1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 char _depends_on[] = "fs/sockfs"; 81 82 static au_event_t aui_open(au_event_t); 83 static au_event_t aui_fsat(au_event_t); 84 static au_event_t aui_msgsys(au_event_t); 85 static au_event_t aui_shmsys(au_event_t); 86 static au_event_t aui_semsys(au_event_t); 87 static au_event_t aui_utssys(au_event_t); 88 static au_event_t aui_fcntl(au_event_t); 89 static au_event_t aui_execv(au_event_t); 90 static au_event_t aui_execve(au_event_t); 91 static au_event_t aui_memcntl(au_event_t); 92 static au_event_t aui_sysinfo(au_event_t); 93 static au_event_t aui_portfs(au_event_t); 94 static au_event_t aui_auditsys(au_event_t); 95 static au_event_t aui_modctl(au_event_t); 96 static au_event_t aui_acl(au_event_t); 97 static au_event_t aui_doorfs(au_event_t); 98 static au_event_t aui_privsys(au_event_t); 99 static au_event_t aui_forksys(au_event_t); 100 static au_event_t aui_labelsys(au_event_t); 101 102 static void aus_open(struct t_audit_data *); 103 static void aus_acl(struct t_audit_data *); 104 static void aus_acct(struct t_audit_data *); 105 static void aus_chown(struct t_audit_data *); 106 static void aus_fchown(struct t_audit_data *); 107 static void aus_lchown(struct t_audit_data *); 108 static void aus_chmod(struct t_audit_data *); 109 static void aus_facl(struct t_audit_data *); 110 static void aus_fchmod(struct t_audit_data *); 111 static void aus_fcntl(struct t_audit_data *); 112 static void aus_fsat(struct t_audit_data *); 113 static void aus_mkdir(struct t_audit_data *); 114 static void aus_mknod(struct t_audit_data *); 115 static void aus_mount(struct t_audit_data *); 116 static void aus_umount(struct t_audit_data *); 117 static void aus_umount2(struct t_audit_data *); 118 static void aus_msgsys(struct t_audit_data *); 119 static void aus_semsys(struct t_audit_data *); 120 static void aus_close(struct t_audit_data *); 121 static void aus_fstatfs(struct t_audit_data *); 122 static void aus_setgid(struct t_audit_data *); 123 static void aus_setuid(struct t_audit_data *); 124 static void aus_shmsys(struct t_audit_data *); 125 static void aus_doorfs(struct t_audit_data *); 126 static void aus_ioctl(struct t_audit_data *); 127 static void aus_memcntl(struct t_audit_data *); 128 static void aus_mmap(struct t_audit_data *); 129 static void aus_munmap(struct t_audit_data *); 130 static void aus_priocntlsys(struct t_audit_data *); 131 static void aus_setegid(struct t_audit_data *); 132 static void aus_setgroups(struct t_audit_data *); 133 static void aus_seteuid(struct t_audit_data *); 134 static void aus_putmsg(struct t_audit_data *); 135 static void aus_putpmsg(struct t_audit_data *); 136 static void aus_getmsg(struct t_audit_data *); 137 static void aus_getpmsg(struct t_audit_data *); 138 static void aus_auditsys(struct t_audit_data *); 139 static void aus_sysinfo(struct t_audit_data *); 140 static void aus_modctl(struct t_audit_data *); 141 static void aus_kill(struct t_audit_data *); 142 static void aus_xmknod(struct t_audit_data *); 143 static void aus_setregid(struct t_audit_data *); 144 static void aus_setreuid(struct t_audit_data *); 145 static void aus_labelsys(struct t_audit_data *); 146 147 static void auf_mknod(struct t_audit_data *, int, rval_t *); 148 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 149 static void auf_semsys(struct t_audit_data *, int, rval_t *); 150 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 151 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 152 static void auf_read(struct t_audit_data *, int, rval_t *); 153 static void auf_write(struct t_audit_data *, int, rval_t *); 154 155 static void aus_sigqueue(struct t_audit_data *); 156 static void aus_p_online(struct t_audit_data *); 157 static void aus_processor_bind(struct t_audit_data *); 158 static void aus_inst_sync(struct t_audit_data *); 159 static void aus_brandsys(struct t_audit_data *); 160 161 static void auf_accept(struct t_audit_data *, int, rval_t *); 162 163 static void auf_bind(struct t_audit_data *, int, rval_t *); 164 static void auf_connect(struct t_audit_data *, int, rval_t *); 165 static void aus_shutdown(struct t_audit_data *); 166 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 167 static void aus_sockconfig(struct t_audit_data *); 168 static void auf_recv(struct t_audit_data *, int, rval_t *); 169 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 170 static void auf_send(struct t_audit_data *, int, rval_t *); 171 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 172 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 173 static void auf_sendto(struct t_audit_data *, int, rval_t *); 174 static void aus_socket(struct t_audit_data *); 175 /* 176 * This table contains mapping information for converting system call numbers 177 * to audit event IDs. In several cases it is necessary to map a single system 178 * call to several events. 179 */ 180 181 #define aui_null NULL /* NULL initialize function */ 182 #define aus_null NULL /* NULL start function */ 183 #define auf_null NULL /* NULL finish function */ 184 185 struct audit_s2e audit_s2e[] = 186 { 187 /* 188 * ---------- ---------- ---------- ---------- 189 * INITIAL AUDIT START SYSTEM 190 * PROCESSING EVENT PROCESSING CALL 191 * ---------- ---------- ---------- ----------- 192 * FINISH EVENT 193 * PROCESSING CONTROL 194 * ---------------------------------------------------------- 195 */ 196 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 197 auf_null, 0, 198 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 199 auf_null, S2E_NPT, 200 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 201 auf_null, 0, 202 aui_null, AUE_READ, aus_null, /* 3 read */ 203 auf_read, S2E_PUB, 204 aui_null, AUE_WRITE, aus_null, /* 4 write */ 205 auf_write, 0, 206 aui_open, AUE_OPEN, aus_open, /* 5 open */ 207 auf_null, S2E_SP, 208 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 209 auf_null, 0, 210 aui_null, AUE_NULL, aus_null, /* 7 wait */ 211 auf_null, 0, 212 aui_null, AUE_CREAT, aus_null, /* 8 create */ 213 auf_null, S2E_SP, 214 aui_null, AUE_LINK, aus_null, /* 9 link */ 215 auf_null, 0, 216 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 217 auf_null, 0, 218 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 219 auf_null, S2E_MLD, 220 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 221 auf_null, S2E_SP, 222 aui_null, AUE_NULL, aus_null, /* 13 time */ 223 auf_null, 0, 224 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 225 auf_mknod, 0, 226 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 227 auf_null, 0, 228 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 229 auf_null, 0, 230 aui_null, AUE_NULL, aus_null, /* 17 brk */ 231 auf_null, 0, 232 aui_null, AUE_STAT, aus_null, /* 18 stat */ 233 auf_null, S2E_PUB, 234 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 235 auf_null, 0, 236 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 237 auf_null, 0, 238 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 239 auf_null, S2E_MLD, 240 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 241 auf_null, 0, 242 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 243 auf_null, 0, 244 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 245 auf_null, 0, 246 aui_null, AUE_STIME, aus_null, /* 25 stime */ 247 auf_null, 0, 248 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 249 auf_null, 0, 250 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 29 pause */ 255 auf_null, 0, 256 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 259 auf_null, 0, 260 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 261 auf_null, 0, 262 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 263 auf_null, S2E_PUB, 264 aui_null, AUE_NICE, aus_null, /* 34 nice */ 265 auf_null, 0, 266 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 267 auf_null, S2E_PUB, 268 aui_null, AUE_NULL, aus_null, /* 36 sync */ 269 auf_null, 0, 270 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 271 auf_null, 0, 272 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 273 auf_null, S2E_PUB, 274 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 275 auf_null, 0, 276 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 277 auf_null, 0, 278 aui_null, AUE_NULL, aus_null, /* 41 dup */ 279 auf_null, 0, 280 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 281 auf_null, 0, 282 aui_null, AUE_NULL, aus_null, /* 43 times */ 283 auf_null, 0, 284 aui_null, AUE_NULL, aus_null, /* 44 profil */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 287 /* was proc lock */ 288 auf_null, 0, 289 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 290 auf_null, 0, 291 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 48 sig */ 294 auf_null, 0, 295 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 296 auf_msgsys, 0, 297 #if defined(__x86) 298 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 299 auf_null, 0, 300 #else 301 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 302 auf_null, 0, 303 #endif /* __x86 */ 304 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 305 auf_null, 0, 306 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 307 auf_shmsys, 0, 308 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 309 auf_semsys, 0, 310 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 311 auf_null, 0, 312 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 313 auf_null, 0, 314 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 315 auf_null, 0, 316 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 317 auf_null, 0, 318 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 319 auf_null, 0, 320 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 321 auf_null, S2E_MLD, 322 aui_null, AUE_NULL, aus_null, /* 60 umask */ 323 auf_null, 0, 324 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 325 auf_null, S2E_SP, 326 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 327 auf_null, 0, 328 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 337 /* file locking call */ 338 auf_null, 0, 339 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 340 /* local system calls */ 341 auf_null, 0, 342 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 343 auf_null, 0, 344 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 355 /* was sigret (SunOS) */ 356 auf_null, 0, 357 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 358 auf_null, 0, 359 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 360 auf_null, 0, 361 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 362 auf_null, 0, 363 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 364 auf_null, 0, 365 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 366 auf_null, 0, 367 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 368 auf_null, 0, 369 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 370 /* was libattach */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 373 /* was libdetach */ 374 auf_null, 0, 375 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 376 auf_null, 0, 377 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 378 auf_null, 0, 379 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 380 auf_null, 0, 381 aui_null, AUE_NULL, aus_null, /* 87 poll */ 382 auf_null, 0, 383 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 384 auf_null, S2E_PUB, 385 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 386 auf_null, 0, 387 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 388 auf_null, S2E_PUB, 389 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 390 auf_null, 0, 391 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 392 auf_null, 0, 393 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 394 auf_null, 0, 395 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 396 auf_null, 0, 397 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 398 auf_null, 0, 399 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 412 /* was evtrapret */ 413 auf_null, 0, 414 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 415 auf_null, S2E_PUB, 416 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 425 auf_null, 0, 426 #if defined(__x86) 427 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 428 auf_null, 0, 429 #else 430 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 431 auf_null, 0, 432 #endif /* __x86 */ 433 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 434 auf_null, 0, 435 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 436 auf_null, 0, 437 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 438 auf_null, 0, /* 112 priocntlsys */ 439 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 440 auf_null, S2E_PUB, 441 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 442 auf_null, 0, 443 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 444 auf_null, 0, 445 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 446 auf_null, 0, 447 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 448 auf_null, 0, 449 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 450 auf_null, 0, 451 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 452 auf_null, 0, 453 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 454 auf_null, 0, 455 aui_null, AUE_READ, aus_null, /* 121 readv */ 456 auf_read, S2E_PUB, 457 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 458 auf_write, 0, 459 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 460 auf_null, S2E_PUB, 461 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 462 auf_null, S2E_PUB, 463 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 464 auf_null, 0, 465 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 466 auf_xmknod, 0, 467 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 468 auf_null, 0, 469 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 470 auf_null, 0, 471 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 472 auf_null, 0, 473 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 474 auf_null, 0, 475 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 476 auf_null, 0, 477 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 478 auf_null, 0, 479 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 480 auf_null, 0, 481 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 482 auf_null, 0, 483 aui_null, AUE_NULL, aus_null, /* 135 uname */ 484 auf_null, 0, 485 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 486 auf_null, 0, 487 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 488 auf_null, 0, 489 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 490 auf_null, 0, 491 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 492 auf_null, 0, 493 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 494 auf_null, 0, 495 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 496 auf_null, 0, 497 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 498 auf_null, 0, 499 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 146 yield */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 516 auf_null, 0, 517 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 518 auf_null, 0, 519 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 520 auf_null, 0, 521 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 522 auf_null, 0, 523 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 524 auf_null, 0, 525 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 544 /* was lwp_setprivate */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 547 /* was lwp_getprivate */ 548 auf_null, 0, 549 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 560 auf_null, 0, 561 aui_null, AUE_READ, aus_null, /* 173 pread */ 562 auf_read, S2E_PUB, 563 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 564 auf_write, 0, 565 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 566 auf_null, 0, 567 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 568 /* aus_inst_sync */ 569 auf_null, 0, 570 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 571 auf_null, 0, 572 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 573 auf_null, 0, 574 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 579 auf_null, 0, 580 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 581 auf_null, 0, 582 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 583 auf_null, 0, 584 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 585 auf_null, 0, 586 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 587 auf_null, 0, 588 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 589 auf_null, 0, 590 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 591 auf_null, 0, /* 187 processor_bind */ 592 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 593 auf_null, 0, 594 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 595 auf_null, 0, 596 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 597 auf_null, 0, 598 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 599 auf_null, 0, 600 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 601 auf_null, 0, 602 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 603 auf_null, 0, 604 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 615 auf_null, 0, 616 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 617 auf_null, 0, 618 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 619 auf_null, 0, 620 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 621 auf_null, 0, 622 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 623 auf_null, 0, 624 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 625 auf_null, 0, 626 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 643 auf_null, 0, 644 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 645 auf_null, 0, 646 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 647 auf_null, S2E_PUB, 648 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 649 auf_null, S2E_PUB, 650 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 651 auf_null, 0, 652 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 653 auf_null, S2E_PUB, 654 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 655 auf_null, 0, 656 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 657 auf_null, 0, 658 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 659 auf_null, 0, 660 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 661 auf_read, S2E_PUB, 662 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 663 auf_write, 0, 664 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 665 auf_null, S2E_SP, 666 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 667 auf_null, S2E_SP, 668 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 669 auf_null, 0, 670 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 671 auf_null, 0, 672 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 677 auf_null, 0, 678 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 679 auf_null, 0, 680 aui_null, AUE_BIND, aus_null, /* 232 bind */ 681 auf_bind, 0, 682 aui_null, AUE_NULL, aus_null, /* 233 listen */ 683 auf_null, 0, 684 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 685 auf_accept, 0, 686 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 687 auf_connect, 0, 688 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 689 auf_null, 0, 690 aui_null, AUE_READ, aus_null, /* 237 recv */ 691 auf_recv, 0, 692 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 693 auf_recvfrom, 0, 694 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 695 auf_recvmsg, 0, 696 aui_null, AUE_WRITE, aus_null, /* 240 send */ 697 auf_send, 0, 698 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 699 auf_sendmsg, 0, 700 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 701 auf_sendto, 0, 702 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 703 auf_null, 0, 704 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 705 auf_null, 0, 706 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 707 auf_null, 0, 708 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 709 auf_setsockopt, 0, 710 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 711 auf_null, 0, 712 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 713 auf_null, 0, 714 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 715 auf_null, 0, 716 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 717 auf_null, 0, 718 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 725 auf_null, 0, 726 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 727 auf_null, 0 728 }; 729 730 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 731 732 733 /* acct start function */ 734 /*ARGSUSED*/ 735 static void 736 aus_acct(struct t_audit_data *tad) 737 { 738 klwp_t *clwp = ttolwp(curthread); 739 uintptr_t fname; 740 741 struct a { 742 long fname; /* char * */ 743 } *uap = (struct a *)clwp->lwp_ap; 744 745 fname = (uintptr_t)uap->fname; 746 747 if (fname == 0) 748 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 749 } 750 751 /* chown start function */ 752 /*ARGSUSED*/ 753 static void 754 aus_chown(struct t_audit_data *tad) 755 { 756 klwp_t *clwp = ttolwp(curthread); 757 uint32_t uid, gid; 758 759 struct a { 760 long fname; /* char * */ 761 long uid; 762 long gid; 763 } *uap = (struct a *)clwp->lwp_ap; 764 765 uid = (uint32_t)uap->uid; 766 gid = (uint32_t)uap->gid; 767 768 au_uwrite(au_to_arg32(2, "new file uid", uid)); 769 au_uwrite(au_to_arg32(3, "new file gid", gid)); 770 } 771 772 /* fchown start function */ 773 /*ARGSUSED*/ 774 static void 775 aus_fchown(struct t_audit_data *tad) 776 { 777 klwp_t *clwp = ttolwp(curthread); 778 uint32_t uid, gid, fd; 779 struct file *fp; 780 struct vnode *vp; 781 struct f_audit_data *fad; 782 783 struct a { 784 long fd; 785 long uid; 786 long gid; 787 } *uap = (struct a *)clwp->lwp_ap; 788 789 fd = (uint32_t)uap->fd; 790 uid = (uint32_t)uap->uid; 791 gid = (uint32_t)uap->gid; 792 793 au_uwrite(au_to_arg32(2, "new file uid", uid)); 794 au_uwrite(au_to_arg32(3, "new file gid", gid)); 795 796 /* 797 * convert file pointer to file descriptor 798 * Note: fd ref count incremented here. 799 */ 800 if ((fp = getf(fd)) == NULL) 801 return; 802 803 /* get path from file struct here */ 804 fad = F2A(fp); 805 if (fad->fad_aupath != NULL) { 806 au_uwrite(au_to_path(fad->fad_aupath)); 807 } else { 808 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 809 } 810 811 vp = fp->f_vnode; 812 audit_attributes(vp); 813 814 /* decrement file descriptor reference count */ 815 releasef(fd); 816 } 817 818 /*ARGSUSED*/ 819 static void 820 aus_lchown(struct t_audit_data *tad) 821 { 822 klwp_t *clwp = ttolwp(curthread); 823 uint32_t uid, gid; 824 825 826 struct a { 827 long fname; /* char * */ 828 long uid; 829 long gid; 830 } *uap = (struct a *)clwp->lwp_ap; 831 832 uid = (uint32_t)uap->uid; 833 gid = (uint32_t)uap->gid; 834 835 au_uwrite(au_to_arg32(2, "new file uid", uid)); 836 au_uwrite(au_to_arg32(3, "new file gid", gid)); 837 } 838 839 /* chmod start function */ 840 /*ARGSUSED*/ 841 static void 842 aus_chmod(struct t_audit_data *tad) 843 { 844 klwp_t *clwp = ttolwp(curthread); 845 uint32_t fmode; 846 847 struct a { 848 long fname; /* char * */ 849 long fmode; 850 } *uap = (struct a *)clwp->lwp_ap; 851 852 fmode = (uint32_t)uap->fmode; 853 854 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 855 } 856 857 /* chmod start function */ 858 /*ARGSUSED*/ 859 static void 860 aus_fchmod(struct t_audit_data *tad) 861 { 862 klwp_t *clwp = ttolwp(curthread); 863 uint32_t fmode, fd; 864 struct file *fp; 865 struct vnode *vp; 866 struct f_audit_data *fad; 867 868 struct a { 869 long fd; 870 long fmode; 871 } *uap = (struct a *)clwp->lwp_ap; 872 873 fd = (uint32_t)uap->fd; 874 fmode = (uint32_t)uap->fmode; 875 876 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 877 878 /* 879 * convert file pointer to file descriptor 880 * Note: fd ref count incremented here. 881 */ 882 if ((fp = getf(fd)) == NULL) 883 return; 884 885 /* get path from file struct here */ 886 fad = F2A(fp); 887 if (fad->fad_aupath != NULL) { 888 au_uwrite(au_to_path(fad->fad_aupath)); 889 } else { 890 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 891 } 892 893 vp = fp->f_vnode; 894 audit_attributes(vp); 895 896 /* decrement file descriptor reference count */ 897 releasef(fd); 898 } 899 900 901 /* convert open to appropriate event */ 902 static au_event_t 903 aui_open(au_event_t e) 904 { 905 klwp_t *clwp = ttolwp(curthread); 906 uint_t fm; 907 908 struct a { 909 long fnamep; /* char * */ 910 long fmode; 911 long cmode; 912 } *uap = (struct a *)clwp->lwp_ap; 913 914 fm = (uint_t)uap->fmode; 915 916 if (fm & O_WRONLY) 917 e = AUE_OPEN_W; 918 else if (fm & O_RDWR) 919 e = AUE_OPEN_RW; 920 else 921 e = AUE_OPEN_R; 922 923 if (fm & O_CREAT) 924 e += 1; 925 if (fm & O_TRUNC) 926 e += 2; 927 928 return (e); 929 } 930 931 /*ARGSUSED*/ 932 static void 933 aus_open(struct t_audit_data *tad) 934 { 935 klwp_t *clwp = ttolwp(curthread); 936 uint_t fm; 937 938 struct a { 939 long fnamep; /* char * */ 940 long fmode; 941 long cmode; 942 } *uap = (struct a *)clwp->lwp_ap; 943 944 fm = (uint_t)uap->fmode; 945 946 /* If no write, create, or trunc modes, mark as a public op */ 947 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 948 tad->tad_ctrl |= PAD_PUBLIC_EV; 949 } 950 951 /* convert openat(2) to appropriate event */ 952 static au_event_t 953 aui_fsat(au_event_t e) 954 { 955 t_audit_data_t *tad = U2A(u); 956 klwp_t *clwp = ttolwp(curthread); 957 uint_t fmcode, fm; 958 struct a { 959 long id; 960 long arg1; 961 long arg2; 962 long arg3; 963 long arg4; 964 long arg5; 965 } *uap = (struct a *)clwp->lwp_ap; 966 967 fmcode = (uint_t)uap->id; 968 969 switch (fmcode) { 970 971 case 0: /* openat */ 972 case 1: /* openat64 */ 973 fm = (uint_t)uap->arg3; 974 if (fm & O_WRONLY) 975 e = AUE_OPENAT_W; 976 else if (fm & O_RDWR) 977 e = AUE_OPENAT_RW; 978 else 979 e = AUE_OPENAT_R; 980 981 /* 982 * openat modes are defined in the following order: 983 * Read only 984 * Read|Create 985 * Read|Trunc 986 * Read|Create|Trunc 987 * Write Only 988 * Write|Create 989 * Write|Trunc 990 * Write|Create|Trunc * RW Only 991 * RW|Create 992 * RW|Trunc 993 * RW|Create|Trunc 994 */ 995 if (fm & O_CREAT) 996 e += 1; /* increment to include CREAT in mode */ 997 if (fm & O_TRUNC) 998 e += 2; /* increment to include TRUNC in mode */ 999 1000 /* convert to appropriate au_ctrl */ 1001 tad->tad_ctrl |= PAD_SAVPATH; 1002 if (fm & FXATTR) 1003 tad->tad_ctrl |= PAD_ATPATH; 1004 1005 1006 break; 1007 case 2: /* fstatat64 */ 1008 case 3: /* fstatat */ 1009 e = AUE_FSTATAT; 1010 break; 1011 case 4: /* fchownat */ 1012 e = AUE_FCHOWNAT; 1013 break; 1014 case 5: /* unlinkat */ 1015 e = AUE_UNLINKAT; 1016 break; 1017 case 6: /* futimesat */ 1018 e = AUE_FUTIMESAT; 1019 break; 1020 case 7: /* renameat */ 1021 e = AUE_RENAMEAT; 1022 break; 1023 case 9: /* __openattrdirat */ 1024 tad->tad_ctrl |= PAD_SAVPATH; 1025 /*FALLTHROUGH*/ 1026 default: 1027 e = AUE_NULL; 1028 break; 1029 } 1030 1031 return (e); 1032 } 1033 1034 /*ARGSUSED*/ 1035 static void 1036 aus_fsat(struct t_audit_data *tad) 1037 { 1038 klwp_t *clwp = ttolwp(curthread); 1039 uint_t fmcode, fm; 1040 struct a { 1041 long id; 1042 long arg1; 1043 long arg2; 1044 long arg3; 1045 long arg4; 1046 long arg5; 1047 } *uap = (struct a *)clwp->lwp_ap; 1048 1049 fmcode = (uint_t)uap->id; 1050 1051 switch (fmcode) { 1052 1053 case 0: /* openat */ 1054 case 1: /* openat64 */ 1055 fm = (uint_t)uap->arg3; 1056 /* If no write, create, or trunc modes, mark as a public op */ 1057 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1058 tad->tad_ctrl |= PAD_PUBLIC_EV; 1059 1060 break; 1061 case 2: /* fstatat64 */ 1062 case 3: /* fstatat */ 1063 tad->tad_ctrl |= PAD_PUBLIC_EV; 1064 break; 1065 default: 1066 break; 1067 } 1068 } 1069 1070 /* msgsys */ 1071 static au_event_t 1072 aui_msgsys(au_event_t e) 1073 { 1074 klwp_t *clwp = ttolwp(curthread); 1075 uint_t fm; 1076 1077 struct a { 1078 long id; /* function code id */ 1079 long ap; /* arg pointer for recvmsg */ 1080 } *uap = (struct a *)clwp->lwp_ap; 1081 1082 struct b { 1083 long msgid; 1084 long cmd; 1085 long buf; /* struct msqid_ds * */ 1086 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1087 1088 fm = (uint_t)uap->id; 1089 1090 switch (fm) { 1091 case 0: /* msgget */ 1092 e = AUE_MSGGET; 1093 break; 1094 case 1: /* msgctl */ 1095 switch ((uint_t)uap1->cmd) { 1096 case IPC_RMID: 1097 e = AUE_MSGCTL_RMID; 1098 break; 1099 case IPC_SET: 1100 e = AUE_MSGCTL_SET; 1101 break; 1102 case IPC_STAT: 1103 e = AUE_MSGCTL_STAT; 1104 break; 1105 default: 1106 e = AUE_MSGCTL; 1107 break; 1108 } 1109 break; 1110 case 2: /* msgrcv */ 1111 e = AUE_MSGRCV; 1112 break; 1113 case 3: /* msgsnd */ 1114 e = AUE_MSGSND; 1115 break; 1116 default: /* illegal system call */ 1117 e = AUE_NULL; 1118 break; 1119 } 1120 1121 return (e); 1122 } 1123 1124 1125 /* shmsys */ 1126 static au_event_t 1127 aui_shmsys(au_event_t e) 1128 { 1129 klwp_t *clwp = ttolwp(curthread); 1130 int fm; 1131 1132 struct a { /* shmsys */ 1133 long id; /* function code id */ 1134 } *uap = (struct a *)clwp->lwp_ap; 1135 1136 struct b { /* ctrl */ 1137 long shmid; 1138 long cmd; 1139 long arg; /* struct shmid_ds * */ 1140 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1141 fm = (uint_t)uap->id; 1142 1143 switch (fm) { 1144 case 0: /* shmat */ 1145 e = AUE_SHMAT; 1146 break; 1147 case 1: /* shmctl */ 1148 switch ((uint_t)uap1->cmd) { 1149 case IPC_RMID: 1150 e = AUE_SHMCTL_RMID; 1151 break; 1152 case IPC_SET: 1153 e = AUE_SHMCTL_SET; 1154 break; 1155 case IPC_STAT: 1156 e = AUE_SHMCTL_STAT; 1157 break; 1158 default: 1159 e = AUE_SHMCTL; 1160 break; 1161 } 1162 break; 1163 case 2: /* shmdt */ 1164 e = AUE_SHMDT; 1165 break; 1166 case 3: /* shmget */ 1167 e = AUE_SHMGET; 1168 break; 1169 default: /* illegal system call */ 1170 e = AUE_NULL; 1171 break; 1172 } 1173 1174 return (e); 1175 } 1176 1177 1178 /* semsys */ 1179 static au_event_t 1180 aui_semsys(au_event_t e) 1181 { 1182 klwp_t *clwp = ttolwp(curthread); 1183 uint_t fm; 1184 1185 struct a { /* semsys */ 1186 long id; 1187 } *uap = (struct a *)clwp->lwp_ap; 1188 1189 struct b { /* ctrl */ 1190 long semid; 1191 long semnum; 1192 long cmd; 1193 long arg; 1194 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1195 1196 fm = (uint_t)uap->id; 1197 1198 switch (fm) { 1199 case 0: /* semctl */ 1200 switch ((uint_t)uap1->cmd) { 1201 case IPC_RMID: 1202 e = AUE_SEMCTL_RMID; 1203 break; 1204 case IPC_SET: 1205 e = AUE_SEMCTL_SET; 1206 break; 1207 case IPC_STAT: 1208 e = AUE_SEMCTL_STAT; 1209 break; 1210 case GETNCNT: 1211 e = AUE_SEMCTL_GETNCNT; 1212 break; 1213 case GETPID: 1214 e = AUE_SEMCTL_GETPID; 1215 break; 1216 case GETVAL: 1217 e = AUE_SEMCTL_GETVAL; 1218 break; 1219 case GETALL: 1220 e = AUE_SEMCTL_GETALL; 1221 break; 1222 case GETZCNT: 1223 e = AUE_SEMCTL_GETZCNT; 1224 break; 1225 case SETVAL: 1226 e = AUE_SEMCTL_SETVAL; 1227 break; 1228 case SETALL: 1229 e = AUE_SEMCTL_SETALL; 1230 break; 1231 default: 1232 e = AUE_SEMCTL; 1233 break; 1234 } 1235 break; 1236 case 1: /* semget */ 1237 e = AUE_SEMGET; 1238 break; 1239 case 2: /* semop */ 1240 e = AUE_SEMOP; 1241 break; 1242 default: /* illegal system call */ 1243 e = AUE_NULL; 1244 break; 1245 } 1246 1247 return (e); 1248 } 1249 1250 /* utssys - uname(2), ustat(2), fusers(2) */ 1251 static au_event_t 1252 aui_utssys(au_event_t e) 1253 { 1254 klwp_t *clwp = ttolwp(curthread); 1255 uint_t type; 1256 1257 struct a { 1258 union { 1259 long cbuf; /* char * */ 1260 long ubuf; /* struct stat * */ 1261 } ub; 1262 union { 1263 long mv; /* for USTAT */ 1264 long flags; /* for FUSERS */ 1265 } un; 1266 long type; 1267 long outbp; /* char * for FUSERS */ 1268 } *uap = (struct a *)clwp->lwp_ap; 1269 1270 type = (uint_t)uap->type; 1271 1272 if (type == UTS_FUSERS) 1273 return (e); 1274 else 1275 return ((au_event_t)AUE_NULL); 1276 } 1277 1278 static au_event_t 1279 aui_fcntl(au_event_t e) 1280 { 1281 klwp_t *clwp = ttolwp(curthread); 1282 uint_t cmd; 1283 1284 struct a { 1285 long fdes; 1286 long cmd; 1287 long arg; 1288 } *uap = (struct a *)clwp->lwp_ap; 1289 1290 cmd = (uint_t)uap->cmd; 1291 1292 switch (cmd) { 1293 case F_GETLK: 1294 case F_SETLK: 1295 case F_SETLKW: 1296 break; 1297 case F_SETFL: 1298 case F_GETFL: 1299 case F_GETFD: 1300 break; 1301 default: 1302 e = (au_event_t)AUE_NULL; 1303 break; 1304 } 1305 return ((au_event_t)e); 1306 } 1307 1308 /* null function for now */ 1309 static au_event_t 1310 aui_execv(au_event_t e) 1311 { 1312 return (e); 1313 } 1314 1315 /* null function for now */ 1316 static au_event_t 1317 aui_execve(au_event_t e) 1318 { 1319 return (e); 1320 } 1321 1322 /*ARGSUSED*/ 1323 static void 1324 aus_fcntl(struct t_audit_data *tad) 1325 { 1326 klwp_t *clwp = ttolwp(curthread); 1327 uint32_t cmd, fd; 1328 struct file *fp; 1329 struct vnode *vp; 1330 struct f_audit_data *fad; 1331 1332 struct a { 1333 long fd; 1334 long cmd; 1335 long arg; 1336 } *uap = (struct a *)clwp->lwp_ap; 1337 1338 cmd = (uint32_t)uap->cmd; 1339 fd = (uint32_t)uap->fd; 1340 1341 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1342 1343 /* 1344 * convert file pointer to file descriptor 1345 * Note: fd ref count incremented here. 1346 */ 1347 if ((fp = getf(fd)) == NULL) 1348 return; 1349 1350 /* get path from file struct here */ 1351 fad = F2A(fp); 1352 if (fad->fad_aupath != NULL) { 1353 au_uwrite(au_to_path(fad->fad_aupath)); 1354 } else { 1355 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1356 } 1357 1358 vp = fp->f_vnode; 1359 audit_attributes(vp); 1360 1361 /* decrement file descriptor reference count */ 1362 releasef(fd); 1363 } 1364 1365 /*ARGSUSED*/ 1366 static void 1367 aus_kill(struct t_audit_data *tad) 1368 { 1369 klwp_t *clwp = ttolwp(curthread); 1370 struct proc *p; 1371 uint32_t signo; 1372 uid_t uid, ruid; 1373 gid_t gid, rgid; 1374 pid_t pid; 1375 const auditinfo_addr_t *ainfo; 1376 cred_t *cr; 1377 1378 struct a { 1379 long pid; 1380 long signo; 1381 } *uap = (struct a *)clwp->lwp_ap; 1382 1383 pid = (pid_t)uap->pid; 1384 signo = (uint32_t)uap->signo; 1385 1386 au_uwrite(au_to_arg32(2, "signal", signo)); 1387 if (pid > 0) { 1388 mutex_enter(&pidlock); 1389 if (((p = prfind(pid)) == (struct proc *)0) || 1390 (p->p_stat == SIDL)) { 1391 mutex_exit(&pidlock); 1392 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1393 return; 1394 } 1395 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1396 mutex_exit(&pidlock); 1397 1398 mutex_enter(&p->p_crlock); 1399 crhold(cr = p->p_cred); 1400 mutex_exit(&p->p_crlock); 1401 mutex_exit(&p->p_lock); 1402 1403 ainfo = crgetauinfo(cr); 1404 if (ainfo == NULL) { 1405 crfree(cr); 1406 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1407 return; 1408 } 1409 1410 uid = crgetuid(cr); 1411 gid = crgetgid(cr); 1412 ruid = crgetruid(cr); 1413 rgid = crgetrgid(cr); 1414 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1415 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1416 1417 if (is_system_labeled()) 1418 au_uwrite(au_to_label(CR_SL(cr))); 1419 1420 crfree(cr); 1421 } 1422 else 1423 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1424 } 1425 1426 /*ARGSUSED*/ 1427 static void 1428 aus_mkdir(struct t_audit_data *tad) 1429 { 1430 klwp_t *clwp = ttolwp(curthread); 1431 uint32_t dmode; 1432 1433 struct a { 1434 long dirnamep; /* char * */ 1435 long dmode; 1436 } *uap = (struct a *)clwp->lwp_ap; 1437 1438 dmode = (uint32_t)uap->dmode; 1439 1440 au_uwrite(au_to_arg32(2, "mode", dmode)); 1441 } 1442 1443 /*ARGSUSED*/ 1444 static void 1445 aus_mknod(struct t_audit_data *tad) 1446 { 1447 klwp_t *clwp = ttolwp(curthread); 1448 uint32_t fmode; 1449 dev_t dev; 1450 1451 struct a { 1452 long pnamep; /* char * */ 1453 long fmode; 1454 long dev; 1455 } *uap = (struct a *)clwp->lwp_ap; 1456 1457 fmode = (uint32_t)uap->fmode; 1458 dev = (dev_t)uap->dev; 1459 1460 au_uwrite(au_to_arg32(2, "mode", fmode)); 1461 #ifdef _LP64 1462 au_uwrite(au_to_arg64(3, "dev", dev)); 1463 #else 1464 au_uwrite(au_to_arg32(3, "dev", dev)); 1465 #endif 1466 } 1467 1468 /*ARGSUSED*/ 1469 static void 1470 aus_xmknod(struct t_audit_data *tad) 1471 { 1472 klwp_t *clwp = ttolwp(curthread); 1473 uint32_t fmode; 1474 dev_t dev; 1475 1476 struct a { 1477 long version; /* version */ 1478 long pnamep; /* char * */ 1479 long fmode; 1480 long dev; 1481 } *uap = (struct a *)clwp->lwp_ap; 1482 1483 fmode = (uint32_t)uap->fmode; 1484 dev = (dev_t)uap->dev; 1485 1486 au_uwrite(au_to_arg32(2, "mode", fmode)); 1487 #ifdef _LP64 1488 au_uwrite(au_to_arg64(3, "dev", dev)); 1489 #else 1490 au_uwrite(au_to_arg32(3, "dev", dev)); 1491 #endif 1492 } 1493 1494 /*ARGSUSED*/ 1495 static void 1496 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1497 { 1498 klwp_t *clwp = ttolwp(curthread); 1499 vnode_t *dvp; 1500 caddr_t pnamep; 1501 1502 struct a { 1503 long pnamep; /* char * */ 1504 long fmode; 1505 long dev; 1506 } *uap = (struct a *)clwp->lwp_ap; 1507 1508 /* no error, then already path token in audit record */ 1509 if (error != EPERM) 1510 return; 1511 1512 /* not auditing this event, nothing then to do */ 1513 if (tad->tad_flag == 0) 1514 return; 1515 1516 /* do the lookup to force generation of path token */ 1517 pnamep = (caddr_t)uap->pnamep; 1518 tad->tad_ctrl |= PAD_NOATTRB; 1519 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1520 if (error == 0) 1521 VN_RELE(dvp); 1522 } 1523 1524 /*ARGSUSED*/ 1525 static void 1526 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1527 { 1528 klwp_t *clwp = ttolwp(curthread); 1529 vnode_t *dvp; 1530 caddr_t pnamep; 1531 1532 struct a { 1533 long version; /* version */ 1534 long pnamep; /* char * */ 1535 long fmode; 1536 long dev; 1537 } *uap = (struct a *)clwp->lwp_arg; 1538 1539 1540 /* no error, then already path token in audit record */ 1541 if (error != EPERM) 1542 return; 1543 1544 /* not auditing this event, nothing then to do */ 1545 if (tad->tad_flag == 0) 1546 return; 1547 1548 /* do the lookup to force generation of path token */ 1549 pnamep = (caddr_t)uap->pnamep; 1550 tad->tad_ctrl |= PAD_NOATTRB; 1551 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1552 if (error == 0) 1553 VN_RELE(dvp); 1554 } 1555 1556 /*ARGSUSED*/ 1557 static void 1558 aus_mount(struct t_audit_data *tad) 1559 { /* AUS_START */ 1560 klwp_t *clwp = ttolwp(curthread); 1561 uint32_t flags; 1562 uintptr_t u_fstype, dataptr; 1563 STRUCT_DECL(nfs_args, nfsargs); 1564 size_t len; 1565 char *fstype, *hostname; 1566 1567 struct a { 1568 long spec; /* char * */ 1569 long dir; /* char * */ 1570 long flags; 1571 long fstype; /* char * */ 1572 long dataptr; /* char * */ 1573 long datalen; 1574 } *uap = (struct a *)clwp->lwp_ap; 1575 1576 u_fstype = (uintptr_t)uap->fstype; 1577 flags = (uint32_t)uap->flags; 1578 dataptr = (uintptr_t)uap->dataptr; 1579 1580 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1581 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1582 goto mount_free_fstype; 1583 1584 au_uwrite(au_to_arg32(3, "flags", flags)); 1585 au_uwrite(au_to_text(fstype)); 1586 1587 if (strncmp(fstype, "nfs", 3) == 0) { 1588 1589 STRUCT_INIT(nfsargs, get_udatamodel()); 1590 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1591 1592 if (copyin((caddr_t)dataptr, 1593 STRUCT_BUF(nfsargs), 1594 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1595 /* DEBUG debug_enter((char *)NULL); */ 1596 goto mount_free_fstype; 1597 } 1598 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1599 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1600 (caddr_t)hostname, 1601 MAXNAMELEN, &len)) { 1602 goto mount_free_hostname; 1603 } 1604 au_uwrite(au_to_text(hostname)); 1605 au_uwrite(au_to_arg32(3, "internal flags", 1606 (uint_t)STRUCT_FGET(nfsargs, flags))); 1607 1608 mount_free_hostname: 1609 kmem_free(hostname, MAXNAMELEN); 1610 } 1611 1612 mount_free_fstype: 1613 kmem_free(fstype, MAXNAMELEN); 1614 } /* AUS_MOUNT */ 1615 1616 static void 1617 aus_umount_path(caddr_t umount_dir) 1618 { 1619 char *dir_path; 1620 struct audit_path *path; 1621 size_t path_len, dir_len; 1622 1623 /* length alloc'd for two string pointers */ 1624 path_len = sizeof (struct audit_path) + sizeof (char *); 1625 path = kmem_alloc(path_len, KM_SLEEP); 1626 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1627 1628 if (copyinstr(umount_dir, (caddr_t)dir_path, 1629 MAXPATHLEN, &dir_len)) 1630 goto umount2_free_dir; 1631 1632 /* 1633 * the audit_path struct assumes that the buffer pointed to 1634 * by audp_sect[n] contains string 0 immediatedly followed 1635 * by string 1. 1636 */ 1637 path->audp_sect[0] = dir_path; 1638 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1639 path->audp_size = path_len; 1640 path->audp_ref = 1; /* not used */ 1641 path->audp_cnt = 1; /* one path string */ 1642 1643 au_uwrite(au_to_path(path)); 1644 1645 umount2_free_dir: 1646 kmem_free(dir_path, MAXPATHLEN); 1647 kmem_free(path, path_len); 1648 } 1649 1650 /* 1651 * the umount syscall is implemented as a call to umount2, but the args 1652 * are different... 1653 */ 1654 1655 /*ARGSUSED*/ 1656 static void 1657 aus_umount(struct t_audit_data *tad) 1658 { 1659 klwp_t *clwp = ttolwp(curthread); 1660 struct a { 1661 long dir; /* char * */ 1662 } *uap = (struct a *)clwp->lwp_ap; 1663 1664 aus_umount_path((caddr_t)uap->dir); 1665 } 1666 1667 /*ARGSUSED*/ 1668 static void 1669 aus_umount2(struct t_audit_data *tad) 1670 { 1671 klwp_t *clwp = ttolwp(curthread); 1672 struct a { 1673 long dir; /* char * */ 1674 long flags; 1675 } *uap = (struct a *)clwp->lwp_ap; 1676 1677 aus_umount_path((caddr_t)uap->dir); 1678 1679 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1680 } 1681 1682 static void 1683 aus_msgsys(struct t_audit_data *tad) 1684 { 1685 klwp_t *clwp = ttolwp(curthread); 1686 uint32_t msgid; 1687 1688 struct b { 1689 long msgid; 1690 long cmd; 1691 long buf; /* struct msqid_ds * */ 1692 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1693 1694 msgid = (uint32_t)uap1->msgid; 1695 1696 1697 switch (tad->tad_event) { 1698 case AUE_MSGGET: /* msgget */ 1699 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1700 break; 1701 case AUE_MSGCTL: /* msgctl */ 1702 case AUE_MSGCTL_RMID: /* msgctl */ 1703 case AUE_MSGCTL_STAT: /* msgctl */ 1704 case AUE_MSGRCV: /* msgrcv */ 1705 case AUE_MSGSND: /* msgsnd */ 1706 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1707 break; 1708 case AUE_MSGCTL_SET: /* msgctl */ 1709 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1710 break; 1711 } 1712 } 1713 1714 /*ARGSUSED*/ 1715 static void 1716 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1717 { 1718 int id; 1719 1720 if (error != 0) 1721 return; 1722 if (tad->tad_event == AUE_MSGGET) { 1723 uint32_t scid; 1724 uint32_t sy_flags; 1725 1726 /* need to determine type of executing binary */ 1727 scid = tad->tad_scid; 1728 #ifdef _SYSCALL32_IMPL 1729 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1730 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1731 else 1732 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1733 #else 1734 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1735 #endif 1736 if (sy_flags == SE_32RVAL1) 1737 id = rval->r_val1; 1738 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1739 id = rval->r_val1; 1740 if (sy_flags == SE_64RVAL) 1741 id = (int)rval->r_vals; 1742 1743 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1744 } 1745 } 1746 1747 static void 1748 aus_semsys(struct t_audit_data *tad) 1749 { 1750 klwp_t *clwp = ttolwp(curthread); 1751 uint32_t semid; 1752 1753 struct b { /* ctrl */ 1754 long semid; 1755 long semnum; 1756 long cmd; 1757 long arg; 1758 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1759 1760 semid = (uint32_t)uap1->semid; 1761 1762 switch (tad->tad_event) { 1763 case AUE_SEMCTL_RMID: 1764 case AUE_SEMCTL_STAT: 1765 case AUE_SEMCTL_GETNCNT: 1766 case AUE_SEMCTL_GETPID: 1767 case AUE_SEMCTL_GETVAL: 1768 case AUE_SEMCTL_GETALL: 1769 case AUE_SEMCTL_GETZCNT: 1770 case AUE_SEMCTL_SETVAL: 1771 case AUE_SEMCTL_SETALL: 1772 case AUE_SEMCTL: 1773 case AUE_SEMOP: 1774 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1775 break; 1776 case AUE_SEMCTL_SET: 1777 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1778 break; 1779 case AUE_SEMGET: 1780 au_uwrite(au_to_arg32(1, "sem key", semid)); 1781 break; 1782 } 1783 } 1784 1785 /*ARGSUSED*/ 1786 static void 1787 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1788 { 1789 int id; 1790 1791 if (error != 0) 1792 return; 1793 if (tad->tad_event == AUE_SEMGET) { 1794 uint32_t scid; 1795 uint32_t sy_flags; 1796 1797 /* need to determine type of executing binary */ 1798 scid = tad->tad_scid; 1799 #ifdef _SYSCALL32_IMPL 1800 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1801 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1802 else 1803 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1804 #else 1805 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1806 #endif 1807 if (sy_flags == SE_32RVAL1) 1808 id = rval->r_val1; 1809 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1810 id = rval->r_val1; 1811 if (sy_flags == SE_64RVAL) 1812 id = (int)rval->r_vals; 1813 1814 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1815 } 1816 } 1817 1818 /*ARGSUSED*/ 1819 static void 1820 aus_close(struct t_audit_data *tad) 1821 { 1822 klwp_t *clwp = ttolwp(curthread); 1823 uint32_t fd; 1824 struct file *fp; 1825 struct f_audit_data *fad; 1826 struct vnode *vp; 1827 struct vattr attr; 1828 au_kcontext_t *kctx = GET_KCTX_PZ; 1829 1830 struct a { 1831 long i; 1832 } *uap = (struct a *)clwp->lwp_ap; 1833 1834 fd = (uint32_t)uap->i; 1835 1836 attr.va_mask = 0; 1837 au_uwrite(au_to_arg32(1, "fd", fd)); 1838 1839 /* 1840 * convert file pointer to file descriptor 1841 * Note: fd ref count incremented here. 1842 */ 1843 if ((fp = getf(fd)) == NULL) 1844 return; 1845 1846 fad = F2A(fp); 1847 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1848 if (fad->fad_aupath != NULL) { 1849 au_uwrite(au_to_path(fad->fad_aupath)); 1850 if ((vp = fp->f_vnode) != NULL) { 1851 attr.va_mask = AT_ALL; 1852 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1853 /* 1854 * When write was not used and the file can be 1855 * considered public, skip the audit. 1856 */ 1857 if (((fp->f_flag & FWRITE) == 0) && 1858 file_is_public(&attr)) { 1859 tad->tad_flag = 0; 1860 tad->tad_evmod = 0; 1861 /* free any residual audit data */ 1862 au_close(kctx, &(u_ad), 0, 0, 0); 1863 releasef(fd); 1864 return; 1865 } 1866 au_uwrite(au_to_attr(&attr)); 1867 audit_sec_attributes(&(u_ad), vp); 1868 } 1869 } 1870 } 1871 1872 /* decrement file descriptor reference count */ 1873 releasef(fd); 1874 } 1875 1876 /*ARGSUSED*/ 1877 static void 1878 aus_fstatfs(struct t_audit_data *tad) 1879 { 1880 klwp_t *clwp = ttolwp(curthread); 1881 uint32_t fd; 1882 struct file *fp; 1883 struct vnode *vp; 1884 struct f_audit_data *fad; 1885 1886 struct a { 1887 long fd; 1888 long buf; /* struct statfs * */ 1889 } *uap = (struct a *)clwp->lwp_ap; 1890 1891 fd = (uint_t)uap->fd; 1892 1893 /* 1894 * convert file pointer to file descriptor 1895 * Note: fd ref count incremented here. 1896 */ 1897 if ((fp = getf(fd)) == NULL) 1898 return; 1899 1900 /* get path from file struct here */ 1901 fad = F2A(fp); 1902 if (fad->fad_aupath != NULL) { 1903 au_uwrite(au_to_path(fad->fad_aupath)); 1904 } else { 1905 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1906 } 1907 1908 vp = fp->f_vnode; 1909 audit_attributes(vp); 1910 1911 /* decrement file descriptor reference count */ 1912 releasef(fd); 1913 } 1914 1915 #ifdef NOTYET 1916 /*ARGSUSED*/ 1917 static void 1918 aus_setpgrp(struct t_audit_data *tad) 1919 { 1920 klwp_t *clwp = ttolwp(curthread); 1921 uint32_t pgrp; 1922 struct proc *p; 1923 uid_t uid, ruid; 1924 gid_t gid, rgid; 1925 pid_t pid; 1926 const auditinfo_addr_t *ainfo; 1927 cred_t *cr; 1928 1929 struct a { 1930 long pid; 1931 long pgrp; 1932 } *uap = (struct a *)clwp->lwp_ap; 1933 1934 pid = (pid_t)uap->pid; 1935 pgrp = (uint32_t)uap->pgrp; 1936 1937 /* current process? */ 1938 if (pid == 0) 1939 (return); 1940 1941 mutex_enter(&pidlock); 1942 p = prfind(pid); 1943 if (p == NULL || p->p_as == &kas) { 1944 mutex_exit(&pidlock); 1945 return; 1946 } 1947 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1948 mutex_exit(&pidlock); 1949 1950 mutex_enter(&p->p_crlock); 1951 crhold(cr = p->p_cred); 1952 mutex_exit(&p->p_crlock); 1953 mutex_exit(&p->p_lock); 1954 1955 ainfo = crgetauinfo(cr); 1956 if (ainfo == NULL) { 1957 crfree(cr); 1958 return; 1959 } 1960 1961 uid = crgetuid(cr); 1962 gid = crgetgid(cr); 1963 ruid = crgetruid(cr); 1964 rgid = crgetrgid(cr); 1965 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1966 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1967 crfree(cr); 1968 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1969 } 1970 #endif 1971 1972 /*ARGSUSED*/ 1973 static void 1974 aus_setregid(struct t_audit_data *tad) 1975 { 1976 klwp_t *clwp = ttolwp(curthread); 1977 uint32_t rgid, egid; 1978 1979 struct a { 1980 long rgid; 1981 long egid; 1982 } *uap = (struct a *)clwp->lwp_ap; 1983 1984 rgid = (uint32_t)uap->rgid; 1985 egid = (uint32_t)uap->egid; 1986 1987 au_uwrite(au_to_arg32(1, "rgid", rgid)); 1988 au_uwrite(au_to_arg32(2, "egid", egid)); 1989 } 1990 1991 /*ARGSUSED*/ 1992 static void 1993 aus_setgid(struct t_audit_data *tad) 1994 { 1995 klwp_t *clwp = ttolwp(curthread); 1996 uint32_t gid; 1997 1998 struct a { 1999 long gid; 2000 } *uap = (struct a *)clwp->lwp_ap; 2001 2002 gid = (uint32_t)uap->gid; 2003 2004 au_uwrite(au_to_arg32(1, "gid", gid)); 2005 } 2006 2007 2008 /*ARGSUSED*/ 2009 static void 2010 aus_setreuid(struct t_audit_data *tad) 2011 { 2012 klwp_t *clwp = ttolwp(curthread); 2013 uint32_t ruid, euid; 2014 2015 struct a { 2016 long ruid; 2017 long euid; 2018 } *uap = (struct a *)clwp->lwp_ap; 2019 2020 ruid = (uint32_t)uap->ruid; 2021 euid = (uint32_t)uap->euid; 2022 2023 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2024 au_uwrite(au_to_arg32(2, "euid", euid)); 2025 } 2026 2027 2028 /*ARGSUSED*/ 2029 static void 2030 aus_setuid(struct t_audit_data *tad) 2031 { 2032 klwp_t *clwp = ttolwp(curthread); 2033 uint32_t uid; 2034 2035 struct a { 2036 long uid; 2037 } *uap = (struct a *)clwp->lwp_ap; 2038 2039 uid = (uint32_t)uap->uid; 2040 2041 au_uwrite(au_to_arg32(1, "uid", uid)); 2042 } 2043 2044 /*ARGSUSED*/ 2045 static void 2046 aus_shmsys(struct t_audit_data *tad) 2047 { 2048 klwp_t *clwp = ttolwp(curthread); 2049 uint32_t id, cmd; 2050 2051 struct b { 2052 long id; 2053 long cmd; 2054 long buf; /* struct shmid_ds * */ 2055 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2056 2057 id = (uint32_t)uap1->id; 2058 cmd = (uint32_t)uap1->cmd; 2059 2060 switch (tad->tad_event) { 2061 case AUE_SHMGET: /* shmget */ 2062 au_uwrite(au_to_arg32(1, "shm key", id)); 2063 break; 2064 case AUE_SHMCTL: /* shmctl */ 2065 case AUE_SHMCTL_RMID: /* shmctl */ 2066 case AUE_SHMCTL_STAT: /* shmctl */ 2067 case AUE_SHMCTL_SET: /* shmctl */ 2068 au_uwrite(au_to_arg32(1, "shm ID", id)); 2069 break; 2070 case AUE_SHMDT: /* shmdt */ 2071 au_uwrite(au_to_arg32(1, "shm adr", id)); 2072 break; 2073 case AUE_SHMAT: /* shmat */ 2074 au_uwrite(au_to_arg32(1, "shm ID", id)); 2075 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2076 break; 2077 } 2078 } 2079 2080 /*ARGSUSED*/ 2081 static void 2082 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2083 { 2084 int id; 2085 2086 if (error != 0) 2087 return; 2088 if (tad->tad_event == AUE_SHMGET) { 2089 uint32_t scid; 2090 uint32_t sy_flags; 2091 2092 /* need to determine type of executing binary */ 2093 scid = tad->tad_scid; 2094 #ifdef _SYSCALL32_IMPL 2095 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2096 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2097 else 2098 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2099 #else 2100 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2101 #endif 2102 if (sy_flags == SE_32RVAL1) 2103 id = rval->r_val1; 2104 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2105 id = rval->r_val1; 2106 if (sy_flags == SE_64RVAL) 2107 id = (int)rval->r_vals; 2108 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2109 } 2110 } 2111 2112 2113 /*ARGSUSED*/ 2114 static void 2115 aus_ioctl(struct t_audit_data *tad) 2116 { 2117 klwp_t *clwp = ttolwp(curthread); 2118 struct file *fp; 2119 struct vnode *vp; 2120 struct f_audit_data *fad; 2121 uint32_t fd, cmd; 2122 uintptr_t cmarg; 2123 2124 /* XX64 */ 2125 struct a { 2126 long fd; 2127 long cmd; 2128 long cmarg; /* caddr_t */ 2129 } *uap = (struct a *)clwp->lwp_ap; 2130 2131 fd = (uint32_t)uap->fd; 2132 cmd = (uint32_t)uap->cmd; 2133 cmarg = (uintptr_t)uap->cmarg; 2134 2135 /* 2136 * convert file pointer to file descriptor 2137 * Note: fd ref count incremented here. 2138 */ 2139 if ((fp = getf(fd)) == NULL) { 2140 au_uwrite(au_to_arg32(1, "fd", fd)); 2141 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2142 #ifndef _LP64 2143 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2144 #else 2145 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2146 #endif 2147 return; 2148 } 2149 2150 /* get path from file struct here */ 2151 fad = F2A(fp); 2152 if (fad->fad_aupath != NULL) { 2153 au_uwrite(au_to_path(fad->fad_aupath)); 2154 } else { 2155 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2156 } 2157 2158 vp = fp->f_vnode; 2159 audit_attributes(vp); 2160 2161 /* decrement file descriptor reference count */ 2162 releasef(fd); 2163 2164 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2165 #ifndef _LP64 2166 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2167 #else 2168 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2169 #endif 2170 } 2171 2172 /* 2173 * null function for memcntl for now. We might want to limit memcntl() 2174 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2175 * require privileges. 2176 */ 2177 static au_event_t 2178 aui_memcntl(au_event_t e) 2179 { 2180 return (e); 2181 } 2182 2183 /*ARGSUSED*/ 2184 static au_event_t 2185 aui_privsys(au_event_t e) 2186 { 2187 klwp_t *clwp = ttolwp(curthread); 2188 2189 struct a { 2190 long opcode; 2191 } *uap = (struct a *)clwp->lwp_ap; 2192 2193 switch (uap->opcode) { 2194 case PRIVSYS_SETPPRIV: 2195 return (AUE_SETPPRIV); 2196 default: 2197 return (AUE_NULL); 2198 } 2199 } 2200 2201 /*ARGSUSED*/ 2202 static void 2203 aus_memcntl(struct t_audit_data *tad) 2204 { 2205 klwp_t *clwp = ttolwp(curthread); 2206 2207 struct a { 2208 long addr; 2209 long len; 2210 long cmd; 2211 long arg; 2212 long attr; 2213 long mask; 2214 } *uap = (struct a *)clwp->lwp_ap; 2215 2216 #ifdef _LP64 2217 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2218 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2219 #else 2220 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2221 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2222 #endif 2223 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2224 #ifdef _LP64 2225 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2226 #else 2227 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2228 #endif 2229 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2230 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2231 } 2232 2233 /*ARGSUSED*/ 2234 static void 2235 aus_mmap(struct t_audit_data *tad) 2236 { 2237 klwp_t *clwp = ttolwp(curthread); 2238 struct file *fp; 2239 struct f_audit_data *fad; 2240 struct vnode *vp; 2241 uint32_t fd; 2242 2243 struct a { 2244 long addr; 2245 long len; 2246 long prot; 2247 long flags; 2248 long fd; 2249 long pos; 2250 } *uap = (struct a *)clwp->lwp_ap; 2251 2252 fd = (uint32_t)uap->fd; 2253 2254 #ifdef _LP64 2255 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2256 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2257 #else 2258 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2259 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2260 #endif 2261 2262 if ((fp = getf(fd)) == NULL) { 2263 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2264 return; 2265 } 2266 2267 /* 2268 * Mark in the tad if write access is NOT requested... if 2269 * this is later detected (in audit_attributes) to be a 2270 * public object, the mmap event may be discarded. 2271 */ 2272 if (((uap->prot) & PROT_WRITE) == 0) { 2273 tad->tad_ctrl |= PAD_PUBLIC_EV; 2274 } 2275 2276 fad = F2A(fp); 2277 if (fad->fad_aupath != NULL) { 2278 au_uwrite(au_to_path(fad->fad_aupath)); 2279 } else { 2280 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2281 } 2282 2283 vp = (struct vnode *)fp->f_vnode; 2284 audit_attributes(vp); 2285 2286 /* mark READ/WRITE since we can't predict access */ 2287 if (uap->prot & PROT_READ) 2288 fad->fad_flags |= FAD_READ; 2289 if (uap->prot & PROT_WRITE) 2290 fad->fad_flags |= FAD_WRITE; 2291 2292 /* decrement file descriptor reference count */ 2293 releasef(fd); 2294 2295 } /* AUS_MMAP */ 2296 2297 2298 2299 2300 /*ARGSUSED*/ 2301 static void 2302 aus_munmap(struct t_audit_data *tad) 2303 { 2304 klwp_t *clwp = ttolwp(curthread); 2305 2306 struct a { 2307 long addr; 2308 long len; 2309 } *uap = (struct a *)clwp->lwp_ap; 2310 2311 #ifdef _LP64 2312 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2313 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2314 #else 2315 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2316 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2317 #endif 2318 2319 } /* AUS_MUNMAP */ 2320 2321 2322 2323 2324 2325 2326 2327 /*ARGSUSED*/ 2328 static void 2329 aus_priocntlsys(struct t_audit_data *tad) 2330 { 2331 klwp_t *clwp = ttolwp(curthread); 2332 2333 struct a { 2334 long pc_version; 2335 long psp; /* procset_t */ 2336 long cmd; 2337 long arg; 2338 } *uap = (struct a *)clwp->lwp_ap; 2339 2340 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2341 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2342 2343 } /* AUS_PRIOCNTLSYS */ 2344 2345 2346 /*ARGSUSED*/ 2347 static void 2348 aus_setegid(struct t_audit_data *tad) 2349 { 2350 klwp_t *clwp = ttolwp(curthread); 2351 uint32_t gid; 2352 2353 struct a { 2354 long gid; 2355 } *uap = (struct a *)clwp->lwp_ap; 2356 2357 gid = (uint32_t)uap->gid; 2358 2359 au_uwrite(au_to_arg32(1, "gid", gid)); 2360 } /* AUS_SETEGID */ 2361 2362 2363 2364 2365 /*ARGSUSED*/ 2366 static void 2367 aus_setgroups(struct t_audit_data *tad) 2368 { 2369 klwp_t *clwp = ttolwp(curthread); 2370 int i; 2371 int gidsetsize; 2372 uintptr_t gidset; 2373 gid_t *gidlist; 2374 2375 struct a { 2376 long gidsetsize; 2377 long gidset; 2378 } *uap = (struct a *)clwp->lwp_ap; 2379 2380 gidsetsize = (uint_t)uap->gidsetsize; 2381 gidset = (uintptr_t)uap->gidset; 2382 2383 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2384 return; 2385 if (gidsetsize != 0) { 2386 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2387 KM_SLEEP); 2388 if (copyin((caddr_t)gidset, gidlist, 2389 gidsetsize * sizeof (gid_t)) == 0) 2390 for (i = 0; i < gidsetsize; i++) 2391 au_uwrite(au_to_arg32(1, "setgroups", 2392 (uint32_t)gidlist[i])); 2393 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2394 } else 2395 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2396 2397 } /* AUS_SETGROUPS */ 2398 2399 2400 2401 2402 2403 /*ARGSUSED*/ 2404 static void 2405 aus_seteuid(struct t_audit_data *tad) 2406 { 2407 klwp_t *clwp = ttolwp(curthread); 2408 uint32_t uid; 2409 2410 struct a { 2411 long uid; 2412 } *uap = (struct a *)clwp->lwp_ap; 2413 2414 uid = (uint32_t)uap->uid; 2415 2416 au_uwrite(au_to_arg32(1, "euid", uid)); 2417 2418 } /* AUS_SETEUID */ 2419 2420 /*ARGSUSED*/ 2421 static void 2422 aus_putmsg(struct t_audit_data *tad) 2423 { 2424 klwp_t *clwp = ttolwp(curthread); 2425 uint32_t fd, pri; 2426 struct file *fp; 2427 struct f_audit_data *fad; 2428 2429 struct a { 2430 long fdes; 2431 long ctl; /* struct strbuf * */ 2432 long data; /* struct strbuf * */ 2433 long pri; 2434 } *uap = (struct a *)clwp->lwp_ap; 2435 2436 fd = (uint32_t)uap->fdes; 2437 pri = (uint32_t)uap->pri; 2438 2439 au_uwrite(au_to_arg32(1, "fd", fd)); 2440 2441 if ((fp = getf(fd)) != NULL) { 2442 fad = F2A(fp); 2443 2444 fad->fad_flags |= FAD_WRITE; 2445 2446 /* add path name to audit record */ 2447 if (fad->fad_aupath != NULL) { 2448 au_uwrite(au_to_path(fad->fad_aupath)); 2449 } 2450 audit_attributes(fp->f_vnode); 2451 2452 releasef(fd); 2453 } 2454 2455 au_uwrite(au_to_arg32(4, "pri", pri)); 2456 } 2457 2458 /*ARGSUSED*/ 2459 static void 2460 aus_putpmsg(struct t_audit_data *tad) 2461 { 2462 klwp_t *clwp = ttolwp(curthread); 2463 uint32_t fd, pri, flags; 2464 struct file *fp; 2465 struct f_audit_data *fad; 2466 2467 struct a { 2468 long fdes; 2469 long ctl; /* struct strbuf * */ 2470 long data; /* struct strbuf * */ 2471 long pri; 2472 long flags; 2473 } *uap = (struct a *)clwp->lwp_ap; 2474 2475 fd = (uint32_t)uap->fdes; 2476 pri = (uint32_t)uap->pri; 2477 flags = (uint32_t)uap->flags; 2478 2479 au_uwrite(au_to_arg32(1, "fd", fd)); 2480 2481 if ((fp = getf(fd)) != NULL) { 2482 fad = F2A(fp); 2483 2484 fad->fad_flags |= FAD_WRITE; 2485 2486 /* add path name to audit record */ 2487 if (fad->fad_aupath != NULL) { 2488 au_uwrite(au_to_path(fad->fad_aupath)); 2489 } 2490 audit_attributes(fp->f_vnode); 2491 2492 releasef(fd); 2493 } 2494 2495 2496 au_uwrite(au_to_arg32(4, "pri", pri)); 2497 au_uwrite(au_to_arg32(5, "flags", flags)); 2498 } 2499 2500 /*ARGSUSED*/ 2501 static void 2502 aus_getmsg(struct t_audit_data *tad) 2503 { 2504 klwp_t *clwp = ttolwp(curthread); 2505 uint32_t fd, pri; 2506 struct file *fp; 2507 struct f_audit_data *fad; 2508 2509 struct a { 2510 long fdes; 2511 long ctl; /* struct strbuf * */ 2512 long data; /* struct strbuf * */ 2513 long pri; 2514 } *uap = (struct a *)clwp->lwp_ap; 2515 2516 fd = (uint32_t)uap->fdes; 2517 pri = (uint32_t)uap->pri; 2518 2519 au_uwrite(au_to_arg32(1, "fd", fd)); 2520 2521 if ((fp = getf(fd)) != NULL) { 2522 fad = F2A(fp); 2523 2524 /* 2525 * read operation on this object 2526 */ 2527 fad->fad_flags |= FAD_READ; 2528 2529 /* add path name to audit record */ 2530 if (fad->fad_aupath != NULL) { 2531 au_uwrite(au_to_path(fad->fad_aupath)); 2532 } 2533 audit_attributes(fp->f_vnode); 2534 2535 releasef(fd); 2536 } 2537 2538 au_uwrite(au_to_arg32(4, "pri", pri)); 2539 } 2540 2541 /*ARGSUSED*/ 2542 static void 2543 aus_getpmsg(struct t_audit_data *tad) 2544 { 2545 klwp_t *clwp = ttolwp(curthread); 2546 uint32_t fd; 2547 struct file *fp; 2548 struct f_audit_data *fad; 2549 2550 struct a { 2551 long fdes; 2552 long ctl; /* struct strbuf * */ 2553 long data; /* struct strbuf * */ 2554 long pri; 2555 long flags; 2556 } *uap = (struct a *)clwp->lwp_ap; 2557 2558 fd = (uint32_t)uap->fdes; 2559 2560 au_uwrite(au_to_arg32(1, "fd", fd)); 2561 2562 if ((fp = getf(fd)) != NULL) { 2563 fad = F2A(fp); 2564 2565 /* 2566 * read operation on this object 2567 */ 2568 fad->fad_flags |= FAD_READ; 2569 2570 /* add path name to audit record */ 2571 if (fad->fad_aupath != NULL) { 2572 au_uwrite(au_to_path(fad->fad_aupath)); 2573 } 2574 audit_attributes(fp->f_vnode); 2575 2576 releasef(fd); 2577 } 2578 } 2579 2580 static au_event_t 2581 aui_labelsys(au_event_t e) 2582 { 2583 klwp_t *clwp = ttolwp(curthread); 2584 uint32_t code; 2585 uint32_t cmd; 2586 2587 struct a { 2588 long code; 2589 long cmd; 2590 } *uap = (struct a *)clwp->lwp_ap; 2591 2592 code = (uint32_t)uap->code; 2593 cmd = (uint32_t)uap->cmd; 2594 2595 /* not security relevant if not changing kernel cache */ 2596 if (cmd == TNDB_GET) 2597 return (AUE_NULL); 2598 2599 switch (code) { 2600 case TSOL_TNRH: 2601 e = AUE_LABELSYS_TNRH; 2602 break; 2603 case TSOL_TNRHTP: 2604 e = AUE_LABELSYS_TNRHTP; 2605 break; 2606 case TSOL_TNMLP: 2607 e = AUE_LABELSYS_TNMLP; 2608 break; 2609 default: 2610 e = AUE_NULL; 2611 break; 2612 } 2613 2614 return (e); 2615 2616 } 2617 2618 static void 2619 aus_labelsys(struct t_audit_data *tad) 2620 { 2621 klwp_t *clwp = ttolwp(curthread); 2622 uint32_t cmd; 2623 uintptr_t a2; 2624 2625 struct a { 2626 long code; 2627 long cmd; 2628 long a2; 2629 } *uap = (struct a *)clwp->lwp_ap; 2630 2631 cmd = (uint32_t)uap->cmd; 2632 a2 = (uintptr_t)uap->a2; 2633 2634 switch (tad->tad_event) { 2635 case AUE_LABELSYS_TNRH: 2636 { 2637 tsol_rhent_t *rhent; 2638 tnaddr_t *rh_addr; 2639 2640 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2641 2642 /* Remaining args don't apply for FLUSH, so skip */ 2643 if (cmd == TNDB_FLUSH) 2644 break; 2645 2646 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2647 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2648 kmem_free(rhent, sizeof (tsol_rhent_t)); 2649 return; 2650 } 2651 2652 rh_addr = &rhent->rh_address; 2653 if (rh_addr->ta_family == AF_INET) { 2654 struct in_addr *ipaddr; 2655 2656 ipaddr = &(rh_addr->ta_addr_v4); 2657 au_uwrite(au_to_in_addr(ipaddr)); 2658 } else if (rh_addr->ta_family == AF_INET6) { 2659 int32_t *ipaddr; 2660 2661 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2662 au_uwrite(au_to_in_addr_ex(ipaddr)); 2663 } 2664 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2665 2666 kmem_free(rhent, sizeof (tsol_rhent_t)); 2667 2668 break; 2669 } 2670 case AUE_LABELSYS_TNRHTP: 2671 { 2672 tsol_tpent_t *tpent; 2673 2674 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2675 2676 /* Remaining args don't apply for FLUSH, so skip */ 2677 if (cmd == TNDB_FLUSH) 2678 break; 2679 2680 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2681 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2682 kmem_free(tpent, sizeof (tsol_tpent_t)); 2683 return; 2684 } 2685 2686 /* Make sure that the template name is null-terminated. */ 2687 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2688 2689 au_uwrite(au_to_text(tpent->name)); 2690 kmem_free(tpent, sizeof (tsol_tpent_t)); 2691 2692 break; 2693 } 2694 case AUE_LABELSYS_TNMLP: 2695 { 2696 tsol_mlpent_t *mlpent; 2697 2698 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2699 2700 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2701 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2702 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2703 return; 2704 } 2705 2706 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2707 au_uwrite(au_to_text("shared")); 2708 } else { 2709 zone_t *zone; 2710 2711 zone = zone_find_by_id(mlpent->tsme_zoneid); 2712 if (zone != NULL) { 2713 au_uwrite(au_to_text(zone->zone_name)); 2714 zone_rele(zone); 2715 } 2716 } 2717 2718 /* Remaining args don't apply for FLUSH, so skip */ 2719 if (cmd == TNDB_FLUSH) { 2720 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2721 break; 2722 } 2723 2724 au_uwrite(au_to_arg32(2, "proto num", 2725 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2726 au_uwrite(au_to_arg32(2, "mlp_port", 2727 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2728 2729 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2730 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2731 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2732 2733 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2734 2735 break; 2736 } 2737 default: 2738 break; 2739 } 2740 } 2741 2742 2743 static au_event_t 2744 aui_auditsys(au_event_t e) 2745 { 2746 klwp_t *clwp = ttolwp(curthread); 2747 uint32_t code; 2748 2749 struct a { 2750 long code; 2751 long a1; 2752 long a2; 2753 long a3; 2754 long a4; 2755 long a5; 2756 long a6; 2757 long a7; 2758 } *uap = (struct a *)clwp->lwp_ap; 2759 2760 code = (uint32_t)uap->code; 2761 2762 switch (code) { 2763 2764 case BSM_GETAUID: 2765 e = AUE_GETAUID; 2766 break; 2767 case BSM_SETAUID: 2768 e = AUE_SETAUID; 2769 break; 2770 case BSM_GETAUDIT: 2771 e = AUE_GETAUDIT; 2772 break; 2773 case BSM_GETAUDIT_ADDR: 2774 e = AUE_GETAUDIT_ADDR; 2775 break; 2776 case BSM_SETAUDIT: 2777 e = AUE_SETAUDIT; 2778 break; 2779 case BSM_SETAUDIT_ADDR: 2780 e = AUE_SETAUDIT_ADDR; 2781 break; 2782 case BSM_AUDIT: 2783 e = AUE_AUDIT; 2784 break; 2785 case BSM_GETPORTAUDIT: 2786 e = AUE_GETPORTAUDIT; 2787 break; 2788 case BSM_AUDITON: 2789 case BSM_AUDITCTL: 2790 2791 switch ((uint_t)uap->a1) { 2792 2793 case A_GETPOLICY: 2794 e = AUE_AUDITON_GPOLICY; 2795 break; 2796 case A_SETPOLICY: 2797 e = AUE_AUDITON_SPOLICY; 2798 break; 2799 case A_GETKMASK: 2800 e = AUE_AUDITON_GETKMASK; 2801 break; 2802 case A_SETKMASK: 2803 e = AUE_AUDITON_SETKMASK; 2804 break; 2805 case A_GETQCTRL: 2806 e = AUE_AUDITON_GQCTRL; 2807 break; 2808 case A_SETQCTRL: 2809 e = AUE_AUDITON_SQCTRL; 2810 break; 2811 case A_GETCWD: 2812 e = AUE_AUDITON_GETCWD; 2813 break; 2814 case A_GETCAR: 2815 e = AUE_AUDITON_GETCAR; 2816 break; 2817 case A_GETSTAT: 2818 e = AUE_AUDITON_GETSTAT; 2819 break; 2820 case A_SETSTAT: 2821 e = AUE_AUDITON_SETSTAT; 2822 break; 2823 case A_SETUMASK: 2824 e = AUE_AUDITON_SETUMASK; 2825 break; 2826 case A_SETSMASK: 2827 e = AUE_AUDITON_SETSMASK; 2828 break; 2829 case A_GETCOND: 2830 e = AUE_AUDITON_GETCOND; 2831 break; 2832 case A_SETCOND: 2833 e = AUE_AUDITON_SETCOND; 2834 break; 2835 case A_GETCLASS: 2836 e = AUE_AUDITON_GETCLASS; 2837 break; 2838 case A_SETCLASS: 2839 e = AUE_AUDITON_SETCLASS; 2840 break; 2841 default: 2842 e = AUE_NULL; 2843 break; 2844 } 2845 break; 2846 default: 2847 e = AUE_NULL; 2848 break; 2849 } 2850 2851 return (e); 2852 2853 } /* AUI_AUDITSYS */ 2854 2855 2856 static void 2857 aus_auditsys(struct t_audit_data *tad) 2858 { 2859 klwp_t *clwp = ttolwp(curthread); 2860 uintptr_t a1, a2; 2861 STRUCT_DECL(auditinfo, ainfo); 2862 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2863 au_evclass_map_t event; 2864 au_mask_t mask; 2865 int auditstate, policy; 2866 au_id_t auid; 2867 2868 2869 struct a { 2870 long code; 2871 long a1; 2872 long a2; 2873 long a3; 2874 long a4; 2875 long a5; 2876 long a6; 2877 long a7; 2878 } *uap = (struct a *)clwp->lwp_ap; 2879 2880 a1 = (uintptr_t)uap->a1; 2881 a2 = (uintptr_t)uap->a2; 2882 2883 switch (tad->tad_event) { 2884 case AUE_SETAUID: 2885 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2886 return; 2887 au_uwrite(au_to_arg32(2, "setauid", auid)); 2888 break; 2889 case AUE_SETAUDIT: 2890 STRUCT_INIT(ainfo, get_udatamodel()); 2891 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2892 STRUCT_SIZE(ainfo))) { 2893 return; 2894 } 2895 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2896 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2897 #ifdef _LP64 2898 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2899 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2900 #else 2901 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2902 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2903 #endif 2904 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2905 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2906 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2907 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2908 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2909 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2910 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2911 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2912 break; 2913 case AUE_SETAUDIT_ADDR: 2914 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2915 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2916 STRUCT_SIZE(ainfo_addr))) { 2917 return; 2918 } 2919 au_uwrite(au_to_arg32((char)1, "auid", 2920 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2921 #ifdef _LP64 2922 au_uwrite(au_to_arg64((char)1, "port", 2923 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2924 #else 2925 au_uwrite(au_to_arg32((char)1, "port", 2926 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2927 #endif 2928 au_uwrite(au_to_arg32((char)1, "type", 2929 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2930 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2931 AU_IPv4) { 2932 au_uwrite(au_to_in_addr( 2933 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2934 ai_termid.at_addr))); 2935 } else { 2936 au_uwrite(au_to_in_addr_ex( 2937 (int32_t *)STRUCT_FGETP(ainfo_addr, 2938 ai_termid.at_addr))); 2939 } 2940 au_uwrite(au_to_arg32((char)1, "as_success", 2941 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2942 au_uwrite(au_to_arg32((char)1, "as_failure", 2943 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2944 au_uwrite(au_to_arg32((char)1, "asid", 2945 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2946 break; 2947 case AUE_AUDITON_SETKMASK: 2948 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2949 return; 2950 au_uwrite(au_to_arg32( 2951 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2952 au_uwrite(au_to_arg32( 2953 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2954 break; 2955 case AUE_AUDITON_SPOLICY: 2956 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2957 return; 2958 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2959 break; 2960 case AUE_AUDITON_SQCTRL: { 2961 STRUCT_DECL(au_qctrl, qctrl); 2962 model_t model; 2963 2964 model = get_udatamodel(); 2965 STRUCT_INIT(qctrl, model); 2966 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2967 return; 2968 if (model == DATAMODEL_ILP32) { 2969 au_uwrite(au_to_arg32( 2970 3, "setqctrl:aq_hiwater", 2971 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2972 au_uwrite(au_to_arg32( 2973 3, "setqctrl:aq_lowater", 2974 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2975 au_uwrite(au_to_arg32( 2976 3, "setqctrl:aq_bufsz", 2977 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2978 au_uwrite(au_to_arg32( 2979 3, "setqctrl:aq_delay", 2980 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2981 } else { 2982 au_uwrite(au_to_arg64( 2983 3, "setqctrl:aq_hiwater", 2984 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2985 au_uwrite(au_to_arg64( 2986 3, "setqctrl:aq_lowater", 2987 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2988 au_uwrite(au_to_arg64( 2989 3, "setqctrl:aq_bufsz", 2990 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2991 au_uwrite(au_to_arg64( 2992 3, "setqctrl:aq_delay", 2993 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2994 } 2995 break; 2996 } 2997 case AUE_AUDITON_SETUMASK: 2998 STRUCT_INIT(ainfo, get_udatamodel()); 2999 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3000 STRUCT_SIZE(ainfo))) { 3001 return; 3002 } 3003 au_uwrite(au_to_arg32(3, "setumask:as_success", 3004 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3005 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3006 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3007 break; 3008 case AUE_AUDITON_SETSMASK: 3009 STRUCT_INIT(ainfo, get_udatamodel()); 3010 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3011 STRUCT_SIZE(ainfo))) { 3012 return; 3013 } 3014 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3015 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3016 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3017 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3018 break; 3019 case AUE_AUDITON_SETCOND: 3020 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3021 return; 3022 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3023 break; 3024 case AUE_AUDITON_SETCLASS: 3025 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3026 return; 3027 au_uwrite(au_to_arg32( 3028 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3029 au_uwrite(au_to_arg32( 3030 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3031 break; 3032 case AUE_GETAUID: 3033 case AUE_GETAUDIT: 3034 case AUE_GETAUDIT_ADDR: 3035 case AUE_AUDIT: 3036 case AUE_GETPORTAUDIT: 3037 case AUE_AUDITON_GPOLICY: 3038 case AUE_AUDITON_GQCTRL: 3039 case AUE_AUDITON_GETKMASK: 3040 case AUE_AUDITON_GETCWD: 3041 case AUE_AUDITON_GETCAR: 3042 case AUE_AUDITON_GETSTAT: 3043 case AUE_AUDITON_SETSTAT: 3044 case AUE_AUDITON_GETCOND: 3045 case AUE_AUDITON_GETCLASS: 3046 break; 3047 default: 3048 break; 3049 } 3050 3051 } /* AUS_AUDITSYS */ 3052 3053 3054 /* only audit privileged operations for systeminfo(2) system call */ 3055 static au_event_t 3056 aui_sysinfo(au_event_t e) 3057 { 3058 klwp_t *clwp = ttolwp(curthread); 3059 uint32_t command; 3060 3061 struct a { 3062 long command; 3063 long buf; /* char * */ 3064 long count; 3065 } *uap = (struct a *)clwp->lwp_ap; 3066 3067 command = (uint32_t)uap->command; 3068 3069 switch (command) { 3070 case SI_SET_HOSTNAME: 3071 case SI_SET_SRPC_DOMAIN: 3072 e = (au_event_t)AUE_SYSINFO; 3073 break; 3074 default: 3075 e = (au_event_t)AUE_NULL; 3076 break; 3077 } 3078 return (e); 3079 } 3080 3081 /*ARGSUSED*/ 3082 static void 3083 aus_sysinfo(struct t_audit_data *tad) 3084 { 3085 klwp_t *clwp = ttolwp(curthread); 3086 uint32_t command; 3087 size_t len, maxlen; 3088 char *name; 3089 uintptr_t buf; 3090 3091 struct a { 3092 long command; 3093 long buf; /* char * */ 3094 long count; 3095 } *uap = (struct a *)clwp->lwp_ap; 3096 3097 command = (uint32_t)uap->command; 3098 buf = (uintptr_t)uap->buf; 3099 3100 au_uwrite(au_to_arg32(1, "cmd", command)); 3101 3102 switch (command) { 3103 case SI_SET_HOSTNAME: 3104 { 3105 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3106 return; 3107 3108 maxlen = SYS_NMLN; 3109 name = kmem_alloc(maxlen, KM_SLEEP); 3110 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3111 break; 3112 3113 /* 3114 * Must be non-NULL string and string 3115 * must be less than SYS_NMLN chars. 3116 */ 3117 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3118 break; 3119 3120 au_uwrite(au_to_text(name)); 3121 break; 3122 } 3123 3124 case SI_SET_SRPC_DOMAIN: 3125 { 3126 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3127 return; 3128 3129 maxlen = SYS_NMLN; 3130 name = kmem_alloc(maxlen, KM_SLEEP); 3131 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3132 break; 3133 3134 /* 3135 * If string passed in is longer than length 3136 * allowed for domain name, fail. 3137 */ 3138 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3139 break; 3140 3141 au_uwrite(au_to_text(name)); 3142 break; 3143 } 3144 3145 default: 3146 return; 3147 } 3148 3149 kmem_free(name, maxlen); 3150 } 3151 3152 static au_event_t 3153 aui_modctl(au_event_t e) 3154 { 3155 klwp_t *clwp = ttolwp(curthread); 3156 uint_t cmd; 3157 3158 struct a { 3159 long cmd; 3160 } *uap = (struct a *)clwp->lwp_ap; 3161 3162 cmd = (uint_t)uap->cmd; 3163 3164 switch (cmd) { 3165 case MODLOAD: 3166 e = AUE_MODLOAD; 3167 break; 3168 case MODUNLOAD: 3169 e = AUE_MODUNLOAD; 3170 break; 3171 case MODADDMAJBIND: 3172 e = AUE_MODADDMAJ; 3173 break; 3174 case MODSETDEVPOLICY: 3175 e = AUE_MODDEVPLCY; 3176 break; 3177 case MODALLOCPRIV: 3178 e = AUE_MODADDPRIV; 3179 break; 3180 default: 3181 e = AUE_NULL; 3182 break; 3183 } 3184 return (e); 3185 } 3186 3187 3188 /*ARGSUSED*/ 3189 static void 3190 aus_modctl(struct t_audit_data *tad) 3191 { 3192 klwp_t *clwp = ttolwp(curthread); 3193 void *a = clwp->lwp_ap; 3194 uint_t use_path; 3195 3196 switch (tad->tad_event) { 3197 case AUE_MODLOAD: { 3198 typedef struct { 3199 long cmd; 3200 long use_path; 3201 long filename; /* char * */ 3202 } modloada_t; 3203 3204 char *filenamep; 3205 uintptr_t fname; 3206 extern char *default_path; 3207 3208 fname = (uintptr_t)((modloada_t *)a)->filename; 3209 use_path = (uint_t)((modloada_t *)a)->use_path; 3210 3211 /* space to hold path */ 3212 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3213 /* get string */ 3214 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3215 /* free allocated path */ 3216 kmem_free(filenamep, MOD_MAXPATH); 3217 return; 3218 } 3219 /* ensure it's null terminated */ 3220 filenamep[MOD_MAXPATH - 1] = 0; 3221 3222 if (use_path) 3223 au_uwrite(au_to_text(default_path)); 3224 au_uwrite(au_to_text(filenamep)); 3225 3226 /* release temporary memory */ 3227 kmem_free(filenamep, MOD_MAXPATH); 3228 break; 3229 } 3230 case AUE_MODUNLOAD: { 3231 typedef struct { 3232 long cmd; 3233 long id; 3234 } modunloada_t; 3235 3236 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3237 3238 au_uwrite(au_to_arg32(1, "id", id)); 3239 break; 3240 } 3241 case AUE_MODADDMAJ: { 3242 STRUCT_DECL(modconfig, mc); 3243 typedef struct { 3244 long cmd; 3245 long subcmd; 3246 long data; /* int * */ 3247 } modconfiga_t; 3248 3249 STRUCT_DECL(aliases, alias); 3250 caddr_t ap; 3251 int i, num_aliases; 3252 char *drvname, *mc_drvname; 3253 char *name; 3254 extern char *ddi_major_to_name(major_t); 3255 model_t model; 3256 3257 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3258 3259 model = get_udatamodel(); 3260 STRUCT_INIT(mc, model); 3261 /* sanitize buffer */ 3262 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3263 /* get user arguments */ 3264 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3265 STRUCT_SIZE(mc)) != 0) 3266 return; 3267 3268 mc_drvname = STRUCT_FGET(mc, drvname); 3269 if ((drvname = ddi_major_to_name( 3270 (major_t)STRUCT_FGET(mc, major))) != NULL && 3271 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3272 /* safety */ 3273 if (mc_drvname[0] != '\0') { 3274 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3275 au_uwrite(au_to_text(mc_drvname)); 3276 } 3277 /* drvname != NULL from test above */ 3278 au_uwrite(au_to_text(drvname)); 3279 return; 3280 } 3281 3282 if (mc_drvname[0] != '\0') { 3283 /* safety */ 3284 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3285 au_uwrite(au_to_text(mc_drvname)); 3286 } else 3287 au_uwrite(au_to_text("no drvname")); 3288 3289 num_aliases = STRUCT_FGET(mc, num_aliases); 3290 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3291 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3292 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3293 STRUCT_INIT(alias, model); 3294 for (i = 0; i < num_aliases; i++) { 3295 bzero((caddr_t)STRUCT_BUF(alias), 3296 STRUCT_SIZE(alias)); 3297 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3298 STRUCT_SIZE(alias)) != 0) 3299 break; 3300 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3301 MAXMODCONFNAME, NULL) != 0) { 3302 break; 3303 } 3304 3305 au_uwrite(au_to_text(name)); 3306 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3307 } 3308 kmem_free(name, MAXMODCONFNAME); 3309 break; 3310 } 3311 default: 3312 break; 3313 } 3314 } 3315 3316 3317 /*ARGSUSED*/ 3318 static void 3319 auf_accept( 3320 struct t_audit_data *tad, 3321 int error, 3322 rval_t *rval) 3323 { 3324 uint32_t scid; 3325 uint32_t sy_flags; 3326 int fd; 3327 struct sonode *so; 3328 char so_laddr[sizeof (struct sockaddr_in6)]; 3329 char so_faddr[sizeof (struct sockaddr_in6)]; 3330 int err; 3331 int len; 3332 short so_family, so_type; 3333 int add_sock_token = 0; 3334 3335 /* need to determine type of executing binary */ 3336 scid = tad->tad_scid; 3337 #ifdef _SYSCALL32_IMPL 3338 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3339 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3340 else 3341 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3342 #else 3343 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3344 #endif 3345 if (sy_flags == SE_32RVAL1) 3346 fd = rval->r_val1; 3347 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3348 fd = rval->r_val1; 3349 if (sy_flags == SE_64RVAL) 3350 fd = (int)rval->r_vals; 3351 3352 if (error) { 3353 /* can't trust socket contents. Just return */ 3354 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3355 return; 3356 } 3357 3358 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3359 /* 3360 * not security relevant if doing a accept from non socket 3361 * so no extra tokens. Should probably turn off audit record 3362 * generation here. 3363 */ 3364 return; 3365 } 3366 3367 so_family = so->so_family; 3368 so_type = so->so_type; 3369 3370 switch (so_family) { 3371 case AF_INET: 3372 case AF_INET6: 3373 /* 3374 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3375 */ 3376 if (so->so_type == SOCK_STREAM) { 3377 3378 bzero((void *)so_laddr, sizeof (so_laddr)); 3379 bzero((void *)so_faddr, sizeof (so_faddr)); 3380 3381 /* 3382 * no local address then need to get it from lower 3383 * levels. only put out record on first read ala 3384 * AUE_WRITE. 3385 */ 3386 if (so->so_state & SS_ISBOUND) { 3387 /* only done once on a connection */ 3388 (void) SOP_GETSOCKNAME(so); 3389 (void) SOP_GETPEERNAME(so); 3390 3391 /* get local and foreign addresses */ 3392 mutex_enter(&so->so_lock); 3393 len = min(so->so_laddr_len, sizeof (so_laddr)); 3394 bcopy(so->so_laddr_sa, so_laddr, len); 3395 len = min(so->so_faddr_len, sizeof (so_faddr)); 3396 bcopy(so->so_faddr_sa, so_faddr, len); 3397 mutex_exit(&so->so_lock); 3398 } 3399 3400 add_sock_token = 1; 3401 } 3402 break; 3403 3404 default: 3405 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3406 break; 3407 } 3408 3409 releasef(fd); 3410 3411 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3412 3413 if (add_sock_token == 0) { 3414 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3415 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3416 return; 3417 } 3418 3419 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3420 3421 } 3422 3423 /*ARGSUSED*/ 3424 static void 3425 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3426 { 3427 struct a { 3428 long fd; 3429 long addr; 3430 long len; 3431 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3432 3433 struct sonode *so; 3434 char so_laddr[sizeof (struct sockaddr_in6)]; 3435 char so_faddr[sizeof (struct sockaddr_in6)]; 3436 int err, fd; 3437 int len; 3438 short so_family, so_type; 3439 int add_sock_token = 0; 3440 3441 fd = (int)uap->fd; 3442 3443 /* 3444 * bind failed, then nothing extra to add to audit record. 3445 */ 3446 if (error) { 3447 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3448 /* XXX may want to add failed address some day */ 3449 return; 3450 } 3451 3452 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3453 /* 3454 * not security relevant if doing a bind from non socket 3455 * so no extra tokens. Should probably turn off audit record 3456 * generation here. 3457 */ 3458 return; 3459 } 3460 3461 so_family = so->so_family; 3462 so_type = so->so_type; 3463 3464 switch (so_family) { 3465 case AF_INET: 3466 case AF_INET6: 3467 3468 bzero(so_faddr, sizeof (so_faddr)); 3469 3470 if (so->so_state & SS_ISBOUND) { 3471 /* only done once on a connection */ 3472 (void) SOP_GETSOCKNAME(so); 3473 } 3474 3475 mutex_enter(&so->so_lock); 3476 len = min(so->so_laddr_len, sizeof (so_laddr)); 3477 bcopy(so->so_laddr_sa, so_laddr, len); 3478 mutex_exit(&so->so_lock); 3479 3480 add_sock_token = 1; 3481 3482 break; 3483 3484 case AF_UNIX: 3485 /* token added by lookup */ 3486 break; 3487 default: 3488 /* AF_ROUTE, AF_KEY do not support accept */ 3489 break; 3490 } 3491 3492 releasef(fd); 3493 3494 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3495 3496 if (add_sock_token == 0) { 3497 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3498 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3499 return; 3500 } 3501 3502 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3503 3504 } 3505 3506 /*ARGSUSED*/ 3507 static void 3508 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3509 { 3510 struct a { 3511 long fd; 3512 long addr; 3513 long len; 3514 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3515 3516 struct sonode *so; 3517 char so_laddr[sizeof (struct sockaddr_in6)]; 3518 char so_faddr[sizeof (struct sockaddr_in6)]; 3519 int err, fd; 3520 int len; 3521 short so_family, so_type; 3522 int add_sock_token = 0; 3523 3524 fd = (int)uap->fd; 3525 3526 3527 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3528 /* 3529 * not security relevant if doing a connect from non socket 3530 * so no extra tokens. Should probably turn off audit record 3531 * generation here. 3532 */ 3533 return; 3534 } 3535 3536 so_family = so->so_family; 3537 so_type = so->so_type; 3538 3539 switch (so_family) { 3540 case AF_INET: 3541 case AF_INET6: 3542 /* 3543 * no local address then need to get it from lower 3544 * levels. 3545 */ 3546 if (so->so_state & SS_ISBOUND) { 3547 /* only done once on a connection */ 3548 (void) SOP_GETSOCKNAME(so); 3549 (void) SOP_GETPEERNAME(so); 3550 } 3551 3552 bzero(so_laddr, sizeof (so_laddr)); 3553 bzero(so_faddr, sizeof (so_faddr)); 3554 3555 mutex_enter(&so->so_lock); 3556 len = min(so->so_laddr_len, sizeof (so_laddr)); 3557 bcopy(so->so_laddr_sa, so_laddr, len); 3558 if (error) { 3559 mutex_exit(&so->so_lock); 3560 if (uap->addr == NULL) 3561 break; 3562 if (uap->len <= 0) 3563 break; 3564 len = min(uap->len, sizeof (so_faddr)); 3565 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3566 break; 3567 #ifdef NOTYET 3568 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3569 #endif 3570 } else { 3571 /* sanity check on length */ 3572 len = min(so->so_faddr_len, sizeof (so_faddr)); 3573 bcopy(so->so_faddr_sa, so_faddr, len); 3574 mutex_exit(&so->so_lock); 3575 } 3576 3577 add_sock_token = 1; 3578 3579 break; 3580 3581 case AF_UNIX: 3582 /* does a lookup on name */ 3583 break; 3584 3585 default: 3586 /* AF_ROUTE, AF_KEY do not support accept */ 3587 break; 3588 } 3589 3590 releasef(fd); 3591 3592 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3593 3594 if (add_sock_token == 0) { 3595 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3596 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3597 return; 3598 } 3599 3600 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3601 3602 } 3603 3604 /*ARGSUSED*/ 3605 static void 3606 aus_shutdown(struct t_audit_data *tad) 3607 { 3608 struct a { 3609 long fd; 3610 long how; 3611 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3612 3613 struct sonode *so; 3614 char so_laddr[sizeof (struct sockaddr_in6)]; 3615 char so_faddr[sizeof (struct sockaddr_in6)]; 3616 int err, fd; 3617 int len; 3618 short so_family, so_type; 3619 int add_sock_token = 0; 3620 file_t *fp; /* unix domain sockets */ 3621 struct f_audit_data *fad; /* unix domain sockets */ 3622 3623 fd = (int)uap->fd; 3624 3625 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3626 /* 3627 * not security relevant if doing a shutdown using non socket 3628 * so no extra tokens. Should probably turn off audit record 3629 * generation here. 3630 */ 3631 return; 3632 } 3633 3634 so_family = so->so_family; 3635 so_type = so->so_type; 3636 3637 switch (so_family) { 3638 case AF_INET: 3639 case AF_INET6: 3640 3641 bzero(so_laddr, sizeof (so_laddr)); 3642 bzero(so_faddr, sizeof (so_faddr)); 3643 3644 if (so->so_state & SS_ISBOUND) { 3645 /* 3646 * no local address then need to get it from lower 3647 * levels. 3648 */ 3649 if (so->so_laddr_len == 0) 3650 (void) SOP_GETSOCKNAME(so); 3651 if (so->so_faddr_len == 0) 3652 (void) SOP_GETPEERNAME(so); 3653 } 3654 3655 mutex_enter(&so->so_lock); 3656 len = min(so->so_laddr_len, sizeof (so_laddr)); 3657 bcopy(so->so_laddr_sa, so_laddr, len); 3658 len = min(so->so_faddr_len, sizeof (so_faddr)); 3659 bcopy(so->so_faddr_sa, so_faddr, len); 3660 mutex_exit(&so->so_lock); 3661 3662 add_sock_token = 1; 3663 3664 break; 3665 3666 case AF_UNIX: 3667 3668 /* get path from file struct here */ 3669 fad = F2A(fp); 3670 ASSERT(fad); 3671 3672 if (fad->fad_aupath != NULL) { 3673 au_uwrite(au_to_path(fad->fad_aupath)); 3674 } else { 3675 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3676 } 3677 3678 audit_attributes(fp->f_vnode); 3679 3680 break; 3681 3682 default: 3683 /* 3684 * AF_KEY and AF_ROUTE support shutdown. No socket token 3685 * added. 3686 */ 3687 break; 3688 } 3689 3690 releasef(fd); 3691 3692 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3693 3694 if (add_sock_token == 0) { 3695 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3696 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3697 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3698 return; 3699 } 3700 3701 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3702 3703 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3704 3705 } 3706 3707 /*ARGSUSED*/ 3708 static void 3709 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3710 { 3711 struct a { 3712 long fd; 3713 long level; 3714 long optname; 3715 long *optval; 3716 long optlen; 3717 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3718 3719 struct sonode *so; 3720 char so_laddr[sizeof (struct sockaddr_in6)]; 3721 char so_faddr[sizeof (struct sockaddr_in6)]; 3722 char val[AU_BUFSIZE]; 3723 int err, fd; 3724 int len; 3725 short so_family, so_type; 3726 int add_sock_token = 0; 3727 file_t *fp; /* unix domain sockets */ 3728 struct f_audit_data *fad; /* unix domain sockets */ 3729 3730 fd = (int)uap->fd; 3731 3732 if (error) { 3733 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3734 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3735 /* XXX may want to include other arguments */ 3736 return; 3737 } 3738 3739 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3740 /* 3741 * not security relevant if doing a setsockopt from non socket 3742 * so no extra tokens. Should probably turn off audit record 3743 * generation here. 3744 */ 3745 return; 3746 } 3747 3748 so_family = so->so_family; 3749 so_type = so->so_type; 3750 3751 switch (so_family) { 3752 case AF_INET: 3753 case AF_INET6: 3754 3755 bzero((void *)so_laddr, sizeof (so_laddr)); 3756 bzero((void *)so_faddr, sizeof (so_faddr)); 3757 3758 if (so->so_state & SS_ISBOUND) { 3759 if (so->so_laddr_len == 0) 3760 (void) SOP_GETSOCKNAME(so); 3761 if (so->so_faddr_len == 0) 3762 (void) SOP_GETPEERNAME(so); 3763 } 3764 3765 /* get local and foreign addresses */ 3766 mutex_enter(&so->so_lock); 3767 len = min(so->so_laddr_len, sizeof (so_laddr)); 3768 bcopy(so->so_laddr_sa, so_laddr, len); 3769 len = min(so->so_faddr_len, sizeof (so_faddr)); 3770 bcopy(so->so_faddr_sa, so_faddr, len); 3771 mutex_exit(&so->so_lock); 3772 3773 add_sock_token = 1; 3774 3775 break; 3776 3777 case AF_UNIX: 3778 3779 /* get path from file struct here */ 3780 fad = F2A(fp); 3781 ASSERT(fad); 3782 3783 if (fad->fad_aupath != NULL) { 3784 au_uwrite(au_to_path(fad->fad_aupath)); 3785 } else { 3786 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3787 } 3788 3789 audit_attributes(fp->f_vnode); 3790 3791 break; 3792 3793 default: 3794 /* 3795 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3796 * added. 3797 */ 3798 break; 3799 } 3800 3801 releasef(fd); 3802 3803 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3804 3805 if (add_sock_token == 0) { 3806 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3807 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3808 } 3809 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3810 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3811 3812 bzero(val, sizeof (val)); 3813 len = min(uap->optlen, sizeof (val)); 3814 if ((len > 0) && 3815 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3816 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3817 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3818 } 3819 3820 if (add_sock_token == 0) 3821 return; 3822 3823 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3824 3825 } 3826 3827 /*ARGSUSED*/ 3828 static void 3829 aus_sockconfig(tad) 3830 struct t_audit_data *tad; 3831 { 3832 struct a { 3833 long domain; 3834 long type; 3835 long protocol; 3836 long devpath; 3837 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3838 3839 char *kdevpath; 3840 int kdevpathlen = MAXPATHLEN + 1; 3841 size_t size; 3842 3843 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3844 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3845 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3846 3847 if (uap->devpath == 0) { 3848 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3849 } else { 3850 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3851 3852 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3853 &size)) { 3854 kmem_free(kdevpath, kdevpathlen); 3855 return; 3856 } 3857 3858 if (size > MAXPATHLEN) { 3859 kmem_free(kdevpath, kdevpathlen); 3860 return; 3861 } 3862 3863 au_uwrite(au_to_text(kdevpath)); 3864 kmem_free(kdevpath, kdevpathlen); 3865 } 3866 } 3867 3868 /* 3869 * only audit recvmsg when the system call represents the creation of a new 3870 * circuit. This effectively occurs for all UDP packets and may occur for 3871 * special TCP situations where the local host has not set a local address 3872 * in the socket structure. 3873 */ 3874 /*ARGSUSED*/ 3875 static void 3876 auf_recvmsg( 3877 struct t_audit_data *tad, 3878 int error, 3879 rval_t *rvp) 3880 { 3881 struct a { 3882 long fd; 3883 long msg; /* struct msghdr */ 3884 long flags; 3885 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3886 3887 struct sonode *so; 3888 STRUCT_DECL(msghdr, msg); 3889 caddr_t msg_name; 3890 socklen_t msg_namelen; 3891 int fd; 3892 int err; 3893 char so_laddr[sizeof (struct sockaddr_in6)]; 3894 char so_faddr[sizeof (struct sockaddr_in6)]; 3895 int len; 3896 file_t *fp; /* unix domain sockets */ 3897 struct f_audit_data *fad; /* unix domain sockets */ 3898 short so_family, so_type; 3899 int add_sock_token = 0; 3900 au_kcontext_t *kctx = GET_KCTX_PZ; 3901 3902 fd = (int)uap->fd; 3903 3904 /* bail if an error */ 3905 if (error) { 3906 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3907 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3908 return; 3909 } 3910 3911 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3912 /* 3913 * not security relevant if doing a recvmsg from non socket 3914 * so no extra tokens. Should probably turn off audit record 3915 * generation here. 3916 */ 3917 return; 3918 } 3919 3920 so_family = so->so_family; 3921 so_type = so->so_type; 3922 3923 /* 3924 * only putout SOCKET_EX token if INET/INET6 family. 3925 * XXX - what do we do about other families? 3926 */ 3927 3928 switch (so_family) { 3929 case AF_INET: 3930 case AF_INET6: 3931 3932 /* 3933 * if datagram type socket, then just use what is in 3934 * socket structure for local address. 3935 * XXX - what do we do for other types? 3936 */ 3937 if ((so->so_type == SOCK_DGRAM) || 3938 (so->so_type == SOCK_RAW)) { 3939 add_sock_token = 1; 3940 3941 bzero((void *)so_laddr, sizeof (so_laddr)); 3942 bzero((void *)so_faddr, sizeof (so_faddr)); 3943 3944 /* get local address */ 3945 mutex_enter(&so->so_lock); 3946 len = min(so->so_laddr_len, sizeof (so_laddr)); 3947 bcopy(so->so_laddr_sa, so_laddr, len); 3948 mutex_exit(&so->so_lock); 3949 3950 /* get peer address */ 3951 STRUCT_INIT(msg, get_udatamodel()); 3952 3953 if (copyin((caddr_t)(uap->msg), 3954 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3955 break; 3956 } 3957 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3958 if (msg_name == NULL) { 3959 break; 3960 } 3961 3962 /* length is value from recvmsg - sanity check */ 3963 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3964 if (msg_namelen == 0) { 3965 break; 3966 } 3967 if (copyin(msg_name, so_faddr, 3968 sizeof (so_faddr)) != 0) { 3969 break; 3970 } 3971 3972 } else if (so->so_type == SOCK_STREAM) { 3973 3974 /* get path from file struct here */ 3975 fad = F2A(fp); 3976 ASSERT(fad); 3977 3978 /* 3979 * already processed this file for read attempt 3980 */ 3981 if (fad->fad_flags & FAD_READ) { 3982 /* don't want to audit every recvmsg attempt */ 3983 tad->tad_flag = 0; 3984 /* free any residual audit data */ 3985 au_close(kctx, &(u_ad), 0, 0, 0); 3986 releasef(fd); 3987 return; 3988 } 3989 /* 3990 * mark things so we know what happened and don't 3991 * repeat things 3992 */ 3993 fad->fad_flags |= FAD_READ; 3994 3995 bzero((void *)so_laddr, sizeof (so_laddr)); 3996 bzero((void *)so_faddr, sizeof (so_faddr)); 3997 3998 if (so->so_state & SS_ISBOUND) { 3999 4000 if (so->so_laddr_len == 0) 4001 (void) SOP_GETSOCKNAME(so); 4002 if (so->so_faddr_len == 0) 4003 (void) SOP_GETPEERNAME(so); 4004 4005 /* get local and foreign addresses */ 4006 mutex_enter(&so->so_lock); 4007 len = min(so->so_laddr_len, sizeof (so_laddr)); 4008 bcopy(so->so_laddr_sa, so_laddr, len); 4009 len = min(so->so_faddr_len, sizeof (so_faddr)); 4010 bcopy(so->so_faddr_sa, so_faddr, len); 4011 mutex_exit(&so->so_lock); 4012 } 4013 4014 add_sock_token = 1; 4015 } 4016 4017 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4018 4019 break; 4020 4021 case AF_UNIX: 4022 /* 4023 * first check if this is first time through. Too much 4024 * duplicate code to put this in an aui_ routine. 4025 */ 4026 4027 /* get path from file struct here */ 4028 fad = F2A(fp); 4029 ASSERT(fad); 4030 4031 /* 4032 * already processed this file for read attempt 4033 */ 4034 if (fad->fad_flags & FAD_READ) { 4035 releasef(fd); 4036 /* don't want to audit every recvmsg attempt */ 4037 tad->tad_flag = 0; 4038 /* free any residual audit data */ 4039 au_close(kctx, &(u_ad), 0, 0, 0); 4040 return; 4041 } 4042 /* 4043 * mark things so we know what happened and don't 4044 * repeat things 4045 */ 4046 fad->fad_flags |= FAD_READ; 4047 4048 if (fad->fad_aupath != NULL) { 4049 au_uwrite(au_to_path(fad->fad_aupath)); 4050 } else { 4051 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4052 } 4053 4054 audit_attributes(fp->f_vnode); 4055 4056 releasef(fd); 4057 4058 return; 4059 4060 default: 4061 break; 4062 4063 } 4064 4065 releasef(fd); 4066 4067 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4068 4069 if (add_sock_token == 0) { 4070 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4071 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4072 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4073 return; 4074 } 4075 4076 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4077 4078 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4079 4080 } 4081 4082 /*ARGSUSED*/ 4083 static void 4084 auf_recvfrom( 4085 struct t_audit_data *tad, 4086 int error, 4087 rval_t *rvp) 4088 { 4089 4090 struct a { 4091 long fd; 4092 long msg; /* char */ 4093 long len; 4094 long flags; 4095 long from; /* struct sockaddr */ 4096 long fromlen; 4097 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4098 4099 socklen_t fromlen; 4100 struct sonode *so; 4101 char so_laddr[sizeof (struct sockaddr_in6)]; 4102 char so_faddr[sizeof (struct sockaddr_in6)]; 4103 int fd; 4104 short so_family, so_type; 4105 int add_sock_token = 0; 4106 int len; 4107 int err; 4108 struct file *fp; 4109 struct f_audit_data *fad; /* unix domain sockets */ 4110 au_kcontext_t *kctx = GET_KCTX_PZ; 4111 4112 fd = (int)uap->fd; 4113 4114 /* bail if an error */ 4115 if (error) { 4116 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4117 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4118 return; 4119 } 4120 4121 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4122 /* 4123 * not security relevant if doing a recvmsg from non socket 4124 * so no extra tokens. Should probably turn off audit record 4125 * generation here. 4126 */ 4127 return; 4128 } 4129 4130 so_family = so->so_family; 4131 so_type = so->so_type; 4132 4133 /* 4134 * only putout SOCKET_EX token if INET/INET6 family. 4135 * XXX - what do we do about other families? 4136 */ 4137 4138 switch (so_family) { 4139 case AF_INET: 4140 case AF_INET6: 4141 4142 /* 4143 * if datagram type socket, then just use what is in 4144 * socket structure for local address. 4145 * XXX - what do we do for other types? 4146 */ 4147 if ((so->so_type == SOCK_DGRAM) || 4148 (so->so_type == SOCK_RAW)) { 4149 add_sock_token = 1; 4150 4151 /* get local address */ 4152 mutex_enter(&so->so_lock); 4153 len = min(so->so_laddr_len, sizeof (so_laddr)); 4154 bcopy(so->so_laddr_sa, so_laddr, len); 4155 mutex_exit(&so->so_lock); 4156 4157 /* get peer address */ 4158 bzero((void *)so_faddr, sizeof (so_faddr)); 4159 4160 /* sanity check */ 4161 if (uap->from == NULL) 4162 break; 4163 4164 /* sanity checks */ 4165 if (uap->fromlen == 0) 4166 break; 4167 4168 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4169 sizeof (fromlen)) != 0) 4170 break; 4171 4172 if (fromlen == 0) 4173 break; 4174 4175 /* enforce maximum size */ 4176 if (fromlen > sizeof (so_faddr)) 4177 fromlen = sizeof (so_faddr); 4178 4179 if (copyin((caddr_t)(uap->from), so_faddr, 4180 fromlen) != 0) 4181 break; 4182 4183 } else if (so->so_type == SOCK_STREAM) { 4184 4185 /* get path from file struct here */ 4186 fad = F2A(fp); 4187 ASSERT(fad); 4188 4189 /* 4190 * already processed this file for read attempt 4191 */ 4192 if (fad->fad_flags & FAD_READ) { 4193 /* don't want to audit every recvfrom attempt */ 4194 tad->tad_flag = 0; 4195 /* free any residual audit data */ 4196 au_close(kctx, &(u_ad), 0, 0, 0); 4197 releasef(fd); 4198 return; 4199 } 4200 /* 4201 * mark things so we know what happened and don't 4202 * repeat things 4203 */ 4204 fad->fad_flags |= FAD_READ; 4205 4206 bzero((void *)so_laddr, sizeof (so_laddr)); 4207 bzero((void *)so_faddr, sizeof (so_faddr)); 4208 4209 if (so->so_state & SS_ISBOUND) { 4210 4211 if (so->so_laddr_len == 0) 4212 (void) SOP_GETSOCKNAME(so); 4213 if (so->so_faddr_len == 0) 4214 (void) SOP_GETPEERNAME(so); 4215 4216 /* get local and foreign addresses */ 4217 mutex_enter(&so->so_lock); 4218 len = min(so->so_laddr_len, sizeof (so_laddr)); 4219 bcopy(so->so_laddr_sa, so_laddr, len); 4220 len = min(so->so_faddr_len, sizeof (so_faddr)); 4221 bcopy(so->so_faddr_sa, so_faddr, len); 4222 mutex_exit(&so->so_lock); 4223 } 4224 4225 add_sock_token = 1; 4226 } 4227 4228 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4229 4230 break; 4231 4232 case AF_UNIX: 4233 /* 4234 * first check if this is first time through. Too much 4235 * duplicate code to put this in an aui_ routine. 4236 */ 4237 4238 /* get path from file struct here */ 4239 fad = F2A(fp); 4240 ASSERT(fad); 4241 4242 /* 4243 * already processed this file for read attempt 4244 */ 4245 if (fad->fad_flags & FAD_READ) { 4246 /* don't want to audit every recvfrom attempt */ 4247 tad->tad_flag = 0; 4248 /* free any residual audit data */ 4249 au_close(kctx, &(u_ad), 0, 0, 0); 4250 releasef(fd); 4251 return; 4252 } 4253 /* 4254 * mark things so we know what happened and don't 4255 * repeat things 4256 */ 4257 fad->fad_flags |= FAD_READ; 4258 4259 if (fad->fad_aupath != NULL) { 4260 au_uwrite(au_to_path(fad->fad_aupath)); 4261 } else { 4262 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4263 } 4264 4265 audit_attributes(fp->f_vnode); 4266 4267 releasef(fd); 4268 4269 return; 4270 4271 default: 4272 break; 4273 4274 } 4275 4276 releasef(fd); 4277 4278 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4279 4280 if (add_sock_token == 0) { 4281 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4282 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4283 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4284 return; 4285 } 4286 4287 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4288 4289 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4290 } 4291 4292 /*ARGSUSED*/ 4293 static void 4294 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4295 { 4296 struct a { 4297 long fd; 4298 long msg; /* struct msghdr */ 4299 long flags; 4300 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4301 4302 struct sonode *so; 4303 char so_laddr[sizeof (struct sockaddr_in6)]; 4304 char so_faddr[sizeof (struct sockaddr_in6)]; 4305 int err; 4306 int fd; 4307 short so_family, so_type; 4308 int add_sock_token = 0; 4309 int len; 4310 struct file *fp; 4311 struct f_audit_data *fad; 4312 caddr_t msg_name; 4313 socklen_t msg_namelen; 4314 STRUCT_DECL(msghdr, msg); 4315 au_kcontext_t *kctx = GET_KCTX_PZ; 4316 4317 fd = (int)uap->fd; 4318 4319 /* bail if an error */ 4320 if (error) { 4321 /* XXX include destination address from system call arguments */ 4322 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4323 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4324 return; 4325 } 4326 4327 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4328 /* 4329 * not security relevant if doing a sendmsg from non socket 4330 * so no extra tokens. Should probably turn off audit record 4331 * generation here. 4332 */ 4333 return; 4334 } 4335 4336 so_family = so->so_family; 4337 so_type = so->so_type; 4338 4339 switch (so_family) { 4340 case AF_INET: 4341 case AF_INET6: 4342 /* 4343 * if datagram type socket, then just use what is in 4344 * socket structure for local address. 4345 * XXX - what do we do for other types? 4346 */ 4347 if ((so->so_type == SOCK_DGRAM) || 4348 (so->so_type == SOCK_RAW)) { 4349 4350 bzero((void *)so_laddr, sizeof (so_laddr)); 4351 bzero((void *)so_faddr, sizeof (so_faddr)); 4352 4353 /* get local address */ 4354 mutex_enter(&so->so_lock); 4355 len = min(so->so_laddr_len, sizeof (so_laddr)); 4356 bcopy(so->so_laddr_sa, so_laddr, len); 4357 mutex_exit(&so->so_lock); 4358 4359 /* get peer address */ 4360 STRUCT_INIT(msg, get_udatamodel()); 4361 4362 if (copyin((caddr_t)(uap->msg), 4363 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4364 break; 4365 } 4366 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4367 if (msg_name == NULL) 4368 break; 4369 4370 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4371 /* length is value from recvmsg - sanity check */ 4372 if (msg_namelen == 0) 4373 break; 4374 4375 if (copyin(msg_name, so_faddr, 4376 sizeof (so_faddr)) != 0) 4377 break; 4378 4379 add_sock_token = 1; 4380 4381 } else if (so->so_type == SOCK_STREAM) { 4382 4383 /* get path from file struct here */ 4384 fad = F2A(fp); 4385 ASSERT(fad); 4386 4387 /* 4388 * already processed this file for write attempt 4389 */ 4390 if (fad->fad_flags & FAD_WRITE) { 4391 releasef(fd); 4392 /* don't want to audit every sendmsg attempt */ 4393 tad->tad_flag = 0; 4394 /* free any residual audit data */ 4395 au_close(kctx, &(u_ad), 0, 0, 0); 4396 return; 4397 } 4398 4399 /* 4400 * mark things so we know what happened and don't 4401 * repeat things 4402 */ 4403 fad->fad_flags |= FAD_WRITE; 4404 4405 bzero((void *)so_laddr, sizeof (so_laddr)); 4406 bzero((void *)so_faddr, sizeof (so_faddr)); 4407 4408 if (so->so_state & SS_ISBOUND) { 4409 4410 if (so->so_laddr_len == 0) 4411 (void) SOP_GETSOCKNAME(so); 4412 if (so->so_faddr_len == 0) 4413 (void) SOP_GETPEERNAME(so); 4414 4415 /* get local and foreign addresses */ 4416 mutex_enter(&so->so_lock); 4417 len = min(so->so_laddr_len, sizeof (so_laddr)); 4418 bcopy(so->so_laddr_sa, so_laddr, len); 4419 len = min(so->so_faddr_len, sizeof (so_faddr)); 4420 bcopy(so->so_faddr_sa, so_faddr, len); 4421 mutex_exit(&so->so_lock); 4422 } 4423 4424 add_sock_token = 1; 4425 } 4426 4427 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4428 4429 break; 4430 4431 case AF_UNIX: 4432 /* 4433 * first check if this is first time through. Too much 4434 * duplicate code to put this in an aui_ routine. 4435 */ 4436 4437 /* get path from file struct here */ 4438 fad = F2A(fp); 4439 ASSERT(fad); 4440 4441 /* 4442 * already processed this file for write attempt 4443 */ 4444 if (fad->fad_flags & FAD_WRITE) { 4445 releasef(fd); 4446 /* don't want to audit every sendmsg attempt */ 4447 tad->tad_flag = 0; 4448 /* free any residual audit data */ 4449 au_close(kctx, &(u_ad), 0, 0, 0); 4450 return; 4451 } 4452 /* 4453 * mark things so we know what happened and don't 4454 * repeat things 4455 */ 4456 fad->fad_flags |= FAD_WRITE; 4457 4458 if (fad->fad_aupath != NULL) { 4459 au_uwrite(au_to_path(fad->fad_aupath)); 4460 } else { 4461 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4462 } 4463 4464 audit_attributes(fp->f_vnode); 4465 4466 releasef(fd); 4467 4468 return; 4469 4470 default: 4471 break; 4472 } 4473 4474 releasef(fd); 4475 4476 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4477 4478 if (add_sock_token == 0) { 4479 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4480 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4481 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4482 return; 4483 } 4484 4485 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4486 4487 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4488 } 4489 4490 /*ARGSUSED*/ 4491 static void 4492 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4493 { 4494 struct a { 4495 long fd; 4496 long msg; /* char */ 4497 long len; 4498 long flags; 4499 long to; /* struct sockaddr */ 4500 long tolen; 4501 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4502 4503 struct sonode *so; 4504 char so_laddr[sizeof (struct sockaddr_in6)]; 4505 char so_faddr[sizeof (struct sockaddr_in6)]; 4506 socklen_t tolen; 4507 int err; 4508 int fd; 4509 int len; 4510 short so_family, so_type; 4511 int add_sock_token = 0; 4512 struct file *fp; 4513 struct f_audit_data *fad; 4514 au_kcontext_t *kctx = GET_KCTX_PZ; 4515 4516 fd = (int)uap->fd; 4517 4518 /* bail if an error */ 4519 if (error) { 4520 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4521 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4522 /* XXX include destination address from system call arguments */ 4523 return; 4524 } 4525 4526 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4527 /* 4528 * not security relevant if doing a sendto using non socket 4529 * so no extra tokens. Should probably turn off audit record 4530 * generation here. 4531 */ 4532 return; 4533 } 4534 4535 so_family = so->so_family; 4536 so_type = so->so_type; 4537 4538 /* 4539 * only putout SOCKET_EX token if INET/INET6 family. 4540 * XXX - what do we do about other families? 4541 */ 4542 4543 switch (so_family) { 4544 case AF_INET: 4545 case AF_INET6: 4546 4547 /* 4548 * if datagram type socket, then just use what is in 4549 * socket structure for local address. 4550 * XXX - what do we do for other types? 4551 */ 4552 if ((so->so_type == SOCK_DGRAM) || 4553 (so->so_type == SOCK_RAW)) { 4554 4555 bzero((void *)so_laddr, sizeof (so_laddr)); 4556 bzero((void *)so_faddr, sizeof (so_faddr)); 4557 4558 /* get local address */ 4559 mutex_enter(&so->so_lock); 4560 len = min(so->so_laddr_len, sizeof (so_laddr)); 4561 bcopy(so->so_laddr_sa, so_laddr, len); 4562 mutex_exit(&so->so_lock); 4563 4564 /* get peer address */ 4565 4566 /* sanity check */ 4567 if (uap->to == NULL) 4568 break; 4569 4570 /* sanity checks */ 4571 if (uap->tolen == 0) 4572 break; 4573 4574 tolen = (socklen_t)uap->tolen; 4575 4576 /* enforce maximum size */ 4577 if (tolen > sizeof (so_faddr)) 4578 tolen = sizeof (so_faddr); 4579 4580 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4581 break; 4582 4583 add_sock_token = 1; 4584 } else { 4585 /* 4586 * check if this is first time through. 4587 */ 4588 4589 /* get path from file struct here */ 4590 fad = F2A(fp); 4591 ASSERT(fad); 4592 4593 /* 4594 * already processed this file for write attempt 4595 */ 4596 if (fad->fad_flags & FAD_WRITE) { 4597 /* don't want to audit every sendto attempt */ 4598 tad->tad_flag = 0; 4599 /* free any residual audit data */ 4600 au_close(kctx, &(u_ad), 0, 0, 0); 4601 releasef(fd); 4602 return; 4603 } 4604 /* 4605 * mark things so we know what happened and don't 4606 * repeat things 4607 */ 4608 fad->fad_flags |= FAD_WRITE; 4609 4610 bzero((void *)so_laddr, sizeof (so_laddr)); 4611 bzero((void *)so_faddr, sizeof (so_faddr)); 4612 4613 if (so->so_state & SS_ISBOUND) { 4614 4615 if (so->so_laddr_len == 0) 4616 (void) SOP_GETSOCKNAME(so); 4617 if (so->so_faddr_len == 0) 4618 (void) SOP_GETPEERNAME(so); 4619 4620 /* get local and foreign addresses */ 4621 mutex_enter(&so->so_lock); 4622 len = min(so->so_laddr_len, sizeof (so_laddr)); 4623 bcopy(so->so_laddr_sa, so_laddr, len); 4624 len = min(so->so_faddr_len, sizeof (so_faddr)); 4625 bcopy(so->so_faddr_sa, so_faddr, len); 4626 mutex_exit(&so->so_lock); 4627 } 4628 4629 add_sock_token = 1; 4630 } 4631 4632 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4633 4634 break; 4635 4636 case AF_UNIX: 4637 /* 4638 * first check if this is first time through. Too much 4639 * duplicate code to put this in an aui_ routine. 4640 */ 4641 4642 /* get path from file struct here */ 4643 fad = F2A(fp); 4644 ASSERT(fad); 4645 4646 /* 4647 * already processed this file for write attempt 4648 */ 4649 if (fad->fad_flags & FAD_WRITE) { 4650 /* don't want to audit every sendto attempt */ 4651 tad->tad_flag = 0; 4652 /* free any residual audit data */ 4653 au_close(kctx, &(u_ad), 0, 0, 0); 4654 releasef(fd); 4655 return; 4656 } 4657 /* 4658 * mark things so we know what happened and don't 4659 * repeat things 4660 */ 4661 fad->fad_flags |= FAD_WRITE; 4662 4663 if (fad->fad_aupath != NULL) { 4664 au_uwrite(au_to_path(fad->fad_aupath)); 4665 } else { 4666 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4667 } 4668 4669 audit_attributes(fp->f_vnode); 4670 4671 releasef(fd); 4672 4673 return; 4674 4675 default: 4676 break; 4677 4678 } 4679 4680 releasef(fd); 4681 4682 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4683 4684 if (add_sock_token == 0) { 4685 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4686 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4687 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4688 return; 4689 } 4690 4691 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4692 4693 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4694 4695 } 4696 4697 /* 4698 * XXX socket(2) may be equivalent to open(2) on a unix domain 4699 * socket. This needs investigation. 4700 */ 4701 4702 /*ARGSUSED*/ 4703 static void 4704 aus_socket(struct t_audit_data *tad) 4705 { 4706 struct a { 4707 long domain; 4708 long type; 4709 long protocol; 4710 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4711 4712 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4713 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4714 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4715 } 4716 4717 /*ARGSUSED*/ 4718 static void 4719 aus_sigqueue(struct t_audit_data *tad) 4720 { 4721 struct a { 4722 long pid; 4723 long signo; 4724 long *val; 4725 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4726 struct proc *p; 4727 uid_t uid, ruid; 4728 gid_t gid, rgid; 4729 pid_t pid; 4730 const auditinfo_addr_t *ainfo; 4731 cred_t *cr; 4732 4733 pid = (pid_t)uap->pid; 4734 4735 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4736 if (pid > 0) { 4737 mutex_enter(&pidlock); 4738 if ((p = prfind(pid)) == (struct proc *)0) { 4739 mutex_exit(&pidlock); 4740 return; 4741 } 4742 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4743 mutex_exit(&pidlock); 4744 4745 mutex_enter(&p->p_crlock); 4746 crhold(cr = p->p_cred); 4747 mutex_exit(&p->p_crlock); 4748 mutex_exit(&p->p_lock); 4749 4750 ainfo = crgetauinfo(cr); 4751 if (ainfo == NULL) { 4752 crfree(cr); 4753 return; 4754 } 4755 4756 uid = crgetuid(cr); 4757 gid = crgetgid(cr); 4758 ruid = crgetruid(cr); 4759 rgid = crgetrgid(cr); 4760 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4761 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4762 crfree(cr); 4763 } 4764 else 4765 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4766 } 4767 4768 /*ARGSUSED*/ 4769 static void 4770 aus_inst_sync(struct t_audit_data *tad) 4771 { 4772 struct a { 4773 long name; /* char */ 4774 long flags; 4775 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4776 4777 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4778 } 4779 4780 /*ARGSUSED*/ 4781 static void 4782 aus_brandsys(struct t_audit_data *tad) 4783 { 4784 klwp_t *clwp = ttolwp(curthread); 4785 4786 struct a { 4787 long cmd; 4788 long arg1; 4789 long arg2; 4790 long arg3; 4791 long arg4; 4792 long arg5; 4793 long arg6; 4794 } *uap = (struct a *)clwp->lwp_ap; 4795 4796 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4797 #ifdef _LP64 4798 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4799 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4800 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4801 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4802 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4803 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4804 #else 4805 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4806 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4807 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4808 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4809 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4810 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4811 #endif 4812 } 4813 4814 /*ARGSUSED*/ 4815 static void 4816 aus_p_online(struct t_audit_data *tad) 4817 { 4818 struct a { 4819 long processor_id; 4820 long flag; 4821 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4822 4823 struct flags { 4824 int flag; 4825 char *cflag; 4826 } aflags[6] = { 4827 { P_ONLINE, "P_ONLINE"}, 4828 { P_OFFLINE, "P_OFFLINE"}, 4829 { P_NOINTR, "P_NOINTR"}, 4830 { P_SPARE, "P_SPARE"}, 4831 { P_FAULTED, "P_FAULTED"}, 4832 { P_STATUS, "P_STATUS"} 4833 }; 4834 int i; 4835 char *cflag; 4836 4837 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4838 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4839 4840 for (i = 0; i < 6; i++) { 4841 if (aflags[i].flag == uap->flag) 4842 break; 4843 } 4844 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4845 4846 au_uwrite(au_to_text(cflag)); 4847 } 4848 4849 /*ARGSUSED*/ 4850 static void 4851 aus_processor_bind(struct t_audit_data *tad) 4852 { 4853 struct a { 4854 long id_type; 4855 long id; 4856 long processor_id; 4857 long obind; 4858 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4859 4860 struct proc *p; 4861 int lwpcnt; 4862 uid_t uid, ruid; 4863 gid_t gid, rgid; 4864 pid_t pid; 4865 const auditinfo_addr_t *ainfo; 4866 cred_t *cr; 4867 4868 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4869 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4870 if (uap->processor_id == PBIND_NONE) 4871 au_uwrite(au_to_text("PBIND_NONE")); 4872 else 4873 au_uwrite(au_to_arg32(3, "processor_id", 4874 (uint32_t)uap->processor_id)); 4875 4876 switch (uap->id_type) { 4877 case P_MYID: 4878 case P_LWPID: 4879 mutex_enter(&pidlock); 4880 p = ttoproc(curthread); 4881 if (p == NULL || p->p_as == &kas) { 4882 mutex_exit(&pidlock); 4883 return; 4884 } 4885 mutex_enter(&p->p_lock); 4886 mutex_exit(&pidlock); 4887 lwpcnt = p->p_lwpcnt; 4888 pid = p->p_pid; 4889 4890 mutex_enter(&p->p_crlock); 4891 crhold(cr = p->p_cred); 4892 mutex_exit(&p->p_crlock); 4893 mutex_exit(&p->p_lock); 4894 4895 ainfo = crgetauinfo(cr); 4896 if (ainfo == NULL) { 4897 crfree(cr); 4898 return; 4899 } 4900 4901 uid = crgetuid(cr); 4902 gid = crgetgid(cr); 4903 ruid = crgetruid(cr); 4904 rgid = crgetrgid(cr); 4905 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4906 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4907 crfree(cr); 4908 break; 4909 case P_PID: 4910 mutex_enter(&pidlock); 4911 p = prfind(uap->id); 4912 if (p == NULL || p->p_as == &kas) { 4913 mutex_exit(&pidlock); 4914 return; 4915 } 4916 mutex_enter(&p->p_lock); 4917 mutex_exit(&pidlock); 4918 lwpcnt = p->p_lwpcnt; 4919 pid = p->p_pid; 4920 4921 mutex_enter(&p->p_crlock); 4922 crhold(cr = p->p_cred); 4923 mutex_exit(&p->p_crlock); 4924 mutex_exit(&p->p_lock); 4925 4926 ainfo = crgetauinfo(cr); 4927 if (ainfo == NULL) { 4928 crfree(cr); 4929 return; 4930 } 4931 4932 uid = crgetuid(cr); 4933 gid = crgetgid(cr); 4934 ruid = crgetruid(cr); 4935 rgid = crgetrgid(cr); 4936 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4937 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4938 crfree(cr); 4939 4940 break; 4941 default: 4942 return; 4943 } 4944 4945 if (uap->processor_id == PBIND_NONE && 4946 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4947 au_uwrite(au_to_text("PBIND_NONE for process")); 4948 else 4949 au_uwrite(au_to_arg32(3, "processor_id", 4950 (uint32_t)uap->processor_id)); 4951 } 4952 4953 /*ARGSUSED*/ 4954 static au_event_t 4955 aui_doorfs(au_event_t e) 4956 { 4957 uint32_t code; 4958 4959 struct a { /* doorfs */ 4960 long a1; 4961 long a2; 4962 long a3; 4963 long a4; 4964 long a5; 4965 long code; 4966 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4967 4968 /* 4969 * audit formats for several of the 4970 * door calls have not yet been determined 4971 */ 4972 code = (uint32_t)uap->code; 4973 switch (code) { 4974 case DOOR_CALL: 4975 e = AUE_DOORFS_DOOR_CALL; 4976 break; 4977 case DOOR_RETURN: 4978 e = AUE_NULL; 4979 break; 4980 case DOOR_CREATE: 4981 e = AUE_DOORFS_DOOR_CREATE; 4982 break; 4983 case DOOR_REVOKE: 4984 e = AUE_DOORFS_DOOR_REVOKE; 4985 break; 4986 case DOOR_INFO: 4987 e = AUE_NULL; 4988 break; 4989 case DOOR_UCRED: 4990 e = AUE_NULL; 4991 break; 4992 case DOOR_BIND: 4993 e = AUE_NULL; 4994 break; 4995 case DOOR_UNBIND: 4996 e = AUE_NULL; 4997 break; 4998 case DOOR_GETPARAM: 4999 e = AUE_NULL; 5000 break; 5001 case DOOR_SETPARAM: 5002 e = AUE_NULL; 5003 break; 5004 default: /* illegal system call */ 5005 e = AUE_NULL; 5006 break; 5007 } 5008 5009 return (e); 5010 } 5011 5012 static door_node_t * 5013 au_door_lookup(int did) 5014 { 5015 vnode_t *vp; 5016 file_t *fp; 5017 5018 if ((fp = getf(did)) == NULL) 5019 return (NULL); 5020 /* 5021 * Use the underlying vnode (we may be namefs mounted) 5022 */ 5023 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5024 vp = fp->f_vnode; 5025 5026 if (vp == NULL || vp->v_type != VDOOR) { 5027 releasef(did); 5028 return (NULL); 5029 } 5030 5031 return (VTOD(vp)); 5032 } 5033 5034 /*ARGSUSED*/ 5035 static void 5036 aus_doorfs(struct t_audit_data *tad) 5037 { 5038 5039 struct a { /* doorfs */ 5040 long a1; 5041 long a2; 5042 long a3; 5043 long a4; 5044 long a5; 5045 long code; 5046 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5047 5048 door_node_t *dp; 5049 struct proc *p; 5050 uint32_t did; 5051 uid_t uid, ruid; 5052 gid_t gid, rgid; 5053 pid_t pid; 5054 const auditinfo_addr_t *ainfo; 5055 cred_t *cr; 5056 5057 did = (uint32_t)uap->a1; 5058 5059 switch (tad->tad_event) { 5060 case AUE_DOORFS_DOOR_CALL: 5061 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5062 if ((dp = au_door_lookup(did)) == NULL) 5063 break; 5064 5065 if (DOOR_INVALID(dp)) { 5066 releasef(did); 5067 break; 5068 } 5069 5070 if ((p = dp->door_target) == NULL) { 5071 releasef(did); 5072 break; 5073 } 5074 mutex_enter(&p->p_lock); 5075 releasef(did); 5076 5077 pid = p->p_pid; 5078 5079 mutex_enter(&p->p_crlock); 5080 crhold(cr = p->p_cred); 5081 mutex_exit(&p->p_crlock); 5082 mutex_exit(&p->p_lock); 5083 5084 ainfo = crgetauinfo(cr); 5085 if (ainfo == NULL) { 5086 crfree(cr); 5087 return; 5088 } 5089 uid = crgetuid(cr); 5090 gid = crgetgid(cr); 5091 ruid = crgetruid(cr); 5092 rgid = crgetrgid(cr); 5093 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5094 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5095 crfree(cr); 5096 break; 5097 case AUE_DOORFS_DOOR_RETURN: 5098 /* 5099 * We may want to write information about 5100 * all doors (if any) which will be copied 5101 * by this call to the user space 5102 */ 5103 break; 5104 case AUE_DOORFS_DOOR_CREATE: 5105 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5106 break; 5107 case AUE_DOORFS_DOOR_REVOKE: 5108 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5109 break; 5110 case AUE_DOORFS_DOOR_INFO: 5111 break; 5112 case AUE_DOORFS_DOOR_CRED: 5113 break; 5114 case AUE_DOORFS_DOOR_BIND: 5115 break; 5116 case AUE_DOORFS_DOOR_UNBIND: { 5117 break; 5118 } 5119 default: /* illegal system call */ 5120 break; 5121 } 5122 } 5123 5124 /*ARGSUSED*/ 5125 static au_event_t 5126 aui_acl(au_event_t e) 5127 { 5128 struct a { 5129 union { 5130 long name; /* char */ 5131 long fd; 5132 } obj; 5133 5134 long cmd; 5135 long nentries; 5136 long arg; /* aclent_t */ 5137 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5138 5139 switch (uap->cmd) { 5140 case SETACL: 5141 case ACE_SETACL: 5142 /* 5143 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5144 * are expected. 5145 */ 5146 break; 5147 case GETACL: 5148 case GETACLCNT: 5149 case ACE_GETACLCNT: 5150 /* do nothing for these two values. */ 5151 e = AUE_NULL; 5152 break; 5153 default: 5154 /* illegal system call */ 5155 break; 5156 } 5157 5158 return (e); 5159 } 5160 5161 static void 5162 au_acl(int cmd, int nentries, caddr_t bufp) 5163 { 5164 size_t a_size; 5165 aclent_t *aclbufp; 5166 ace_t *acebufp; 5167 int i; 5168 5169 switch (cmd) { 5170 case GETACL: 5171 case GETACLCNT: 5172 break; 5173 case SETACL: 5174 if (nentries < 3) 5175 break; 5176 5177 a_size = nentries * sizeof (aclent_t); 5178 5179 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5180 break; 5181 if (copyin(bufp, aclbufp, a_size)) { 5182 kmem_free(aclbufp, a_size); 5183 break; 5184 } 5185 for (i = 0; i < nentries; i++) { 5186 au_uwrite(au_to_acl(aclbufp + i)); 5187 } 5188 kmem_free(aclbufp, a_size); 5189 break; 5190 5191 case ACE_SETACL: 5192 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5193 break; 5194 5195 a_size = nentries * sizeof (ace_t); 5196 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5197 break; 5198 if (copyin(bufp, acebufp, a_size)) { 5199 kmem_free(acebufp, a_size); 5200 break; 5201 } 5202 for (i = 0; i < nentries; i++) { 5203 au_uwrite(au_to_ace(acebufp + i)); 5204 } 5205 kmem_free(acebufp, a_size); 5206 break; 5207 default: 5208 break; 5209 } 5210 } 5211 5212 /*ARGSUSED*/ 5213 static void 5214 aus_acl(struct t_audit_data *tad) 5215 { 5216 struct a { 5217 long fname; 5218 long cmd; 5219 long nentries; 5220 long aclbufp; 5221 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5222 5223 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5224 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5225 5226 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5227 } 5228 5229 /*ARGSUSED*/ 5230 static void 5231 aus_facl(struct t_audit_data *tad) 5232 { 5233 struct a { 5234 long fd; 5235 long cmd; 5236 long nentries; 5237 long aclbufp; 5238 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5239 struct file *fp; 5240 struct vnode *vp; 5241 struct f_audit_data *fad; 5242 int fd; 5243 5244 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5245 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5246 5247 fd = (int)uap->fd; 5248 5249 if ((fp = getf(fd)) == NULL) 5250 return; 5251 5252 /* get path from file struct here */ 5253 fad = F2A(fp); 5254 if (fad->fad_aupath != NULL) { 5255 au_uwrite(au_to_path(fad->fad_aupath)); 5256 } else { 5257 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5258 } 5259 5260 vp = fp->f_vnode; 5261 audit_attributes(vp); 5262 5263 /* decrement file descriptor reference count */ 5264 releasef(fd); 5265 5266 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5267 } 5268 5269 /*ARGSUSED*/ 5270 static void 5271 auf_read(tad, error, rval) 5272 struct t_audit_data *tad; 5273 int error; 5274 rval_t *rval; 5275 { 5276 struct file *fp; 5277 struct f_audit_data *fad; 5278 int fd; 5279 register struct a { 5280 long fd; 5281 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5282 au_kcontext_t *kctx = GET_KCTX_PZ; 5283 5284 fd = (int)uap->fd; 5285 5286 /* 5287 * convert file pointer to file descriptor 5288 * Note: fd ref count incremented here. 5289 */ 5290 if ((fp = getf(fd)) == NULL) 5291 return; 5292 5293 /* get path from file struct here */ 5294 fad = F2A(fp); 5295 ASSERT(fad); 5296 5297 /* 5298 * already processed this file for read attempt 5299 * 5300 * XXX might be better to turn off auditing in a aui_read() routine. 5301 */ 5302 if (fad->fad_flags & FAD_READ) { 5303 /* don't really want to audit every read attempt */ 5304 tad->tad_flag = 0; 5305 /* free any residual audit data */ 5306 au_close(kctx, &(u_ad), 0, 0, 0); 5307 releasef(fd); 5308 return; 5309 } 5310 /* mark things so we know what happened and don't repeat things */ 5311 fad->fad_flags |= FAD_READ; 5312 5313 if (fad->fad_aupath != NULL) { 5314 au_uwrite(au_to_path(fad->fad_aupath)); 5315 } else { 5316 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5317 } 5318 5319 /* include attributes */ 5320 audit_attributes(fp->f_vnode); 5321 5322 /* decrement file descriptor reference count */ 5323 releasef(fd); 5324 } 5325 5326 /*ARGSUSED*/ 5327 static void 5328 auf_write(tad, error, rval) 5329 struct t_audit_data *tad; 5330 int error; 5331 rval_t *rval; 5332 { 5333 struct file *fp; 5334 struct f_audit_data *fad; 5335 int fd; 5336 register struct a { 5337 long fd; 5338 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5339 au_kcontext_t *kctx = GET_KCTX_PZ; 5340 5341 fd = (int)uap->fd; 5342 5343 /* 5344 * convert file pointer to file descriptor 5345 * Note: fd ref count incremented here. 5346 */ 5347 if ((fp = getf(fd)) == NULL) 5348 return; 5349 5350 /* get path from file struct here */ 5351 fad = F2A(fp); 5352 ASSERT(fad); 5353 5354 /* 5355 * already processed this file for write attempt 5356 * 5357 * XXX might be better to turn off auditing in a aus_write() routine. 5358 */ 5359 if (fad->fad_flags & FAD_WRITE) { 5360 /* don't really want to audit every write attempt */ 5361 tad->tad_flag = 0; 5362 /* free any residual audit data */ 5363 au_close(kctx, &(u_ad), 0, 0, 0); 5364 releasef(fd); 5365 return; 5366 } 5367 /* mark things so we know what happened and don't repeat things */ 5368 fad->fad_flags |= FAD_WRITE; 5369 5370 if (fad->fad_aupath != NULL) { 5371 au_uwrite(au_to_path(fad->fad_aupath)); 5372 } else { 5373 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5374 } 5375 5376 /* include attributes */ 5377 audit_attributes(fp->f_vnode); 5378 5379 /* decrement file descriptor reference count */ 5380 releasef(fd); 5381 } 5382 5383 /*ARGSUSED*/ 5384 static void 5385 auf_recv(tad, error, rval) 5386 struct t_audit_data *tad; 5387 int error; 5388 rval_t *rval; 5389 { 5390 struct sonode *so; 5391 char so_laddr[sizeof (struct sockaddr_in6)]; 5392 char so_faddr[sizeof (struct sockaddr_in6)]; 5393 struct file *fp; 5394 struct f_audit_data *fad; 5395 int fd; 5396 int err; 5397 int len; 5398 short so_family, so_type; 5399 register struct a { 5400 long fd; 5401 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5402 au_kcontext_t *kctx = GET_KCTX_PZ; 5403 5404 /* 5405 * If there was an error, then nothing to do. Only generate 5406 * audit record on first successful recv. 5407 */ 5408 if (error) { 5409 /* Turn off audit record generation here. */ 5410 tad->tad_flag = 0; 5411 /* free any residual audit data */ 5412 au_close(kctx, &(u_ad), 0, 0, 0); 5413 return; 5414 } 5415 5416 fd = (int)uap->fd; 5417 5418 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5419 /* Turn off audit record generation here. */ 5420 tad->tad_flag = 0; 5421 /* free any residual audit data */ 5422 au_close(kctx, &(u_ad), 0, 0, 0); 5423 return; 5424 } 5425 5426 /* get path from file struct here */ 5427 fad = F2A(fp); 5428 ASSERT(fad); 5429 5430 /* 5431 * already processed this file for read attempt 5432 */ 5433 if (fad->fad_flags & FAD_READ) { 5434 releasef(fd); 5435 /* don't really want to audit every recv call */ 5436 tad->tad_flag = 0; 5437 /* free any residual audit data */ 5438 au_close(kctx, &(u_ad), 0, 0, 0); 5439 return; 5440 } 5441 5442 /* mark things so we know what happened and don't repeat things */ 5443 fad->fad_flags |= FAD_READ; 5444 5445 so_family = so->so_family; 5446 so_type = so->so_type; 5447 5448 switch (so_family) { 5449 case AF_INET: 5450 case AF_INET6: 5451 /* 5452 * Only for connections. 5453 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5454 */ 5455 if (so->so_state & SS_ISBOUND) { 5456 5457 bzero((void *)so_laddr, sizeof (so_laddr)); 5458 bzero((void *)so_faddr, sizeof (so_faddr)); 5459 5460 /* only done once on a connection */ 5461 (void) SOP_GETSOCKNAME(so); 5462 (void) SOP_GETPEERNAME(so); 5463 5464 /* get local and foreign addresses */ 5465 mutex_enter(&so->so_lock); 5466 len = min(so->so_laddr_len, sizeof (so_laddr)); 5467 bcopy(so->so_laddr_sa, so_laddr, len); 5468 len = min(so->so_faddr_len, sizeof (so_faddr)); 5469 bcopy(so->so_faddr_sa, so_faddr, len); 5470 mutex_exit(&so->so_lock); 5471 5472 /* 5473 * only way to drop out of switch. Note that we 5474 * we release fd below. 5475 */ 5476 5477 break; 5478 } 5479 5480 releasef(fd); 5481 5482 /* don't really want to audit every recv call */ 5483 tad->tad_flag = 0; 5484 /* free any residual audit data */ 5485 au_close(kctx, &(u_ad), 0, 0, 0); 5486 5487 return; 5488 5489 case AF_UNIX: 5490 5491 if (fad->fad_aupath != NULL) { 5492 au_uwrite(au_to_path(fad->fad_aupath)); 5493 } else { 5494 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5495 } 5496 5497 audit_attributes(fp->f_vnode); 5498 5499 releasef(fd); 5500 5501 return; 5502 5503 default: 5504 releasef(fd); 5505 5506 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5507 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5508 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5509 5510 return; 5511 } 5512 5513 releasef(fd); 5514 5515 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5516 5517 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5518 5519 } 5520 5521 /*ARGSUSED*/ 5522 static void 5523 auf_send(tad, error, rval) 5524 struct t_audit_data *tad; 5525 int error; 5526 rval_t *rval; 5527 { 5528 struct sonode *so; 5529 char so_laddr[sizeof (struct sockaddr_in6)]; 5530 char so_faddr[sizeof (struct sockaddr_in6)]; 5531 struct file *fp; 5532 struct f_audit_data *fad; 5533 int fd; 5534 int err; 5535 int len; 5536 short so_family, so_type; 5537 register struct a { 5538 long fd; 5539 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5540 au_kcontext_t *kctx = GET_KCTX_PZ; 5541 5542 fd = (int)uap->fd; 5543 5544 /* 5545 * If there was an error, then nothing to do. Only generate 5546 * audit record on first successful send. 5547 */ 5548 if (error != 0) { 5549 /* Turn off audit record generation here. */ 5550 tad->tad_flag = 0; 5551 /* free any residual audit data */ 5552 au_close(kctx, &(u_ad), 0, 0, 0); 5553 return; 5554 } 5555 5556 fd = (int)uap->fd; 5557 5558 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5559 /* Turn off audit record generation here. */ 5560 tad->tad_flag = 0; 5561 /* free any residual audit data */ 5562 au_close(kctx, &(u_ad), 0, 0, 0); 5563 return; 5564 } 5565 5566 /* get path from file struct here */ 5567 fad = F2A(fp); 5568 ASSERT(fad); 5569 5570 /* 5571 * already processed this file for write attempt 5572 */ 5573 if (fad->fad_flags & FAD_WRITE) { 5574 releasef(fd); 5575 /* don't really want to audit every send call */ 5576 tad->tad_flag = 0; 5577 /* free any residual audit data */ 5578 au_close(kctx, &(u_ad), 0, 0, 0); 5579 return; 5580 } 5581 5582 /* mark things so we know what happened and don't repeat things */ 5583 fad->fad_flags |= FAD_WRITE; 5584 5585 so_family = so->so_family; 5586 so_type = so->so_type; 5587 5588 switch (so_family) { 5589 case AF_INET: 5590 case AF_INET6: 5591 /* 5592 * Only for connections. 5593 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5594 */ 5595 if (so->so_state & SS_ISBOUND) { 5596 5597 bzero((void *)so_laddr, sizeof (so_laddr)); 5598 bzero((void *)so_faddr, sizeof (so_faddr)); 5599 5600 /* only done once on a connection */ 5601 (void) SOP_GETSOCKNAME(so); 5602 (void) SOP_GETPEERNAME(so); 5603 5604 /* get local and foreign addresses */ 5605 mutex_enter(&so->so_lock); 5606 len = min(so->so_laddr_len, sizeof (so_laddr)); 5607 bcopy(so->so_laddr_sa, so_laddr, len); 5608 len = min(so->so_faddr_len, sizeof (so_faddr)); 5609 bcopy(so->so_faddr_sa, so_faddr, len); 5610 mutex_exit(&so->so_lock); 5611 5612 /* 5613 * only way to drop out of switch. Note that we 5614 * we release fd below. 5615 */ 5616 5617 break; 5618 } 5619 5620 releasef(fd); 5621 /* don't really want to audit every send call */ 5622 tad->tad_flag = 0; 5623 /* free any residual audit data */ 5624 au_close(kctx, &(u_ad), 0, 0, 0); 5625 5626 return; 5627 5628 case AF_UNIX: 5629 5630 if (fad->fad_aupath != NULL) { 5631 au_uwrite(au_to_path(fad->fad_aupath)); 5632 } else { 5633 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5634 } 5635 5636 audit_attributes(fp->f_vnode); 5637 5638 releasef(fd); 5639 5640 return; 5641 5642 default: 5643 releasef(fd); 5644 5645 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5646 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5647 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5648 5649 return; 5650 } 5651 5652 releasef(fd); 5653 5654 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5655 5656 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5657 } 5658 5659 static au_event_t 5660 aui_forksys(au_event_t e) 5661 { 5662 struct a { 5663 long subcode; 5664 long flags; 5665 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5666 5667 switch ((uint_t)uap->subcode) { 5668 case 0: 5669 e = AUE_FORK1; 5670 break; 5671 case 1: 5672 e = AUE_FORKALL; 5673 break; 5674 case 2: 5675 e = AUE_VFORK; 5676 break; 5677 default: 5678 e = AUE_NULL; 5679 break; 5680 } 5681 5682 return (e); 5683 } 5684 5685 /*ARGSUSED*/ 5686 static au_event_t 5687 aui_portfs(au_event_t e) 5688 { 5689 struct a { /* portfs */ 5690 long a1; 5691 long a2; 5692 long a3; 5693 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5694 5695 /* 5696 * check opcode 5697 */ 5698 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5699 case PORT_ASSOCIATE: 5700 case PORT_DISSOCIATE: 5701 /* 5702 * check source 5703 */ 5704 if ((uint_t)uap->a3 == PORT_SOURCE_FILE) { 5705 e = AUE_PORTFS; 5706 } else { 5707 e = AUE_NULL; 5708 } 5709 break; 5710 default: 5711 e = AUE_NULL; 5712 } 5713 return (e); 5714 } 5715