t
2053 aui_setpgrp(au_event_t e)
2054 {
2055 	klwp_t *clwp = ttolwp(curthread);
2056 	int flag;
2057 
2058 	struct a {
2059 		long	flag;
2060 		long	pid;
2061 		long	pgid;
2062 	} *uap = (struct a *)clwp->lwp_ap;
2063 
2064 	flag = (int)uap->flag;
2065 
2066 
2067 	switch (flag) {
2068 
2069 	case 1:	/* setpgrp() */
2070 		e = AUE_SETPGRP;
2071 		break;
2072 
2073 	case 3: /* setsid() */
2074 		e = AUE_SETSID;
2075 		break;
2076 
2077 	case 5: /* setpgid() */
2078 		e = AUE_SETPGID;
2079 		break;
2080 
2081 	case 0: /* getpgrp()	- not security relevant */
2082 	case 2: /* getsid()	- not security relevant */
2083 	case 4: /* getpgid() 	- not security relevant */
2084 		e = AUE_NULL;
2085 		break;
2086 
2087 	default:
2088 		e = AUE_NULL;
2089 		break;
2090 	}
2091 
2092 	return (e);
2093 }
2094 
2095 /*ARGSUSED*/
2096 static void
2097 aus_setpgrp(struct t_audit_data *tad)
2098 {
2099 	klwp_t		*clwp = ttolwp(curthread);
2100 	pid_t		pgid;
2101 	struct proc	*p;
2102 	uid_t		uid, ruid;
2103 	gid_t		gid, rgid;
2104 	pid_t		pid;
2105 	cred_t		*cr;
2106 	int		flag;
2107 	const auditinfo_addr_t	*ainfo;
2108 
2109 	struct a {
2110 		long	flag;
2111 		long	pid;
2112 		long	pgid;
2113 	} *uap = (struct a *)clwp->lwp_ap;
2114 
2115 	flag = (int)uap->flag;
2116 	pid  = (pid_t)uap->pid;
2117 	pgid = (pid_t)uap->pgid;
2118 
2119 
2120 	switch (flag) {
2121 
2122 	case 0: /* getpgrp() */
2123 	case 1: /* setpgrp() */
2124 	case 2: /* getsid() */
2125 	case 3: /* setsid() */
2126 	case 4: /* getpgid() */
2127 		break;
2128 
2129 	case 5: /* setpgid() */
2130 
2131 		/* current process? */
2132 		if (pid == 0) {
2133 			return;
2134 		}
2135 
2136 		mutex_enter(&pidlock);
2137 		p = prfind(pid);
2138 		if (p == NULL || p->p_as == &kas ||
2139 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
2140 			mutex_exit(&pidlock);
2141 			return;
2142 		}
2143 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
2144 		mutex_exit(&pidlock);
2145 
2146 		mutex_enter(&p->p_crlock);
2147 		crhold(cr = p->p_cred);
2148 		mutex_exit(&p->p_crlock);
2149 		mutex_exit(&p->p_lock);
2150 
2151 		ainfo = crgetauinfo(cr);
2152 		if (ainfo == NULL) {
2153 			crfree(cr);
2154 			return;
2155 		}
2156 
2157 		uid  = crgetuid(cr);
2158 		gid  = crgetgid(cr);
2159 		ruid = crgetruid(cr);
2160 		rgid = crgetrgid(cr);
2161 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2162 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2163 		crfree(cr);
2164 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2165 		break;
2166 
2167 	default:
2168 		break;
2169 	}
2170 }
2171 
2172 
2173 /*ARGSUSED*/
2174 static void
2175 aus_setregid(struct t_audit_data *tad)
2176 {
2177 	klwp_t *clwp = ttolwp(curthread);
2178 	uint32_t rgid, egid;
2179 
2180 	struct a {
2181 		long	 rgid;
2182 		long	 egid;
2183 	} *uap = (struct a *)clwp->lwp_ap;
2184 
2185 	rgid  = (uint32_t)uap->rgid;
2186 	egid  = (uint32_t)uap->egid;
2187 
2188 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2189 	au_uwrite(au_to_arg32(2, "egid", egid));
2190 }
2191 
2192 /*ARGSUSED*/
2193 static void
2194 aus_setgid(struct t_audit_data *tad)
2195 {
2196 	klwp_t *clwp = ttolwp(curthread);
2197 	uint32_t gid;
2198 
2199 	struct a {
2200 		long	gid;
2201 	} *uap = (struct a *)clwp->lwp_ap;
2202 
2203 	gid = (uint32_t)uap->gid;
2204 
2205 	au_uwrite(au_to_arg32(1, "gid", gid));
2206 }
2207 
2208 
2209 /*ARGSUSED*/
2210 static void
2211 aus_setreuid(struct t_audit_data *tad)
2212 {
2213 	klwp_t *clwp = ttolwp(curthread);
2214 	uint32_t ruid, euid;
2215 
2216 	struct a {
2217 		long	ruid;
2218 		long	euid;
2219 	} *uap = (struct a *)clwp->lwp_ap;
2220 
2221 	ruid = (uint32_t)uap->ruid;
2222 	euid  = (uint32_t)uap->euid;
2223 
2224 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2225 	au_uwrite(au_to_arg32(2, "euid", euid));
2226 }
2227 
2228 
2229 /*ARGSUSED*/
2230 static void
2231 aus_setuid(struct t_audit_data *tad)
2232 {
2233 	klwp_t *clwp = ttolwp(curthread);
2234 	uint32_t uid;
2235 
2236 	struct a {
2237 		long	uid;
2238 	} *uap = (struct a *)clwp->lwp_ap;
2239 
2240 	uid = (uint32_t)uap->uid;
2241 
2242 	au_uwrite(au_to_arg32(1, "uid", uid));
2243 }
2244 
2245 /*ARGSUSED*/
2246 static void
2247 aus_shmsys(struct t_audit_data *tad)
2248 {
2249 	klwp_t *clwp = ttolwp(curthread);
2250 	uint32_t id, cmd;
2251 
2252 	struct b {
2253 		long	id;
2254 		long	cmd;
2255 		long	buf;		/* struct shmid_ds * */
2256 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2257 
2258 	id  = (uint32_t)uap1->id;
2259 	cmd = (uint32_t)uap1->cmd;
2260 
2261 	switch (tad->tad_event) {
2262 	case AUE_SHMGET:			/* shmget */
2263 		au_uwrite(au_to_arg32(1, "shm key", id));
2264 		break;
2265 	case AUE_SHMCTL:			/* shmctl */
2266 	case AUE_SHMCTL_RMID:			/* shmctl */
2267 	case AUE_SHMCTL_STAT:			/* shmctl */
2268 	case AUE_SHMCTL_SET:			/* shmctl */
2269 		au_uwrite(au_to_arg32(1, "shm ID", id));
2270 		break;
2271 	case AUE_SHMDT:				/* shmdt */
2272 		au_uwrite(au_to_arg32(1, "shm adr", id));
2273 		break;
2274 	case AUE_SHMAT:				/* shmat */
2275 		au_uwrite(au_to_arg32(1, "shm ID", id));
2276 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2277 		break;
2278 	}
2279 }
2280 
2281 /*ARGSUSED*/
2282 static void
2283 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2284 {
2285 	int id;
2286 
2287 	if (error != 0)
2288 		return;
2289 	if (tad->tad_event == AUE_SHMGET) {
2290 		uint32_t scid;
2291 		uint32_t sy_flags;
2292 
2293 		/* need to determine type of executing binary */
2294 		scid = tad->tad_scid;
2295 #ifdef _SYSCALL32_IMPL
2296 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2297 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2298 		else
2299 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2300 #else
2301 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2302 #endif
2303 		if (sy_flags == SE_32RVAL1)
2304 			id = rval->r_val1;
2305 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2306 			id = rval->r_val1;
2307 		if (sy_flags == SE_64RVAL)
2308 			id = (int)rval->r_vals;
2309 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2310 	}
2311 }
2312 
2313 
2314 /*ARGSUSED*/
2315 static void
2316 aus_ioctl(struct t_audit_data *tad)
2317 {
2318 	klwp_t *clwp = ttolwp(curthread);
2319 	struct file *fp;
2320 	struct vnode *vp;
2321 	struct f_audit_data *fad;
2322 	uint32_t fd, cmd;
2323 	uintptr_t cmarg;
2324 
2325 	/* XX64 */
2326 	struct a {
2327 		long	fd;
2328 		long	cmd;
2329 		long	cmarg;		/* caddr_t */
2330 	} *uap = (struct a *)clwp->lwp_ap;
2331 
2332 	fd    = (uint32_t)uap->fd;
2333 	cmd   = (uint32_t)uap->cmd;
2334 	cmarg = (uintptr_t)uap->cmarg;
2335 
2336 		/*
2337 		 * convert file pointer to file descriptor
2338 		 *   Note: fd ref count incremented here.
2339 		 */
2340 	if ((fp = getf(fd)) == NULL) {
2341 		au_uwrite(au_to_arg32(1, "fd", fd));
2342 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2343 #ifndef _LP64
2344 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2345 #else
2346 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2347 #endif
2348 		return;
2349 	}
2350 
2351 	/* get path from file struct here */
2352 	fad = F2A(fp);
2353 	if (fad->fad_aupath != NULL) {
2354 		au_uwrite(au_to_path(fad->fad_aupath));
2355 	} else {
2356 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2357 	}
2358 
2359 	vp = fp->f_vnode;
2360 	audit_attributes(vp);
2361 
2362 	/* decrement file descriptor reference count */
2363 	releasef(fd);
2364 
2365 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2366 #ifndef _LP64
2367 	au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2368 #else
2369 	au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2370 #endif
2371 }
2372 
2373 /*
2374  * null function for memcntl for now. We might want to limit memcntl()
2375  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2376  * require privileges.
2377  */
2378 static au_event_t
2379 aui_memcntl(au_event_t e)
2380 {
2381 	return (e);
2382 }
2383 
2384 /*ARGSUSED*/
2385 static au_event_t
2386 aui_privsys(au_event_t e)
2387 {
2388 	klwp_t *clwp = ttolwp(curthread);
2389 
2390 	struct a {
2391 		long	opcode;
2392 	} *uap = (struct a *)clwp->lwp_ap;
2393 
2394 	switch (uap->opcode) {
2395 	case PRIVSYS_SETPPRIV:
2396 		return (AUE_SETPPRIV);
2397 	default:
2398 		return (AUE_NULL);
2399 	}
2400 }
2401 
2402 /*ARGSUSED*/
2403 static void
2404 aus_memcntl(struct t_audit_data *tad)
2405 {
2406 	klwp_t *clwp = ttolwp(curthread);
2407 
2408 	struct a {
2409 		long	addr;
2410 		long	len;
2411 		long	cmd;
2412 		long	arg;
2413 		long	attr;
2414 		long	mask;
2415 	} *uap = (struct a *)clwp->lwp_ap;
2416 
2417 #ifdef _LP64
2418 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2419 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2420 #else
2421 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2422 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2423 #endif
2424 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2425 #ifdef _LP64
2426 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2427 #else
2428 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2429 #endif
2430 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2431 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2432 }
2433 
2434 /*ARGSUSED*/
2435 static void
2436 aus_mmap(struct t_audit_data *tad)
2437 {
2438 	klwp_t *clwp = ttolwp(curthread);
2439 	struct file *fp;
2440 	struct f_audit_data *fad;
2441 	struct vnode *vp;
2442 	uint32_t fd;
2443 
2444 	struct a {
2445 		long	addr;
2446 		long	len;
2447 		long	prot;
2448 		long	flags;
2449 		long	fd;
2450 		long	pos;
2451 	} *uap = (struct a *)clwp->lwp_ap;
2452 
2453 	fd = (uint32_t)uap->fd;
2454 
2455 #ifdef _LP64
2456 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2457 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2458 #else
2459 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2460 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2461 #endif
2462 
2463 	if ((fp = getf(fd)) == NULL) {
2464 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2465 		return;
2466 	}
2467 
2468 	/*
2469 	 * Mark in the tad if write access is NOT requested... if
2470 	 * this is later detected (in audit_attributes) to be a
2471 	 * public object, the mmap event may be discarded.
2472 	 */
2473 	if (((uap->prot) & PROT_WRITE) == 0) {
2474 		tad->tad_ctrl |= TAD_PUBLIC_EV;
2475 	}
2476 
2477 	fad = F2A(fp);
2478 	if (fad->fad_aupath != NULL) {
2479 		au_uwrite(au_to_path(fad->fad_aupath));
2480 	} else {
2481 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2482 	}
2483 
2484 	vp = (struct vnode *)fp->f_vnode;
2485 	audit_attributes(vp);
2486 
2487 	/* mark READ/WRITE since we can't predict access */
2488 	if (uap->prot & PROT_READ)
2489 		fad->fad_flags |= FAD_READ;
2490 	if (uap->prot & PROT_WRITE)
2491 		fad->fad_flags |= FAD_WRITE;
2492 
2493 	/* decrement file descriptor reference count */
2494 	releasef(fd);
2495 
2496 }	/* AUS_MMAP */
2497 
2498 
2499 
2500 
2501 /*ARGSUSED*/
2502 static void
2503 aus_munmap(struct t_audit_data *tad)
2504 {
2505 	klwp_t *clwp = ttolwp(curthread);
2506 
2507 	struct a {
2508 		long	addr;
2509 		long	len;
2510 	} *uap = (struct a *)clwp->lwp_ap;
2511 
2512 #ifdef _LP64
2513 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2514 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2515 #else
2516 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2517 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2518 #endif
2519 
2520 }	/* AUS_MUNMAP */
2521 
2522 
2523 
2524 
2525 
2526 
2527 
2528 /*ARGSUSED*/
2529 static void
2530 aus_priocntlsys(struct t_audit_data *tad)
2531 {
2532 	klwp_t *clwp = ttolwp(curthread);
2533 
2534 	struct a {
2535 		long	pc_version;
2536 		long	psp;		/* procset_t */
2537 		long	cmd;
2538 		long	arg;
2539 	} *uap = (struct a *)clwp->lwp_ap;
2540 
2541 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2542 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2543 
2544 }	/* AUS_PRIOCNTLSYS */
2545 
2546 
2547 /*ARGSUSED*/
2548 static void
2549 aus_setegid(struct t_audit_data *tad)
2550 {
2551 	klwp_t *clwp = ttolwp(curthread);
2552 	uint32_t gid;
2553 
2554 	struct a {
2555 		long	gid;
2556 	} *uap = (struct a *)clwp->lwp_ap;
2557 
2558 	gid = (uint32_t)uap->gid;
2559 
2560 	au_uwrite(au_to_arg32(1, "gid", gid));
2561 }	/* AUS_SETEGID */
2562 
2563 
2564 
2565 
2566 /*ARGSUSED*/
2567 static void
2568 aus_setgroups(struct t_audit_data *tad)
2569 {
2570 	klwp_t *clwp = ttolwp(curthread);
2571 	int i;
2572 	int gidsetsize;
2573 	uintptr_t gidset;
2574 	gid_t *gidlist;
2575 
2576 	struct a {
2577 		long	gidsetsize;
2578 		long	gidset;
2579 	} *uap = (struct a *)clwp->lwp_ap;
2580 
2581 	gidsetsize = (uint_t)uap->gidsetsize;
2582 	gidset = (uintptr_t)uap->gidset;
2583 
2584 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2585 		return;
2586 	if (gidsetsize != 0) {
2587 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2588 		    KM_SLEEP);
2589 		if (copyin((caddr_t)gidset, gidlist,
2590 		    gidsetsize * sizeof (gid_t)) == 0)
2591 			for (i = 0; i < gidsetsize; i++)
2592 				au_uwrite(au_to_arg32(1, "setgroups",
2593 				    (uint32_t)gidlist[i]));
2594 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2595 	} else
2596 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2597 
2598 }	/* AUS_SETGROUPS */
2599 
2600 
2601 
2602 
2603 
2604 /*ARGSUSED*/
2605 static void
2606 aus_seteuid(struct t_audit_data *tad)
2607 {
2608 	klwp_t *clwp = ttolwp(curthread);
2609 	uint32_t uid;
2610 
2611 	struct a {
2612 		long	uid;
2613 	} *uap = (struct a *)clwp->lwp_ap;
2614 
2615 	uid = (uint32_t)uap->uid;
2616 
2617 	au_uwrite(au_to_arg32(1, "euid", uid));
2618 
2619 }	/* AUS_SETEUID */
2620 
2621 /*ARGSUSED*/
2622 static void
2623 aus_putmsg(struct t_audit_data *tad)
2624 {
2625 	klwp_t *clwp = ttolwp(curthread);
2626 	uint32_t fd, pri;
2627 	struct file *fp;
2628 	struct f_audit_data *fad;
2629 
2630 	struct a {
2631 		long	fdes;
2632 		long	ctl;		/* struct strbuf * */
2633 		long	data;		/* struct strbuf * */
2634 		long	pri;
2635 	} *uap = (struct a *)clwp->lwp_ap;
2636 
2637 	fd  = (uint32_t)uap->fdes;
2638 	pri = (uint32_t)uap->pri;
2639 
2640 	au_uwrite(au_to_arg32(1, "fd", fd));
2641 
2642 	if ((fp = getf(fd)) != NULL) {
2643 		fad = F2A(fp);
2644 
2645 		fad->fad_flags |= FAD_WRITE;
2646 
2647 		/* add path name to audit record */
2648 		if (fad->fad_aupath != NULL) {
2649 			au_uwrite(au_to_path(fad->fad_aupath));
2650 		}
2651 		audit_attributes(fp->f_vnode);
2652 
2653 		releasef(fd);
2654 	}
2655 
2656 	au_uwrite(au_to_arg32(4, "pri", pri));
2657 }
2658 
2659 /*ARGSUSED*/
2660 static void
2661 aus_putpmsg(struct t_audit_data *tad)
2662 {
2663 	klwp_t *clwp = ttolwp(curthread);
2664 	uint32_t fd, pri, flags;
2665 	struct file *fp;
2666 	struct f_audit_data *fad;
2667 
2668 	struct a {
2669 		long	fdes;
2670 		long	ctl;		/* struct strbuf * */
2671 		long	data;		/* struct strbuf * */
2672 		long	pri;
2673 		long	flags;
2674 	} *uap = (struct a *)clwp->lwp_ap;
2675 
2676 	fd = (uint32_t)uap->fdes;
2677 	pri  = (uint32_t)uap->pri;
2678 	flags  = (uint32_t)uap->flags;
2679 
2680 	au_uwrite(au_to_arg32(1, "fd", fd));
2681 
2682 	if ((fp = getf(fd)) != NULL) {
2683 		fad = F2A(fp);
2684 
2685 		fad->fad_flags |= FAD_WRITE;
2686 
2687 		/* add path name to audit record */
2688 		if (fad->fad_aupath != NULL) {
2689 			au_uwrite(au_to_path(fad->fad_aupath));
2690 		}
2691 		audit_attributes(fp->f_vnode);
2692 
2693 		releasef(fd);
2694 	}
2695 
2696 
2697 	au_uwrite(au_to_arg32(4, "pri", pri));
2698 	au_uwrite(au_to_arg32(5, "flags", flags));
2699 }
2700 
2701 /*ARGSUSED*/
2702 static void
2703 aus_getmsg(struct t_audit_data *tad)
2704 {
2705 	klwp_t *clwp = ttolwp(curthread);
2706 	uint32_t fd, pri;
2707 	struct file *fp;
2708 	struct f_audit_data *fad;
2709 
2710 	struct a {
2711 		long	fdes;
2712 		long	ctl;		/* struct strbuf * */
2713 		long	data;		/* struct strbuf * */
2714 		long	pri;
2715 	} *uap = (struct a *)clwp->lwp_ap;
2716 
2717 	fd  = (uint32_t)uap->fdes;
2718 	pri = (uint32_t)uap->pri;
2719 
2720 	au_uwrite(au_to_arg32(1, "fd", fd));
2721 
2722 	if ((fp = getf(fd)) != NULL) {
2723 		fad = F2A(fp);
2724 
2725 		/*
2726 		 * read operation on this object
2727 		 */
2728 		fad->fad_flags |= FAD_READ;
2729 
2730 		/* add path name to audit record */
2731 		if (fad->fad_aupath != NULL) {
2732 			au_uwrite(au_to_path(fad->fad_aupath));
2733 		}
2734 		audit_attributes(fp->f_vnode);
2735 
2736 		releasef(fd);
2737 	}
2738 
2739 	au_uwrite(au_to_arg32(4, "pri", pri));
2740 }
2741 
2742 /*ARGSUSED*/
2743 static void
2744 aus_getpmsg(struct t_audit_data *tad)
2745 {
2746 	klwp_t *clwp = ttolwp(curthread);
2747 	uint32_t fd;
2748 	struct file *fp;
2749 	struct f_audit_data *fad;
2750 
2751 	struct a {
2752 		long	fdes;
2753 		long	ctl;		/* struct strbuf * */
2754 		long	data;		/* struct strbuf * */
2755 		long	pri;
2756 		long	flags;
2757 	} *uap = (struct a *)clwp->lwp_ap;
2758 
2759 	fd = (uint32_t)uap->fdes;
2760 
2761 	au_uwrite(au_to_arg32(1, "fd", fd));
2762 
2763 	if ((fp = getf(fd)) != NULL) {
2764 		fad = F2A(fp);
2765 
2766 		/*
2767 		 * read operation on this object
2768 		 */
2769 		fad->fad_flags |= FAD_READ;
2770 
2771 		/* add path name to audit record */
2772 		if (fad->fad_aupath != NULL) {
2773 			au_uwrite(au_to_path(fad->fad_aupath));
2774 		}
2775 		audit_attributes(fp->f_vnode);
2776 
2777 		releasef(fd);
2778 	}
2779 }
2780 
2781 static au_event_t
2782 aui_labelsys(au_event_t e)
2783 {
2784 	klwp_t *clwp = ttolwp(curthread);
2785 	uint32_t code;
2786 	uint32_t cmd;
2787 
2788 	struct a {
2789 		long	code;
2790 		long	cmd;
2791 	} *uap = (struct a *)clwp->lwp_ap;
2792 
2793 	code = (uint32_t)uap->code;
2794 	cmd = (uint32_t)uap->cmd;
2795 
2796 	/* not security relevant if not changing kernel cache */
2797 	if (cmd == TNDB_GET)
2798 		return (AUE_NULL);
2799 
2800 	switch (code) {
2801 	case TSOL_TNRH:
2802 		e = AUE_LABELSYS_TNRH;
2803 		break;
2804 	case TSOL_TNRHTP:
2805 		e = AUE_LABELSYS_TNRHTP;
2806 		break;
2807 	case TSOL_TNMLP:
2808 		e = AUE_LABELSYS_TNMLP;
2809 		break;
2810 	default:
2811 		e = AUE_NULL;
2812 		break;
2813 	}
2814 
2815 	return (e);
2816 
2817 }
2818 
2819 static void
2820 aus_labelsys(struct t_audit_data *tad)
2821 {
2822 	klwp_t *clwp = ttolwp(curthread);
2823 	uint32_t cmd;
2824 	uintptr_t a2;
2825 
2826 	struct a {
2827 		long	code;
2828 		long	cmd;
2829 		long	a2;
2830 	} *uap = (struct a *)clwp->lwp_ap;
2831 
2832 	cmd = (uint32_t)uap->cmd;
2833 	a2 = (uintptr_t)uap->a2;
2834 
2835 	switch (tad->tad_event) {
2836 	case AUE_LABELSYS_TNRH:
2837 	{
2838 		tsol_rhent_t	*rhent;
2839 		tnaddr_t	*rh_addr;
2840 
2841 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2842 
2843 		/* Remaining args don't apply for FLUSH, so skip */
2844 		if (cmd == TNDB_FLUSH)
2845 			break;
2846 
2847 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2848 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2849 			kmem_free(rhent, sizeof (tsol_rhent_t));
2850 			return;
2851 		}
2852 
2853 		rh_addr = &rhent->rh_address;
2854 		if (rh_addr->ta_family == AF_INET) {
2855 			struct in_addr	*ipaddr;
2856 
2857 			ipaddr = &(rh_addr->ta_addr_v4);
2858 			au_uwrite(au_to_in_addr(ipaddr));
2859 		} else if (rh_addr->ta_family == AF_INET6) {
2860 			int32_t		*ipaddr;
2861 
2862 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2863 			au_uwrite(au_to_in_addr_ex(ipaddr));
2864 		}
2865 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2866 
2867 		kmem_free(rhent, sizeof (tsol_rhent_t));
2868 
2869 		break;
2870 	}
2871 	case AUE_LABELSYS_TNRHTP:
2872 	{
2873 		tsol_tpent_t	*tpent;
2874 
2875 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2876 
2877 		/* Remaining args don't apply for FLUSH, so skip */
2878 		if (cmd == TNDB_FLUSH)
2879 			break;
2880 
2881 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2882 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2883 			kmem_free(tpent, sizeof (tsol_tpent_t));
2884 			return;
2885 		}
2886 
2887 		/* Make sure that the template name is null-terminated. */
2888 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2889 
2890 		au_uwrite(au_to_text(tpent->name));
2891 		kmem_free(tpent, sizeof (tsol_tpent_t));
2892 
2893 		break;
2894 	}
2895 	case AUE_LABELSYS_TNMLP:
2896 	{
2897 		tsol_mlpent_t	*mlpent;
2898 
2899 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2900 
2901 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2902 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2903 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2904 			return;
2905 		}
2906 
2907 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2908 			au_uwrite(au_to_text("shared"));
2909 		} else {
2910 			zone_t	*zone;
2911 
2912 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2913 			if (zone != NULL) {
2914 				au_uwrite(au_to_text(zone->zone_name));
2915 				zone_rele(zone);
2916 			}
2917 		}
2918 
2919 		/* Remaining args don't apply for FLUSH, so skip */
2920 		if (cmd == TNDB_FLUSH) {
2921 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2922 			break;
2923 		}
2924 
2925 		au_uwrite(au_to_arg32(2, "proto num",
2926 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2927 		au_uwrite(au_to_arg32(2, "mlp_port",
2928 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2929 
2930 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2931 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2932 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2933 
2934 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2935 
2936 		break;
2937 	}
2938 	default:
2939 		break;
2940 	}
2941 }
2942 
2943 
2944 static au_event_t
2945 aui_auditsys(au_event_t e)
2946 {
2947 	klwp_t *clwp = ttolwp(curthread);
2948 	uint32_t code;
2949 
2950 	struct a {
2951 		long	code;
2952 		long	a1;
2953 		long	a2;
2954 		long	a3;
2955 		long	a4;
2956 		long	a5;
2957 		long	a6;
2958 		long	a7;
2959 	} *uap = (struct a *)clwp->lwp_ap;
2960 
2961 	code = (uint32_t)uap->code;
2962 
2963 	switch (code) {
2964 
2965 	case BSM_GETAUID:
2966 		e = AUE_GETAUID;
2967 		break;
2968 	case BSM_SETAUID:
2969 		e = AUE_SETAUID;
2970 		break;
2971 	case BSM_GETAUDIT:
2972 		e = AUE_GETAUDIT;
2973 		break;
2974 	case BSM_GETAUDIT_ADDR:
2975 		e = AUE_GETAUDIT_ADDR;
2976 		break;
2977 	case BSM_SETAUDIT:
2978 		e = AUE_SETAUDIT;
2979 		break;
2980 	case BSM_SETAUDIT_ADDR:
2981 		e = AUE_SETAUDIT_ADDR;
2982 		break;
2983 	case BSM_AUDIT:
2984 		e = AUE_AUDIT;
2985 		break;
2986 	case BSM_AUDITCTL:
2987 		switch ((uint_t)uap->a1) {
2988 
2989 		case A_GETPOLICY:
2990 			e = AUE_AUDITON_GPOLICY;
2991 			break;
2992 		case A_SETPOLICY:
2993 			e = AUE_AUDITON_SPOLICY;
2994 			break;
2995 		case A_GETAMASK:
2996 			e = AUE_AUDITON_GETAMASK;
2997 			break;
2998 		case A_SETAMASK:
2999 			e = AUE_AUDITON_SETAMASK;
3000 			break;
3001 		case A_GETKMASK:
3002 			e = AUE_AUDITON_GETKMASK;
3003 			break;
3004 		case A_SETKMASK:
3005 			e = AUE_AUDITON_SETKMASK;
3006 			break;
3007 		case A_GETQCTRL:
3008 			e = AUE_AUDITON_GQCTRL;
3009 			break;
3010 		case A_SETQCTRL:
3011 			e = AUE_AUDITON_SQCTRL;
3012 			break;
3013 		case A_GETCWD:
3014 			e = AUE_AUDITON_GETCWD;
3015 			break;
3016 		case A_GETCAR:
3017 			e = AUE_AUDITON_GETCAR;
3018 			break;
3019 		case A_GETSTAT:
3020 			e = AUE_AUDITON_GETSTAT;
3021 			break;
3022 		case A_SETSTAT:
3023 			e = AUE_AUDITON_SETSTAT;
3024 			break;
3025 		case A_SETUMASK:
3026 			e = AUE_AUDITON_SETUMASK;
3027 			break;
3028 		case A_SETSMASK:
3029 			e = AUE_AUDITON_SETSMASK;
3030 			break;
3031 		case A_GETCOND:
3032 			e = AUE_AUDITON_GETCOND;
3033 			break;
3034 		case A_SETCOND:
3035 			e = AUE_AUDITON_SETCOND;
3036 			break;
3037 		case A_GETCLASS:
3038 			e = AUE_AUDITON_GETCLASS;
3039 			break;
3040 		case A_SETCLASS:
3041 			e = AUE_AUDITON_SETCLASS;
3042 			break;
3043 		default:
3044 			e = AUE_NULL;
3045 			break;
3046 		}
3047 		break;
3048 	default:
3049 		e = AUE_NULL;
3050 		break;
3051 	}
3052 
3053 	return (e);
3054 
3055 }	/* AUI_AUDITSYS */
3056 
3057 
3058 static void
3059 aus_auditsys(struct t_audit_data *tad)
3060 {
3061 	klwp_t *clwp = ttolwp(curthread);
3062 	uintptr_t a1, a2;
3063 	STRUCT_DECL(auditinfo, ainfo);
3064 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
3065 	au_evclass_map_t event;
3066 	au_mask_t mask;
3067 	int auditstate, policy;
3068 	au_id_t auid;
3069 
3070 
3071 	struct a {
3072 		long	code;
3073 		long	a1;
3074 		long	a2;
3075 		long	a3;
3076 		long	a4;
3077 		long	a5;
3078 		long	a6;
3079 		long	a7;
3080 	} *uap = (struct a *)clwp->lwp_ap;
3081 
3082 	a1   = (uintptr_t)uap->a1;
3083 	a2   = (uintptr_t)uap->a2;
3084 
3085 	switch (tad->tad_event) {
3086 	case AUE_SETAUID:
3087 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3088 				return;
3089 		au_uwrite(au_to_arg32(2, "setauid", auid));
3090 		break;
3091 	case AUE_SETAUDIT:
3092 		STRUCT_INIT(ainfo, get_udatamodel());
3093 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3094 		    STRUCT_SIZE(ainfo))) {
3095 				return;
3096 		}
3097 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3098 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3099 #ifdef _LP64
3100 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
3101 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3102 #else
3103 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
3104 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3105 #endif
3106 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3107 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3108 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3109 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3110 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3111 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3112 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3113 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3114 		break;
3115 	case AUE_SETAUDIT_ADDR:
3116 		STRUCT_INIT(ainfo_addr, get_udatamodel());
3117 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3118 		    STRUCT_SIZE(ainfo_addr))) {
3119 				return;
3120 		}
3121 		au_uwrite(au_to_arg32((char)1, "auid",
3122 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3123 #ifdef _LP64
3124 		au_uwrite(au_to_arg64((char)1, "port",
3125 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3126 #else
3127 		au_uwrite(au_to_arg32((char)1, "port",
3128 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3129 #endif
3130 		au_uwrite(au_to_arg32((char)1, "type",
3131 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3132 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3133 		    AU_IPv4) {
3134 			au_uwrite(au_to_in_addr(
3135 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3136 			    ai_termid.at_addr)));
3137 		} else {
3138 			au_uwrite(au_to_in_addr_ex(
3139 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
3140 			    ai_termid.at_addr)));
3141 		}
3142 		au_uwrite(au_to_arg32((char)1, "as_success",
3143 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3144 		au_uwrite(au_to_arg32((char)1, "as_failure",
3145 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3146 		au_uwrite(au_to_arg32((char)1, "asid",
3147 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3148 		break;
3149 	case AUE_AUDITON_SETAMASK:
3150 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3151 				return;
3152 		au_uwrite(au_to_arg32(
3153 		    2, "setamask:as_success", (uint32_t)mask.as_success));
3154 		au_uwrite(au_to_arg32(
3155 		    2, "setamask:as_failure", (uint32_t)mask.as_failure));
3156 		break;
3157 	case AUE_AUDITON_SETKMASK:
3158 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3159 				return;
3160 		au_uwrite(au_to_arg32(
3161 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
3162 		au_uwrite(au_to_arg32(
3163 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3164 		break;
3165 	case AUE_AUDITON_SPOLICY:
3166 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
3167 			return;
3168 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3169 		break;
3170 	case AUE_AUDITON_SQCTRL: {
3171 		STRUCT_DECL(au_qctrl, qctrl);
3172 		model_t model;
3173 
3174 		model = get_udatamodel();
3175 		STRUCT_INIT(qctrl, model);
3176 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3177 				return;
3178 		if (model == DATAMODEL_ILP32) {
3179 			au_uwrite(au_to_arg32(
3180 			    3, "setqctrl:aq_hiwater",
3181 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3182 			au_uwrite(au_to_arg32(
3183 			    3, "setqctrl:aq_lowater",
3184 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3185 			au_uwrite(au_to_arg32(
3186 			    3, "setqctrl:aq_bufsz",
3187 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3188 			au_uwrite(au_to_arg32(
3189 			    3, "setqctrl:aq_delay",
3190 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3191 		} else {
3192 			au_uwrite(au_to_arg64(
3193 			    3, "setqctrl:aq_hiwater",
3194 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3195 			au_uwrite(au_to_arg64(
3196 			    3, "setqctrl:aq_lowater",
3197 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3198 			au_uwrite(au_to_arg64(
3199 			    3, "setqctrl:aq_bufsz",
3200 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3201 			au_uwrite(au_to_arg64(
3202 			    3, "setqctrl:aq_delay",
3203 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3204 		}
3205 		break;
3206 	}
3207 	case AUE_AUDITON_SETUMASK:
3208 		STRUCT_INIT(ainfo, get_udatamodel());
3209 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3210 		    STRUCT_SIZE(ainfo))) {
3211 			return;
3212 		}
3213 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3214 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3215 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3216 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3217 		break;
3218 	case AUE_AUDITON_SETSMASK:
3219 		STRUCT_INIT(ainfo, get_udatamodel());
3220 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3221 		    STRUCT_SIZE(ainfo))) {
3222 			return;
3223 		}
3224 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3225 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3226 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3227 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3228 		break;
3229 	case AUE_AUDITON_SETCOND:
3230 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3231 			return;
3232 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3233 		break;
3234 	case AUE_AUDITON_SETCLASS:
3235 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3236 			return;
3237 		au_uwrite(au_to_arg32(
3238 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3239 		au_uwrite(au_to_arg32(
3240 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3241 		break;
3242 	case AUE_GETAUID:
3243 	case AUE_GETAUDIT:
3244 	case AUE_GETAUDIT_ADDR:
3245 	case AUE_AUDIT:
3246 	case AUE_AUDITON_GPOLICY:
3247 	case AUE_AUDITON_GQCTRL:
3248 	case AUE_AUDITON_GETAMASK:
3249 	case AUE_AUDITON_GETKMASK:
3250 	case AUE_AUDITON_GETCWD:
3251 	case AUE_AUDITON_GETCAR:
3252 	case AUE_AUDITON_GETSTAT:
3253 	case AUE_AUDITON_SETSTAT:
3254 	case AUE_AUDITON_GETCOND:
3255 	case AUE_AUDITON_GETCLASS:
3256 		break;
3257 	default:
3258 		break;
3259 	}
3260 
3261 }	/* AUS_AUDITSYS */
3262 
3263 
3264 /* only audit privileged operations for systeminfo(2) system call */
3265 static au_event_t
3266 aui_sysinfo(au_event_t e)
3267 {
3268 	klwp_t *clwp = ttolwp(curthread);
3269 	uint32_t command;
3270 
3271 	struct a {
3272 		long	command;
3273 		long	buf;		/* char * */
3274 		long	count;
3275 	} *uap = (struct a *)clwp->lwp_ap;
3276 
3277 	command = (uint32_t)uap->command;
3278 
3279 	switch (command) {
3280 	case SI_SET_HOSTNAME:
3281 	case SI_SET_SRPC_DOMAIN:
3282 		e = (au_event_t)AUE_SYSINFO;
3283 		break;
3284 	default:
3285 		e = (au_event_t)AUE_NULL;
3286 		break;
3287 	}
3288 	return (e);
3289 }
3290 
3291 /*ARGSUSED*/
3292 static void
3293 aus_sysinfo(struct t_audit_data *tad)
3294 {
3295 	klwp_t *clwp = ttolwp(curthread);
3296 	uint32_t command;
3297 	size_t len, maxlen;
3298 	char *name;
3299 	uintptr_t buf;
3300 
3301 	struct a {
3302 		long	command;
3303 		long	buf;		/* char * */
3304 		long	count;
3305 	} *uap = (struct a *)clwp->lwp_ap;
3306 
3307 	command = (uint32_t)uap->command;
3308 	buf = (uintptr_t)uap->buf;
3309 
3310 	au_uwrite(au_to_arg32(1, "cmd", command));
3311 
3312 	switch (command) {
3313 	case SI_SET_HOSTNAME:
3314 	{
3315 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3316 			return;
3317 
3318 		maxlen = SYS_NMLN;
3319 		name = kmem_alloc(maxlen, KM_SLEEP);
3320 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3321 			break;
3322 
3323 		/*
3324 		 * Must be non-NULL string and string
3325 		 * must be less than SYS_NMLN chars.
3326 		 */
3327 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3328 			break;
3329 
3330 		au_uwrite(au_to_text(name));
3331 		break;
3332 	}
3333 
3334 	case SI_SET_SRPC_DOMAIN:
3335 	{
3336 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3337 			return;
3338 
3339 		maxlen = SYS_NMLN;
3340 		name = kmem_alloc(maxlen, KM_SLEEP);
3341 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3342 			break;
3343 
3344 		/*
3345 		 * If string passed in is longer than length
3346 		 * allowed for domain name, fail.
3347 		 */
3348 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3349 			break;
3350 
3351 		au_uwrite(au_to_text(name));
3352 		break;
3353 	}
3354 
3355 	default:
3356 		return;
3357 	}
3358 
3359 	kmem_free(name, maxlen);
3360 }
3361 
3362 static au_event_t
3363 aui_modctl(au_event_t e)
3364 {
3365 	klwp_t *clwp = ttolwp(curthread);
3366 	uint_t cmd;
3367 
3368 	struct a {
3369 		long	cmd;
3370 	} *uap = (struct a *)clwp->lwp_ap;
3371 
3372 	cmd = (uint_t)uap->cmd;
3373 
3374 	switch (cmd) {
3375 	case MODLOAD:
3376 		e = AUE_MODLOAD;
3377 		break;
3378 	case MODUNLOAD:
3379 		e = AUE_MODUNLOAD;
3380 		break;
3381 	case MODADDMAJBIND:
3382 		e = AUE_MODADDMAJ;
3383 		break;
3384 	case MODSETDEVPOLICY:
3385 		e = AUE_MODDEVPLCY;
3386 		break;
3387 	case MODALLOCPRIV:
3388 		e = AUE_MODADDPRIV;
3389 		break;
3390 	default:
3391 		e = AUE_NULL;
3392 		break;
3393 	}
3394 	return (e);
3395 }
3396 
3397 
3398 /*ARGSUSED*/
3399 static void
3400 aus_modctl(struct t_audit_data *tad)
3401 {
3402 	klwp_t *clwp = ttolwp(curthread);
3403 	void *a	= clwp->lwp_ap;
3404 	uint_t use_path;
3405 
3406 	switch (tad->tad_event) {
3407 	case AUE_MODLOAD: {
3408 		typedef struct {
3409 			long	cmd;
3410 			long	use_path;
3411 			long	filename;		/* char * */
3412 		} modloada_t;
3413 
3414 		char *filenamep;
3415 		uintptr_t fname;
3416 		extern char *default_path;
3417 
3418 		fname = (uintptr_t)((modloada_t *)a)->filename;
3419 		use_path = (uint_t)((modloada_t *)a)->use_path;
3420 
3421 			/* space to hold path */
3422 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3423 			/* get string */
3424 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3425 				/* free allocated path */
3426 			kmem_free(filenamep, MOD_MAXPATH);
3427 			return;
3428 		}
3429 			/* ensure it's null terminated */
3430 		filenamep[MOD_MAXPATH - 1] = 0;
3431 
3432 		if (use_path)
3433 			au_uwrite(au_to_text(default_path));
3434 		au_uwrite(au_to_text(filenamep));
3435 
3436 			/* release temporary memory */
3437 		kmem_free(filenamep, MOD_MAXPATH);
3438 		break;
3439 	}
3440 	case AUE_MODUNLOAD: {
3441 		typedef struct {
3442 			long	cmd;
3443 			long	id;
3444 		} modunloada_t;
3445 
3446 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3447 
3448 		au_uwrite(au_to_arg32(1, "id", id));
3449 		break;
3450 	}
3451 	case AUE_MODADDMAJ: {
3452 		STRUCT_DECL(modconfig, mc);
3453 		typedef struct {
3454 			long	cmd;
3455 			long	subcmd;
3456 			long	data;		/* int * */
3457 		} modconfiga_t;
3458 
3459 		STRUCT_DECL(aliases, alias);
3460 		caddr_t ap;
3461 		int i, num_aliases;
3462 		char *drvname, *mc_drvname;
3463 		char *name;
3464 		extern char *ddi_major_to_name(major_t);
3465 		model_t model;
3466 
3467 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3468 
3469 		model = get_udatamodel();
3470 		STRUCT_INIT(mc, model);
3471 			/* sanitize buffer */
3472 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3473 			/* get user arguments */
3474 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3475 		    STRUCT_SIZE(mc)) != 0)
3476 			return;
3477 
3478 		mc_drvname = STRUCT_FGET(mc, drvname);
3479 		if ((drvname = ddi_major_to_name(
3480 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3481 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3482 				/* safety */
3483 			if (mc_drvname[0] != '\0') {
3484 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3485 				au_uwrite(au_to_text(mc_drvname));
3486 			}
3487 				/* drvname != NULL from test above */
3488 			au_uwrite(au_to_text(drvname));
3489 			return;
3490 		}
3491 
3492 		if (mc_drvname[0] != '\0') {
3493 				/* safety */
3494 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3495 			au_uwrite(au_to_text(mc_drvname));
3496 		} else
3497 			au_uwrite(au_to_text("no drvname"));
3498 
3499 		num_aliases = STRUCT_FGET(mc, num_aliases);
3500 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3501 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3502 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3503 		STRUCT_INIT(alias, model);
3504 		for (i = 0; i < num_aliases; i++) {
3505 			bzero((caddr_t)STRUCT_BUF(alias),
3506 			    STRUCT_SIZE(alias));
3507 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3508 			    STRUCT_SIZE(alias)) != 0)
3509 				break;
3510 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3511 			    MAXMODCONFNAME, NULL) != 0) {
3512 				break;
3513 			}
3514 
3515 			au_uwrite(au_to_text(name));
3516 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3517 		}
3518 		kmem_free(name, MAXMODCONFNAME);
3519 		break;
3520 	}
3521 	default:
3522 		break;
3523 	}
3524 }
3525 
3526 
3527 /*ARGSUSED*/
3528 static void
3529 auf_accept(
3530 	struct t_audit_data *tad,
3531 	int	error,
3532 	rval_t	*rval)
3533 {
3534 	uint32_t scid;
3535 	uint32_t sy_flags;
3536 	int fd;
3537 	struct sonode *so;
3538 	char so_laddr[sizeof (struct sockaddr_in6)];
3539 	char so_faddr[sizeof (struct sockaddr_in6)];
3540 	int err;
3541 	short so_family, so_type;
3542 	int add_sock_token = 0;
3543 
3544 	/* need to determine type of executing binary */
3545 	scid = tad->tad_scid;
3546 #ifdef _SYSCALL32_IMPL
3547 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3548 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3549 	else
3550 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3551 #else
3552 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3553 #endif
3554 	switch (sy_flags) {
3555 	case SE_32RVAL1:
3556 		/* FALLTHRU */
3557 	case SE_32RVAL2|SE_32RVAL1:
3558 		fd = rval->r_val1;
3559 		break;
3560 	case SE_64RVAL:
3561 		fd = (int)rval->r_vals;
3562 		break;
3563 	default:
3564 		/*
3565 		 * should never happen, seems to be an internal error
3566 		 * in sysent => no fd, nothing to audit here, returning
3567 		 */
3568 		return;
3569 	}
3570 
3571 	if (error) {
3572 		/* can't trust socket contents. Just return */
3573 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3574 		return;
3575 	}
3576 
3577 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3578 		/*
3579 		 * not security relevant if doing a accept from non socket
3580 		 * so no extra tokens. Should probably turn off audit record
3581 		 * generation here.
3582 		 */
3583 		return;
3584 	}
3585 
3586 	so_family = so->so_family;
3587 	so_type   = so->so_type;
3588 
3589 	switch (so_family) {
3590 	case AF_INET:
3591 	case AF_INET6:
3592 		/*
3593 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3594 		 */
3595 		if (so->so_type == SOCK_STREAM) {
3596 			socklen_t len;
3597 
3598 			bzero((void *)so_laddr, sizeof (so_laddr));
3599 			bzero((void *)so_faddr, sizeof (so_faddr));
3600 
3601 			len = sizeof (so_laddr);
3602 			(void) socket_getsockname(so,
3603 			    (struct sockaddr *)so_laddr, &len, CRED());
3604 			len = sizeof (so_faddr);
3605 			(void) socket_getpeername(so,
3606 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3607 
3608 			add_sock_token = 1;
3609 		}
3610 		break;
3611 
3612 	default:
3613 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3614 		break;
3615 	}
3616 
3617 	releasef(fd);
3618 
3619 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3620 
3621 	if (add_sock_token == 0) {
3622 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3623 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3624 		return;
3625 	}
3626 
3627 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3628 
3629 }
3630 
3631 /*ARGSUSED*/
3632 static void
3633 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3634 {
3635 	struct a {
3636 		long	fd;
3637 		long	addr;
3638 		long	len;
3639 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3640 
3641 	struct sonode *so;
3642 	char so_laddr[sizeof (struct sockaddr_in6)];
3643 	char so_faddr[sizeof (struct sockaddr_in6)];
3644 	int err, fd;
3645 	socklen_t len;
3646 	short so_family, so_type;
3647 	int add_sock_token = 0;
3648 
3649 	fd = (int)uap->fd;
3650 
3651 	/*
3652 	 * bind failed, then nothing extra to add to audit record.
3653 	 */
3654 	if (error) {
3655 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3656 		/* XXX may want to add failed address some day */
3657 		return;
3658 	}
3659 
3660 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3661 		/*
3662 		 * not security relevant if doing a bind from non socket
3663 		 * so no extra tokens. Should probably turn off audit record
3664 		 * generation here.
3665 		 */
3666 		return;
3667 	}
3668 
3669 	so_family = so->so_family;
3670 	so_type   = so->so_type;
3671 
3672 	switch (so_family) {
3673 	case AF_INET:
3674 	case AF_INET6:
3675 
3676 		bzero(so_faddr, sizeof (so_faddr));
3677 		len = sizeof (so_faddr);
3678 
3679 		(void) socket_getpeername(so,
3680 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3681 		add_sock_token = 1;
3682 
3683 		break;
3684 
3685 	case AF_UNIX:
3686 		/* token added by lookup */
3687 		break;
3688 	default:
3689 		/* AF_ROUTE, AF_KEY do not support accept */
3690 		break;
3691 	}
3692 
3693 	releasef(fd);
3694 
3695 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3696 
3697 	if (add_sock_token == 0) {
3698 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3699 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3700 		return;
3701 	}
3702 
3703 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3704 
3705 }
3706 
3707 /*ARGSUSED*/
3708 static void
3709 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3710 {
3711 	struct a {
3712 		long	fd;
3713 		long	addr;
3714 		long	len;
3715 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3716 
3717 	struct sonode *so;
3718 	char so_laddr[sizeof (struct sockaddr_in6)];
3719 	char so_faddr[sizeof (struct sockaddr_in6)];
3720 	int err, fd;
3721 	socklen_t len;
3722 	short so_family, so_type;
3723 	int add_sock_token = 0;
3724 
3725 	fd = (int)uap->fd;
3726 
3727 
3728 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3729 		/*
3730 		 * not security relevant if doing a connect from non socket
3731 		 * so no extra tokens. Should probably turn off audit record
3732 		 * generation here.
3733 		 */
3734 		return;
3735 	}
3736 
3737 	so_family = so->so_family;
3738 	so_type   = so->so_type;
3739 
3740 	switch (so_family) {
3741 	case AF_INET:
3742 	case AF_INET6:
3743 
3744 		bzero(so_laddr, sizeof (so_laddr));
3745 		bzero(so_faddr, sizeof (so_faddr));
3746 
3747 		len = sizeof (so_laddr);
3748 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3749 		    &len, CRED());
3750 		if (error) {
3751 			if (uap->addr == NULL)
3752 				break;
3753 			if (uap->len <= 0)
3754 				break;
3755 			len = min(uap->len, sizeof (so_faddr));
3756 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3757 				break;
3758 #ifdef NOTYET
3759 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3760 #endif
3761 		} else {
3762 			/* sanity check on length */
3763 			len = sizeof (so_faddr);
3764 			(void) socket_getpeername(so,
3765 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3766 		}
3767 
3768 		add_sock_token = 1;
3769 
3770 		break;
3771 
3772 	case AF_UNIX:
3773 		/* does a lookup on name */
3774 		break;
3775 
3776 	default:
3777 		/* AF_ROUTE, AF_KEY do not support accept */
3778 		break;
3779 	}
3780 
3781 	releasef(fd);
3782 
3783 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3784 
3785 	if (add_sock_token == 0) {
3786 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3787 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3788 		return;
3789 	}
3790 
3791 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3792 
3793 }
3794 
3795 /*ARGSUSED*/
3796 static void
3797 aus_shutdown(struct t_audit_data *tad)
3798 {
3799 	struct a {
3800 		long	fd;
3801 		long	how;
3802 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3803 
3804 	struct sonode *so;
3805 	char so_laddr[sizeof (struct sockaddr_in6)];
3806 	char so_faddr[sizeof (struct sockaddr_in6)];
3807 	int err, fd;
3808 	socklen_t len;
3809 	short so_family, so_type;
3810 	int add_sock_token = 0;
3811 	file_t *fp;				/* unix domain sockets */
3812 	struct f_audit_data *fad;		/* unix domain sockets */
3813 
3814 	fd = (int)uap->fd;
3815 
3816 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3817 		/*
3818 		 * not security relevant if doing a shutdown using non socket
3819 		 * so no extra tokens. Should probably turn off audit record
3820 		 * generation here.
3821 		 */
3822 		return;
3823 	}
3824 
3825 	so_family = so->so_family;
3826 	so_type   = so->so_type;
3827 
3828 	switch (so_family) {
3829 	case AF_INET:
3830 	case AF_INET6:
3831 
3832 		bzero(so_laddr, sizeof (so_laddr));
3833 		bzero(so_faddr, sizeof (so_faddr));
3834 
3835 		len = sizeof (so_laddr);
3836 		(void) socket_getsockname(so,
3837 		    (struct sockaddr *)so_laddr, &len, CRED());
3838 		len = sizeof (so_faddr);
3839 		(void) socket_getpeername(so,
3840 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3841 
3842 		add_sock_token = 1;
3843 
3844 		break;
3845 
3846 	case AF_UNIX:
3847 
3848 		/* get path from file struct here */
3849 		fad = F2A(fp);
3850 		ASSERT(fad);
3851 
3852 		if (fad->fad_aupath != NULL) {
3853 			au_uwrite(au_to_path(fad->fad_aupath));
3854 		} else {
3855 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3856 		}
3857 
3858 		audit_attributes(fp->f_vnode);
3859 
3860 		break;
3861 
3862 	default:
3863 		/*
3864 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3865 		 * added.
3866 		 */
3867 		break;
3868 	}
3869 
3870 	releasef(fd);
3871 
3872 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3873 
3874 	if (add_sock_token == 0) {
3875 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3876 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3877 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3878 		return;
3879 	}
3880 
3881 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3882 
3883 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3884 
3885 }
3886 
3887 /*ARGSUSED*/
3888 static void
3889 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3890 {
3891 	struct a {
3892 		long	fd;
3893 		long	level;
3894 		long	optname;
3895 		long	*optval;
3896 		long	optlen;
3897 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3898 
3899 	struct sonode	*so;
3900 	char so_laddr[sizeof (struct sockaddr_in6)];
3901 	char so_faddr[sizeof (struct sockaddr_in6)];
3902 	char		val[AU_BUFSIZE];
3903 	int		err, fd;
3904 	socklen_t	len;
3905 	short so_family, so_type;
3906 	int		add_sock_token = 0;
3907 	file_t *fp;				/* unix domain sockets */
3908 	struct f_audit_data *fad;		/* unix domain sockets */
3909 
3910 	fd = (int)uap->fd;
3911 
3912 	if (error) {
3913 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3914 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3915 		/* XXX may want to include other arguments */
3916 		return;
3917 	}
3918 
3919 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3920 		/*
3921 		 * not security relevant if doing a setsockopt from non socket
3922 		 * so no extra tokens. Should probably turn off audit record
3923 		 * generation here.
3924 		 */
3925 		return;
3926 	}
3927 
3928 	so_family = so->so_family;
3929 	so_type   = so->so_type;
3930 
3931 	switch (so_family) {
3932 	case AF_INET:
3933 	case AF_INET6:
3934 		bzero((void *)so_laddr, sizeof (so_laddr));
3935 		bzero((void *)so_faddr, sizeof (so_faddr));
3936 
3937 		/* get local and foreign addresses */
3938 		len = sizeof (so_laddr);
3939 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3940 		    &len, CRED());
3941 		len = sizeof (so_faddr);
3942 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3943 		    &len, B_FALSE, CRED());
3944 
3945 		add_sock_token = 1;
3946 
3947 		break;
3948 
3949 	case AF_UNIX:
3950 
3951 		/* get path from file struct here */
3952 		fad = F2A(fp);
3953 		ASSERT(fad);
3954 
3955 		if (fad->fad_aupath != NULL) {
3956 			au_uwrite(au_to_path(fad->fad_aupath));
3957 		} else {
3958 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3959 		}
3960 
3961 		audit_attributes(fp->f_vnode);
3962 
3963 		break;
3964 
3965 	default:
3966 		/*
3967 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3968 		 * added.
3969 		 */
3970 		break;
3971 	}
3972 
3973 	releasef(fd);
3974 
3975 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3976 
3977 	if (add_sock_token == 0) {
3978 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3979 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3980 	}
3981 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3982 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3983 
3984 	bzero(val, sizeof (val));
3985 	len = min(uap->optlen, sizeof (val));
3986 	if ((len > 0) &&
3987 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3988 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3989 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3990 	}
3991 
3992 	if (add_sock_token == 0)
3993 		return;
3994 
3995 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3996 
3997 }
3998 
3999 /*ARGSUSED*/
4000 static void
4001 aus_sockconfig(tad)
4002 	struct t_audit_data *tad;
4003 {
4004 	struct a {
4005 		long	cmd;
4006 		long	arg1;
4007 		long	arg2;
4008 		long	arg3;
4009 		long	arg4;
4010 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4011 
4012 	char	*buf;
4013 	int	buflen;
4014 	size_t	size;
4015 
4016 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4017 	switch (uap->cmd) {
4018 	case SOCKCONFIG_ADD_SOCK:
4019 	case SOCKCONFIG_REMOVE_SOCK:
4020 		au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4021 		au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4022 		au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4023 
4024 		if (uap->arg4 == 0) {
4025 			au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4026 		} else {
4027 			buflen = MAXPATHLEN + 1;
4028 			buf = kmem_alloc(buflen, KM_SLEEP);
4029 			if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4030 			    &size)) {
4031 				kmem_free(buf, buflen);
4032 				return;
4033 			}
4034 
4035 			if (size > MAXPATHLEN) {
4036 				kmem_free(buf, buflen);
4037 				return;
4038 			}
4039 
4040 			au_uwrite(au_to_text(buf));
4041 			kmem_free(buf, buflen);
4042 		}
4043 		break;
4044 	case SOCKCONFIG_ADD_FILTER:
4045 	case SOCKCONFIG_REMOVE_FILTER:
4046 		buflen = FILNAME_MAX;
4047 		buf = kmem_alloc(buflen, KM_SLEEP);
4048 
4049 		if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4050 			kmem_free(buf, buflen);
4051 			return;
4052 		}
4053 
4054 		au_uwrite(au_to_text(buf));
4055 		kmem_free(buf, buflen);
4056 		break;
4057 	default:
4058 		break;
4059 	}
4060 }
4061 
4062 /*
4063  * only audit recvmsg when the system call represents the creation of a new
4064  * circuit. This effectively occurs for all UDP packets and may occur for
4065  * special TCP situations where the local host has not set a local address
4066  * in the socket structure.
4067  */
4068 /*ARGSUSED*/
4069 static void
4070 auf_recvmsg(
4071 	struct t_audit_data *tad,
4072 	int error,
4073 	rval_t *rvp)
4074 {
4075 	struct a {
4076 		long	fd;
4077 		long	msg;	/* struct msghdr */
4078 		long	flags;
4079 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4080 
4081 	struct sonode	*so;
4082 	STRUCT_DECL(msghdr, msg);
4083 	caddr_t msg_name;
4084 	socklen_t msg_namelen;
4085 	int fd;
4086 	int err;
4087 	char so_laddr[sizeof (struct sockaddr_in6)];
4088 	char so_faddr[sizeof (struct sockaddr_in6)];
4089 	socklen_t len;
4090 	file_t *fp;				/* unix domain sockets */
4091 	struct f_audit_data *fad;		/* unix domain sockets */
4092 	short so_family, so_type;
4093 	int add_sock_token = 0;
4094 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4095 
4096 	fd = (int)uap->fd;
4097 
4098 	/* bail if an error */
4099 	if (error) {
4100 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4101 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4102 		return;
4103 	}
4104 
4105 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4106 		/*
4107 		 * not security relevant if doing a recvmsg from non socket
4108 		 * so no extra tokens. Should probably turn off audit record
4109 		 * generation here.
4110 		 */
4111 		return;
4112 	}
4113 
4114 	so_family = so->so_family;
4115 	so_type   = so->so_type;
4116 
4117 	/*
4118 	 * only putout SOCKET_EX token if INET/INET6 family.
4119 	 * XXX - what do we do about other families?
4120 	 */
4121 
4122 	switch (so_family) {
4123 	case AF_INET:
4124 	case AF_INET6:
4125 
4126 		/*
4127 		 * if datagram type socket, then just use what is in
4128 		 * socket structure for local address.
4129 		 * XXX - what do we do for other types?
4130 		 */
4131 		if ((so->so_type == SOCK_DGRAM) ||
4132 		    (so->so_type == SOCK_RAW)) {
4133 			add_sock_token = 1;
4134 
4135 			bzero((void *)so_laddr, sizeof (so_laddr));
4136 			bzero((void *)so_faddr, sizeof (so_faddr));
4137 
4138 			/* get local address */
4139 			len = sizeof (so_laddr);
4140 			(void) socket_getsockname(so,
4141 			    (struct sockaddr *)so_laddr, &len, CRED());
4142 
4143 			/* get peer address */
4144 			STRUCT_INIT(msg, get_udatamodel());
4145 
4146 			if (copyin((caddr_t)(uap->msg),
4147 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4148 				break;
4149 			}
4150 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4151 			if (msg_name == NULL) {
4152 				break;
4153 			}
4154 
4155 			/* length is value from recvmsg - sanity check */
4156 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4157 			if (msg_namelen == 0) {
4158 				break;
4159 			}
4160 			if (copyin(msg_name, so_faddr,
4161 			    sizeof (so_faddr)) != 0) {
4162 				break;
4163 			}
4164 
4165 		} else if (so->so_type == SOCK_STREAM) {
4166 
4167 			/* get path from file struct here */
4168 			fad = F2A(fp);
4169 			ASSERT(fad);
4170 
4171 			/*
4172 			 * already processed this file for read attempt
4173 			 */
4174 			if (fad->fad_flags & FAD_READ) {
4175 				/* don't want to audit every recvmsg attempt */
4176 				tad->tad_flag = 0;
4177 				/* free any residual audit data */
4178 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4179 				releasef(fd);
4180 				return;
4181 			}
4182 			/*
4183 			 * mark things so we know what happened and don't
4184 			 * repeat things
4185 			 */
4186 			fad->fad_flags |= FAD_READ;
4187 
4188 			bzero((void *)so_laddr, sizeof (so_laddr));
4189 			bzero((void *)so_faddr, sizeof (so_faddr));
4190 
4191 			/* get local and foreign addresses */
4192 			len = sizeof (so_laddr);
4193 			(void) socket_getsockname(so,
4194 			    (struct sockaddr *)so_laddr, &len, CRED());
4195 			len = sizeof (so_faddr);
4196 			(void) socket_getpeername(so,
4197 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4198 
4199 			add_sock_token = 1;
4200 		}
4201 
4202 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4203 
4204 		break;
4205 
4206 	case AF_UNIX:
4207 		/*
4208 		 * first check if this is first time through. Too much
4209 		 * duplicate code to put this in an aui_ routine.
4210 		 */
4211 
4212 		/* get path from file struct here */
4213 		fad = F2A(fp);
4214 		ASSERT(fad);
4215 
4216 		/*
4217 		 * already processed this file for read attempt
4218 		 */
4219 		if (fad->fad_flags & FAD_READ) {
4220 			releasef(fd);
4221 			/* don't want to audit every recvmsg attempt */
4222 			tad->tad_flag = 0;
4223 			/* free any residual audit data */
4224 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4225 			return;
4226 		}
4227 		/*
4228 		 * mark things so we know what happened and don't
4229 		 * repeat things
4230 		 */
4231 		fad->fad_flags |= FAD_READ;
4232 
4233 		if (fad->fad_aupath != NULL) {
4234 			au_uwrite(au_to_path(fad->fad_aupath));
4235 		} else {
4236 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4237 		}
4238 
4239 		audit_attributes(fp->f_vnode);
4240 
4241 		releasef(fd);
4242 
4243 		return;
4244 
4245 	default:
4246 		break;
4247 
4248 	}
4249 
4250 	releasef(fd);
4251 
4252 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4253 
4254 	if (add_sock_token == 0) {
4255 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4256 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4257 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4258 		return;
4259 	}
4260 
4261 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4262 
4263 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4264 
4265 }
4266 
4267 /*ARGSUSED*/
4268 static void
4269 auf_recvfrom(
4270 	struct t_audit_data *tad,
4271 	int error,
4272 	rval_t *rvp)
4273 {
4274 
4275 	struct a {
4276 		long	fd;
4277 		long	msg;	/* char */
4278 		long	len;
4279 		long	flags;
4280 		long	from;	/* struct sockaddr */
4281 		long	fromlen;
4282 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4283 
4284 	socklen_t	fromlen;
4285 	struct sonode	*so;
4286 	char so_laddr[sizeof (struct sockaddr_in6)];
4287 	char so_faddr[sizeof (struct sockaddr_in6)];
4288 	int		fd;
4289 	short so_family, so_type;
4290 	int add_sock_token = 0;
4291 	socklen_t len;
4292 	int err;
4293 	struct file *fp;
4294 	struct f_audit_data *fad;		/* unix domain sockets */
4295 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4296 
4297 	fd = (int)uap->fd;
4298 
4299 	/* bail if an error */
4300 	if (error) {
4301 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4302 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4303 		return;
4304 	}
4305 
4306 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4307 		/*
4308 		 * not security relevant if doing a recvmsg from non socket
4309 		 * so no extra tokens. Should probably turn off audit record
4310 		 * generation here.
4311 		 */
4312 		return;
4313 	}
4314 
4315 	so_family = so->so_family;
4316 	so_type   = so->so_type;
4317 
4318 	/*
4319 	 * only putout SOCKET_EX token if INET/INET6 family.
4320 	 * XXX - what do we do about other families?
4321 	 */
4322 
4323 	switch (so_family) {
4324 	case AF_INET:
4325 	case AF_INET6:
4326 
4327 		/*
4328 		 * if datagram type socket, then just use what is in
4329 		 * socket structure for local address.
4330 		 * XXX - what do we do for other types?
4331 		 */
4332 		if ((so->so_type == SOCK_DGRAM) ||
4333 		    (so->so_type == SOCK_RAW)) {
4334 			add_sock_token = 1;
4335 
4336 			/* get local address */
4337 			len = sizeof (so_laddr);
4338 			(void) socket_getsockname(so,
4339 			    (struct sockaddr *)so_laddr, &len, CRED());
4340 
4341 			/* get peer address */
4342 			bzero((void *)so_faddr, sizeof (so_faddr));
4343 
4344 			/* sanity check */
4345 			if (uap->from == NULL)
4346 				break;
4347 
4348 			/* sanity checks */
4349 			if (uap->fromlen == 0)
4350 				break;
4351 
4352 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4353 			    sizeof (fromlen)) != 0)
4354 				break;
4355 
4356 			if (fromlen == 0)
4357 				break;
4358 
4359 			/* enforce maximum size */
4360 			if (fromlen > sizeof (so_faddr))
4361 				fromlen = sizeof (so_faddr);
4362 
4363 			if (copyin((caddr_t)(uap->from), so_faddr,
4364 			    fromlen) != 0)
4365 				break;
4366 
4367 		} else if (so->so_type == SOCK_STREAM) {
4368 
4369 			/* get path from file struct here */
4370 			fad = F2A(fp);
4371 			ASSERT(fad);
4372 
4373 			/*
4374 			 * already processed this file for read attempt
4375 			 */
4376 			if (fad->fad_flags & FAD_READ) {
4377 				/* don't want to audit every recvfrom attempt */
4378 				tad->tad_flag = 0;
4379 				/* free any residual audit data */
4380 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4381 				releasef(fd);
4382 				return;
4383 			}
4384 			/*
4385 			 * mark things so we know what happened and don't
4386 			 * repeat things
4387 			 */
4388 			fad->fad_flags |= FAD_READ;
4389 
4390 			bzero((void *)so_laddr, sizeof (so_laddr));
4391 			bzero((void *)so_faddr, sizeof (so_faddr));
4392 
4393 			/* get local and foreign addresses */
4394 			len = sizeof (so_laddr);
4395 			(void) socket_getsockname(so,
4396 			    (struct sockaddr *)so_laddr, &len, CRED());
4397 			len = sizeof (so_faddr);
4398 			(void) socket_getpeername(so,
4399 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4400 
4401 			add_sock_token = 1;
4402 		}
4403 
4404 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4405 
4406 		break;
4407 
4408 	case AF_UNIX:
4409 		/*
4410 		 * first check if this is first time through. Too much
4411 		 * duplicate code to put this in an aui_ routine.
4412 		 */
4413 
4414 		/* get path from file struct here */
4415 		fad = F2A(fp);
4416 		ASSERT(fad);
4417 
4418 		/*
4419 		 * already processed this file for read attempt
4420 		 */
4421 		if (fad->fad_flags & FAD_READ) {
4422 			/* don't want to audit every recvfrom attempt */
4423 			tad->tad_flag = 0;
4424 			/* free any residual audit data */
4425 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4426 			releasef(fd);
4427 			return;
4428 		}
4429 		/*
4430 		 * mark things so we know what happened and don't
4431 		 * repeat things
4432 		 */
4433 		fad->fad_flags |= FAD_READ;
4434 
4435 		if (fad->fad_aupath != NULL) {
4436 			au_uwrite(au_to_path(fad->fad_aupath));
4437 		} else {
4438 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4439 		}
4440 
4441 		audit_attributes(fp->f_vnode);
4442 
4443 		releasef(fd);
4444 
4445 		return;
4446 
4447 	default:
4448 		break;
4449 
4450 	}
4451 
4452 	releasef(fd);
4453 
4454 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4455 
4456 	if (add_sock_token == 0) {
4457 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4458 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4459 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4460 		return;
4461 	}
4462 
4463 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4464 
4465 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4466 }
4467 
4468 /*ARGSUSED*/
4469 static void
4470 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4471 {
4472 	struct a {
4473 		long	fd;
4474 		long	msg;	/* struct msghdr */
4475 		long	flags;
4476 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4477 
4478 	struct sonode	*so;
4479 	char so_laddr[sizeof (struct sockaddr_in6)];
4480 	char so_faddr[sizeof (struct sockaddr_in6)];
4481 	int		err;
4482 	int		fd;
4483 	short so_family, so_type;
4484 	int		add_sock_token = 0;
4485 	socklen_t	len;
4486 	struct file	*fp;
4487 	struct f_audit_data *fad;
4488 	caddr_t		msg_name;
4489 	socklen_t	msg_namelen;
4490 	STRUCT_DECL(msghdr, msg);
4491 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4492 
4493 	fd = (int)uap->fd;
4494 
4495 	/* bail if an error */
4496 	if (error) {
4497 		/* XXX include destination address from system call arguments */
4498 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4499 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4500 		return;
4501 	}
4502 
4503 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4504 		/*
4505 		 * not security relevant if doing a sendmsg from non socket
4506 		 * so no extra tokens. Should probably turn off audit record
4507 		 * generation here.
4508 		 */
4509 		return;
4510 	}
4511 
4512 	so_family = so->so_family;
4513 	so_type   = so->so_type;
4514 
4515 	switch (so_family) {
4516 	case AF_INET:
4517 	case AF_INET6:
4518 		/*
4519 		 * if datagram type socket, then just use what is in
4520 		 * socket structure for local address.
4521 		 * XXX - what do we do for other types?
4522 		 */
4523 		if ((so->so_type == SOCK_DGRAM) ||
4524 		    (so->so_type == SOCK_RAW)) {
4525 
4526 			bzero((void *)so_laddr, sizeof (so_laddr));
4527 			bzero((void *)so_faddr, sizeof (so_faddr));
4528 
4529 			/* get local address */
4530 			len = sizeof (so_laddr);
4531 			(void) socket_getsockname(so,
4532 			    (struct sockaddr *)so_laddr, &len, CRED());
4533 
4534 			/* get peer address */
4535 			STRUCT_INIT(msg, get_udatamodel());
4536 
4537 			if (copyin((caddr_t)(uap->msg),
4538 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4539 				break;
4540 			}
4541 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4542 			if (msg_name == NULL)
4543 				break;
4544 
4545 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4546 			/* length is value from recvmsg - sanity check */
4547 			if (msg_namelen == 0)
4548 				break;
4549 
4550 			if (copyin(msg_name, so_faddr,
4551 			    sizeof (so_faddr)) != 0)
4552 				break;
4553 
4554 			add_sock_token = 1;
4555 
4556 		} else if (so->so_type == SOCK_STREAM) {
4557 
4558 			/* get path from file struct here */
4559 			fad = F2A(fp);
4560 			ASSERT(fad);
4561 
4562 			/*
4563 			 * already processed this file for write attempt
4564 			 */
4565 			if (fad->fad_flags & FAD_WRITE) {
4566 				releasef(fd);
4567 				/* don't want to audit every sendmsg attempt */
4568 				tad->tad_flag = 0;
4569 				/* free any residual audit data */
4570 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4571 				return;
4572 			}
4573 
4574 			/*
4575 			 * mark things so we know what happened and don't
4576 			 * repeat things
4577 			 */
4578 			fad->fad_flags |= FAD_WRITE;
4579 
4580 			bzero((void *)so_laddr, sizeof (so_laddr));
4581 			bzero((void *)so_faddr, sizeof (so_faddr));
4582 
4583 			/* get local and foreign addresses */
4584 			len = sizeof (so_laddr);
4585 			(void) socket_getsockname(so,
4586 			    (struct sockaddr *)so_laddr, &len, CRED());
4587 			len = sizeof (so_faddr);
4588 			(void) socket_getpeername(so,
4589 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4590 
4591 			add_sock_token = 1;
4592 		}
4593 
4594 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4595 
4596 		break;
4597 
4598 	case AF_UNIX:
4599 		/*
4600 		 * first check if this is first time through. Too much
4601 		 * duplicate code to put this in an aui_ routine.
4602 		 */
4603 
4604 		/* get path from file struct here */
4605 		fad = F2A(fp);
4606 		ASSERT(fad);
4607 
4608 		/*
4609 		 * already processed this file for write attempt
4610 		 */
4611 		if (fad->fad_flags & FAD_WRITE) {
4612 			releasef(fd);
4613 			/* don't want to audit every sendmsg attempt */
4614 			tad->tad_flag = 0;
4615 			/* free any residual audit data */
4616 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4617 			return;
4618 		}
4619 		/*
4620 		 * mark things so we know what happened and don't
4621 		 * repeat things
4622 		 */
4623 		fad->fad_flags |= FAD_WRITE;
4624 
4625 		if (fad->fad_aupath != NULL) {
4626 			au_uwrite(au_to_path(fad->fad_aupath));
4627 		} else {
4628 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4629 		}
4630 
4631 		audit_attributes(fp->f_vnode);
4632 
4633 		releasef(fd);
4634 
4635 		return;
4636 
4637 	default:
4638 		break;
4639 	}
4640 
4641 	releasef(fd);
4642 
4643 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4644 
4645 	if (add_sock_token == 0) {
4646 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4647 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4648 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4649 		return;
4650 	}
4651 
4652 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4653 
4654 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4655 }
4656 
4657 /*ARGSUSED*/
4658 static void
4659 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4660 {
4661 	struct a {
4662 		long	fd;
4663 		long	msg;	/* char */
4664 		long	len;
4665 		long	flags;
4666 		long	to;	/* struct sockaddr */
4667 		long	tolen;
4668 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4669 
4670 	struct sonode	*so;
4671 	char so_laddr[sizeof (struct sockaddr_in6)];
4672 	char so_faddr[sizeof (struct sockaddr_in6)];
4673 	socklen_t	tolen;
4674 	int		err;
4675 	int		fd;
4676 	socklen_t	len;
4677 	short so_family, so_type;
4678 	int		add_sock_token = 0;
4679 	struct file	*fp;
4680 	struct f_audit_data *fad;
4681 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4682 
4683 	fd = (int)uap->fd;
4684 
4685 	/* bail if an error */
4686 	if (error) {
4687 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4688 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4689 		/* XXX include destination address from system call arguments */
4690 		return;
4691 	}
4692 
4693 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4694 		/*
4695 		 * not security relevant if doing a sendto using non socket
4696 		 * so no extra tokens. Should probably turn off audit record
4697 		 * generation here.
4698 		 */
4699 		return;
4700 	}
4701 
4702 	so_family = so->so_family;
4703 	so_type   = so->so_type;
4704 
4705 	/*
4706 	 * only putout SOCKET_EX token if INET/INET6 family.
4707 	 * XXX - what do we do about other families?
4708 	 */
4709 
4710 	switch (so_family) {
4711 	case AF_INET:
4712 	case AF_INET6:
4713 
4714 		/*
4715 		 * if datagram type socket, then just use what is in
4716 		 * socket structure for local address.
4717 		 * XXX - what do we do for other types?
4718 		 */
4719 		if ((so->so_type == SOCK_DGRAM) ||
4720 		    (so->so_type == SOCK_RAW)) {
4721 
4722 			bzero((void *)so_laddr, sizeof (so_laddr));
4723 			bzero((void *)so_faddr, sizeof (so_faddr));
4724 
4725 			/* get local address */
4726 			len = sizeof (so_laddr);
4727 			(void) socket_getsockname(so,
4728 			    (struct sockaddr *)so_laddr, &len, CRED());
4729 
4730 			/* get peer address */
4731 
4732 			/* sanity check */
4733 			if (uap->to == NULL)
4734 				break;
4735 
4736 			/* sanity checks */
4737 			if (uap->tolen == 0)
4738 				break;
4739 
4740 			tolen = (socklen_t)uap->tolen;
4741 
4742 			/* enforce maximum size */
4743 			if (tolen > sizeof (so_faddr))
4744 				tolen = sizeof (so_faddr);
4745 
4746 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4747 				break;
4748 
4749 			add_sock_token = 1;
4750 		} else {
4751 			/*
4752 			 * check if this is first time through.
4753 			 */
4754 
4755 			/* get path from file struct here */
4756 			fad = F2A(fp);
4757 			ASSERT(fad);
4758 
4759 			/*
4760 			 * already processed this file for write attempt
4761 			 */
4762 			if (fad->fad_flags & FAD_WRITE) {
4763 				/* don't want to audit every sendto attempt */
4764 				tad->tad_flag = 0;
4765 				/* free any residual audit data */
4766 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4767 				releasef(fd);
4768 				return;
4769 			}
4770 			/*
4771 			 * mark things so we know what happened and don't
4772 			 * repeat things
4773 			 */
4774 			fad->fad_flags |= FAD_WRITE;
4775 
4776 			bzero((void *)so_laddr, sizeof (so_laddr));
4777 			bzero((void *)so_faddr, sizeof (so_faddr));
4778 
4779 			/* get local and foreign addresses */
4780 			len = sizeof (so_laddr);
4781 			(void) socket_getsockname(so,
4782 			    (struct sockaddr *)so_laddr, &len, CRED());
4783 			len = sizeof (so_faddr);
4784 			(void) socket_getpeername(so,
4785 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4786 
4787 			add_sock_token = 1;
4788 		}
4789 
4790 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4791 
4792 		break;
4793 
4794 	case AF_UNIX:
4795 		/*
4796 		 * first check if this is first time through. Too much
4797 		 * duplicate code to put this in an aui_ routine.
4798 		 */
4799 
4800 		/* get path from file struct here */
4801 		fad = F2A(fp);
4802 		ASSERT(fad);
4803 
4804 		/*
4805 		 * already processed this file for write attempt
4806 		 */
4807 		if (fad->fad_flags & FAD_WRITE) {
4808 			/* don't want to audit every sendto attempt */
4809 			tad->tad_flag = 0;
4810 			/* free any residual audit data */
4811 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4812 			releasef(fd);
4813 			return;
4814 		}
4815 		/*
4816 		 * mark things so we know what happened and don't
4817 		 * repeat things
4818 		 */
4819 		fad->fad_flags |= FAD_WRITE;
4820 
4821 		if (fad->fad_aupath != NULL) {
4822 			au_uwrite(au_to_path(fad->fad_aupath));
4823 		} else {
4824 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4825 		}
4826 
4827 		audit_attributes(fp->f_vnode);
4828 
4829 		releasef(fd);
4830 
4831 		return;
4832 
4833 	default:
4834 		break;
4835 
4836 	}
4837 
4838 	releasef(fd);
4839 
4840 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4841 
4842 	if (add_sock_token == 0) {
4843 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4844 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4845 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4846 		return;
4847 	}
4848 
4849 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4850 
4851 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4852 
4853 }
4854 
4855 /*
4856  * XXX socket(2) may be equivalent to open(2) on a unix domain
4857  * socket. This needs investigation.
4858  */
4859 
4860 /*ARGSUSED*/
4861 static void
4862 aus_socket(struct t_audit_data *tad)
4863 {
4864 	struct a {
4865 		long	domain;
4866 		long	type;
4867 		long	protocol;
4868 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4869 
4870 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4871 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4872 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4873 }
4874 
4875 /*ARGSUSED*/
4876 static void
4877 aus_sigqueue(struct t_audit_data *tad)
4878 {
4879 	struct a {
4880 		long	pid;
4881 		long	signo;
4882 		long	*val;
4883 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4884 	struct proc *p;
4885 	uid_t uid, ruid;
4886 	gid_t gid, rgid;
4887 	pid_t pid;
4888 	const auditinfo_addr_t *ainfo;
4889 	cred_t *cr;
4890 
4891 	pid = (pid_t)uap->pid;
4892 
4893 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4894 	if (pid > 0) {
4895 		mutex_enter(&pidlock);
4896 		if ((p = prfind(pid)) == (struct proc *)0) {
4897 			mutex_exit(&pidlock);
4898 			return;
4899 		}
4900 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4901 		mutex_exit(&pidlock);
4902 
4903 		mutex_enter(&p->p_crlock);
4904 		crhold(cr = p->p_cred);
4905 		mutex_exit(&p->p_crlock);
4906 		mutex_exit(&p->p_lock);
4907 
4908 		ainfo = crgetauinfo(cr);
4909 		if (ainfo == NULL) {
4910 			crfree(cr);
4911 			return;
4912 		}
4913 
4914 		uid  = crgetuid(cr);
4915 		gid  = crgetgid(cr);
4916 		ruid = crgetruid(cr);
4917 		rgid = crgetrgid(cr);
4918 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4919 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4920 		crfree(cr);
4921 	}
4922 	else
4923 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4924 }
4925 
4926 /*ARGSUSED*/
4927 static void
4928 aus_inst_sync(struct t_audit_data *tad)
4929 {
4930 	struct a {
4931 		long	name;	/* char */
4932 		long	flags;
4933 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4934 
4935 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4936 }
4937 
4938 /*ARGSUSED*/
4939 static void
4940 aus_brandsys(struct t_audit_data *tad)
4941 {
4942 	klwp_t *clwp = ttolwp(curthread);
4943 
4944 	struct a {
4945 		long	cmd;
4946 		long	arg1;
4947 		long	arg2;
4948 		long	arg3;
4949 		long	arg4;
4950 		long	arg5;
4951 		long	arg6;
4952 	} *uap = (struct a *)clwp->lwp_ap;
4953 
4954 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4955 #ifdef _LP64
4956 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4957 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4958 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4959 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4960 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4961 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4962 #else
4963 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4964 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4965 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4966 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4967 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4968 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4969 #endif
4970 }
4971 
4972 /*ARGSUSED*/
4973 static void
4974 aus_p_online(struct t_audit_data *tad)
4975 {
4976 	struct a {
4977 		long	processor_id;
4978 		long	flag;
4979 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4980 
4981 	struct flags {
4982 			int	flag;
4983 			char	*cflag;
4984 	} aflags[6] = {
4985 			{ P_ONLINE, "P_ONLINE"},
4986 			{ P_OFFLINE, "P_OFFLINE"},
4987 			{ P_NOINTR, "P_NOINTR"},
4988 			{ P_SPARE, "P_SPARE"},
4989 			{ P_FAULTED, "P_FAULTED"},
4990 			{ P_STATUS, "P_STATUS"}
4991 	};
4992 	int i;
4993 	char *cflag;
4994 
4995 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4996 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4997 
4998 	for (i = 0; i < 6; i++) {
4999 		if (aflags[i].flag == uap->flag)
5000 			break;
5001 	}
5002 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5003 
5004 	au_uwrite(au_to_text(cflag));
5005 }
5006 
5007 /*ARGSUSED*/
5008 static void
5009 aus_processor_bind(struct t_audit_data *tad)
5010 {
5011 	struct a {
5012 		long	id_type;
5013 		long	id;
5014 		long	processor_id;
5015 		long	obind;
5016 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5017 
5018 	struct proc *p;
5019 	int lwpcnt;
5020 	uid_t uid, ruid;
5021 	gid_t gid, rgid;
5022 	pid_t pid;
5023 	const auditinfo_addr_t *ainfo;
5024 	cred_t *cr;
5025 
5026 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5027 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5028 	if (uap->processor_id == PBIND_NONE)
5029 		au_uwrite(au_to_text("PBIND_NONE"));
5030 	else
5031 		au_uwrite(au_to_arg32(3, "processor_id",
5032 		    (uint32_t)uap->processor_id));
5033 
5034 	switch (uap->id_type) {
5035 	case P_MYID:
5036 	case P_LWPID:
5037 		mutex_enter(&pidlock);
5038 		p = ttoproc(curthread);
5039 		if (p == NULL || p->p_as == &kas) {
5040 			mutex_exit(&pidlock);
5041 			return;
5042 		}
5043 		mutex_enter(&p->p_lock);
5044 		mutex_exit(&pidlock);
5045 		lwpcnt = p->p_lwpcnt;
5046 		pid  = p->p_pid;
5047 
5048 		mutex_enter(&p->p_crlock);
5049 		crhold(cr = p->p_cred);
5050 		mutex_exit(&p->p_crlock);
5051 		mutex_exit(&p->p_lock);
5052 
5053 		ainfo = crgetauinfo(cr);
5054 		if (ainfo == NULL) {
5055 			crfree(cr);
5056 			return;
5057 		}
5058 
5059 		uid  = crgetuid(cr);
5060 		gid  = crgetgid(cr);
5061 		ruid = crgetruid(cr);
5062 		rgid = crgetrgid(cr);
5063 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5064 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5065 		crfree(cr);
5066 		break;
5067 	case P_PID:
5068 		mutex_enter(&pidlock);
5069 		p = prfind(uap->id);
5070 		if (p == NULL || p->p_as == &kas) {
5071 			mutex_exit(&pidlock);
5072 			return;
5073 		}
5074 		mutex_enter(&p->p_lock);
5075 		mutex_exit(&pidlock);
5076 		lwpcnt = p->p_lwpcnt;
5077 		pid  = p->p_pid;
5078 
5079 		mutex_enter(&p->p_crlock);
5080 		crhold(cr = p->p_cred);
5081 		mutex_exit(&p->p_crlock);
5082 		mutex_exit(&p->p_lock);
5083 
5084 		ainfo = crgetauinfo(cr);
5085 		if (ainfo == NULL) {
5086 			crfree(cr);
5087 			return;
5088 		}
5089 
5090 		uid  = crgetuid(cr);
5091 		gid  = crgetgid(cr);
5092 		ruid = crgetruid(cr);
5093 		rgid = crgetrgid(cr);
5094 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5095 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5096 		crfree(cr);
5097 
5098 		break;
5099 	default:
5100 		return;
5101 	}
5102 
5103 	if (uap->processor_id == PBIND_NONE &&
5104 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5105 		au_uwrite(au_to_text("PBIND_NONE for process"));
5106 	else
5107 		au_uwrite(au_to_arg32(3, "processor_id",
5108 		    (uint32_t)uap->processor_id));
5109 }
5110 
5111 /*ARGSUSED*/
5112 static au_event_t
5113 aui_doorfs(au_event_t e)
5114 {
5115 	uint32_t code;
5116 
5117 	struct a {		/* doorfs */
5118 		long	a1;
5119 		long	a2;
5120 		long	a3;
5121 		long	a4;
5122 		long	a5;
5123 		long	code;
5124 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5125 
5126 	/*
5127 	 *	audit formats for several of the
5128 	 *	door calls have not yet been determined
5129 	 */
5130 	code = (uint32_t)uap->code;
5131 	switch (code) {
5132 	case DOOR_CALL:
5133 		e = AUE_DOORFS_DOOR_CALL;
5134 		break;
5135 	case DOOR_RETURN:
5136 		e = AUE_NULL;
5137 		break;
5138 	case DOOR_CREATE:
5139 		e = AUE_DOORFS_DOOR_CREATE;
5140 		break;
5141 	case DOOR_REVOKE:
5142 		e = AUE_DOORFS_DOOR_REVOKE;
5143 		break;
5144 	case DOOR_INFO:
5145 		e = AUE_NULL;
5146 		break;
5147 	case DOOR_UCRED:
5148 		e = AUE_NULL;
5149 		break;
5150 	case DOOR_BIND:
5151 		e = AUE_NULL;
5152 		break;
5153 	case DOOR_UNBIND:
5154 		e = AUE_NULL;
5155 		break;
5156 	case DOOR_GETPARAM:
5157 		e = AUE_NULL;
5158 		break;
5159 	case DOOR_SETPARAM:
5160 		e = AUE_NULL;
5161 		break;
5162 	default:	/* illegal system call */
5163 		e = AUE_NULL;
5164 		break;
5165 	}
5166 
5167 	return (e);
5168 }
5169 
5170 static door_node_t *
5171 au_door_lookup(int did)
5172 {
5173 	vnode_t	*vp;
5174 	file_t *fp;
5175 
5176 	if ((fp = getf(did)) == NULL)
5177 		return (NULL);
5178 	/*
5179 	 * Use the underlying vnode (we may be namefs mounted)
5180 	 */
5181 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5182 		vp = fp->f_vnode;
5183 
5184 	if (vp == NULL || vp->v_type != VDOOR) {
5185 		releasef(did);
5186 		return (NULL);
5187 	}
5188 
5189 	return (VTOD(vp));
5190 }
5191 
5192 /*ARGSUSED*/
5193 static void
5194 aus_doorfs(struct t_audit_data *tad)
5195 {
5196 
5197 	struct a {		/* doorfs */
5198 		long	a1;
5199 		long	a2;
5200 		long	a3;
5201 		long	a4;
5202 		long	a5;
5203 		long	code;
5204 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5205 
5206 	door_node_t	*dp;
5207 	struct proc	*p;
5208 	uint32_t	did;
5209 	uid_t uid, ruid;
5210 	gid_t gid, rgid;
5211 	pid_t pid;
5212 	const auditinfo_addr_t *ainfo;
5213 	cred_t *cr;
5214 
5215 	did = (uint32_t)uap->a1;
5216 
5217 	switch (tad->tad_event) {
5218 	case AUE_DOORFS_DOOR_CALL:
5219 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5220 		if ((dp = au_door_lookup(did)) == NULL)
5221 			break;
5222 
5223 		if (DOOR_INVALID(dp)) {
5224 			releasef(did);
5225 			break;
5226 		}
5227 
5228 		if ((p = dp->door_target) == NULL) {
5229 			releasef(did);
5230 			break;
5231 		}
5232 		mutex_enter(&p->p_lock);
5233 		releasef(did);
5234 
5235 		pid  = p->p_pid;
5236 
5237 		mutex_enter(&p->p_crlock);
5238 		crhold(cr = p->p_cred);
5239 		mutex_exit(&p->p_crlock);
5240 		mutex_exit(&p->p_lock);
5241 
5242 		ainfo = crgetauinfo(cr);
5243 		if (ainfo == NULL) {
5244 			crfree(cr);
5245 			return;
5246 		}
5247 		uid  = crgetuid(cr);
5248 		gid  = crgetgid(cr);
5249 		ruid = crgetruid(cr);
5250 		rgid = crgetrgid(cr);
5251 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5252 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5253 		crfree(cr);
5254 		break;
5255 	case AUE_DOORFS_DOOR_RETURN:
5256 		/*
5257 		 * We may want to write information about
5258 		 * all doors (if any) which will be copied
5259 		 * by this call to the user space
5260 		 */
5261 		break;
5262 	case AUE_DOORFS_DOOR_CREATE:
5263 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5264 		break;
5265 	case AUE_DOORFS_DOOR_REVOKE:
5266 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5267 		break;
5268 	case AUE_DOORFS_DOOR_INFO:
5269 		break;
5270 	case AUE_DOORFS_DOOR_CRED:
5271 		break;
5272 	case AUE_DOORFS_DOOR_BIND:
5273 		break;
5274 	case AUE_DOORFS_DOOR_UNBIND: {
5275 		break;
5276 	}
5277 	default:	/* illegal system call */
5278 		break;
5279 	}
5280 }
5281 
5282 /*ARGSUSED*/
5283 static au_event_t
5284 aui_acl(au_event_t e)
5285 {
5286 	struct a {
5287 		union {
5288 			long	name;	/* char */
5289 			long	fd;
5290 		}		obj;
5291 
5292 		long		cmd;
5293 		long		nentries;
5294 		long		arg;	/* aclent_t */
5295 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5296 
5297 	switch (uap->cmd) {
5298 	case SETACL:
5299 	case ACE_SETACL:
5300 		/*
5301 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5302 		 * are expected.
5303 		 */
5304 		break;
5305 	case GETACL:
5306 	case GETACLCNT:
5307 	case ACE_GETACL:
5308 	case ACE_GETACLCNT:
5309 		/* do nothing for these four values. */
5310 		e = AUE_NULL;
5311 		break;
5312 	default:
5313 		/* illegal system call */
5314 		break;
5315 	}
5316 
5317 	return (e);
5318 }
5319 
5320 static void
5321 au_acl(int cmd, int nentries, caddr_t bufp)
5322 {
5323 	size_t		a_size;
5324 	aclent_t	*aclbufp;
5325 	ace_t		*acebufp;
5326 	int		i;
5327 
5328 	switch (cmd) {
5329 	case GETACL:
5330 	case GETACLCNT:
5331 		break;
5332 	case SETACL:
5333 		if (nentries < 3)
5334 			break;
5335 
5336 		a_size = nentries * sizeof (aclent_t);
5337 
5338 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5339 			break;
5340 		if (copyin(bufp, aclbufp, a_size)) {
5341 			kmem_free(aclbufp, a_size);
5342 			break;
5343 		}
5344 		for (i = 0; i < nentries; i++) {
5345 			au_uwrite(au_to_acl(aclbufp + i));
5346 		}
5347 		kmem_free(aclbufp, a_size);
5348 		break;
5349 
5350 	case ACE_SETACL:
5351 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5352 			break;
5353 
5354 		a_size = nentries * sizeof (ace_t);
5355 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5356 			break;
5357 		if (copyin(bufp, acebufp, a_size)) {
5358 			kmem_free(acebufp, a_size);
5359 			break;
5360 		}
5361 		for (i = 0; i < nentries; i++) {
5362 			au_uwrite(au_to_ace(acebufp + i));
5363 		}
5364 		kmem_free(acebufp, a_size);
5365 		break;
5366 	default:
5367 		break;
5368 	}
5369 }
5370 
5371 /*ARGSUSED*/
5372 static void
5373 aus_acl(struct t_audit_data *tad)
5374 {
5375 	struct a {
5376 		long	fname;
5377 		long	cmd;
5378 		long	nentries;
5379 		long	aclbufp;
5380 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5381 
5382 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5383 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5384 
5385 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5386 }
5387 
5388 /*ARGSUSED*/
5389 static void
5390 aus_facl(struct t_audit_data *tad)
5391 {
5392 	struct a {
5393 		long	fd;
5394 		long	cmd;
5395 		long	nentries;
5396 		long	aclbufp;
5397 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5398 	struct file  *fp;
5399 	struct vnode *vp;
5400 	struct f_audit_data *fad;
5401 	int fd;
5402 
5403 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5404 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5405 
5406 	fd = (int)uap->fd;
5407 
5408 	if ((fp = getf(fd)) == NULL)
5409 		return;
5410 
5411 	/* get path from file struct here */
5412 	fad = F2A(fp);
5413 	if (fad->fad_aupath != NULL) {
5414 		au_uwrite(au_to_path(fad->fad_aupath));
5415 	} else {
5416 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5417 	}
5418 
5419 	vp = fp->f_vnode;
5420 	audit_attributes(vp);
5421 
5422 	/* decrement file descriptor reference count */
5423 	releasef(fd);
5424 
5425 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5426 }
5427 
5428 /*ARGSUSED*/
5429 static void
5430 auf_read(tad, error, rval)
5431 	struct t_audit_data *tad;
5432 	int error;
5433 	rval_t *rval;
5434 {
5435 	struct file *fp;
5436 	struct f_audit_data *fad;
5437 	int fd;
5438 	register struct a {
5439 		long	fd;
5440 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5441 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5442 
5443 	fd = (int)uap->fd;
5444 
5445 	/*
5446 	 * convert file pointer to file descriptor
5447 	 *   Note: fd ref count incremented here.
5448 	 */
5449 	if ((fp = getf(fd)) == NULL)
5450 		return;
5451 
5452 	/* get path from file struct here */
5453 	fad = F2A(fp);
5454 	ASSERT(fad);
5455 
5456 	/*
5457 	 * already processed this file for read attempt
5458 	 *
5459 	 * XXX might be better to turn off auditing in a aui_read() routine.
5460 	 */
5461 	if (fad->fad_flags & FAD_READ) {
5462 		/* don't really want to audit every read attempt */
5463 		tad->tad_flag = 0;
5464 		/* free any residual audit data */
5465 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5466 		releasef(fd);
5467 		return;
5468 	}
5469 	/* mark things so we know what happened and don't repeat things */
5470 	fad->fad_flags |= FAD_READ;
5471 
5472 	if (fad->fad_aupath != NULL) {
5473 		au_uwrite(au_to_path(fad->fad_aupath));
5474 	} else {
5475 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5476 	}
5477 
5478 	/* include attributes */
5479 	audit_attributes(fp->f_vnode);
5480 
5481 	/* decrement file descriptor reference count */
5482 	releasef(fd);
5483 }
5484 
5485 /*ARGSUSED*/
5486 static void
5487 auf_write(tad, error, rval)
5488 	struct t_audit_data *tad;
5489 	int error;
5490 	rval_t *rval;
5491 {
5492 	struct file *fp;
5493 	struct f_audit_data *fad;
5494 	int fd;
5495 	register struct a {
5496 		long	fd;
5497 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5498 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5499 
5500 	fd = (int)uap->fd;
5501 
5502 	/*
5503 	 * convert file pointer to file descriptor
5504 	 *   Note: fd ref count incremented here.
5505 	 */
5506 	if ((fp = getf(fd)) == NULL)
5507 		return;
5508 
5509 	/* get path from file struct here */
5510 	fad = F2A(fp);
5511 	ASSERT(fad);
5512 
5513 	/*
5514 	 * already processed this file for write attempt
5515 	 *
5516 	 * XXX might be better to turn off auditing in a aus_write() routine.
5517 	 */
5518 	if (fad->fad_flags & FAD_WRITE) {
5519 		/* don't really want to audit every write attempt */
5520 		tad->tad_flag = 0;
5521 		/* free any residual audit data */
5522 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5523 		releasef(fd);
5524 		return;
5525 	}
5526 	/* mark things so we know what happened and don't repeat things */
5527 	fad->fad_flags |= FAD_WRITE;
5528 
5529 	if (fad->fad_aupath != NULL) {
5530 		au_uwrite(au_to_path(fad->fad_aupath));
5531 	} else {
5532 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5533 	}
5534 
5535 	/* include attributes */
5536 	audit_attributes(fp->f_vnode);
5537 
5538 	/* decrement file descriptor reference count */
5539 	releasef(fd);
5540 }
5541 
5542 /*ARGSUSED*/
5543 static void
5544 auf_recv(tad, error, rval)
5545 	struct t_audit_data *tad;
5546 	int error;
5547 	rval_t *rval;
5548 {
5549 	struct sonode *so;
5550 	char so_laddr[sizeof (struct sockaddr_in6)];
5551 	char so_faddr[sizeof (struct sockaddr_in6)];
5552 	struct file *fp;
5553 	struct f_audit_data *fad;
5554 	int fd;
5555 	int err;
5556 	socklen_t len;
5557 	short so_family, so_type;
5558 	register struct a {
5559 		long	fd;
5560 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5561 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5562 
5563 	/*
5564 	 * If there was an error, then nothing to do. Only generate
5565 	 * audit record on first successful recv.
5566 	 */
5567 	if (error) {
5568 		/* Turn off audit record generation here. */
5569 		tad->tad_flag = 0;
5570 		/* free any residual audit data */
5571 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5572 		return;
5573 	}
5574 
5575 	fd = (int)uap->fd;
5576 
5577 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5578 		/* Turn off audit record generation here. */
5579 		tad->tad_flag = 0;
5580 		/* free any residual audit data */
5581 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5582 		return;
5583 	}
5584 
5585 	/* get path from file struct here */
5586 	fad = F2A(fp);
5587 	ASSERT(fad);
5588 
5589 	/*
5590 	 * already processed this file for read attempt
5591 	 */
5592 	if (fad->fad_flags & FAD_READ) {
5593 		releasef(fd);
5594 		/* don't really want to audit every recv call */
5595 		tad->tad_flag = 0;
5596 		/* free any residual audit data */
5597 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5598 		return;
5599 	}
5600 
5601 	/* mark things so we know what happened and don't repeat things */
5602 	fad->fad_flags |= FAD_READ;
5603 
5604 	so_family = so->so_family;
5605 	so_type   = so->so_type;
5606 
5607 	switch (so_family) {
5608 	case AF_INET:
5609 	case AF_INET6:
5610 		/*
5611 		 * Only for connections.
5612 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5613 		 */
5614 		if (so->so_state & SS_ISBOUND) {
5615 
5616 			bzero((void *)so_laddr, sizeof (so_laddr));
5617 			bzero((void *)so_faddr, sizeof (so_faddr));
5618 
5619 			/* get local and foreign addresses */
5620 			len = sizeof (so_laddr);
5621 			(void) socket_getsockname(so,
5622 			    (struct sockaddr *)so_laddr, &len, CRED());
5623 			len = sizeof (so_faddr);
5624 			(void) socket_getpeername(so,
5625 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5626 
5627 			/*
5628 			 * only way to drop out of switch. Note that we
5629 			 * we release fd below.
5630 			 */
5631 
5632 			break;
5633 		}
5634 
5635 		releasef(fd);
5636 
5637 		/* don't really want to audit every recv call */
5638 		tad->tad_flag = 0;
5639 		/* free any residual audit data */
5640 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5641 
5642 		return;
5643 
5644 	case AF_UNIX:
5645 
5646 		if (fad->fad_aupath != NULL) {
5647 			au_uwrite(au_to_path(fad->fad_aupath));
5648 		} else {
5649 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5650 		}
5651 
5652 		audit_attributes(fp->f_vnode);
5653 
5654 		releasef(fd);
5655 
5656 		return;
5657 
5658 	default:
5659 		releasef(fd);
5660 
5661 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5662 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5663 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5664 
5665 		return;
5666 	}
5667 
5668 	releasef(fd);
5669 
5670 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5671 
5672 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5673 
5674 }
5675 
5676 /*ARGSUSED*/
5677 static void
5678 auf_send(tad, error, rval)
5679 	struct t_audit_data *tad;
5680 	int error;
5681 	rval_t *rval;
5682 {
5683 	struct sonode *so;
5684 	char so_laddr[sizeof (struct sockaddr_in6)];
5685 	char so_faddr[sizeof (struct sockaddr_in6)];
5686 	struct file *fp;
5687 	struct f_audit_data *fad;
5688 	int fd;
5689 	int err;
5690 	socklen_t len;
5691 	short so_family, so_type;
5692 	register struct a {
5693 		long	fd;
5694 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5695 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5696 
5697 	fd = (int)uap->fd;
5698 
5699 	/*
5700 	 * If there was an error, then nothing to do. Only generate
5701 	 * audit record on first successful send.
5702 	 */
5703 	if (error != 0) {
5704 		/* Turn off audit record generation here. */
5705 		tad->tad_flag = 0;
5706 		/* free any residual audit data */
5707 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5708 		return;
5709 	}
5710 
5711 	fd = (int)uap->fd;
5712 
5713 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5714 		/* Turn off audit record generation here. */
5715 		tad->tad_flag = 0;
5716 		/* free any residual audit data */
5717 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5718 		return;
5719 	}
5720 
5721 	/* get path from file struct here */
5722 	fad = F2A(fp);
5723 	ASSERT(fad);
5724 
5725 	/*
5726 	 * already processed this file for write attempt
5727 	 */
5728 	if (fad->fad_flags & FAD_WRITE) {
5729 		releasef(fd);
5730 		/* don't really want to audit every send call */
5731 		tad->tad_flag = 0;
5732 		/* free any residual audit data */
5733 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5734 		return;
5735 	}
5736 
5737 	/* mark things so we know what happened and don't repeat things */
5738 	fad->fad_flags |= FAD_WRITE;
5739 
5740 	so_family = so->so_family;
5741 	so_type   = so->so_type;
5742 
5743 	switch (so_family) {
5744 	case AF_INET:
5745 	case AF_INET6:
5746 		/*
5747 		 * Only for connections.
5748 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5749 		 */
5750 		if (so->so_state & SS_ISBOUND) {
5751 
5752 			bzero((void *)so_laddr, sizeof (so_laddr));
5753 			bzero((void *)so_faddr, sizeof (so_faddr));
5754 
5755 			/* get local and foreign addresses */
5756 			len = sizeof (so_laddr);
5757 			(void) socket_getsockname(so,
5758 			    (struct sockaddr *)so_laddr, &len, CRED());
5759 			len = sizeof (so_faddr);
5760 			(void) socket_getpeername(so,
5761 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5762 
5763 			/*
5764 			 * only way to drop out of switch. Note that we
5765 			 * we release fd below.
5766 			 */
5767 
5768 			break;
5769 		}
5770 
5771 		releasef(fd);
5772 		/* don't really want to audit every send call */
5773 		tad->tad_flag = 0;
5774 		/* free any residual audit data */
5775 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5776 
5777 		return;
5778 
5779 	case AF_UNIX:
5780 
5781 		if (fad->fad_aupath != NULL) {
5782 			au_uwrite(au_to_path(fad->fad_aupath));
5783 		} else {
5784 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5785 		}
5786 
5787 		audit_attributes(fp->f_vnode);
5788 
5789 		releasef(fd);
5790 
5791 		return;
5792 
5793 	default:
5794 		releasef(fd);
5795 
5796 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5797 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5798 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5799 
5800 		return;
5801 	}
5802 
5803 	releasef(fd);
5804 
5805 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5806 
5807 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5808 }
5809 
5810 static au_event_t
5811 aui_forksys(au_event_t e)
5812 {
5813 	struct a {
5814 		long	subcode;
5815 		long	flags;
5816 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5817 
5818 	switch ((uint_t)uap->subcode) {
5819 	case 0:
5820 		e = AUE_FORK1;
5821 		break;
5822 	case 1:
5823 		e = AUE_FORKALL;
5824 		break;
5825 	case 2:
5826 		e = AUE_VFORK;
5827 		break;
5828 	default:
5829 		e = AUE_NULL;
5830 		break;
5831 	}
5832 
5833 	return (e);
5834 }
5835 
5836 /*ARGSUSED*/
5837 static au_event_t
5838 aui_portfs(au_event_t e)
5839 {
5840 	struct a {		/* portfs */
5841 		long	a1;
5842 		long	a2;
5843 		long	a3;
5844 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5845 
5846 	/*
5847 	 * check opcode
5848 	 */
5849 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5850 	case PORT_ASSOCIATE:
5851 		/* check source */
5852 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5853 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5854 			e = AUE_PORTFS_ASSOCIATE;
5855 		} else {
5856 			e = AUE_NULL;
5857 		}
5858 		break;
5859 	case PORT_DISSOCIATE:
5860 		/* check source */
5861 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5862 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5863 			e = AUE_PORTFS_DISSOCIATE;
5864 		} else {
5865 			e = AUE_NULL;
5866 		}
5867 		break;
5868 	default:
5869 		e = AUE_NULL;
5870 	}
5871 	return (e);
5872 }
5873