1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * This file contains the audit event table used to control the production 27 * of audit records for each system call. 28 */ 29 30 #include <sys/policy.h> 31 #include <sys/cred.h> 32 #include <sys/types.h> 33 #include <sys/systm.h> 34 #include <sys/systeminfo.h> /* for sysinfo auditing */ 35 #include <sys/utsname.h> /* for sysinfo auditing */ 36 #include <sys/proc.h> 37 #include <sys/vnode.h> 38 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 39 #include <sys/fcntl.h> 40 #include <sys/modctl.h> /* for modctl auditing */ 41 #include <sys/vnode.h> 42 #include <sys/user.h> 43 #include <sys/types.h> 44 #include <sys/processor.h> 45 #include <sys/procset.h> 46 #include <sys/acl.h> 47 #include <sys/ipc.h> 48 #include <sys/door.h> 49 #include <sys/sem.h> 50 #include <sys/msg.h> 51 #include <sys/shm.h> 52 #include <sys/kmem.h> 53 #include <sys/file.h> /* for accept */ 54 #include <sys/utssys.h> /* for fuser */ 55 #include <sys/tsol/label.h> 56 #include <sys/tsol/tndb.h> 57 #include <sys/tsol/tsyscall.h> 58 #include <c2/audit.h> 59 #include <c2/audit_kernel.h> 60 #include <c2/audit_kevents.h> 61 #include <c2/audit_record.h> 62 #include <sys/procset.h> 63 #include <nfs/mount.h> 64 #include <sys/param.h> 65 #include <sys/debug.h> 66 #include <sys/sysmacros.h> 67 #include <sys/stream.h> 68 #include <sys/strsubr.h> 69 #include <sys/stropts.h> 70 #include <sys/tihdr.h> 71 #include <sys/socket.h> 72 #include <sys/socketvar.h> 73 #include <sys/vfs_opreg.h> 74 #include <fs/sockfs/sockcommon.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 char _depends_on[] = "fs/sockfs"; 81 82 static au_event_t aui_fchownat(au_event_t); 83 static au_event_t aui_open(au_event_t); 84 static au_event_t aui_openat(au_event_t); 85 static au_event_t aui_unlinkat(au_event_t); 86 static au_event_t aui_fstatat(au_event_t); 87 static au_event_t aui_msgsys(au_event_t); 88 static au_event_t aui_shmsys(au_event_t); 89 static au_event_t aui_semsys(au_event_t); 90 static au_event_t aui_utssys(au_event_t); 91 static au_event_t aui_fcntl(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 static au_event_t aui_setpgrp(au_event_t); 104 105 static void aus_exit(struct t_audit_data *); 106 static void aus_open(struct t_audit_data *); 107 static void aus_openat(struct t_audit_data *); 108 static void aus_acl(struct t_audit_data *); 109 static void aus_acct(struct t_audit_data *); 110 static void aus_chown(struct t_audit_data *); 111 static void aus_fchown(struct t_audit_data *); 112 static void aus_lchown(struct t_audit_data *); 113 static void aus_fchownat(struct t_audit_data *); 114 static void aus_chmod(struct t_audit_data *); 115 static void aus_facl(struct t_audit_data *); 116 static void aus_fchmod(struct t_audit_data *); 117 static void aus_fcntl(struct t_audit_data *); 118 static void aus_mkdir(struct t_audit_data *); 119 static void aus_mknod(struct t_audit_data *); 120 static void aus_mount(struct t_audit_data *); 121 static void aus_umount2(struct t_audit_data *); 122 static void aus_msgsys(struct t_audit_data *); 123 static void aus_semsys(struct t_audit_data *); 124 static void aus_close(struct t_audit_data *); 125 static void aus_fstatfs(struct t_audit_data *); 126 static void aus_setgid(struct t_audit_data *); 127 static void aus_setpgrp(struct t_audit_data *); 128 static void aus_setuid(struct t_audit_data *); 129 static void aus_shmsys(struct t_audit_data *); 130 static void aus_doorfs(struct t_audit_data *); 131 static void aus_ioctl(struct t_audit_data *); 132 static void aus_memcntl(struct t_audit_data *); 133 static void aus_mmap(struct t_audit_data *); 134 static void aus_munmap(struct t_audit_data *); 135 static void aus_priocntlsys(struct t_audit_data *); 136 static void aus_setegid(struct t_audit_data *); 137 static void aus_setgroups(struct t_audit_data *); 138 static void aus_seteuid(struct t_audit_data *); 139 static void aus_putmsg(struct t_audit_data *); 140 static void aus_putpmsg(struct t_audit_data *); 141 static void aus_getmsg(struct t_audit_data *); 142 static void aus_getpmsg(struct t_audit_data *); 143 static void aus_auditsys(struct t_audit_data *); 144 static void aus_sysinfo(struct t_audit_data *); 145 static void aus_modctl(struct t_audit_data *); 146 static void aus_kill(struct t_audit_data *); 147 static void aus_setregid(struct t_audit_data *); 148 static void aus_setreuid(struct t_audit_data *); 149 static void aus_labelsys(struct t_audit_data *); 150 151 static void auf_mknod(struct t_audit_data *, int, rval_t *); 152 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 153 static void auf_semsys(struct t_audit_data *, int, rval_t *); 154 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 155 static void auf_read(struct t_audit_data *, int, rval_t *); 156 static void auf_write(struct t_audit_data *, int, rval_t *); 157 158 static void aus_sigqueue(struct t_audit_data *); 159 static void aus_p_online(struct t_audit_data *); 160 static void aus_processor_bind(struct t_audit_data *); 161 static void aus_inst_sync(struct t_audit_data *); 162 static void aus_brandsys(struct t_audit_data *); 163 164 static void auf_accept(struct t_audit_data *, int, rval_t *); 165 166 static void auf_bind(struct t_audit_data *, int, rval_t *); 167 static void auf_connect(struct t_audit_data *, int, rval_t *); 168 static void aus_shutdown(struct t_audit_data *); 169 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 170 static void aus_sockconfig(struct t_audit_data *); 171 static void auf_recv(struct t_audit_data *, int, rval_t *); 172 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 173 static void auf_send(struct t_audit_data *, int, rval_t *); 174 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 175 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 176 static void auf_sendto(struct t_audit_data *, int, rval_t *); 177 static void aus_socket(struct t_audit_data *); 178 /* 179 * This table contains mapping information for converting system call numbers 180 * to audit event IDs. In several cases it is necessary to map a single system 181 * call to several events. 182 */ 183 184 #define aui_null NULL /* NULL initialize function */ 185 #define aus_null NULL /* NULL start function */ 186 #define auf_null NULL /* NULL finish function */ 187 188 struct audit_s2e audit_s2e[] = 189 { 190 /* 191 * ---------- ---------- ---------- ---------- 192 * INITIAL AUDIT START SYSTEM 193 * PROCESSING EVENT PROCESSING CALL 194 * ---------- ---------- ---------- ----------- 195 * FINISH EVENT 196 * PROCESSING CONTROL 197 * ---------------------------------------------------------- 198 */ 199 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 200 auf_null, 0, 201 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 202 auf_null, S2E_NPT, 203 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 204 auf_null, 0, 205 aui_null, AUE_READ, aus_null, /* 3 read */ 206 auf_read, S2E_PUB, 207 aui_null, AUE_WRITE, aus_null, /* 4 write */ 208 auf_write, 0, 209 aui_open, AUE_OPEN, aus_open, /* 5 open */ 210 auf_null, S2E_SP, 211 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 212 auf_null, 0, 213 aui_null, AUE_NULL, aus_null, /* 7 (loadable) was wait */ 214 auf_null, 0, 215 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 216 auf_null, 0, 217 aui_null, AUE_LINK, aus_null, /* 9 link */ 218 auf_null, 0, 219 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 220 auf_null, 0, 221 aui_null, AUE_NULL, aus_null, /* 11 (loadable) was exec */ 222 auf_null, 0, 223 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 224 auf_null, S2E_SP, 225 aui_null, AUE_NULL, aus_null, /* 13 time */ 226 auf_null, 0, 227 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 228 auf_mknod, 0, 229 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 230 auf_null, 0, 231 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 232 auf_null, 0, 233 aui_null, AUE_NULL, aus_null, /* 17 brk */ 234 auf_null, 0, 235 aui_null, AUE_STAT, aus_null, /* 18 stat */ 236 auf_null, S2E_PUB, 237 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 238 auf_null, 0, 239 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 240 auf_null, 0, 241 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 242 auf_null, S2E_MLD, 243 aui_null, AUE_NULL, aus_null, /* 22 (loadable) was umount */ 244 auf_null, 0, 245 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 246 auf_null, 0, 247 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 248 auf_null, 0, 249 aui_null, AUE_STIME, aus_null, /* 25 stime */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 29 pause */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 264 auf_null, 0, 265 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 266 auf_null, S2E_PUB, 267 aui_null, AUE_NICE, aus_null, /* 34 nice */ 268 auf_null, 0, 269 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 270 auf_null, S2E_PUB, 271 aui_null, AUE_NULL, aus_null, /* 36 sync */ 272 auf_null, 0, 273 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 274 auf_null, 0, 275 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 276 auf_null, S2E_PUB, 277 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 282 auf_null, 0, 283 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 43 times */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 44 profil */ 288 auf_null, 0, 289 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 290 auf_null, S2E_PUB | S2E_ATC, 291 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 48 (loadable) was ssig */ 296 auf_null, 0, 297 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 298 auf_msgsys, 0, 299 #if defined(__x86) 300 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 301 auf_null, 0, 302 #else 303 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 304 auf_null, 0, 305 #endif /* __x86 */ 306 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 307 auf_null, 0, 308 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 309 auf_shmsys, 0, 310 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 311 auf_semsys, 0, 312 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 313 auf_null, 0, 314 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 315 auf_null, 0, 316 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 317 auf_null, S2E_ATC, 318 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 319 auf_null, 0, 320 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 321 auf_null, 0, 322 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 323 auf_null, S2E_MLD, 324 aui_null, AUE_NULL, aus_null, /* 60 umask */ 325 auf_null, 0, 326 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 327 auf_null, S2E_SP, 328 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 331 auf_null, 0, 332 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 333 auf_null, S2E_ATC, 334 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 335 auf_null, S2E_ATC, 336 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 337 auf_null, S2E_PUB | S2E_ATC, 338 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 339 auf_null, S2E_PUB | S2E_ATC, 340 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 341 auf_null, S2E_SP | S2E_ATC, 342 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 343 auf_null, S2E_SP | S2E_ATC, 344 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 361 auf_null, 0, 362 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 363 auf_null, 0, 364 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 365 auf_null, 0, 366 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 367 auf_null, 0, 368 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 369 auf_null, 0, 370 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 373 auf_null, 0, 374 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 375 auf_null, 0, 376 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 379 auf_null, 0, 380 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 381 auf_null, S2E_PUB, 382 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 383 auf_null, 0, 384 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 387 auf_null, 0, 388 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 389 auf_null, 0, 390 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 391 auf_null, 0, 392 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 395 auf_null, 0, 396 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 101 (loadable) */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 409 auf_null, 0, 410 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 411 auf_null, S2E_PUB, 412 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 413 auf_null, 0, 414 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 415 auf_null, 0, 416 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 421 auf_null, 0, 422 #if defined(__x86) 423 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 424 auf_null, 0, 425 #else 426 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 427 auf_null, 0, 428 #endif /* __x86 */ 429 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 430 auf_null, S2E_ATC, 431 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 432 auf_null, 0, 433 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 434 auf_null, 0, 435 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 436 auf_null, S2E_PUB, 437 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 438 auf_null, 0, 439 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 440 auf_null, 0, 441 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 442 auf_null, 0, 443 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 444 auf_null, 0, 445 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 446 auf_null, 0, 447 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 448 auf_null, 0, 449 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 450 auf_null, 0, 451 aui_null, AUE_READ, aus_null, /* 121 readv */ 452 auf_read, S2E_PUB, 453 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 454 auf_write, 0, 455 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 456 auf_null, 0, 457 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 458 auf_null, 0, 459 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 460 auf_null, 0, 461 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 462 auf_null, 0, 463 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 464 auf_null, 0, 465 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 466 auf_null, 0, 467 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 468 auf_null, 0, 469 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 470 auf_null, 0, 471 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 472 auf_null, 0, 473 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 474 auf_null, 0, 475 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 476 auf_null, 0, 477 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 478 auf_null, 0, 479 aui_null, AUE_NULL, aus_null, /* 135 uname */ 480 auf_null, 0, 481 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 482 auf_null, 0, 483 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 484 auf_null, 0, 485 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 486 auf_null, 0, 487 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 490 auf_null, 0, 491 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 492 auf_null, 0, 493 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 496 auf_null, 0, 497 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 498 auf_null, 0, 499 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 146 yield */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 504 /* was lwp_sema_wait */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 513 auf_null, 0, 514 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 515 auf_null, 0, 516 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 517 auf_null, 0, 518 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 519 auf_null, 0, 520 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 549 /* was lwp_mutex_lock */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 556 auf_null, 0, 557 aui_null, AUE_READ, aus_null, /* 173 pread */ 558 auf_read, S2E_PUB, 559 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 560 auf_write, 0, 561 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 562 auf_null, 0, 563 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 564 auf_null, 0, 565 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 566 auf_null, 0, 567 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 568 auf_null, 0, 569 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 570 auf_null, 0, 571 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 574 auf_null, 0, 575 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 576 auf_null, S2E_MLD, 577 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 578 auf_null, 0, 579 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 580 auf_null, 0, 581 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 582 auf_null, 0, 583 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 584 auf_null, 0, 585 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 586 auf_null, 0, 587 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 588 auf_null, 0, 589 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 590 auf_null, 0, 591 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 594 auf_null, 0, 595 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 610 auf_null, 0, 611 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 612 auf_null, 0, 613 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 614 auf_null, 0, 615 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 616 auf_null, 0, 617 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 618 auf_null, 0, 619 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 620 auf_null, 0, 621 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 622 auf_null, 0, 623 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 638 auf_null, 0, 639 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 640 auf_null, 0, 641 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 642 auf_null, S2E_PUB, 643 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 644 auf_null, S2E_PUB, 645 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 646 auf_null, 0, 647 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 650 auf_null, 0, 651 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 652 auf_null, 0, 653 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 654 auf_null, 0, 655 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 656 auf_read, S2E_PUB, 657 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 658 auf_write, 0, 659 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 660 auf_null, 0, 661 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 662 auf_null, S2E_SP, 663 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 664 auf_null, 0, 665 aui_null, AUE_NULL, aus_null, /* 227 zone */ 666 auf_null, 0, 667 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 668 auf_null, 0, 669 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 670 auf_null, 0, 671 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 674 auf_null, 0, 675 aui_null, AUE_BIND, aus_null, /* 232 bind */ 676 auf_bind, 0, 677 aui_null, AUE_NULL, aus_null, /* 233 listen */ 678 auf_null, 0, 679 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 680 auf_accept, 0, 681 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 682 auf_connect, 0, 683 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 684 auf_null, 0, 685 aui_null, AUE_READ, aus_null, /* 237 recv */ 686 auf_recv, 0, 687 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 688 auf_recvfrom, 0, 689 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 690 auf_recvmsg, 0, 691 aui_null, AUE_WRITE, aus_null, /* 240 send */ 692 auf_send, 0, 693 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 694 auf_sendmsg, 0, 695 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 696 auf_sendto, 0, 697 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 698 auf_null, 0, 699 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 700 auf_null, 0, 701 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 702 auf_null, 0, 703 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 704 auf_setsockopt, 0, 705 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 708 auf_null, 0, 709 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 710 auf_null, 0, 711 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 720 auf_null, 0, 721 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 722 auf_null, 0 723 }; 724 725 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 726 727 728 /* exit start function */ 729 /*ARGSUSED*/ 730 static void 731 aus_exit(struct t_audit_data *tad) 732 { 733 uint32_t rval; 734 struct a { 735 long rval; 736 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 737 738 rval = (uint32_t)uap->rval; 739 au_uwrite(au_to_arg32(1, "exit status", rval)); 740 } 741 742 /* acct start function */ 743 /*ARGSUSED*/ 744 static void 745 aus_acct(struct t_audit_data *tad) 746 { 747 klwp_t *clwp = ttolwp(curthread); 748 uintptr_t fname; 749 750 struct a { 751 long fname; /* char * */ 752 } *uap = (struct a *)clwp->lwp_ap; 753 754 fname = (uintptr_t)uap->fname; 755 756 if (fname == 0) 757 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 758 } 759 760 /* chown start function */ 761 /*ARGSUSED*/ 762 static void 763 aus_chown(struct t_audit_data *tad) 764 { 765 klwp_t *clwp = ttolwp(curthread); 766 uint32_t uid, gid; 767 768 struct a { 769 long fname; /* char * */ 770 long uid; 771 long gid; 772 } *uap = (struct a *)clwp->lwp_ap; 773 774 uid = (uint32_t)uap->uid; 775 gid = (uint32_t)uap->gid; 776 777 au_uwrite(au_to_arg32(2, "new file uid", uid)); 778 au_uwrite(au_to_arg32(3, "new file gid", gid)); 779 } 780 781 /* fchown start function */ 782 /*ARGSUSED*/ 783 static void 784 aus_fchown(struct t_audit_data *tad) 785 { 786 klwp_t *clwp = ttolwp(curthread); 787 uint32_t uid, gid, fd; 788 struct file *fp; 789 struct vnode *vp; 790 struct f_audit_data *fad; 791 792 struct a { 793 long fd; 794 long uid; 795 long gid; 796 } *uap = (struct a *)clwp->lwp_ap; 797 798 fd = (uint32_t)uap->fd; 799 uid = (uint32_t)uap->uid; 800 gid = (uint32_t)uap->gid; 801 802 au_uwrite(au_to_arg32(2, "new file uid", uid)); 803 au_uwrite(au_to_arg32(3, "new file gid", gid)); 804 805 /* 806 * convert file pointer to file descriptor 807 * Note: fd ref count incremented here. 808 */ 809 if ((fp = getf(fd)) == NULL) 810 return; 811 812 /* get path from file struct here */ 813 fad = F2A(fp); 814 if (fad->fad_aupath != NULL) { 815 au_uwrite(au_to_path(fad->fad_aupath)); 816 } else { 817 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 818 } 819 820 vp = fp->f_vnode; 821 audit_attributes(vp); 822 823 /* decrement file descriptor reference count */ 824 releasef(fd); 825 } 826 827 /*ARGSUSED*/ 828 static void 829 aus_lchown(struct t_audit_data *tad) 830 { 831 klwp_t *clwp = ttolwp(curthread); 832 uint32_t uid, gid; 833 834 835 struct a { 836 long fname; /* char * */ 837 long uid; 838 long gid; 839 } *uap = (struct a *)clwp->lwp_ap; 840 841 uid = (uint32_t)uap->uid; 842 gid = (uint32_t)uap->gid; 843 844 au_uwrite(au_to_arg32(2, "new file uid", uid)); 845 au_uwrite(au_to_arg32(3, "new file gid", gid)); 846 } 847 848 static au_event_t 849 aui_fchownat(au_event_t e) 850 { 851 klwp_t *clwp = ttolwp(curthread); 852 853 struct a { 854 long fd; 855 long fname; /* char * */ 856 long uid; 857 long gid; 858 long flags; 859 } *uap = (struct a *)clwp->lwp_ap; 860 861 if (uap->fname == NULL) 862 e = AUE_FCHOWN; 863 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 864 e = AUE_LCHOWN; 865 else 866 e = AUE_CHOWN; 867 868 return (e); 869 } 870 871 /*ARGSUSED*/ 872 static void 873 aus_fchownat(struct t_audit_data *tad) 874 { 875 klwp_t *clwp = ttolwp(curthread); 876 uint32_t uid, gid; 877 878 struct a { 879 long fd; 880 long fname; /* char * */ 881 long uid; 882 long gid; 883 long flags; 884 } *uap = (struct a *)clwp->lwp_ap; 885 886 uid = (uint32_t)uap->uid; 887 gid = (uint32_t)uap->gid; 888 889 au_uwrite(au_to_arg32(3, "new file uid", uid)); 890 au_uwrite(au_to_arg32(4, "new file gid", gid)); 891 } 892 893 /* chmod start function */ 894 /*ARGSUSED*/ 895 static void 896 aus_chmod(struct t_audit_data *tad) 897 { 898 klwp_t *clwp = ttolwp(curthread); 899 uint32_t fmode; 900 901 struct a { 902 long fname; /* char * */ 903 long fmode; 904 } *uap = (struct a *)clwp->lwp_ap; 905 906 fmode = (uint32_t)uap->fmode; 907 908 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 909 } 910 911 /* chmod start function */ 912 /*ARGSUSED*/ 913 static void 914 aus_fchmod(struct t_audit_data *tad) 915 { 916 klwp_t *clwp = ttolwp(curthread); 917 uint32_t fmode, fd; 918 struct file *fp; 919 struct vnode *vp; 920 struct f_audit_data *fad; 921 922 struct a { 923 long fd; 924 long fmode; 925 } *uap = (struct a *)clwp->lwp_ap; 926 927 fd = (uint32_t)uap->fd; 928 fmode = (uint32_t)uap->fmode; 929 930 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 931 932 /* 933 * convert file pointer to file descriptor 934 * Note: fd ref count incremented here. 935 */ 936 if ((fp = getf(fd)) == NULL) 937 return; 938 939 /* get path from file struct here */ 940 fad = F2A(fp); 941 if (fad->fad_aupath != NULL) { 942 au_uwrite(au_to_path(fad->fad_aupath)); 943 } else { 944 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 945 } 946 947 vp = fp->f_vnode; 948 audit_attributes(vp); 949 950 /* decrement file descriptor reference count */ 951 releasef(fd); 952 } 953 954 /* 955 * convert open mode to appropriate open event 956 */ 957 au_event_t 958 open_event(uint_t fm) 959 { 960 au_event_t e; 961 962 switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) { 963 case O_RDONLY: 964 e = AUE_OPEN_R; 965 break; 966 case O_RDONLY | O_CREAT: 967 e = AUE_OPEN_RC; 968 break; 969 case O_RDONLY | O_TRUNC: 970 e = AUE_OPEN_RT; 971 break; 972 case O_RDONLY | O_TRUNC | O_CREAT: 973 e = AUE_OPEN_RTC; 974 break; 975 case O_WRONLY: 976 e = AUE_OPEN_W; 977 break; 978 case O_WRONLY | O_CREAT: 979 e = AUE_OPEN_WC; 980 break; 981 case O_WRONLY | O_TRUNC: 982 e = AUE_OPEN_WT; 983 break; 984 case O_WRONLY | O_TRUNC | O_CREAT: 985 e = AUE_OPEN_WTC; 986 break; 987 case O_RDWR: 988 e = AUE_OPEN_RW; 989 break; 990 case O_RDWR | O_CREAT: 991 e = AUE_OPEN_RWC; 992 break; 993 case O_RDWR | O_TRUNC: 994 e = AUE_OPEN_RWT; 995 break; 996 case O_RDWR | O_TRUNC | O_CREAT: 997 e = AUE_OPEN_RWTC; 998 break; 999 default: 1000 e = AUE_NULL; 1001 break; 1002 } 1003 1004 return (e); 1005 } 1006 1007 /* ARGSUSED */ 1008 static au_event_t 1009 aui_open(au_event_t e) 1010 { 1011 t_audit_data_t *tad = T2A(curthread); 1012 klwp_t *clwp = ttolwp(curthread); 1013 uint_t fm; 1014 1015 struct a { 1016 long fnamep; /* char * */ 1017 long fmode; 1018 long cmode; 1019 } *uap = (struct a *)clwp->lwp_ap; 1020 1021 fm = (uint_t)uap->fmode; 1022 1023 /* convert to appropriate au_ctrl */ 1024 if (fm & (FXATTR | FXATTRDIROPEN)) 1025 tad->tad_ctrl |= TAD_ATTPATH; 1026 1027 return (open_event(fm)); 1028 } 1029 1030 static void 1031 aus_open(struct t_audit_data *tad) 1032 { 1033 klwp_t *clwp = ttolwp(curthread); 1034 uint_t fm; 1035 1036 struct a { 1037 long fnamep; /* char * */ 1038 long fmode; 1039 long cmode; 1040 } *uap = (struct a *)clwp->lwp_ap; 1041 1042 fm = (uint_t)uap->fmode; 1043 1044 /* If no write, create, or trunc modes, mark as a public op */ 1045 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1046 tad->tad_ctrl |= TAD_PUBLIC_EV; 1047 } 1048 1049 /* ARGSUSED */ 1050 static au_event_t 1051 aui_openat(au_event_t e) 1052 { 1053 t_audit_data_t *tad = T2A(curthread); 1054 klwp_t *clwp = ttolwp(curthread); 1055 uint_t fm; 1056 1057 struct a { 1058 long filedes; 1059 long fnamep; /* char * */ 1060 long fmode; 1061 long cmode; 1062 } *uap = (struct a *)clwp->lwp_ap; 1063 1064 fm = (uint_t)uap->fmode; 1065 1066 /* convert to appropriate au_ctrl */ 1067 if (fm & (FXATTR | FXATTRDIROPEN)) 1068 tad->tad_ctrl |= TAD_ATTPATH; 1069 1070 return (open_event(fm)); 1071 } 1072 1073 static void 1074 aus_openat(struct t_audit_data *tad) 1075 { 1076 klwp_t *clwp = ttolwp(curthread); 1077 uint_t fm; 1078 1079 struct a { 1080 long filedes; 1081 long fnamep; /* char * */ 1082 long fmode; 1083 long cmode; 1084 } *uap = (struct a *)clwp->lwp_ap; 1085 1086 fm = (uint_t)uap->fmode; 1087 1088 /* If no write, create, or trunc modes, mark as a public op */ 1089 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1090 tad->tad_ctrl |= TAD_PUBLIC_EV; 1091 } 1092 1093 static au_event_t 1094 aui_unlinkat(au_event_t e) 1095 { 1096 klwp_t *clwp = ttolwp(curthread); 1097 1098 struct a { 1099 long filedes; 1100 long fnamep; /* char * */ 1101 long flags; 1102 } *uap = (struct a *)clwp->lwp_ap; 1103 1104 if (uap->flags & AT_REMOVEDIR) 1105 e = AUE_RMDIR; 1106 else 1107 e = AUE_UNLINK; 1108 1109 return (e); 1110 } 1111 1112 static au_event_t 1113 aui_fstatat(au_event_t e) 1114 { 1115 klwp_t *clwp = ttolwp(curthread); 1116 1117 struct a { 1118 long filedes; 1119 long fnamep; /* char * */ 1120 long statb; 1121 long flags; 1122 } *uap = (struct a *)clwp->lwp_ap; 1123 1124 if (uap->fnamep == NULL) 1125 e = AUE_FSTAT; 1126 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1127 e = AUE_LSTAT; 1128 else 1129 e = AUE_STAT; 1130 1131 return (e); 1132 } 1133 1134 /* msgsys */ 1135 static au_event_t 1136 aui_msgsys(au_event_t e) 1137 { 1138 klwp_t *clwp = ttolwp(curthread); 1139 uint_t fm; 1140 1141 struct a { 1142 long id; /* function code id */ 1143 long ap; /* arg pointer for recvmsg */ 1144 } *uap = (struct a *)clwp->lwp_ap; 1145 1146 struct b { 1147 long msgid; 1148 long cmd; 1149 long buf; /* struct msqid_ds * */ 1150 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1151 1152 fm = (uint_t)uap->id; 1153 1154 switch (fm) { 1155 case 0: /* msgget */ 1156 e = AUE_MSGGET; 1157 break; 1158 case 1: /* msgctl */ 1159 switch ((uint_t)uap1->cmd) { 1160 case IPC_RMID: 1161 e = AUE_MSGCTL_RMID; 1162 break; 1163 case IPC_SET: 1164 e = AUE_MSGCTL_SET; 1165 break; 1166 case IPC_STAT: 1167 e = AUE_MSGCTL_STAT; 1168 break; 1169 default: 1170 e = AUE_MSGCTL; 1171 break; 1172 } 1173 break; 1174 case 2: /* msgrcv */ 1175 e = AUE_MSGRCV; 1176 break; 1177 case 3: /* msgsnd */ 1178 e = AUE_MSGSND; 1179 break; 1180 default: /* illegal system call */ 1181 e = AUE_NULL; 1182 break; 1183 } 1184 1185 return (e); 1186 } 1187 1188 1189 /* shmsys */ 1190 static au_event_t 1191 aui_shmsys(au_event_t e) 1192 { 1193 klwp_t *clwp = ttolwp(curthread); 1194 int fm; 1195 1196 struct a { /* shmsys */ 1197 long id; /* function code id */ 1198 } *uap = (struct a *)clwp->lwp_ap; 1199 1200 struct b { /* ctrl */ 1201 long shmid; 1202 long cmd; 1203 long arg; /* struct shmid_ds * */ 1204 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1205 fm = (uint_t)uap->id; 1206 1207 switch (fm) { 1208 case 0: /* shmat */ 1209 e = AUE_SHMAT; 1210 break; 1211 case 1: /* shmctl */ 1212 switch ((uint_t)uap1->cmd) { 1213 case IPC_RMID: 1214 e = AUE_SHMCTL_RMID; 1215 break; 1216 case IPC_SET: 1217 e = AUE_SHMCTL_SET; 1218 break; 1219 case IPC_STAT: 1220 e = AUE_SHMCTL_STAT; 1221 break; 1222 default: 1223 e = AUE_SHMCTL; 1224 break; 1225 } 1226 break; 1227 case 2: /* shmdt */ 1228 e = AUE_SHMDT; 1229 break; 1230 case 3: /* shmget */ 1231 e = AUE_SHMGET; 1232 break; 1233 default: /* illegal system call */ 1234 e = AUE_NULL; 1235 break; 1236 } 1237 1238 return (e); 1239 } 1240 1241 1242 /* semsys */ 1243 static au_event_t 1244 aui_semsys(au_event_t e) 1245 { 1246 klwp_t *clwp = ttolwp(curthread); 1247 uint_t fm; 1248 1249 struct a { /* semsys */ 1250 long id; 1251 } *uap = (struct a *)clwp->lwp_ap; 1252 1253 struct b { /* ctrl */ 1254 long semid; 1255 long semnum; 1256 long cmd; 1257 long arg; 1258 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1259 1260 fm = (uint_t)uap->id; 1261 1262 switch (fm) { 1263 case 0: /* semctl */ 1264 switch ((uint_t)uap1->cmd) { 1265 case IPC_RMID: 1266 e = AUE_SEMCTL_RMID; 1267 break; 1268 case IPC_SET: 1269 e = AUE_SEMCTL_SET; 1270 break; 1271 case IPC_STAT: 1272 e = AUE_SEMCTL_STAT; 1273 break; 1274 case GETNCNT: 1275 e = AUE_SEMCTL_GETNCNT; 1276 break; 1277 case GETPID: 1278 e = AUE_SEMCTL_GETPID; 1279 break; 1280 case GETVAL: 1281 e = AUE_SEMCTL_GETVAL; 1282 break; 1283 case GETALL: 1284 e = AUE_SEMCTL_GETALL; 1285 break; 1286 case GETZCNT: 1287 e = AUE_SEMCTL_GETZCNT; 1288 break; 1289 case SETVAL: 1290 e = AUE_SEMCTL_SETVAL; 1291 break; 1292 case SETALL: 1293 e = AUE_SEMCTL_SETALL; 1294 break; 1295 default: 1296 e = AUE_SEMCTL; 1297 break; 1298 } 1299 break; 1300 case 1: /* semget */ 1301 e = AUE_SEMGET; 1302 break; 1303 case 2: /* semop */ 1304 e = AUE_SEMOP; 1305 break; 1306 default: /* illegal system call */ 1307 e = AUE_NULL; 1308 break; 1309 } 1310 1311 return (e); 1312 } 1313 1314 /* utssys - uname(2), ustat(2), fusers(2) */ 1315 static au_event_t 1316 aui_utssys(au_event_t e) 1317 { 1318 klwp_t *clwp = ttolwp(curthread); 1319 uint_t type; 1320 1321 struct a { 1322 union { 1323 long cbuf; /* char * */ 1324 long ubuf; /* struct stat * */ 1325 } ub; 1326 union { 1327 long mv; /* for USTAT */ 1328 long flags; /* for FUSERS */ 1329 } un; 1330 long type; 1331 long outbp; /* char * for FUSERS */ 1332 } *uap = (struct a *)clwp->lwp_ap; 1333 1334 type = (uint_t)uap->type; 1335 1336 if (type == UTS_FUSERS) 1337 return (e); 1338 else 1339 return ((au_event_t)AUE_NULL); 1340 } 1341 1342 static au_event_t 1343 aui_fcntl(au_event_t e) 1344 { 1345 klwp_t *clwp = ttolwp(curthread); 1346 uint_t cmd; 1347 1348 struct a { 1349 long fdes; 1350 long cmd; 1351 long arg; 1352 } *uap = (struct a *)clwp->lwp_ap; 1353 1354 cmd = (uint_t)uap->cmd; 1355 1356 switch (cmd) { 1357 case F_GETLK: 1358 case F_SETLK: 1359 case F_SETLKW: 1360 break; 1361 case F_SETFL: 1362 case F_GETFL: 1363 case F_GETFD: 1364 break; 1365 default: 1366 e = (au_event_t)AUE_NULL; 1367 break; 1368 } 1369 return ((au_event_t)e); 1370 } 1371 1372 /* null function for now */ 1373 static au_event_t 1374 aui_execve(au_event_t e) 1375 { 1376 return (e); 1377 } 1378 1379 /*ARGSUSED*/ 1380 static void 1381 aus_fcntl(struct t_audit_data *tad) 1382 { 1383 klwp_t *clwp = ttolwp(curthread); 1384 uint32_t cmd, fd, flags; 1385 struct file *fp; 1386 struct vnode *vp; 1387 struct f_audit_data *fad; 1388 1389 struct a { 1390 long fd; 1391 long cmd; 1392 long arg; 1393 } *uap = (struct a *)clwp->lwp_ap; 1394 1395 cmd = (uint32_t)uap->cmd; 1396 fd = (uint32_t)uap->fd; 1397 flags = (uint32_t)uap->arg; 1398 1399 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1400 1401 if (cmd == F_SETFL) 1402 au_uwrite(au_to_arg32(3, "flags", flags)); 1403 1404 /* 1405 * convert file pointer to file descriptor 1406 * Note: fd ref count incremented here. 1407 */ 1408 if ((fp = getf(fd)) == NULL) 1409 return; 1410 1411 /* get path from file struct here */ 1412 fad = F2A(fp); 1413 if (fad->fad_aupath != NULL) { 1414 au_uwrite(au_to_path(fad->fad_aupath)); 1415 } else { 1416 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1417 } 1418 1419 vp = fp->f_vnode; 1420 audit_attributes(vp); 1421 1422 /* decrement file descriptor reference count */ 1423 releasef(fd); 1424 } 1425 1426 /*ARGSUSED*/ 1427 static void 1428 aus_kill(struct t_audit_data *tad) 1429 { 1430 klwp_t *clwp = ttolwp(curthread); 1431 struct proc *p; 1432 uint32_t signo; 1433 uid_t uid, ruid; 1434 gid_t gid, rgid; 1435 pid_t pid; 1436 const auditinfo_addr_t *ainfo; 1437 cred_t *cr; 1438 1439 struct a { 1440 long pid; 1441 long signo; 1442 } *uap = (struct a *)clwp->lwp_ap; 1443 1444 pid = (pid_t)uap->pid; 1445 signo = (uint32_t)uap->signo; 1446 1447 au_uwrite(au_to_arg32(2, "signal", signo)); 1448 if (pid > 0) { 1449 mutex_enter(&pidlock); 1450 if (((p = prfind(pid)) == (struct proc *)0) || 1451 (p->p_stat == SIDL)) { 1452 mutex_exit(&pidlock); 1453 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1454 return; 1455 } 1456 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1457 mutex_exit(&pidlock); 1458 1459 mutex_enter(&p->p_crlock); 1460 crhold(cr = p->p_cred); 1461 mutex_exit(&p->p_crlock); 1462 mutex_exit(&p->p_lock); 1463 1464 ainfo = crgetauinfo(cr); 1465 if (ainfo == NULL) { 1466 crfree(cr); 1467 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1468 return; 1469 } 1470 1471 uid = crgetuid(cr); 1472 gid = crgetgid(cr); 1473 ruid = crgetruid(cr); 1474 rgid = crgetrgid(cr); 1475 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1476 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1477 1478 if (is_system_labeled()) 1479 au_uwrite(au_to_label(CR_SL(cr))); 1480 1481 crfree(cr); 1482 } 1483 else 1484 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1485 } 1486 1487 /*ARGSUSED*/ 1488 static void 1489 aus_mkdir(struct t_audit_data *tad) 1490 { 1491 klwp_t *clwp = ttolwp(curthread); 1492 uint32_t dmode; 1493 1494 struct a { 1495 long dirnamep; /* char * */ 1496 long dmode; 1497 } *uap = (struct a *)clwp->lwp_ap; 1498 1499 dmode = (uint32_t)uap->dmode; 1500 1501 au_uwrite(au_to_arg32(2, "mode", dmode)); 1502 } 1503 1504 /*ARGSUSED*/ 1505 static void 1506 aus_mknod(struct t_audit_data *tad) 1507 { 1508 klwp_t *clwp = ttolwp(curthread); 1509 uint32_t fmode; 1510 dev_t dev; 1511 1512 struct a { 1513 long pnamep; /* char * */ 1514 long fmode; 1515 long dev; 1516 } *uap = (struct a *)clwp->lwp_ap; 1517 1518 fmode = (uint32_t)uap->fmode; 1519 dev = (dev_t)uap->dev; 1520 1521 au_uwrite(au_to_arg32(2, "mode", fmode)); 1522 #ifdef _LP64 1523 au_uwrite(au_to_arg64(3, "dev", dev)); 1524 #else 1525 au_uwrite(au_to_arg32(3, "dev", dev)); 1526 #endif 1527 } 1528 1529 /*ARGSUSED*/ 1530 static void 1531 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1532 { 1533 klwp_t *clwp = ttolwp(curthread); 1534 vnode_t *dvp; 1535 caddr_t pnamep; 1536 1537 struct a { 1538 long pnamep; /* char * */ 1539 long fmode; 1540 long dev; 1541 } *uap = (struct a *)clwp->lwp_ap; 1542 1543 /* no error, then already path token in audit record */ 1544 if (error != EPERM) 1545 return; 1546 1547 /* not auditing this event, nothing then to do */ 1548 if (tad->tad_flag == 0) 1549 return; 1550 1551 /* do the lookup to force generation of path token */ 1552 pnamep = (caddr_t)uap->pnamep; 1553 tad->tad_ctrl |= TAD_NOATTRB; 1554 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1555 if (error == 0) 1556 VN_RELE(dvp); 1557 } 1558 1559 /*ARGSUSED*/ 1560 static void 1561 aus_mount(struct t_audit_data *tad) 1562 { /* AUS_START */ 1563 klwp_t *clwp = ttolwp(curthread); 1564 uint32_t flags; 1565 uintptr_t u_fstype, dataptr; 1566 STRUCT_DECL(nfs_args, nfsargs); 1567 size_t len; 1568 char *fstype, *hostname; 1569 1570 struct a { 1571 long spec; /* char * */ 1572 long dir; /* char * */ 1573 long flags; 1574 long fstype; /* char * */ 1575 long dataptr; /* char * */ 1576 long datalen; 1577 } *uap = (struct a *)clwp->lwp_ap; 1578 1579 u_fstype = (uintptr_t)uap->fstype; 1580 flags = (uint32_t)uap->flags; 1581 dataptr = (uintptr_t)uap->dataptr; 1582 1583 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1584 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1585 goto mount_free_fstype; 1586 1587 au_uwrite(au_to_arg32(3, "flags", flags)); 1588 au_uwrite(au_to_text(fstype)); 1589 1590 if (strncmp(fstype, "nfs", 3) == 0) { 1591 1592 STRUCT_INIT(nfsargs, get_udatamodel()); 1593 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1594 1595 if (copyin((caddr_t)dataptr, 1596 STRUCT_BUF(nfsargs), 1597 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1598 /* DEBUG debug_enter((char *)NULL); */ 1599 goto mount_free_fstype; 1600 } 1601 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1602 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1603 (caddr_t)hostname, 1604 MAXNAMELEN, &len)) { 1605 goto mount_free_hostname; 1606 } 1607 au_uwrite(au_to_text(hostname)); 1608 au_uwrite(au_to_arg32(3, "internal flags", 1609 (uint_t)STRUCT_FGET(nfsargs, flags))); 1610 1611 mount_free_hostname: 1612 kmem_free(hostname, MAXNAMELEN); 1613 } 1614 1615 mount_free_fstype: 1616 kmem_free(fstype, MAXNAMELEN); 1617 } /* AUS_MOUNT */ 1618 1619 static void 1620 aus_umount_path(caddr_t umount_dir) 1621 { 1622 char *dir_path; 1623 struct audit_path *path; 1624 size_t path_len, dir_len; 1625 1626 /* length alloc'd for two string pointers */ 1627 path_len = sizeof (struct audit_path) + sizeof (char *); 1628 path = kmem_alloc(path_len, KM_SLEEP); 1629 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1630 1631 if (copyinstr(umount_dir, (caddr_t)dir_path, 1632 MAXPATHLEN, &dir_len)) 1633 goto umount2_free_dir; 1634 1635 /* 1636 * the audit_path struct assumes that the buffer pointed to 1637 * by audp_sect[n] contains string 0 immediatedly followed 1638 * by string 1. 1639 */ 1640 path->audp_sect[0] = dir_path; 1641 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1642 path->audp_size = path_len; 1643 path->audp_ref = 1; /* not used */ 1644 path->audp_cnt = 1; /* one path string */ 1645 1646 au_uwrite(au_to_path(path)); 1647 1648 umount2_free_dir: 1649 kmem_free(dir_path, MAXPATHLEN); 1650 kmem_free(path, path_len); 1651 } 1652 1653 /*ARGSUSED*/ 1654 static void 1655 aus_umount2(struct t_audit_data *tad) 1656 { 1657 klwp_t *clwp = ttolwp(curthread); 1658 struct a { 1659 long dir; /* char * */ 1660 long flags; 1661 } *uap = (struct a *)clwp->lwp_ap; 1662 1663 aus_umount_path((caddr_t)uap->dir); 1664 1665 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1666 } 1667 1668 static void 1669 aus_msgsys(struct t_audit_data *tad) 1670 { 1671 klwp_t *clwp = ttolwp(curthread); 1672 uint32_t msgid; 1673 1674 struct b { 1675 long msgid; 1676 long cmd; 1677 long buf; /* struct msqid_ds * */ 1678 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1679 1680 msgid = (uint32_t)uap1->msgid; 1681 1682 1683 switch (tad->tad_event) { 1684 case AUE_MSGGET: /* msgget */ 1685 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1686 break; 1687 case AUE_MSGCTL: /* msgctl */ 1688 case AUE_MSGCTL_RMID: /* msgctl */ 1689 case AUE_MSGCTL_SET: /* msgctl */ 1690 case AUE_MSGCTL_STAT: /* msgctl */ 1691 case AUE_MSGRCV: /* msgrcv */ 1692 case AUE_MSGSND: /* msgsnd */ 1693 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1694 break; 1695 } 1696 } 1697 1698 /*ARGSUSED*/ 1699 static void 1700 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1701 { 1702 int id; 1703 1704 if (error != 0) 1705 return; 1706 if (tad->tad_event == AUE_MSGGET) { 1707 uint32_t scid; 1708 uint32_t sy_flags; 1709 1710 /* need to determine type of executing binary */ 1711 scid = tad->tad_scid; 1712 #ifdef _SYSCALL32_IMPL 1713 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1714 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1715 else 1716 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1717 #else 1718 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1719 #endif 1720 if (sy_flags == SE_32RVAL1) 1721 id = rval->r_val1; 1722 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1723 id = rval->r_val1; 1724 if (sy_flags == SE_64RVAL) 1725 id = (int)rval->r_vals; 1726 1727 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1728 } 1729 } 1730 1731 static void 1732 aus_semsys(struct t_audit_data *tad) 1733 { 1734 klwp_t *clwp = ttolwp(curthread); 1735 uint32_t semid; 1736 1737 struct b { /* ctrl */ 1738 long semid; 1739 long semnum; 1740 long cmd; 1741 long arg; 1742 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1743 1744 semid = (uint32_t)uap1->semid; 1745 1746 switch (tad->tad_event) { 1747 case AUE_SEMCTL_RMID: 1748 case AUE_SEMCTL_STAT: 1749 case AUE_SEMCTL_GETNCNT: 1750 case AUE_SEMCTL_GETPID: 1751 case AUE_SEMCTL_GETVAL: 1752 case AUE_SEMCTL_GETALL: 1753 case AUE_SEMCTL_GETZCNT: 1754 case AUE_SEMCTL_SET: 1755 case AUE_SEMCTL_SETVAL: 1756 case AUE_SEMCTL_SETALL: 1757 case AUE_SEMCTL: 1758 case AUE_SEMOP: 1759 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1760 break; 1761 case AUE_SEMGET: 1762 au_uwrite(au_to_arg32(1, "sem key", semid)); 1763 break; 1764 } 1765 } 1766 1767 /*ARGSUSED*/ 1768 static void 1769 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1770 { 1771 int id; 1772 1773 if (error != 0) 1774 return; 1775 if (tad->tad_event == AUE_SEMGET) { 1776 uint32_t scid; 1777 uint32_t sy_flags; 1778 1779 /* need to determine type of executing binary */ 1780 scid = tad->tad_scid; 1781 #ifdef _SYSCALL32_IMPL 1782 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1783 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1784 else 1785 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1786 #else 1787 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1788 #endif 1789 if (sy_flags == SE_32RVAL1) 1790 id = rval->r_val1; 1791 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1792 id = rval->r_val1; 1793 if (sy_flags == SE_64RVAL) 1794 id = (int)rval->r_vals; 1795 1796 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1797 } 1798 } 1799 1800 /*ARGSUSED*/ 1801 static void 1802 aus_close(struct t_audit_data *tad) 1803 { 1804 klwp_t *clwp = ttolwp(curthread); 1805 uint32_t fd; 1806 struct file *fp; 1807 struct f_audit_data *fad; 1808 struct vnode *vp; 1809 struct vattr attr; 1810 au_kcontext_t *kctx = GET_KCTX_PZ; 1811 1812 struct a { 1813 long i; 1814 } *uap = (struct a *)clwp->lwp_ap; 1815 1816 fd = (uint32_t)uap->i; 1817 1818 attr.va_mask = 0; 1819 au_uwrite(au_to_arg32(1, "fd", fd)); 1820 1821 /* 1822 * convert file pointer to file descriptor 1823 * Note: fd ref count incremented here. 1824 */ 1825 if ((fp = getf(fd)) == NULL) 1826 return; 1827 1828 fad = F2A(fp); 1829 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1830 if (fad->fad_aupath != NULL) { 1831 au_uwrite(au_to_path(fad->fad_aupath)); 1832 if ((vp = fp->f_vnode) != NULL) { 1833 attr.va_mask = AT_ALL; 1834 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1835 /* 1836 * When write was not used and the file can be 1837 * considered public, skip the audit. 1838 */ 1839 if (((fp->f_flag & FWRITE) == 0) && 1840 object_is_public(&attr)) { 1841 tad->tad_flag = 0; 1842 tad->tad_evmod = 0; 1843 /* free any residual audit data */ 1844 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 1845 releasef(fd); 1846 return; 1847 } 1848 au_uwrite(au_to_attr(&attr)); 1849 audit_sec_attributes(&(u_ad), vp); 1850 } 1851 } 1852 } 1853 1854 /* decrement file descriptor reference count */ 1855 releasef(fd); 1856 } 1857 1858 /*ARGSUSED*/ 1859 static void 1860 aus_fstatfs(struct t_audit_data *tad) 1861 { 1862 klwp_t *clwp = ttolwp(curthread); 1863 uint32_t fd; 1864 struct file *fp; 1865 struct vnode *vp; 1866 struct f_audit_data *fad; 1867 1868 struct a { 1869 long fd; 1870 long buf; /* struct statfs * */ 1871 } *uap = (struct a *)clwp->lwp_ap; 1872 1873 fd = (uint_t)uap->fd; 1874 1875 /* 1876 * convert file pointer to file descriptor 1877 * Note: fd ref count incremented here. 1878 */ 1879 if ((fp = getf(fd)) == NULL) 1880 return; 1881 1882 /* get path from file struct here */ 1883 fad = F2A(fp); 1884 if (fad->fad_aupath != NULL) { 1885 au_uwrite(au_to_path(fad->fad_aupath)); 1886 } else { 1887 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1888 } 1889 1890 vp = fp->f_vnode; 1891 audit_attributes(vp); 1892 1893 /* decrement file descriptor reference count */ 1894 releasef(fd); 1895 } 1896 1897 static au_event_t 1898 aui_setpgrp(au_event_t e) 1899 { 1900 klwp_t *clwp = ttolwp(curthread); 1901 int flag; 1902 1903 struct a { 1904 long flag; 1905 long pid; 1906 long pgid; 1907 } *uap = (struct a *)clwp->lwp_ap; 1908 1909 flag = (int)uap->flag; 1910 1911 1912 switch (flag) { 1913 1914 case 1: /* setpgrp() */ 1915 e = AUE_SETPGRP; 1916 break; 1917 1918 case 3: /* setsid() */ 1919 e = AUE_SETSID; 1920 break; 1921 1922 case 5: /* setpgid() */ 1923 e = AUE_SETPGID; 1924 break; 1925 1926 case 0: /* getpgrp() - not security relevant */ 1927 case 2: /* getsid() - not security relevant */ 1928 case 4: /* getpgid() - not security relevant */ 1929 e = AUE_NULL; 1930 break; 1931 1932 default: 1933 e = AUE_NULL; 1934 break; 1935 } 1936 1937 return (e); 1938 } 1939 1940 /*ARGSUSED*/ 1941 static void 1942 aus_setpgrp(struct t_audit_data *tad) 1943 { 1944 klwp_t *clwp = ttolwp(curthread); 1945 pid_t pgid; 1946 struct proc *p; 1947 uid_t uid, ruid; 1948 gid_t gid, rgid; 1949 pid_t pid; 1950 cred_t *cr; 1951 int flag; 1952 const auditinfo_addr_t *ainfo; 1953 1954 struct a { 1955 long flag; 1956 long pid; 1957 long pgid; 1958 } *uap = (struct a *)clwp->lwp_ap; 1959 1960 flag = (int)uap->flag; 1961 pid = (pid_t)uap->pid; 1962 pgid = (pid_t)uap->pgid; 1963 1964 1965 switch (flag) { 1966 1967 case 0: /* getpgrp() */ 1968 case 1: /* setpgrp() */ 1969 case 2: /* getsid() */ 1970 case 3: /* setsid() */ 1971 case 4: /* getpgid() */ 1972 break; 1973 1974 case 5: /* setpgid() */ 1975 1976 /* current process? */ 1977 if (pid == 0) { 1978 return; 1979 } 1980 1981 mutex_enter(&pidlock); 1982 p = prfind(pid); 1983 if (p == NULL || p->p_as == &kas || 1984 p->p_stat == SIDL || p->p_stat == SZOMB) { 1985 mutex_exit(&pidlock); 1986 return; 1987 } 1988 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1989 mutex_exit(&pidlock); 1990 1991 mutex_enter(&p->p_crlock); 1992 crhold(cr = p->p_cred); 1993 mutex_exit(&p->p_crlock); 1994 mutex_exit(&p->p_lock); 1995 1996 ainfo = crgetauinfo(cr); 1997 if (ainfo == NULL) { 1998 crfree(cr); 1999 return; 2000 } 2001 2002 uid = crgetuid(cr); 2003 gid = crgetgid(cr); 2004 ruid = crgetruid(cr); 2005 rgid = crgetrgid(cr); 2006 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2007 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2008 crfree(cr); 2009 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2010 break; 2011 2012 default: 2013 break; 2014 } 2015 } 2016 2017 2018 /*ARGSUSED*/ 2019 static void 2020 aus_setregid(struct t_audit_data *tad) 2021 { 2022 klwp_t *clwp = ttolwp(curthread); 2023 uint32_t rgid, egid; 2024 2025 struct a { 2026 long rgid; 2027 long egid; 2028 } *uap = (struct a *)clwp->lwp_ap; 2029 2030 rgid = (uint32_t)uap->rgid; 2031 egid = (uint32_t)uap->egid; 2032 2033 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2034 au_uwrite(au_to_arg32(2, "egid", egid)); 2035 } 2036 2037 /*ARGSUSED*/ 2038 static void 2039 aus_setgid(struct t_audit_data *tad) 2040 { 2041 klwp_t *clwp = ttolwp(curthread); 2042 uint32_t gid; 2043 2044 struct a { 2045 long gid; 2046 } *uap = (struct a *)clwp->lwp_ap; 2047 2048 gid = (uint32_t)uap->gid; 2049 2050 au_uwrite(au_to_arg32(1, "gid", gid)); 2051 } 2052 2053 2054 /*ARGSUSED*/ 2055 static void 2056 aus_setreuid(struct t_audit_data *tad) 2057 { 2058 klwp_t *clwp = ttolwp(curthread); 2059 uint32_t ruid, euid; 2060 2061 struct a { 2062 long ruid; 2063 long euid; 2064 } *uap = (struct a *)clwp->lwp_ap; 2065 2066 ruid = (uint32_t)uap->ruid; 2067 euid = (uint32_t)uap->euid; 2068 2069 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2070 au_uwrite(au_to_arg32(2, "euid", euid)); 2071 } 2072 2073 2074 /*ARGSUSED*/ 2075 static void 2076 aus_setuid(struct t_audit_data *tad) 2077 { 2078 klwp_t *clwp = ttolwp(curthread); 2079 uint32_t uid; 2080 2081 struct a { 2082 long uid; 2083 } *uap = (struct a *)clwp->lwp_ap; 2084 2085 uid = (uint32_t)uap->uid; 2086 2087 au_uwrite(au_to_arg32(1, "uid", uid)); 2088 } 2089 2090 /*ARGSUSED*/ 2091 static void 2092 aus_shmsys(struct t_audit_data *tad) 2093 { 2094 klwp_t *clwp = ttolwp(curthread); 2095 uint32_t id, cmd; 2096 2097 struct b { 2098 long id; 2099 long cmd; 2100 long buf; /* struct shmid_ds * */ 2101 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2102 2103 id = (uint32_t)uap1->id; 2104 cmd = (uint32_t)uap1->cmd; 2105 2106 switch (tad->tad_event) { 2107 case AUE_SHMGET: /* shmget */ 2108 au_uwrite(au_to_arg32(1, "shm key", id)); 2109 break; 2110 case AUE_SHMCTL: /* shmctl */ 2111 case AUE_SHMCTL_RMID: /* shmctl */ 2112 case AUE_SHMCTL_STAT: /* shmctl */ 2113 case AUE_SHMCTL_SET: /* shmctl */ 2114 au_uwrite(au_to_arg32(1, "shm ID", id)); 2115 break; 2116 case AUE_SHMDT: /* shmdt */ 2117 au_uwrite(au_to_arg32(1, "shm adr", id)); 2118 break; 2119 case AUE_SHMAT: /* shmat */ 2120 au_uwrite(au_to_arg32(1, "shm ID", id)); 2121 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2122 break; 2123 } 2124 } 2125 2126 /*ARGSUSED*/ 2127 static void 2128 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2129 { 2130 int id; 2131 2132 if (error != 0) 2133 return; 2134 if (tad->tad_event == AUE_SHMGET) { 2135 uint32_t scid; 2136 uint32_t sy_flags; 2137 2138 /* need to determine type of executing binary */ 2139 scid = tad->tad_scid; 2140 #ifdef _SYSCALL32_IMPL 2141 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2142 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2143 else 2144 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2145 #else 2146 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2147 #endif 2148 if (sy_flags == SE_32RVAL1) 2149 id = rval->r_val1; 2150 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2151 id = rval->r_val1; 2152 if (sy_flags == SE_64RVAL) 2153 id = (int)rval->r_vals; 2154 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2155 } 2156 } 2157 2158 2159 /*ARGSUSED*/ 2160 static void 2161 aus_ioctl(struct t_audit_data *tad) 2162 { 2163 klwp_t *clwp = ttolwp(curthread); 2164 struct file *fp; 2165 struct vnode *vp; 2166 struct f_audit_data *fad; 2167 uint32_t fd, cmd; 2168 uintptr_t cmarg; 2169 2170 /* XX64 */ 2171 struct a { 2172 long fd; 2173 long cmd; 2174 long cmarg; /* caddr_t */ 2175 } *uap = (struct a *)clwp->lwp_ap; 2176 2177 fd = (uint32_t)uap->fd; 2178 cmd = (uint32_t)uap->cmd; 2179 cmarg = (uintptr_t)uap->cmarg; 2180 2181 /* 2182 * convert file pointer to file descriptor 2183 * Note: fd ref count incremented here. 2184 */ 2185 if ((fp = getf(fd)) == NULL) { 2186 au_uwrite(au_to_arg32(1, "fd", fd)); 2187 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2188 #ifndef _LP64 2189 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2190 #else 2191 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2192 #endif 2193 return; 2194 } 2195 2196 /* get path from file struct here */ 2197 fad = F2A(fp); 2198 if (fad->fad_aupath != NULL) { 2199 au_uwrite(au_to_path(fad->fad_aupath)); 2200 } else { 2201 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2202 } 2203 2204 vp = fp->f_vnode; 2205 audit_attributes(vp); 2206 2207 /* decrement file descriptor reference count */ 2208 releasef(fd); 2209 2210 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2211 #ifndef _LP64 2212 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2213 #else 2214 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2215 #endif 2216 } 2217 2218 /* 2219 * null function for memcntl for now. We might want to limit memcntl() 2220 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2221 * require privileges. 2222 */ 2223 static au_event_t 2224 aui_memcntl(au_event_t e) 2225 { 2226 return (e); 2227 } 2228 2229 /*ARGSUSED*/ 2230 static au_event_t 2231 aui_privsys(au_event_t e) 2232 { 2233 klwp_t *clwp = ttolwp(curthread); 2234 2235 struct a { 2236 long opcode; 2237 } *uap = (struct a *)clwp->lwp_ap; 2238 2239 switch (uap->opcode) { 2240 case PRIVSYS_SETPPRIV: 2241 return (AUE_SETPPRIV); 2242 default: 2243 return (AUE_NULL); 2244 } 2245 } 2246 2247 /*ARGSUSED*/ 2248 static void 2249 aus_memcntl(struct t_audit_data *tad) 2250 { 2251 klwp_t *clwp = ttolwp(curthread); 2252 2253 struct a { 2254 long addr; 2255 long len; 2256 long cmd; 2257 long arg; 2258 long attr; 2259 long mask; 2260 } *uap = (struct a *)clwp->lwp_ap; 2261 2262 #ifdef _LP64 2263 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2264 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2265 #else 2266 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2267 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2268 #endif 2269 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2270 #ifdef _LP64 2271 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2272 #else 2273 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2274 #endif 2275 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2276 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2277 } 2278 2279 /*ARGSUSED*/ 2280 static void 2281 aus_mmap(struct t_audit_data *tad) 2282 { 2283 klwp_t *clwp = ttolwp(curthread); 2284 struct file *fp; 2285 struct f_audit_data *fad; 2286 struct vnode *vp; 2287 uint32_t fd; 2288 2289 struct a { 2290 long addr; 2291 long len; 2292 long prot; 2293 long flags; 2294 long fd; 2295 long pos; 2296 } *uap = (struct a *)clwp->lwp_ap; 2297 2298 fd = (uint32_t)uap->fd; 2299 2300 #ifdef _LP64 2301 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2302 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2303 #else 2304 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2305 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2306 #endif 2307 2308 if ((fp = getf(fd)) == NULL) { 2309 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2310 return; 2311 } 2312 2313 /* 2314 * Mark in the tad if write access is NOT requested... if 2315 * this is later detected (in audit_attributes) to be a 2316 * public object, the mmap event may be discarded. 2317 */ 2318 if (((uap->prot) & PROT_WRITE) == 0) { 2319 tad->tad_ctrl |= TAD_PUBLIC_EV; 2320 } 2321 2322 fad = F2A(fp); 2323 if (fad->fad_aupath != NULL) { 2324 au_uwrite(au_to_path(fad->fad_aupath)); 2325 } else { 2326 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2327 } 2328 2329 vp = (struct vnode *)fp->f_vnode; 2330 audit_attributes(vp); 2331 2332 /* mark READ/WRITE since we can't predict access */ 2333 if (uap->prot & PROT_READ) 2334 fad->fad_flags |= FAD_READ; 2335 if (uap->prot & PROT_WRITE) 2336 fad->fad_flags |= FAD_WRITE; 2337 2338 /* decrement file descriptor reference count */ 2339 releasef(fd); 2340 2341 } /* AUS_MMAP */ 2342 2343 2344 2345 2346 /*ARGSUSED*/ 2347 static void 2348 aus_munmap(struct t_audit_data *tad) 2349 { 2350 klwp_t *clwp = ttolwp(curthread); 2351 2352 struct a { 2353 long addr; 2354 long len; 2355 } *uap = (struct a *)clwp->lwp_ap; 2356 2357 #ifdef _LP64 2358 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2359 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2360 #else 2361 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2362 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2363 #endif 2364 2365 } /* AUS_MUNMAP */ 2366 2367 2368 2369 2370 2371 2372 2373 /*ARGSUSED*/ 2374 static void 2375 aus_priocntlsys(struct t_audit_data *tad) 2376 { 2377 klwp_t *clwp = ttolwp(curthread); 2378 2379 struct a { 2380 long pc_version; 2381 long psp; /* procset_t */ 2382 long cmd; 2383 long arg; 2384 } *uap = (struct a *)clwp->lwp_ap; 2385 2386 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2387 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2388 2389 } /* AUS_PRIOCNTLSYS */ 2390 2391 2392 /*ARGSUSED*/ 2393 static void 2394 aus_setegid(struct t_audit_data *tad) 2395 { 2396 klwp_t *clwp = ttolwp(curthread); 2397 uint32_t gid; 2398 2399 struct a { 2400 long gid; 2401 } *uap = (struct a *)clwp->lwp_ap; 2402 2403 gid = (uint32_t)uap->gid; 2404 2405 au_uwrite(au_to_arg32(1, "gid", gid)); 2406 } /* AUS_SETEGID */ 2407 2408 2409 2410 2411 /*ARGSUSED*/ 2412 static void 2413 aus_setgroups(struct t_audit_data *tad) 2414 { 2415 klwp_t *clwp = ttolwp(curthread); 2416 int i; 2417 int gidsetsize; 2418 uintptr_t gidset; 2419 gid_t *gidlist; 2420 2421 struct a { 2422 long gidsetsize; 2423 long gidset; 2424 } *uap = (struct a *)clwp->lwp_ap; 2425 2426 gidsetsize = (uint_t)uap->gidsetsize; 2427 gidset = (uintptr_t)uap->gidset; 2428 2429 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2430 return; 2431 if (gidsetsize != 0) { 2432 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2433 KM_SLEEP); 2434 if (copyin((caddr_t)gidset, gidlist, 2435 gidsetsize * sizeof (gid_t)) == 0) 2436 for (i = 0; i < gidsetsize; i++) 2437 au_uwrite(au_to_arg32(1, "setgroups", 2438 (uint32_t)gidlist[i])); 2439 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2440 } else 2441 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2442 2443 } /* AUS_SETGROUPS */ 2444 2445 2446 2447 2448 2449 /*ARGSUSED*/ 2450 static void 2451 aus_seteuid(struct t_audit_data *tad) 2452 { 2453 klwp_t *clwp = ttolwp(curthread); 2454 uint32_t uid; 2455 2456 struct a { 2457 long uid; 2458 } *uap = (struct a *)clwp->lwp_ap; 2459 2460 uid = (uint32_t)uap->uid; 2461 2462 au_uwrite(au_to_arg32(1, "euid", uid)); 2463 2464 } /* AUS_SETEUID */ 2465 2466 /*ARGSUSED*/ 2467 static void 2468 aus_putmsg(struct t_audit_data *tad) 2469 { 2470 klwp_t *clwp = ttolwp(curthread); 2471 uint32_t fd, pri; 2472 struct file *fp; 2473 struct f_audit_data *fad; 2474 2475 struct a { 2476 long fdes; 2477 long ctl; /* struct strbuf * */ 2478 long data; /* struct strbuf * */ 2479 long pri; 2480 } *uap = (struct a *)clwp->lwp_ap; 2481 2482 fd = (uint32_t)uap->fdes; 2483 pri = (uint32_t)uap->pri; 2484 2485 au_uwrite(au_to_arg32(1, "fd", fd)); 2486 2487 if ((fp = getf(fd)) != NULL) { 2488 fad = F2A(fp); 2489 2490 fad->fad_flags |= FAD_WRITE; 2491 2492 /* add path name to audit record */ 2493 if (fad->fad_aupath != NULL) { 2494 au_uwrite(au_to_path(fad->fad_aupath)); 2495 } 2496 audit_attributes(fp->f_vnode); 2497 2498 releasef(fd); 2499 } 2500 2501 au_uwrite(au_to_arg32(4, "pri", pri)); 2502 } 2503 2504 /*ARGSUSED*/ 2505 static void 2506 aus_putpmsg(struct t_audit_data *tad) 2507 { 2508 klwp_t *clwp = ttolwp(curthread); 2509 uint32_t fd, pri, flags; 2510 struct file *fp; 2511 struct f_audit_data *fad; 2512 2513 struct a { 2514 long fdes; 2515 long ctl; /* struct strbuf * */ 2516 long data; /* struct strbuf * */ 2517 long pri; 2518 long flags; 2519 } *uap = (struct a *)clwp->lwp_ap; 2520 2521 fd = (uint32_t)uap->fdes; 2522 pri = (uint32_t)uap->pri; 2523 flags = (uint32_t)uap->flags; 2524 2525 au_uwrite(au_to_arg32(1, "fd", fd)); 2526 2527 if ((fp = getf(fd)) != NULL) { 2528 fad = F2A(fp); 2529 2530 fad->fad_flags |= FAD_WRITE; 2531 2532 /* add path name to audit record */ 2533 if (fad->fad_aupath != NULL) { 2534 au_uwrite(au_to_path(fad->fad_aupath)); 2535 } 2536 audit_attributes(fp->f_vnode); 2537 2538 releasef(fd); 2539 } 2540 2541 2542 au_uwrite(au_to_arg32(4, "pri", pri)); 2543 au_uwrite(au_to_arg32(5, "flags", flags)); 2544 } 2545 2546 /*ARGSUSED*/ 2547 static void 2548 aus_getmsg(struct t_audit_data *tad) 2549 { 2550 klwp_t *clwp = ttolwp(curthread); 2551 uint32_t fd, pri; 2552 struct file *fp; 2553 struct f_audit_data *fad; 2554 2555 struct a { 2556 long fdes; 2557 long ctl; /* struct strbuf * */ 2558 long data; /* struct strbuf * */ 2559 long pri; 2560 } *uap = (struct a *)clwp->lwp_ap; 2561 2562 fd = (uint32_t)uap->fdes; 2563 pri = (uint32_t)uap->pri; 2564 2565 au_uwrite(au_to_arg32(1, "fd", fd)); 2566 2567 if ((fp = getf(fd)) != NULL) { 2568 fad = F2A(fp); 2569 2570 /* 2571 * read operation on this object 2572 */ 2573 fad->fad_flags |= FAD_READ; 2574 2575 /* add path name to audit record */ 2576 if (fad->fad_aupath != NULL) { 2577 au_uwrite(au_to_path(fad->fad_aupath)); 2578 } 2579 audit_attributes(fp->f_vnode); 2580 2581 releasef(fd); 2582 } 2583 2584 au_uwrite(au_to_arg32(4, "pri", pri)); 2585 } 2586 2587 /*ARGSUSED*/ 2588 static void 2589 aus_getpmsg(struct t_audit_data *tad) 2590 { 2591 klwp_t *clwp = ttolwp(curthread); 2592 uint32_t fd; 2593 struct file *fp; 2594 struct f_audit_data *fad; 2595 2596 struct a { 2597 long fdes; 2598 long ctl; /* struct strbuf * */ 2599 long data; /* struct strbuf * */ 2600 long pri; 2601 long flags; 2602 } *uap = (struct a *)clwp->lwp_ap; 2603 2604 fd = (uint32_t)uap->fdes; 2605 2606 au_uwrite(au_to_arg32(1, "fd", fd)); 2607 2608 if ((fp = getf(fd)) != NULL) { 2609 fad = F2A(fp); 2610 2611 /* 2612 * read operation on this object 2613 */ 2614 fad->fad_flags |= FAD_READ; 2615 2616 /* add path name to audit record */ 2617 if (fad->fad_aupath != NULL) { 2618 au_uwrite(au_to_path(fad->fad_aupath)); 2619 } 2620 audit_attributes(fp->f_vnode); 2621 2622 releasef(fd); 2623 } 2624 } 2625 2626 static au_event_t 2627 aui_labelsys(au_event_t e) 2628 { 2629 klwp_t *clwp = ttolwp(curthread); 2630 uint32_t code; 2631 uint32_t cmd; 2632 2633 struct a { 2634 long code; 2635 long cmd; 2636 } *uap = (struct a *)clwp->lwp_ap; 2637 2638 code = (uint32_t)uap->code; 2639 cmd = (uint32_t)uap->cmd; 2640 2641 /* not security relevant if not changing kernel cache */ 2642 if (cmd == TNDB_GET) 2643 return (AUE_NULL); 2644 2645 switch (code) { 2646 case TSOL_TNRH: 2647 e = AUE_LABELSYS_TNRH; 2648 break; 2649 case TSOL_TNRHTP: 2650 e = AUE_LABELSYS_TNRHTP; 2651 break; 2652 case TSOL_TNMLP: 2653 e = AUE_LABELSYS_TNMLP; 2654 break; 2655 default: 2656 e = AUE_NULL; 2657 break; 2658 } 2659 2660 return (e); 2661 2662 } 2663 2664 static void 2665 aus_labelsys(struct t_audit_data *tad) 2666 { 2667 klwp_t *clwp = ttolwp(curthread); 2668 uint32_t cmd; 2669 uintptr_t a2; 2670 2671 struct a { 2672 long code; 2673 long cmd; 2674 long a2; 2675 } *uap = (struct a *)clwp->lwp_ap; 2676 2677 cmd = (uint32_t)uap->cmd; 2678 a2 = (uintptr_t)uap->a2; 2679 2680 switch (tad->tad_event) { 2681 case AUE_LABELSYS_TNRH: 2682 { 2683 tsol_rhent_t *rhent; 2684 tnaddr_t *rh_addr; 2685 2686 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2687 2688 /* Remaining args don't apply for FLUSH, so skip */ 2689 if (cmd == TNDB_FLUSH) 2690 break; 2691 2692 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2693 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2694 kmem_free(rhent, sizeof (tsol_rhent_t)); 2695 return; 2696 } 2697 2698 rh_addr = &rhent->rh_address; 2699 if (rh_addr->ta_family == AF_INET) { 2700 struct in_addr *ipaddr; 2701 2702 ipaddr = &(rh_addr->ta_addr_v4); 2703 au_uwrite(au_to_in_addr(ipaddr)); 2704 } else if (rh_addr->ta_family == AF_INET6) { 2705 int32_t *ipaddr; 2706 2707 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2708 au_uwrite(au_to_in_addr_ex(ipaddr)); 2709 } 2710 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2711 2712 kmem_free(rhent, sizeof (tsol_rhent_t)); 2713 2714 break; 2715 } 2716 case AUE_LABELSYS_TNRHTP: 2717 { 2718 tsol_tpent_t *tpent; 2719 2720 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2721 2722 /* Remaining args don't apply for FLUSH, so skip */ 2723 if (cmd == TNDB_FLUSH) 2724 break; 2725 2726 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2727 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2728 kmem_free(tpent, sizeof (tsol_tpent_t)); 2729 return; 2730 } 2731 2732 /* Make sure that the template name is null-terminated. */ 2733 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2734 2735 au_uwrite(au_to_text(tpent->name)); 2736 kmem_free(tpent, sizeof (tsol_tpent_t)); 2737 2738 break; 2739 } 2740 case AUE_LABELSYS_TNMLP: 2741 { 2742 tsol_mlpent_t *mlpent; 2743 2744 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2745 2746 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2747 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2748 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2749 return; 2750 } 2751 2752 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2753 au_uwrite(au_to_text("shared")); 2754 } else { 2755 zone_t *zone; 2756 2757 zone = zone_find_by_id(mlpent->tsme_zoneid); 2758 if (zone != NULL) { 2759 au_uwrite(au_to_text(zone->zone_name)); 2760 zone_rele(zone); 2761 } 2762 } 2763 2764 /* Remaining args don't apply for FLUSH, so skip */ 2765 if (cmd == TNDB_FLUSH) { 2766 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2767 break; 2768 } 2769 2770 au_uwrite(au_to_arg32(2, "proto num", 2771 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2772 au_uwrite(au_to_arg32(2, "mlp_port", 2773 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2774 2775 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2776 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2777 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2778 2779 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2780 2781 break; 2782 } 2783 default: 2784 break; 2785 } 2786 } 2787 2788 2789 static au_event_t 2790 aui_auditsys(au_event_t e) 2791 { 2792 klwp_t *clwp = ttolwp(curthread); 2793 uint32_t code; 2794 2795 struct a { 2796 long code; 2797 long a1; 2798 long a2; 2799 long a3; 2800 long a4; 2801 long a5; 2802 long a6; 2803 long a7; 2804 } *uap = (struct a *)clwp->lwp_ap; 2805 2806 code = (uint32_t)uap->code; 2807 2808 switch (code) { 2809 2810 case BSM_GETAUID: 2811 e = AUE_GETAUID; 2812 break; 2813 case BSM_SETAUID: 2814 e = AUE_SETAUID; 2815 break; 2816 case BSM_GETAUDIT: 2817 e = AUE_GETAUDIT; 2818 break; 2819 case BSM_GETAUDIT_ADDR: 2820 e = AUE_GETAUDIT_ADDR; 2821 break; 2822 case BSM_SETAUDIT: 2823 e = AUE_SETAUDIT; 2824 break; 2825 case BSM_SETAUDIT_ADDR: 2826 e = AUE_SETAUDIT_ADDR; 2827 break; 2828 case BSM_AUDIT: 2829 e = AUE_AUDIT; 2830 break; 2831 case BSM_AUDITCTL: 2832 switch ((uint_t)uap->a1) { 2833 2834 case A_GETPOLICY: 2835 e = AUE_AUDITON_GPOLICY; 2836 break; 2837 case A_SETPOLICY: 2838 e = AUE_AUDITON_SPOLICY; 2839 break; 2840 case A_GETKMASK: 2841 e = AUE_AUDITON_GETKMASK; 2842 break; 2843 case A_SETKMASK: 2844 e = AUE_AUDITON_SETKMASK; 2845 break; 2846 case A_GETQCTRL: 2847 e = AUE_AUDITON_GQCTRL; 2848 break; 2849 case A_SETQCTRL: 2850 e = AUE_AUDITON_SQCTRL; 2851 break; 2852 case A_GETCWD: 2853 e = AUE_AUDITON_GETCWD; 2854 break; 2855 case A_GETCAR: 2856 e = AUE_AUDITON_GETCAR; 2857 break; 2858 case A_GETSTAT: 2859 e = AUE_AUDITON_GETSTAT; 2860 break; 2861 case A_SETSTAT: 2862 e = AUE_AUDITON_SETSTAT; 2863 break; 2864 case A_SETUMASK: 2865 e = AUE_AUDITON_SETUMASK; 2866 break; 2867 case A_SETSMASK: 2868 e = AUE_AUDITON_SETSMASK; 2869 break; 2870 case A_GETCOND: 2871 e = AUE_AUDITON_GETCOND; 2872 break; 2873 case A_SETCOND: 2874 e = AUE_AUDITON_SETCOND; 2875 break; 2876 case A_GETCLASS: 2877 e = AUE_AUDITON_GETCLASS; 2878 break; 2879 case A_SETCLASS: 2880 e = AUE_AUDITON_SETCLASS; 2881 break; 2882 default: 2883 e = AUE_NULL; 2884 break; 2885 } 2886 break; 2887 default: 2888 e = AUE_NULL; 2889 break; 2890 } 2891 2892 return (e); 2893 2894 } /* AUI_AUDITSYS */ 2895 2896 2897 static void 2898 aus_auditsys(struct t_audit_data *tad) 2899 { 2900 klwp_t *clwp = ttolwp(curthread); 2901 uintptr_t a1, a2; 2902 STRUCT_DECL(auditinfo, ainfo); 2903 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2904 au_evclass_map_t event; 2905 au_mask_t mask; 2906 int auditstate, policy; 2907 au_id_t auid; 2908 2909 2910 struct a { 2911 long code; 2912 long a1; 2913 long a2; 2914 long a3; 2915 long a4; 2916 long a5; 2917 long a6; 2918 long a7; 2919 } *uap = (struct a *)clwp->lwp_ap; 2920 2921 a1 = (uintptr_t)uap->a1; 2922 a2 = (uintptr_t)uap->a2; 2923 2924 switch (tad->tad_event) { 2925 case AUE_SETAUID: 2926 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2927 return; 2928 au_uwrite(au_to_arg32(2, "setauid", auid)); 2929 break; 2930 case AUE_SETAUDIT: 2931 STRUCT_INIT(ainfo, get_udatamodel()); 2932 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2933 STRUCT_SIZE(ainfo))) { 2934 return; 2935 } 2936 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2937 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2938 #ifdef _LP64 2939 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2940 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2941 #else 2942 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2943 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2944 #endif 2945 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2946 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2947 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2948 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2949 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2950 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2951 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2952 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2953 break; 2954 case AUE_SETAUDIT_ADDR: 2955 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2956 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2957 STRUCT_SIZE(ainfo_addr))) { 2958 return; 2959 } 2960 au_uwrite(au_to_arg32((char)1, "auid", 2961 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2962 #ifdef _LP64 2963 au_uwrite(au_to_arg64((char)1, "port", 2964 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2965 #else 2966 au_uwrite(au_to_arg32((char)1, "port", 2967 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2968 #endif 2969 au_uwrite(au_to_arg32((char)1, "type", 2970 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2971 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2972 AU_IPv4) { 2973 au_uwrite(au_to_in_addr( 2974 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2975 ai_termid.at_addr))); 2976 } else { 2977 au_uwrite(au_to_in_addr_ex( 2978 (int32_t *)STRUCT_FGETP(ainfo_addr, 2979 ai_termid.at_addr))); 2980 } 2981 au_uwrite(au_to_arg32((char)1, "as_success", 2982 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2983 au_uwrite(au_to_arg32((char)1, "as_failure", 2984 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2985 au_uwrite(au_to_arg32((char)1, "asid", 2986 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2987 break; 2988 case AUE_AUDITON_SETKMASK: 2989 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2990 return; 2991 au_uwrite(au_to_arg32( 2992 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2993 au_uwrite(au_to_arg32( 2994 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2995 break; 2996 case AUE_AUDITON_SPOLICY: 2997 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2998 return; 2999 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3000 break; 3001 case AUE_AUDITON_SQCTRL: { 3002 STRUCT_DECL(au_qctrl, qctrl); 3003 model_t model; 3004 3005 model = get_udatamodel(); 3006 STRUCT_INIT(qctrl, model); 3007 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3008 return; 3009 if (model == DATAMODEL_ILP32) { 3010 au_uwrite(au_to_arg32( 3011 3, "setqctrl:aq_hiwater", 3012 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3013 au_uwrite(au_to_arg32( 3014 3, "setqctrl:aq_lowater", 3015 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3016 au_uwrite(au_to_arg32( 3017 3, "setqctrl:aq_bufsz", 3018 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3019 au_uwrite(au_to_arg32( 3020 3, "setqctrl:aq_delay", 3021 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3022 } else { 3023 au_uwrite(au_to_arg64( 3024 3, "setqctrl:aq_hiwater", 3025 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3026 au_uwrite(au_to_arg64( 3027 3, "setqctrl:aq_lowater", 3028 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3029 au_uwrite(au_to_arg64( 3030 3, "setqctrl:aq_bufsz", 3031 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3032 au_uwrite(au_to_arg64( 3033 3, "setqctrl:aq_delay", 3034 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3035 } 3036 break; 3037 } 3038 case AUE_AUDITON_SETUMASK: 3039 STRUCT_INIT(ainfo, get_udatamodel()); 3040 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3041 STRUCT_SIZE(ainfo))) { 3042 return; 3043 } 3044 au_uwrite(au_to_arg32(3, "setumask:as_success", 3045 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3046 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3047 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3048 break; 3049 case AUE_AUDITON_SETSMASK: 3050 STRUCT_INIT(ainfo, get_udatamodel()); 3051 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3052 STRUCT_SIZE(ainfo))) { 3053 return; 3054 } 3055 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3056 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3057 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3058 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3059 break; 3060 case AUE_AUDITON_SETCOND: 3061 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3062 return; 3063 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3064 break; 3065 case AUE_AUDITON_SETCLASS: 3066 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3067 return; 3068 au_uwrite(au_to_arg32( 3069 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3070 au_uwrite(au_to_arg32( 3071 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3072 break; 3073 case AUE_GETAUID: 3074 case AUE_GETAUDIT: 3075 case AUE_GETAUDIT_ADDR: 3076 case AUE_AUDIT: 3077 case AUE_AUDITON_GPOLICY: 3078 case AUE_AUDITON_GQCTRL: 3079 case AUE_AUDITON_GETKMASK: 3080 case AUE_AUDITON_GETCWD: 3081 case AUE_AUDITON_GETCAR: 3082 case AUE_AUDITON_GETSTAT: 3083 case AUE_AUDITON_SETSTAT: 3084 case AUE_AUDITON_GETCOND: 3085 case AUE_AUDITON_GETCLASS: 3086 break; 3087 default: 3088 break; 3089 } 3090 3091 } /* AUS_AUDITSYS */ 3092 3093 3094 /* only audit privileged operations for systeminfo(2) system call */ 3095 static au_event_t 3096 aui_sysinfo(au_event_t e) 3097 { 3098 klwp_t *clwp = ttolwp(curthread); 3099 uint32_t command; 3100 3101 struct a { 3102 long command; 3103 long buf; /* char * */ 3104 long count; 3105 } *uap = (struct a *)clwp->lwp_ap; 3106 3107 command = (uint32_t)uap->command; 3108 3109 switch (command) { 3110 case SI_SET_HOSTNAME: 3111 case SI_SET_SRPC_DOMAIN: 3112 e = (au_event_t)AUE_SYSINFO; 3113 break; 3114 default: 3115 e = (au_event_t)AUE_NULL; 3116 break; 3117 } 3118 return (e); 3119 } 3120 3121 /*ARGSUSED*/ 3122 static void 3123 aus_sysinfo(struct t_audit_data *tad) 3124 { 3125 klwp_t *clwp = ttolwp(curthread); 3126 uint32_t command; 3127 size_t len, maxlen; 3128 char *name; 3129 uintptr_t buf; 3130 3131 struct a { 3132 long command; 3133 long buf; /* char * */ 3134 long count; 3135 } *uap = (struct a *)clwp->lwp_ap; 3136 3137 command = (uint32_t)uap->command; 3138 buf = (uintptr_t)uap->buf; 3139 3140 au_uwrite(au_to_arg32(1, "cmd", command)); 3141 3142 switch (command) { 3143 case SI_SET_HOSTNAME: 3144 { 3145 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3146 return; 3147 3148 maxlen = SYS_NMLN; 3149 name = kmem_alloc(maxlen, KM_SLEEP); 3150 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3151 break; 3152 3153 /* 3154 * Must be non-NULL string and string 3155 * must be less than SYS_NMLN chars. 3156 */ 3157 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3158 break; 3159 3160 au_uwrite(au_to_text(name)); 3161 break; 3162 } 3163 3164 case SI_SET_SRPC_DOMAIN: 3165 { 3166 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3167 return; 3168 3169 maxlen = SYS_NMLN; 3170 name = kmem_alloc(maxlen, KM_SLEEP); 3171 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3172 break; 3173 3174 /* 3175 * If string passed in is longer than length 3176 * allowed for domain name, fail. 3177 */ 3178 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3179 break; 3180 3181 au_uwrite(au_to_text(name)); 3182 break; 3183 } 3184 3185 default: 3186 return; 3187 } 3188 3189 kmem_free(name, maxlen); 3190 } 3191 3192 static au_event_t 3193 aui_modctl(au_event_t e) 3194 { 3195 klwp_t *clwp = ttolwp(curthread); 3196 uint_t cmd; 3197 3198 struct a { 3199 long cmd; 3200 } *uap = (struct a *)clwp->lwp_ap; 3201 3202 cmd = (uint_t)uap->cmd; 3203 3204 switch (cmd) { 3205 case MODLOAD: 3206 e = AUE_MODLOAD; 3207 break; 3208 case MODUNLOAD: 3209 e = AUE_MODUNLOAD; 3210 break; 3211 case MODADDMAJBIND: 3212 e = AUE_MODADDMAJ; 3213 break; 3214 case MODSETDEVPOLICY: 3215 e = AUE_MODDEVPLCY; 3216 break; 3217 case MODALLOCPRIV: 3218 e = AUE_MODADDPRIV; 3219 break; 3220 default: 3221 e = AUE_NULL; 3222 break; 3223 } 3224 return (e); 3225 } 3226 3227 3228 /*ARGSUSED*/ 3229 static void 3230 aus_modctl(struct t_audit_data *tad) 3231 { 3232 klwp_t *clwp = ttolwp(curthread); 3233 void *a = clwp->lwp_ap; 3234 uint_t use_path; 3235 3236 switch (tad->tad_event) { 3237 case AUE_MODLOAD: { 3238 typedef struct { 3239 long cmd; 3240 long use_path; 3241 long filename; /* char * */ 3242 } modloada_t; 3243 3244 char *filenamep; 3245 uintptr_t fname; 3246 extern char *default_path; 3247 3248 fname = (uintptr_t)((modloada_t *)a)->filename; 3249 use_path = (uint_t)((modloada_t *)a)->use_path; 3250 3251 /* space to hold path */ 3252 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3253 /* get string */ 3254 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3255 /* free allocated path */ 3256 kmem_free(filenamep, MOD_MAXPATH); 3257 return; 3258 } 3259 /* ensure it's null terminated */ 3260 filenamep[MOD_MAXPATH - 1] = 0; 3261 3262 if (use_path) 3263 au_uwrite(au_to_text(default_path)); 3264 au_uwrite(au_to_text(filenamep)); 3265 3266 /* release temporary memory */ 3267 kmem_free(filenamep, MOD_MAXPATH); 3268 break; 3269 } 3270 case AUE_MODUNLOAD: { 3271 typedef struct { 3272 long cmd; 3273 long id; 3274 } modunloada_t; 3275 3276 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3277 3278 au_uwrite(au_to_arg32(1, "id", id)); 3279 break; 3280 } 3281 case AUE_MODADDMAJ: { 3282 STRUCT_DECL(modconfig, mc); 3283 typedef struct { 3284 long cmd; 3285 long subcmd; 3286 long data; /* int * */ 3287 } modconfiga_t; 3288 3289 STRUCT_DECL(aliases, alias); 3290 caddr_t ap; 3291 int i, num_aliases; 3292 char *drvname, *mc_drvname; 3293 char *name; 3294 extern char *ddi_major_to_name(major_t); 3295 model_t model; 3296 3297 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3298 3299 model = get_udatamodel(); 3300 STRUCT_INIT(mc, model); 3301 /* sanitize buffer */ 3302 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3303 /* get user arguments */ 3304 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3305 STRUCT_SIZE(mc)) != 0) 3306 return; 3307 3308 mc_drvname = STRUCT_FGET(mc, drvname); 3309 if ((drvname = ddi_major_to_name( 3310 (major_t)STRUCT_FGET(mc, major))) != NULL && 3311 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3312 /* safety */ 3313 if (mc_drvname[0] != '\0') { 3314 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3315 au_uwrite(au_to_text(mc_drvname)); 3316 } 3317 /* drvname != NULL from test above */ 3318 au_uwrite(au_to_text(drvname)); 3319 return; 3320 } 3321 3322 if (mc_drvname[0] != '\0') { 3323 /* safety */ 3324 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3325 au_uwrite(au_to_text(mc_drvname)); 3326 } else 3327 au_uwrite(au_to_text("no drvname")); 3328 3329 num_aliases = STRUCT_FGET(mc, num_aliases); 3330 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3331 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3332 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3333 STRUCT_INIT(alias, model); 3334 for (i = 0; i < num_aliases; i++) { 3335 bzero((caddr_t)STRUCT_BUF(alias), 3336 STRUCT_SIZE(alias)); 3337 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3338 STRUCT_SIZE(alias)) != 0) 3339 break; 3340 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3341 MAXMODCONFNAME, NULL) != 0) { 3342 break; 3343 } 3344 3345 au_uwrite(au_to_text(name)); 3346 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3347 } 3348 kmem_free(name, MAXMODCONFNAME); 3349 break; 3350 } 3351 default: 3352 break; 3353 } 3354 } 3355 3356 3357 /*ARGSUSED*/ 3358 static void 3359 auf_accept( 3360 struct t_audit_data *tad, 3361 int error, 3362 rval_t *rval) 3363 { 3364 uint32_t scid; 3365 uint32_t sy_flags; 3366 int fd; 3367 struct sonode *so; 3368 char so_laddr[sizeof (struct sockaddr_in6)]; 3369 char so_faddr[sizeof (struct sockaddr_in6)]; 3370 int err; 3371 short so_family, so_type; 3372 int add_sock_token = 0; 3373 3374 /* need to determine type of executing binary */ 3375 scid = tad->tad_scid; 3376 #ifdef _SYSCALL32_IMPL 3377 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3378 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3379 else 3380 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3381 #else 3382 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3383 #endif 3384 if (sy_flags == SE_32RVAL1) 3385 fd = rval->r_val1; 3386 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3387 fd = rval->r_val1; 3388 if (sy_flags == SE_64RVAL) 3389 fd = (int)rval->r_vals; 3390 3391 if (error) { 3392 /* can't trust socket contents. Just return */ 3393 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3394 return; 3395 } 3396 3397 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3398 /* 3399 * not security relevant if doing a accept from non socket 3400 * so no extra tokens. Should probably turn off audit record 3401 * generation here. 3402 */ 3403 return; 3404 } 3405 3406 so_family = so->so_family; 3407 so_type = so->so_type; 3408 3409 switch (so_family) { 3410 case AF_INET: 3411 case AF_INET6: 3412 /* 3413 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3414 */ 3415 if (so->so_type == SOCK_STREAM) { 3416 socklen_t len; 3417 3418 bzero((void *)so_laddr, sizeof (so_laddr)); 3419 bzero((void *)so_faddr, sizeof (so_faddr)); 3420 3421 len = sizeof (so_laddr); 3422 (void) socket_getsockname(so, 3423 (struct sockaddr *)so_laddr, &len, CRED()); 3424 len = sizeof (so_faddr); 3425 (void) socket_getpeername(so, 3426 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3427 3428 add_sock_token = 1; 3429 } 3430 break; 3431 3432 default: 3433 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3434 break; 3435 } 3436 3437 releasef(fd); 3438 3439 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3440 3441 if (add_sock_token == 0) { 3442 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3443 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3444 return; 3445 } 3446 3447 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3448 3449 } 3450 3451 /*ARGSUSED*/ 3452 static void 3453 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3454 { 3455 struct a { 3456 long fd; 3457 long addr; 3458 long len; 3459 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3460 3461 struct sonode *so; 3462 char so_laddr[sizeof (struct sockaddr_in6)]; 3463 char so_faddr[sizeof (struct sockaddr_in6)]; 3464 int err, fd; 3465 socklen_t len; 3466 short so_family, so_type; 3467 int add_sock_token = 0; 3468 3469 fd = (int)uap->fd; 3470 3471 /* 3472 * bind failed, then nothing extra to add to audit record. 3473 */ 3474 if (error) { 3475 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3476 /* XXX may want to add failed address some day */ 3477 return; 3478 } 3479 3480 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3481 /* 3482 * not security relevant if doing a bind from non socket 3483 * so no extra tokens. Should probably turn off audit record 3484 * generation here. 3485 */ 3486 return; 3487 } 3488 3489 so_family = so->so_family; 3490 so_type = so->so_type; 3491 3492 switch (so_family) { 3493 case AF_INET: 3494 case AF_INET6: 3495 3496 bzero(so_faddr, sizeof (so_faddr)); 3497 len = sizeof (so_faddr); 3498 3499 (void) socket_getpeername(so, 3500 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3501 add_sock_token = 1; 3502 3503 break; 3504 3505 case AF_UNIX: 3506 /* token added by lookup */ 3507 break; 3508 default: 3509 /* AF_ROUTE, AF_KEY do not support accept */ 3510 break; 3511 } 3512 3513 releasef(fd); 3514 3515 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3516 3517 if (add_sock_token == 0) { 3518 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3519 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3520 return; 3521 } 3522 3523 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3524 3525 } 3526 3527 /*ARGSUSED*/ 3528 static void 3529 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3530 { 3531 struct a { 3532 long fd; 3533 long addr; 3534 long len; 3535 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3536 3537 struct sonode *so; 3538 char so_laddr[sizeof (struct sockaddr_in6)]; 3539 char so_faddr[sizeof (struct sockaddr_in6)]; 3540 int err, fd; 3541 socklen_t len; 3542 short so_family, so_type; 3543 int add_sock_token = 0; 3544 3545 fd = (int)uap->fd; 3546 3547 3548 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3549 /* 3550 * not security relevant if doing a connect from non socket 3551 * so no extra tokens. Should probably turn off audit record 3552 * generation here. 3553 */ 3554 return; 3555 } 3556 3557 so_family = so->so_family; 3558 so_type = so->so_type; 3559 3560 switch (so_family) { 3561 case AF_INET: 3562 case AF_INET6: 3563 3564 bzero(so_laddr, sizeof (so_laddr)); 3565 bzero(so_faddr, sizeof (so_faddr)); 3566 3567 len = sizeof (so_laddr); 3568 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3569 &len, CRED()); 3570 if (error) { 3571 if (uap->addr == NULL) 3572 break; 3573 if (uap->len <= 0) 3574 break; 3575 len = min(uap->len, sizeof (so_faddr)); 3576 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3577 break; 3578 #ifdef NOTYET 3579 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3580 #endif 3581 } else { 3582 /* sanity check on length */ 3583 len = sizeof (so_faddr); 3584 (void) socket_getpeername(so, 3585 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3586 } 3587 3588 add_sock_token = 1; 3589 3590 break; 3591 3592 case AF_UNIX: 3593 /* does a lookup on name */ 3594 break; 3595 3596 default: 3597 /* AF_ROUTE, AF_KEY do not support accept */ 3598 break; 3599 } 3600 3601 releasef(fd); 3602 3603 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3604 3605 if (add_sock_token == 0) { 3606 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3607 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3608 return; 3609 } 3610 3611 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3612 3613 } 3614 3615 /*ARGSUSED*/ 3616 static void 3617 aus_shutdown(struct t_audit_data *tad) 3618 { 3619 struct a { 3620 long fd; 3621 long how; 3622 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3623 3624 struct sonode *so; 3625 char so_laddr[sizeof (struct sockaddr_in6)]; 3626 char so_faddr[sizeof (struct sockaddr_in6)]; 3627 int err, fd; 3628 socklen_t len; 3629 short so_family, so_type; 3630 int add_sock_token = 0; 3631 file_t *fp; /* unix domain sockets */ 3632 struct f_audit_data *fad; /* unix domain sockets */ 3633 3634 fd = (int)uap->fd; 3635 3636 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3637 /* 3638 * not security relevant if doing a shutdown using non socket 3639 * so no extra tokens. Should probably turn off audit record 3640 * generation here. 3641 */ 3642 return; 3643 } 3644 3645 so_family = so->so_family; 3646 so_type = so->so_type; 3647 3648 switch (so_family) { 3649 case AF_INET: 3650 case AF_INET6: 3651 3652 bzero(so_laddr, sizeof (so_laddr)); 3653 bzero(so_faddr, sizeof (so_faddr)); 3654 3655 len = sizeof (so_laddr); 3656 (void) socket_getsockname(so, 3657 (struct sockaddr *)so_laddr, &len, CRED()); 3658 len = sizeof (so_faddr); 3659 (void) socket_getpeername(so, 3660 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3661 3662 add_sock_token = 1; 3663 3664 break; 3665 3666 case AF_UNIX: 3667 3668 /* get path from file struct here */ 3669 fad = F2A(fp); 3670 ASSERT(fad); 3671 3672 if (fad->fad_aupath != NULL) { 3673 au_uwrite(au_to_path(fad->fad_aupath)); 3674 } else { 3675 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3676 } 3677 3678 audit_attributes(fp->f_vnode); 3679 3680 break; 3681 3682 default: 3683 /* 3684 * AF_KEY and AF_ROUTE support shutdown. No socket token 3685 * added. 3686 */ 3687 break; 3688 } 3689 3690 releasef(fd); 3691 3692 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3693 3694 if (add_sock_token == 0) { 3695 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3696 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3697 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3698 return; 3699 } 3700 3701 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3702 3703 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3704 3705 } 3706 3707 /*ARGSUSED*/ 3708 static void 3709 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3710 { 3711 struct a { 3712 long fd; 3713 long level; 3714 long optname; 3715 long *optval; 3716 long optlen; 3717 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3718 3719 struct sonode *so; 3720 char so_laddr[sizeof (struct sockaddr_in6)]; 3721 char so_faddr[sizeof (struct sockaddr_in6)]; 3722 char val[AU_BUFSIZE]; 3723 int err, fd; 3724 socklen_t len; 3725 short so_family, so_type; 3726 int add_sock_token = 0; 3727 file_t *fp; /* unix domain sockets */ 3728 struct f_audit_data *fad; /* unix domain sockets */ 3729 3730 fd = (int)uap->fd; 3731 3732 if (error) { 3733 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3734 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3735 /* XXX may want to include other arguments */ 3736 return; 3737 } 3738 3739 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3740 /* 3741 * not security relevant if doing a setsockopt from non socket 3742 * so no extra tokens. Should probably turn off audit record 3743 * generation here. 3744 */ 3745 return; 3746 } 3747 3748 so_family = so->so_family; 3749 so_type = so->so_type; 3750 3751 switch (so_family) { 3752 case AF_INET: 3753 case AF_INET6: 3754 bzero((void *)so_laddr, sizeof (so_laddr)); 3755 bzero((void *)so_faddr, sizeof (so_faddr)); 3756 3757 /* get local and foreign addresses */ 3758 len = sizeof (so_laddr); 3759 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3760 &len, CRED()); 3761 len = sizeof (so_faddr); 3762 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3763 &len, B_FALSE, CRED()); 3764 3765 add_sock_token = 1; 3766 3767 break; 3768 3769 case AF_UNIX: 3770 3771 /* get path from file struct here */ 3772 fad = F2A(fp); 3773 ASSERT(fad); 3774 3775 if (fad->fad_aupath != NULL) { 3776 au_uwrite(au_to_path(fad->fad_aupath)); 3777 } else { 3778 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3779 } 3780 3781 audit_attributes(fp->f_vnode); 3782 3783 break; 3784 3785 default: 3786 /* 3787 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3788 * added. 3789 */ 3790 break; 3791 } 3792 3793 releasef(fd); 3794 3795 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3796 3797 if (add_sock_token == 0) { 3798 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3799 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3800 } 3801 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3802 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3803 3804 bzero(val, sizeof (val)); 3805 len = min(uap->optlen, sizeof (val)); 3806 if ((len > 0) && 3807 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3808 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3809 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3810 } 3811 3812 if (add_sock_token == 0) 3813 return; 3814 3815 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3816 3817 } 3818 3819 /*ARGSUSED*/ 3820 static void 3821 aus_sockconfig(tad) 3822 struct t_audit_data *tad; 3823 { 3824 struct a { 3825 long domain; 3826 long type; 3827 long protocol; 3828 long devpath; 3829 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3830 3831 char *kdevpath; 3832 int kdevpathlen = MAXPATHLEN + 1; 3833 size_t size; 3834 3835 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3836 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3837 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3838 3839 if (uap->devpath == 0) { 3840 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3841 } else { 3842 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3843 3844 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3845 &size)) { 3846 kmem_free(kdevpath, kdevpathlen); 3847 return; 3848 } 3849 3850 if (size > MAXPATHLEN) { 3851 kmem_free(kdevpath, kdevpathlen); 3852 return; 3853 } 3854 3855 au_uwrite(au_to_text(kdevpath)); 3856 kmem_free(kdevpath, kdevpathlen); 3857 } 3858 } 3859 3860 /* 3861 * only audit recvmsg when the system call represents the creation of a new 3862 * circuit. This effectively occurs for all UDP packets and may occur for 3863 * special TCP situations where the local host has not set a local address 3864 * in the socket structure. 3865 */ 3866 /*ARGSUSED*/ 3867 static void 3868 auf_recvmsg( 3869 struct t_audit_data *tad, 3870 int error, 3871 rval_t *rvp) 3872 { 3873 struct a { 3874 long fd; 3875 long msg; /* struct msghdr */ 3876 long flags; 3877 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3878 3879 struct sonode *so; 3880 STRUCT_DECL(msghdr, msg); 3881 caddr_t msg_name; 3882 socklen_t msg_namelen; 3883 int fd; 3884 int err; 3885 char so_laddr[sizeof (struct sockaddr_in6)]; 3886 char so_faddr[sizeof (struct sockaddr_in6)]; 3887 socklen_t len; 3888 file_t *fp; /* unix domain sockets */ 3889 struct f_audit_data *fad; /* unix domain sockets */ 3890 short so_family, so_type; 3891 int add_sock_token = 0; 3892 au_kcontext_t *kctx = GET_KCTX_PZ; 3893 3894 fd = (int)uap->fd; 3895 3896 /* bail if an error */ 3897 if (error) { 3898 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3899 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3900 return; 3901 } 3902 3903 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3904 /* 3905 * not security relevant if doing a recvmsg from non socket 3906 * so no extra tokens. Should probably turn off audit record 3907 * generation here. 3908 */ 3909 return; 3910 } 3911 3912 so_family = so->so_family; 3913 so_type = so->so_type; 3914 3915 /* 3916 * only putout SOCKET_EX token if INET/INET6 family. 3917 * XXX - what do we do about other families? 3918 */ 3919 3920 switch (so_family) { 3921 case AF_INET: 3922 case AF_INET6: 3923 3924 /* 3925 * if datagram type socket, then just use what is in 3926 * socket structure for local address. 3927 * XXX - what do we do for other types? 3928 */ 3929 if ((so->so_type == SOCK_DGRAM) || 3930 (so->so_type == SOCK_RAW)) { 3931 add_sock_token = 1; 3932 3933 bzero((void *)so_laddr, sizeof (so_laddr)); 3934 bzero((void *)so_faddr, sizeof (so_faddr)); 3935 3936 /* get local address */ 3937 len = sizeof (so_laddr); 3938 (void) socket_getsockname(so, 3939 (struct sockaddr *)so_laddr, &len, CRED()); 3940 3941 /* get peer address */ 3942 STRUCT_INIT(msg, get_udatamodel()); 3943 3944 if (copyin((caddr_t)(uap->msg), 3945 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3946 break; 3947 } 3948 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3949 if (msg_name == NULL) { 3950 break; 3951 } 3952 3953 /* length is value from recvmsg - sanity check */ 3954 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3955 if (msg_namelen == 0) { 3956 break; 3957 } 3958 if (copyin(msg_name, so_faddr, 3959 sizeof (so_faddr)) != 0) { 3960 break; 3961 } 3962 3963 } else if (so->so_type == SOCK_STREAM) { 3964 3965 /* get path from file struct here */ 3966 fad = F2A(fp); 3967 ASSERT(fad); 3968 3969 /* 3970 * already processed this file for read attempt 3971 */ 3972 if (fad->fad_flags & FAD_READ) { 3973 /* don't want to audit every recvmsg attempt */ 3974 tad->tad_flag = 0; 3975 /* free any residual audit data */ 3976 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 3977 releasef(fd); 3978 return; 3979 } 3980 /* 3981 * mark things so we know what happened and don't 3982 * repeat things 3983 */ 3984 fad->fad_flags |= FAD_READ; 3985 3986 bzero((void *)so_laddr, sizeof (so_laddr)); 3987 bzero((void *)so_faddr, sizeof (so_faddr)); 3988 3989 /* get local and foreign addresses */ 3990 len = sizeof (so_laddr); 3991 (void) socket_getsockname(so, 3992 (struct sockaddr *)so_laddr, &len, CRED()); 3993 len = sizeof (so_faddr); 3994 (void) socket_getpeername(so, 3995 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3996 3997 add_sock_token = 1; 3998 } 3999 4000 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4001 4002 break; 4003 4004 case AF_UNIX: 4005 /* 4006 * first check if this is first time through. Too much 4007 * duplicate code to put this in an aui_ routine. 4008 */ 4009 4010 /* get path from file struct here */ 4011 fad = F2A(fp); 4012 ASSERT(fad); 4013 4014 /* 4015 * already processed this file for read attempt 4016 */ 4017 if (fad->fad_flags & FAD_READ) { 4018 releasef(fd); 4019 /* don't want to audit every recvmsg attempt */ 4020 tad->tad_flag = 0; 4021 /* free any residual audit data */ 4022 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4023 return; 4024 } 4025 /* 4026 * mark things so we know what happened and don't 4027 * repeat things 4028 */ 4029 fad->fad_flags |= FAD_READ; 4030 4031 if (fad->fad_aupath != NULL) { 4032 au_uwrite(au_to_path(fad->fad_aupath)); 4033 } else { 4034 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4035 } 4036 4037 audit_attributes(fp->f_vnode); 4038 4039 releasef(fd); 4040 4041 return; 4042 4043 default: 4044 break; 4045 4046 } 4047 4048 releasef(fd); 4049 4050 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4051 4052 if (add_sock_token == 0) { 4053 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4054 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4055 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4056 return; 4057 } 4058 4059 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4060 4061 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4062 4063 } 4064 4065 /*ARGSUSED*/ 4066 static void 4067 auf_recvfrom( 4068 struct t_audit_data *tad, 4069 int error, 4070 rval_t *rvp) 4071 { 4072 4073 struct a { 4074 long fd; 4075 long msg; /* char */ 4076 long len; 4077 long flags; 4078 long from; /* struct sockaddr */ 4079 long fromlen; 4080 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4081 4082 socklen_t fromlen; 4083 struct sonode *so; 4084 char so_laddr[sizeof (struct sockaddr_in6)]; 4085 char so_faddr[sizeof (struct sockaddr_in6)]; 4086 int fd; 4087 short so_family, so_type; 4088 int add_sock_token = 0; 4089 socklen_t len; 4090 int err; 4091 struct file *fp; 4092 struct f_audit_data *fad; /* unix domain sockets */ 4093 au_kcontext_t *kctx = GET_KCTX_PZ; 4094 4095 fd = (int)uap->fd; 4096 4097 /* bail if an error */ 4098 if (error) { 4099 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4100 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4101 return; 4102 } 4103 4104 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4105 /* 4106 * not security relevant if doing a recvmsg from non socket 4107 * so no extra tokens. Should probably turn off audit record 4108 * generation here. 4109 */ 4110 return; 4111 } 4112 4113 so_family = so->so_family; 4114 so_type = so->so_type; 4115 4116 /* 4117 * only putout SOCKET_EX token if INET/INET6 family. 4118 * XXX - what do we do about other families? 4119 */ 4120 4121 switch (so_family) { 4122 case AF_INET: 4123 case AF_INET6: 4124 4125 /* 4126 * if datagram type socket, then just use what is in 4127 * socket structure for local address. 4128 * XXX - what do we do for other types? 4129 */ 4130 if ((so->so_type == SOCK_DGRAM) || 4131 (so->so_type == SOCK_RAW)) { 4132 add_sock_token = 1; 4133 4134 /* get local address */ 4135 len = sizeof (so_laddr); 4136 (void) socket_getsockname(so, 4137 (struct sockaddr *)so_laddr, &len, CRED()); 4138 4139 /* get peer address */ 4140 bzero((void *)so_faddr, sizeof (so_faddr)); 4141 4142 /* sanity check */ 4143 if (uap->from == NULL) 4144 break; 4145 4146 /* sanity checks */ 4147 if (uap->fromlen == 0) 4148 break; 4149 4150 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4151 sizeof (fromlen)) != 0) 4152 break; 4153 4154 if (fromlen == 0) 4155 break; 4156 4157 /* enforce maximum size */ 4158 if (fromlen > sizeof (so_faddr)) 4159 fromlen = sizeof (so_faddr); 4160 4161 if (copyin((caddr_t)(uap->from), so_faddr, 4162 fromlen) != 0) 4163 break; 4164 4165 } else if (so->so_type == SOCK_STREAM) { 4166 4167 /* get path from file struct here */ 4168 fad = F2A(fp); 4169 ASSERT(fad); 4170 4171 /* 4172 * already processed this file for read attempt 4173 */ 4174 if (fad->fad_flags & FAD_READ) { 4175 /* don't want to audit every recvfrom attempt */ 4176 tad->tad_flag = 0; 4177 /* free any residual audit data */ 4178 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4179 releasef(fd); 4180 return; 4181 } 4182 /* 4183 * mark things so we know what happened and don't 4184 * repeat things 4185 */ 4186 fad->fad_flags |= FAD_READ; 4187 4188 bzero((void *)so_laddr, sizeof (so_laddr)); 4189 bzero((void *)so_faddr, sizeof (so_faddr)); 4190 4191 /* get local and foreign addresses */ 4192 len = sizeof (so_laddr); 4193 (void) socket_getsockname(so, 4194 (struct sockaddr *)so_laddr, &len, CRED()); 4195 len = sizeof (so_faddr); 4196 (void) socket_getpeername(so, 4197 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4198 4199 add_sock_token = 1; 4200 } 4201 4202 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4203 4204 break; 4205 4206 case AF_UNIX: 4207 /* 4208 * first check if this is first time through. Too much 4209 * duplicate code to put this in an aui_ routine. 4210 */ 4211 4212 /* get path from file struct here */ 4213 fad = F2A(fp); 4214 ASSERT(fad); 4215 4216 /* 4217 * already processed this file for read attempt 4218 */ 4219 if (fad->fad_flags & FAD_READ) { 4220 /* don't want to audit every recvfrom attempt */ 4221 tad->tad_flag = 0; 4222 /* free any residual audit data */ 4223 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4224 releasef(fd); 4225 return; 4226 } 4227 /* 4228 * mark things so we know what happened and don't 4229 * repeat things 4230 */ 4231 fad->fad_flags |= FAD_READ; 4232 4233 if (fad->fad_aupath != NULL) { 4234 au_uwrite(au_to_path(fad->fad_aupath)); 4235 } else { 4236 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4237 } 4238 4239 audit_attributes(fp->f_vnode); 4240 4241 releasef(fd); 4242 4243 return; 4244 4245 default: 4246 break; 4247 4248 } 4249 4250 releasef(fd); 4251 4252 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4253 4254 if (add_sock_token == 0) { 4255 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4256 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4257 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4258 return; 4259 } 4260 4261 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4262 4263 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4264 } 4265 4266 /*ARGSUSED*/ 4267 static void 4268 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4269 { 4270 struct a { 4271 long fd; 4272 long msg; /* struct msghdr */ 4273 long flags; 4274 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4275 4276 struct sonode *so; 4277 char so_laddr[sizeof (struct sockaddr_in6)]; 4278 char so_faddr[sizeof (struct sockaddr_in6)]; 4279 int err; 4280 int fd; 4281 short so_family, so_type; 4282 int add_sock_token = 0; 4283 socklen_t len; 4284 struct file *fp; 4285 struct f_audit_data *fad; 4286 caddr_t msg_name; 4287 socklen_t msg_namelen; 4288 STRUCT_DECL(msghdr, msg); 4289 au_kcontext_t *kctx = GET_KCTX_PZ; 4290 4291 fd = (int)uap->fd; 4292 4293 /* bail if an error */ 4294 if (error) { 4295 /* XXX include destination address from system call arguments */ 4296 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4297 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4298 return; 4299 } 4300 4301 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4302 /* 4303 * not security relevant if doing a sendmsg from non socket 4304 * so no extra tokens. Should probably turn off audit record 4305 * generation here. 4306 */ 4307 return; 4308 } 4309 4310 so_family = so->so_family; 4311 so_type = so->so_type; 4312 4313 switch (so_family) { 4314 case AF_INET: 4315 case AF_INET6: 4316 /* 4317 * if datagram type socket, then just use what is in 4318 * socket structure for local address. 4319 * XXX - what do we do for other types? 4320 */ 4321 if ((so->so_type == SOCK_DGRAM) || 4322 (so->so_type == SOCK_RAW)) { 4323 4324 bzero((void *)so_laddr, sizeof (so_laddr)); 4325 bzero((void *)so_faddr, sizeof (so_faddr)); 4326 4327 /* get local address */ 4328 len = sizeof (so_laddr); 4329 (void) socket_getsockname(so, 4330 (struct sockaddr *)so_laddr, &len, CRED()); 4331 4332 /* get peer address */ 4333 STRUCT_INIT(msg, get_udatamodel()); 4334 4335 if (copyin((caddr_t)(uap->msg), 4336 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4337 break; 4338 } 4339 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4340 if (msg_name == NULL) 4341 break; 4342 4343 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4344 /* length is value from recvmsg - sanity check */ 4345 if (msg_namelen == 0) 4346 break; 4347 4348 if (copyin(msg_name, so_faddr, 4349 sizeof (so_faddr)) != 0) 4350 break; 4351 4352 add_sock_token = 1; 4353 4354 } else if (so->so_type == SOCK_STREAM) { 4355 4356 /* get path from file struct here */ 4357 fad = F2A(fp); 4358 ASSERT(fad); 4359 4360 /* 4361 * already processed this file for write attempt 4362 */ 4363 if (fad->fad_flags & FAD_WRITE) { 4364 releasef(fd); 4365 /* don't want to audit every sendmsg attempt */ 4366 tad->tad_flag = 0; 4367 /* free any residual audit data */ 4368 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4369 return; 4370 } 4371 4372 /* 4373 * mark things so we know what happened and don't 4374 * repeat things 4375 */ 4376 fad->fad_flags |= FAD_WRITE; 4377 4378 bzero((void *)so_laddr, sizeof (so_laddr)); 4379 bzero((void *)so_faddr, sizeof (so_faddr)); 4380 4381 /* get local and foreign addresses */ 4382 len = sizeof (so_laddr); 4383 (void) socket_getsockname(so, 4384 (struct sockaddr *)so_laddr, &len, CRED()); 4385 len = sizeof (so_faddr); 4386 (void) socket_getpeername(so, 4387 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4388 4389 add_sock_token = 1; 4390 } 4391 4392 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4393 4394 break; 4395 4396 case AF_UNIX: 4397 /* 4398 * first check if this is first time through. Too much 4399 * duplicate code to put this in an aui_ routine. 4400 */ 4401 4402 /* get path from file struct here */ 4403 fad = F2A(fp); 4404 ASSERT(fad); 4405 4406 /* 4407 * already processed this file for write attempt 4408 */ 4409 if (fad->fad_flags & FAD_WRITE) { 4410 releasef(fd); 4411 /* don't want to audit every sendmsg attempt */ 4412 tad->tad_flag = 0; 4413 /* free any residual audit data */ 4414 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4415 return; 4416 } 4417 /* 4418 * mark things so we know what happened and don't 4419 * repeat things 4420 */ 4421 fad->fad_flags |= FAD_WRITE; 4422 4423 if (fad->fad_aupath != NULL) { 4424 au_uwrite(au_to_path(fad->fad_aupath)); 4425 } else { 4426 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4427 } 4428 4429 audit_attributes(fp->f_vnode); 4430 4431 releasef(fd); 4432 4433 return; 4434 4435 default: 4436 break; 4437 } 4438 4439 releasef(fd); 4440 4441 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4442 4443 if (add_sock_token == 0) { 4444 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4445 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4446 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4447 return; 4448 } 4449 4450 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4451 4452 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4453 } 4454 4455 /*ARGSUSED*/ 4456 static void 4457 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4458 { 4459 struct a { 4460 long fd; 4461 long msg; /* char */ 4462 long len; 4463 long flags; 4464 long to; /* struct sockaddr */ 4465 long tolen; 4466 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4467 4468 struct sonode *so; 4469 char so_laddr[sizeof (struct sockaddr_in6)]; 4470 char so_faddr[sizeof (struct sockaddr_in6)]; 4471 socklen_t tolen; 4472 int err; 4473 int fd; 4474 socklen_t len; 4475 short so_family, so_type; 4476 int add_sock_token = 0; 4477 struct file *fp; 4478 struct f_audit_data *fad; 4479 au_kcontext_t *kctx = GET_KCTX_PZ; 4480 4481 fd = (int)uap->fd; 4482 4483 /* bail if an error */ 4484 if (error) { 4485 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4486 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4487 /* XXX include destination address from system call arguments */ 4488 return; 4489 } 4490 4491 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4492 /* 4493 * not security relevant if doing a sendto using non socket 4494 * so no extra tokens. Should probably turn off audit record 4495 * generation here. 4496 */ 4497 return; 4498 } 4499 4500 so_family = so->so_family; 4501 so_type = so->so_type; 4502 4503 /* 4504 * only putout SOCKET_EX token if INET/INET6 family. 4505 * XXX - what do we do about other families? 4506 */ 4507 4508 switch (so_family) { 4509 case AF_INET: 4510 case AF_INET6: 4511 4512 /* 4513 * if datagram type socket, then just use what is in 4514 * socket structure for local address. 4515 * XXX - what do we do for other types? 4516 */ 4517 if ((so->so_type == SOCK_DGRAM) || 4518 (so->so_type == SOCK_RAW)) { 4519 4520 bzero((void *)so_laddr, sizeof (so_laddr)); 4521 bzero((void *)so_faddr, sizeof (so_faddr)); 4522 4523 /* get local address */ 4524 len = sizeof (so_laddr); 4525 (void) socket_getsockname(so, 4526 (struct sockaddr *)so_laddr, &len, CRED()); 4527 4528 /* get peer address */ 4529 4530 /* sanity check */ 4531 if (uap->to == NULL) 4532 break; 4533 4534 /* sanity checks */ 4535 if (uap->tolen == 0) 4536 break; 4537 4538 tolen = (socklen_t)uap->tolen; 4539 4540 /* enforce maximum size */ 4541 if (tolen > sizeof (so_faddr)) 4542 tolen = sizeof (so_faddr); 4543 4544 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4545 break; 4546 4547 add_sock_token = 1; 4548 } else { 4549 /* 4550 * check if this is first time through. 4551 */ 4552 4553 /* get path from file struct here */ 4554 fad = F2A(fp); 4555 ASSERT(fad); 4556 4557 /* 4558 * already processed this file for write attempt 4559 */ 4560 if (fad->fad_flags & FAD_WRITE) { 4561 /* don't want to audit every sendto attempt */ 4562 tad->tad_flag = 0; 4563 /* free any residual audit data */ 4564 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4565 releasef(fd); 4566 return; 4567 } 4568 /* 4569 * mark things so we know what happened and don't 4570 * repeat things 4571 */ 4572 fad->fad_flags |= FAD_WRITE; 4573 4574 bzero((void *)so_laddr, sizeof (so_laddr)); 4575 bzero((void *)so_faddr, sizeof (so_faddr)); 4576 4577 /* get local and foreign addresses */ 4578 len = sizeof (so_laddr); 4579 (void) socket_getsockname(so, 4580 (struct sockaddr *)so_laddr, &len, CRED()); 4581 len = sizeof (so_faddr); 4582 (void) socket_getpeername(so, 4583 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4584 4585 add_sock_token = 1; 4586 } 4587 4588 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4589 4590 break; 4591 4592 case AF_UNIX: 4593 /* 4594 * first check if this is first time through. Too much 4595 * duplicate code to put this in an aui_ routine. 4596 */ 4597 4598 /* get path from file struct here */ 4599 fad = F2A(fp); 4600 ASSERT(fad); 4601 4602 /* 4603 * already processed this file for write attempt 4604 */ 4605 if (fad->fad_flags & FAD_WRITE) { 4606 /* don't want to audit every sendto attempt */ 4607 tad->tad_flag = 0; 4608 /* free any residual audit data */ 4609 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4610 releasef(fd); 4611 return; 4612 } 4613 /* 4614 * mark things so we know what happened and don't 4615 * repeat things 4616 */ 4617 fad->fad_flags |= FAD_WRITE; 4618 4619 if (fad->fad_aupath != NULL) { 4620 au_uwrite(au_to_path(fad->fad_aupath)); 4621 } else { 4622 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4623 } 4624 4625 audit_attributes(fp->f_vnode); 4626 4627 releasef(fd); 4628 4629 return; 4630 4631 default: 4632 break; 4633 4634 } 4635 4636 releasef(fd); 4637 4638 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4639 4640 if (add_sock_token == 0) { 4641 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4642 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4643 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4644 return; 4645 } 4646 4647 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4648 4649 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4650 4651 } 4652 4653 /* 4654 * XXX socket(2) may be equivalent to open(2) on a unix domain 4655 * socket. This needs investigation. 4656 */ 4657 4658 /*ARGSUSED*/ 4659 static void 4660 aus_socket(struct t_audit_data *tad) 4661 { 4662 struct a { 4663 long domain; 4664 long type; 4665 long protocol; 4666 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4667 4668 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4669 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4670 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4671 } 4672 4673 /*ARGSUSED*/ 4674 static void 4675 aus_sigqueue(struct t_audit_data *tad) 4676 { 4677 struct a { 4678 long pid; 4679 long signo; 4680 long *val; 4681 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4682 struct proc *p; 4683 uid_t uid, ruid; 4684 gid_t gid, rgid; 4685 pid_t pid; 4686 const auditinfo_addr_t *ainfo; 4687 cred_t *cr; 4688 4689 pid = (pid_t)uap->pid; 4690 4691 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4692 if (pid > 0) { 4693 mutex_enter(&pidlock); 4694 if ((p = prfind(pid)) == (struct proc *)0) { 4695 mutex_exit(&pidlock); 4696 return; 4697 } 4698 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4699 mutex_exit(&pidlock); 4700 4701 mutex_enter(&p->p_crlock); 4702 crhold(cr = p->p_cred); 4703 mutex_exit(&p->p_crlock); 4704 mutex_exit(&p->p_lock); 4705 4706 ainfo = crgetauinfo(cr); 4707 if (ainfo == NULL) { 4708 crfree(cr); 4709 return; 4710 } 4711 4712 uid = crgetuid(cr); 4713 gid = crgetgid(cr); 4714 ruid = crgetruid(cr); 4715 rgid = crgetrgid(cr); 4716 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4717 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4718 crfree(cr); 4719 } 4720 else 4721 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4722 } 4723 4724 /*ARGSUSED*/ 4725 static void 4726 aus_inst_sync(struct t_audit_data *tad) 4727 { 4728 struct a { 4729 long name; /* char */ 4730 long flags; 4731 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4732 4733 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4734 } 4735 4736 /*ARGSUSED*/ 4737 static void 4738 aus_brandsys(struct t_audit_data *tad) 4739 { 4740 klwp_t *clwp = ttolwp(curthread); 4741 4742 struct a { 4743 long cmd; 4744 long arg1; 4745 long arg2; 4746 long arg3; 4747 long arg4; 4748 long arg5; 4749 long arg6; 4750 } *uap = (struct a *)clwp->lwp_ap; 4751 4752 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4753 #ifdef _LP64 4754 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4755 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4756 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4757 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4758 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4759 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4760 #else 4761 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4762 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4763 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4764 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4765 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4766 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4767 #endif 4768 } 4769 4770 /*ARGSUSED*/ 4771 static void 4772 aus_p_online(struct t_audit_data *tad) 4773 { 4774 struct a { 4775 long processor_id; 4776 long flag; 4777 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4778 4779 struct flags { 4780 int flag; 4781 char *cflag; 4782 } aflags[6] = { 4783 { P_ONLINE, "P_ONLINE"}, 4784 { P_OFFLINE, "P_OFFLINE"}, 4785 { P_NOINTR, "P_NOINTR"}, 4786 { P_SPARE, "P_SPARE"}, 4787 { P_FAULTED, "P_FAULTED"}, 4788 { P_STATUS, "P_STATUS"} 4789 }; 4790 int i; 4791 char *cflag; 4792 4793 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4794 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4795 4796 for (i = 0; i < 6; i++) { 4797 if (aflags[i].flag == uap->flag) 4798 break; 4799 } 4800 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4801 4802 au_uwrite(au_to_text(cflag)); 4803 } 4804 4805 /*ARGSUSED*/ 4806 static void 4807 aus_processor_bind(struct t_audit_data *tad) 4808 { 4809 struct a { 4810 long id_type; 4811 long id; 4812 long processor_id; 4813 long obind; 4814 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4815 4816 struct proc *p; 4817 int lwpcnt; 4818 uid_t uid, ruid; 4819 gid_t gid, rgid; 4820 pid_t pid; 4821 const auditinfo_addr_t *ainfo; 4822 cred_t *cr; 4823 4824 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4825 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4826 if (uap->processor_id == PBIND_NONE) 4827 au_uwrite(au_to_text("PBIND_NONE")); 4828 else 4829 au_uwrite(au_to_arg32(3, "processor_id", 4830 (uint32_t)uap->processor_id)); 4831 4832 switch (uap->id_type) { 4833 case P_MYID: 4834 case P_LWPID: 4835 mutex_enter(&pidlock); 4836 p = ttoproc(curthread); 4837 if (p == NULL || p->p_as == &kas) { 4838 mutex_exit(&pidlock); 4839 return; 4840 } 4841 mutex_enter(&p->p_lock); 4842 mutex_exit(&pidlock); 4843 lwpcnt = p->p_lwpcnt; 4844 pid = p->p_pid; 4845 4846 mutex_enter(&p->p_crlock); 4847 crhold(cr = p->p_cred); 4848 mutex_exit(&p->p_crlock); 4849 mutex_exit(&p->p_lock); 4850 4851 ainfo = crgetauinfo(cr); 4852 if (ainfo == NULL) { 4853 crfree(cr); 4854 return; 4855 } 4856 4857 uid = crgetuid(cr); 4858 gid = crgetgid(cr); 4859 ruid = crgetruid(cr); 4860 rgid = crgetrgid(cr); 4861 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4862 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4863 crfree(cr); 4864 break; 4865 case P_PID: 4866 mutex_enter(&pidlock); 4867 p = prfind(uap->id); 4868 if (p == NULL || p->p_as == &kas) { 4869 mutex_exit(&pidlock); 4870 return; 4871 } 4872 mutex_enter(&p->p_lock); 4873 mutex_exit(&pidlock); 4874 lwpcnt = p->p_lwpcnt; 4875 pid = p->p_pid; 4876 4877 mutex_enter(&p->p_crlock); 4878 crhold(cr = p->p_cred); 4879 mutex_exit(&p->p_crlock); 4880 mutex_exit(&p->p_lock); 4881 4882 ainfo = crgetauinfo(cr); 4883 if (ainfo == NULL) { 4884 crfree(cr); 4885 return; 4886 } 4887 4888 uid = crgetuid(cr); 4889 gid = crgetgid(cr); 4890 ruid = crgetruid(cr); 4891 rgid = crgetrgid(cr); 4892 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4893 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4894 crfree(cr); 4895 4896 break; 4897 default: 4898 return; 4899 } 4900 4901 if (uap->processor_id == PBIND_NONE && 4902 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4903 au_uwrite(au_to_text("PBIND_NONE for process")); 4904 else 4905 au_uwrite(au_to_arg32(3, "processor_id", 4906 (uint32_t)uap->processor_id)); 4907 } 4908 4909 /*ARGSUSED*/ 4910 static au_event_t 4911 aui_doorfs(au_event_t e) 4912 { 4913 uint32_t code; 4914 4915 struct a { /* doorfs */ 4916 long a1; 4917 long a2; 4918 long a3; 4919 long a4; 4920 long a5; 4921 long code; 4922 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4923 4924 /* 4925 * audit formats for several of the 4926 * door calls have not yet been determined 4927 */ 4928 code = (uint32_t)uap->code; 4929 switch (code) { 4930 case DOOR_CALL: 4931 e = AUE_DOORFS_DOOR_CALL; 4932 break; 4933 case DOOR_RETURN: 4934 e = AUE_NULL; 4935 break; 4936 case DOOR_CREATE: 4937 e = AUE_DOORFS_DOOR_CREATE; 4938 break; 4939 case DOOR_REVOKE: 4940 e = AUE_DOORFS_DOOR_REVOKE; 4941 break; 4942 case DOOR_INFO: 4943 e = AUE_NULL; 4944 break; 4945 case DOOR_UCRED: 4946 e = AUE_NULL; 4947 break; 4948 case DOOR_BIND: 4949 e = AUE_NULL; 4950 break; 4951 case DOOR_UNBIND: 4952 e = AUE_NULL; 4953 break; 4954 case DOOR_GETPARAM: 4955 e = AUE_NULL; 4956 break; 4957 case DOOR_SETPARAM: 4958 e = AUE_NULL; 4959 break; 4960 default: /* illegal system call */ 4961 e = AUE_NULL; 4962 break; 4963 } 4964 4965 return (e); 4966 } 4967 4968 static door_node_t * 4969 au_door_lookup(int did) 4970 { 4971 vnode_t *vp; 4972 file_t *fp; 4973 4974 if ((fp = getf(did)) == NULL) 4975 return (NULL); 4976 /* 4977 * Use the underlying vnode (we may be namefs mounted) 4978 */ 4979 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4980 vp = fp->f_vnode; 4981 4982 if (vp == NULL || vp->v_type != VDOOR) { 4983 releasef(did); 4984 return (NULL); 4985 } 4986 4987 return (VTOD(vp)); 4988 } 4989 4990 /*ARGSUSED*/ 4991 static void 4992 aus_doorfs(struct t_audit_data *tad) 4993 { 4994 4995 struct a { /* doorfs */ 4996 long a1; 4997 long a2; 4998 long a3; 4999 long a4; 5000 long a5; 5001 long code; 5002 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5003 5004 door_node_t *dp; 5005 struct proc *p; 5006 uint32_t did; 5007 uid_t uid, ruid; 5008 gid_t gid, rgid; 5009 pid_t pid; 5010 const auditinfo_addr_t *ainfo; 5011 cred_t *cr; 5012 5013 did = (uint32_t)uap->a1; 5014 5015 switch (tad->tad_event) { 5016 case AUE_DOORFS_DOOR_CALL: 5017 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5018 if ((dp = au_door_lookup(did)) == NULL) 5019 break; 5020 5021 if (DOOR_INVALID(dp)) { 5022 releasef(did); 5023 break; 5024 } 5025 5026 if ((p = dp->door_target) == NULL) { 5027 releasef(did); 5028 break; 5029 } 5030 mutex_enter(&p->p_lock); 5031 releasef(did); 5032 5033 pid = p->p_pid; 5034 5035 mutex_enter(&p->p_crlock); 5036 crhold(cr = p->p_cred); 5037 mutex_exit(&p->p_crlock); 5038 mutex_exit(&p->p_lock); 5039 5040 ainfo = crgetauinfo(cr); 5041 if (ainfo == NULL) { 5042 crfree(cr); 5043 return; 5044 } 5045 uid = crgetuid(cr); 5046 gid = crgetgid(cr); 5047 ruid = crgetruid(cr); 5048 rgid = crgetrgid(cr); 5049 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5050 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5051 crfree(cr); 5052 break; 5053 case AUE_DOORFS_DOOR_RETURN: 5054 /* 5055 * We may want to write information about 5056 * all doors (if any) which will be copied 5057 * by this call to the user space 5058 */ 5059 break; 5060 case AUE_DOORFS_DOOR_CREATE: 5061 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5062 break; 5063 case AUE_DOORFS_DOOR_REVOKE: 5064 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5065 break; 5066 case AUE_DOORFS_DOOR_INFO: 5067 break; 5068 case AUE_DOORFS_DOOR_CRED: 5069 break; 5070 case AUE_DOORFS_DOOR_BIND: 5071 break; 5072 case AUE_DOORFS_DOOR_UNBIND: { 5073 break; 5074 } 5075 default: /* illegal system call */ 5076 break; 5077 } 5078 } 5079 5080 /*ARGSUSED*/ 5081 static au_event_t 5082 aui_acl(au_event_t e) 5083 { 5084 struct a { 5085 union { 5086 long name; /* char */ 5087 long fd; 5088 } obj; 5089 5090 long cmd; 5091 long nentries; 5092 long arg; /* aclent_t */ 5093 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5094 5095 switch (uap->cmd) { 5096 case SETACL: 5097 case ACE_SETACL: 5098 /* 5099 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5100 * are expected. 5101 */ 5102 break; 5103 case GETACL: 5104 case GETACLCNT: 5105 case ACE_GETACL: 5106 case ACE_GETACLCNT: 5107 /* do nothing for these four values. */ 5108 e = AUE_NULL; 5109 break; 5110 default: 5111 /* illegal system call */ 5112 break; 5113 } 5114 5115 return (e); 5116 } 5117 5118 static void 5119 au_acl(int cmd, int nentries, caddr_t bufp) 5120 { 5121 size_t a_size; 5122 aclent_t *aclbufp; 5123 ace_t *acebufp; 5124 int i; 5125 5126 switch (cmd) { 5127 case GETACL: 5128 case GETACLCNT: 5129 break; 5130 case SETACL: 5131 if (nentries < 3) 5132 break; 5133 5134 a_size = nentries * sizeof (aclent_t); 5135 5136 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5137 break; 5138 if (copyin(bufp, aclbufp, a_size)) { 5139 kmem_free(aclbufp, a_size); 5140 break; 5141 } 5142 for (i = 0; i < nentries; i++) { 5143 au_uwrite(au_to_acl(aclbufp + i)); 5144 } 5145 kmem_free(aclbufp, a_size); 5146 break; 5147 5148 case ACE_SETACL: 5149 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5150 break; 5151 5152 a_size = nentries * sizeof (ace_t); 5153 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5154 break; 5155 if (copyin(bufp, acebufp, a_size)) { 5156 kmem_free(acebufp, a_size); 5157 break; 5158 } 5159 for (i = 0; i < nentries; i++) { 5160 au_uwrite(au_to_ace(acebufp + i)); 5161 } 5162 kmem_free(acebufp, a_size); 5163 break; 5164 default: 5165 break; 5166 } 5167 } 5168 5169 /*ARGSUSED*/ 5170 static void 5171 aus_acl(struct t_audit_data *tad) 5172 { 5173 struct a { 5174 long fname; 5175 long cmd; 5176 long nentries; 5177 long aclbufp; 5178 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5179 5180 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5181 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5182 5183 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5184 } 5185 5186 /*ARGSUSED*/ 5187 static void 5188 aus_facl(struct t_audit_data *tad) 5189 { 5190 struct a { 5191 long fd; 5192 long cmd; 5193 long nentries; 5194 long aclbufp; 5195 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5196 struct file *fp; 5197 struct vnode *vp; 5198 struct f_audit_data *fad; 5199 int fd; 5200 5201 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5202 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5203 5204 fd = (int)uap->fd; 5205 5206 if ((fp = getf(fd)) == NULL) 5207 return; 5208 5209 /* get path from file struct here */ 5210 fad = F2A(fp); 5211 if (fad->fad_aupath != NULL) { 5212 au_uwrite(au_to_path(fad->fad_aupath)); 5213 } else { 5214 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5215 } 5216 5217 vp = fp->f_vnode; 5218 audit_attributes(vp); 5219 5220 /* decrement file descriptor reference count */ 5221 releasef(fd); 5222 5223 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5224 } 5225 5226 /*ARGSUSED*/ 5227 static void 5228 auf_read(tad, error, rval) 5229 struct t_audit_data *tad; 5230 int error; 5231 rval_t *rval; 5232 { 5233 struct file *fp; 5234 struct f_audit_data *fad; 5235 int fd; 5236 register struct a { 5237 long fd; 5238 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5239 au_kcontext_t *kctx = GET_KCTX_PZ; 5240 5241 fd = (int)uap->fd; 5242 5243 /* 5244 * convert file pointer to file descriptor 5245 * Note: fd ref count incremented here. 5246 */ 5247 if ((fp = getf(fd)) == NULL) 5248 return; 5249 5250 /* get path from file struct here */ 5251 fad = F2A(fp); 5252 ASSERT(fad); 5253 5254 /* 5255 * already processed this file for read attempt 5256 * 5257 * XXX might be better to turn off auditing in a aui_read() routine. 5258 */ 5259 if (fad->fad_flags & FAD_READ) { 5260 /* don't really want to audit every read attempt */ 5261 tad->tad_flag = 0; 5262 /* free any residual audit data */ 5263 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5264 releasef(fd); 5265 return; 5266 } 5267 /* mark things so we know what happened and don't repeat things */ 5268 fad->fad_flags |= FAD_READ; 5269 5270 if (fad->fad_aupath != NULL) { 5271 au_uwrite(au_to_path(fad->fad_aupath)); 5272 } else { 5273 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5274 } 5275 5276 /* include attributes */ 5277 audit_attributes(fp->f_vnode); 5278 5279 /* decrement file descriptor reference count */ 5280 releasef(fd); 5281 } 5282 5283 /*ARGSUSED*/ 5284 static void 5285 auf_write(tad, error, rval) 5286 struct t_audit_data *tad; 5287 int error; 5288 rval_t *rval; 5289 { 5290 struct file *fp; 5291 struct f_audit_data *fad; 5292 int fd; 5293 register struct a { 5294 long fd; 5295 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5296 au_kcontext_t *kctx = GET_KCTX_PZ; 5297 5298 fd = (int)uap->fd; 5299 5300 /* 5301 * convert file pointer to file descriptor 5302 * Note: fd ref count incremented here. 5303 */ 5304 if ((fp = getf(fd)) == NULL) 5305 return; 5306 5307 /* get path from file struct here */ 5308 fad = F2A(fp); 5309 ASSERT(fad); 5310 5311 /* 5312 * already processed this file for write attempt 5313 * 5314 * XXX might be better to turn off auditing in a aus_write() routine. 5315 */ 5316 if (fad->fad_flags & FAD_WRITE) { 5317 /* don't really want to audit every write attempt */ 5318 tad->tad_flag = 0; 5319 /* free any residual audit data */ 5320 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5321 releasef(fd); 5322 return; 5323 } 5324 /* mark things so we know what happened and don't repeat things */ 5325 fad->fad_flags |= FAD_WRITE; 5326 5327 if (fad->fad_aupath != NULL) { 5328 au_uwrite(au_to_path(fad->fad_aupath)); 5329 } else { 5330 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5331 } 5332 5333 /* include attributes */ 5334 audit_attributes(fp->f_vnode); 5335 5336 /* decrement file descriptor reference count */ 5337 releasef(fd); 5338 } 5339 5340 /*ARGSUSED*/ 5341 static void 5342 auf_recv(tad, error, rval) 5343 struct t_audit_data *tad; 5344 int error; 5345 rval_t *rval; 5346 { 5347 struct sonode *so; 5348 char so_laddr[sizeof (struct sockaddr_in6)]; 5349 char so_faddr[sizeof (struct sockaddr_in6)]; 5350 struct file *fp; 5351 struct f_audit_data *fad; 5352 int fd; 5353 int err; 5354 socklen_t len; 5355 short so_family, so_type; 5356 register struct a { 5357 long fd; 5358 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5359 au_kcontext_t *kctx = GET_KCTX_PZ; 5360 5361 /* 5362 * If there was an error, then nothing to do. Only generate 5363 * audit record on first successful recv. 5364 */ 5365 if (error) { 5366 /* Turn off audit record generation here. */ 5367 tad->tad_flag = 0; 5368 /* free any residual audit data */ 5369 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5370 return; 5371 } 5372 5373 fd = (int)uap->fd; 5374 5375 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5376 /* Turn off audit record generation here. */ 5377 tad->tad_flag = 0; 5378 /* free any residual audit data */ 5379 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5380 return; 5381 } 5382 5383 /* get path from file struct here */ 5384 fad = F2A(fp); 5385 ASSERT(fad); 5386 5387 /* 5388 * already processed this file for read attempt 5389 */ 5390 if (fad->fad_flags & FAD_READ) { 5391 releasef(fd); 5392 /* don't really want to audit every recv call */ 5393 tad->tad_flag = 0; 5394 /* free any residual audit data */ 5395 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5396 return; 5397 } 5398 5399 /* mark things so we know what happened and don't repeat things */ 5400 fad->fad_flags |= FAD_READ; 5401 5402 so_family = so->so_family; 5403 so_type = so->so_type; 5404 5405 switch (so_family) { 5406 case AF_INET: 5407 case AF_INET6: 5408 /* 5409 * Only for connections. 5410 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5411 */ 5412 if (so->so_state & SS_ISBOUND) { 5413 5414 bzero((void *)so_laddr, sizeof (so_laddr)); 5415 bzero((void *)so_faddr, sizeof (so_faddr)); 5416 5417 /* get local and foreign addresses */ 5418 len = sizeof (so_laddr); 5419 (void) socket_getsockname(so, 5420 (struct sockaddr *)so_laddr, &len, CRED()); 5421 len = sizeof (so_faddr); 5422 (void) socket_getpeername(so, 5423 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5424 5425 /* 5426 * only way to drop out of switch. Note that we 5427 * we release fd below. 5428 */ 5429 5430 break; 5431 } 5432 5433 releasef(fd); 5434 5435 /* don't really want to audit every recv call */ 5436 tad->tad_flag = 0; 5437 /* free any residual audit data */ 5438 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5439 5440 return; 5441 5442 case AF_UNIX: 5443 5444 if (fad->fad_aupath != NULL) { 5445 au_uwrite(au_to_path(fad->fad_aupath)); 5446 } else { 5447 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5448 } 5449 5450 audit_attributes(fp->f_vnode); 5451 5452 releasef(fd); 5453 5454 return; 5455 5456 default: 5457 releasef(fd); 5458 5459 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5460 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5461 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5462 5463 return; 5464 } 5465 5466 releasef(fd); 5467 5468 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5469 5470 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5471 5472 } 5473 5474 /*ARGSUSED*/ 5475 static void 5476 auf_send(tad, error, rval) 5477 struct t_audit_data *tad; 5478 int error; 5479 rval_t *rval; 5480 { 5481 struct sonode *so; 5482 char so_laddr[sizeof (struct sockaddr_in6)]; 5483 char so_faddr[sizeof (struct sockaddr_in6)]; 5484 struct file *fp; 5485 struct f_audit_data *fad; 5486 int fd; 5487 int err; 5488 socklen_t len; 5489 short so_family, so_type; 5490 register struct a { 5491 long fd; 5492 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5493 au_kcontext_t *kctx = GET_KCTX_PZ; 5494 5495 fd = (int)uap->fd; 5496 5497 /* 5498 * If there was an error, then nothing to do. Only generate 5499 * audit record on first successful send. 5500 */ 5501 if (error != 0) { 5502 /* Turn off audit record generation here. */ 5503 tad->tad_flag = 0; 5504 /* free any residual audit data */ 5505 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5506 return; 5507 } 5508 5509 fd = (int)uap->fd; 5510 5511 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5512 /* Turn off audit record generation here. */ 5513 tad->tad_flag = 0; 5514 /* free any residual audit data */ 5515 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5516 return; 5517 } 5518 5519 /* get path from file struct here */ 5520 fad = F2A(fp); 5521 ASSERT(fad); 5522 5523 /* 5524 * already processed this file for write attempt 5525 */ 5526 if (fad->fad_flags & FAD_WRITE) { 5527 releasef(fd); 5528 /* don't really want to audit every send call */ 5529 tad->tad_flag = 0; 5530 /* free any residual audit data */ 5531 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5532 return; 5533 } 5534 5535 /* mark things so we know what happened and don't repeat things */ 5536 fad->fad_flags |= FAD_WRITE; 5537 5538 so_family = so->so_family; 5539 so_type = so->so_type; 5540 5541 switch (so_family) { 5542 case AF_INET: 5543 case AF_INET6: 5544 /* 5545 * Only for connections. 5546 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5547 */ 5548 if (so->so_state & SS_ISBOUND) { 5549 5550 bzero((void *)so_laddr, sizeof (so_laddr)); 5551 bzero((void *)so_faddr, sizeof (so_faddr)); 5552 5553 /* get local and foreign addresses */ 5554 len = sizeof (so_laddr); 5555 (void) socket_getsockname(so, 5556 (struct sockaddr *)so_laddr, &len, CRED()); 5557 len = sizeof (so_faddr); 5558 (void) socket_getpeername(so, 5559 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5560 5561 /* 5562 * only way to drop out of switch. Note that we 5563 * we release fd below. 5564 */ 5565 5566 break; 5567 } 5568 5569 releasef(fd); 5570 /* don't really want to audit every send call */ 5571 tad->tad_flag = 0; 5572 /* free any residual audit data */ 5573 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5574 5575 return; 5576 5577 case AF_UNIX: 5578 5579 if (fad->fad_aupath != NULL) { 5580 au_uwrite(au_to_path(fad->fad_aupath)); 5581 } else { 5582 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5583 } 5584 5585 audit_attributes(fp->f_vnode); 5586 5587 releasef(fd); 5588 5589 return; 5590 5591 default: 5592 releasef(fd); 5593 5594 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5595 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5596 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5597 5598 return; 5599 } 5600 5601 releasef(fd); 5602 5603 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5604 5605 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5606 } 5607 5608 static au_event_t 5609 aui_forksys(au_event_t e) 5610 { 5611 struct a { 5612 long subcode; 5613 long flags; 5614 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5615 5616 switch ((uint_t)uap->subcode) { 5617 case 0: 5618 e = AUE_FORK1; 5619 break; 5620 case 1: 5621 e = AUE_FORKALL; 5622 break; 5623 case 2: 5624 e = AUE_VFORK; 5625 break; 5626 default: 5627 e = AUE_NULL; 5628 break; 5629 } 5630 5631 return (e); 5632 } 5633 5634 /*ARGSUSED*/ 5635 static au_event_t 5636 aui_portfs(au_event_t e) 5637 { 5638 struct a { /* portfs */ 5639 long a1; 5640 long a2; 5641 long a3; 5642 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5643 5644 /* 5645 * check opcode 5646 */ 5647 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5648 case PORT_ASSOCIATE: 5649 /* check source */ 5650 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5651 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5652 e = AUE_PORTFS_ASSOCIATE; 5653 } else { 5654 e = AUE_NULL; 5655 } 5656 break; 5657 case PORT_DISSOCIATE: 5658 /* check source */ 5659 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5660 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5661 e = AUE_PORTFS_DISSOCIATE; 5662 } else { 5663 e = AUE_NULL; 5664 } 5665 break; 5666 default: 5667 e = AUE_NULL; 5668 } 5669 return (e); 5670 } 5671