xref: /illumos-gate/usr/src/uts/common/c2/audit_event.c (revision 6124874e2cec65f2e7a974b3833b05dbf2a7d905)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * This file contains the audit event table used to control the production
29  * of audit records for each system call.
30  */
31 
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h>	/* for sysinfo auditing */
37 #include <sys/utsname.h>	/* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h>		/* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h>		/* for accept */
56 #include <sys/utssys.h>		/* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80 
81 
82 char	_depends_on[] = "fs/sockfs";
83 
84 static au_event_t	aui_open(au_event_t);
85 static au_event_t	aui_fsat(au_event_t);
86 static au_event_t	aui_msgsys(au_event_t);
87 static au_event_t	aui_shmsys(au_event_t);
88 static au_event_t	aui_semsys(au_event_t);
89 static au_event_t	aui_utssys(au_event_t);
90 static au_event_t	aui_fcntl(au_event_t);
91 static au_event_t	aui_execv(au_event_t);
92 static au_event_t	aui_execve(au_event_t);
93 static au_event_t	aui_memcntl(au_event_t);
94 static au_event_t	aui_sysinfo(au_event_t);
95 static au_event_t	aui_portfs(au_event_t);
96 static au_event_t	aui_auditsys(au_event_t);
97 static au_event_t	aui_modctl(au_event_t);
98 static au_event_t	aui_acl(au_event_t);
99 static au_event_t	aui_doorfs(au_event_t);
100 static au_event_t	aui_privsys(au_event_t);
101 static au_event_t	aui_forksys(au_event_t);
102 static au_event_t	aui_labelsys(au_event_t);
103 static au_event_t	aui_setpgrp(au_event_t);
104 
105 static void	aus_open(struct t_audit_data *);
106 static void	aus_acl(struct t_audit_data *);
107 static void	aus_acct(struct t_audit_data *);
108 static void	aus_chown(struct t_audit_data *);
109 static void	aus_fchown(struct t_audit_data *);
110 static void	aus_lchown(struct t_audit_data *);
111 static void	aus_chmod(struct t_audit_data *);
112 static void	aus_facl(struct t_audit_data *);
113 static void	aus_fchmod(struct t_audit_data *);
114 static void	aus_fcntl(struct t_audit_data *);
115 static void	aus_fsat(struct t_audit_data *);
116 static void	aus_mkdir(struct t_audit_data *);
117 static void	aus_mknod(struct t_audit_data *);
118 static void	aus_mount(struct t_audit_data *);
119 static void	aus_umount(struct t_audit_data *);
120 static void	aus_umount2(struct t_audit_data *);
121 static void	aus_msgsys(struct t_audit_data *);
122 static void	aus_semsys(struct t_audit_data *);
123 static void	aus_close(struct t_audit_data *);
124 static void	aus_fstatfs(struct t_audit_data *);
125 static void	aus_setgid(struct t_audit_data *);
126 static void	aus_setpgrp(struct t_audit_data *);
127 static void	aus_setuid(struct t_audit_data *);
128 static void	aus_shmsys(struct t_audit_data *);
129 static void	aus_doorfs(struct t_audit_data *);
130 static void	aus_ioctl(struct t_audit_data *);
131 static void	aus_memcntl(struct t_audit_data *);
132 static void	aus_mmap(struct t_audit_data *);
133 static void	aus_munmap(struct t_audit_data *);
134 static void	aus_priocntlsys(struct t_audit_data *);
135 static void	aus_setegid(struct t_audit_data *);
136 static void	aus_setgroups(struct t_audit_data *);
137 static void	aus_seteuid(struct t_audit_data *);
138 static void	aus_putmsg(struct t_audit_data *);
139 static void	aus_putpmsg(struct t_audit_data *);
140 static void	aus_getmsg(struct t_audit_data *);
141 static void	aus_getpmsg(struct t_audit_data *);
142 static void	aus_auditsys(struct t_audit_data *);
143 static void	aus_sysinfo(struct t_audit_data *);
144 static void	aus_modctl(struct t_audit_data *);
145 static void	aus_kill(struct t_audit_data *);
146 static void	aus_xmknod(struct t_audit_data *);
147 static void	aus_setregid(struct t_audit_data *);
148 static void	aus_setreuid(struct t_audit_data *);
149 static void	aus_labelsys(struct t_audit_data *);
150 
151 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
152 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
153 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
154 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
155 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
156 static void	auf_read(struct t_audit_data *, int, rval_t *);
157 static void	auf_write(struct t_audit_data *, int, rval_t *);
158 
159 static void	aus_sigqueue(struct t_audit_data *);
160 static void	aus_p_online(struct t_audit_data *);
161 static void	aus_processor_bind(struct t_audit_data *);
162 static void	aus_inst_sync(struct t_audit_data *);
163 static void	aus_brandsys(struct t_audit_data *);
164 
165 static void	auf_accept(struct t_audit_data *, int, rval_t *);
166 
167 static void	auf_bind(struct t_audit_data *, int, rval_t *);
168 static void	auf_connect(struct t_audit_data *, int, rval_t *);
169 static void	aus_shutdown(struct t_audit_data *);
170 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
171 static void	aus_sockconfig(struct t_audit_data *);
172 static void	auf_recv(struct t_audit_data *, int, rval_t *);
173 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
174 static void	auf_send(struct t_audit_data *, int, rval_t *);
175 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
176 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
177 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
178 static void	aus_socket(struct t_audit_data *);
179 /*
180  * This table contains mapping information for converting system call numbers
181  * to audit event IDs. In several cases it is necessary to map a single system
182  * call to several events.
183  */
184 
185 #define	aui_null	NULL	/* NULL initialize function */
186 #define	aus_null	NULL	/* NULL start function */
187 #define	auf_null	NULL	/* NULL finish function */
188 
189 struct audit_s2e audit_s2e[] =
190 {
191 /*
192  * ----------	---------- 	----------	----------
193  * INITIAL	AUDIT		START		SYSTEM
194  * PROCESSING	EVENT		PROCESSING	CALL
195  * ----------	----------	----------	-----------
196  *		FINISH		EVENT
197  *		PROCESSING	CONTROL
198  * ----------------------------------------------------------
199  */
200 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
201 		auf_null,	0,
202 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
203 		auf_null,	S2E_NPT,
204 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
205 		auf_null,	0,
206 aui_null,	AUE_READ,	aus_null,	/* 3 read */
207 		auf_read,	S2E_PUB,
208 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
209 		auf_write,	0,
210 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
211 		auf_null,	S2E_SP,
212 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
213 		auf_null,	0,
214 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
215 		auf_null,	0,
216 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
217 		auf_null,	S2E_SP,
218 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
219 		auf_null,	0,
220 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
221 		auf_null,	0,
222 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
223 		auf_null,	S2E_MLD,
224 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
225 		auf_null,	S2E_SP,
226 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
227 		auf_null,	0,
228 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
229 		auf_mknod,	0,
230 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
231 		auf_null,	0,
232 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
233 		auf_null,	0,
234 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
235 		auf_null,	0,
236 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
237 		auf_null,	S2E_PUB,
238 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
239 		auf_null,	0,
240 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
241 		auf_null,	0,
242 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
243 		auf_null,	S2E_MLD,
244 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
245 		auf_null,	0,
246 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
247 		auf_null,	0,
248 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
249 		auf_null,	0,
250 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
251 		auf_null,	0,
252 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
253 		auf_null,	0,
254 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
255 		auf_null,	0,
256 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
257 		auf_null,	0,
258 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
259 		auf_null,	0,
260 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
261 		auf_null,	0,
262 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
263 		auf_null,	0,
264 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
265 		auf_null,	0,
266 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
267 		auf_null,	S2E_PUB,
268 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
269 		auf_null,	0,
270 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
271 		auf_null,	S2E_PUB,
272 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
273 		auf_null,	0,
274 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
275 		auf_null,	0,
276 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
277 		auf_null,	S2E_PUB,
278 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
279 		auf_null,	0,
280 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
281 		auf_null,	0,
282 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
283 		auf_null,	0,
284 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
285 		auf_null,	0,
286 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
287 		auf_null,	0,
288 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
289 		auf_null,	0,
290 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
291 						/*	was proc lock */
292 		auf_null,	0,
293 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
294 		auf_null,	0,
295 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
296 		auf_null,	0,
297 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
298 		auf_null,	0,
299 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
300 		auf_msgsys,	0,
301 #if defined(__x86)
302 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
303 		auf_null,	0,
304 #else
305 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
306 		auf_null,	0,
307 #endif /* __x86 */
308 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
309 		auf_null,	0,
310 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
311 		auf_shmsys,	0,
312 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
313 		auf_semsys,	0,
314 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
315 		auf_null,	0,
316 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
317 		auf_null,	0,
318 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
319 		auf_null,	0,
320 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
321 		auf_null,	0,
322 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
323 		auf_null,	0,
324 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
325 		auf_null,	S2E_MLD,
326 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
327 		auf_null,	0,
328 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
329 		auf_null,	S2E_SP,
330 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
331 		auf_null,	0,
332 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
333 		auf_null,	0,
334 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
335 		auf_null,	0,
336 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
337 		auf_null,	0,
338 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
339 		auf_null,	0,
340 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
341 						/*	file locking call */
342 		auf_null,	0,
343 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
344 						/*	local system calls */
345 		auf_null,	0,
346 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
347 		auf_null,	0,
348 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
359 						/*	was sigret (SunOS) */
360 		auf_null,	0,
361 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
362 		auf_null,	0,
363 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
364 		auf_null,	0,
365 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
366 		auf_null,	0,
367 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
368 		auf_null,	0,
369 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
370 		auf_null,	0,
371 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
372 		auf_null,	0,
373 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
374 						/*	was libattach */
375 		auf_null,	0,
376 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
377 						/*	was libdetach */
378 		auf_null,	0,
379 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
380 		auf_null,	0,
381 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
382 		auf_null,	0,
383 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
384 		auf_null,	0,
385 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
386 		auf_null,	0,
387 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
388 		auf_null,	S2E_PUB,
389 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
390 		auf_null,	0,
391 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
392 		auf_null,	S2E_PUB,
393 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
394 		auf_null,	0,
395 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
396 		auf_null,	0,
397 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
398 		auf_null,	0,
399 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
400 		auf_null,	0,
401 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
402 		auf_null,	0,
403 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
404 		auf_null,	0,
405 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
406 		auf_null,	0,
407 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
408 		auf_null,	0,
409 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
410 		auf_null,	0,
411 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
412 		auf_null,	0,
413 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
414 		auf_null,	0,
415 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
416 						/*	was evtrapret */
417 		auf_null,	0,
418 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
419 		auf_null,	S2E_PUB,
420 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
423 		auf_null,	0,
424 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
425 		auf_null,	0,
426 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
427 		auf_null,	0,
428 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
429 		auf_null,	0,
430 #if defined(__x86)
431 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
432 		auf_null,	0,
433 #else
434 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
435 		auf_null,	0,
436 #endif /* __x86 */
437 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
438 		auf_null,	0,
439 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
440 		auf_null,	0,
441 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
442 		auf_null,	0,		/* 112 priocntlsys */
443 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
444 		auf_null,	S2E_PUB,
445 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
446 		auf_null,	0,
447 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
448 		auf_null,	0,
449 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
450 		auf_null,	0,
451 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
452 		auf_null,	0,
453 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
454 		auf_null,	0,
455 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
456 		auf_null,	0,
457 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
458 		auf_null,	0,
459 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
460 		auf_read,	S2E_PUB,
461 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
462 		auf_write,	0,
463 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
464 		auf_null,	S2E_PUB,
465 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
466 		auf_null,	S2E_PUB,
467 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
468 		auf_null,	0,
469 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
470 		auf_xmknod,	0,
471 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
472 		auf_null,	0,
473 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
474 		auf_null,	0,
475 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
476 		auf_null,	0,
477 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
478 		auf_null,	0,
479 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
480 		auf_null,	0,
481 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
482 		auf_null,	0,
483 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
484 		auf_null,	0,
485 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
486 		auf_null,	0,
487 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
488 		auf_null,	0,
489 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
490 		auf_null,	0,
491 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
492 		auf_null,	0,
493 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
494 		auf_null,	0,
495 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
496 		auf_null,	0,
497 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
498 		auf_null,	0,
499 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
500 		auf_null,	0,
501 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
502 		auf_null,	0,
503 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
506 		auf_null,	0,
507 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
508 		auf_null,	0,
509 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
510 		auf_null,	0,
511 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
512 		auf_null,	0,
513 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
514 		auf_null,	0,
515 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
516 		auf_null,	0,
517 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
518 		auf_null,	0,
519 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
520 		auf_null,	0,
521 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
522 		auf_null,	0,
523 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
524 		auf_null,	0,
525 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
526 		auf_null,	0,
527 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
528 		auf_null,	0,
529 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
530 		auf_null,	0,
531 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
532 		auf_null,	0,
533 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
534 		auf_null,	0,
535 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
536 		auf_null,	0,
537 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
538 		auf_null,	0,
539 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
540 		auf_null,	0,
541 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
542 		auf_null,	0,
543 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
544 		auf_null,	0,
545 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
546 		auf_null,	0,
547 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
548 						/*	was lwp_setprivate */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
551 						/*	was lwp_getprivate */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
558 		auf_null,	0,
559 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
560 		auf_null,	0,
561 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
562 		auf_null,	0,
563 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
564 		auf_null,	0,
565 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
566 		auf_read,	S2E_PUB,
567 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
568 		auf_write,	0,
569 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
570 		auf_null,	0,
571 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
572 						/* aus_inst_sync */
573 		auf_null,	0,
574 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
575 		auf_null,	0,
576 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
577 		auf_null,	0,
578 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
579 		auf_null,	0,
580 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
581 		auf_null,	0,
582 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
583 		auf_null,	0,
584 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
585 		auf_null,	S2E_MLD,
586 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
587 		auf_null,	0,
588 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
589 		auf_null,	0,
590 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
591 		auf_null,	0,
592 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
593 		auf_null,	0,
594 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
595 		auf_null,	0,		/* 187 processor_bind */
596 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
597 		auf_null,	0,
598 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
599 		auf_null,	0,
600 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
601 		auf_null,	0,
602 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
603 		auf_null,	0,
604 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
605 		auf_null,	0,
606 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
607 		auf_null,	0,
608 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
609 		auf_null,	0,
610 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
611 		auf_null,	0,
612 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
613 		auf_null,	0,
614 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
615 		auf_null,	0,
616 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
617 		auf_null,	0,
618 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
619 		auf_null,	0,
620 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
621 		auf_null,	0,
622 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
623 		auf_null,	0,
624 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
625 		auf_null,	0,
626 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
627 		auf_null,	0,
628 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
629 		auf_null,	0,
630 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
631 		auf_null,	0,
632 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
633 		auf_null,	0,
634 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
635 		auf_null,	0,
636 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
637 		auf_null,	0,
638 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
639 		auf_null,	0,
640 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
641 		auf_null,	0,
642 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
643 		auf_null,	0,
644 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
645 		auf_null,	0,
646 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
647 		auf_null,	0,
648 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
649 		auf_null,	0,
650 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
651 		auf_null,	S2E_PUB,
652 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
653 		auf_null,	S2E_PUB,
654 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
655 		auf_null,	0,
656 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
657 		auf_null,	S2E_PUB,
658 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
659 		auf_null,	0,
660 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
661 		auf_null,	0,
662 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
663 		auf_null,	0,
664 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
665 		auf_read,	S2E_PUB,
666 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
667 		auf_write,	0,
668 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
669 		auf_null,	S2E_SP,
670 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
671 		auf_null,	S2E_SP,
672 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
673 		auf_null,	0,
674 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
675 		auf_null,	0,
676 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
677 		auf_null,	0,
678 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
679 		auf_null,	0,
680 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
681 		auf_null,	0,
682 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
683 		auf_null,	0,
684 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
685 		auf_bind,	0,
686 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
687 		auf_null,	0,
688 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
689 		auf_accept,	0,
690 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
691 		auf_connect,	0,
692 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
693 		auf_null,	0,
694 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
695 		auf_recv,	0,
696 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
697 		auf_recvfrom,	0,
698 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
699 		auf_recvmsg,	0,
700 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
701 		auf_send,	0,
702 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
703 		auf_sendmsg,	0,
704 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
705 		auf_sendto,	0,
706 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
707 		auf_null,	0,
708 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
709 		auf_null,	0,
710 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
711 		auf_null,	0,
712 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
713 		auf_setsockopt,	0,
714 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
715 		auf_null,	0,
716 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
717 		auf_null,	0,
718 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
719 		auf_null,	0,
720 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
721 		auf_null,	0,
722 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
723 		auf_null,	0,
724 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
725 		auf_null,	0,
726 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
727 		auf_null,	0,
728 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
729 		auf_null,	0,
730 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
731 		auf_null,	0
732 };
733 
734 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
735 
736 
737 /* acct start function */
738 /*ARGSUSED*/
739 static void
740 aus_acct(struct t_audit_data *tad)
741 {
742 	klwp_t *clwp = ttolwp(curthread);
743 	uintptr_t fname;
744 
745 	struct a {
746 		long	fname;		/* char * */
747 	} *uap = (struct a *)clwp->lwp_ap;
748 
749 	fname = (uintptr_t)uap->fname;
750 
751 	if (fname == 0)
752 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
753 }
754 
755 /* chown start function */
756 /*ARGSUSED*/
757 static void
758 aus_chown(struct t_audit_data *tad)
759 {
760 	klwp_t *clwp = ttolwp(curthread);
761 	uint32_t uid, gid;
762 
763 	struct a {
764 		long	fname;		/* char * */
765 		long	uid;
766 		long	gid;
767 	} *uap = (struct a *)clwp->lwp_ap;
768 
769 	uid = (uint32_t)uap->uid;
770 	gid = (uint32_t)uap->gid;
771 
772 	au_uwrite(au_to_arg32(2, "new file uid", uid));
773 	au_uwrite(au_to_arg32(3, "new file gid", gid));
774 }
775 
776 /* fchown start function */
777 /*ARGSUSED*/
778 static void
779 aus_fchown(struct t_audit_data *tad)
780 {
781 	klwp_t *clwp = ttolwp(curthread);
782 	uint32_t uid, gid, fd;
783 	struct file  *fp;
784 	struct vnode *vp;
785 	struct f_audit_data *fad;
786 
787 	struct a {
788 		long fd;
789 		long uid;
790 		long gid;
791 	} *uap = (struct a *)clwp->lwp_ap;
792 
793 	fd  = (uint32_t)uap->fd;
794 	uid = (uint32_t)uap->uid;
795 	gid = (uint32_t)uap->gid;
796 
797 	au_uwrite(au_to_arg32(2, "new file uid", uid));
798 	au_uwrite(au_to_arg32(3, "new file gid", gid));
799 
800 		/*
801 		 * convert file pointer to file descriptor
802 		 *   Note: fd ref count incremented here.
803 		 */
804 	if ((fp = getf(fd)) == NULL)
805 		return;
806 
807 	/* get path from file struct here */
808 	fad = F2A(fp);
809 	if (fad->fad_aupath != NULL) {
810 		au_uwrite(au_to_path(fad->fad_aupath));
811 	} else {
812 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
813 	}
814 
815 	vp = fp->f_vnode;
816 	audit_attributes(vp);
817 
818 	/* decrement file descriptor reference count */
819 	releasef(fd);
820 }
821 
822 /*ARGSUSED*/
823 static void
824 aus_lchown(struct t_audit_data *tad)
825 {
826 	klwp_t *clwp = ttolwp(curthread);
827 	uint32_t uid, gid;
828 
829 
830 	struct a {
831 		long	fname;		/* char	* */
832 		long	uid;
833 		long	gid;
834 	} *uap = (struct a *)clwp->lwp_ap;
835 
836 	uid = (uint32_t)uap->uid;
837 	gid = (uint32_t)uap->gid;
838 
839 	au_uwrite(au_to_arg32(2, "new file uid", uid));
840 	au_uwrite(au_to_arg32(3, "new file gid", gid));
841 }
842 
843 /* chmod start function */
844 /*ARGSUSED*/
845 static void
846 aus_chmod(struct t_audit_data *tad)
847 {
848 	klwp_t *clwp = ttolwp(curthread);
849 	uint32_t fmode;
850 
851 	struct a {
852 		long	fname;		/* char	* */
853 		long	fmode;
854 	} *uap = (struct a *)clwp->lwp_ap;
855 
856 	fmode = (uint32_t)uap->fmode;
857 
858 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
859 }
860 
861 /* chmod start function */
862 /*ARGSUSED*/
863 static void
864 aus_fchmod(struct t_audit_data *tad)
865 {
866 	klwp_t *clwp = ttolwp(curthread);
867 	uint32_t fmode, fd;
868 	struct file  *fp;
869 	struct vnode *vp;
870 	struct f_audit_data *fad;
871 
872 	struct a {
873 		long	fd;
874 		long	fmode;
875 	} *uap = (struct a *)clwp->lwp_ap;
876 
877 	fd = (uint32_t)uap->fd;
878 	fmode = (uint32_t)uap->fmode;
879 
880 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
881 
882 		/*
883 		 * convert file pointer to file descriptor
884 		 *   Note: fd ref count incremented here.
885 		 */
886 	if ((fp = getf(fd)) == NULL)
887 		return;
888 
889 		/* get path from file struct here */
890 	fad = F2A(fp);
891 	if (fad->fad_aupath != NULL) {
892 		au_uwrite(au_to_path(fad->fad_aupath));
893 	} else {
894 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
895 	}
896 
897 	vp = fp->f_vnode;
898 	audit_attributes(vp);
899 
900 	/* decrement file descriptor reference count */
901 	releasef(fd);
902 }
903 
904 
905 /* convert open to appropriate event */
906 static au_event_t
907 aui_open(au_event_t e)
908 {
909 	klwp_t *clwp = ttolwp(curthread);
910 	uint_t fm;
911 
912 	struct a {
913 		long	fnamep;		/* char	* */
914 		long	fmode;
915 		long	cmode;
916 	} *uap = (struct a *)clwp->lwp_ap;
917 
918 	fm = (uint_t)uap->fmode;
919 
920 	if (fm & O_WRONLY)
921 		e = AUE_OPEN_W;
922 	else if (fm & O_RDWR)
923 		e = AUE_OPEN_RW;
924 	else
925 		e = AUE_OPEN_R;
926 
927 	if (fm & O_CREAT)
928 		e += 1;
929 	if (fm & O_TRUNC)
930 		e += 2;
931 
932 	return (e);
933 }
934 
935 /*ARGSUSED*/
936 static void
937 aus_open(struct t_audit_data *tad)
938 {
939 	klwp_t *clwp = ttolwp(curthread);
940 	uint_t fm;
941 
942 	struct a {
943 		long	fnamep;		/* char	* */
944 		long	fmode;
945 		long	cmode;
946 	} *uap = (struct a *)clwp->lwp_ap;
947 
948 	fm = (uint_t)uap->fmode;
949 
950 	/* If no write, create, or trunc modes, mark as a public op */
951 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
952 		tad->tad_ctrl |= PAD_PUBLIC_EV;
953 }
954 
955 /* convert openat(2) to appropriate event */
956 static au_event_t
957 aui_fsat(au_event_t e)
958 {
959 	t_audit_data_t	*tad = U2A(u);
960 	klwp_t *clwp = ttolwp(curthread);
961 	uint_t fmcode, fm;
962 	struct a {
963 		long id;
964 		long arg1;
965 		long arg2;
966 		long arg3;
967 		long arg4;
968 		long arg5;
969 	} *uap = (struct a *)clwp->lwp_ap;
970 
971 	fmcode  = (uint_t)uap->id;
972 
973 	switch (fmcode) {
974 
975 	case 0: /* openat */
976 	case 1: /* openat64 */
977 		fm = (uint_t)uap->arg3;
978 		if (fm & O_WRONLY)
979 			e = AUE_OPENAT_W;
980 		else if (fm & O_RDWR)
981 			e = AUE_OPENAT_RW;
982 		else
983 			e = AUE_OPENAT_R;
984 
985 		/*
986 		 * openat modes are defined in the following order:
987 		 * Read only
988 		 * Read|Create
989 		 * Read|Trunc
990 		 * Read|Create|Trunc
991 		 * Write Only
992 		 * Write|Create
993 		 * Write|Trunc
994 		 * Write|Create|Trunc * RW Only
995 		 * RW|Create
996 		 * RW|Trunc
997 		 * RW|Create|Trunc
998 		 */
999 		if (fm & O_CREAT)
1000 			e += 1;		/* increment to include CREAT in mode */
1001 		if (fm & O_TRUNC)
1002 			e += 2;		/* increment to include TRUNC in mode */
1003 
1004 		/* convert to appropriate au_ctrl */
1005 		tad->tad_ctrl |= PAD_SAVPATH;
1006 		if (fm & FXATTR)
1007 			tad->tad_ctrl |= PAD_ATPATH;
1008 
1009 
1010 		break;
1011 	case 2: /* fstatat64 */
1012 	case 3: /* fstatat */
1013 		e = AUE_FSTATAT;
1014 		break;
1015 	case 4: /* fchownat */
1016 		e = AUE_FCHOWNAT;
1017 		break;
1018 	case 5: /* unlinkat */
1019 		e = AUE_UNLINKAT;
1020 		break;
1021 	case 6: /* futimesat */
1022 		e = AUE_FUTIMESAT;
1023 		break;
1024 	case 7: /* renameat */
1025 		e = AUE_RENAMEAT;
1026 		break;
1027 	case 8: /* faccessat */
1028 		e = AUE_FACCESSAT;
1029 		break;
1030 	case 9: /* __openattrdirat */
1031 		tad->tad_ctrl |= PAD_SAVPATH;
1032 		/*FALLTHROUGH*/
1033 	default:
1034 		e = AUE_NULL;
1035 		break;
1036 	}
1037 
1038 	return (e);
1039 }
1040 
1041 /*ARGSUSED*/
1042 static void
1043 aus_fsat(struct t_audit_data *tad)
1044 {
1045 	klwp_t *clwp = ttolwp(curthread);
1046 	uint_t fmcode, fm;
1047 	struct a {
1048 		long id;
1049 		long arg1;
1050 		long arg2;
1051 		long arg3;
1052 		long arg4;
1053 		long arg5;
1054 	} *uap = (struct a *)clwp->lwp_ap;
1055 
1056 	fmcode  = (uint_t)uap->id;
1057 
1058 	switch (fmcode) {
1059 
1060 	case 0: /* openat */
1061 	case 1: /* openat64 */
1062 		fm = (uint_t)uap->arg3;
1063 		/* If no write, create, or trunc modes, mark as a public op */
1064 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1065 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1066 
1067 		break;
1068 	case 2: /* fstatat64 */
1069 	case 3: /* fstatat */
1070 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1071 		break;
1072 	default:
1073 		break;
1074 	}
1075 }
1076 
1077 /* msgsys */
1078 static au_event_t
1079 aui_msgsys(au_event_t e)
1080 {
1081 	klwp_t *clwp = ttolwp(curthread);
1082 	uint_t fm;
1083 
1084 	struct a {
1085 		long	id;	/* function code id */
1086 		long	ap;	/* arg pointer for recvmsg */
1087 	} *uap = (struct a *)clwp->lwp_ap;
1088 
1089 	struct b {
1090 		long	msgid;
1091 		long	cmd;
1092 		long	buf;	/* struct msqid_ds * */
1093 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1094 
1095 	fm  = (uint_t)uap->id;
1096 
1097 	switch (fm) {
1098 	case 0:		/* msgget */
1099 		e = AUE_MSGGET;
1100 		break;
1101 	case 1:		/* msgctl */
1102 		switch ((uint_t)uap1->cmd) {
1103 		case IPC_RMID:
1104 			e = AUE_MSGCTL_RMID;
1105 			break;
1106 		case IPC_SET:
1107 			e = AUE_MSGCTL_SET;
1108 			break;
1109 		case IPC_STAT:
1110 			e = AUE_MSGCTL_STAT;
1111 			break;
1112 		default:
1113 			e = AUE_MSGCTL;
1114 			break;
1115 		}
1116 		break;
1117 	case 2:		/* msgrcv */
1118 		e = AUE_MSGRCV;
1119 		break;
1120 	case 3:		/* msgsnd */
1121 		e = AUE_MSGSND;
1122 		break;
1123 	default:	/* illegal system call */
1124 		e = AUE_NULL;
1125 		break;
1126 	}
1127 
1128 	return (e);
1129 }
1130 
1131 
1132 /* shmsys */
1133 static au_event_t
1134 aui_shmsys(au_event_t e)
1135 {
1136 	klwp_t *clwp = ttolwp(curthread);
1137 	int fm;
1138 
1139 	struct a {		/* shmsys */
1140 		long	id;	/* function code id */
1141 	} *uap = (struct a *)clwp->lwp_ap;
1142 
1143 	struct b {		/* ctrl */
1144 		long	shmid;
1145 		long	cmd;
1146 		long	arg;		/* struct shmid_ds * */
1147 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1148 	fm  = (uint_t)uap->id;
1149 
1150 	switch (fm) {
1151 	case 0:		/* shmat */
1152 		e = AUE_SHMAT;
1153 		break;
1154 	case 1:		/* shmctl */
1155 		switch ((uint_t)uap1->cmd) {
1156 		case IPC_RMID:
1157 			e = AUE_SHMCTL_RMID;
1158 			break;
1159 		case IPC_SET:
1160 			e = AUE_SHMCTL_SET;
1161 			break;
1162 		case IPC_STAT:
1163 			e = AUE_SHMCTL_STAT;
1164 			break;
1165 		default:
1166 			e = AUE_SHMCTL;
1167 			break;
1168 		}
1169 		break;
1170 	case 2:		/* shmdt */
1171 		e = AUE_SHMDT;
1172 		break;
1173 	case 3:		/* shmget */
1174 		e = AUE_SHMGET;
1175 		break;
1176 	default:	/* illegal system call */
1177 		e = AUE_NULL;
1178 		break;
1179 	}
1180 
1181 	return (e);
1182 }
1183 
1184 
1185 /* semsys */
1186 static au_event_t
1187 aui_semsys(au_event_t e)
1188 {
1189 	klwp_t *clwp = ttolwp(curthread);
1190 	uint_t fm;
1191 
1192 	struct a {		/* semsys */
1193 		long	id;
1194 	} *uap = (struct a *)clwp->lwp_ap;
1195 
1196 	struct b {		/* ctrl */
1197 		long	semid;
1198 		long	semnum;
1199 		long	cmd;
1200 		long	arg;
1201 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1202 
1203 	fm = (uint_t)uap->id;
1204 
1205 	switch (fm) {
1206 	case 0:		/* semctl */
1207 		switch ((uint_t)uap1->cmd) {
1208 		case IPC_RMID:
1209 			e = AUE_SEMCTL_RMID;
1210 			break;
1211 		case IPC_SET:
1212 			e = AUE_SEMCTL_SET;
1213 			break;
1214 		case IPC_STAT:
1215 			e = AUE_SEMCTL_STAT;
1216 			break;
1217 		case GETNCNT:
1218 			e = AUE_SEMCTL_GETNCNT;
1219 			break;
1220 		case GETPID:
1221 			e = AUE_SEMCTL_GETPID;
1222 			break;
1223 		case GETVAL:
1224 			e = AUE_SEMCTL_GETVAL;
1225 			break;
1226 		case GETALL:
1227 			e = AUE_SEMCTL_GETALL;
1228 			break;
1229 		case GETZCNT:
1230 			e = AUE_SEMCTL_GETZCNT;
1231 			break;
1232 		case SETVAL:
1233 			e = AUE_SEMCTL_SETVAL;
1234 			break;
1235 		case SETALL:
1236 			e = AUE_SEMCTL_SETALL;
1237 			break;
1238 		default:
1239 			e = AUE_SEMCTL;
1240 			break;
1241 		}
1242 		break;
1243 	case 1:		/* semget */
1244 		e = AUE_SEMGET;
1245 		break;
1246 	case 2:		/* semop */
1247 		e = AUE_SEMOP;
1248 		break;
1249 	default:	/* illegal system call */
1250 		e = AUE_NULL;
1251 		break;
1252 	}
1253 
1254 	return (e);
1255 }
1256 
1257 /* utssys - uname(2), ustat(2), fusers(2) */
1258 static au_event_t
1259 aui_utssys(au_event_t e)
1260 {
1261 	klwp_t *clwp = ttolwp(curthread);
1262 	uint_t type;
1263 
1264 	struct a {
1265 		union {
1266 			long	cbuf;		/* char * */
1267 			long	ubuf;		/* struct stat * */
1268 		} ub;
1269 		union {
1270 			long	mv;	/* for USTAT */
1271 			long	flags;	/* for FUSERS */
1272 		} un;
1273 		long	type;
1274 		long	outbp;		/* char * for FUSERS */
1275 	} *uap = (struct a *)clwp->lwp_ap;
1276 
1277 	type = (uint_t)uap->type;
1278 
1279 	if (type == UTS_FUSERS)
1280 		return (e);
1281 	else
1282 		return ((au_event_t)AUE_NULL);
1283 }
1284 
1285 static au_event_t
1286 aui_fcntl(au_event_t e)
1287 {
1288 	klwp_t *clwp = ttolwp(curthread);
1289 	uint_t cmd;
1290 
1291 	struct a {
1292 		long	fdes;
1293 		long	cmd;
1294 		long	arg;
1295 	} *uap = (struct a *)clwp->lwp_ap;
1296 
1297 	cmd = (uint_t)uap->cmd;
1298 
1299 	switch (cmd) {
1300 	case F_GETLK:
1301 	case F_SETLK:
1302 	case F_SETLKW:
1303 		break;
1304 	case F_SETFL:
1305 	case F_GETFL:
1306 	case F_GETFD:
1307 		break;
1308 	default:
1309 		e = (au_event_t)AUE_NULL;
1310 		break;
1311 	}
1312 	return ((au_event_t)e);
1313 }
1314 
1315 /* null function for now */
1316 static au_event_t
1317 aui_execv(au_event_t e)
1318 {
1319 	return (e);
1320 }
1321 
1322 /* null function for now */
1323 static au_event_t
1324 aui_execve(au_event_t e)
1325 {
1326 	return (e);
1327 }
1328 
1329 /*ARGSUSED*/
1330 static void
1331 aus_fcntl(struct t_audit_data *tad)
1332 {
1333 	klwp_t *clwp = ttolwp(curthread);
1334 	uint32_t cmd, fd;
1335 	struct file  *fp;
1336 	struct vnode *vp;
1337 	struct f_audit_data *fad;
1338 
1339 	struct a {
1340 		long	fd;
1341 		long	cmd;
1342 		long	arg;
1343 	} *uap = (struct a *)clwp->lwp_ap;
1344 
1345 	cmd = (uint32_t)uap->cmd;
1346 	fd  = (uint32_t)uap->fd;
1347 
1348 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1349 
1350 		/*
1351 		 * convert file pointer to file descriptor
1352 		 *   Note: fd ref count incremented here.
1353 		 */
1354 	if ((fp = getf(fd)) == NULL)
1355 		return;
1356 
1357 	/* get path from file struct here */
1358 	fad = F2A(fp);
1359 	if (fad->fad_aupath != NULL) {
1360 		au_uwrite(au_to_path(fad->fad_aupath));
1361 	} else {
1362 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1363 	}
1364 
1365 	vp = fp->f_vnode;
1366 	audit_attributes(vp);
1367 
1368 	/* decrement file descriptor reference count */
1369 	releasef(fd);
1370 }
1371 
1372 /*ARGSUSED*/
1373 static void
1374 aus_kill(struct t_audit_data *tad)
1375 {
1376 	klwp_t *clwp = ttolwp(curthread);
1377 	struct proc *p;
1378 	uint32_t signo;
1379 	uid_t uid, ruid;
1380 	gid_t gid, rgid;
1381 	pid_t pid;
1382 	const auditinfo_addr_t *ainfo;
1383 	cred_t *cr;
1384 
1385 	struct a {
1386 		long	pid;
1387 		long	signo;
1388 	} *uap = (struct a *)clwp->lwp_ap;
1389 
1390 	pid   = (pid_t)uap->pid;
1391 	signo = (uint32_t)uap->signo;
1392 
1393 	au_uwrite(au_to_arg32(2, "signal", signo));
1394 	if (pid > 0) {
1395 		mutex_enter(&pidlock);
1396 		if (((p = prfind(pid)) == (struct proc *)0) ||
1397 		    (p->p_stat == SIDL)) {
1398 			mutex_exit(&pidlock);
1399 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1400 			return;
1401 		}
1402 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1403 		mutex_exit(&pidlock);
1404 
1405 		mutex_enter(&p->p_crlock);
1406 		crhold(cr = p->p_cred);
1407 		mutex_exit(&p->p_crlock);
1408 		mutex_exit(&p->p_lock);
1409 
1410 		ainfo = crgetauinfo(cr);
1411 		if (ainfo == NULL) {
1412 			crfree(cr);
1413 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1414 			return;
1415 		}
1416 
1417 		uid  = crgetuid(cr);
1418 		gid  = crgetgid(cr);
1419 		ruid = crgetruid(cr);
1420 		rgid = crgetrgid(cr);
1421 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1422 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1423 
1424 		if (is_system_labeled())
1425 			au_uwrite(au_to_label(CR_SL(cr)));
1426 
1427 		crfree(cr);
1428 	}
1429 	else
1430 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1431 }
1432 
1433 /*ARGSUSED*/
1434 static void
1435 aus_mkdir(struct t_audit_data *tad)
1436 {
1437 	klwp_t *clwp = ttolwp(curthread);
1438 	uint32_t dmode;
1439 
1440 	struct a {
1441 		long	dirnamep;		/* char * */
1442 		long	dmode;
1443 	} *uap = (struct a *)clwp->lwp_ap;
1444 
1445 	dmode = (uint32_t)uap->dmode;
1446 
1447 	au_uwrite(au_to_arg32(2, "mode", dmode));
1448 }
1449 
1450 /*ARGSUSED*/
1451 static void
1452 aus_mknod(struct t_audit_data *tad)
1453 {
1454 	klwp_t *clwp = ttolwp(curthread);
1455 	uint32_t fmode;
1456 	dev_t dev;
1457 
1458 	struct a {
1459 		long	pnamep;		/* char * */
1460 		long	fmode;
1461 		long	dev;
1462 	} *uap = (struct a *)clwp->lwp_ap;
1463 
1464 	fmode = (uint32_t)uap->fmode;
1465 	dev   = (dev_t)uap->dev;
1466 
1467 	au_uwrite(au_to_arg32(2, "mode", fmode));
1468 #ifdef _LP64
1469 	au_uwrite(au_to_arg64(3, "dev", dev));
1470 #else
1471 	au_uwrite(au_to_arg32(3, "dev", dev));
1472 #endif
1473 }
1474 
1475 /*ARGSUSED*/
1476 static void
1477 aus_xmknod(struct t_audit_data *tad)
1478 {
1479 	klwp_t *clwp = ttolwp(curthread);
1480 	uint32_t fmode;
1481 	dev_t dev;
1482 
1483 	struct a {
1484 		long	version;	/* version */
1485 		long	pnamep;		/* char * */
1486 		long	fmode;
1487 		long	dev;
1488 	} *uap = (struct a *)clwp->lwp_ap;
1489 
1490 	fmode = (uint32_t)uap->fmode;
1491 	dev   = (dev_t)uap->dev;
1492 
1493 	au_uwrite(au_to_arg32(2, "mode", fmode));
1494 #ifdef _LP64
1495 	au_uwrite(au_to_arg64(3, "dev", dev));
1496 #else
1497 	au_uwrite(au_to_arg32(3, "dev", dev));
1498 #endif
1499 }
1500 
1501 /*ARGSUSED*/
1502 static void
1503 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1504 {
1505 	klwp_t *clwp = ttolwp(curthread);
1506 	vnode_t	*dvp;
1507 	caddr_t pnamep;
1508 
1509 	struct a {
1510 		long	pnamep;		/* char * */
1511 		long	fmode;
1512 		long	dev;
1513 	} *uap = (struct a *)clwp->lwp_ap;
1514 
1515 	/* no error, then already path token in audit record */
1516 	if (error != EPERM)
1517 		return;
1518 
1519 	/* not auditing this event, nothing then to do */
1520 	if (tad->tad_flag == 0)
1521 		return;
1522 
1523 	/* do the lookup to force generation of path token */
1524 	pnamep = (caddr_t)uap->pnamep;
1525 	tad->tad_ctrl |= PAD_NOATTRB;
1526 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1527 	if (error == 0)
1528 		VN_RELE(dvp);
1529 }
1530 
1531 /*ARGSUSED*/
1532 static void
1533 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1534 {
1535 	klwp_t *clwp = ttolwp(curthread);
1536 	vnode_t	*dvp;
1537 	caddr_t pnamep;
1538 
1539 	struct a {
1540 		long	version;	/* version */
1541 		long	pnamep;		/* char * */
1542 		long	fmode;
1543 		long	dev;
1544 	} *uap = (struct a *)clwp->lwp_arg;
1545 
1546 
1547 	/* no error, then already path token in audit record */
1548 	if (error != EPERM)
1549 		return;
1550 
1551 	/* not auditing this event, nothing then to do */
1552 	if (tad->tad_flag == 0)
1553 		return;
1554 
1555 	/* do the lookup to force generation of path token */
1556 	pnamep = (caddr_t)uap->pnamep;
1557 	tad->tad_ctrl |= PAD_NOATTRB;
1558 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1559 	if (error == 0)
1560 		VN_RELE(dvp);
1561 }
1562 
1563 /*ARGSUSED*/
1564 static void
1565 aus_mount(struct t_audit_data *tad)
1566 {	/* AUS_START */
1567 	klwp_t *clwp = ttolwp(curthread);
1568 	uint32_t flags;
1569 	uintptr_t u_fstype, dataptr;
1570 	STRUCT_DECL(nfs_args, nfsargs);
1571 	size_t len;
1572 	char *fstype, *hostname;
1573 
1574 	struct a {
1575 		long	spec;		/* char    * */
1576 		long	dir;		/* char    * */
1577 		long	flags;
1578 		long	fstype;		/* char    * */
1579 		long	dataptr;	/* char    * */
1580 		long	datalen;
1581 	} *uap = (struct a *)clwp->lwp_ap;
1582 
1583 	u_fstype = (uintptr_t)uap->fstype;
1584 	flags    = (uint32_t)uap->flags;
1585 	dataptr  = (uintptr_t)uap->dataptr;
1586 
1587 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1588 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1589 		goto mount_free_fstype;
1590 
1591 	au_uwrite(au_to_arg32(3, "flags", flags));
1592 	au_uwrite(au_to_text(fstype));
1593 
1594 	if (strncmp(fstype, "nfs", 3) == 0) {
1595 
1596 		STRUCT_INIT(nfsargs, get_udatamodel());
1597 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1598 
1599 		if (copyin((caddr_t)dataptr,
1600 				STRUCT_BUF(nfsargs),
1601 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1602 			/* DEBUG debug_enter((char *)NULL); */
1603 			goto mount_free_fstype;
1604 		}
1605 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1606 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1607 				(caddr_t)hostname,
1608 				MAXNAMELEN, &len)) {
1609 			goto mount_free_hostname;
1610 		}
1611 		au_uwrite(au_to_text(hostname));
1612 		au_uwrite(au_to_arg32(3, "internal flags",
1613 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1614 
1615 mount_free_hostname:
1616 		kmem_free(hostname, MAXNAMELEN);
1617 	}
1618 
1619 mount_free_fstype:
1620 	kmem_free(fstype, MAXNAMELEN);
1621 }	/* AUS_MOUNT */
1622 
1623 static void
1624 aus_umount_path(caddr_t umount_dir)
1625 {
1626 	char			*dir_path;
1627 	struct audit_path	*path;
1628 	size_t			path_len, dir_len;
1629 
1630 	/* length alloc'd for two string pointers */
1631 	path_len = sizeof (struct audit_path) + sizeof (char *);
1632 	path = kmem_alloc(path_len, KM_SLEEP);
1633 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1634 
1635 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1636 	    MAXPATHLEN, &dir_len))
1637 		goto umount2_free_dir;
1638 
1639 	/*
1640 	 * the audit_path struct assumes that the buffer pointed to
1641 	 * by audp_sect[n] contains string 0 immediatedly followed
1642 	 * by string 1.
1643 	 */
1644 	path->audp_sect[0] = dir_path;
1645 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1646 	path->audp_size = path_len;
1647 	path->audp_ref = 1;		/* not used */
1648 	path->audp_cnt = 1;		/* one path string */
1649 
1650 	au_uwrite(au_to_path(path));
1651 
1652 umount2_free_dir:
1653 	kmem_free(dir_path, MAXPATHLEN);
1654 	kmem_free(path, path_len);
1655 }
1656 
1657 /*
1658  * the umount syscall is implemented as a call to umount2, but the args
1659  * are different...
1660  */
1661 
1662 /*ARGSUSED*/
1663 static void
1664 aus_umount(struct t_audit_data *tad)
1665 {
1666 	klwp_t			*clwp = ttolwp(curthread);
1667 	struct a {
1668 		long	dir;		/* char    * */
1669 	} *uap = (struct a *)clwp->lwp_ap;
1670 
1671 	aus_umount_path((caddr_t)uap->dir);
1672 }
1673 
1674 /*ARGSUSED*/
1675 static void
1676 aus_umount2(struct t_audit_data *tad)
1677 {
1678 	klwp_t			*clwp = ttolwp(curthread);
1679 	struct a {
1680 		long	dir;		/* char    * */
1681 		long	flags;
1682 	} *uap = (struct a *)clwp->lwp_ap;
1683 
1684 	aus_umount_path((caddr_t)uap->dir);
1685 
1686 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1687 }
1688 
1689 static void
1690 aus_msgsys(struct t_audit_data *tad)
1691 {
1692 	klwp_t *clwp = ttolwp(curthread);
1693 	uint32_t msgid;
1694 
1695 	struct b {
1696 		long	msgid;
1697 		long	cmd;
1698 		long	buf;		/* struct msqid_ds * */
1699 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1700 
1701 	msgid = (uint32_t)uap1->msgid;
1702 
1703 
1704 	switch (tad->tad_event) {
1705 	case AUE_MSGGET:		/* msgget */
1706 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1707 		break;
1708 	case AUE_MSGCTL:		/* msgctl */
1709 	case AUE_MSGCTL_RMID:		/* msgctl */
1710 	case AUE_MSGCTL_SET:		/* msgctl */
1711 	case AUE_MSGCTL_STAT:		/* msgctl */
1712 	case AUE_MSGRCV:		/* msgrcv */
1713 	case AUE_MSGSND:		/* msgsnd */
1714 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1715 		break;
1716 	}
1717 }
1718 
1719 /*ARGSUSED*/
1720 static void
1721 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1722 {
1723 	int id;
1724 
1725 	if (error != 0)
1726 		return;
1727 	if (tad->tad_event == AUE_MSGGET) {
1728 		uint32_t scid;
1729 		uint32_t sy_flags;
1730 
1731 		/* need to determine type of executing binary */
1732 		scid = tad->tad_scid;
1733 #ifdef _SYSCALL32_IMPL
1734 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1735 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1736 		else
1737 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1738 #else
1739 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1740 #endif
1741 		if (sy_flags == SE_32RVAL1)
1742 			id = rval->r_val1;
1743 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1744 			id = rval->r_val1;
1745 		if (sy_flags == SE_64RVAL)
1746 			id = (int)rval->r_vals;
1747 
1748 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1749 	}
1750 }
1751 
1752 static void
1753 aus_semsys(struct t_audit_data *tad)
1754 {
1755 	klwp_t *clwp = ttolwp(curthread);
1756 	uint32_t semid;
1757 
1758 	struct b {		/* ctrl */
1759 		long	semid;
1760 		long	semnum;
1761 		long	cmd;
1762 		long	arg;
1763 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1764 
1765 	semid = (uint32_t)uap1->semid;
1766 
1767 	switch (tad->tad_event) {
1768 	case AUE_SEMCTL_RMID:
1769 	case AUE_SEMCTL_STAT:
1770 	case AUE_SEMCTL_GETNCNT:
1771 	case AUE_SEMCTL_GETPID:
1772 	case AUE_SEMCTL_GETVAL:
1773 	case AUE_SEMCTL_GETALL:
1774 	case AUE_SEMCTL_GETZCNT:
1775 	case AUE_SEMCTL_SET:
1776 	case AUE_SEMCTL_SETVAL:
1777 	case AUE_SEMCTL_SETALL:
1778 	case AUE_SEMCTL:
1779 	case AUE_SEMOP:
1780 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1781 		break;
1782 	case AUE_SEMGET:
1783 		au_uwrite(au_to_arg32(1, "sem key", semid));
1784 		break;
1785 	}
1786 }
1787 
1788 /*ARGSUSED*/
1789 static void
1790 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1791 {
1792 	int id;
1793 
1794 	if (error != 0)
1795 		return;
1796 	if (tad->tad_event == AUE_SEMGET) {
1797 		uint32_t scid;
1798 		uint32_t sy_flags;
1799 
1800 		/* need to determine type of executing binary */
1801 		scid = tad->tad_scid;
1802 #ifdef _SYSCALL32_IMPL
1803 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1804 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1805 		else
1806 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1807 #else
1808 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1809 #endif
1810 		if (sy_flags == SE_32RVAL1)
1811 			id = rval->r_val1;
1812 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1813 			id = rval->r_val1;
1814 		if (sy_flags == SE_64RVAL)
1815 			id = (int)rval->r_vals;
1816 
1817 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1818 	}
1819 }
1820 
1821 /*ARGSUSED*/
1822 static void
1823 aus_close(struct t_audit_data *tad)
1824 {
1825 	klwp_t *clwp = ttolwp(curthread);
1826 	uint32_t fd;
1827 	struct file *fp;
1828 	struct f_audit_data *fad;
1829 	struct vnode *vp;
1830 	struct vattr attr;
1831 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1832 
1833 	struct a {
1834 		long	i;
1835 	} *uap = (struct a *)clwp->lwp_ap;
1836 
1837 	fd = (uint32_t)uap->i;
1838 
1839 	attr.va_mask = 0;
1840 	au_uwrite(au_to_arg32(1, "fd", fd));
1841 
1842 		/*
1843 		 * convert file pointer to file descriptor
1844 		 *   Note: fd ref count incremented here.
1845 		 */
1846 	if ((fp = getf(fd)) == NULL)
1847 		return;
1848 
1849 	fad = F2A(fp);
1850 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1851 	if (fad->fad_aupath != NULL) {
1852 		au_uwrite(au_to_path(fad->fad_aupath));
1853 		if ((vp = fp->f_vnode) != NULL) {
1854 			attr.va_mask = AT_ALL;
1855 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1856 				/*
1857 				 * When write was not used and the file can be
1858 				 * considered public, skip the audit.
1859 				 */
1860 				if (((fp->f_flag & FWRITE) == 0) &&
1861 				    file_is_public(&attr)) {
1862 					tad->tad_flag = 0;
1863 					tad->tad_evmod = 0;
1864 					/* free any residual audit data */
1865 					au_close(kctx, &(u_ad), 0, 0, 0);
1866 					releasef(fd);
1867 					return;
1868 				}
1869 				au_uwrite(au_to_attr(&attr));
1870 				audit_sec_attributes(&(u_ad), vp);
1871 			}
1872 		}
1873 	}
1874 
1875 	/* decrement file descriptor reference count */
1876 	releasef(fd);
1877 }
1878 
1879 /*ARGSUSED*/
1880 static void
1881 aus_fstatfs(struct t_audit_data *tad)
1882 {
1883 	klwp_t *clwp = ttolwp(curthread);
1884 	uint32_t fd;
1885 	struct file  *fp;
1886 	struct vnode *vp;
1887 	struct f_audit_data *fad;
1888 
1889 	struct a {
1890 		long	fd;
1891 		long	buf;		/* struct statfs * */
1892 	} *uap = (struct a *)clwp->lwp_ap;
1893 
1894 	fd = (uint_t)uap->fd;
1895 
1896 		/*
1897 		 * convert file pointer to file descriptor
1898 		 *   Note: fd ref count incremented here.
1899 		 */
1900 	if ((fp = getf(fd)) == NULL)
1901 		return;
1902 
1903 		/* get path from file struct here */
1904 	fad = F2A(fp);
1905 	if (fad->fad_aupath != NULL) {
1906 		au_uwrite(au_to_path(fad->fad_aupath));
1907 	} else {
1908 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1909 	}
1910 
1911 	vp = fp->f_vnode;
1912 	audit_attributes(vp);
1913 
1914 	/* decrement file descriptor reference count */
1915 	releasef(fd);
1916 }
1917 
1918 static au_event_t
1919 aui_setpgrp(au_event_t e)
1920 {
1921 	klwp_t *clwp = ttolwp(curthread);
1922 	int flag;
1923 
1924 	struct a {
1925 		long	flag;
1926 		long	pid;
1927 		long	pgid;
1928 	} *uap = (struct a *)clwp->lwp_ap;
1929 
1930 	flag = (int)uap->flag;
1931 
1932 
1933 	switch (flag) {
1934 
1935 	case 1:	/* setpgrp() */
1936 		e = AUE_SETPGRP;
1937 		break;
1938 
1939 	case 3: /* setsid() */
1940 		e = AUE_SETSID;
1941 		break;
1942 
1943 	case 5: /* setpgid() */
1944 		e = AUE_SETPGID;
1945 		break;
1946 
1947 	case 0: /* getpgrp()	- not security relevant */
1948 	case 2: /* getsid()	- not security relevant */
1949 	case 4: /* getpgid() 	- not security relevant */
1950 		e = AUE_NULL;
1951 		break;
1952 
1953 	default:
1954 		e = AUE_NULL;
1955 		break;
1956 	}
1957 
1958 	return (e);
1959 }
1960 
1961 /*ARGSUSED*/
1962 static void
1963 aus_setpgrp(struct t_audit_data *tad)
1964 {
1965 	klwp_t		*clwp = ttolwp(curthread);
1966 	pid_t		pgid;
1967 	struct proc	*p;
1968 	uid_t		uid, ruid;
1969 	gid_t		gid, rgid;
1970 	pid_t		pid;
1971 	cred_t		*cr;
1972 	int		flag;
1973 	const auditinfo_addr_t	*ainfo;
1974 
1975 	struct a {
1976 		long	flag;
1977 		long	pid;
1978 		long	pgid;
1979 	} *uap = (struct a *)clwp->lwp_ap;
1980 
1981 	flag = (int)uap->flag;
1982 	pid  = (pid_t)uap->pid;
1983 	pgid = (pid_t)uap->pgid;
1984 
1985 
1986 	switch (flag) {
1987 
1988 	case 0: /* getpgrp() */
1989 	case 1: /* setpgrp() */
1990 	case 2: /* getsid() */
1991 	case 3: /* setsid() */
1992 	case 4: /* getpgid() */
1993 		break;
1994 
1995 	case 5: /* setpgid() */
1996 
1997 		/* current process? */
1998 		if (pid == 0) {
1999 			return;
2000 		}
2001 
2002 		mutex_enter(&pidlock);
2003 		p = prfind(pid);
2004 		if (p == NULL || p->p_as == &kas ||
2005 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
2006 			mutex_exit(&pidlock);
2007 			return;
2008 		}
2009 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
2010 		mutex_exit(&pidlock);
2011 
2012 		mutex_enter(&p->p_crlock);
2013 		crhold(cr = p->p_cred);
2014 		mutex_exit(&p->p_crlock);
2015 		mutex_exit(&p->p_lock);
2016 
2017 		ainfo = crgetauinfo(cr);
2018 		if (ainfo == NULL) {
2019 			crfree(cr);
2020 			return;
2021 		}
2022 
2023 		uid  = crgetuid(cr);
2024 		gid  = crgetgid(cr);
2025 		ruid = crgetruid(cr);
2026 		rgid = crgetrgid(cr);
2027 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2028 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2029 		crfree(cr);
2030 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2031 		break;
2032 
2033 	default:
2034 		break;
2035 	}
2036 }
2037 
2038 
2039 /*ARGSUSED*/
2040 static void
2041 aus_setregid(struct t_audit_data *tad)
2042 {
2043 	klwp_t *clwp = ttolwp(curthread);
2044 	uint32_t rgid, egid;
2045 
2046 	struct a {
2047 		long	 rgid;
2048 		long	 egid;
2049 	} *uap = (struct a *)clwp->lwp_ap;
2050 
2051 	rgid  = (uint32_t)uap->rgid;
2052 	egid  = (uint32_t)uap->egid;
2053 
2054 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2055 	au_uwrite(au_to_arg32(2, "egid", egid));
2056 }
2057 
2058 /*ARGSUSED*/
2059 static void
2060 aus_setgid(struct t_audit_data *tad)
2061 {
2062 	klwp_t *clwp = ttolwp(curthread);
2063 	uint32_t gid;
2064 
2065 	struct a {
2066 		long	gid;
2067 	} *uap = (struct a *)clwp->lwp_ap;
2068 
2069 	gid = (uint32_t)uap->gid;
2070 
2071 	au_uwrite(au_to_arg32(1, "gid", gid));
2072 }
2073 
2074 
2075 /*ARGSUSED*/
2076 static void
2077 aus_setreuid(struct t_audit_data *tad)
2078 {
2079 	klwp_t *clwp = ttolwp(curthread);
2080 	uint32_t ruid, euid;
2081 
2082 	struct a {
2083 		long	ruid;
2084 		long	euid;
2085 	} *uap = (struct a *)clwp->lwp_ap;
2086 
2087 	ruid = (uint32_t)uap->ruid;
2088 	euid  = (uint32_t)uap->euid;
2089 
2090 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2091 	au_uwrite(au_to_arg32(2, "euid", euid));
2092 }
2093 
2094 
2095 /*ARGSUSED*/
2096 static void
2097 aus_setuid(struct t_audit_data *tad)
2098 {
2099 	klwp_t *clwp = ttolwp(curthread);
2100 	uint32_t uid;
2101 
2102 	struct a {
2103 		long	uid;
2104 	} *uap = (struct a *)clwp->lwp_ap;
2105 
2106 	uid = (uint32_t)uap->uid;
2107 
2108 	au_uwrite(au_to_arg32(1, "uid", uid));
2109 }
2110 
2111 /*ARGSUSED*/
2112 static void
2113 aus_shmsys(struct t_audit_data *tad)
2114 {
2115 	klwp_t *clwp = ttolwp(curthread);
2116 	uint32_t id, cmd;
2117 
2118 	struct b {
2119 		long	id;
2120 		long	cmd;
2121 		long	buf;		/* struct shmid_ds * */
2122 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2123 
2124 	id  = (uint32_t)uap1->id;
2125 	cmd = (uint32_t)uap1->cmd;
2126 
2127 	switch (tad->tad_event) {
2128 	case AUE_SHMGET:			/* shmget */
2129 		au_uwrite(au_to_arg32(1, "shm key", id));
2130 		break;
2131 	case AUE_SHMCTL:			/* shmctl */
2132 	case AUE_SHMCTL_RMID:			/* shmctl */
2133 	case AUE_SHMCTL_STAT:			/* shmctl */
2134 	case AUE_SHMCTL_SET:			/* shmctl */
2135 		au_uwrite(au_to_arg32(1, "shm ID", id));
2136 		break;
2137 	case AUE_SHMDT:				/* shmdt */
2138 		au_uwrite(au_to_arg32(1, "shm adr", id));
2139 		break;
2140 	case AUE_SHMAT:				/* shmat */
2141 		au_uwrite(au_to_arg32(1, "shm ID", id));
2142 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2143 		break;
2144 	}
2145 }
2146 
2147 /*ARGSUSED*/
2148 static void
2149 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2150 {
2151 	int id;
2152 
2153 	if (error != 0)
2154 		return;
2155 	if (tad->tad_event == AUE_SHMGET) {
2156 		uint32_t scid;
2157 		uint32_t sy_flags;
2158 
2159 		/* need to determine type of executing binary */
2160 		scid = tad->tad_scid;
2161 #ifdef _SYSCALL32_IMPL
2162 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2163 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2164 		else
2165 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2166 #else
2167 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2168 #endif
2169 		if (sy_flags == SE_32RVAL1)
2170 			id = rval->r_val1;
2171 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2172 			id = rval->r_val1;
2173 		if (sy_flags == SE_64RVAL)
2174 			id = (int)rval->r_vals;
2175 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2176 	}
2177 }
2178 
2179 
2180 /*ARGSUSED*/
2181 static void
2182 aus_ioctl(struct t_audit_data *tad)
2183 {
2184 	klwp_t *clwp = ttolwp(curthread);
2185 	struct file *fp;
2186 	struct vnode *vp;
2187 	struct f_audit_data *fad;
2188 	uint32_t fd, cmd;
2189 	uintptr_t cmarg;
2190 
2191 	/* XX64 */
2192 	struct a {
2193 		long	fd;
2194 		long	cmd;
2195 		long	cmarg;		/* caddr_t */
2196 	} *uap = (struct a *)clwp->lwp_ap;
2197 
2198 	fd    = (uint32_t)uap->fd;
2199 	cmd   = (uint32_t)uap->cmd;
2200 	cmarg = (uintptr_t)uap->cmarg;
2201 
2202 		/*
2203 		 * convert file pointer to file descriptor
2204 		 *   Note: fd ref count incremented here.
2205 		 */
2206 	if ((fp = getf(fd)) == NULL) {
2207 		au_uwrite(au_to_arg32(1, "fd", fd));
2208 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2209 #ifndef _LP64
2210 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2211 #else
2212 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2213 #endif
2214 		return;
2215 	}
2216 
2217 	/* get path from file struct here */
2218 	fad = F2A(fp);
2219 	if (fad->fad_aupath != NULL) {
2220 		au_uwrite(au_to_path(fad->fad_aupath));
2221 	} else {
2222 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2223 	}
2224 
2225 	vp = fp->f_vnode;
2226 	audit_attributes(vp);
2227 
2228 	/* decrement file descriptor reference count */
2229 	releasef(fd);
2230 
2231 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2232 #ifndef _LP64
2233 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2234 #else
2235 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2236 #endif
2237 }
2238 
2239 /*
2240  * null function for memcntl for now. We might want to limit memcntl()
2241  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2242  * require privileges.
2243  */
2244 static au_event_t
2245 aui_memcntl(au_event_t e)
2246 {
2247 	return (e);
2248 }
2249 
2250 /*ARGSUSED*/
2251 static au_event_t
2252 aui_privsys(au_event_t e)
2253 {
2254 	klwp_t *clwp = ttolwp(curthread);
2255 
2256 	struct a {
2257 		long	opcode;
2258 	} *uap = (struct a *)clwp->lwp_ap;
2259 
2260 	switch (uap->opcode) {
2261 	case PRIVSYS_SETPPRIV:
2262 		return (AUE_SETPPRIV);
2263 	default:
2264 		return (AUE_NULL);
2265 	}
2266 }
2267 
2268 /*ARGSUSED*/
2269 static void
2270 aus_memcntl(struct t_audit_data *tad)
2271 {
2272 	klwp_t *clwp = ttolwp(curthread);
2273 
2274 	struct a {
2275 		long	addr;
2276 		long	len;
2277 		long	cmd;
2278 		long	arg;
2279 		long	attr;
2280 		long	mask;
2281 	} *uap = (struct a *)clwp->lwp_ap;
2282 
2283 #ifdef _LP64
2284 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2285 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2286 #else
2287 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2288 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2289 #endif
2290 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2291 #ifdef _LP64
2292 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2293 #else
2294 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2295 #endif
2296 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2297 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2298 }
2299 
2300 /*ARGSUSED*/
2301 static void
2302 aus_mmap(struct t_audit_data *tad)
2303 {
2304 	klwp_t *clwp = ttolwp(curthread);
2305 	struct file *fp;
2306 	struct f_audit_data *fad;
2307 	struct vnode *vp;
2308 	uint32_t fd;
2309 
2310 	struct a {
2311 		long	addr;
2312 		long	len;
2313 		long	prot;
2314 		long	flags;
2315 		long	fd;
2316 		long	pos;
2317 	} *uap = (struct a *)clwp->lwp_ap;
2318 
2319 	fd = (uint32_t)uap->fd;
2320 
2321 #ifdef _LP64
2322 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2323 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2324 #else
2325 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2326 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2327 #endif
2328 
2329 	if ((fp = getf(fd)) == NULL) {
2330 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2331 		return;
2332 	}
2333 
2334 	/*
2335 	 * Mark in the tad if write access is NOT requested... if
2336 	 * this is later detected (in audit_attributes) to be a
2337 	 * public object, the mmap event may be discarded.
2338 	 */
2339 	if (((uap->prot) & PROT_WRITE) == 0) {
2340 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2341 	}
2342 
2343 	fad = F2A(fp);
2344 	if (fad->fad_aupath != NULL) {
2345 		au_uwrite(au_to_path(fad->fad_aupath));
2346 	} else {
2347 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2348 	}
2349 
2350 	vp = (struct vnode *)fp->f_vnode;
2351 	audit_attributes(vp);
2352 
2353 	/* mark READ/WRITE since we can't predict access */
2354 	if (uap->prot & PROT_READ)
2355 		fad->fad_flags |= FAD_READ;
2356 	if (uap->prot & PROT_WRITE)
2357 		fad->fad_flags |= FAD_WRITE;
2358 
2359 	/* decrement file descriptor reference count */
2360 	releasef(fd);
2361 
2362 }	/* AUS_MMAP */
2363 
2364 
2365 
2366 
2367 /*ARGSUSED*/
2368 static void
2369 aus_munmap(struct t_audit_data *tad)
2370 {
2371 	klwp_t *clwp = ttolwp(curthread);
2372 
2373 	struct a {
2374 		long	addr;
2375 		long	len;
2376 	} *uap = (struct a *)clwp->lwp_ap;
2377 
2378 #ifdef _LP64
2379 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2380 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2381 #else
2382 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2383 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2384 #endif
2385 
2386 }	/* AUS_MUNMAP */
2387 
2388 
2389 
2390 
2391 
2392 
2393 
2394 /*ARGSUSED*/
2395 static void
2396 aus_priocntlsys(struct t_audit_data *tad)
2397 {
2398 	klwp_t *clwp = ttolwp(curthread);
2399 
2400 	struct a {
2401 		long	pc_version;
2402 		long	psp;		/* procset_t */
2403 		long	cmd;
2404 		long	arg;
2405 	} *uap = (struct a *)clwp->lwp_ap;
2406 
2407 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2408 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2409 
2410 }	/* AUS_PRIOCNTLSYS */
2411 
2412 
2413 /*ARGSUSED*/
2414 static void
2415 aus_setegid(struct t_audit_data *tad)
2416 {
2417 	klwp_t *clwp = ttolwp(curthread);
2418 	uint32_t gid;
2419 
2420 	struct a {
2421 		long	gid;
2422 	} *uap = (struct a *)clwp->lwp_ap;
2423 
2424 	gid = (uint32_t)uap->gid;
2425 
2426 	au_uwrite(au_to_arg32(1, "gid", gid));
2427 }	/* AUS_SETEGID */
2428 
2429 
2430 
2431 
2432 /*ARGSUSED*/
2433 static void
2434 aus_setgroups(struct t_audit_data *tad)
2435 {
2436 	klwp_t *clwp = ttolwp(curthread);
2437 	int i;
2438 	int gidsetsize;
2439 	uintptr_t gidset;
2440 	gid_t *gidlist;
2441 
2442 	struct a {
2443 		long	gidsetsize;
2444 		long	gidset;
2445 	} *uap = (struct a *)clwp->lwp_ap;
2446 
2447 	gidsetsize = (uint_t)uap->gidsetsize;
2448 	gidset = (uintptr_t)uap->gidset;
2449 
2450 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2451 		return;
2452 	if (gidsetsize != 0) {
2453 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2454 		    KM_SLEEP);
2455 		if (copyin((caddr_t)gidset, gidlist,
2456 		    gidsetsize * sizeof (gid_t)) == 0)
2457 			for (i = 0; i < gidsetsize; i++)
2458 				au_uwrite(au_to_arg32(1, "setgroups",
2459 				    (uint32_t)gidlist[i]));
2460 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2461 	} else
2462 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2463 
2464 }	/* AUS_SETGROUPS */
2465 
2466 
2467 
2468 
2469 
2470 /*ARGSUSED*/
2471 static void
2472 aus_seteuid(struct t_audit_data *tad)
2473 {
2474 	klwp_t *clwp = ttolwp(curthread);
2475 	uint32_t uid;
2476 
2477 	struct a {
2478 		long	uid;
2479 	} *uap = (struct a *)clwp->lwp_ap;
2480 
2481 	uid = (uint32_t)uap->uid;
2482 
2483 	au_uwrite(au_to_arg32(1, "euid", uid));
2484 
2485 }	/* AUS_SETEUID */
2486 
2487 /*ARGSUSED*/
2488 static void
2489 aus_putmsg(struct t_audit_data *tad)
2490 {
2491 	klwp_t *clwp = ttolwp(curthread);
2492 	uint32_t fd, pri;
2493 	struct file *fp;
2494 	struct f_audit_data *fad;
2495 
2496 	struct a {
2497 		long	fdes;
2498 		long	ctl;		/* struct strbuf * */
2499 		long	data;		/* struct strbuf * */
2500 		long	pri;
2501 	} *uap = (struct a *)clwp->lwp_ap;
2502 
2503 	fd  = (uint32_t)uap->fdes;
2504 	pri = (uint32_t)uap->pri;
2505 
2506 	au_uwrite(au_to_arg32(1, "fd", fd));
2507 
2508 	if ((fp = getf(fd)) != NULL) {
2509 		fad = F2A(fp);
2510 
2511 		fad->fad_flags |= FAD_WRITE;
2512 
2513 		/* add path name to audit record */
2514 		if (fad->fad_aupath != NULL) {
2515 			au_uwrite(au_to_path(fad->fad_aupath));
2516 		}
2517 		audit_attributes(fp->f_vnode);
2518 
2519 		releasef(fd);
2520 	}
2521 
2522 	au_uwrite(au_to_arg32(4, "pri", pri));
2523 }
2524 
2525 /*ARGSUSED*/
2526 static void
2527 aus_putpmsg(struct t_audit_data *tad)
2528 {
2529 	klwp_t *clwp = ttolwp(curthread);
2530 	uint32_t fd, pri, flags;
2531 	struct file *fp;
2532 	struct f_audit_data *fad;
2533 
2534 	struct a {
2535 		long	fdes;
2536 		long	ctl;		/* struct strbuf * */
2537 		long	data;		/* struct strbuf * */
2538 		long	pri;
2539 		long	flags;
2540 	} *uap = (struct a *)clwp->lwp_ap;
2541 
2542 	fd = (uint32_t)uap->fdes;
2543 	pri  = (uint32_t)uap->pri;
2544 	flags  = (uint32_t)uap->flags;
2545 
2546 	au_uwrite(au_to_arg32(1, "fd", fd));
2547 
2548 	if ((fp = getf(fd)) != NULL) {
2549 		fad = F2A(fp);
2550 
2551 		fad->fad_flags |= FAD_WRITE;
2552 
2553 		/* add path name to audit record */
2554 		if (fad->fad_aupath != NULL) {
2555 			au_uwrite(au_to_path(fad->fad_aupath));
2556 		}
2557 		audit_attributes(fp->f_vnode);
2558 
2559 		releasef(fd);
2560 	}
2561 
2562 
2563 	au_uwrite(au_to_arg32(4, "pri", pri));
2564 	au_uwrite(au_to_arg32(5, "flags", flags));
2565 }
2566 
2567 /*ARGSUSED*/
2568 static void
2569 aus_getmsg(struct t_audit_data *tad)
2570 {
2571 	klwp_t *clwp = ttolwp(curthread);
2572 	uint32_t fd, pri;
2573 	struct file *fp;
2574 	struct f_audit_data *fad;
2575 
2576 	struct a {
2577 		long	fdes;
2578 		long	ctl;		/* struct strbuf * */
2579 		long	data;		/* struct strbuf * */
2580 		long	pri;
2581 	} *uap = (struct a *)clwp->lwp_ap;
2582 
2583 	fd  = (uint32_t)uap->fdes;
2584 	pri = (uint32_t)uap->pri;
2585 
2586 	au_uwrite(au_to_arg32(1, "fd", fd));
2587 
2588 	if ((fp = getf(fd)) != NULL) {
2589 		fad = F2A(fp);
2590 
2591 		/*
2592 		 * read operation on this object
2593 		 */
2594 		fad->fad_flags |= FAD_READ;
2595 
2596 		/* add path name to audit record */
2597 		if (fad->fad_aupath != NULL) {
2598 			au_uwrite(au_to_path(fad->fad_aupath));
2599 		}
2600 		audit_attributes(fp->f_vnode);
2601 
2602 		releasef(fd);
2603 	}
2604 
2605 	au_uwrite(au_to_arg32(4, "pri", pri));
2606 }
2607 
2608 /*ARGSUSED*/
2609 static void
2610 aus_getpmsg(struct t_audit_data *tad)
2611 {
2612 	klwp_t *clwp = ttolwp(curthread);
2613 	uint32_t fd;
2614 	struct file *fp;
2615 	struct f_audit_data *fad;
2616 
2617 	struct a {
2618 		long	fdes;
2619 		long	ctl;		/* struct strbuf * */
2620 		long	data;		/* struct strbuf * */
2621 		long	pri;
2622 		long	flags;
2623 	} *uap = (struct a *)clwp->lwp_ap;
2624 
2625 	fd = (uint32_t)uap->fdes;
2626 
2627 	au_uwrite(au_to_arg32(1, "fd", fd));
2628 
2629 	if ((fp = getf(fd)) != NULL) {
2630 		fad = F2A(fp);
2631 
2632 		/*
2633 		 * read operation on this object
2634 		 */
2635 		fad->fad_flags |= FAD_READ;
2636 
2637 		/* add path name to audit record */
2638 		if (fad->fad_aupath != NULL) {
2639 			au_uwrite(au_to_path(fad->fad_aupath));
2640 		}
2641 		audit_attributes(fp->f_vnode);
2642 
2643 		releasef(fd);
2644 	}
2645 }
2646 
2647 static au_event_t
2648 aui_labelsys(au_event_t e)
2649 {
2650 	klwp_t *clwp = ttolwp(curthread);
2651 	uint32_t code;
2652 	uint32_t cmd;
2653 
2654 	struct a {
2655 		long	code;
2656 		long	cmd;
2657 	} *uap = (struct a *)clwp->lwp_ap;
2658 
2659 	code = (uint32_t)uap->code;
2660 	cmd = (uint32_t)uap->cmd;
2661 
2662 	/* not security relevant if not changing kernel cache */
2663 	if (cmd == TNDB_GET)
2664 		return (AUE_NULL);
2665 
2666 	switch (code) {
2667 	case TSOL_TNRH:
2668 		e = AUE_LABELSYS_TNRH;
2669 		break;
2670 	case TSOL_TNRHTP:
2671 		e = AUE_LABELSYS_TNRHTP;
2672 		break;
2673 	case TSOL_TNMLP:
2674 		e = AUE_LABELSYS_TNMLP;
2675 		break;
2676 	default:
2677 		e = AUE_NULL;
2678 		break;
2679 	}
2680 
2681 	return (e);
2682 
2683 }
2684 
2685 static void
2686 aus_labelsys(struct t_audit_data *tad)
2687 {
2688 	klwp_t *clwp = ttolwp(curthread);
2689 	uint32_t cmd;
2690 	uintptr_t a2;
2691 
2692 	struct a {
2693 		long	code;
2694 		long	cmd;
2695 		long	a2;
2696 	} *uap = (struct a *)clwp->lwp_ap;
2697 
2698 	cmd = (uint32_t)uap->cmd;
2699 	a2 = (uintptr_t)uap->a2;
2700 
2701 	switch (tad->tad_event) {
2702 	case AUE_LABELSYS_TNRH:
2703 	{
2704 		tsol_rhent_t	*rhent;
2705 		tnaddr_t	*rh_addr;
2706 
2707 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2708 
2709 		/* Remaining args don't apply for FLUSH, so skip */
2710 		if (cmd == TNDB_FLUSH)
2711 			break;
2712 
2713 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2714 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2715 			kmem_free(rhent, sizeof (tsol_rhent_t));
2716 			return;
2717 		}
2718 
2719 		rh_addr = &rhent->rh_address;
2720 		if (rh_addr->ta_family == AF_INET) {
2721 			struct in_addr	*ipaddr;
2722 
2723 			ipaddr = &(rh_addr->ta_addr_v4);
2724 			au_uwrite(au_to_in_addr(ipaddr));
2725 		} else if (rh_addr->ta_family == AF_INET6) {
2726 			int32_t		*ipaddr;
2727 
2728 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2729 			au_uwrite(au_to_in_addr_ex(ipaddr));
2730 		}
2731 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2732 
2733 		kmem_free(rhent, sizeof (tsol_rhent_t));
2734 
2735 		break;
2736 	}
2737 	case AUE_LABELSYS_TNRHTP:
2738 	{
2739 		tsol_tpent_t	*tpent;
2740 
2741 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2742 
2743 		/* Remaining args don't apply for FLUSH, so skip */
2744 		if (cmd == TNDB_FLUSH)
2745 			break;
2746 
2747 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2748 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2749 			kmem_free(tpent, sizeof (tsol_tpent_t));
2750 			return;
2751 		}
2752 
2753 		/* Make sure that the template name is null-terminated. */
2754 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2755 
2756 		au_uwrite(au_to_text(tpent->name));
2757 		kmem_free(tpent, sizeof (tsol_tpent_t));
2758 
2759 		break;
2760 	}
2761 	case AUE_LABELSYS_TNMLP:
2762 	{
2763 		tsol_mlpent_t	*mlpent;
2764 
2765 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2766 
2767 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2768 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2769 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2770 			return;
2771 		}
2772 
2773 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2774 			au_uwrite(au_to_text("shared"));
2775 		} else {
2776 			zone_t	*zone;
2777 
2778 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2779 			if (zone != NULL) {
2780 				au_uwrite(au_to_text(zone->zone_name));
2781 				zone_rele(zone);
2782 			}
2783 		}
2784 
2785 		/* Remaining args don't apply for FLUSH, so skip */
2786 		if (cmd == TNDB_FLUSH) {
2787 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2788 			break;
2789 		}
2790 
2791 		au_uwrite(au_to_arg32(2, "proto num",
2792 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2793 		au_uwrite(au_to_arg32(2, "mlp_port",
2794 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2795 
2796 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2797 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2798 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2799 
2800 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2801 
2802 		break;
2803 	}
2804 	default:
2805 		break;
2806 	}
2807 }
2808 
2809 
2810 static au_event_t
2811 aui_auditsys(au_event_t e)
2812 {
2813 	klwp_t *clwp = ttolwp(curthread);
2814 	uint32_t code;
2815 
2816 	struct a {
2817 		long	code;
2818 		long	a1;
2819 		long	a2;
2820 		long	a3;
2821 		long	a4;
2822 		long	a5;
2823 		long	a6;
2824 		long	a7;
2825 	} *uap = (struct a *)clwp->lwp_ap;
2826 
2827 	code = (uint32_t)uap->code;
2828 
2829 	switch (code) {
2830 
2831 	case BSM_GETAUID:
2832 		e = AUE_GETAUID;
2833 		break;
2834 	case BSM_SETAUID:
2835 		e = AUE_SETAUID;
2836 		break;
2837 	case BSM_GETAUDIT:
2838 		e = AUE_GETAUDIT;
2839 		break;
2840 	case BSM_GETAUDIT_ADDR:
2841 		e = AUE_GETAUDIT_ADDR;
2842 		break;
2843 	case BSM_SETAUDIT:
2844 		e = AUE_SETAUDIT;
2845 		break;
2846 	case BSM_SETAUDIT_ADDR:
2847 		e = AUE_SETAUDIT_ADDR;
2848 		break;
2849 	case BSM_AUDIT:
2850 		e = AUE_AUDIT;
2851 		break;
2852 	case BSM_AUDITON:
2853 	case BSM_AUDITCTL:
2854 
2855 		switch ((uint_t)uap->a1) {
2856 
2857 		case A_GETPOLICY:
2858 			e = AUE_AUDITON_GPOLICY;
2859 			break;
2860 		case A_SETPOLICY:
2861 			e = AUE_AUDITON_SPOLICY;
2862 			break;
2863 		case A_GETKMASK:
2864 			e = AUE_AUDITON_GETKMASK;
2865 			break;
2866 		case A_SETKMASK:
2867 			e = AUE_AUDITON_SETKMASK;
2868 			break;
2869 		case A_GETQCTRL:
2870 			e = AUE_AUDITON_GQCTRL;
2871 			break;
2872 		case A_SETQCTRL:
2873 			e = AUE_AUDITON_SQCTRL;
2874 			break;
2875 		case A_GETCWD:
2876 			e = AUE_AUDITON_GETCWD;
2877 			break;
2878 		case A_GETCAR:
2879 			e = AUE_AUDITON_GETCAR;
2880 			break;
2881 		case A_GETSTAT:
2882 			e = AUE_AUDITON_GETSTAT;
2883 			break;
2884 		case A_SETSTAT:
2885 			e = AUE_AUDITON_SETSTAT;
2886 			break;
2887 		case A_SETUMASK:
2888 			e = AUE_AUDITON_SETUMASK;
2889 			break;
2890 		case A_SETSMASK:
2891 			e = AUE_AUDITON_SETSMASK;
2892 			break;
2893 		case A_GETCOND:
2894 			e = AUE_AUDITON_GETCOND;
2895 			break;
2896 		case A_SETCOND:
2897 			e = AUE_AUDITON_SETCOND;
2898 			break;
2899 		case A_GETCLASS:
2900 			e = AUE_AUDITON_GETCLASS;
2901 			break;
2902 		case A_SETCLASS:
2903 			e = AUE_AUDITON_SETCLASS;
2904 			break;
2905 		default:
2906 			e = AUE_NULL;
2907 			break;
2908 		}
2909 		break;
2910 	default:
2911 		e = AUE_NULL;
2912 		break;
2913 	}
2914 
2915 	return (e);
2916 
2917 }	/* AUI_AUDITSYS */
2918 
2919 
2920 static void
2921 aus_auditsys(struct t_audit_data *tad)
2922 {
2923 	klwp_t *clwp = ttolwp(curthread);
2924 	uintptr_t a1, a2;
2925 	STRUCT_DECL(auditinfo, ainfo);
2926 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2927 	au_evclass_map_t event;
2928 	au_mask_t mask;
2929 	int auditstate, policy;
2930 	au_id_t auid;
2931 
2932 
2933 	struct a {
2934 		long	code;
2935 		long	a1;
2936 		long	a2;
2937 		long	a3;
2938 		long	a4;
2939 		long	a5;
2940 		long	a6;
2941 		long	a7;
2942 	} *uap = (struct a *)clwp->lwp_ap;
2943 
2944 	a1   = (uintptr_t)uap->a1;
2945 	a2   = (uintptr_t)uap->a2;
2946 
2947 	switch (tad->tad_event) {
2948 	case AUE_SETAUID:
2949 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2950 				return;
2951 		au_uwrite(au_to_arg32(2, "setauid", auid));
2952 		break;
2953 	case AUE_SETAUDIT:
2954 		STRUCT_INIT(ainfo, get_udatamodel());
2955 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2956 		    STRUCT_SIZE(ainfo))) {
2957 				return;
2958 		}
2959 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2960 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2961 #ifdef _LP64
2962 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2963 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2964 #else
2965 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2966 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2967 #endif
2968 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2969 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2970 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2971 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2972 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2973 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2974 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2975 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2976 		break;
2977 	case AUE_SETAUDIT_ADDR:
2978 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2979 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2980 		    STRUCT_SIZE(ainfo_addr))) {
2981 				return;
2982 		}
2983 		au_uwrite(au_to_arg32((char)1, "auid",
2984 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2985 #ifdef _LP64
2986 		au_uwrite(au_to_arg64((char)1, "port",
2987 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2988 #else
2989 		au_uwrite(au_to_arg32((char)1, "port",
2990 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2991 #endif
2992 		au_uwrite(au_to_arg32((char)1, "type",
2993 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2994 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2995 		    AU_IPv4) {
2996 			au_uwrite(au_to_in_addr(
2997 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2998 			    ai_termid.at_addr)));
2999 		} else {
3000 			au_uwrite(au_to_in_addr_ex(
3001 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
3002 			    ai_termid.at_addr)));
3003 		}
3004 		au_uwrite(au_to_arg32((char)1, "as_success",
3005 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3006 		au_uwrite(au_to_arg32((char)1, "as_failure",
3007 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3008 		au_uwrite(au_to_arg32((char)1, "asid",
3009 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3010 		break;
3011 	case AUE_AUDITON_SETKMASK:
3012 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3013 				return;
3014 		au_uwrite(au_to_arg32(
3015 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
3016 		au_uwrite(au_to_arg32(
3017 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3018 		break;
3019 	case AUE_AUDITON_SPOLICY:
3020 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
3021 			return;
3022 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3023 		break;
3024 	case AUE_AUDITON_SQCTRL: {
3025 		STRUCT_DECL(au_qctrl, qctrl);
3026 		model_t model;
3027 
3028 		model = get_udatamodel();
3029 		STRUCT_INIT(qctrl, model);
3030 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3031 				return;
3032 		if (model == DATAMODEL_ILP32) {
3033 			au_uwrite(au_to_arg32(
3034 			    3, "setqctrl:aq_hiwater",
3035 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3036 			au_uwrite(au_to_arg32(
3037 			    3, "setqctrl:aq_lowater",
3038 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3039 			au_uwrite(au_to_arg32(
3040 			    3, "setqctrl:aq_bufsz",
3041 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3042 			au_uwrite(au_to_arg32(
3043 			    3, "setqctrl:aq_delay",
3044 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3045 		} else {
3046 			au_uwrite(au_to_arg64(
3047 			    3, "setqctrl:aq_hiwater",
3048 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3049 			au_uwrite(au_to_arg64(
3050 			    3, "setqctrl:aq_lowater",
3051 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3052 			au_uwrite(au_to_arg64(
3053 			    3, "setqctrl:aq_bufsz",
3054 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3055 			au_uwrite(au_to_arg64(
3056 			    3, "setqctrl:aq_delay",
3057 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3058 		}
3059 		break;
3060 	}
3061 	case AUE_AUDITON_SETUMASK:
3062 		STRUCT_INIT(ainfo, get_udatamodel());
3063 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3064 		    STRUCT_SIZE(ainfo))) {
3065 			return;
3066 		}
3067 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3068 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3069 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3070 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3071 		break;
3072 	case AUE_AUDITON_SETSMASK:
3073 		STRUCT_INIT(ainfo, get_udatamodel());
3074 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3075 		    STRUCT_SIZE(ainfo))) {
3076 			return;
3077 		}
3078 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3079 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3080 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3081 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3082 		break;
3083 	case AUE_AUDITON_SETCOND:
3084 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3085 			return;
3086 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3087 		break;
3088 	case AUE_AUDITON_SETCLASS:
3089 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3090 			return;
3091 		au_uwrite(au_to_arg32(
3092 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3093 		au_uwrite(au_to_arg32(
3094 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3095 		break;
3096 	case AUE_GETAUID:
3097 	case AUE_GETAUDIT:
3098 	case AUE_GETAUDIT_ADDR:
3099 	case AUE_AUDIT:
3100 	case AUE_AUDITON_GPOLICY:
3101 	case AUE_AUDITON_GQCTRL:
3102 	case AUE_AUDITON_GETKMASK:
3103 	case AUE_AUDITON_GETCWD:
3104 	case AUE_AUDITON_GETCAR:
3105 	case AUE_AUDITON_GETSTAT:
3106 	case AUE_AUDITON_SETSTAT:
3107 	case AUE_AUDITON_GETCOND:
3108 	case AUE_AUDITON_GETCLASS:
3109 		break;
3110 	default:
3111 		break;
3112 	}
3113 
3114 }	/* AUS_AUDITSYS */
3115 
3116 
3117 /* only audit privileged operations for systeminfo(2) system call */
3118 static au_event_t
3119 aui_sysinfo(au_event_t e)
3120 {
3121 	klwp_t *clwp = ttolwp(curthread);
3122 	uint32_t command;
3123 
3124 	struct a {
3125 		long	command;
3126 		long	buf;		/* char * */
3127 		long	count;
3128 	} *uap = (struct a *)clwp->lwp_ap;
3129 
3130 	command = (uint32_t)uap->command;
3131 
3132 	switch (command) {
3133 	case SI_SET_HOSTNAME:
3134 	case SI_SET_SRPC_DOMAIN:
3135 		e = (au_event_t)AUE_SYSINFO;
3136 		break;
3137 	default:
3138 		e = (au_event_t)AUE_NULL;
3139 		break;
3140 	}
3141 	return (e);
3142 }
3143 
3144 /*ARGSUSED*/
3145 static void
3146 aus_sysinfo(struct t_audit_data *tad)
3147 {
3148 	klwp_t *clwp = ttolwp(curthread);
3149 	uint32_t command;
3150 	size_t len, maxlen;
3151 	char *name;
3152 	uintptr_t buf;
3153 
3154 	struct a {
3155 		long	command;
3156 		long	buf;		/* char * */
3157 		long	count;
3158 	} *uap = (struct a *)clwp->lwp_ap;
3159 
3160 	command = (uint32_t)uap->command;
3161 	buf = (uintptr_t)uap->buf;
3162 
3163 	au_uwrite(au_to_arg32(1, "cmd", command));
3164 
3165 	switch (command) {
3166 	case SI_SET_HOSTNAME:
3167 	{
3168 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3169 			return;
3170 
3171 		maxlen = SYS_NMLN;
3172 		name = kmem_alloc(maxlen, KM_SLEEP);
3173 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3174 			break;
3175 
3176 		/*
3177 		 * Must be non-NULL string and string
3178 		 * must be less than SYS_NMLN chars.
3179 		 */
3180 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3181 			break;
3182 
3183 		au_uwrite(au_to_text(name));
3184 		break;
3185 	}
3186 
3187 	case SI_SET_SRPC_DOMAIN:
3188 	{
3189 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3190 			return;
3191 
3192 		maxlen = SYS_NMLN;
3193 		name = kmem_alloc(maxlen, KM_SLEEP);
3194 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3195 			break;
3196 
3197 		/*
3198 		 * If string passed in is longer than length
3199 		 * allowed for domain name, fail.
3200 		 */
3201 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3202 			break;
3203 
3204 		au_uwrite(au_to_text(name));
3205 		break;
3206 	}
3207 
3208 	default:
3209 		return;
3210 	}
3211 
3212 	kmem_free(name, maxlen);
3213 }
3214 
3215 static au_event_t
3216 aui_modctl(au_event_t e)
3217 {
3218 	klwp_t *clwp = ttolwp(curthread);
3219 	uint_t cmd;
3220 
3221 	struct a {
3222 		long	cmd;
3223 	} *uap = (struct a *)clwp->lwp_ap;
3224 
3225 	cmd = (uint_t)uap->cmd;
3226 
3227 	switch (cmd) {
3228 	case MODLOAD:
3229 		e = AUE_MODLOAD;
3230 		break;
3231 	case MODUNLOAD:
3232 		e = AUE_MODUNLOAD;
3233 		break;
3234 	case MODADDMAJBIND:
3235 		e = AUE_MODADDMAJ;
3236 		break;
3237 	case MODSETDEVPOLICY:
3238 		e = AUE_MODDEVPLCY;
3239 		break;
3240 	case MODALLOCPRIV:
3241 		e = AUE_MODADDPRIV;
3242 		break;
3243 	default:
3244 		e = AUE_NULL;
3245 		break;
3246 	}
3247 	return (e);
3248 }
3249 
3250 
3251 /*ARGSUSED*/
3252 static void
3253 aus_modctl(struct t_audit_data *tad)
3254 {
3255 	klwp_t *clwp = ttolwp(curthread);
3256 	void *a	= clwp->lwp_ap;
3257 	uint_t use_path;
3258 
3259 	switch (tad->tad_event) {
3260 	case AUE_MODLOAD: {
3261 		typedef struct {
3262 			long	cmd;
3263 			long	use_path;
3264 			long	filename;		/* char * */
3265 		} modloada_t;
3266 
3267 		char *filenamep;
3268 		uintptr_t fname;
3269 		extern char *default_path;
3270 
3271 		fname = (uintptr_t)((modloada_t *)a)->filename;
3272 		use_path = (uint_t)((modloada_t *)a)->use_path;
3273 
3274 			/* space to hold path */
3275 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3276 			/* get string */
3277 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3278 				/* free allocated path */
3279 			kmem_free(filenamep, MOD_MAXPATH);
3280 			return;
3281 		}
3282 			/* ensure it's null terminated */
3283 		filenamep[MOD_MAXPATH - 1] = 0;
3284 
3285 		if (use_path)
3286 			au_uwrite(au_to_text(default_path));
3287 		au_uwrite(au_to_text(filenamep));
3288 
3289 			/* release temporary memory */
3290 		kmem_free(filenamep, MOD_MAXPATH);
3291 		break;
3292 	}
3293 	case AUE_MODUNLOAD: {
3294 		typedef struct {
3295 			long	cmd;
3296 			long	id;
3297 		} modunloada_t;
3298 
3299 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3300 
3301 		au_uwrite(au_to_arg32(1, "id", id));
3302 		break;
3303 	}
3304 	case AUE_MODADDMAJ: {
3305 		STRUCT_DECL(modconfig, mc);
3306 		typedef struct {
3307 			long	cmd;
3308 			long	subcmd;
3309 			long	data;		/* int * */
3310 		} modconfiga_t;
3311 
3312 		STRUCT_DECL(aliases, alias);
3313 		caddr_t ap;
3314 		int i, num_aliases;
3315 		char *drvname, *mc_drvname;
3316 		char *name;
3317 		extern char *ddi_major_to_name(major_t);
3318 		model_t model;
3319 
3320 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3321 
3322 		model = get_udatamodel();
3323 		STRUCT_INIT(mc, model);
3324 			/* sanitize buffer */
3325 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3326 			/* get user arguments */
3327 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3328 		    STRUCT_SIZE(mc)) != 0)
3329 			return;
3330 
3331 		mc_drvname = STRUCT_FGET(mc, drvname);
3332 		if ((drvname = ddi_major_to_name(
3333 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3334 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3335 				/* safety */
3336 			if (mc_drvname[0] != '\0') {
3337 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3338 				au_uwrite(au_to_text(mc_drvname));
3339 			}
3340 				/* drvname != NULL from test above */
3341 			au_uwrite(au_to_text(drvname));
3342 			return;
3343 		}
3344 
3345 		if (mc_drvname[0] != '\0') {
3346 				/* safety */
3347 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3348 			au_uwrite(au_to_text(mc_drvname));
3349 		} else
3350 			au_uwrite(au_to_text("no drvname"));
3351 
3352 		num_aliases = STRUCT_FGET(mc, num_aliases);
3353 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3354 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3355 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3356 		STRUCT_INIT(alias, model);
3357 		for (i = 0; i < num_aliases; i++) {
3358 			bzero((caddr_t)STRUCT_BUF(alias),
3359 			    STRUCT_SIZE(alias));
3360 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3361 			    STRUCT_SIZE(alias)) != 0)
3362 				break;
3363 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3364 			    MAXMODCONFNAME, NULL) != 0) {
3365 				break;
3366 			}
3367 
3368 			au_uwrite(au_to_text(name));
3369 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3370 		}
3371 		kmem_free(name, MAXMODCONFNAME);
3372 		break;
3373 	}
3374 	default:
3375 		break;
3376 	}
3377 }
3378 
3379 
3380 /*ARGSUSED*/
3381 static void
3382 auf_accept(
3383 	struct t_audit_data *tad,
3384 	int	error,
3385 	rval_t	*rval)
3386 {
3387 	uint32_t scid;
3388 	uint32_t sy_flags;
3389 	int fd;
3390 	struct sonode *so;
3391 	char so_laddr[sizeof (struct sockaddr_in6)];
3392 	char so_faddr[sizeof (struct sockaddr_in6)];
3393 	int err;
3394 	short so_family, so_type;
3395 	int add_sock_token = 0;
3396 
3397 	/* need to determine type of executing binary */
3398 	scid = tad->tad_scid;
3399 #ifdef _SYSCALL32_IMPL
3400 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3401 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3402 	else
3403 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3404 #else
3405 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3406 #endif
3407 	if (sy_flags == SE_32RVAL1)
3408 		fd = rval->r_val1;
3409 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3410 		fd = rval->r_val1;
3411 	if (sy_flags == SE_64RVAL)
3412 		fd = (int)rval->r_vals;
3413 
3414 	if (error) {
3415 		/* can't trust socket contents. Just return */
3416 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3417 		return;
3418 	}
3419 
3420 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3421 		/*
3422 		 * not security relevant if doing a accept from non socket
3423 		 * so no extra tokens. Should probably turn off audit record
3424 		 * generation here.
3425 		 */
3426 		return;
3427 	}
3428 
3429 	so_family = so->so_family;
3430 	so_type   = so->so_type;
3431 
3432 	switch (so_family) {
3433 	case AF_INET:
3434 	case AF_INET6:
3435 		/*
3436 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3437 		 */
3438 		if (so->so_type == SOCK_STREAM) {
3439 			socklen_t len;
3440 
3441 			bzero((void *)so_laddr, sizeof (so_laddr));
3442 			bzero((void *)so_faddr, sizeof (so_faddr));
3443 
3444 			len = sizeof (so_laddr);
3445 			(void) socket_getsockname(so,
3446 			    (struct sockaddr *)so_laddr, &len, CRED());
3447 			len = sizeof (so_faddr);
3448 			(void) socket_getpeername(so,
3449 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3450 
3451 			add_sock_token = 1;
3452 		}
3453 		break;
3454 
3455 	default:
3456 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3457 		break;
3458 	}
3459 
3460 	releasef(fd);
3461 
3462 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3463 
3464 	if (add_sock_token == 0) {
3465 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3466 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3467 		return;
3468 	}
3469 
3470 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3471 
3472 }
3473 
3474 /*ARGSUSED*/
3475 static void
3476 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3477 {
3478 	struct a {
3479 		long	fd;
3480 		long	addr;
3481 		long	len;
3482 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3483 
3484 	struct sonode *so;
3485 	char so_laddr[sizeof (struct sockaddr_in6)];
3486 	char so_faddr[sizeof (struct sockaddr_in6)];
3487 	int err, fd;
3488 	socklen_t len;
3489 	short so_family, so_type;
3490 	int add_sock_token = 0;
3491 
3492 	fd = (int)uap->fd;
3493 
3494 	/*
3495 	 * bind failed, then nothing extra to add to audit record.
3496 	 */
3497 	if (error) {
3498 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3499 		/* XXX may want to add failed address some day */
3500 		return;
3501 	}
3502 
3503 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3504 		/*
3505 		 * not security relevant if doing a bind from non socket
3506 		 * so no extra tokens. Should probably turn off audit record
3507 		 * generation here.
3508 		 */
3509 		return;
3510 	}
3511 
3512 	so_family = so->so_family;
3513 	so_type   = so->so_type;
3514 
3515 	switch (so_family) {
3516 	case AF_INET:
3517 	case AF_INET6:
3518 
3519 		bzero(so_faddr, sizeof (so_faddr));
3520 		len = sizeof (so_faddr);
3521 
3522 		(void) socket_getpeername(so,
3523 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3524 		add_sock_token = 1;
3525 
3526 		break;
3527 
3528 	case AF_UNIX:
3529 		/* token added by lookup */
3530 		break;
3531 	default:
3532 		/* AF_ROUTE, AF_KEY do not support accept */
3533 		break;
3534 	}
3535 
3536 	releasef(fd);
3537 
3538 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3539 
3540 	if (add_sock_token == 0) {
3541 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3542 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3543 		return;
3544 	}
3545 
3546 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3547 
3548 }
3549 
3550 /*ARGSUSED*/
3551 static void
3552 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3553 {
3554 	struct a {
3555 		long	fd;
3556 		long	addr;
3557 		long	len;
3558 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3559 
3560 	struct sonode *so;
3561 	char so_laddr[sizeof (struct sockaddr_in6)];
3562 	char so_faddr[sizeof (struct sockaddr_in6)];
3563 	int err, fd;
3564 	socklen_t len;
3565 	short so_family, so_type;
3566 	int add_sock_token = 0;
3567 
3568 	fd = (int)uap->fd;
3569 
3570 
3571 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3572 		/*
3573 		 * not security relevant if doing a connect from non socket
3574 		 * so no extra tokens. Should probably turn off audit record
3575 		 * generation here.
3576 		 */
3577 		return;
3578 	}
3579 
3580 	so_family = so->so_family;
3581 	so_type   = so->so_type;
3582 
3583 	switch (so_family) {
3584 	case AF_INET:
3585 	case AF_INET6:
3586 
3587 		bzero(so_laddr, sizeof (so_laddr));
3588 		bzero(so_faddr, sizeof (so_faddr));
3589 
3590 		len = sizeof (so_laddr);
3591 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3592 		    &len, CRED());
3593 		if (error) {
3594 			if (uap->addr == NULL)
3595 				break;
3596 			if (uap->len <= 0)
3597 				break;
3598 			len = min(uap->len, sizeof (so_faddr));
3599 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3600 				break;
3601 #ifdef NOTYET
3602 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3603 #endif
3604 		} else {
3605 			/* sanity check on length */
3606 			len = sizeof (so_faddr);
3607 			(void) socket_getpeername(so,
3608 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3609 		}
3610 
3611 		add_sock_token = 1;
3612 
3613 		break;
3614 
3615 	case AF_UNIX:
3616 		/* does a lookup on name */
3617 		break;
3618 
3619 	default:
3620 		/* AF_ROUTE, AF_KEY do not support accept */
3621 		break;
3622 	}
3623 
3624 	releasef(fd);
3625 
3626 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3627 
3628 	if (add_sock_token == 0) {
3629 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3630 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3631 		return;
3632 	}
3633 
3634 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3635 
3636 }
3637 
3638 /*ARGSUSED*/
3639 static void
3640 aus_shutdown(struct t_audit_data *tad)
3641 {
3642 	struct a {
3643 		long	fd;
3644 		long	how;
3645 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3646 
3647 	struct sonode *so;
3648 	char so_laddr[sizeof (struct sockaddr_in6)];
3649 	char so_faddr[sizeof (struct sockaddr_in6)];
3650 	int err, fd;
3651 	socklen_t len;
3652 	short so_family, so_type;
3653 	int add_sock_token = 0;
3654 	file_t *fp;				/* unix domain sockets */
3655 	struct f_audit_data *fad;		/* unix domain sockets */
3656 
3657 	fd = (int)uap->fd;
3658 
3659 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3660 		/*
3661 		 * not security relevant if doing a shutdown using non socket
3662 		 * so no extra tokens. Should probably turn off audit record
3663 		 * generation here.
3664 		 */
3665 		return;
3666 	}
3667 
3668 	so_family = so->so_family;
3669 	so_type   = so->so_type;
3670 
3671 	switch (so_family) {
3672 	case AF_INET:
3673 	case AF_INET6:
3674 
3675 		bzero(so_laddr, sizeof (so_laddr));
3676 		bzero(so_faddr, sizeof (so_faddr));
3677 
3678 		len = sizeof (so_laddr);
3679 		(void) socket_getsockname(so,
3680 		    (struct sockaddr *)so_laddr, &len, CRED());
3681 		len = sizeof (so_faddr);
3682 		(void) socket_getpeername(so,
3683 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3684 
3685 		add_sock_token = 1;
3686 
3687 		break;
3688 
3689 	case AF_UNIX:
3690 
3691 		/* get path from file struct here */
3692 		fad = F2A(fp);
3693 		ASSERT(fad);
3694 
3695 		if (fad->fad_aupath != NULL) {
3696 			au_uwrite(au_to_path(fad->fad_aupath));
3697 		} else {
3698 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3699 		}
3700 
3701 		audit_attributes(fp->f_vnode);
3702 
3703 		break;
3704 
3705 	default:
3706 		/*
3707 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3708 		 * added.
3709 		 */
3710 		break;
3711 	}
3712 
3713 	releasef(fd);
3714 
3715 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3716 
3717 	if (add_sock_token == 0) {
3718 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3719 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3720 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3721 		return;
3722 	}
3723 
3724 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3725 
3726 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3727 
3728 }
3729 
3730 /*ARGSUSED*/
3731 static void
3732 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3733 {
3734 	struct a {
3735 		long	fd;
3736 		long	level;
3737 		long	optname;
3738 		long	*optval;
3739 		long	optlen;
3740 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3741 
3742 	struct sonode	*so;
3743 	char so_laddr[sizeof (struct sockaddr_in6)];
3744 	char so_faddr[sizeof (struct sockaddr_in6)];
3745 	char		val[AU_BUFSIZE];
3746 	int		err, fd;
3747 	socklen_t	len;
3748 	short so_family, so_type;
3749 	int		add_sock_token = 0;
3750 	file_t *fp;				/* unix domain sockets */
3751 	struct f_audit_data *fad;		/* unix domain sockets */
3752 
3753 	fd = (int)uap->fd;
3754 
3755 	if (error) {
3756 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3757 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3758 		/* XXX may want to include other arguments */
3759 		return;
3760 	}
3761 
3762 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3763 		/*
3764 		 * not security relevant if doing a setsockopt from non socket
3765 		 * so no extra tokens. Should probably turn off audit record
3766 		 * generation here.
3767 		 */
3768 		return;
3769 	}
3770 
3771 	so_family = so->so_family;
3772 	so_type   = so->so_type;
3773 
3774 	switch (so_family) {
3775 	case AF_INET:
3776 	case AF_INET6:
3777 		bzero((void *)so_laddr, sizeof (so_laddr));
3778 		bzero((void *)so_faddr, sizeof (so_faddr));
3779 
3780 		/* get local and foreign addresses */
3781 		len = sizeof (so_laddr);
3782 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3783 		    &len, CRED());
3784 		len = sizeof (so_faddr);
3785 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3786 		    &len, B_FALSE, CRED());
3787 
3788 		add_sock_token = 1;
3789 
3790 		break;
3791 
3792 	case AF_UNIX:
3793 
3794 		/* get path from file struct here */
3795 		fad = F2A(fp);
3796 		ASSERT(fad);
3797 
3798 		if (fad->fad_aupath != NULL) {
3799 			au_uwrite(au_to_path(fad->fad_aupath));
3800 		} else {
3801 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3802 		}
3803 
3804 		audit_attributes(fp->f_vnode);
3805 
3806 		break;
3807 
3808 	default:
3809 		/*
3810 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3811 		 * added.
3812 		 */
3813 		break;
3814 	}
3815 
3816 	releasef(fd);
3817 
3818 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3819 
3820 	if (add_sock_token == 0) {
3821 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3822 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3823 	}
3824 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3825 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3826 
3827 	bzero(val, sizeof (val));
3828 	len = min(uap->optlen, sizeof (val));
3829 	if ((len > 0) &&
3830 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3831 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3832 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3833 	}
3834 
3835 	if (add_sock_token == 0)
3836 		return;
3837 
3838 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3839 
3840 }
3841 
3842 /*ARGSUSED*/
3843 static void
3844 aus_sockconfig(tad)
3845 	struct t_audit_data *tad;
3846 {
3847 	struct a {
3848 		long	domain;
3849 		long	type;
3850 		long	protocol;
3851 		long	devpath;
3852 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3853 
3854 	char	*kdevpath;
3855 	int	kdevpathlen = MAXPATHLEN + 1;
3856 	size_t	size;
3857 
3858 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3859 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3860 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3861 
3862 	if (uap->devpath == 0) {
3863 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3864 	} else {
3865 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3866 
3867 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3868 			&size)) {
3869 			kmem_free(kdevpath, kdevpathlen);
3870 			return;
3871 		}
3872 
3873 		if (size > MAXPATHLEN) {
3874 			kmem_free(kdevpath, kdevpathlen);
3875 			return;
3876 		}
3877 
3878 		au_uwrite(au_to_text(kdevpath));
3879 		kmem_free(kdevpath, kdevpathlen);
3880 	}
3881 }
3882 
3883 /*
3884  * only audit recvmsg when the system call represents the creation of a new
3885  * circuit. This effectively occurs for all UDP packets and may occur for
3886  * special TCP situations where the local host has not set a local address
3887  * in the socket structure.
3888  */
3889 /*ARGSUSED*/
3890 static void
3891 auf_recvmsg(
3892 	struct t_audit_data *tad,
3893 	int error,
3894 	rval_t *rvp)
3895 {
3896 	struct a {
3897 		long	fd;
3898 		long	msg;	/* struct msghdr */
3899 		long	flags;
3900 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3901 
3902 	struct sonode	*so;
3903 	STRUCT_DECL(msghdr, msg);
3904 	caddr_t msg_name;
3905 	socklen_t msg_namelen;
3906 	int fd;
3907 	int err;
3908 	char so_laddr[sizeof (struct sockaddr_in6)];
3909 	char so_faddr[sizeof (struct sockaddr_in6)];
3910 	socklen_t len;
3911 	file_t *fp;				/* unix domain sockets */
3912 	struct f_audit_data *fad;		/* unix domain sockets */
3913 	short so_family, so_type;
3914 	int add_sock_token = 0;
3915 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3916 
3917 	fd = (int)uap->fd;
3918 
3919 	/* bail if an error */
3920 	if (error) {
3921 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3922 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3923 		return;
3924 	}
3925 
3926 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3927 		/*
3928 		 * not security relevant if doing a recvmsg from non socket
3929 		 * so no extra tokens. Should probably turn off audit record
3930 		 * generation here.
3931 		 */
3932 		return;
3933 	}
3934 
3935 	so_family = so->so_family;
3936 	so_type   = so->so_type;
3937 
3938 	/*
3939 	 * only putout SOCKET_EX token if INET/INET6 family.
3940 	 * XXX - what do we do about other families?
3941 	 */
3942 
3943 	switch (so_family) {
3944 	case AF_INET:
3945 	case AF_INET6:
3946 
3947 		/*
3948 		 * if datagram type socket, then just use what is in
3949 		 * socket structure for local address.
3950 		 * XXX - what do we do for other types?
3951 		 */
3952 		if ((so->so_type == SOCK_DGRAM) ||
3953 		    (so->so_type == SOCK_RAW)) {
3954 			add_sock_token = 1;
3955 
3956 			bzero((void *)so_laddr, sizeof (so_laddr));
3957 			bzero((void *)so_faddr, sizeof (so_faddr));
3958 
3959 			/* get local address */
3960 			len = sizeof (so_laddr);
3961 			(void) socket_getsockname(so,
3962 			    (struct sockaddr *)so_laddr, &len, CRED());
3963 
3964 			/* get peer address */
3965 			STRUCT_INIT(msg, get_udatamodel());
3966 
3967 			if (copyin((caddr_t)(uap->msg),
3968 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3969 				break;
3970 			}
3971 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3972 			if (msg_name == NULL) {
3973 				break;
3974 			}
3975 
3976 			/* length is value from recvmsg - sanity check */
3977 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3978 			if (msg_namelen == 0) {
3979 				break;
3980 			}
3981 			if (copyin(msg_name, so_faddr,
3982 			    sizeof (so_faddr)) != 0) {
3983 				break;
3984 			}
3985 
3986 		} else if (so->so_type == SOCK_STREAM) {
3987 
3988 			/* get path from file struct here */
3989 			fad = F2A(fp);
3990 			ASSERT(fad);
3991 
3992 			/*
3993 			 * already processed this file for read attempt
3994 			 */
3995 			if (fad->fad_flags & FAD_READ) {
3996 				/* don't want to audit every recvmsg attempt */
3997 				tad->tad_flag = 0;
3998 				/* free any residual audit data */
3999 				au_close(kctx, &(u_ad), 0, 0, 0);
4000 				releasef(fd);
4001 				return;
4002 			}
4003 			/*
4004 			 * mark things so we know what happened and don't
4005 			 * repeat things
4006 			 */
4007 			fad->fad_flags |= FAD_READ;
4008 
4009 			bzero((void *)so_laddr, sizeof (so_laddr));
4010 			bzero((void *)so_faddr, sizeof (so_faddr));
4011 
4012 			/* get local and foreign addresses */
4013 			len = sizeof (so_laddr);
4014 			(void) socket_getsockname(so,
4015 			    (struct sockaddr *)so_laddr, &len, CRED());
4016 			len = sizeof (so_faddr);
4017 			(void) socket_getpeername(so,
4018 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4019 
4020 			add_sock_token = 1;
4021 		}
4022 
4023 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4024 
4025 		break;
4026 
4027 	case AF_UNIX:
4028 		/*
4029 		 * first check if this is first time through. Too much
4030 		 * duplicate code to put this in an aui_ routine.
4031 		 */
4032 
4033 		/* get path from file struct here */
4034 		fad = F2A(fp);
4035 		ASSERT(fad);
4036 
4037 		/*
4038 		 * already processed this file for read attempt
4039 		 */
4040 		if (fad->fad_flags & FAD_READ) {
4041 			releasef(fd);
4042 			/* don't want to audit every recvmsg attempt */
4043 			tad->tad_flag = 0;
4044 			/* free any residual audit data */
4045 			au_close(kctx, &(u_ad), 0, 0, 0);
4046 			return;
4047 		}
4048 		/*
4049 		 * mark things so we know what happened and don't
4050 		 * repeat things
4051 		 */
4052 		fad->fad_flags |= FAD_READ;
4053 
4054 		if (fad->fad_aupath != NULL) {
4055 			au_uwrite(au_to_path(fad->fad_aupath));
4056 		} else {
4057 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4058 		}
4059 
4060 		audit_attributes(fp->f_vnode);
4061 
4062 		releasef(fd);
4063 
4064 		return;
4065 
4066 	default:
4067 		break;
4068 
4069 	}
4070 
4071 	releasef(fd);
4072 
4073 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4074 
4075 	if (add_sock_token == 0) {
4076 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4077 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4078 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4079 		return;
4080 	}
4081 
4082 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4083 
4084 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4085 
4086 }
4087 
4088 /*ARGSUSED*/
4089 static void
4090 auf_recvfrom(
4091 	struct t_audit_data *tad,
4092 	int error,
4093 	rval_t *rvp)
4094 {
4095 
4096 	struct a {
4097 		long	fd;
4098 		long	msg;	/* char */
4099 		long	len;
4100 		long	flags;
4101 		long	from;	/* struct sockaddr */
4102 		long	fromlen;
4103 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4104 
4105 	socklen_t	fromlen;
4106 	struct sonode	*so;
4107 	char so_laddr[sizeof (struct sockaddr_in6)];
4108 	char so_faddr[sizeof (struct sockaddr_in6)];
4109 	int		fd;
4110 	short so_family, so_type;
4111 	int add_sock_token = 0;
4112 	socklen_t len;
4113 	int err;
4114 	struct file *fp;
4115 	struct f_audit_data *fad;		/* unix domain sockets */
4116 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4117 
4118 	fd = (int)uap->fd;
4119 
4120 	/* bail if an error */
4121 	if (error) {
4122 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4123 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4124 		return;
4125 	}
4126 
4127 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4128 		/*
4129 		 * not security relevant if doing a recvmsg from non socket
4130 		 * so no extra tokens. Should probably turn off audit record
4131 		 * generation here.
4132 		 */
4133 		return;
4134 	}
4135 
4136 	so_family = so->so_family;
4137 	so_type   = so->so_type;
4138 
4139 	/*
4140 	 * only putout SOCKET_EX token if INET/INET6 family.
4141 	 * XXX - what do we do about other families?
4142 	 */
4143 
4144 	switch (so_family) {
4145 	case AF_INET:
4146 	case AF_INET6:
4147 
4148 		/*
4149 		 * if datagram type socket, then just use what is in
4150 		 * socket structure for local address.
4151 		 * XXX - what do we do for other types?
4152 		 */
4153 		if ((so->so_type == SOCK_DGRAM) ||
4154 		    (so->so_type == SOCK_RAW)) {
4155 			add_sock_token = 1;
4156 
4157 			/* get local address */
4158 			len = sizeof (so_laddr);
4159 			(void) socket_getsockname(so,
4160 			    (struct sockaddr *)so_laddr, &len, CRED());
4161 
4162 			/* get peer address */
4163 			bzero((void *)so_faddr, sizeof (so_faddr));
4164 
4165 			/* sanity check */
4166 			if (uap->from == NULL)
4167 				break;
4168 
4169 			/* sanity checks */
4170 			if (uap->fromlen == 0)
4171 				break;
4172 
4173 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4174 			    sizeof (fromlen)) != 0)
4175 				break;
4176 
4177 			if (fromlen == 0)
4178 				break;
4179 
4180 			/* enforce maximum size */
4181 			if (fromlen > sizeof (so_faddr))
4182 				fromlen = sizeof (so_faddr);
4183 
4184 			if (copyin((caddr_t)(uap->from), so_faddr,
4185 			    fromlen) != 0)
4186 				break;
4187 
4188 		} else if (so->so_type == SOCK_STREAM) {
4189 
4190 			/* get path from file struct here */
4191 			fad = F2A(fp);
4192 			ASSERT(fad);
4193 
4194 			/*
4195 			 * already processed this file for read attempt
4196 			 */
4197 			if (fad->fad_flags & FAD_READ) {
4198 				/* don't want to audit every recvfrom attempt */
4199 				tad->tad_flag = 0;
4200 				/* free any residual audit data */
4201 				au_close(kctx, &(u_ad), 0, 0, 0);
4202 				releasef(fd);
4203 				return;
4204 			}
4205 			/*
4206 			 * mark things so we know what happened and don't
4207 			 * repeat things
4208 			 */
4209 			fad->fad_flags |= FAD_READ;
4210 
4211 			bzero((void *)so_laddr, sizeof (so_laddr));
4212 			bzero((void *)so_faddr, sizeof (so_faddr));
4213 
4214 			/* get local and foreign addresses */
4215 			len = sizeof (so_laddr);
4216 			(void) socket_getsockname(so,
4217 			    (struct sockaddr *)so_laddr, &len, CRED());
4218 			len = sizeof (so_faddr);
4219 			(void) socket_getpeername(so,
4220 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4221 
4222 			add_sock_token = 1;
4223 		}
4224 
4225 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4226 
4227 		break;
4228 
4229 	case AF_UNIX:
4230 		/*
4231 		 * first check if this is first time through. Too much
4232 		 * duplicate code to put this in an aui_ routine.
4233 		 */
4234 
4235 		/* get path from file struct here */
4236 		fad = F2A(fp);
4237 		ASSERT(fad);
4238 
4239 		/*
4240 		 * already processed this file for read attempt
4241 		 */
4242 		if (fad->fad_flags & FAD_READ) {
4243 			/* don't want to audit every recvfrom attempt */
4244 			tad->tad_flag = 0;
4245 			/* free any residual audit data */
4246 			au_close(kctx, &(u_ad), 0, 0, 0);
4247 			releasef(fd);
4248 			return;
4249 		}
4250 		/*
4251 		 * mark things so we know what happened and don't
4252 		 * repeat things
4253 		 */
4254 		fad->fad_flags |= FAD_READ;
4255 
4256 		if (fad->fad_aupath != NULL) {
4257 			au_uwrite(au_to_path(fad->fad_aupath));
4258 		} else {
4259 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4260 		}
4261 
4262 		audit_attributes(fp->f_vnode);
4263 
4264 		releasef(fd);
4265 
4266 		return;
4267 
4268 	default:
4269 		break;
4270 
4271 	}
4272 
4273 	releasef(fd);
4274 
4275 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4276 
4277 	if (add_sock_token == 0) {
4278 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4279 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4280 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4281 		return;
4282 	}
4283 
4284 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4285 
4286 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4287 }
4288 
4289 /*ARGSUSED*/
4290 static void
4291 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4292 {
4293 	struct a {
4294 		long	fd;
4295 		long	msg;	/* struct msghdr */
4296 		long	flags;
4297 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4298 
4299 	struct sonode	*so;
4300 	char so_laddr[sizeof (struct sockaddr_in6)];
4301 	char so_faddr[sizeof (struct sockaddr_in6)];
4302 	int		err;
4303 	int		fd;
4304 	short so_family, so_type;
4305 	int		add_sock_token = 0;
4306 	socklen_t	len;
4307 	struct file	*fp;
4308 	struct f_audit_data *fad;
4309 	caddr_t		msg_name;
4310 	socklen_t	msg_namelen;
4311 	STRUCT_DECL(msghdr, msg);
4312 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4313 
4314 	fd = (int)uap->fd;
4315 
4316 	/* bail if an error */
4317 	if (error) {
4318 		/* XXX include destination address from system call arguments */
4319 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4320 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4321 		return;
4322 	}
4323 
4324 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4325 		/*
4326 		 * not security relevant if doing a sendmsg from non socket
4327 		 * so no extra tokens. Should probably turn off audit record
4328 		 * generation here.
4329 		 */
4330 		return;
4331 	}
4332 
4333 	so_family = so->so_family;
4334 	so_type   = so->so_type;
4335 
4336 	switch (so_family) {
4337 	case AF_INET:
4338 	case AF_INET6:
4339 		/*
4340 		 * if datagram type socket, then just use what is in
4341 		 * socket structure for local address.
4342 		 * XXX - what do we do for other types?
4343 		 */
4344 		if ((so->so_type == SOCK_DGRAM) ||
4345 		    (so->so_type == SOCK_RAW)) {
4346 
4347 			bzero((void *)so_laddr, sizeof (so_laddr));
4348 			bzero((void *)so_faddr, sizeof (so_faddr));
4349 
4350 			/* get local address */
4351 			len = sizeof (so_laddr);
4352 			(void) socket_getsockname(so,
4353 			    (struct sockaddr *)so_laddr, &len, CRED());
4354 
4355 			/* get peer address */
4356 			STRUCT_INIT(msg, get_udatamodel());
4357 
4358 			if (copyin((caddr_t)(uap->msg),
4359 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4360 				break;
4361 			}
4362 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4363 			if (msg_name == NULL)
4364 				break;
4365 
4366 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4367 			/* length is value from recvmsg - sanity check */
4368 			if (msg_namelen == 0)
4369 				break;
4370 
4371 			if (copyin(msg_name, so_faddr,
4372 			    sizeof (so_faddr)) != 0)
4373 				break;
4374 
4375 			add_sock_token = 1;
4376 
4377 		} else if (so->so_type == SOCK_STREAM) {
4378 
4379 			/* get path from file struct here */
4380 			fad = F2A(fp);
4381 			ASSERT(fad);
4382 
4383 			/*
4384 			 * already processed this file for write attempt
4385 			 */
4386 			if (fad->fad_flags & FAD_WRITE) {
4387 				releasef(fd);
4388 				/* don't want to audit every sendmsg attempt */
4389 				tad->tad_flag = 0;
4390 				/* free any residual audit data */
4391 				au_close(kctx, &(u_ad), 0, 0, 0);
4392 				return;
4393 			}
4394 
4395 			/*
4396 			 * mark things so we know what happened and don't
4397 			 * repeat things
4398 			 */
4399 			fad->fad_flags |= FAD_WRITE;
4400 
4401 			bzero((void *)so_laddr, sizeof (so_laddr));
4402 			bzero((void *)so_faddr, sizeof (so_faddr));
4403 
4404 			/* get local and foreign addresses */
4405 			len = sizeof (so_laddr);
4406 			(void) socket_getsockname(so,
4407 			    (struct sockaddr *)so_laddr, &len, CRED());
4408 			len = sizeof (so_faddr);
4409 			(void) socket_getpeername(so,
4410 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4411 
4412 			add_sock_token = 1;
4413 		}
4414 
4415 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4416 
4417 		break;
4418 
4419 	case AF_UNIX:
4420 		/*
4421 		 * first check if this is first time through. Too much
4422 		 * duplicate code to put this in an aui_ routine.
4423 		 */
4424 
4425 		/* get path from file struct here */
4426 		fad = F2A(fp);
4427 		ASSERT(fad);
4428 
4429 		/*
4430 		 * already processed this file for write attempt
4431 		 */
4432 		if (fad->fad_flags & FAD_WRITE) {
4433 			releasef(fd);
4434 			/* don't want to audit every sendmsg attempt */
4435 			tad->tad_flag = 0;
4436 			/* free any residual audit data */
4437 			au_close(kctx, &(u_ad), 0, 0, 0);
4438 			return;
4439 		}
4440 		/*
4441 		 * mark things so we know what happened and don't
4442 		 * repeat things
4443 		 */
4444 		fad->fad_flags |= FAD_WRITE;
4445 
4446 		if (fad->fad_aupath != NULL) {
4447 			au_uwrite(au_to_path(fad->fad_aupath));
4448 		} else {
4449 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4450 		}
4451 
4452 		audit_attributes(fp->f_vnode);
4453 
4454 		releasef(fd);
4455 
4456 		return;
4457 
4458 	default:
4459 		break;
4460 	}
4461 
4462 	releasef(fd);
4463 
4464 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4465 
4466 	if (add_sock_token == 0) {
4467 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4468 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4469 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4470 		return;
4471 	}
4472 
4473 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4474 
4475 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4476 }
4477 
4478 /*ARGSUSED*/
4479 static void
4480 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4481 {
4482 	struct a {
4483 		long	fd;
4484 		long	msg;	/* char */
4485 		long	len;
4486 		long	flags;
4487 		long	to;	/* struct sockaddr */
4488 		long	tolen;
4489 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4490 
4491 	struct sonode	*so;
4492 	char so_laddr[sizeof (struct sockaddr_in6)];
4493 	char so_faddr[sizeof (struct sockaddr_in6)];
4494 	socklen_t	tolen;
4495 	int		err;
4496 	int		fd;
4497 	socklen_t	len;
4498 	short so_family, so_type;
4499 	int		add_sock_token = 0;
4500 	struct file	*fp;
4501 	struct f_audit_data *fad;
4502 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4503 
4504 	fd = (int)uap->fd;
4505 
4506 	/* bail if an error */
4507 	if (error) {
4508 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4509 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4510 		/* XXX include destination address from system call arguments */
4511 		return;
4512 	}
4513 
4514 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4515 		/*
4516 		 * not security relevant if doing a sendto using non socket
4517 		 * so no extra tokens. Should probably turn off audit record
4518 		 * generation here.
4519 		 */
4520 		return;
4521 	}
4522 
4523 	so_family = so->so_family;
4524 	so_type   = so->so_type;
4525 
4526 	/*
4527 	 * only putout SOCKET_EX token if INET/INET6 family.
4528 	 * XXX - what do we do about other families?
4529 	 */
4530 
4531 	switch (so_family) {
4532 	case AF_INET:
4533 	case AF_INET6:
4534 
4535 		/*
4536 		 * if datagram type socket, then just use what is in
4537 		 * socket structure for local address.
4538 		 * XXX - what do we do for other types?
4539 		 */
4540 		if ((so->so_type == SOCK_DGRAM) ||
4541 		    (so->so_type == SOCK_RAW)) {
4542 
4543 			bzero((void *)so_laddr, sizeof (so_laddr));
4544 			bzero((void *)so_faddr, sizeof (so_faddr));
4545 
4546 			/* get local address */
4547 			len = sizeof (so_laddr);
4548 			(void) socket_getsockname(so,
4549 			    (struct sockaddr *)so_laddr, &len, CRED());
4550 
4551 			/* get peer address */
4552 
4553 			/* sanity check */
4554 			if (uap->to == NULL)
4555 				break;
4556 
4557 			/* sanity checks */
4558 			if (uap->tolen == 0)
4559 				break;
4560 
4561 			tolen = (socklen_t)uap->tolen;
4562 
4563 			/* enforce maximum size */
4564 			if (tolen > sizeof (so_faddr))
4565 				tolen = sizeof (so_faddr);
4566 
4567 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4568 				break;
4569 
4570 			add_sock_token = 1;
4571 		} else {
4572 			/*
4573 			 * check if this is first time through.
4574 			 */
4575 
4576 			/* get path from file struct here */
4577 			fad = F2A(fp);
4578 			ASSERT(fad);
4579 
4580 			/*
4581 			 * already processed this file for write attempt
4582 			 */
4583 			if (fad->fad_flags & FAD_WRITE) {
4584 				/* don't want to audit every sendto attempt */
4585 				tad->tad_flag = 0;
4586 				/* free any residual audit data */
4587 				au_close(kctx, &(u_ad), 0, 0, 0);
4588 				releasef(fd);
4589 				return;
4590 			}
4591 			/*
4592 			 * mark things so we know what happened and don't
4593 			 * repeat things
4594 			 */
4595 			fad->fad_flags |= FAD_WRITE;
4596 
4597 			bzero((void *)so_laddr, sizeof (so_laddr));
4598 			bzero((void *)so_faddr, sizeof (so_faddr));
4599 
4600 			/* get local and foreign addresses */
4601 			len = sizeof (so_laddr);
4602 			(void) socket_getsockname(so,
4603 			    (struct sockaddr *)so_laddr, &len, CRED());
4604 			len = sizeof (so_faddr);
4605 			(void) socket_getpeername(so,
4606 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4607 
4608 			add_sock_token = 1;
4609 		}
4610 
4611 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4612 
4613 		break;
4614 
4615 	case AF_UNIX:
4616 		/*
4617 		 * first check if this is first time through. Too much
4618 		 * duplicate code to put this in an aui_ routine.
4619 		 */
4620 
4621 		/* get path from file struct here */
4622 		fad = F2A(fp);
4623 		ASSERT(fad);
4624 
4625 		/*
4626 		 * already processed this file for write attempt
4627 		 */
4628 		if (fad->fad_flags & FAD_WRITE) {
4629 			/* don't want to audit every sendto attempt */
4630 			tad->tad_flag = 0;
4631 			/* free any residual audit data */
4632 			au_close(kctx, &(u_ad), 0, 0, 0);
4633 			releasef(fd);
4634 			return;
4635 		}
4636 		/*
4637 		 * mark things so we know what happened and don't
4638 		 * repeat things
4639 		 */
4640 		fad->fad_flags |= FAD_WRITE;
4641 
4642 		if (fad->fad_aupath != NULL) {
4643 			au_uwrite(au_to_path(fad->fad_aupath));
4644 		} else {
4645 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4646 		}
4647 
4648 		audit_attributes(fp->f_vnode);
4649 
4650 		releasef(fd);
4651 
4652 		return;
4653 
4654 	default:
4655 		break;
4656 
4657 	}
4658 
4659 	releasef(fd);
4660 
4661 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4662 
4663 	if (add_sock_token == 0) {
4664 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4665 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4666 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4667 		return;
4668 	}
4669 
4670 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4671 
4672 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4673 
4674 }
4675 
4676 /*
4677  * XXX socket(2) may be equivalent to open(2) on a unix domain
4678  * socket. This needs investigation.
4679  */
4680 
4681 /*ARGSUSED*/
4682 static void
4683 aus_socket(struct t_audit_data *tad)
4684 {
4685 	struct a {
4686 		long	domain;
4687 		long	type;
4688 		long	protocol;
4689 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4690 
4691 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4692 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4693 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4694 }
4695 
4696 /*ARGSUSED*/
4697 static void
4698 aus_sigqueue(struct t_audit_data *tad)
4699 {
4700 	struct a {
4701 		long	pid;
4702 		long	signo;
4703 		long	*val;
4704 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4705 	struct proc *p;
4706 	uid_t uid, ruid;
4707 	gid_t gid, rgid;
4708 	pid_t pid;
4709 	const auditinfo_addr_t *ainfo;
4710 	cred_t *cr;
4711 
4712 	pid = (pid_t)uap->pid;
4713 
4714 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4715 	if (pid > 0) {
4716 		mutex_enter(&pidlock);
4717 		if ((p = prfind(pid)) == (struct proc *)0) {
4718 			mutex_exit(&pidlock);
4719 			return;
4720 		}
4721 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4722 		mutex_exit(&pidlock);
4723 
4724 		mutex_enter(&p->p_crlock);
4725 		crhold(cr = p->p_cred);
4726 		mutex_exit(&p->p_crlock);
4727 		mutex_exit(&p->p_lock);
4728 
4729 		ainfo = crgetauinfo(cr);
4730 		if (ainfo == NULL) {
4731 			crfree(cr);
4732 			return;
4733 		}
4734 
4735 		uid  = crgetuid(cr);
4736 		gid  = crgetgid(cr);
4737 		ruid = crgetruid(cr);
4738 		rgid = crgetrgid(cr);
4739 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4740 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4741 		crfree(cr);
4742 	}
4743 	else
4744 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4745 }
4746 
4747 /*ARGSUSED*/
4748 static void
4749 aus_inst_sync(struct t_audit_data *tad)
4750 {
4751 	struct a {
4752 		long	name;	/* char */
4753 		long	flags;
4754 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4755 
4756 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4757 }
4758 
4759 /*ARGSUSED*/
4760 static void
4761 aus_brandsys(struct t_audit_data *tad)
4762 {
4763 	klwp_t *clwp = ttolwp(curthread);
4764 
4765 	struct a {
4766 		long	cmd;
4767 		long	arg1;
4768 		long	arg2;
4769 		long	arg3;
4770 		long	arg4;
4771 		long	arg5;
4772 		long	arg6;
4773 	} *uap = (struct a *)clwp->lwp_ap;
4774 
4775 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4776 #ifdef _LP64
4777 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4778 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4779 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4780 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4781 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4782 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4783 #else
4784 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4785 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4786 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4787 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4788 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4789 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4790 #endif
4791 }
4792 
4793 /*ARGSUSED*/
4794 static void
4795 aus_p_online(struct t_audit_data *tad)
4796 {
4797 	struct a {
4798 		long	processor_id;
4799 		long	flag;
4800 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4801 
4802 	struct flags {
4803 			int	flag;
4804 			char	*cflag;
4805 	} aflags[6] = {
4806 			{ P_ONLINE, "P_ONLINE"},
4807 			{ P_OFFLINE, "P_OFFLINE"},
4808 			{ P_NOINTR, "P_NOINTR"},
4809 			{ P_SPARE, "P_SPARE"},
4810 			{ P_FAULTED, "P_FAULTED"},
4811 			{ P_STATUS, "P_STATUS"}
4812 	};
4813 	int i;
4814 	char *cflag;
4815 
4816 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4817 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4818 
4819 	for (i = 0; i < 6; i++) {
4820 		if (aflags[i].flag == uap->flag)
4821 			break;
4822 	}
4823 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4824 
4825 	au_uwrite(au_to_text(cflag));
4826 }
4827 
4828 /*ARGSUSED*/
4829 static void
4830 aus_processor_bind(struct t_audit_data *tad)
4831 {
4832 	struct a {
4833 		long	id_type;
4834 		long	id;
4835 		long	processor_id;
4836 		long	obind;
4837 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4838 
4839 	struct proc *p;
4840 	int lwpcnt;
4841 	uid_t uid, ruid;
4842 	gid_t gid, rgid;
4843 	pid_t pid;
4844 	const auditinfo_addr_t *ainfo;
4845 	cred_t *cr;
4846 
4847 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4848 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4849 	if (uap->processor_id == PBIND_NONE)
4850 		au_uwrite(au_to_text("PBIND_NONE"));
4851 	else
4852 		au_uwrite(au_to_arg32(3, "processor_id",
4853 		    (uint32_t)uap->processor_id));
4854 
4855 	switch (uap->id_type) {
4856 	case P_MYID:
4857 	case P_LWPID:
4858 		mutex_enter(&pidlock);
4859 		p = ttoproc(curthread);
4860 		if (p == NULL || p->p_as == &kas) {
4861 			mutex_exit(&pidlock);
4862 			return;
4863 		}
4864 		mutex_enter(&p->p_lock);
4865 		mutex_exit(&pidlock);
4866 		lwpcnt = p->p_lwpcnt;
4867 		pid  = p->p_pid;
4868 
4869 		mutex_enter(&p->p_crlock);
4870 		crhold(cr = p->p_cred);
4871 		mutex_exit(&p->p_crlock);
4872 		mutex_exit(&p->p_lock);
4873 
4874 		ainfo = crgetauinfo(cr);
4875 		if (ainfo == NULL) {
4876 			crfree(cr);
4877 			return;
4878 		}
4879 
4880 		uid  = crgetuid(cr);
4881 		gid  = crgetgid(cr);
4882 		ruid = crgetruid(cr);
4883 		rgid = crgetrgid(cr);
4884 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4885 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4886 		crfree(cr);
4887 		break;
4888 	case P_PID:
4889 		mutex_enter(&pidlock);
4890 		p = prfind(uap->id);
4891 		if (p == NULL || p->p_as == &kas) {
4892 			mutex_exit(&pidlock);
4893 			return;
4894 		}
4895 		mutex_enter(&p->p_lock);
4896 		mutex_exit(&pidlock);
4897 		lwpcnt = p->p_lwpcnt;
4898 		pid  = p->p_pid;
4899 
4900 		mutex_enter(&p->p_crlock);
4901 		crhold(cr = p->p_cred);
4902 		mutex_exit(&p->p_crlock);
4903 		mutex_exit(&p->p_lock);
4904 
4905 		ainfo = crgetauinfo(cr);
4906 		if (ainfo == NULL) {
4907 			crfree(cr);
4908 			return;
4909 		}
4910 
4911 		uid  = crgetuid(cr);
4912 		gid  = crgetgid(cr);
4913 		ruid = crgetruid(cr);
4914 		rgid = crgetrgid(cr);
4915 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4916 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4917 		crfree(cr);
4918 
4919 		break;
4920 	default:
4921 		return;
4922 	}
4923 
4924 	if (uap->processor_id == PBIND_NONE &&
4925 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4926 		au_uwrite(au_to_text("PBIND_NONE for process"));
4927 	else
4928 		au_uwrite(au_to_arg32(3, "processor_id",
4929 		    (uint32_t)uap->processor_id));
4930 }
4931 
4932 /*ARGSUSED*/
4933 static au_event_t
4934 aui_doorfs(au_event_t e)
4935 {
4936 	uint32_t code;
4937 
4938 	struct a {		/* doorfs */
4939 		long	a1;
4940 		long	a2;
4941 		long	a3;
4942 		long	a4;
4943 		long	a5;
4944 		long	code;
4945 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4946 
4947 	/*
4948 	 *	audit formats for several of the
4949 	 *	door calls have not yet been determined
4950 	 */
4951 	code = (uint32_t)uap->code;
4952 	switch (code) {
4953 	case DOOR_CALL:
4954 		e = AUE_DOORFS_DOOR_CALL;
4955 		break;
4956 	case DOOR_RETURN:
4957 		e = AUE_NULL;
4958 		break;
4959 	case DOOR_CREATE:
4960 		e = AUE_DOORFS_DOOR_CREATE;
4961 		break;
4962 	case DOOR_REVOKE:
4963 		e = AUE_DOORFS_DOOR_REVOKE;
4964 		break;
4965 	case DOOR_INFO:
4966 		e = AUE_NULL;
4967 		break;
4968 	case DOOR_UCRED:
4969 		e = AUE_NULL;
4970 		break;
4971 	case DOOR_BIND:
4972 		e = AUE_NULL;
4973 		break;
4974 	case DOOR_UNBIND:
4975 		e = AUE_NULL;
4976 		break;
4977 	case DOOR_GETPARAM:
4978 		e = AUE_NULL;
4979 		break;
4980 	case DOOR_SETPARAM:
4981 		e = AUE_NULL;
4982 		break;
4983 	default:	/* illegal system call */
4984 		e = AUE_NULL;
4985 		break;
4986 	}
4987 
4988 	return (e);
4989 }
4990 
4991 static door_node_t *
4992 au_door_lookup(int did)
4993 {
4994 	vnode_t	*vp;
4995 	file_t *fp;
4996 
4997 	if ((fp = getf(did)) == NULL)
4998 		return (NULL);
4999 	/*
5000 	 * Use the underlying vnode (we may be namefs mounted)
5001 	 */
5002 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5003 		vp = fp->f_vnode;
5004 
5005 	if (vp == NULL || vp->v_type != VDOOR) {
5006 		releasef(did);
5007 		return (NULL);
5008 	}
5009 
5010 	return (VTOD(vp));
5011 }
5012 
5013 /*ARGSUSED*/
5014 static void
5015 aus_doorfs(struct t_audit_data *tad)
5016 {
5017 
5018 	struct a {		/* doorfs */
5019 		long	a1;
5020 		long	a2;
5021 		long	a3;
5022 		long	a4;
5023 		long	a5;
5024 		long	code;
5025 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5026 
5027 	door_node_t	*dp;
5028 	struct proc	*p;
5029 	uint32_t	did;
5030 	uid_t uid, ruid;
5031 	gid_t gid, rgid;
5032 	pid_t pid;
5033 	const auditinfo_addr_t *ainfo;
5034 	cred_t *cr;
5035 
5036 	did = (uint32_t)uap->a1;
5037 
5038 	switch (tad->tad_event) {
5039 	case AUE_DOORFS_DOOR_CALL:
5040 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5041 		if ((dp = au_door_lookup(did)) == NULL)
5042 			break;
5043 
5044 		if (DOOR_INVALID(dp)) {
5045 			releasef(did);
5046 			break;
5047 		}
5048 
5049 		if ((p = dp->door_target) == NULL) {
5050 			releasef(did);
5051 			break;
5052 		}
5053 		mutex_enter(&p->p_lock);
5054 		releasef(did);
5055 
5056 		pid  = p->p_pid;
5057 
5058 		mutex_enter(&p->p_crlock);
5059 		crhold(cr = p->p_cred);
5060 		mutex_exit(&p->p_crlock);
5061 		mutex_exit(&p->p_lock);
5062 
5063 		ainfo = crgetauinfo(cr);
5064 		if (ainfo == NULL) {
5065 			crfree(cr);
5066 			return;
5067 		}
5068 		uid  = crgetuid(cr);
5069 		gid  = crgetgid(cr);
5070 		ruid = crgetruid(cr);
5071 		rgid = crgetrgid(cr);
5072 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5073 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5074 		crfree(cr);
5075 		break;
5076 	case AUE_DOORFS_DOOR_RETURN:
5077 		/*
5078 		 * We may want to write information about
5079 		 * all doors (if any) which will be copied
5080 		 * by this call to the user space
5081 		 */
5082 		break;
5083 	case AUE_DOORFS_DOOR_CREATE:
5084 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5085 		break;
5086 	case AUE_DOORFS_DOOR_REVOKE:
5087 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5088 		break;
5089 	case AUE_DOORFS_DOOR_INFO:
5090 		break;
5091 	case AUE_DOORFS_DOOR_CRED:
5092 		break;
5093 	case AUE_DOORFS_DOOR_BIND:
5094 		break;
5095 	case AUE_DOORFS_DOOR_UNBIND: {
5096 		break;
5097 	}
5098 	default:	/* illegal system call */
5099 		break;
5100 	}
5101 }
5102 
5103 /*ARGSUSED*/
5104 static au_event_t
5105 aui_acl(au_event_t e)
5106 {
5107 	struct a {
5108 		union {
5109 			long	name;	/* char */
5110 			long	fd;
5111 		}		obj;
5112 
5113 		long		cmd;
5114 		long		nentries;
5115 		long		arg;	/* aclent_t */
5116 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5117 
5118 	switch (uap->cmd) {
5119 	case SETACL:
5120 	case ACE_SETACL:
5121 		/*
5122 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5123 		 * are expected.
5124 		 */
5125 		break;
5126 	case GETACL:
5127 	case GETACLCNT:
5128 	case ACE_GETACL:
5129 	case ACE_GETACLCNT:
5130 		/* do nothing for these four values. */
5131 		e = AUE_NULL;
5132 		break;
5133 	default:
5134 		/* illegal system call */
5135 		break;
5136 	}
5137 
5138 	return (e);
5139 }
5140 
5141 static void
5142 au_acl(int cmd, int nentries, caddr_t bufp)
5143 {
5144 	size_t		a_size;
5145 	aclent_t	*aclbufp;
5146 	ace_t		*acebufp;
5147 	int		i;
5148 
5149 	switch (cmd) {
5150 	case GETACL:
5151 	case GETACLCNT:
5152 		break;
5153 	case SETACL:
5154 		if (nentries < 3)
5155 			break;
5156 
5157 		a_size = nentries * sizeof (aclent_t);
5158 
5159 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5160 			break;
5161 		if (copyin(bufp, aclbufp, a_size)) {
5162 			kmem_free(aclbufp, a_size);
5163 			break;
5164 		}
5165 		for (i = 0; i < nentries; i++) {
5166 			au_uwrite(au_to_acl(aclbufp + i));
5167 		}
5168 		kmem_free(aclbufp, a_size);
5169 		break;
5170 
5171 	case ACE_SETACL:
5172 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5173 			break;
5174 
5175 		a_size = nentries * sizeof (ace_t);
5176 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5177 			break;
5178 		if (copyin(bufp, acebufp, a_size)) {
5179 			kmem_free(acebufp, a_size);
5180 			break;
5181 		}
5182 		for (i = 0; i < nentries; i++) {
5183 			au_uwrite(au_to_ace(acebufp + i));
5184 		}
5185 		kmem_free(acebufp, a_size);
5186 		break;
5187 	default:
5188 		break;
5189 	}
5190 }
5191 
5192 /*ARGSUSED*/
5193 static void
5194 aus_acl(struct t_audit_data *tad)
5195 {
5196 	struct a {
5197 		long	fname;
5198 		long	cmd;
5199 		long	nentries;
5200 		long	aclbufp;
5201 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5202 
5203 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5204 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5205 
5206 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5207 }
5208 
5209 /*ARGSUSED*/
5210 static void
5211 aus_facl(struct t_audit_data *tad)
5212 {
5213 	struct a {
5214 		long	fd;
5215 		long	cmd;
5216 		long	nentries;
5217 		long	aclbufp;
5218 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5219 	struct file  *fp;
5220 	struct vnode *vp;
5221 	struct f_audit_data *fad;
5222 	int fd;
5223 
5224 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5225 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5226 
5227 	fd = (int)uap->fd;
5228 
5229 	if ((fp = getf(fd)) == NULL)
5230 		return;
5231 
5232 	/* get path from file struct here */
5233 	fad = F2A(fp);
5234 	if (fad->fad_aupath != NULL) {
5235 		au_uwrite(au_to_path(fad->fad_aupath));
5236 	} else {
5237 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5238 	}
5239 
5240 	vp = fp->f_vnode;
5241 	audit_attributes(vp);
5242 
5243 	/* decrement file descriptor reference count */
5244 	releasef(fd);
5245 
5246 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5247 }
5248 
5249 /*ARGSUSED*/
5250 static void
5251 auf_read(tad, error, rval)
5252 	struct t_audit_data *tad;
5253 	int error;
5254 	rval_t *rval;
5255 {
5256 	struct file *fp;
5257 	struct f_audit_data *fad;
5258 	int fd;
5259 	register struct a {
5260 		long	fd;
5261 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5262 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5263 
5264 	fd = (int)uap->fd;
5265 
5266 	/*
5267 	 * convert file pointer to file descriptor
5268 	 *   Note: fd ref count incremented here.
5269 	 */
5270 	if ((fp = getf(fd)) == NULL)
5271 		return;
5272 
5273 	/* get path from file struct here */
5274 	fad = F2A(fp);
5275 	ASSERT(fad);
5276 
5277 	/*
5278 	 * already processed this file for read attempt
5279 	 *
5280 	 * XXX might be better to turn off auditing in a aui_read() routine.
5281 	 */
5282 	if (fad->fad_flags & FAD_READ) {
5283 		/* don't really want to audit every read attempt */
5284 		tad->tad_flag = 0;
5285 		/* free any residual audit data */
5286 		au_close(kctx, &(u_ad), 0, 0, 0);
5287 		releasef(fd);
5288 		return;
5289 	}
5290 	/* mark things so we know what happened and don't repeat things */
5291 	fad->fad_flags |= FAD_READ;
5292 
5293 	if (fad->fad_aupath != NULL) {
5294 		au_uwrite(au_to_path(fad->fad_aupath));
5295 	} else {
5296 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5297 	}
5298 
5299 	/* include attributes */
5300 	audit_attributes(fp->f_vnode);
5301 
5302 	/* decrement file descriptor reference count */
5303 	releasef(fd);
5304 }
5305 
5306 /*ARGSUSED*/
5307 static void
5308 auf_write(tad, error, rval)
5309 	struct t_audit_data *tad;
5310 	int error;
5311 	rval_t *rval;
5312 {
5313 	struct file *fp;
5314 	struct f_audit_data *fad;
5315 	int fd;
5316 	register struct a {
5317 		long	fd;
5318 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5319 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5320 
5321 	fd = (int)uap->fd;
5322 
5323 	/*
5324 	 * convert file pointer to file descriptor
5325 	 *   Note: fd ref count incremented here.
5326 	 */
5327 	if ((fp = getf(fd)) == NULL)
5328 		return;
5329 
5330 	/* get path from file struct here */
5331 	fad = F2A(fp);
5332 	ASSERT(fad);
5333 
5334 	/*
5335 	 * already processed this file for write attempt
5336 	 *
5337 	 * XXX might be better to turn off auditing in a aus_write() routine.
5338 	 */
5339 	if (fad->fad_flags & FAD_WRITE) {
5340 		/* don't really want to audit every write attempt */
5341 		tad->tad_flag = 0;
5342 		/* free any residual audit data */
5343 		au_close(kctx, &(u_ad), 0, 0, 0);
5344 		releasef(fd);
5345 		return;
5346 	}
5347 	/* mark things so we know what happened and don't repeat things */
5348 	fad->fad_flags |= FAD_WRITE;
5349 
5350 	if (fad->fad_aupath != NULL) {
5351 		au_uwrite(au_to_path(fad->fad_aupath));
5352 	} else {
5353 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5354 	}
5355 
5356 	/* include attributes */
5357 	audit_attributes(fp->f_vnode);
5358 
5359 	/* decrement file descriptor reference count */
5360 	releasef(fd);
5361 }
5362 
5363 /*ARGSUSED*/
5364 static void
5365 auf_recv(tad, error, rval)
5366 	struct t_audit_data *tad;
5367 	int error;
5368 	rval_t *rval;
5369 {
5370 	struct sonode *so;
5371 	char so_laddr[sizeof (struct sockaddr_in6)];
5372 	char so_faddr[sizeof (struct sockaddr_in6)];
5373 	struct file *fp;
5374 	struct f_audit_data *fad;
5375 	int fd;
5376 	int err;
5377 	socklen_t len;
5378 	short so_family, so_type;
5379 	register struct a {
5380 		long	fd;
5381 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5382 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5383 
5384 	/*
5385 	 * If there was an error, then nothing to do. Only generate
5386 	 * audit record on first successful recv.
5387 	 */
5388 	if (error) {
5389 		/* Turn off audit record generation here. */
5390 		tad->tad_flag = 0;
5391 		/* free any residual audit data */
5392 		au_close(kctx, &(u_ad), 0, 0, 0);
5393 		return;
5394 	}
5395 
5396 	fd = (int)uap->fd;
5397 
5398 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5399 		/* Turn off audit record generation here. */
5400 		tad->tad_flag = 0;
5401 		/* free any residual audit data */
5402 		au_close(kctx, &(u_ad), 0, 0, 0);
5403 		return;
5404 	}
5405 
5406 	/* get path from file struct here */
5407 	fad = F2A(fp);
5408 	ASSERT(fad);
5409 
5410 	/*
5411 	 * already processed this file for read attempt
5412 	 */
5413 	if (fad->fad_flags & FAD_READ) {
5414 		releasef(fd);
5415 		/* don't really want to audit every recv call */
5416 		tad->tad_flag = 0;
5417 		/* free any residual audit data */
5418 		au_close(kctx, &(u_ad), 0, 0, 0);
5419 		return;
5420 	}
5421 
5422 	/* mark things so we know what happened and don't repeat things */
5423 	fad->fad_flags |= FAD_READ;
5424 
5425 	so_family = so->so_family;
5426 	so_type   = so->so_type;
5427 
5428 	switch (so_family) {
5429 	case AF_INET:
5430 	case AF_INET6:
5431 		/*
5432 		 * Only for connections.
5433 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5434 		 */
5435 		if (so->so_state & SS_ISBOUND) {
5436 
5437 			bzero((void *)so_laddr, sizeof (so_laddr));
5438 			bzero((void *)so_faddr, sizeof (so_faddr));
5439 
5440 			/* get local and foreign addresses */
5441 			len = sizeof (so_laddr);
5442 			(void) socket_getsockname(so,
5443 			    (struct sockaddr *)so_laddr, &len, CRED());
5444 			len = sizeof (so_faddr);
5445 			(void) socket_getpeername(so,
5446 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5447 
5448 			/*
5449 			 * only way to drop out of switch. Note that we
5450 			 * we release fd below.
5451 			 */
5452 
5453 			break;
5454 		}
5455 
5456 		releasef(fd);
5457 
5458 		/* don't really want to audit every recv call */
5459 		tad->tad_flag = 0;
5460 		/* free any residual audit data */
5461 		au_close(kctx, &(u_ad), 0, 0, 0);
5462 
5463 		return;
5464 
5465 	case AF_UNIX:
5466 
5467 		if (fad->fad_aupath != NULL) {
5468 			au_uwrite(au_to_path(fad->fad_aupath));
5469 		} else {
5470 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5471 		}
5472 
5473 		audit_attributes(fp->f_vnode);
5474 
5475 		releasef(fd);
5476 
5477 		return;
5478 
5479 	default:
5480 		releasef(fd);
5481 
5482 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5483 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5484 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5485 
5486 		return;
5487 	}
5488 
5489 	releasef(fd);
5490 
5491 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5492 
5493 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5494 
5495 }
5496 
5497 /*ARGSUSED*/
5498 static void
5499 auf_send(tad, error, rval)
5500 	struct t_audit_data *tad;
5501 	int error;
5502 	rval_t *rval;
5503 {
5504 	struct sonode *so;
5505 	char so_laddr[sizeof (struct sockaddr_in6)];
5506 	char so_faddr[sizeof (struct sockaddr_in6)];
5507 	struct file *fp;
5508 	struct f_audit_data *fad;
5509 	int fd;
5510 	int err;
5511 	socklen_t len;
5512 	short so_family, so_type;
5513 	register struct a {
5514 		long	fd;
5515 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5516 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5517 
5518 	fd = (int)uap->fd;
5519 
5520 	/*
5521 	 * If there was an error, then nothing to do. Only generate
5522 	 * audit record on first successful send.
5523 	 */
5524 	if (error != 0) {
5525 		/* Turn off audit record generation here. */
5526 		tad->tad_flag = 0;
5527 		/* free any residual audit data */
5528 		au_close(kctx, &(u_ad), 0, 0, 0);
5529 		return;
5530 	}
5531 
5532 	fd = (int)uap->fd;
5533 
5534 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5535 		/* Turn off audit record generation here. */
5536 		tad->tad_flag = 0;
5537 		/* free any residual audit data */
5538 		au_close(kctx, &(u_ad), 0, 0, 0);
5539 		return;
5540 	}
5541 
5542 	/* get path from file struct here */
5543 	fad = F2A(fp);
5544 	ASSERT(fad);
5545 
5546 	/*
5547 	 * already processed this file for write attempt
5548 	 */
5549 	if (fad->fad_flags & FAD_WRITE) {
5550 		releasef(fd);
5551 		/* don't really want to audit every send call */
5552 		tad->tad_flag = 0;
5553 		/* free any residual audit data */
5554 		au_close(kctx, &(u_ad), 0, 0, 0);
5555 		return;
5556 	}
5557 
5558 	/* mark things so we know what happened and don't repeat things */
5559 	fad->fad_flags |= FAD_WRITE;
5560 
5561 	so_family = so->so_family;
5562 	so_type   = so->so_type;
5563 
5564 	switch (so_family) {
5565 	case AF_INET:
5566 	case AF_INET6:
5567 		/*
5568 		 * Only for connections.
5569 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5570 		 */
5571 		if (so->so_state & SS_ISBOUND) {
5572 
5573 			bzero((void *)so_laddr, sizeof (so_laddr));
5574 			bzero((void *)so_faddr, sizeof (so_faddr));
5575 
5576 			/* get local and foreign addresses */
5577 			len = sizeof (so_laddr);
5578 			(void) socket_getsockname(so,
5579 			    (struct sockaddr *)so_laddr, &len, CRED());
5580 			len = sizeof (so_faddr);
5581 			(void) socket_getpeername(so,
5582 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5583 
5584 			/*
5585 			 * only way to drop out of switch. Note that we
5586 			 * we release fd below.
5587 			 */
5588 
5589 			break;
5590 		}
5591 
5592 		releasef(fd);
5593 		/* don't really want to audit every send call */
5594 		tad->tad_flag = 0;
5595 		/* free any residual audit data */
5596 		au_close(kctx, &(u_ad), 0, 0, 0);
5597 
5598 		return;
5599 
5600 	case AF_UNIX:
5601 
5602 		if (fad->fad_aupath != NULL) {
5603 			au_uwrite(au_to_path(fad->fad_aupath));
5604 		} else {
5605 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5606 		}
5607 
5608 		audit_attributes(fp->f_vnode);
5609 
5610 		releasef(fd);
5611 
5612 		return;
5613 
5614 	default:
5615 		releasef(fd);
5616 
5617 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5618 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5619 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5620 
5621 		return;
5622 	}
5623 
5624 	releasef(fd);
5625 
5626 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5627 
5628 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5629 }
5630 
5631 static au_event_t
5632 aui_forksys(au_event_t e)
5633 {
5634 	struct a {
5635 		long	subcode;
5636 		long	flags;
5637 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5638 
5639 	switch ((uint_t)uap->subcode) {
5640 	case 0:
5641 		e = AUE_FORK1;
5642 		break;
5643 	case 1:
5644 		e = AUE_FORKALL;
5645 		break;
5646 	case 2:
5647 		e = AUE_VFORK;
5648 		break;
5649 	default:
5650 		e = AUE_NULL;
5651 		break;
5652 	}
5653 
5654 	return (e);
5655 }
5656 
5657 /*ARGSUSED*/
5658 static au_event_t
5659 aui_portfs(au_event_t e)
5660 {
5661 	struct a {		/* portfs */
5662 		long	a1;
5663 		long	a2;
5664 		long	a3;
5665 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5666 
5667 	/*
5668 	 * check opcode
5669 	 */
5670 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5671 	case PORT_ASSOCIATE:
5672 		/* check source */
5673 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5674 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5675 			e = AUE_PORTFS_ASSOCIATE;
5676 		} else {
5677 			e = AUE_NULL;
5678 		}
5679 		break;
5680 	case PORT_DISSOCIATE:
5681 		/* check source */
5682 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5683 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5684 			e = AUE_PORTFS_DISSOCIATE;
5685 		} else {
5686 			e = AUE_NULL;
5687 		}
5688 		break;
5689 	default:
5690 		e = AUE_NULL;
5691 	}
5692 	return (e);
5693 }
5694