1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <sys/tsol/label.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 int au_naevent; 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_null(au_event_t); 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 103 static void aus_null(struct t_audit_data *); 104 static void aus_open(struct t_audit_data *); 105 static void aus_acl(struct t_audit_data *); 106 static void aus_acct(struct t_audit_data *); 107 static void aus_chown(struct t_audit_data *); 108 static void aus_fchown(struct t_audit_data *); 109 static void aus_lchown(struct t_audit_data *); 110 static void aus_chmod(struct t_audit_data *); 111 static void aus_facl(struct t_audit_data *); 112 static void aus_fchmod(struct t_audit_data *); 113 static void aus_fcntl(struct t_audit_data *); 114 static void aus_fsat(struct t_audit_data *); 115 static void aus_mkdir(struct t_audit_data *); 116 static void aus_mknod(struct t_audit_data *); 117 static void aus_mount(struct t_audit_data *); 118 static void aus_umount(struct t_audit_data *); 119 static void aus_umount2(struct t_audit_data *); 120 static void aus_msgsys(struct t_audit_data *); 121 static void aus_semsys(struct t_audit_data *); 122 static void aus_close(struct t_audit_data *); 123 static void aus_fstatfs(struct t_audit_data *); 124 static void aus_setgid(struct t_audit_data *); 125 static void aus_setuid(struct t_audit_data *); 126 static void aus_shmsys(struct t_audit_data *); 127 static void aus_doorfs(struct t_audit_data *); 128 static void aus_ioctl(struct t_audit_data *); 129 static void aus_memcntl(struct t_audit_data *); 130 static void aus_mmap(struct t_audit_data *); 131 static void aus_munmap(struct t_audit_data *); 132 static void aus_priocntlsys(struct t_audit_data *); 133 static void aus_setegid(struct t_audit_data *); 134 static void aus_setgroups(struct t_audit_data *); 135 static void aus_seteuid(struct t_audit_data *); 136 static void aus_putmsg(struct t_audit_data *); 137 static void aus_putpmsg(struct t_audit_data *); 138 static void aus_getmsg(struct t_audit_data *); 139 static void aus_getpmsg(struct t_audit_data *); 140 static void aus_auditsys(struct t_audit_data *); 141 static void aus_sysinfo(struct t_audit_data *); 142 static void aus_modctl(struct t_audit_data *); 143 static void aus_kill(struct t_audit_data *); 144 static void aus_xmknod(struct t_audit_data *); 145 static void aus_setregid(struct t_audit_data *); 146 static void aus_setreuid(struct t_audit_data *); 147 148 static void auf_null(struct t_audit_data *, int, rval_t *); 149 static void auf_mknod(struct t_audit_data *, int, rval_t *); 150 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 151 static void auf_semsys(struct t_audit_data *, int, rval_t *); 152 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 153 #if 0 154 static void auf_open(struct t_audit_data *, int, rval_t *); 155 #endif 156 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 157 static void auf_read(struct t_audit_data *, int, rval_t *); 158 static void auf_write(struct t_audit_data *, int, rval_t *); 159 160 static void aus_sigqueue(struct t_audit_data *); 161 static void aus_p_online(struct t_audit_data *); 162 static void aus_processor_bind(struct t_audit_data *); 163 static void aus_inst_sync(struct t_audit_data *); 164 static void aus_brandsys(struct t_audit_data *); 165 166 static void auf_accept(struct t_audit_data *, int, rval_t *); 167 168 static void auf_bind(struct t_audit_data *, int, rval_t *); 169 static void auf_connect(struct t_audit_data *, int, rval_t *); 170 static void aus_shutdown(struct t_audit_data *); 171 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 172 static void aus_sockconfig(struct t_audit_data *); 173 static void auf_recv(struct t_audit_data *, int, rval_t *); 174 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 175 static void auf_send(struct t_audit_data *, int, rval_t *); 176 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 177 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 178 static void auf_sendto(struct t_audit_data *, int, rval_t *); 179 static void aus_socket(struct t_audit_data *); 180 /* 181 * This table contains mapping information for converting system call numbers 182 * to audit event IDs. In several cases it is necessary to map a single system 183 * call to several events. 184 */ 185 186 struct audit_s2e audit_s2e[] = 187 { 188 /* 189 * ---------- ---------- ---------- ---------- 190 * INITIAL AUDIT START SYSTEM 191 * PROCESSING EVENT PROCESSING CALL 192 * ---------- ---------- ---------- ----------- 193 * FINISH EVENT 194 * PROCESSING CONTROL 195 * ---------------------------------------------------------- 196 */ 197 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 198 auf_null, 0, 199 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 200 auf_null, S2E_NPT, 201 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 202 auf_null, 0, 203 aui_null, AUE_READ, aus_null, /* 3 read */ 204 auf_read, S2E_PUB, 205 aui_null, AUE_WRITE, aus_null, /* 4 write */ 206 auf_write, 0, 207 aui_open, AUE_OPEN, aus_open, /* 5 open */ 208 auf_null, S2E_SP, 209 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 210 auf_null, 0, 211 aui_null, AUE_NULL, aus_null, /* 7 wait */ 212 auf_null, 0, 213 aui_null, AUE_CREAT, aus_null, /* 8 create */ 214 auf_null, S2E_SP, 215 aui_null, AUE_LINK, aus_null, /* 9 link */ 216 auf_null, 0, 217 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 218 auf_null, 0, 219 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 220 auf_null, S2E_MLD, 221 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 222 auf_null, S2E_SP, 223 aui_null, AUE_NULL, aus_null, /* 13 time */ 224 auf_null, 0, 225 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 226 auf_mknod, 0, 227 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 228 auf_null, 0, 229 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 230 auf_null, 0, 231 aui_null, AUE_NULL, aus_null, /* 17 brk */ 232 auf_null, 0, 233 aui_null, AUE_STAT, aus_null, /* 18 stat */ 234 auf_null, S2E_PUB, 235 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 236 auf_null, 0, 237 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 238 auf_null, 0, 239 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 240 auf_null, S2E_MLD, 241 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 242 auf_null, 0, 243 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 244 auf_null, 0, 245 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 246 auf_null, 0, 247 aui_null, AUE_STIME, aus_null, /* 25 stime */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 29 pause */ 256 auf_null, 0, 257 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 262 auf_null, 0, 263 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 264 auf_null, S2E_PUB, 265 aui_null, AUE_NICE, aus_null, /* 34 nice */ 266 auf_null, 0, 267 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 268 auf_null, S2E_PUB, 269 aui_null, AUE_NULL, aus_null, /* 36 sync */ 270 auf_null, 0, 271 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 272 auf_null, 0, 273 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 274 auf_null, S2E_PUB, 275 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 276 auf_null, 0, 277 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 41 dup */ 280 auf_null, 0, 281 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 43 times */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 44 profil */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 288 /* was proc lock */ 289 auf_null, 0, 290 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 291 auf_null, 0, 292 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 293 auf_null, 0, 294 aui_null, AUE_NULL, aus_null, /* 48 sig */ 295 auf_null, 0, 296 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 297 auf_msgsys, 0, 298 #if defined(__x86) 299 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 300 auf_null, 0, 301 #else 302 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 303 auf_null, 0, 304 #endif /* __x86 */ 305 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 306 auf_null, 0, 307 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 308 auf_shmsys, 0, 309 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 310 auf_semsys, 0, 311 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 312 auf_null, 0, 313 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 314 auf_null, 0, 315 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 316 auf_null, 0, 317 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 318 auf_null, 0, 319 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 320 auf_null, 0, 321 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 322 auf_null, S2E_MLD, 323 aui_null, AUE_NULL, aus_null, /* 60 umask */ 324 auf_null, 0, 325 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 326 auf_null, S2E_SP, 327 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 328 auf_null, 0, 329 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 332 auf_null, 0, 333 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 334 auf_null, 0, 335 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 336 auf_null, 0, 337 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 338 /* file locking call */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 341 /* local system calls */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 344 auf_null, 0, 345 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 352 auf_null, 0, 353 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 354 auf_null, 0, 355 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 356 /* was sigret (SunOS) */ 357 auf_null, 0, 358 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 363 auf_null, 0, 364 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 365 auf_null, 0, 366 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 367 auf_null, 0, 368 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 369 auf_null, 0, 370 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 371 /* was libattach */ 372 auf_null, 0, 373 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 374 /* was libdetach */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 377 auf_null, 0, 378 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 379 auf_null, 0, 380 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 381 auf_null, 0, 382 aui_null, AUE_NULL, aus_null, /* 87 poll */ 383 auf_null, 0, 384 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 387 auf_null, 0, 388 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 389 auf_null, S2E_PUB, 390 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 391 auf_null, 0, 392 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 393 auf_null, 0, 394 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 395 auf_null, 0, 396 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 411 auf_null, 0, 412 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 413 /* was evtrapret */ 414 auf_null, 0, 415 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 416 auf_null, S2E_PUB, 417 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 418 auf_null, 0, 419 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 422 auf_null, 0, 423 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 424 auf_null, 0, 425 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 426 auf_null, 0, 427 #if defined(__x86) 428 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 429 auf_null, 0, 430 #else 431 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 432 auf_null, 0, 433 #endif /* __x86 */ 434 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 435 auf_null, 0, 436 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 437 auf_null, 0, 438 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 439 auf_null, 0, /* 112 priocntlsys */ 440 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 441 auf_null, S2E_PUB, 442 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 443 auf_null, 0, 444 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 445 auf_null, 0, 446 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 447 auf_null, 0, 448 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 449 auf_null, 0, 450 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 451 auf_null, 0, 452 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 453 auf_null, 0, 454 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 455 auf_null, 0, 456 aui_null, AUE_READ, aus_null, /* 121 readv */ 457 auf_read, S2E_PUB, 458 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 459 auf_write, 0, 460 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 461 auf_null, S2E_PUB, 462 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 463 auf_null, S2E_PUB, 464 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 465 auf_null, 0, 466 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 467 auf_xmknod, 0, 468 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 469 auf_null, 0, 470 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 471 auf_null, 0, 472 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 473 auf_null, 0, 474 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 475 auf_null, 0, 476 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 477 auf_null, 0, 478 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 479 auf_null, 0, 480 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 481 auf_null, 0, 482 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 483 auf_null, 0, 484 aui_null, AUE_NULL, aus_null, /* 135 uname */ 485 auf_null, 0, 486 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 487 auf_null, 0, 488 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 489 auf_null, 0, 490 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 491 auf_null, 0, 492 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 493 auf_null, 0, 494 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 495 auf_null, 0, 496 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 497 auf_null, 0, 498 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 499 auf_null, 0, 500 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 501 auf_null, 0, 502 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 146 yield */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 517 auf_null, 0, 518 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 519 auf_null, 0, 520 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 521 auf_null, 0, 522 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 545 /* was lwp_setprivate */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 548 /* was lwp_getprivate */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 557 auf_null, 0, 558 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 559 auf_null, 0, 560 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 561 auf_null, 0, 562 aui_null, AUE_READ, aus_null, /* 173 pread */ 563 auf_read, S2E_PUB, 564 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 565 auf_write, 0, 566 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 567 auf_null, 0, 568 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 569 /* aus_inst_sync */ 570 auf_null, 0, 571 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 580 auf_null, 0, 581 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 582 auf_null, 0, 583 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 584 auf_null, 0, 585 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 586 auf_null, 0, 587 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 588 auf_null, 0, 589 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 590 auf_null, 0, 591 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 592 auf_null, 0, /* 187 processor_bind */ 593 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 594 auf_null, 0, 595 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 600 auf_null, 0, 601 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 616 auf_null, 0, 617 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 618 auf_null, 0, 619 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 620 auf_null, 0, 621 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 622 auf_null, 0, 623 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 644 auf_null, 0, 645 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 646 auf_null, 0, 647 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 652 auf_null, 0, 653 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 654 auf_null, S2E_PUB, 655 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 656 auf_null, 0, 657 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 658 auf_null, 0, 659 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 660 auf_null, 0, 661 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 662 auf_read, S2E_PUB, 663 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 664 auf_write, 0, 665 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 666 auf_null, S2E_SP, 667 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 668 auf_null, S2E_SP, 669 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 676 auf_null, 0, 677 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 678 auf_null, 0, 679 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 680 auf_null, 0, 681 aui_null, AUE_BIND, aus_null, /* 232 bind */ 682 auf_bind, 0, 683 aui_null, AUE_NULL, aus_null, /* 233 listen */ 684 auf_null, 0, 685 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 686 auf_accept, 0, 687 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 688 auf_connect, 0, 689 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 690 auf_null, 0, 691 aui_null, AUE_READ, aus_null, /* 237 recv */ 692 auf_recv, 0, 693 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 694 auf_recvfrom, 0, 695 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 696 auf_recvmsg, 0, 697 aui_null, AUE_WRITE, aus_null, /* 240 send */ 698 auf_send, 0, 699 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 700 auf_sendmsg, 0, 701 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 702 auf_sendto, 0, 703 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 704 auf_null, 0, 705 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 708 auf_null, 0, 709 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 710 auf_setsockopt, 0, 711 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 714 auf_null, 0, 715 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 726 auf_null, 0, 727 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 728 auf_null, 0 729 }; 730 731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 732 733 /* null start function */ 734 /*ARGSUSED*/ 735 static void 736 aus_null(struct t_audit_data *tad) 737 { 738 } 739 740 /* acct start function */ 741 /*ARGSUSED*/ 742 static void 743 aus_acct(struct t_audit_data *tad) 744 { 745 klwp_t *clwp = ttolwp(curthread); 746 uintptr_t fname; 747 748 struct a { 749 long fname; /* char * */ 750 } *uap = (struct a *)clwp->lwp_ap; 751 752 fname = (uintptr_t)uap->fname; 753 754 if (fname == 0) 755 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 756 } 757 758 /* chown start function */ 759 /*ARGSUSED*/ 760 static void 761 aus_chown(struct t_audit_data *tad) 762 { 763 klwp_t *clwp = ttolwp(curthread); 764 uint32_t uid, gid; 765 766 struct a { 767 long fname; /* char * */ 768 long uid; 769 long gid; 770 } *uap = (struct a *)clwp->lwp_ap; 771 772 uid = (uint32_t)uap->uid; 773 gid = (uint32_t)uap->gid; 774 775 au_uwrite(au_to_arg32(2, "new file uid", uid)); 776 au_uwrite(au_to_arg32(3, "new file gid", gid)); 777 } 778 779 /* fchown start function */ 780 /*ARGSUSED*/ 781 static void 782 aus_fchown(struct t_audit_data *tad) 783 { 784 klwp_t *clwp = ttolwp(curthread); 785 uint32_t uid, gid, fd; 786 struct file *fp; 787 struct vnode *vp; 788 struct f_audit_data *fad; 789 790 struct a { 791 long fd; 792 long uid; 793 long gid; 794 } *uap = (struct a *)clwp->lwp_ap; 795 796 fd = (uint32_t)uap->fd; 797 uid = (uint32_t)uap->uid; 798 gid = (uint32_t)uap->gid; 799 800 au_uwrite(au_to_arg32(2, "new file uid", uid)); 801 au_uwrite(au_to_arg32(3, "new file gid", gid)); 802 803 /* 804 * convert file pointer to file descriptor 805 * Note: fd ref count incremented here. 806 */ 807 if ((fp = getf(fd)) == NULL) 808 return; 809 810 /* get path from file struct here */ 811 fad = F2A(fp); 812 if (fad->fad_aupath != NULL) { 813 au_uwrite(au_to_path(fad->fad_aupath)); 814 } else { 815 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 816 } 817 818 vp = fp->f_vnode; 819 audit_attributes(vp); 820 821 /* decrement file descriptor reference count */ 822 releasef(fd); 823 } 824 825 /*ARGSUSED*/ 826 static void 827 aus_lchown(struct t_audit_data *tad) 828 { 829 klwp_t *clwp = ttolwp(curthread); 830 uint32_t uid, gid; 831 832 833 struct a { 834 long fname; /* char * */ 835 long uid; 836 long gid; 837 } *uap = (struct a *)clwp->lwp_ap; 838 839 uid = (uint32_t)uap->uid; 840 gid = (uint32_t)uap->gid; 841 842 au_uwrite(au_to_arg32(2, "new file uid", uid)); 843 au_uwrite(au_to_arg32(3, "new file gid", gid)); 844 } 845 846 /* chmod start function */ 847 /*ARGSUSED*/ 848 static void 849 aus_chmod(struct t_audit_data *tad) 850 { 851 klwp_t *clwp = ttolwp(curthread); 852 uint32_t fmode; 853 854 struct a { 855 long fname; /* char * */ 856 long fmode; 857 } *uap = (struct a *)clwp->lwp_ap; 858 859 fmode = (uint32_t)uap->fmode; 860 861 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 862 } 863 864 /* chmod start function */ 865 /*ARGSUSED*/ 866 static void 867 aus_fchmod(struct t_audit_data *tad) 868 { 869 klwp_t *clwp = ttolwp(curthread); 870 uint32_t fmode, fd; 871 struct file *fp; 872 struct vnode *vp; 873 struct f_audit_data *fad; 874 875 struct a { 876 long fd; 877 long fmode; 878 } *uap = (struct a *)clwp->lwp_ap; 879 880 fd = (uint32_t)uap->fd; 881 fmode = (uint32_t)uap->fmode; 882 883 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 884 885 /* 886 * convert file pointer to file descriptor 887 * Note: fd ref count incremented here. 888 */ 889 if ((fp = getf(fd)) == NULL) 890 return; 891 892 /* get path from file struct here */ 893 fad = F2A(fp); 894 if (fad->fad_aupath != NULL) { 895 au_uwrite(au_to_path(fad->fad_aupath)); 896 } else { 897 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 898 } 899 900 vp = fp->f_vnode; 901 audit_attributes(vp); 902 903 /* decrement file descriptor reference count */ 904 releasef(fd); 905 } 906 907 /* null function */ 908 /*ARGSUSED*/ 909 static void 910 auf_null(struct t_audit_data *tad, int error, rval_t *rval) 911 { 912 } 913 914 /* null function */ 915 static au_event_t 916 aui_null(au_event_t e) 917 { 918 return (e); 919 } 920 921 /* convert open to appropriate event */ 922 static au_event_t 923 aui_open(au_event_t e) 924 { 925 klwp_t *clwp = ttolwp(curthread); 926 uint_t fm; 927 928 struct a { 929 long fnamep; /* char * */ 930 long fmode; 931 long cmode; 932 } *uap = (struct a *)clwp->lwp_ap; 933 934 fm = (uint_t)uap->fmode; 935 936 if (fm & O_WRONLY) 937 e = AUE_OPEN_W; 938 else if (fm & O_RDWR) 939 e = AUE_OPEN_RW; 940 else 941 e = AUE_OPEN_R; 942 943 if (fm & O_CREAT) 944 e += 1; 945 if (fm & O_TRUNC) 946 e += 2; 947 948 return (e); 949 } 950 951 /*ARGSUSED*/ 952 static void 953 aus_open(struct t_audit_data *tad) 954 { 955 klwp_t *clwp = ttolwp(curthread); 956 uint_t fm; 957 958 struct a { 959 long fnamep; /* char * */ 960 long fmode; 961 long cmode; 962 } *uap = (struct a *)clwp->lwp_ap; 963 964 fm = (uint_t)uap->fmode; 965 966 /* If no write, create, or trunc modes, mark as a public op */ 967 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 968 tad->tad_ctrl |= PAD_PUBLIC_EV; 969 } 970 971 /* convert openat(2) to appropriate event */ 972 static au_event_t 973 aui_fsat(au_event_t e) 974 { 975 t_audit_data_t *tad = U2A(u); 976 klwp_t *clwp = ttolwp(curthread); 977 uint_t fmcode, fm; 978 struct a { 979 long id; 980 long arg1; 981 long arg2; 982 long arg3; 983 long arg4; 984 long arg5; 985 } *uap = (struct a *)clwp->lwp_ap; 986 987 fmcode = (uint_t)uap->id; 988 989 switch (fmcode) { 990 991 case 0: /* openat */ 992 case 1: /* openat64 */ 993 fm = (uint_t)uap->arg3; 994 if (fm & O_WRONLY) 995 e = AUE_OPENAT_W; 996 else if (fm & O_RDWR) 997 e = AUE_OPENAT_RW; 998 else 999 e = AUE_OPENAT_R; 1000 1001 /* 1002 * openat modes are defined in the following order: 1003 * Read only 1004 * Read|Create 1005 * Read|Trunc 1006 * Read|Create|Trunc 1007 * Write Only 1008 * Write|Create 1009 * Write|Trunc 1010 * Write|Create|Trunc * RW Only 1011 * RW|Create 1012 * RW|Trunc 1013 * RW|Create|Trunc 1014 */ 1015 if (fm & O_CREAT) 1016 e += 1; /* increment to include CREAT in mode */ 1017 if (fm & O_TRUNC) 1018 e += 2; /* increment to include TRUNC in mode */ 1019 1020 /* convert to appropriate au_ctrl */ 1021 tad->tad_ctrl |= PAD_SAVPATH; 1022 if (fm & FXATTR) 1023 tad->tad_ctrl |= PAD_ATPATH; 1024 1025 1026 break; 1027 case 2: /* fstatat64 */ 1028 case 3: /* fstatat */ 1029 e = AUE_FSTATAT; 1030 break; 1031 case 4: /* fchownat */ 1032 e = AUE_FCHOWNAT; 1033 break; 1034 case 5: /* unlinkat */ 1035 e = AUE_UNLINKAT; 1036 break; 1037 case 6: /* futimesat */ 1038 e = AUE_FUTIMESAT; 1039 break; 1040 case 7: /* renameat */ 1041 e = AUE_RENAMEAT; 1042 break; 1043 default: 1044 e = AUE_NULL; 1045 break; 1046 } 1047 1048 return (e); 1049 } 1050 1051 /*ARGSUSED*/ 1052 static void 1053 aus_fsat(struct t_audit_data *tad) 1054 { 1055 klwp_t *clwp = ttolwp(curthread); 1056 uint_t fmcode, fm; 1057 struct a { 1058 long id; 1059 long arg1; 1060 long arg2; 1061 long arg3; 1062 long arg4; 1063 long arg5; 1064 } *uap = (struct a *)clwp->lwp_ap; 1065 1066 fmcode = (uint_t)uap->id; 1067 1068 switch (fmcode) { 1069 1070 case 0: /* openat */ 1071 case 1: /* openat64 */ 1072 fm = (uint_t)uap->arg3; 1073 /* If no write, create, or trunc modes, mark as a public op */ 1074 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1075 tad->tad_ctrl |= PAD_PUBLIC_EV; 1076 1077 break; 1078 case 2: /* fstatat64 */ 1079 case 3: /* fstatat */ 1080 tad->tad_ctrl |= PAD_PUBLIC_EV; 1081 break; 1082 default: 1083 break; 1084 } 1085 } 1086 1087 /* msgsys */ 1088 static au_event_t 1089 aui_msgsys(au_event_t e) 1090 { 1091 klwp_t *clwp = ttolwp(curthread); 1092 uint_t fm; 1093 1094 struct a { 1095 long id; /* function code id */ 1096 long ap; /* arg pointer for recvmsg */ 1097 } *uap = (struct a *)clwp->lwp_ap; 1098 1099 struct b { 1100 long msgid; 1101 long cmd; 1102 long buf; /* struct msqid_ds * */ 1103 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1104 1105 fm = (uint_t)uap->id; 1106 1107 switch (fm) { 1108 case 0: /* msgget */ 1109 e = AUE_MSGGET; 1110 break; 1111 case 1: /* msgctl */ 1112 switch ((uint_t)uap1->cmd) { 1113 case IPC_RMID: 1114 e = AUE_MSGCTL_RMID; 1115 break; 1116 case IPC_SET: 1117 e = AUE_MSGCTL_SET; 1118 break; 1119 case IPC_STAT: 1120 e = AUE_MSGCTL_STAT; 1121 break; 1122 default: 1123 e = AUE_MSGCTL; 1124 break; 1125 } 1126 break; 1127 case 2: /* msgrcv */ 1128 e = AUE_MSGRCV; 1129 break; 1130 case 3: /* msgsnd */ 1131 e = AUE_MSGSND; 1132 break; 1133 default: /* illegal system call */ 1134 e = AUE_NULL; 1135 break; 1136 } 1137 1138 return (e); 1139 } 1140 1141 1142 /* shmsys */ 1143 static au_event_t 1144 aui_shmsys(au_event_t e) 1145 { 1146 klwp_t *clwp = ttolwp(curthread); 1147 int fm; 1148 1149 struct a { /* shmsys */ 1150 long id; /* function code id */ 1151 } *uap = (struct a *)clwp->lwp_ap; 1152 1153 struct b { /* ctrl */ 1154 long shmid; 1155 long cmd; 1156 long arg; /* struct shmid_ds * */ 1157 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1158 fm = (uint_t)uap->id; 1159 1160 switch (fm) { 1161 case 0: /* shmat */ 1162 e = AUE_SHMAT; 1163 break; 1164 case 1: /* shmctl */ 1165 switch ((uint_t)uap1->cmd) { 1166 case IPC_RMID: 1167 e = AUE_SHMCTL_RMID; 1168 break; 1169 case IPC_SET: 1170 e = AUE_SHMCTL_SET; 1171 break; 1172 case IPC_STAT: 1173 e = AUE_SHMCTL_STAT; 1174 break; 1175 default: 1176 e = AUE_SHMCTL; 1177 break; 1178 } 1179 break; 1180 case 2: /* shmdt */ 1181 e = AUE_SHMDT; 1182 break; 1183 case 3: /* shmget */ 1184 e = AUE_SHMGET; 1185 break; 1186 default: /* illegal system call */ 1187 e = AUE_NULL; 1188 break; 1189 } 1190 1191 return (e); 1192 } 1193 1194 1195 /* semsys */ 1196 static au_event_t 1197 aui_semsys(au_event_t e) 1198 { 1199 klwp_t *clwp = ttolwp(curthread); 1200 uint_t fm; 1201 1202 struct a { /* semsys */ 1203 long id; 1204 } *uap = (struct a *)clwp->lwp_ap; 1205 1206 struct b { /* ctrl */ 1207 long semid; 1208 long semnum; 1209 long cmd; 1210 long arg; 1211 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1212 1213 fm = (uint_t)uap->id; 1214 1215 switch (fm) { 1216 case 0: /* semctl */ 1217 switch ((uint_t)uap1->cmd) { 1218 case IPC_RMID: 1219 e = AUE_SEMCTL_RMID; 1220 break; 1221 case IPC_SET: 1222 e = AUE_SEMCTL_SET; 1223 break; 1224 case IPC_STAT: 1225 e = AUE_SEMCTL_STAT; 1226 break; 1227 case GETNCNT: 1228 e = AUE_SEMCTL_GETNCNT; 1229 break; 1230 case GETPID: 1231 e = AUE_SEMCTL_GETPID; 1232 break; 1233 case GETVAL: 1234 e = AUE_SEMCTL_GETVAL; 1235 break; 1236 case GETALL: 1237 e = AUE_SEMCTL_GETALL; 1238 break; 1239 case GETZCNT: 1240 e = AUE_SEMCTL_GETZCNT; 1241 break; 1242 case SETVAL: 1243 e = AUE_SEMCTL_SETVAL; 1244 break; 1245 case SETALL: 1246 e = AUE_SEMCTL_SETALL; 1247 break; 1248 default: 1249 e = AUE_SEMCTL; 1250 break; 1251 } 1252 break; 1253 case 1: /* semget */ 1254 e = AUE_SEMGET; 1255 break; 1256 case 2: /* semop */ 1257 e = AUE_SEMOP; 1258 break; 1259 default: /* illegal system call */ 1260 e = AUE_NULL; 1261 break; 1262 } 1263 1264 return (e); 1265 } 1266 1267 /* utssys - uname(2), ustat(2), fusers(2) */ 1268 static au_event_t 1269 aui_utssys(au_event_t e) 1270 { 1271 klwp_t *clwp = ttolwp(curthread); 1272 uint_t type; 1273 1274 struct a { 1275 union { 1276 long cbuf; /* char * */ 1277 long ubuf; /* struct stat * */ 1278 } ub; 1279 union { 1280 long mv; /* for USTAT */ 1281 long flags; /* for FUSERS */ 1282 } un; 1283 long type; 1284 long outbp; /* char * for FUSERS */ 1285 } *uap = (struct a *)clwp->lwp_ap; 1286 1287 type = (uint_t)uap->type; 1288 1289 if (type == UTS_FUSERS) 1290 return (e); 1291 else 1292 return ((au_event_t)AUE_NULL); 1293 } 1294 1295 static au_event_t 1296 aui_fcntl(au_event_t e) 1297 { 1298 klwp_t *clwp = ttolwp(curthread); 1299 uint_t cmd; 1300 1301 struct a { 1302 long fdes; 1303 long cmd; 1304 long arg; 1305 } *uap = (struct a *)clwp->lwp_ap; 1306 1307 cmd = (uint_t)uap->cmd; 1308 1309 switch (cmd) { 1310 case F_GETLK: 1311 case F_SETLK: 1312 case F_SETLKW: 1313 break; 1314 case F_SETFL: 1315 case F_GETFL: 1316 case F_GETFD: 1317 break; 1318 default: 1319 e = (au_event_t)AUE_NULL; 1320 break; 1321 } 1322 return ((au_event_t)e); 1323 } 1324 1325 /* null function for now */ 1326 static au_event_t 1327 aui_execv(au_event_t e) 1328 { 1329 return (e); 1330 } 1331 1332 /* null function for now */ 1333 static au_event_t 1334 aui_execve(au_event_t e) 1335 { 1336 return (e); 1337 } 1338 1339 /*ARGSUSED*/ 1340 static void 1341 aus_fcntl(struct t_audit_data *tad) 1342 { 1343 klwp_t *clwp = ttolwp(curthread); 1344 uint32_t cmd, fd; 1345 struct file *fp; 1346 struct vnode *vp; 1347 struct f_audit_data *fad; 1348 1349 struct a { 1350 long fd; 1351 long cmd; 1352 long arg; 1353 } *uap = (struct a *)clwp->lwp_ap; 1354 1355 cmd = (uint32_t)uap->cmd; 1356 fd = (uint32_t)uap->fd; 1357 1358 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1359 1360 /* 1361 * convert file pointer to file descriptor 1362 * Note: fd ref count incremented here. 1363 */ 1364 if ((fp = getf(fd)) == NULL) 1365 return; 1366 1367 /* get path from file struct here */ 1368 fad = F2A(fp); 1369 if (fad->fad_aupath != NULL) { 1370 au_uwrite(au_to_path(fad->fad_aupath)); 1371 } else { 1372 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1373 } 1374 1375 vp = fp->f_vnode; 1376 audit_attributes(vp); 1377 1378 /* decrement file descriptor reference count */ 1379 releasef(fd); 1380 } 1381 1382 /*ARGSUSED*/ 1383 static void 1384 aus_kill(struct t_audit_data *tad) 1385 { 1386 klwp_t *clwp = ttolwp(curthread); 1387 struct proc *p; 1388 uint32_t signo; 1389 uid_t uid, ruid; 1390 gid_t gid, rgid; 1391 pid_t pid; 1392 const auditinfo_addr_t *ainfo; 1393 cred_t *cr; 1394 1395 struct a { 1396 long pid; 1397 long signo; 1398 } *uap = (struct a *)clwp->lwp_ap; 1399 1400 pid = (pid_t)uap->pid; 1401 signo = (uint32_t)uap->signo; 1402 1403 au_uwrite(au_to_arg32(2, "signal", signo)); 1404 if (pid > 0) { 1405 mutex_enter(&pidlock); 1406 if (((p = prfind(pid)) == (struct proc *)0) || 1407 (p->p_stat == SIDL)) { 1408 mutex_exit(&pidlock); 1409 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1410 return; 1411 } 1412 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1413 mutex_exit(&pidlock); 1414 1415 mutex_enter(&p->p_crlock); 1416 crhold(cr = p->p_cred); 1417 mutex_exit(&p->p_crlock); 1418 mutex_exit(&p->p_lock); 1419 1420 ainfo = crgetauinfo(cr); 1421 if (ainfo == NULL) { 1422 crfree(cr); 1423 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1424 return; 1425 } 1426 1427 uid = crgetuid(cr); 1428 gid = crgetgid(cr); 1429 ruid = crgetruid(cr); 1430 rgid = crgetrgid(cr); 1431 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1432 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1433 1434 if (is_system_labeled()) 1435 au_uwrite(au_to_label(CR_SL(cr))); 1436 1437 crfree(cr); 1438 } 1439 else 1440 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1441 } 1442 1443 /*ARGSUSED*/ 1444 static void 1445 aus_mkdir(struct t_audit_data *tad) 1446 { 1447 klwp_t *clwp = ttolwp(curthread); 1448 uint32_t dmode; 1449 1450 struct a { 1451 long dirnamep; /* char * */ 1452 long dmode; 1453 } *uap = (struct a *)clwp->lwp_ap; 1454 1455 dmode = (uint32_t)uap->dmode; 1456 1457 au_uwrite(au_to_arg32(2, "mode", dmode)); 1458 } 1459 1460 /*ARGSUSED*/ 1461 static void 1462 aus_mknod(struct t_audit_data *tad) 1463 { 1464 klwp_t *clwp = ttolwp(curthread); 1465 uint32_t fmode; 1466 dev_t dev; 1467 1468 struct a { 1469 long pnamep; /* char * */ 1470 long fmode; 1471 long dev; 1472 } *uap = (struct a *)clwp->lwp_ap; 1473 1474 fmode = (uint32_t)uap->fmode; 1475 dev = (dev_t)uap->dev; 1476 1477 au_uwrite(au_to_arg32(2, "mode", fmode)); 1478 #ifdef _LP64 1479 au_uwrite(au_to_arg64(3, "dev", dev)); 1480 #else 1481 au_uwrite(au_to_arg32(3, "dev", dev)); 1482 #endif 1483 } 1484 1485 /*ARGSUSED*/ 1486 static void 1487 aus_xmknod(struct t_audit_data *tad) 1488 { 1489 klwp_t *clwp = ttolwp(curthread); 1490 uint32_t fmode; 1491 dev_t dev; 1492 1493 struct a { 1494 long version; /* version */ 1495 long pnamep; /* char * */ 1496 long fmode; 1497 long dev; 1498 } *uap = (struct a *)clwp->lwp_ap; 1499 1500 fmode = (uint32_t)uap->fmode; 1501 dev = (dev_t)uap->dev; 1502 1503 au_uwrite(au_to_arg32(2, "mode", fmode)); 1504 #ifdef _LP64 1505 au_uwrite(au_to_arg64(3, "dev", dev)); 1506 #else 1507 au_uwrite(au_to_arg32(3, "dev", dev)); 1508 #endif 1509 } 1510 1511 /*ARGSUSED*/ 1512 static void 1513 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1514 { 1515 klwp_t *clwp = ttolwp(curthread); 1516 vnode_t *dvp; 1517 caddr_t pnamep; 1518 1519 struct a { 1520 long pnamep; /* char * */ 1521 long fmode; 1522 long dev; 1523 } *uap = (struct a *)clwp->lwp_ap; 1524 1525 /* no error, then already path token in audit record */ 1526 if (error != EPERM) 1527 return; 1528 1529 /* not auditing this event, nothing then to do */ 1530 if (tad->tad_flag == 0) 1531 return; 1532 1533 /* do the lookup to force generation of path token */ 1534 pnamep = (caddr_t)uap->pnamep; 1535 tad->tad_ctrl |= PAD_NOATTRB; 1536 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1537 if (error == 0) 1538 VN_RELE(dvp); 1539 } 1540 1541 /*ARGSUSED*/ 1542 static void 1543 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1544 { 1545 klwp_t *clwp = ttolwp(curthread); 1546 vnode_t *dvp; 1547 caddr_t pnamep; 1548 1549 struct a { 1550 long version; /* version */ 1551 long pnamep; /* char * */ 1552 long fmode; 1553 long dev; 1554 } *uap = (struct a *)clwp->lwp_arg; 1555 1556 1557 /* no error, then already path token in audit record */ 1558 if (error != EPERM) 1559 return; 1560 1561 /* not auditing this event, nothing then to do */ 1562 if (tad->tad_flag == 0) 1563 return; 1564 1565 /* do the lookup to force generation of path token */ 1566 pnamep = (caddr_t)uap->pnamep; 1567 tad->tad_ctrl |= PAD_NOATTRB; 1568 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1569 if (error == 0) 1570 VN_RELE(dvp); 1571 } 1572 1573 /*ARGSUSED*/ 1574 static void 1575 aus_mount(struct t_audit_data *tad) 1576 { /* AUS_START */ 1577 klwp_t *clwp = ttolwp(curthread); 1578 uint32_t flags; 1579 uintptr_t u_fstype, dataptr; 1580 STRUCT_DECL(nfs_args, nfsargs); 1581 size_t len; 1582 char *fstype, *hostname; 1583 1584 struct a { 1585 long spec; /* char * */ 1586 long dir; /* char * */ 1587 long flags; 1588 long fstype; /* char * */ 1589 long dataptr; /* char * */ 1590 long datalen; 1591 } *uap = (struct a *)clwp->lwp_ap; 1592 1593 u_fstype = (uintptr_t)uap->fstype; 1594 flags = (uint32_t)uap->flags; 1595 dataptr = (uintptr_t)uap->dataptr; 1596 1597 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1598 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1599 goto mount_free_fstype; 1600 1601 au_uwrite(au_to_arg32(3, "flags", flags)); 1602 au_uwrite(au_to_text(fstype)); 1603 1604 if (strncmp(fstype, "nfs", 3) == 0) { 1605 1606 STRUCT_INIT(nfsargs, get_udatamodel()); 1607 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1608 1609 if (copyin((caddr_t)dataptr, 1610 STRUCT_BUF(nfsargs), 1611 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1612 /* DEBUG debug_enter((char *)NULL); */ 1613 goto mount_free_fstype; 1614 } 1615 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1616 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1617 (caddr_t)hostname, 1618 MAXNAMELEN, &len)) { 1619 goto mount_free_hostname; 1620 } 1621 au_uwrite(au_to_text(hostname)); 1622 au_uwrite(au_to_arg32(3, "internal flags", 1623 (uint_t)STRUCT_FGET(nfsargs, flags))); 1624 1625 mount_free_hostname: 1626 kmem_free(hostname, MAXNAMELEN); 1627 } 1628 1629 mount_free_fstype: 1630 kmem_free(fstype, MAXNAMELEN); 1631 } /* AUS_MOUNT */ 1632 1633 static void 1634 aus_umount_path(caddr_t umount_dir) 1635 { 1636 char *dir_path; 1637 struct audit_path *path; 1638 size_t path_len, dir_len; 1639 1640 /* length alloc'd for two string pointers */ 1641 path_len = sizeof (struct audit_path) + sizeof (char *); 1642 path = kmem_alloc(path_len, KM_SLEEP); 1643 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1644 1645 if (copyinstr(umount_dir, (caddr_t)dir_path, 1646 MAXPATHLEN, &dir_len)) 1647 goto umount2_free_dir; 1648 1649 /* 1650 * the audit_path struct assumes that the buffer pointed to 1651 * by audp_sect[n] contains string 0 immediatedly followed 1652 * by string 1. 1653 */ 1654 path->audp_sect[0] = dir_path; 1655 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1656 path->audp_size = path_len; 1657 path->audp_ref = 1; /* not used */ 1658 path->audp_cnt = 1; /* one path string */ 1659 1660 au_uwrite(au_to_path(path)); 1661 1662 umount2_free_dir: 1663 kmem_free(dir_path, MAXPATHLEN); 1664 kmem_free(path, path_len); 1665 } 1666 1667 /* 1668 * the umount syscall is implemented as a call to umount2, but the args 1669 * are different... 1670 */ 1671 1672 /*ARGSUSED*/ 1673 static void 1674 aus_umount(struct t_audit_data *tad) 1675 { 1676 klwp_t *clwp = ttolwp(curthread); 1677 struct a { 1678 long dir; /* char * */ 1679 } *uap = (struct a *)clwp->lwp_ap; 1680 1681 aus_umount_path((caddr_t)uap->dir); 1682 } 1683 1684 /*ARGSUSED*/ 1685 static void 1686 aus_umount2(struct t_audit_data *tad) 1687 { 1688 klwp_t *clwp = ttolwp(curthread); 1689 struct a { 1690 long dir; /* char * */ 1691 long flags; 1692 } *uap = (struct a *)clwp->lwp_ap; 1693 1694 aus_umount_path((caddr_t)uap->dir); 1695 1696 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1697 } 1698 1699 static void 1700 aus_msgsys(struct t_audit_data *tad) 1701 { 1702 klwp_t *clwp = ttolwp(curthread); 1703 uint32_t msgid; 1704 1705 struct b { 1706 long msgid; 1707 long cmd; 1708 long buf; /* struct msqid_ds * */ 1709 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1710 1711 msgid = (uint32_t)uap1->msgid; 1712 1713 1714 switch (tad->tad_event) { 1715 case AUE_MSGGET: /* msgget */ 1716 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1717 break; 1718 case AUE_MSGCTL: /* msgctl */ 1719 case AUE_MSGCTL_RMID: /* msgctl */ 1720 case AUE_MSGCTL_STAT: /* msgctl */ 1721 case AUE_MSGRCV: /* msgrcv */ 1722 case AUE_MSGSND: /* msgsnd */ 1723 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1724 break; 1725 case AUE_MSGCTL_SET: /* msgctl */ 1726 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1727 break; 1728 } 1729 } 1730 1731 /*ARGSUSED*/ 1732 static void 1733 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1734 { 1735 int id; 1736 1737 if (error != 0) 1738 return; 1739 if (tad->tad_event == AUE_MSGGET) { 1740 uint32_t scid; 1741 uint32_t sy_flags; 1742 1743 /* need to determine type of executing binary */ 1744 scid = tad->tad_scid; 1745 #ifdef _SYSCALL32_IMPL 1746 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1747 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1748 else 1749 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1750 #else 1751 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1752 #endif 1753 if (sy_flags == SE_32RVAL1) 1754 id = rval->r_val1; 1755 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1756 id = rval->r_val1; 1757 if (sy_flags == SE_64RVAL) 1758 id = (int)rval->r_vals; 1759 1760 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1761 } 1762 } 1763 1764 static void 1765 aus_semsys(struct t_audit_data *tad) 1766 { 1767 klwp_t *clwp = ttolwp(curthread); 1768 uint32_t semid; 1769 1770 struct b { /* ctrl */ 1771 long semid; 1772 long semnum; 1773 long cmd; 1774 long arg; 1775 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1776 1777 semid = (uint32_t)uap1->semid; 1778 1779 switch (tad->tad_event) { 1780 case AUE_SEMCTL_RMID: 1781 case AUE_SEMCTL_STAT: 1782 case AUE_SEMCTL_GETNCNT: 1783 case AUE_SEMCTL_GETPID: 1784 case AUE_SEMCTL_GETVAL: 1785 case AUE_SEMCTL_GETALL: 1786 case AUE_SEMCTL_GETZCNT: 1787 case AUE_SEMCTL_SETVAL: 1788 case AUE_SEMCTL_SETALL: 1789 case AUE_SEMCTL: 1790 case AUE_SEMOP: 1791 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1792 break; 1793 case AUE_SEMCTL_SET: 1794 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1795 break; 1796 case AUE_SEMGET: 1797 au_uwrite(au_to_arg32(1, "sem key", semid)); 1798 break; 1799 } 1800 } 1801 1802 /*ARGSUSED*/ 1803 static void 1804 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1805 { 1806 int id; 1807 1808 if (error != 0) 1809 return; 1810 if (tad->tad_event == AUE_SEMGET) { 1811 uint32_t scid; 1812 uint32_t sy_flags; 1813 1814 /* need to determine type of executing binary */ 1815 scid = tad->tad_scid; 1816 #ifdef _SYSCALL32_IMPL 1817 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1818 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1819 else 1820 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1821 #else 1822 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1823 #endif 1824 if (sy_flags == SE_32RVAL1) 1825 id = rval->r_val1; 1826 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1827 id = rval->r_val1; 1828 if (sy_flags == SE_64RVAL) 1829 id = (int)rval->r_vals; 1830 1831 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1832 } 1833 } 1834 1835 /*ARGSUSED*/ 1836 static void 1837 aus_close(struct t_audit_data *tad) 1838 { 1839 klwp_t *clwp = ttolwp(curthread); 1840 uint32_t fd; 1841 struct file *fp; 1842 struct f_audit_data *fad; 1843 struct vnode *vp; 1844 struct vattr attr; 1845 au_kcontext_t *kctx = GET_KCTX_PZ; 1846 1847 struct a { 1848 long i; 1849 } *uap = (struct a *)clwp->lwp_ap; 1850 1851 fd = (uint32_t)uap->i; 1852 1853 attr.va_mask = 0; 1854 au_uwrite(au_to_arg32(1, "fd", fd)); 1855 1856 /* 1857 * convert file pointer to file descriptor 1858 * Note: fd ref count incremented here. 1859 */ 1860 if ((fp = getf(fd)) == NULL) 1861 return; 1862 1863 fad = F2A(fp); 1864 tad->tad_evmod = (short)fad->fad_flags; 1865 if (fad->fad_aupath != NULL) { 1866 au_uwrite(au_to_path(fad->fad_aupath)); 1867 if ((vp = fp->f_vnode) != NULL) { 1868 attr.va_mask = AT_ALL; 1869 if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) { 1870 /* 1871 * When write was not used and the file can be 1872 * considered public, skip the audit. 1873 */ 1874 if (((fp->f_flag & FWRITE) == 0) && 1875 file_is_public(&attr)) { 1876 tad->tad_flag = 0; 1877 tad->tad_evmod = 0; 1878 /* free any residual audit data */ 1879 au_close(kctx, &(u_ad), 0, 0, 0); 1880 releasef(fd); 1881 return; 1882 } 1883 au_uwrite(au_to_attr(&attr)); 1884 audit_sec_attributes(&(u_ad), vp); 1885 } 1886 } 1887 } 1888 1889 /* decrement file descriptor reference count */ 1890 releasef(fd); 1891 } 1892 1893 /*ARGSUSED*/ 1894 static void 1895 aus_fstatfs(struct t_audit_data *tad) 1896 { 1897 klwp_t *clwp = ttolwp(curthread); 1898 uint32_t fd; 1899 struct file *fp; 1900 struct vnode *vp; 1901 struct f_audit_data *fad; 1902 1903 struct a { 1904 long fd; 1905 long buf; /* struct statfs * */ 1906 } *uap = (struct a *)clwp->lwp_ap; 1907 1908 fd = (uint_t)uap->fd; 1909 1910 /* 1911 * convert file pointer to file descriptor 1912 * Note: fd ref count incremented here. 1913 */ 1914 if ((fp = getf(fd)) == NULL) 1915 return; 1916 1917 /* get path from file struct here */ 1918 fad = F2A(fp); 1919 if (fad->fad_aupath != NULL) { 1920 au_uwrite(au_to_path(fad->fad_aupath)); 1921 } else { 1922 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1923 } 1924 1925 vp = fp->f_vnode; 1926 audit_attributes(vp); 1927 1928 /* decrement file descriptor reference count */ 1929 releasef(fd); 1930 } 1931 1932 #ifdef NOTYET 1933 /*ARGSUSED*/ 1934 static void 1935 aus_setpgrp(struct t_audit_data *tad) 1936 { 1937 klwp_t *clwp = ttolwp(curthread); 1938 uint32_t pgrp; 1939 struct proc *p; 1940 uid_t uid, ruid; 1941 gid_t gid, rgid; 1942 pid_t pid; 1943 const auditinfo_addr_t *ainfo; 1944 cred_t *cr; 1945 1946 struct a { 1947 long pid; 1948 long pgrp; 1949 } *uap = (struct a *)clwp->lwp_ap; 1950 1951 pid = (pid_t)uap->pid; 1952 pgrp = (uint32_t)uap->pgrp; 1953 1954 /* current process? */ 1955 if (pid == 0) 1956 (return); 1957 1958 mutex_enter(&pidlock); 1959 p = prfind(pid); 1960 if (p == NULL || p->p_as == &kas) { 1961 mutex_exit(&pidlock); 1962 return; 1963 } 1964 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1965 mutex_exit(&pidlock); 1966 1967 mutex_enter(&p->p_crlock); 1968 crhold(cr = p->p_cred); 1969 mutex_exit(&p->p_crlock); 1970 mutex_exit(&p->p_lock); 1971 1972 ainfo = crgetauinfo(cr); 1973 if (ainfo == NULL) { 1974 crfree(cr); 1975 return; 1976 } 1977 1978 uid = crgetuid(cr); 1979 gid = crgetgid(cr); 1980 ruid = crgetruid(cr); 1981 rgid = crgetrgid(cr); 1982 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1983 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1984 crfree(cr); 1985 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1986 } 1987 #endif 1988 1989 /*ARGSUSED*/ 1990 static void 1991 aus_setregid(struct t_audit_data *tad) 1992 { 1993 klwp_t *clwp = ttolwp(curthread); 1994 uint32_t rgid, egid; 1995 1996 struct a { 1997 long rgid; 1998 long egid; 1999 } *uap = (struct a *)clwp->lwp_ap; 2000 2001 rgid = (uint32_t)uap->rgid; 2002 egid = (uint32_t)uap->egid; 2003 2004 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2005 au_uwrite(au_to_arg32(2, "egid", egid)); 2006 } 2007 2008 /*ARGSUSED*/ 2009 static void 2010 aus_setgid(struct t_audit_data *tad) 2011 { 2012 klwp_t *clwp = ttolwp(curthread); 2013 uint32_t gid; 2014 2015 struct a { 2016 long gid; 2017 } *uap = (struct a *)clwp->lwp_ap; 2018 2019 gid = (uint32_t)uap->gid; 2020 2021 au_uwrite(au_to_arg32(1, "gid", gid)); 2022 } 2023 2024 2025 /*ARGSUSED*/ 2026 static void 2027 aus_setreuid(struct t_audit_data *tad) 2028 { 2029 klwp_t *clwp = ttolwp(curthread); 2030 uint32_t ruid, euid; 2031 2032 struct a { 2033 long ruid; 2034 long euid; 2035 } *uap = (struct a *)clwp->lwp_ap; 2036 2037 ruid = (uint32_t)uap->ruid; 2038 euid = (uint32_t)uap->euid; 2039 2040 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2041 au_uwrite(au_to_arg32(2, "euid", euid)); 2042 } 2043 2044 2045 /*ARGSUSED*/ 2046 static void 2047 aus_setuid(struct t_audit_data *tad) 2048 { 2049 klwp_t *clwp = ttolwp(curthread); 2050 uint32_t uid; 2051 2052 struct a { 2053 long uid; 2054 } *uap = (struct a *)clwp->lwp_ap; 2055 2056 uid = (uint32_t)uap->uid; 2057 2058 au_uwrite(au_to_arg32(1, "uid", uid)); 2059 } 2060 2061 /*ARGSUSED*/ 2062 static void 2063 aus_shmsys(struct t_audit_data *tad) 2064 { 2065 klwp_t *clwp = ttolwp(curthread); 2066 uint32_t id, cmd; 2067 2068 struct b { 2069 long id; 2070 long cmd; 2071 long buf; /* struct shmid_ds * */ 2072 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2073 2074 id = (uint32_t)uap1->id; 2075 cmd = (uint32_t)uap1->cmd; 2076 2077 switch (tad->tad_event) { 2078 case AUE_SHMGET: /* shmget */ 2079 au_uwrite(au_to_arg32(1, "shm key", id)); 2080 break; 2081 case AUE_SHMCTL: /* shmctl */ 2082 case AUE_SHMCTL_RMID: /* shmctl */ 2083 case AUE_SHMCTL_STAT: /* shmctl */ 2084 case AUE_SHMCTL_SET: /* shmctl */ 2085 au_uwrite(au_to_arg32(1, "shm ID", id)); 2086 break; 2087 case AUE_SHMDT: /* shmdt */ 2088 au_uwrite(au_to_arg32(1, "shm adr", id)); 2089 break; 2090 case AUE_SHMAT: /* shmat */ 2091 au_uwrite(au_to_arg32(1, "shm ID", id)); 2092 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2093 break; 2094 } 2095 } 2096 2097 /*ARGSUSED*/ 2098 static void 2099 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2100 { 2101 int id; 2102 2103 if (error != 0) 2104 return; 2105 if (tad->tad_event == AUE_SHMGET) { 2106 uint32_t scid; 2107 uint32_t sy_flags; 2108 2109 /* need to determine type of executing binary */ 2110 scid = tad->tad_scid; 2111 #ifdef _SYSCALL32_IMPL 2112 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2113 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2114 else 2115 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2116 #else 2117 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2118 #endif 2119 if (sy_flags == SE_32RVAL1) 2120 id = rval->r_val1; 2121 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2122 id = rval->r_val1; 2123 if (sy_flags == SE_64RVAL) 2124 id = (int)rval->r_vals; 2125 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2126 } 2127 } 2128 2129 2130 /*ARGSUSED*/ 2131 static void 2132 aus_ioctl(struct t_audit_data *tad) 2133 { 2134 klwp_t *clwp = ttolwp(curthread); 2135 struct file *fp; 2136 struct vnode *vp; 2137 struct f_audit_data *fad; 2138 uint32_t fd, cmd; 2139 uintptr_t cmarg; 2140 2141 /* XX64 */ 2142 struct a { 2143 long fd; 2144 long cmd; 2145 long cmarg; /* caddr_t */ 2146 } *uap = (struct a *)clwp->lwp_ap; 2147 2148 fd = (uint32_t)uap->fd; 2149 cmd = (uint32_t)uap->cmd; 2150 cmarg = (uintptr_t)uap->cmarg; 2151 2152 /* 2153 * convert file pointer to file descriptor 2154 * Note: fd ref count incremented here. 2155 */ 2156 if ((fp = getf(fd)) == NULL) { 2157 au_uwrite(au_to_arg32(1, "fd", fd)); 2158 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2159 #ifndef _LP64 2160 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2161 #else 2162 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2163 #endif 2164 return; 2165 } 2166 2167 /* get path from file struct here */ 2168 fad = F2A(fp); 2169 if (fad->fad_aupath != NULL) { 2170 au_uwrite(au_to_path(fad->fad_aupath)); 2171 } else { 2172 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2173 } 2174 2175 vp = fp->f_vnode; 2176 audit_attributes(vp); 2177 2178 /* decrement file descriptor reference count */ 2179 releasef(fd); 2180 2181 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2182 #ifndef _LP64 2183 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2184 #else 2185 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2186 #endif 2187 } 2188 2189 /* 2190 * null function for memcntl for now. We might want to limit memcntl() 2191 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2192 * require privileges. 2193 */ 2194 static au_event_t 2195 aui_memcntl(au_event_t e) 2196 { 2197 return (e); 2198 } 2199 2200 /*ARGSUSED*/ 2201 static au_event_t 2202 aui_privsys(au_event_t e) 2203 { 2204 klwp_t *clwp = ttolwp(curthread); 2205 2206 struct a { 2207 long opcode; 2208 } *uap = (struct a *)clwp->lwp_ap; 2209 2210 switch (uap->opcode) { 2211 case PRIVSYS_SETPPRIV: 2212 return (AUE_SETPPRIV); 2213 default: 2214 return (AUE_NULL); 2215 } 2216 } 2217 2218 /*ARGSUSED*/ 2219 static void 2220 aus_memcntl(struct t_audit_data *tad) 2221 { 2222 klwp_t *clwp = ttolwp(curthread); 2223 2224 struct a { 2225 long addr; 2226 long len; 2227 long cmd; 2228 long arg; 2229 long attr; 2230 long mask; 2231 } *uap = (struct a *)clwp->lwp_ap; 2232 2233 #ifdef _LP64 2234 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2235 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2236 #else 2237 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2238 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2239 #endif 2240 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2241 #ifdef _LP64 2242 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2243 #else 2244 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2245 #endif 2246 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2247 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2248 } 2249 2250 /*ARGSUSED*/ 2251 static void 2252 aus_mmap(struct t_audit_data *tad) 2253 { 2254 klwp_t *clwp = ttolwp(curthread); 2255 struct file *fp; 2256 struct f_audit_data *fad; 2257 struct vnode *vp; 2258 uint32_t fd; 2259 2260 struct a { 2261 long addr; 2262 long len; 2263 long prot; 2264 long flags; 2265 long fd; 2266 long pos; 2267 } *uap = (struct a *)clwp->lwp_ap; 2268 2269 fd = (uint32_t)uap->fd; 2270 2271 #ifdef _LP64 2272 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2273 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2274 #else 2275 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2276 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2277 #endif 2278 2279 if ((fp = getf(fd)) == NULL) { 2280 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2281 return; 2282 } 2283 2284 /* 2285 * Mark in the tad if write access is NOT requested... if 2286 * this is later detected (in audit_attributes) to be a 2287 * public object, the mmap event may be discarded. 2288 */ 2289 if (((uap->prot) & PROT_WRITE) == 0) { 2290 tad->tad_ctrl |= PAD_PUBLIC_EV; 2291 } 2292 2293 fad = F2A(fp); 2294 if (fad->fad_aupath != NULL) { 2295 au_uwrite(au_to_path(fad->fad_aupath)); 2296 } else { 2297 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2298 } 2299 2300 vp = (struct vnode *)fp->f_vnode; 2301 audit_attributes(vp); 2302 2303 /* mark READ/WRITE since we can't predict access */ 2304 if (uap->prot & PROT_READ) 2305 fad->fad_flags |= FAD_READ; 2306 if (uap->prot & PROT_WRITE) 2307 fad->fad_flags |= FAD_WRITE; 2308 2309 /* decrement file descriptor reference count */ 2310 releasef(fd); 2311 2312 } /* AUS_MMAP */ 2313 2314 2315 2316 2317 /*ARGSUSED*/ 2318 static void 2319 aus_munmap(struct t_audit_data *tad) 2320 { 2321 klwp_t *clwp = ttolwp(curthread); 2322 2323 struct a { 2324 long addr; 2325 long len; 2326 } *uap = (struct a *)clwp->lwp_ap; 2327 2328 #ifdef _LP64 2329 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2330 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2331 #else 2332 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2333 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2334 #endif 2335 2336 } /* AUS_MUNMAP */ 2337 2338 2339 2340 2341 2342 2343 2344 /*ARGSUSED*/ 2345 static void 2346 aus_priocntlsys(struct t_audit_data *tad) 2347 { 2348 klwp_t *clwp = ttolwp(curthread); 2349 2350 struct a { 2351 long pc_version; 2352 long psp; /* procset_t */ 2353 long cmd; 2354 long arg; 2355 } *uap = (struct a *)clwp->lwp_ap; 2356 2357 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2358 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2359 2360 } /* AUS_PRIOCNTLSYS */ 2361 2362 2363 /*ARGSUSED*/ 2364 static void 2365 aus_setegid(struct t_audit_data *tad) 2366 { 2367 klwp_t *clwp = ttolwp(curthread); 2368 uint32_t gid; 2369 2370 struct a { 2371 long gid; 2372 } *uap = (struct a *)clwp->lwp_ap; 2373 2374 gid = (uint32_t)uap->gid; 2375 2376 au_uwrite(au_to_arg32(1, "gid", gid)); 2377 } /* AUS_SETEGID */ 2378 2379 2380 2381 2382 /*ARGSUSED*/ 2383 static void 2384 aus_setgroups(struct t_audit_data *tad) 2385 { 2386 klwp_t *clwp = ttolwp(curthread); 2387 int i; 2388 int gidsetsize; 2389 uintptr_t gidset; 2390 gid_t *gidlist; 2391 2392 struct a { 2393 long gidsetsize; 2394 long gidset; 2395 } *uap = (struct a *)clwp->lwp_ap; 2396 2397 gidsetsize = (uint_t)uap->gidsetsize; 2398 gidset = (uintptr_t)uap->gidset; 2399 2400 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2401 return; 2402 if (gidsetsize != 0) { 2403 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2404 KM_SLEEP); 2405 if (copyin((caddr_t)gidset, gidlist, 2406 gidsetsize * sizeof (gid_t)) == 0) 2407 for (i = 0; i < gidsetsize; i++) 2408 au_uwrite(au_to_arg32(1, "setgroups", 2409 (uint32_t)gidlist[i])); 2410 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2411 } else 2412 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2413 2414 } /* AUS_SETGROUPS */ 2415 2416 2417 2418 2419 2420 /*ARGSUSED*/ 2421 static void 2422 aus_seteuid(struct t_audit_data *tad) 2423 { 2424 klwp_t *clwp = ttolwp(curthread); 2425 uint32_t uid; 2426 2427 struct a { 2428 long uid; 2429 } *uap = (struct a *)clwp->lwp_ap; 2430 2431 uid = (uint32_t)uap->uid; 2432 2433 au_uwrite(au_to_arg32(1, "euid", uid)); 2434 2435 } /* AUS_SETEUID */ 2436 2437 /*ARGSUSED*/ 2438 static void 2439 aus_putmsg(struct t_audit_data *tad) 2440 { 2441 klwp_t *clwp = ttolwp(curthread); 2442 uint32_t fd, pri; 2443 struct file *fp; 2444 struct f_audit_data *fad; 2445 2446 struct a { 2447 long fdes; 2448 long ctl; /* struct strbuf * */ 2449 long data; /* struct strbuf * */ 2450 long pri; 2451 } *uap = (struct a *)clwp->lwp_ap; 2452 2453 fd = (uint32_t)uap->fdes; 2454 pri = (uint32_t)uap->pri; 2455 2456 au_uwrite(au_to_arg32(1, "fd", fd)); 2457 2458 if ((fp = getf(fd)) != NULL) { 2459 fad = F2A(fp); 2460 2461 fad->fad_flags |= FAD_WRITE; 2462 2463 /* add path name to audit record */ 2464 if (fad->fad_aupath != NULL) { 2465 au_uwrite(au_to_path(fad->fad_aupath)); 2466 } 2467 audit_attributes(fp->f_vnode); 2468 2469 releasef(fd); 2470 } 2471 2472 au_uwrite(au_to_arg32(4, "pri", pri)); 2473 } 2474 2475 /*ARGSUSED*/ 2476 static void 2477 aus_putpmsg(struct t_audit_data *tad) 2478 { 2479 klwp_t *clwp = ttolwp(curthread); 2480 uint32_t fd, pri, flags; 2481 struct file *fp; 2482 struct f_audit_data *fad; 2483 2484 struct a { 2485 long fdes; 2486 long ctl; /* struct strbuf * */ 2487 long data; /* struct strbuf * */ 2488 long pri; 2489 long flags; 2490 } *uap = (struct a *)clwp->lwp_ap; 2491 2492 fd = (uint32_t)uap->fdes; 2493 pri = (uint32_t)uap->pri; 2494 flags = (uint32_t)uap->flags; 2495 2496 au_uwrite(au_to_arg32(1, "fd", fd)); 2497 2498 if ((fp = getf(fd)) != NULL) { 2499 fad = F2A(fp); 2500 2501 fad->fad_flags |= FAD_WRITE; 2502 2503 /* add path name to audit record */ 2504 if (fad->fad_aupath != NULL) { 2505 au_uwrite(au_to_path(fad->fad_aupath)); 2506 } 2507 audit_attributes(fp->f_vnode); 2508 2509 releasef(fd); 2510 } 2511 2512 2513 au_uwrite(au_to_arg32(4, "pri", pri)); 2514 au_uwrite(au_to_arg32(5, "flags", flags)); 2515 } 2516 2517 /*ARGSUSED*/ 2518 static void 2519 aus_getmsg(struct t_audit_data *tad) 2520 { 2521 klwp_t *clwp = ttolwp(curthread); 2522 uint32_t fd, pri; 2523 struct file *fp; 2524 struct f_audit_data *fad; 2525 2526 struct a { 2527 long fdes; 2528 long ctl; /* struct strbuf * */ 2529 long data; /* struct strbuf * */ 2530 long pri; 2531 } *uap = (struct a *)clwp->lwp_ap; 2532 2533 fd = (uint32_t)uap->fdes; 2534 pri = (uint32_t)uap->pri; 2535 2536 au_uwrite(au_to_arg32(1, "fd", fd)); 2537 2538 if ((fp = getf(fd)) != NULL) { 2539 fad = F2A(fp); 2540 2541 /* 2542 * read operation on this object 2543 */ 2544 fad->fad_flags |= FAD_READ; 2545 2546 /* add path name to audit record */ 2547 if (fad->fad_aupath != NULL) { 2548 au_uwrite(au_to_path(fad->fad_aupath)); 2549 } 2550 audit_attributes(fp->f_vnode); 2551 2552 releasef(fd); 2553 } 2554 2555 au_uwrite(au_to_arg32(4, "pri", pri)); 2556 } 2557 2558 /*ARGSUSED*/ 2559 static void 2560 aus_getpmsg(struct t_audit_data *tad) 2561 { 2562 klwp_t *clwp = ttolwp(curthread); 2563 uint32_t fd; 2564 struct file *fp; 2565 struct f_audit_data *fad; 2566 2567 struct a { 2568 long fdes; 2569 long ctl; /* struct strbuf * */ 2570 long data; /* struct strbuf * */ 2571 long pri; 2572 long flags; 2573 } *uap = (struct a *)clwp->lwp_ap; 2574 2575 fd = (uint32_t)uap->fdes; 2576 2577 au_uwrite(au_to_arg32(1, "fd", fd)); 2578 2579 if ((fp = getf(fd)) != NULL) { 2580 fad = F2A(fp); 2581 2582 /* 2583 * read operation on this object 2584 */ 2585 fad->fad_flags |= FAD_READ; 2586 2587 /* add path name to audit record */ 2588 if (fad->fad_aupath != NULL) { 2589 au_uwrite(au_to_path(fad->fad_aupath)); 2590 } 2591 audit_attributes(fp->f_vnode); 2592 2593 releasef(fd); 2594 } 2595 } 2596 2597 static au_event_t 2598 aui_auditsys(au_event_t e) 2599 { 2600 klwp_t *clwp = ttolwp(curthread); 2601 uint32_t code; 2602 2603 struct a { 2604 long code; 2605 long a1; 2606 long a2; 2607 long a3; 2608 long a4; 2609 long a5; 2610 long a6; 2611 long a7; 2612 } *uap = (struct a *)clwp->lwp_ap; 2613 2614 code = (uint32_t)uap->code; 2615 2616 switch (code) { 2617 2618 case BSM_GETAUID: 2619 e = AUE_GETAUID; 2620 break; 2621 case BSM_SETAUID: 2622 e = AUE_SETAUID; 2623 break; 2624 case BSM_GETAUDIT: 2625 e = AUE_GETAUDIT; 2626 break; 2627 case BSM_GETAUDIT_ADDR: 2628 e = AUE_GETAUDIT_ADDR; 2629 break; 2630 case BSM_SETAUDIT: 2631 e = AUE_SETAUDIT; 2632 break; 2633 case BSM_SETAUDIT_ADDR: 2634 e = AUE_SETAUDIT_ADDR; 2635 break; 2636 case BSM_AUDIT: 2637 e = AUE_AUDIT; 2638 break; 2639 case BSM_AUDITSVC: 2640 e = AUE_AUDITSVC; 2641 break; 2642 case BSM_GETPORTAUDIT: 2643 e = AUE_GETPORTAUDIT; 2644 break; 2645 case BSM_AUDITON: 2646 case BSM_AUDITCTL: 2647 2648 switch ((uint_t)uap->a1) { 2649 2650 case A_GETPOLICY: 2651 e = AUE_AUDITON_GPOLICY; 2652 break; 2653 case A_SETPOLICY: 2654 e = AUE_AUDITON_SPOLICY; 2655 break; 2656 case A_GETKMASK: 2657 e = AUE_AUDITON_GETKMASK; 2658 break; 2659 case A_SETKMASK: 2660 e = AUE_AUDITON_SETKMASK; 2661 break; 2662 case A_GETQCTRL: 2663 e = AUE_AUDITON_GQCTRL; 2664 break; 2665 case A_SETQCTRL: 2666 e = AUE_AUDITON_SQCTRL; 2667 break; 2668 case A_GETCWD: 2669 e = AUE_AUDITON_GETCWD; 2670 break; 2671 case A_GETCAR: 2672 e = AUE_AUDITON_GETCAR; 2673 break; 2674 case A_GETSTAT: 2675 e = AUE_AUDITON_GETSTAT; 2676 break; 2677 case A_SETSTAT: 2678 e = AUE_AUDITON_SETSTAT; 2679 break; 2680 case A_SETUMASK: 2681 e = AUE_AUDITON_SETUMASK; 2682 break; 2683 case A_SETSMASK: 2684 e = AUE_AUDITON_SETSMASK; 2685 break; 2686 case A_GETCOND: 2687 e = AUE_AUDITON_GETCOND; 2688 break; 2689 case A_SETCOND: 2690 e = AUE_AUDITON_SETCOND; 2691 break; 2692 case A_GETCLASS: 2693 e = AUE_AUDITON_GETCLASS; 2694 break; 2695 case A_SETCLASS: 2696 e = AUE_AUDITON_SETCLASS; 2697 break; 2698 default: 2699 e = AUE_NULL; 2700 break; 2701 } 2702 break; 2703 default: 2704 e = AUE_NULL; 2705 break; 2706 } 2707 2708 return (e); 2709 2710 2711 2712 2713 } /* AUI_AUDITSYS */ 2714 2715 2716 2717 2718 2719 2720 2721 static void 2722 aus_auditsys(struct t_audit_data *tad) 2723 { 2724 klwp_t *clwp = ttolwp(curthread); 2725 uintptr_t a1, a2; 2726 struct file *fp; 2727 struct f_audit_data *fad; 2728 struct vnode *vp; 2729 STRUCT_DECL(auditinfo, ainfo); 2730 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2731 au_evclass_map_t event; 2732 au_mask_t mask; 2733 int auditstate, policy; 2734 au_id_t auid; 2735 2736 2737 struct a { 2738 long code; 2739 long a1; 2740 long a2; 2741 long a3; 2742 long a4; 2743 long a5; 2744 long a6; 2745 long a7; 2746 } *uap = (struct a *)clwp->lwp_ap; 2747 2748 a1 = (uintptr_t)uap->a1; 2749 a2 = (uintptr_t)uap->a2; 2750 2751 switch (tad->tad_event) { 2752 case AUE_SETAUID: 2753 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2754 return; 2755 au_uwrite(au_to_arg32(2, "setauid", auid)); 2756 break; 2757 case AUE_SETAUDIT: 2758 STRUCT_INIT(ainfo, get_udatamodel()); 2759 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2760 STRUCT_SIZE(ainfo))) { 2761 return; 2762 } 2763 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2764 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2765 #ifdef _LP64 2766 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2767 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2768 #else 2769 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2770 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2771 #endif 2772 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2773 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2774 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2775 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2776 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2777 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2778 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2779 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2780 break; 2781 case AUE_SETAUDIT_ADDR: 2782 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2783 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2784 STRUCT_SIZE(ainfo_addr))) { 2785 return; 2786 } 2787 au_uwrite(au_to_arg32((char)1, "auid", 2788 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2789 #ifdef _LP64 2790 au_uwrite(au_to_arg64((char)1, "port", 2791 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2792 #else 2793 au_uwrite(au_to_arg32((char)1, "port", 2794 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2795 #endif 2796 au_uwrite(au_to_arg32((char)1, "type", 2797 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2798 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2799 AU_IPv4) { 2800 au_uwrite(au_to_in_addr( 2801 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2802 ai_termid.at_addr))); 2803 } else { 2804 au_uwrite(au_to_in_addr_ex( 2805 (int32_t *)STRUCT_FGETP(ainfo_addr, 2806 ai_termid.at_addr))); 2807 } 2808 au_uwrite(au_to_arg32((char)1, "as_success", 2809 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2810 au_uwrite(au_to_arg32((char)1, "as_failure", 2811 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2812 au_uwrite(au_to_arg32((char)1, "asid", 2813 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2814 break; 2815 case AUE_AUDITSVC: 2816 /* 2817 * convert file pointer to file descriptor 2818 * Note: fd ref count incremented here 2819 */ 2820 if ((fp = getf((uint_t)a1)) == NULL) 2821 return; 2822 fad = F2A(fp); 2823 if (fad->fad_aupath != NULL) { 2824 au_uwrite(au_to_path(fad->fad_aupath)); 2825 } else { 2826 au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1)); 2827 } 2828 2829 vp = fp->f_vnode; /* include vnode attributes */ 2830 audit_attributes(vp); 2831 2832 /* decrement file descriptor ref count */ 2833 releasef((uint_t)a1); 2834 2835 au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2)); 2836 break; 2837 case AUE_AUDITON_SETKMASK: 2838 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2839 return; 2840 au_uwrite(au_to_arg32( 2841 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2842 au_uwrite(au_to_arg32( 2843 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2844 break; 2845 case AUE_AUDITON_SPOLICY: 2846 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2847 return; 2848 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2849 break; 2850 case AUE_AUDITON_SQCTRL: { 2851 STRUCT_DECL(au_qctrl, qctrl); 2852 model_t model; 2853 2854 model = get_udatamodel(); 2855 STRUCT_INIT(qctrl, model); 2856 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2857 return; 2858 if (model == DATAMODEL_ILP32) { 2859 au_uwrite(au_to_arg32( 2860 3, "setqctrl:aq_hiwater", 2861 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2862 au_uwrite(au_to_arg32( 2863 3, "setqctrl:aq_lowater", 2864 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2865 au_uwrite(au_to_arg32( 2866 3, "setqctrl:aq_bufsz", 2867 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2868 au_uwrite(au_to_arg32( 2869 3, "setqctrl:aq_delay", 2870 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2871 } else { 2872 au_uwrite(au_to_arg64( 2873 3, "setqctrl:aq_hiwater", 2874 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2875 au_uwrite(au_to_arg64( 2876 3, "setqctrl:aq_lowater", 2877 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2878 au_uwrite(au_to_arg64( 2879 3, "setqctrl:aq_bufsz", 2880 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2881 au_uwrite(au_to_arg64( 2882 3, "setqctrl:aq_delay", 2883 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2884 } 2885 break; 2886 } 2887 case AUE_AUDITON_SETUMASK: 2888 STRUCT_INIT(ainfo, get_udatamodel()); 2889 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2890 STRUCT_SIZE(ainfo))) { 2891 return; 2892 } 2893 au_uwrite(au_to_arg32(3, "setumask:as_success", 2894 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2895 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2896 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2897 break; 2898 case AUE_AUDITON_SETSMASK: 2899 STRUCT_INIT(ainfo, get_udatamodel()); 2900 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2901 STRUCT_SIZE(ainfo))) { 2902 return; 2903 } 2904 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2905 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2906 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2907 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2908 break; 2909 case AUE_AUDITON_SETCOND: 2910 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2911 return; 2912 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2913 break; 2914 case AUE_AUDITON_SETCLASS: 2915 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2916 return; 2917 au_uwrite(au_to_arg32( 2918 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2919 au_uwrite(au_to_arg32( 2920 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2921 break; 2922 case AUE_GETAUID: 2923 case AUE_GETAUDIT: 2924 case AUE_GETAUDIT_ADDR: 2925 case AUE_AUDIT: 2926 case AUE_GETPORTAUDIT: 2927 case AUE_AUDITON_GPOLICY: 2928 case AUE_AUDITON_GQCTRL: 2929 case AUE_AUDITON_GETKMASK: 2930 case AUE_AUDITON_GETCWD: 2931 case AUE_AUDITON_GETCAR: 2932 case AUE_AUDITON_GETSTAT: 2933 case AUE_AUDITON_SETSTAT: 2934 case AUE_AUDITON_GETCOND: 2935 case AUE_AUDITON_GETCLASS: 2936 break; 2937 default: 2938 break; 2939 } 2940 2941 } /* AUS_AUDITSYS */ 2942 2943 2944 /* only audit privileged operations for systeminfo(2) system call */ 2945 static au_event_t 2946 aui_sysinfo(au_event_t e) 2947 { 2948 klwp_t *clwp = ttolwp(curthread); 2949 uint32_t command; 2950 2951 struct a { 2952 long command; 2953 long buf; /* char * */ 2954 long count; 2955 } *uap = (struct a *)clwp->lwp_ap; 2956 2957 command = (uint32_t)uap->command; 2958 2959 switch (command) { 2960 case SI_SET_HOSTNAME: 2961 case SI_SET_SRPC_DOMAIN: 2962 e = (au_event_t)AUE_SYSINFO; 2963 break; 2964 default: 2965 e = (au_event_t)AUE_NULL; 2966 break; 2967 } 2968 return (e); 2969 } 2970 2971 /*ARGSUSED*/ 2972 static void 2973 aus_sysinfo(struct t_audit_data *tad) 2974 { 2975 klwp_t *clwp = ttolwp(curthread); 2976 uint32_t command; 2977 size_t len, maxlen; 2978 char *name; 2979 uintptr_t buf; 2980 2981 struct a { 2982 long command; 2983 long buf; /* char * */ 2984 long count; 2985 } *uap = (struct a *)clwp->lwp_ap; 2986 2987 command = (uint32_t)uap->command; 2988 buf = (uintptr_t)uap->buf; 2989 2990 au_uwrite(au_to_arg32(1, "cmd", command)); 2991 2992 switch (command) { 2993 case SI_SET_HOSTNAME: 2994 { 2995 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2996 return; 2997 2998 maxlen = SYS_NMLN; 2999 name = kmem_alloc(maxlen, KM_SLEEP); 3000 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3001 break; 3002 3003 /* 3004 * Must be non-NULL string and string 3005 * must be less than SYS_NMLN chars. 3006 */ 3007 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3008 break; 3009 3010 au_uwrite(au_to_text(name)); 3011 break; 3012 } 3013 3014 case SI_SET_SRPC_DOMAIN: 3015 { 3016 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3017 return; 3018 3019 maxlen = SYS_NMLN; 3020 name = kmem_alloc(maxlen, KM_SLEEP); 3021 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3022 break; 3023 3024 /* 3025 * If string passed in is longer than length 3026 * allowed for domain name, fail. 3027 */ 3028 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3029 break; 3030 3031 au_uwrite(au_to_text(name)); 3032 break; 3033 } 3034 3035 default: 3036 return; 3037 } 3038 3039 kmem_free(name, maxlen); 3040 } 3041 3042 static au_event_t 3043 aui_modctl(au_event_t e) 3044 { 3045 klwp_t *clwp = ttolwp(curthread); 3046 uint_t cmd; 3047 3048 struct a { 3049 long cmd; 3050 } *uap = (struct a *)clwp->lwp_ap; 3051 3052 cmd = (uint_t)uap->cmd; 3053 3054 switch (cmd) { 3055 case MODLOAD: 3056 e = AUE_MODLOAD; 3057 break; 3058 case MODUNLOAD: 3059 e = AUE_MODUNLOAD; 3060 break; 3061 case MODADDMAJBIND: 3062 e = AUE_MODADDMAJ; 3063 break; 3064 case MODSETDEVPOLICY: 3065 e = AUE_MODDEVPLCY; 3066 break; 3067 case MODALLOCPRIV: 3068 e = AUE_MODADDPRIV; 3069 break; 3070 default: 3071 e = AUE_NULL; 3072 break; 3073 } 3074 return (e); 3075 } 3076 3077 3078 /*ARGSUSED*/ 3079 static void 3080 aus_modctl(struct t_audit_data *tad) 3081 { 3082 klwp_t *clwp = ttolwp(curthread); 3083 void *a = clwp->lwp_ap; 3084 uint_t use_path; 3085 3086 switch (tad->tad_event) { 3087 case AUE_MODLOAD: { 3088 typedef struct { 3089 long cmd; 3090 long use_path; 3091 long filename; /* char * */ 3092 } modloada_t; 3093 3094 char *filenamep; 3095 uintptr_t fname; 3096 extern char *default_path; 3097 3098 fname = (uintptr_t)((modloada_t *)a)->filename; 3099 use_path = (uint_t)((modloada_t *)a)->use_path; 3100 3101 /* space to hold path */ 3102 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3103 /* get string */ 3104 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3105 /* free allocated path */ 3106 kmem_free(filenamep, MOD_MAXPATH); 3107 return; 3108 } 3109 /* ensure it's null terminated */ 3110 filenamep[MOD_MAXPATH - 1] = 0; 3111 3112 if (use_path) 3113 au_uwrite(au_to_text(default_path)); 3114 au_uwrite(au_to_text(filenamep)); 3115 3116 /* release temporary memory */ 3117 kmem_free(filenamep, MOD_MAXPATH); 3118 break; 3119 } 3120 case AUE_MODUNLOAD: { 3121 typedef struct { 3122 long cmd; 3123 long id; 3124 } modunloada_t; 3125 3126 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3127 3128 au_uwrite(au_to_arg32(1, "id", id)); 3129 break; 3130 } 3131 case AUE_MODADDMAJ: { 3132 STRUCT_DECL(modconfig, mc); 3133 typedef struct { 3134 long cmd; 3135 long subcmd; 3136 long data; /* int * */ 3137 } modconfiga_t; 3138 3139 STRUCT_DECL(aliases, alias); 3140 caddr_t ap; 3141 int i, num_aliases; 3142 char *drvname, *mc_drvname; 3143 char *name; 3144 extern char *ddi_major_to_name(major_t); 3145 model_t model; 3146 3147 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3148 3149 model = get_udatamodel(); 3150 STRUCT_INIT(mc, model); 3151 /* sanitize buffer */ 3152 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3153 /* get user arguments */ 3154 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3155 STRUCT_SIZE(mc)) != 0) 3156 return; 3157 3158 mc_drvname = STRUCT_FGET(mc, drvname); 3159 if ((drvname = ddi_major_to_name( 3160 (major_t)STRUCT_FGET(mc, major))) != NULL && 3161 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3162 /* safety */ 3163 if (mc_drvname[0] != '\0') { 3164 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3165 au_uwrite(au_to_text(mc_drvname)); 3166 } 3167 /* drvname != NULL from test above */ 3168 au_uwrite(au_to_text(drvname)); 3169 return; 3170 } 3171 3172 if (mc_drvname[0] != '\0') { 3173 /* safety */ 3174 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3175 au_uwrite(au_to_text(mc_drvname)); 3176 } else 3177 au_uwrite(au_to_text("no drvname")); 3178 3179 num_aliases = STRUCT_FGET(mc, num_aliases); 3180 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3181 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3182 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3183 STRUCT_INIT(alias, model); 3184 for (i = 0; i < num_aliases; i++) { 3185 bzero((caddr_t)STRUCT_BUF(alias), 3186 STRUCT_SIZE(alias)); 3187 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3188 STRUCT_SIZE(alias)) != 0) 3189 break; 3190 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3191 MAXMODCONFNAME, NULL) != 0) { 3192 break; 3193 } 3194 3195 au_uwrite(au_to_text(name)); 3196 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3197 } 3198 kmem_free(name, MAXMODCONFNAME); 3199 break; 3200 } 3201 default: 3202 break; 3203 } 3204 } 3205 3206 3207 /*ARGSUSED*/ 3208 static void 3209 auf_accept( 3210 struct t_audit_data *tad, 3211 int error, 3212 rval_t *rval) 3213 { 3214 uint32_t scid; 3215 uint32_t sy_flags; 3216 int fd; 3217 struct sonode *so; 3218 char so_laddr[sizeof (struct sockaddr_in6)]; 3219 char so_faddr[sizeof (struct sockaddr_in6)]; 3220 int err; 3221 int len; 3222 short so_family, so_type; 3223 int add_sock_token = 0; 3224 3225 /* need to determine type of executing binary */ 3226 scid = tad->tad_scid; 3227 #ifdef _SYSCALL32_IMPL 3228 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3229 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3230 else 3231 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3232 #else 3233 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3234 #endif 3235 if (sy_flags == SE_32RVAL1) 3236 fd = rval->r_val1; 3237 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3238 fd = rval->r_val1; 3239 if (sy_flags == SE_64RVAL) 3240 fd = (int)rval->r_vals; 3241 3242 if (error) { 3243 /* can't trust socket contents. Just return */ 3244 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3245 return; 3246 } 3247 3248 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3249 /* 3250 * not security relevant if doing a accept from non socket 3251 * so no extra tokens. Should probably turn off audit record 3252 * generation here. 3253 */ 3254 return; 3255 } 3256 3257 so_family = so->so_family; 3258 so_type = so->so_type; 3259 3260 switch (so_family) { 3261 case AF_INET: 3262 case AF_INET6: 3263 /* 3264 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3265 */ 3266 if (so->so_type == SOCK_STREAM) { 3267 3268 bzero((void *)so_laddr, sizeof (so_laddr)); 3269 bzero((void *)so_faddr, sizeof (so_faddr)); 3270 3271 /* 3272 * no local address then need to get it from lower 3273 * levels. only put out record on first read ala 3274 * AUE_WRITE. 3275 */ 3276 if (so->so_state & SS_ISBOUND) { 3277 /* only done once on a connection */ 3278 (void) SOP_GETSOCKNAME(so); 3279 (void) SOP_GETPEERNAME(so); 3280 3281 /* get local and foreign addresses */ 3282 mutex_enter(&so->so_lock); 3283 len = min(so->so_laddr_len, sizeof (so_laddr)); 3284 bcopy(so->so_laddr_sa, so_laddr, len); 3285 len = min(so->so_faddr_len, sizeof (so_faddr)); 3286 bcopy(so->so_faddr_sa, so_faddr, len); 3287 mutex_exit(&so->so_lock); 3288 } 3289 3290 add_sock_token = 1; 3291 } 3292 break; 3293 3294 default: 3295 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3296 break; 3297 } 3298 3299 releasef(fd); 3300 3301 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3302 3303 if (add_sock_token == 0) { 3304 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3305 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3306 return; 3307 } 3308 3309 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3310 3311 } 3312 3313 /*ARGSUSED*/ 3314 static void 3315 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3316 { 3317 struct a { 3318 long fd; 3319 long addr; 3320 long len; 3321 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3322 3323 struct sonode *so; 3324 char so_laddr[sizeof (struct sockaddr_in6)]; 3325 char so_faddr[sizeof (struct sockaddr_in6)]; 3326 int err, fd; 3327 int len; 3328 short so_family, so_type; 3329 int add_sock_token = 0; 3330 3331 fd = (int)uap->fd; 3332 3333 /* 3334 * bind failed, then nothing extra to add to audit record. 3335 */ 3336 if (error) { 3337 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3338 /* XXX may want to add failed address some day */ 3339 return; 3340 } 3341 3342 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3343 /* 3344 * not security relevant if doing a bind from non socket 3345 * so no extra tokens. Should probably turn off audit record 3346 * generation here. 3347 */ 3348 return; 3349 } 3350 3351 so_family = so->so_family; 3352 so_type = so->so_type; 3353 3354 switch (so_family) { 3355 case AF_INET: 3356 case AF_INET6: 3357 3358 bzero(so_faddr, sizeof (so_faddr)); 3359 3360 if (so->so_state & SS_ISBOUND) { 3361 /* only done once on a connection */ 3362 (void) SOP_GETSOCKNAME(so); 3363 } 3364 3365 mutex_enter(&so->so_lock); 3366 len = min(so->so_laddr_len, sizeof (so_laddr)); 3367 bcopy(so->so_laddr_sa, so_laddr, len); 3368 mutex_exit(&so->so_lock); 3369 3370 add_sock_token = 1; 3371 3372 break; 3373 3374 case AF_UNIX: 3375 /* token added by lookup */ 3376 break; 3377 default: 3378 /* AF_ROUTE, AF_KEY do not support accept */ 3379 break; 3380 } 3381 3382 releasef(fd); 3383 3384 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3385 3386 if (add_sock_token == 0) { 3387 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3388 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3389 return; 3390 } 3391 3392 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3393 3394 } 3395 3396 /*ARGSUSED*/ 3397 static void 3398 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3399 { 3400 struct a { 3401 long fd; 3402 long addr; 3403 long len; 3404 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3405 3406 struct sonode *so; 3407 char so_laddr[sizeof (struct sockaddr_in6)]; 3408 char so_faddr[sizeof (struct sockaddr_in6)]; 3409 int err, fd; 3410 int len; 3411 short so_family, so_type; 3412 int add_sock_token = 0; 3413 3414 fd = (int)uap->fd; 3415 3416 3417 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3418 /* 3419 * not security relevant if doing a connect from non socket 3420 * so no extra tokens. Should probably turn off audit record 3421 * generation here. 3422 */ 3423 return; 3424 } 3425 3426 so_family = so->so_family; 3427 so_type = so->so_type; 3428 3429 switch (so_family) { 3430 case AF_INET: 3431 case AF_INET6: 3432 /* 3433 * no local address then need to get it from lower 3434 * levels. 3435 */ 3436 if (so->so_state & SS_ISBOUND) { 3437 /* only done once on a connection */ 3438 (void) SOP_GETSOCKNAME(so); 3439 (void) SOP_GETPEERNAME(so); 3440 } 3441 3442 bzero(so_laddr, sizeof (so_laddr)); 3443 bzero(so_faddr, sizeof (so_faddr)); 3444 3445 mutex_enter(&so->so_lock); 3446 len = min(so->so_laddr_len, sizeof (so_laddr)); 3447 bcopy(so->so_laddr_sa, so_laddr, len); 3448 if (error) { 3449 mutex_exit(&so->so_lock); 3450 if (uap->addr == NULL) 3451 break; 3452 if (uap->len <= 0) 3453 break; 3454 len = min(uap->len, sizeof (so_faddr)); 3455 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3456 break; 3457 #ifdef NOTYET 3458 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3459 #endif 3460 } else { 3461 /* sanity check on length */ 3462 len = min(so->so_faddr_len, sizeof (so_faddr)); 3463 bcopy(so->so_faddr_sa, so_faddr, len); 3464 mutex_exit(&so->so_lock); 3465 } 3466 3467 add_sock_token = 1; 3468 3469 break; 3470 3471 case AF_UNIX: 3472 /* does a lookup on name */ 3473 break; 3474 3475 default: 3476 /* AF_ROUTE, AF_KEY do not support accept */ 3477 break; 3478 } 3479 3480 releasef(fd); 3481 3482 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3483 3484 if (add_sock_token == 0) { 3485 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3486 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3487 return; 3488 } 3489 3490 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3491 3492 } 3493 3494 /*ARGSUSED*/ 3495 static void 3496 aus_shutdown(struct t_audit_data *tad) 3497 { 3498 struct a { 3499 long fd; 3500 long how; 3501 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3502 3503 struct sonode *so; 3504 char so_laddr[sizeof (struct sockaddr_in6)]; 3505 char so_faddr[sizeof (struct sockaddr_in6)]; 3506 int err, fd; 3507 int len; 3508 short so_family, so_type; 3509 int add_sock_token = 0; 3510 file_t *fp; /* unix domain sockets */ 3511 struct f_audit_data *fad; /* unix domain sockets */ 3512 3513 fd = (int)uap->fd; 3514 3515 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3516 /* 3517 * not security relevant if doing a shutdown using non socket 3518 * so no extra tokens. Should probably turn off audit record 3519 * generation here. 3520 */ 3521 return; 3522 } 3523 3524 so_family = so->so_family; 3525 so_type = so->so_type; 3526 3527 switch (so_family) { 3528 case AF_INET: 3529 case AF_INET6: 3530 3531 bzero(so_laddr, sizeof (so_laddr)); 3532 bzero(so_faddr, sizeof (so_faddr)); 3533 3534 if (so->so_state & SS_ISBOUND) { 3535 /* 3536 * no local address then need to get it from lower 3537 * levels. 3538 */ 3539 if (so->so_laddr_len == 0) 3540 (void) SOP_GETSOCKNAME(so); 3541 if (so->so_faddr_len == 0) 3542 (void) SOP_GETPEERNAME(so); 3543 } 3544 3545 mutex_enter(&so->so_lock); 3546 len = min(so->so_laddr_len, sizeof (so_laddr)); 3547 bcopy(so->so_laddr_sa, so_laddr, len); 3548 len = min(so->so_faddr_len, sizeof (so_faddr)); 3549 bcopy(so->so_faddr_sa, so_faddr, len); 3550 mutex_exit(&so->so_lock); 3551 3552 add_sock_token = 1; 3553 3554 break; 3555 3556 case AF_UNIX: 3557 3558 /* get path from file struct here */ 3559 fad = F2A(fp); 3560 ASSERT(fad); 3561 3562 if (fad->fad_aupath != NULL) { 3563 au_uwrite(au_to_path(fad->fad_aupath)); 3564 } else { 3565 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3566 } 3567 3568 audit_attributes(fp->f_vnode); 3569 3570 break; 3571 3572 default: 3573 /* 3574 * AF_KEY and AF_ROUTE support shutdown. No socket token 3575 * added. 3576 */ 3577 break; 3578 } 3579 3580 releasef(fd); 3581 3582 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3583 3584 if (add_sock_token == 0) { 3585 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3586 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3587 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3588 return; 3589 } 3590 3591 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3592 3593 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3594 3595 } 3596 3597 /*ARGSUSED*/ 3598 static void 3599 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3600 { 3601 struct a { 3602 long fd; 3603 long level; 3604 long optname; 3605 long *optval; 3606 long optlen; 3607 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3608 3609 struct sonode *so; 3610 char so_laddr[sizeof (struct sockaddr_in6)]; 3611 char so_faddr[sizeof (struct sockaddr_in6)]; 3612 char val[AU_BUFSIZE]; 3613 int err, fd; 3614 int len; 3615 short so_family, so_type; 3616 int add_sock_token = 0; 3617 file_t *fp; /* unix domain sockets */ 3618 struct f_audit_data *fad; /* unix domain sockets */ 3619 3620 fd = (int)uap->fd; 3621 3622 if (error) { 3623 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3624 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3625 /* XXX may want to include other arguments */ 3626 return; 3627 } 3628 3629 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3630 /* 3631 * not security relevant if doing a setsockopt from non socket 3632 * so no extra tokens. Should probably turn off audit record 3633 * generation here. 3634 */ 3635 return; 3636 } 3637 3638 so_family = so->so_family; 3639 so_type = so->so_type; 3640 3641 switch (so_family) { 3642 case AF_INET: 3643 case AF_INET6: 3644 3645 bzero((void *)so_laddr, sizeof (so_laddr)); 3646 bzero((void *)so_faddr, sizeof (so_faddr)); 3647 3648 if (so->so_state & SS_ISBOUND) { 3649 if (so->so_laddr_len == 0) 3650 (void) SOP_GETSOCKNAME(so); 3651 if (so->so_faddr_len == 0) 3652 (void) SOP_GETPEERNAME(so); 3653 } 3654 3655 /* get local and foreign addresses */ 3656 mutex_enter(&so->so_lock); 3657 len = min(so->so_laddr_len, sizeof (so_laddr)); 3658 bcopy(so->so_laddr_sa, so_laddr, len); 3659 len = min(so->so_faddr_len, sizeof (so_faddr)); 3660 bcopy(so->so_faddr_sa, so_faddr, len); 3661 mutex_exit(&so->so_lock); 3662 3663 add_sock_token = 1; 3664 3665 break; 3666 3667 case AF_UNIX: 3668 3669 /* get path from file struct here */ 3670 fad = F2A(fp); 3671 ASSERT(fad); 3672 3673 if (fad->fad_aupath != NULL) { 3674 au_uwrite(au_to_path(fad->fad_aupath)); 3675 } else { 3676 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3677 } 3678 3679 audit_attributes(fp->f_vnode); 3680 3681 break; 3682 3683 default: 3684 /* 3685 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3686 * added. 3687 */ 3688 break; 3689 } 3690 3691 releasef(fd); 3692 3693 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3694 3695 if (add_sock_token == 0) { 3696 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3697 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3698 } 3699 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3700 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3701 3702 bzero(val, sizeof (val)); 3703 len = min(uap->optlen, sizeof (val)); 3704 if ((len > 0) && 3705 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3706 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3707 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3708 } 3709 3710 if (add_sock_token == 0) 3711 return; 3712 3713 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3714 3715 } 3716 3717 /*ARGSUSED*/ 3718 static void 3719 aus_sockconfig(tad) 3720 struct t_audit_data *tad; 3721 { 3722 struct a { 3723 long domain; 3724 long type; 3725 long protocol; 3726 long devpath; 3727 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3728 3729 char *kdevpath; 3730 int kdevpathlen = MAXPATHLEN + 1; 3731 size_t size; 3732 3733 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3734 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3735 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3736 3737 if (uap->devpath == 0) { 3738 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3739 } else { 3740 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3741 3742 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3743 &size)) { 3744 kmem_free(kdevpath, kdevpathlen); 3745 return; 3746 } 3747 3748 if (size > MAXPATHLEN) { 3749 kmem_free(kdevpath, kdevpathlen); 3750 return; 3751 } 3752 3753 au_uwrite(au_to_text(kdevpath)); 3754 kmem_free(kdevpath, kdevpathlen); 3755 } 3756 } 3757 3758 /* 3759 * only audit recvmsg when the system call represents the creation of a new 3760 * circuit. This effectively occurs for all UDP packets and may occur for 3761 * special TCP situations where the local host has not set a local address 3762 * in the socket structure. 3763 */ 3764 /*ARGSUSED*/ 3765 static void 3766 auf_recvmsg( 3767 struct t_audit_data *tad, 3768 int error, 3769 rval_t *rvp) 3770 { 3771 struct a { 3772 long fd; 3773 long msg; /* struct msghdr */ 3774 long flags; 3775 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3776 3777 struct sonode *so; 3778 STRUCT_DECL(msghdr, msg); 3779 caddr_t msg_name; 3780 socklen_t msg_namelen; 3781 int fd; 3782 int err; 3783 char so_laddr[sizeof (struct sockaddr_in6)]; 3784 char so_faddr[sizeof (struct sockaddr_in6)]; 3785 int len; 3786 file_t *fp; /* unix domain sockets */ 3787 struct f_audit_data *fad; /* unix domain sockets */ 3788 short so_family, so_type; 3789 int add_sock_token = 0; 3790 au_kcontext_t *kctx = GET_KCTX_PZ; 3791 3792 fd = (int)uap->fd; 3793 3794 /* bail if an error */ 3795 if (error) { 3796 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3797 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3798 return; 3799 } 3800 3801 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3802 /* 3803 * not security relevant if doing a recvmsg from non socket 3804 * so no extra tokens. Should probably turn off audit record 3805 * generation here. 3806 */ 3807 return; 3808 } 3809 3810 so_family = so->so_family; 3811 so_type = so->so_type; 3812 3813 /* 3814 * only putout SOCKET_EX token if INET/INET6 family. 3815 * XXX - what do we do about other families? 3816 */ 3817 3818 switch (so_family) { 3819 case AF_INET: 3820 case AF_INET6: 3821 3822 /* 3823 * if datagram type socket, then just use what is in 3824 * socket structure for local address. 3825 * XXX - what do we do for other types? 3826 */ 3827 if ((so->so_type == SOCK_DGRAM) || 3828 (so->so_type == SOCK_RAW)) { 3829 add_sock_token = 1; 3830 3831 bzero((void *)so_laddr, sizeof (so_laddr)); 3832 bzero((void *)so_faddr, sizeof (so_faddr)); 3833 3834 /* get local address */ 3835 mutex_enter(&so->so_lock); 3836 len = min(so->so_laddr_len, sizeof (so_laddr)); 3837 bcopy(so->so_laddr_sa, so_laddr, len); 3838 mutex_exit(&so->so_lock); 3839 3840 /* get peer address */ 3841 STRUCT_INIT(msg, get_udatamodel()); 3842 3843 if (copyin((caddr_t)(uap->msg), 3844 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3845 break; 3846 } 3847 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3848 if (msg_name == NULL) { 3849 break; 3850 } 3851 3852 /* length is value from recvmsg - sanity check */ 3853 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3854 if (msg_namelen == 0) { 3855 break; 3856 } 3857 if (copyin(msg_name, so_faddr, 3858 sizeof (so_faddr)) != 0) { 3859 break; 3860 } 3861 3862 } else if (so->so_type == SOCK_STREAM) { 3863 3864 /* get path from file struct here */ 3865 fad = F2A(fp); 3866 ASSERT(fad); 3867 3868 /* 3869 * already processed this file for read attempt 3870 */ 3871 if (fad->fad_flags & FAD_READ) { 3872 /* don't want to audit every recvmsg attempt */ 3873 tad->tad_flag = 0; 3874 /* free any residual audit data */ 3875 au_close(kctx, &(u_ad), 0, 0, 0); 3876 releasef(fd); 3877 return; 3878 } 3879 /* 3880 * mark things so we know what happened and don't 3881 * repeat things 3882 */ 3883 fad->fad_flags |= FAD_READ; 3884 3885 bzero((void *)so_laddr, sizeof (so_laddr)); 3886 bzero((void *)so_faddr, sizeof (so_faddr)); 3887 3888 if (so->so_state & SS_ISBOUND) { 3889 3890 if (so->so_laddr_len == 0) 3891 (void) SOP_GETSOCKNAME(so); 3892 if (so->so_faddr_len == 0) 3893 (void) SOP_GETPEERNAME(so); 3894 3895 /* get local and foreign addresses */ 3896 mutex_enter(&so->so_lock); 3897 len = min(so->so_laddr_len, sizeof (so_laddr)); 3898 bcopy(so->so_laddr_sa, so_laddr, len); 3899 len = min(so->so_faddr_len, sizeof (so_faddr)); 3900 bcopy(so->so_faddr_sa, so_faddr, len); 3901 mutex_exit(&so->so_lock); 3902 } 3903 3904 add_sock_token = 1; 3905 } 3906 3907 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3908 3909 break; 3910 3911 case AF_UNIX: 3912 /* 3913 * first check if this is first time through. Too much 3914 * duplicate code to put this in an aui_ routine. 3915 */ 3916 3917 /* get path from file struct here */ 3918 fad = F2A(fp); 3919 ASSERT(fad); 3920 3921 /* 3922 * already processed this file for read attempt 3923 */ 3924 if (fad->fad_flags & FAD_READ) { 3925 releasef(fd); 3926 /* don't want to audit every recvmsg attempt */ 3927 tad->tad_flag = 0; 3928 /* free any residual audit data */ 3929 au_close(kctx, &(u_ad), 0, 0, 0); 3930 return; 3931 } 3932 /* 3933 * mark things so we know what happened and don't 3934 * repeat things 3935 */ 3936 fad->fad_flags |= FAD_READ; 3937 3938 if (fad->fad_aupath != NULL) { 3939 au_uwrite(au_to_path(fad->fad_aupath)); 3940 } else { 3941 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3942 } 3943 3944 audit_attributes(fp->f_vnode); 3945 3946 releasef(fd); 3947 3948 return; 3949 3950 default: 3951 break; 3952 3953 } 3954 3955 releasef(fd); 3956 3957 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3958 3959 if (add_sock_token == 0) { 3960 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 3961 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 3962 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3963 return; 3964 } 3965 3966 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3967 3968 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3969 3970 } 3971 3972 /*ARGSUSED*/ 3973 static void 3974 auf_recvfrom( 3975 struct t_audit_data *tad, 3976 int error, 3977 rval_t *rvp) 3978 { 3979 3980 struct a { 3981 long fd; 3982 long msg; /* char */ 3983 long len; 3984 long flags; 3985 long from; /* struct sockaddr */ 3986 long fromlen; 3987 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3988 3989 socklen_t fromlen; 3990 struct sonode *so; 3991 char so_laddr[sizeof (struct sockaddr_in6)]; 3992 char so_faddr[sizeof (struct sockaddr_in6)]; 3993 int fd; 3994 short so_family, so_type; 3995 int add_sock_token = 0; 3996 int len; 3997 int err; 3998 struct file *fp; 3999 struct f_audit_data *fad; /* unix domain sockets */ 4000 au_kcontext_t *kctx = GET_KCTX_PZ; 4001 4002 fd = (int)uap->fd; 4003 4004 /* bail if an error */ 4005 if (error) { 4006 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4007 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4008 return; 4009 } 4010 4011 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4012 /* 4013 * not security relevant if doing a recvmsg from non socket 4014 * so no extra tokens. Should probably turn off audit record 4015 * generation here. 4016 */ 4017 return; 4018 } 4019 4020 so_family = so->so_family; 4021 so_type = so->so_type; 4022 4023 /* 4024 * only putout SOCKET_EX token if INET/INET6 family. 4025 * XXX - what do we do about other families? 4026 */ 4027 4028 switch (so_family) { 4029 case AF_INET: 4030 case AF_INET6: 4031 4032 /* 4033 * if datagram type socket, then just use what is in 4034 * socket structure for local address. 4035 * XXX - what do we do for other types? 4036 */ 4037 if ((so->so_type == SOCK_DGRAM) || 4038 (so->so_type == SOCK_RAW)) { 4039 add_sock_token = 1; 4040 4041 /* get local address */ 4042 mutex_enter(&so->so_lock); 4043 len = min(so->so_laddr_len, sizeof (so_laddr)); 4044 bcopy(so->so_laddr_sa, so_laddr, len); 4045 mutex_exit(&so->so_lock); 4046 4047 /* get peer address */ 4048 bzero((void *)so_faddr, sizeof (so_faddr)); 4049 4050 /* sanity check */ 4051 if (uap->from == NULL) 4052 break; 4053 4054 /* sanity checks */ 4055 if (uap->fromlen == 0) 4056 break; 4057 4058 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4059 sizeof (fromlen)) != 0) 4060 break; 4061 4062 if (fromlen == 0) 4063 break; 4064 4065 /* enforce maximum size */ 4066 if (fromlen > sizeof (so_faddr)) 4067 fromlen = sizeof (so_faddr); 4068 4069 if (copyin((caddr_t)(uap->from), so_faddr, 4070 fromlen) != 0) 4071 break; 4072 4073 } else if (so->so_type == SOCK_STREAM) { 4074 4075 /* get path from file struct here */ 4076 fad = F2A(fp); 4077 ASSERT(fad); 4078 4079 /* 4080 * already processed this file for read attempt 4081 */ 4082 if (fad->fad_flags & FAD_READ) { 4083 /* don't want to audit every recvfrom attempt */ 4084 tad->tad_flag = 0; 4085 /* free any residual audit data */ 4086 au_close(kctx, &(u_ad), 0, 0, 0); 4087 releasef(fd); 4088 return; 4089 } 4090 /* 4091 * mark things so we know what happened and don't 4092 * repeat things 4093 */ 4094 fad->fad_flags |= FAD_READ; 4095 4096 bzero((void *)so_laddr, sizeof (so_laddr)); 4097 bzero((void *)so_faddr, sizeof (so_faddr)); 4098 4099 if (so->so_state & SS_ISBOUND) { 4100 4101 if (so->so_laddr_len == 0) 4102 (void) SOP_GETSOCKNAME(so); 4103 if (so->so_faddr_len == 0) 4104 (void) SOP_GETPEERNAME(so); 4105 4106 /* get local and foreign addresses */ 4107 mutex_enter(&so->so_lock); 4108 len = min(so->so_laddr_len, sizeof (so_laddr)); 4109 bcopy(so->so_laddr_sa, so_laddr, len); 4110 len = min(so->so_faddr_len, sizeof (so_faddr)); 4111 bcopy(so->so_faddr_sa, so_faddr, len); 4112 mutex_exit(&so->so_lock); 4113 } 4114 4115 add_sock_token = 1; 4116 } 4117 4118 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4119 4120 break; 4121 4122 case AF_UNIX: 4123 /* 4124 * first check if this is first time through. Too much 4125 * duplicate code to put this in an aui_ routine. 4126 */ 4127 4128 /* get path from file struct here */ 4129 fad = F2A(fp); 4130 ASSERT(fad); 4131 4132 /* 4133 * already processed this file for read attempt 4134 */ 4135 if (fad->fad_flags & FAD_READ) { 4136 /* don't want to audit every recvfrom attempt */ 4137 tad->tad_flag = 0; 4138 /* free any residual audit data */ 4139 au_close(kctx, &(u_ad), 0, 0, 0); 4140 releasef(fd); 4141 return; 4142 } 4143 /* 4144 * mark things so we know what happened and don't 4145 * repeat things 4146 */ 4147 fad->fad_flags |= FAD_READ; 4148 4149 if (fad->fad_aupath != NULL) { 4150 au_uwrite(au_to_path(fad->fad_aupath)); 4151 } else { 4152 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4153 } 4154 4155 audit_attributes(fp->f_vnode); 4156 4157 releasef(fd); 4158 4159 return; 4160 4161 default: 4162 break; 4163 4164 } 4165 4166 releasef(fd); 4167 4168 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4169 4170 if (add_sock_token == 0) { 4171 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4172 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4173 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4174 return; 4175 } 4176 4177 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4178 4179 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4180 } 4181 4182 /*ARGSUSED*/ 4183 static void 4184 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4185 { 4186 struct a { 4187 long fd; 4188 long msg; /* struct msghdr */ 4189 long flags; 4190 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4191 4192 struct sonode *so; 4193 char so_laddr[sizeof (struct sockaddr_in6)]; 4194 char so_faddr[sizeof (struct sockaddr_in6)]; 4195 int err; 4196 int fd; 4197 short so_family, so_type; 4198 int add_sock_token = 0; 4199 int len; 4200 struct file *fp; 4201 struct f_audit_data *fad; 4202 caddr_t msg_name; 4203 socklen_t msg_namelen; 4204 STRUCT_DECL(msghdr, msg); 4205 au_kcontext_t *kctx = GET_KCTX_PZ; 4206 4207 fd = (int)uap->fd; 4208 4209 /* bail if an error */ 4210 if (error) { 4211 /* XXX include destination address from system call arguments */ 4212 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4213 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4214 return; 4215 } 4216 4217 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4218 /* 4219 * not security relevant if doing a sendmsg from non socket 4220 * so no extra tokens. Should probably turn off audit record 4221 * generation here. 4222 */ 4223 return; 4224 } 4225 4226 so_family = so->so_family; 4227 so_type = so->so_type; 4228 4229 switch (so_family) { 4230 case AF_INET: 4231 case AF_INET6: 4232 /* 4233 * if datagram type socket, then just use what is in 4234 * socket structure for local address. 4235 * XXX - what do we do for other types? 4236 */ 4237 if ((so->so_type == SOCK_DGRAM) || 4238 (so->so_type == SOCK_RAW)) { 4239 4240 bzero((void *)so_laddr, sizeof (so_laddr)); 4241 bzero((void *)so_faddr, sizeof (so_faddr)); 4242 4243 /* get local address */ 4244 mutex_enter(&so->so_lock); 4245 len = min(so->so_laddr_len, sizeof (so_laddr)); 4246 bcopy(so->so_laddr_sa, so_laddr, len); 4247 mutex_exit(&so->so_lock); 4248 4249 /* get peer address */ 4250 STRUCT_INIT(msg, get_udatamodel()); 4251 4252 if (copyin((caddr_t)(uap->msg), 4253 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4254 break; 4255 } 4256 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4257 if (msg_name == NULL) 4258 break; 4259 4260 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4261 /* length is value from recvmsg - sanity check */ 4262 if (msg_namelen == 0) 4263 break; 4264 4265 if (copyin(msg_name, so_faddr, 4266 sizeof (so_faddr)) != 0) 4267 break; 4268 4269 add_sock_token = 1; 4270 4271 } else if (so->so_type == SOCK_STREAM) { 4272 4273 /* get path from file struct here */ 4274 fad = F2A(fp); 4275 ASSERT(fad); 4276 4277 /* 4278 * already processed this file for write attempt 4279 */ 4280 if (fad->fad_flags & FAD_WRITE) { 4281 releasef(fd); 4282 /* don't want to audit every sendmsg attempt */ 4283 tad->tad_flag = 0; 4284 /* free any residual audit data */ 4285 au_close(kctx, &(u_ad), 0, 0, 0); 4286 return; 4287 } 4288 4289 /* 4290 * mark things so we know what happened and don't 4291 * repeat things 4292 */ 4293 fad->fad_flags |= FAD_WRITE; 4294 4295 bzero((void *)so_laddr, sizeof (so_laddr)); 4296 bzero((void *)so_faddr, sizeof (so_faddr)); 4297 4298 if (so->so_state & SS_ISBOUND) { 4299 4300 if (so->so_laddr_len == 0) 4301 (void) SOP_GETSOCKNAME(so); 4302 if (so->so_faddr_len == 0) 4303 (void) SOP_GETPEERNAME(so); 4304 4305 /* get local and foreign addresses */ 4306 mutex_enter(&so->so_lock); 4307 len = min(so->so_laddr_len, sizeof (so_laddr)); 4308 bcopy(so->so_laddr_sa, so_laddr, len); 4309 len = min(so->so_faddr_len, sizeof (so_faddr)); 4310 bcopy(so->so_faddr_sa, so_faddr, len); 4311 mutex_exit(&so->so_lock); 4312 } 4313 4314 add_sock_token = 1; 4315 } 4316 4317 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4318 4319 break; 4320 4321 case AF_UNIX: 4322 /* 4323 * first check if this is first time through. Too much 4324 * duplicate code to put this in an aui_ routine. 4325 */ 4326 4327 /* get path from file struct here */ 4328 fad = F2A(fp); 4329 ASSERT(fad); 4330 4331 /* 4332 * already processed this file for write attempt 4333 */ 4334 if (fad->fad_flags & FAD_WRITE) { 4335 releasef(fd); 4336 /* don't want to audit every sendmsg attempt */ 4337 tad->tad_flag = 0; 4338 /* free any residual audit data */ 4339 au_close(kctx, &(u_ad), 0, 0, 0); 4340 return; 4341 } 4342 /* 4343 * mark things so we know what happened and don't 4344 * repeat things 4345 */ 4346 fad->fad_flags |= FAD_WRITE; 4347 4348 if (fad->fad_aupath != NULL) { 4349 au_uwrite(au_to_path(fad->fad_aupath)); 4350 } else { 4351 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4352 } 4353 4354 audit_attributes(fp->f_vnode); 4355 4356 releasef(fd); 4357 4358 return; 4359 4360 default: 4361 break; 4362 } 4363 4364 releasef(fd); 4365 4366 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4367 4368 if (add_sock_token == 0) { 4369 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4370 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4371 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4372 return; 4373 } 4374 4375 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4376 4377 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4378 } 4379 4380 /*ARGSUSED*/ 4381 static void 4382 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4383 { 4384 struct a { 4385 long fd; 4386 long msg; /* char */ 4387 long len; 4388 long flags; 4389 long to; /* struct sockaddr */ 4390 long tolen; 4391 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4392 4393 struct sonode *so; 4394 char so_laddr[sizeof (struct sockaddr_in6)]; 4395 char so_faddr[sizeof (struct sockaddr_in6)]; 4396 socklen_t tolen; 4397 int err; 4398 int fd; 4399 int len; 4400 short so_family, so_type; 4401 int add_sock_token = 0; 4402 struct file *fp; 4403 struct f_audit_data *fad; 4404 au_kcontext_t *kctx = GET_KCTX_PZ; 4405 4406 fd = (int)uap->fd; 4407 4408 /* bail if an error */ 4409 if (error) { 4410 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4411 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4412 /* XXX include destination address from system call arguments */ 4413 return; 4414 } 4415 4416 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4417 /* 4418 * not security relevant if doing a sendto using non socket 4419 * so no extra tokens. Should probably turn off audit record 4420 * generation here. 4421 */ 4422 return; 4423 } 4424 4425 so_family = so->so_family; 4426 so_type = so->so_type; 4427 4428 /* 4429 * only putout SOCKET_EX token if INET/INET6 family. 4430 * XXX - what do we do about other families? 4431 */ 4432 4433 switch (so_family) { 4434 case AF_INET: 4435 case AF_INET6: 4436 4437 /* 4438 * if datagram type socket, then just use what is in 4439 * socket structure for local address. 4440 * XXX - what do we do for other types? 4441 */ 4442 if ((so->so_type == SOCK_DGRAM) || 4443 (so->so_type == SOCK_RAW)) { 4444 4445 bzero((void *)so_laddr, sizeof (so_laddr)); 4446 bzero((void *)so_faddr, sizeof (so_faddr)); 4447 4448 /* get local address */ 4449 mutex_enter(&so->so_lock); 4450 len = min(so->so_laddr_len, sizeof (so_laddr)); 4451 bcopy(so->so_laddr_sa, so_laddr, len); 4452 mutex_exit(&so->so_lock); 4453 4454 /* get peer address */ 4455 4456 /* sanity check */ 4457 if (uap->to == NULL) 4458 break; 4459 4460 /* sanity checks */ 4461 if (uap->tolen == 0) 4462 break; 4463 4464 tolen = (socklen_t)uap->tolen; 4465 4466 /* enforce maximum size */ 4467 if (tolen > sizeof (so_faddr)) 4468 tolen = sizeof (so_faddr); 4469 4470 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4471 break; 4472 4473 add_sock_token = 1; 4474 } else { 4475 /* 4476 * check if this is first time through. 4477 */ 4478 4479 /* get path from file struct here */ 4480 fad = F2A(fp); 4481 ASSERT(fad); 4482 4483 /* 4484 * already processed this file for write attempt 4485 */ 4486 if (fad->fad_flags & FAD_WRITE) { 4487 /* don't want to audit every sendto attempt */ 4488 tad->tad_flag = 0; 4489 /* free any residual audit data */ 4490 au_close(kctx, &(u_ad), 0, 0, 0); 4491 releasef(fd); 4492 return; 4493 } 4494 /* 4495 * mark things so we know what happened and don't 4496 * repeat things 4497 */ 4498 fad->fad_flags |= FAD_WRITE; 4499 4500 bzero((void *)so_laddr, sizeof (so_laddr)); 4501 bzero((void *)so_faddr, sizeof (so_faddr)); 4502 4503 if (so->so_state & SS_ISBOUND) { 4504 4505 if (so->so_laddr_len == 0) 4506 (void) SOP_GETSOCKNAME(so); 4507 if (so->so_faddr_len == 0) 4508 (void) SOP_GETPEERNAME(so); 4509 4510 /* get local and foreign addresses */ 4511 mutex_enter(&so->so_lock); 4512 len = min(so->so_laddr_len, sizeof (so_laddr)); 4513 bcopy(so->so_laddr_sa, so_laddr, len); 4514 len = min(so->so_faddr_len, sizeof (so_faddr)); 4515 bcopy(so->so_faddr_sa, so_faddr, len); 4516 mutex_exit(&so->so_lock); 4517 } 4518 4519 add_sock_token = 1; 4520 } 4521 4522 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4523 4524 break; 4525 4526 case AF_UNIX: 4527 /* 4528 * first check if this is first time through. Too much 4529 * duplicate code to put this in an aui_ routine. 4530 */ 4531 4532 /* get path from file struct here */ 4533 fad = F2A(fp); 4534 ASSERT(fad); 4535 4536 /* 4537 * already processed this file for write attempt 4538 */ 4539 if (fad->fad_flags & FAD_WRITE) { 4540 /* don't want to audit every sendto attempt */ 4541 tad->tad_flag = 0; 4542 /* free any residual audit data */ 4543 au_close(kctx, &(u_ad), 0, 0, 0); 4544 releasef(fd); 4545 return; 4546 } 4547 /* 4548 * mark things so we know what happened and don't 4549 * repeat things 4550 */ 4551 fad->fad_flags |= FAD_WRITE; 4552 4553 if (fad->fad_aupath != NULL) { 4554 au_uwrite(au_to_path(fad->fad_aupath)); 4555 } else { 4556 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4557 } 4558 4559 audit_attributes(fp->f_vnode); 4560 4561 releasef(fd); 4562 4563 return; 4564 4565 default: 4566 break; 4567 4568 } 4569 4570 releasef(fd); 4571 4572 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4573 4574 if (add_sock_token == 0) { 4575 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4576 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4577 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4578 return; 4579 } 4580 4581 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4582 4583 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4584 4585 } 4586 4587 /* 4588 * XXX socket(2) may be equivilent to open(2) on a unix domain 4589 * socket. This needs investigation. 4590 */ 4591 4592 /*ARGSUSED*/ 4593 static void 4594 aus_socket(struct t_audit_data *tad) 4595 { 4596 struct a { 4597 long domain; 4598 long type; 4599 long protocol; 4600 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4601 4602 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4603 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4604 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4605 } 4606 4607 /*ARGSUSED*/ 4608 static void 4609 aus_sigqueue(struct t_audit_data *tad) 4610 { 4611 struct a { 4612 long pid; 4613 long signo; 4614 long *val; 4615 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4616 struct proc *p; 4617 uid_t uid, ruid; 4618 gid_t gid, rgid; 4619 pid_t pid; 4620 const auditinfo_addr_t *ainfo; 4621 cred_t *cr; 4622 4623 pid = (pid_t)uap->pid; 4624 4625 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4626 if (pid > 0) { 4627 mutex_enter(&pidlock); 4628 if ((p = prfind(pid)) == (struct proc *)0) { 4629 mutex_exit(&pidlock); 4630 return; 4631 } 4632 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4633 mutex_exit(&pidlock); 4634 4635 mutex_enter(&p->p_crlock); 4636 crhold(cr = p->p_cred); 4637 mutex_exit(&p->p_crlock); 4638 mutex_exit(&p->p_lock); 4639 4640 ainfo = crgetauinfo(cr); 4641 if (ainfo == NULL) { 4642 crfree(cr); 4643 return; 4644 } 4645 4646 uid = crgetuid(cr); 4647 gid = crgetgid(cr); 4648 ruid = crgetruid(cr); 4649 rgid = crgetrgid(cr); 4650 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4651 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4652 crfree(cr); 4653 } 4654 else 4655 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4656 } 4657 4658 /*ARGSUSED*/ 4659 static void 4660 aus_inst_sync(struct t_audit_data *tad) 4661 { 4662 struct a { 4663 long name; /* char */ 4664 long flags; 4665 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4666 4667 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4668 } 4669 4670 /*ARGSUSED*/ 4671 static void 4672 aus_brandsys(struct t_audit_data *tad) 4673 { 4674 klwp_t *clwp = ttolwp(curthread); 4675 4676 struct a { 4677 long cmd; 4678 long arg1; 4679 long arg2; 4680 long arg3; 4681 long arg4; 4682 long arg5; 4683 long arg6; 4684 } *uap = (struct a *)clwp->lwp_ap; 4685 4686 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4687 #ifdef _LP64 4688 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4689 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4690 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4691 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4692 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4693 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4694 #else 4695 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4696 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4697 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4698 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4699 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4700 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4701 #endif 4702 } 4703 4704 /*ARGSUSED*/ 4705 static void 4706 aus_p_online(struct t_audit_data *tad) 4707 { 4708 struct a { 4709 long processor_id; 4710 long flag; 4711 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4712 4713 struct flags { 4714 int flag; 4715 char *cflag; 4716 } aflags[6] = { 4717 { P_ONLINE, "P_ONLINE"}, 4718 { P_OFFLINE, "P_OFFLINE"}, 4719 { P_NOINTR, "P_NOINTR"}, 4720 { P_SPARE, "P_SPARE"}, 4721 { P_FAULTED, "P_FAULTED"}, 4722 { P_STATUS, "P_STATUS"} 4723 }; 4724 int i; 4725 char *cflag; 4726 4727 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4728 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4729 4730 for (i = 0; i < 6; i++) { 4731 if (aflags[i].flag == uap->flag) 4732 break; 4733 } 4734 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4735 4736 au_uwrite(au_to_text(cflag)); 4737 } 4738 4739 /*ARGSUSED*/ 4740 static void 4741 aus_processor_bind(struct t_audit_data *tad) 4742 { 4743 struct a { 4744 long id_type; 4745 long id; 4746 long processor_id; 4747 long obind; 4748 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4749 4750 struct proc *p; 4751 int lwpcnt; 4752 uid_t uid, ruid; 4753 gid_t gid, rgid; 4754 pid_t pid; 4755 const auditinfo_addr_t *ainfo; 4756 cred_t *cr; 4757 4758 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4759 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4760 if (uap->processor_id == PBIND_NONE) 4761 au_uwrite(au_to_text("PBIND_NONE")); 4762 else 4763 au_uwrite(au_to_arg32(3, "processor_id", 4764 (uint32_t)uap->processor_id)); 4765 4766 switch (uap->id_type) { 4767 case P_MYID: 4768 case P_LWPID: 4769 mutex_enter(&pidlock); 4770 p = ttoproc(curthread); 4771 if (p == NULL || p->p_as == &kas) { 4772 mutex_exit(&pidlock); 4773 return; 4774 } 4775 mutex_enter(&p->p_lock); 4776 mutex_exit(&pidlock); 4777 lwpcnt = p->p_lwpcnt; 4778 pid = p->p_pid; 4779 4780 mutex_enter(&p->p_crlock); 4781 crhold(cr = p->p_cred); 4782 mutex_exit(&p->p_crlock); 4783 mutex_exit(&p->p_lock); 4784 4785 ainfo = crgetauinfo(cr); 4786 if (ainfo == NULL) { 4787 crfree(cr); 4788 return; 4789 } 4790 4791 uid = crgetuid(cr); 4792 gid = crgetgid(cr); 4793 ruid = crgetruid(cr); 4794 rgid = crgetrgid(cr); 4795 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4796 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4797 crfree(cr); 4798 break; 4799 case P_PID: 4800 mutex_enter(&pidlock); 4801 p = prfind(uap->id); 4802 if (p == NULL || p->p_as == &kas) { 4803 mutex_exit(&pidlock); 4804 return; 4805 } 4806 mutex_enter(&p->p_lock); 4807 mutex_exit(&pidlock); 4808 lwpcnt = p->p_lwpcnt; 4809 pid = p->p_pid; 4810 4811 mutex_enter(&p->p_crlock); 4812 crhold(cr = p->p_cred); 4813 mutex_exit(&p->p_crlock); 4814 mutex_exit(&p->p_lock); 4815 4816 ainfo = crgetauinfo(cr); 4817 if (ainfo == NULL) { 4818 crfree(cr); 4819 return; 4820 } 4821 4822 uid = crgetuid(cr); 4823 gid = crgetgid(cr); 4824 ruid = crgetruid(cr); 4825 rgid = crgetrgid(cr); 4826 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4827 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4828 crfree(cr); 4829 4830 break; 4831 default: 4832 return; 4833 } 4834 4835 if (uap->processor_id == PBIND_NONE && 4836 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4837 au_uwrite(au_to_text("PBIND_NONE for process")); 4838 else 4839 au_uwrite(au_to_arg32(3, "processor_id", 4840 (uint32_t)uap->processor_id)); 4841 } 4842 4843 /*ARGSUSED*/ 4844 static au_event_t 4845 aui_doorfs(au_event_t e) 4846 { 4847 uint32_t code; 4848 4849 struct a { /* doorfs */ 4850 long a1; 4851 long a2; 4852 long a3; 4853 long a4; 4854 long a5; 4855 long code; 4856 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4857 4858 /* 4859 * audit formats for several of the 4860 * door calls have not yet been determined 4861 */ 4862 code = (uint32_t)uap->code; 4863 switch (code) { 4864 case DOOR_CALL: 4865 e = AUE_DOORFS_DOOR_CALL; 4866 break; 4867 case DOOR_RETURN: 4868 e = AUE_NULL; 4869 break; 4870 case DOOR_CREATE: 4871 e = AUE_DOORFS_DOOR_CREATE; 4872 break; 4873 case DOOR_REVOKE: 4874 e = AUE_DOORFS_DOOR_REVOKE; 4875 break; 4876 case DOOR_INFO: 4877 e = AUE_NULL; 4878 break; 4879 case DOOR_UCRED: 4880 e = AUE_NULL; 4881 break; 4882 case DOOR_BIND: 4883 e = AUE_NULL; 4884 break; 4885 case DOOR_UNBIND: 4886 e = AUE_NULL; 4887 break; 4888 case DOOR_GETPARAM: 4889 e = AUE_NULL; 4890 break; 4891 case DOOR_SETPARAM: 4892 e = AUE_NULL; 4893 break; 4894 default: /* illegal system call */ 4895 e = AUE_NULL; 4896 break; 4897 } 4898 4899 return (e); 4900 } 4901 4902 static door_node_t * 4903 au_door_lookup(int did) 4904 { 4905 vnode_t *vp; 4906 file_t *fp; 4907 4908 if ((fp = getf(did)) == NULL) 4909 return (NULL); 4910 /* 4911 * Use the underlying vnode (we may be namefs mounted) 4912 */ 4913 if (VOP_REALVP(fp->f_vnode, &vp)) 4914 vp = fp->f_vnode; 4915 4916 if (vp == NULL || vp->v_type != VDOOR) { 4917 releasef(did); 4918 return (NULL); 4919 } 4920 4921 return (VTOD(vp)); 4922 } 4923 4924 /*ARGSUSED*/ 4925 static void 4926 aus_doorfs(struct t_audit_data *tad) 4927 { 4928 4929 struct a { /* doorfs */ 4930 long a1; 4931 long a2; 4932 long a3; 4933 long a4; 4934 long a5; 4935 long code; 4936 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4937 4938 door_node_t *dp; 4939 struct proc *p; 4940 uint32_t did; 4941 uid_t uid, ruid; 4942 gid_t gid, rgid; 4943 pid_t pid; 4944 const auditinfo_addr_t *ainfo; 4945 cred_t *cr; 4946 4947 did = (uint32_t)uap->a1; 4948 4949 switch (tad->tad_event) { 4950 case AUE_DOORFS_DOOR_CALL: 4951 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4952 if ((dp = au_door_lookup(did)) == NULL) 4953 break; 4954 4955 if (DOOR_INVALID(dp)) { 4956 releasef(did); 4957 break; 4958 } 4959 4960 if ((p = dp->door_target) == NULL) { 4961 releasef(did); 4962 break; 4963 } 4964 mutex_enter(&p->p_lock); 4965 releasef(did); 4966 4967 pid = p->p_pid; 4968 4969 mutex_enter(&p->p_crlock); 4970 crhold(cr = p->p_cred); 4971 mutex_exit(&p->p_crlock); 4972 mutex_exit(&p->p_lock); 4973 4974 ainfo = crgetauinfo(cr); 4975 if (ainfo == NULL) { 4976 crfree(cr); 4977 return; 4978 } 4979 uid = crgetuid(cr); 4980 gid = crgetgid(cr); 4981 ruid = crgetruid(cr); 4982 rgid = crgetrgid(cr); 4983 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4984 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4985 crfree(cr); 4986 break; 4987 case AUE_DOORFS_DOOR_RETURN: 4988 /* 4989 * We may want to write information about 4990 * all doors (if any) which will be copied 4991 * by this call to the user space 4992 */ 4993 break; 4994 case AUE_DOORFS_DOOR_CREATE: 4995 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 4996 break; 4997 case AUE_DOORFS_DOOR_REVOKE: 4998 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4999 break; 5000 case AUE_DOORFS_DOOR_INFO: 5001 break; 5002 case AUE_DOORFS_DOOR_CRED: 5003 break; 5004 case AUE_DOORFS_DOOR_BIND: 5005 break; 5006 case AUE_DOORFS_DOOR_UNBIND: { 5007 break; 5008 } 5009 default: /* illegal system call */ 5010 break; 5011 } 5012 } 5013 5014 /*ARGSUSED*/ 5015 static au_event_t 5016 aui_acl(au_event_t e) 5017 { 5018 struct a { 5019 union { 5020 long name; /* char */ 5021 long fd; 5022 } obj; 5023 5024 long cmd; 5025 long nentries; 5026 long arg; /* aclent_t */ 5027 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5028 5029 switch (uap->cmd) { 5030 case SETACL: 5031 /* ok, acl(SETACL, ...) and facl(SETACL, ...) are expected. */ 5032 break; 5033 case GETACL: 5034 case GETACLCNT: 5035 /* do nothing for these two values. */ 5036 e = AUE_NULL; 5037 break; 5038 default: 5039 /* illegal system call */ 5040 break; 5041 } 5042 5043 return (e); 5044 } 5045 5046 5047 /*ARGSUSED*/ 5048 static void 5049 aus_acl(struct t_audit_data *tad) 5050 { 5051 struct a { 5052 long fname; 5053 long cmd; 5054 long nentries; 5055 long aclbufp; 5056 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5057 struct acl *aclbufp; 5058 5059 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5060 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5061 5062 switch (uap->cmd) { 5063 case GETACL: 5064 case GETACLCNT: 5065 break; 5066 case SETACL: 5067 if (uap->nentries < 3) 5068 break; 5069 else { 5070 size_t a_size = uap->nentries * sizeof (struct acl); 5071 int i; 5072 5073 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5074 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5075 kmem_free(aclbufp, a_size); 5076 break; 5077 } 5078 for (i = 0; i < uap->nentries; i++) { 5079 au_uwrite(au_to_acl(aclbufp + i)); 5080 } 5081 kmem_free(aclbufp, a_size); 5082 break; 5083 } 5084 default: 5085 break; 5086 } 5087 } 5088 5089 /*ARGSUSED*/ 5090 static void 5091 aus_facl(struct t_audit_data *tad) 5092 { 5093 struct a { 5094 long fd; 5095 long cmd; 5096 long nentries; 5097 long aclbufp; 5098 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5099 struct file *fp; 5100 struct vnode *vp; 5101 struct f_audit_data *fad; 5102 struct acl *aclbufp; 5103 int fd; 5104 5105 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5106 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5107 5108 fd = (int)uap->fd; 5109 5110 if ((fp = getf(fd)) == NULL) 5111 return; 5112 5113 /* get path from file struct here */ 5114 fad = F2A(fp); 5115 if (fad->fad_aupath != NULL) { 5116 au_uwrite(au_to_path(fad->fad_aupath)); 5117 } else { 5118 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5119 } 5120 5121 vp = fp->f_vnode; 5122 audit_attributes(vp); 5123 5124 /* decrement file descriptor reference count */ 5125 releasef(fd); 5126 5127 switch (uap->cmd) { 5128 case GETACL: 5129 case GETACLCNT: 5130 break; 5131 case SETACL: 5132 if (uap->nentries < 3) 5133 break; 5134 else { 5135 size_t a_size = uap->nentries * sizeof (struct acl); 5136 int i; 5137 5138 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5139 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5140 kmem_free(aclbufp, a_size); 5141 break; 5142 } 5143 for (i = 0; i < uap->nentries; i++) { 5144 au_uwrite(au_to_acl(aclbufp + i)); 5145 } 5146 kmem_free(aclbufp, a_size); 5147 break; 5148 } 5149 default: 5150 break; 5151 } 5152 } 5153 5154 /*ARGSUSED*/ 5155 static void 5156 auf_read(tad, error, rval) 5157 struct t_audit_data *tad; 5158 int error; 5159 rval_t *rval; 5160 { 5161 struct file *fp; 5162 struct f_audit_data *fad; 5163 int fd; 5164 register struct a { 5165 long fd; 5166 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5167 au_kcontext_t *kctx = GET_KCTX_PZ; 5168 5169 fd = (int)uap->fd; 5170 5171 /* 5172 * convert file pointer to file descriptor 5173 * Note: fd ref count incremented here. 5174 */ 5175 if ((fp = getf(fd)) == NULL) 5176 return; 5177 5178 /* get path from file struct here */ 5179 fad = F2A(fp); 5180 ASSERT(fad); 5181 5182 /* 5183 * already processed this file for read attempt 5184 * 5185 * XXX might be better to turn off auditing in a aui_read() routine. 5186 */ 5187 if (fad->fad_flags & FAD_READ) { 5188 /* don't really want to audit every read attempt */ 5189 tad->tad_flag = 0; 5190 /* free any residual audit data */ 5191 au_close(kctx, &(u_ad), 0, 0, 0); 5192 releasef(fd); 5193 return; 5194 } 5195 /* mark things so we know what happened and don't repeat things */ 5196 fad->fad_flags |= FAD_READ; 5197 5198 if (fad->fad_aupath != NULL) { 5199 au_uwrite(au_to_path(fad->fad_aupath)); 5200 } else { 5201 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5202 } 5203 5204 /* include attributes */ 5205 audit_attributes(fp->f_vnode); 5206 5207 /* decrement file descriptor reference count */ 5208 releasef(fd); 5209 } 5210 5211 /*ARGSUSED*/ 5212 static void 5213 auf_write(tad, error, rval) 5214 struct t_audit_data *tad; 5215 int error; 5216 rval_t *rval; 5217 { 5218 struct file *fp; 5219 struct f_audit_data *fad; 5220 int fd; 5221 register struct a { 5222 long fd; 5223 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5224 au_kcontext_t *kctx = GET_KCTX_PZ; 5225 5226 fd = (int)uap->fd; 5227 5228 /* 5229 * convert file pointer to file descriptor 5230 * Note: fd ref count incremented here. 5231 */ 5232 if ((fp = getf(fd)) == NULL) 5233 return; 5234 5235 /* get path from file struct here */ 5236 fad = F2A(fp); 5237 ASSERT(fad); 5238 5239 /* 5240 * already processed this file for write attempt 5241 * 5242 * XXX might be better to turn off auditing in a aus_write() routine. 5243 */ 5244 if (fad->fad_flags & FAD_WRITE) { 5245 /* don't really want to audit every write attempt */ 5246 tad->tad_flag = 0; 5247 /* free any residual audit data */ 5248 au_close(kctx, &(u_ad), 0, 0, 0); 5249 releasef(fd); 5250 return; 5251 } 5252 /* mark things so we know what happened and don't repeat things */ 5253 fad->fad_flags |= FAD_WRITE; 5254 5255 if (fad->fad_aupath != NULL) { 5256 au_uwrite(au_to_path(fad->fad_aupath)); 5257 } else { 5258 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5259 } 5260 5261 /* include attributes */ 5262 audit_attributes(fp->f_vnode); 5263 5264 /* decrement file descriptor reference count */ 5265 releasef(fd); 5266 } 5267 5268 /*ARGSUSED*/ 5269 static void 5270 auf_recv(tad, error, rval) 5271 struct t_audit_data *tad; 5272 int error; 5273 rval_t *rval; 5274 { 5275 struct sonode *so; 5276 char so_laddr[sizeof (struct sockaddr_in6)]; 5277 char so_faddr[sizeof (struct sockaddr_in6)]; 5278 struct file *fp; 5279 struct f_audit_data *fad; 5280 int fd; 5281 int err; 5282 int len; 5283 short so_family, so_type; 5284 register struct a { 5285 long fd; 5286 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5287 au_kcontext_t *kctx = GET_KCTX_PZ; 5288 5289 /* 5290 * If there was an error, then nothing to do. Only generate 5291 * audit record on first successful recv. 5292 */ 5293 if (error) { 5294 /* Turn off audit record generation here. */ 5295 tad->tad_flag = 0; 5296 /* free any residual audit data */ 5297 au_close(kctx, &(u_ad), 0, 0, 0); 5298 return; 5299 } 5300 5301 fd = (int)uap->fd; 5302 5303 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5304 /* Turn off audit record generation here. */ 5305 tad->tad_flag = 0; 5306 /* free any residual audit data */ 5307 au_close(kctx, &(u_ad), 0, 0, 0); 5308 return; 5309 } 5310 5311 /* get path from file struct here */ 5312 fad = F2A(fp); 5313 ASSERT(fad); 5314 5315 /* 5316 * already processed this file for read attempt 5317 */ 5318 if (fad->fad_flags & FAD_READ) { 5319 releasef(fd); 5320 /* don't really want to audit every recv call */ 5321 tad->tad_flag = 0; 5322 /* free any residual audit data */ 5323 au_close(kctx, &(u_ad), 0, 0, 0); 5324 return; 5325 } 5326 5327 /* mark things so we know what happened and don't repeat things */ 5328 fad->fad_flags |= FAD_READ; 5329 5330 so_family = so->so_family; 5331 so_type = so->so_type; 5332 5333 switch (so_family) { 5334 case AF_INET: 5335 case AF_INET6: 5336 /* 5337 * Only for connections. 5338 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5339 */ 5340 if (so->so_state & SS_ISBOUND) { 5341 5342 bzero((void *)so_laddr, sizeof (so_laddr)); 5343 bzero((void *)so_faddr, sizeof (so_faddr)); 5344 5345 /* only done once on a connection */ 5346 (void) SOP_GETSOCKNAME(so); 5347 (void) SOP_GETPEERNAME(so); 5348 5349 /* get local and foreign addresses */ 5350 mutex_enter(&so->so_lock); 5351 len = min(so->so_laddr_len, sizeof (so_laddr)); 5352 bcopy(so->so_laddr_sa, so_laddr, len); 5353 len = min(so->so_faddr_len, sizeof (so_faddr)); 5354 bcopy(so->so_faddr_sa, so_faddr, len); 5355 mutex_exit(&so->so_lock); 5356 5357 /* 5358 * only way to drop out of switch. Note that we 5359 * we release fd below. 5360 */ 5361 5362 break; 5363 } 5364 5365 releasef(fd); 5366 5367 /* don't really want to audit every recv call */ 5368 tad->tad_flag = 0; 5369 /* free any residual audit data */ 5370 au_close(kctx, &(u_ad), 0, 0, 0); 5371 5372 return; 5373 5374 case AF_UNIX: 5375 5376 if (fad->fad_aupath != NULL) { 5377 au_uwrite(au_to_path(fad->fad_aupath)); 5378 } else { 5379 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5380 } 5381 5382 audit_attributes(fp->f_vnode); 5383 5384 releasef(fd); 5385 5386 return; 5387 5388 default: 5389 releasef(fd); 5390 5391 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5392 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5393 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5394 5395 return; 5396 } 5397 5398 releasef(fd); 5399 5400 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5401 5402 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5403 5404 } 5405 5406 /*ARGSUSED*/ 5407 static void 5408 auf_send(tad, error, rval) 5409 struct t_audit_data *tad; 5410 int error; 5411 rval_t *rval; 5412 { 5413 struct sonode *so; 5414 char so_laddr[sizeof (struct sockaddr_in6)]; 5415 char so_faddr[sizeof (struct sockaddr_in6)]; 5416 struct file *fp; 5417 struct f_audit_data *fad; 5418 int fd; 5419 int err; 5420 int len; 5421 short so_family, so_type; 5422 register struct a { 5423 long fd; 5424 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5425 au_kcontext_t *kctx = GET_KCTX_PZ; 5426 5427 fd = (int)uap->fd; 5428 5429 /* 5430 * If there was an error, then nothing to do. Only generate 5431 * audit record on first successful send. 5432 */ 5433 if (error != 0) { 5434 /* Turn off audit record generation here. */ 5435 tad->tad_flag = 0; 5436 /* free any residual audit data */ 5437 au_close(kctx, &(u_ad), 0, 0, 0); 5438 return; 5439 } 5440 5441 fd = (int)uap->fd; 5442 5443 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5444 /* Turn off audit record generation here. */ 5445 tad->tad_flag = 0; 5446 /* free any residual audit data */ 5447 au_close(kctx, &(u_ad), 0, 0, 0); 5448 return; 5449 } 5450 5451 /* get path from file struct here */ 5452 fad = F2A(fp); 5453 ASSERT(fad); 5454 5455 /* 5456 * already processed this file for write attempt 5457 */ 5458 if (fad->fad_flags & FAD_WRITE) { 5459 releasef(fd); 5460 /* don't really want to audit every send call */ 5461 tad->tad_flag = 0; 5462 /* free any residual audit data */ 5463 au_close(kctx, &(u_ad), 0, 0, 0); 5464 return; 5465 } 5466 5467 /* mark things so we know what happened and don't repeat things */ 5468 fad->fad_flags |= FAD_WRITE; 5469 5470 so_family = so->so_family; 5471 so_type = so->so_type; 5472 5473 switch (so_family) { 5474 case AF_INET: 5475 case AF_INET6: 5476 /* 5477 * Only for connections. 5478 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5479 */ 5480 if (so->so_state & SS_ISBOUND) { 5481 5482 bzero((void *)so_laddr, sizeof (so_laddr)); 5483 bzero((void *)so_faddr, sizeof (so_faddr)); 5484 5485 /* only done once on a connection */ 5486 (void) SOP_GETSOCKNAME(so); 5487 (void) SOP_GETPEERNAME(so); 5488 5489 /* get local and foreign addresses */ 5490 mutex_enter(&so->so_lock); 5491 len = min(so->so_laddr_len, sizeof (so_laddr)); 5492 bcopy(so->so_laddr_sa, so_laddr, len); 5493 len = min(so->so_faddr_len, sizeof (so_faddr)); 5494 bcopy(so->so_faddr_sa, so_faddr, len); 5495 mutex_exit(&so->so_lock); 5496 5497 /* 5498 * only way to drop out of switch. Note that we 5499 * we release fd below. 5500 */ 5501 5502 break; 5503 } 5504 5505 releasef(fd); 5506 /* don't really want to audit every send call */ 5507 tad->tad_flag = 0; 5508 /* free any residual audit data */ 5509 au_close(kctx, &(u_ad), 0, 0, 0); 5510 5511 return; 5512 5513 case AF_UNIX: 5514 5515 if (fad->fad_aupath != NULL) { 5516 au_uwrite(au_to_path(fad->fad_aupath)); 5517 } else { 5518 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5519 } 5520 5521 audit_attributes(fp->f_vnode); 5522 5523 releasef(fd); 5524 5525 return; 5526 5527 default: 5528 releasef(fd); 5529 5530 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5531 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5532 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5533 5534 return; 5535 } 5536 5537 releasef(fd); 5538 5539 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5540 5541 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5542 } 5543 5544 static au_event_t 5545 aui_forksys(au_event_t e) 5546 { 5547 struct a { 5548 long subcode; 5549 long flags; 5550 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5551 5552 switch ((uint_t)uap->subcode) { 5553 case 0: 5554 e = AUE_FORK1; 5555 break; 5556 case 1: 5557 e = AUE_FORKALL; 5558 break; 5559 case 2: 5560 e = AUE_VFORK; 5561 break; 5562 default: 5563 e = AUE_NULL; 5564 break; 5565 } 5566 5567 return (e); 5568 } 5569 5570 /*ARGSUSED*/ 5571 static au_event_t 5572 aui_portfs(au_event_t e) 5573 { 5574 struct a { /* portfs */ 5575 long a1; 5576 long a2; 5577 long a3; 5578 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5579 5580 /* 5581 * check opcode 5582 */ 5583 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5584 case PORT_ASSOCIATE: 5585 case PORT_DISSOCIATE: 5586 /* 5587 * check source 5588 */ 5589 if ((uint_t)uap->a3 == PORT_SOURCE_FILE) { 5590 e = AUE_PORTFS; 5591 } else { 5592 e = AUE_NULL; 5593 } 5594 break; 5595 default: 5596 e = AUE_NULL; 5597 } 5598 return (e); 5599 } 5600