xref: /illumos-gate/usr/src/uts/common/c2/audit_event.c (revision 985cc36c07a787e0cb720fcf2fab565aa2a77590)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25  */
26 
27 /*
28  * This file contains the audit event table used to control the production
29  * of audit records for each system call.
30  */
31 
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h>	/* for sysinfo auditing */
37 #include <sys/utsname.h>	/* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h>		/* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h>		/* for accept */
56 #include <sys/utssys.h>		/* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80 #include <sys/secflags.h>
81 
82 static au_event_t	aui_fchownat(au_event_t);
83 static au_event_t	aui_fchmodat(au_event_t);
84 static au_event_t	aui_open(au_event_t);
85 static au_event_t	aui_openat(au_event_t);
86 static au_event_t	aui_unlinkat(au_event_t);
87 static au_event_t	aui_fstatat(au_event_t);
88 static au_event_t	aui_msgsys(au_event_t);
89 static au_event_t	aui_shmsys(au_event_t);
90 static au_event_t	aui_semsys(au_event_t);
91 static au_event_t	aui_utssys(au_event_t);
92 static au_event_t	aui_fcntl(au_event_t);
93 static au_event_t	aui_execve(au_event_t);
94 static au_event_t	aui_memcntl(au_event_t);
95 static au_event_t	aui_sysinfo(au_event_t);
96 static au_event_t	aui_portfs(au_event_t);
97 static au_event_t	aui_auditsys(au_event_t);
98 static au_event_t	aui_modctl(au_event_t);
99 static au_event_t	aui_acl(au_event_t);
100 static au_event_t	aui_doorfs(au_event_t);
101 static au_event_t	aui_privsys(au_event_t);
102 static au_event_t	aui_forksys(au_event_t);
103 static au_event_t	aui_labelsys(au_event_t);
104 static au_event_t	aui_setpgrp(au_event_t);
105 
106 
107 static void	aus_exit(struct t_audit_data *);
108 static void	aus_open(struct t_audit_data *);
109 static void	aus_openat(struct t_audit_data *);
110 static void	aus_acl(struct t_audit_data *);
111 static void	aus_acct(struct t_audit_data *);
112 static void	aus_chown(struct t_audit_data *);
113 static void	aus_fchown(struct t_audit_data *);
114 static void	aus_lchown(struct t_audit_data *);
115 static void	aus_fchownat(struct t_audit_data *);
116 static void	aus_chmod(struct t_audit_data *);
117 static void	aus_facl(struct t_audit_data *);
118 static void	aus_fchmod(struct t_audit_data *);
119 static void	aus_fchmodat(struct t_audit_data *);
120 static void	aus_fcntl(struct t_audit_data *);
121 static void	aus_mkdir(struct t_audit_data *);
122 static void	aus_mkdirat(struct t_audit_data *);
123 static void	aus_mknod(struct t_audit_data *);
124 static void	aus_mknodat(struct t_audit_data *);
125 static void	aus_mount(struct t_audit_data *);
126 static void	aus_umount2(struct t_audit_data *);
127 static void	aus_msgsys(struct t_audit_data *);
128 static void	aus_semsys(struct t_audit_data *);
129 static void	aus_close(struct t_audit_data *);
130 static void	aus_fstatfs(struct t_audit_data *);
131 static void	aus_setgid(struct t_audit_data *);
132 static void	aus_setpgrp(struct t_audit_data *);
133 static void	aus_setuid(struct t_audit_data *);
134 static void	aus_shmsys(struct t_audit_data *);
135 static void	aus_doorfs(struct t_audit_data *);
136 static void	aus_ioctl(struct t_audit_data *);
137 static void	aus_memcntl(struct t_audit_data *);
138 static void	aus_mmap(struct t_audit_data *);
139 static void	aus_munmap(struct t_audit_data *);
140 static void	aus_priocntlsys(struct t_audit_data *);
141 static void	aus_setegid(struct t_audit_data *);
142 static void	aus_setgroups(struct t_audit_data *);
143 static void	aus_seteuid(struct t_audit_data *);
144 static void	aus_putmsg(struct t_audit_data *);
145 static void	aus_putpmsg(struct t_audit_data *);
146 static void	aus_getmsg(struct t_audit_data *);
147 static void	aus_getpmsg(struct t_audit_data *);
148 static void	aus_auditsys(struct t_audit_data *);
149 static void	aus_sysinfo(struct t_audit_data *);
150 static void	aus_modctl(struct t_audit_data *);
151 static void	aus_kill(struct t_audit_data *);
152 static void	aus_setregid(struct t_audit_data *);
153 static void	aus_setreuid(struct t_audit_data *);
154 static void	aus_labelsys(struct t_audit_data *);
155 
156 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
157 static void	auf_mknodat(struct t_audit_data *, int, rval_t *);
158 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
159 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
160 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
161 static void	auf_read(struct t_audit_data *, int, rval_t *);
162 static void	auf_write(struct t_audit_data *, int, rval_t *);
163 
164 static void	aus_sigqueue(struct t_audit_data *);
165 static void	aus_p_online(struct t_audit_data *);
166 static void	aus_processor_bind(struct t_audit_data *);
167 static void	aus_inst_sync(struct t_audit_data *);
168 static void	aus_brandsys(struct t_audit_data *);
169 
170 static void	auf_accept(struct t_audit_data *, int, rval_t *);
171 
172 static void	auf_bind(struct t_audit_data *, int, rval_t *);
173 static void	auf_connect(struct t_audit_data *, int, rval_t *);
174 static void	aus_shutdown(struct t_audit_data *);
175 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
176 static void	aus_sockconfig(struct t_audit_data *);
177 static void	auf_recv(struct t_audit_data *, int, rval_t *);
178 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
179 static void	auf_send(struct t_audit_data *, int, rval_t *);
180 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
181 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
182 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
183 static void	aus_socket(struct t_audit_data *);
184 /*
185  * This table contains mapping information for converting system call numbers
186  * to audit event IDs. In several cases it is necessary to map a single system
187  * call to several events.
188  */
189 
190 #define	aui_null	NULL	/* NULL initialize function */
191 #define	aus_null	NULL	/* NULL start function */
192 #define	auf_null	NULL	/* NULL finish function */
193 
194 struct audit_s2e audit_s2e[] =
195 {
196 /*
197  * ----------	---------- 	----------	----------
198  * INITIAL	AUDIT		START		SYSTEM
199  * PROCESSING	EVENT		PROCESSING	CALL
200  * ----------	----------	----------	-----------
201  *		FINISH		EVENT
202  *		PROCESSING	CONTROL
203  * ----------------------------------------------------------
204  */
205 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
206 		auf_null,	0,
207 aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
208 		auf_null,	S2E_NPT,
209 aui_null,	AUE_PSECFLAGS,	aus_null,	/* 2 psecflags */
210 		auf_null,	0,
211 aui_null,	AUE_READ,	aus_null,	/* 3 read */
212 		auf_read,	S2E_PUB,
213 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
214 		auf_write,	0,
215 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
216 		auf_null,	S2E_SP,
217 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
218 		auf_null,	0,
219 aui_null,	AUE_LINK,	aus_null,	/* 7 linkat */
220 		auf_null,	0,
221 aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
222 		auf_null,	0,
223 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
224 		auf_null,	0,
225 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
226 		auf_null,	0,
227 aui_null,	AUE_SYMLINK,	aus_null,	/* 11 symlinkat */
228 		auf_null,	0,
229 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
230 		auf_null,	S2E_SP,
231 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
232 		auf_null,	0,
233 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
234 		auf_mknod,	S2E_MLD,
235 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
236 		auf_null,	0,
237 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
238 		auf_null,	0,
239 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
240 		auf_null,	0,
241 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
242 		auf_null,	S2E_PUB,
243 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
244 		auf_null,	0,
245 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
246 		auf_null,	0,
247 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
248 		auf_null,	S2E_MLD,
249 aui_null,	AUE_READLINK,	aus_null,	/* 22 readlinkat */
250 		auf_null,	S2E_PUB,
251 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
254 		auf_null,	0,
255 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
264 		auf_null,	0,
265 aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
266 		auf_null,	0,
267 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
268 		auf_null,	0,
269 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
270 		auf_null,	0,
271 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
272 		auf_null,	S2E_PUB,
273 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
274 		auf_null,	0,
275 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
276 		auf_null,	S2E_PUB,
277 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
278 		auf_null,	0,
279 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
280 		auf_null,	0,
281 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
282 		auf_null,	S2E_PUB,
283 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
288 		auf_null,	0,
289 aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
290 		auf_null,	0,
291 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
292 		auf_null,	0,
293 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
294 		auf_null,	0,
295 aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
296 		auf_null,	S2E_PUB,
297 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
298 		auf_null,	0,
299 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
300 		auf_null,	0,
301 aui_null,	AUE_MKNOD,	aus_mknodat,	/* 48 mknodat */
302 		auf_mknodat,	S2E_MLD,
303 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
304 		auf_msgsys,	0,
305 #if defined(__x86)
306 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
307 		auf_null,	0,
308 #else
309 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
310 		auf_null,	0,
311 #endif /* __x86 */
312 aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
313 		auf_null,	0,
314 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
315 		auf_shmsys,	0,
316 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
317 		auf_semsys,	0,
318 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
319 		auf_null,	0,
320 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
321 		auf_null,	0,
322 aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
323 		auf_null,	0,
324 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
325 		auf_null,	0,
326 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
327 		auf_null,	0,
328 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
329 		auf_null,	S2E_MLD,
330 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
331 		auf_null,	0,
332 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
333 		auf_null,	S2E_SP,
334 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
335 		auf_null,	0,
336 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
337 		auf_null,	0,
338 aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
339 		auf_null,	0,
340 aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
341 		auf_null,	0,
342 aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
343 		auf_null,	S2E_PUB,
344 aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
345 		auf_null,	S2E_PUB,
346 aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
347 		auf_null,	S2E_SP,
348 aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
349 		auf_null,	S2E_SP,
350 aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
363 		auf_null,	0,
364 aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
365 		auf_null,	0,
366 aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
367 		auf_null,	0,
368 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
369 		auf_null,	0,
370 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
373 		auf_null,	0,
374 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
375 		auf_null,	0,
376 aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
377 		auf_null,	0,
378 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
379 		auf_null,	0,
380 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
381 		auf_null,	0,
382 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
383 		auf_null,	0,
384 aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
385 		auf_null,	0,
386 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
387 		auf_null,	S2E_PUB,
388 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
389 		auf_null,	0,
390 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
391 		auf_null,	S2E_PUB,
392 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
393 		auf_null,	0,
394 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
395 		auf_null,	0,
396 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
397 		auf_null,	0,
398 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
411 		auf_null,	0,
412 aui_fchmodat,	AUE_NULL,	aus_fchmodat,	/* 101 fchmodat */
413 		auf_null,	0,
414 aui_null,	AUE_MKDIR,	aus_mkdirat,	/* 102 mkdirat */
415 		auf_null,	0,
416 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
417 		auf_null,	S2E_PUB,
418 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
423 		auf_null,	0,
424 aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
425 		auf_null,	0,
426 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
427 		auf_null,	0,
428 #if defined(__x86)
429 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
430 		auf_null,	0,
431 #else
432 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
433 		auf_null,	0,
434 #endif /* __x86 */
435 aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
436 		auf_null,	0,
437 aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
438 		auf_null,	0,
439 aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
440 		auf_null,	0,
441 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
442 		auf_null,	S2E_PUB,
443 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
444 		auf_null,	0,
445 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
446 		auf_null,	0,
447 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
448 		auf_null,	0,
449 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
450 		auf_null,	0,
451 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
452 		auf_null,	0,
453 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
454 		auf_null,	0,
455 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
456 		auf_null,	0,
457 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
458 		auf_read,	S2E_PUB,
459 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
460 		auf_write,	0,
461 aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
462 		auf_null,	0,
463 aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
464 		auf_null,	0,
465 aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
466 		auf_null,	0,
467 aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
468 		auf_null,	0,
469 aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
470 		auf_null,	0,
471 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
472 		auf_null,	0,
473 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
474 		auf_null,	0,
475 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
476 		auf_null,	0,
477 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
478 		auf_null,	0,
479 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
480 		auf_null,	0,
481 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
482 		auf_null,	0,
483 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
484 		auf_null,	0,
485 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
486 		auf_null,	0,
487 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
488 		auf_null,	0,
489 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
490 		auf_null,	0,
491 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
492 		auf_null,	0,
493 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
494 		auf_null,	0,
495 aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
496 		auf_null,	0,
497 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
498 		auf_null,	0,
499 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
506 		auf_null,	0,
507 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
508 		auf_null,	0,
509 aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
510 						/*	was lwp_sema_wait */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
515 		auf_null,	0,
516 aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
517 		auf_null,	0,
518 aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
519 		auf_null,	0,
520 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
521 		auf_null,	0,
522 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
555 						/*	was lwp_mutex_lock */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
558 		auf_null,	0,
559 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
560 		auf_null,	0,
561 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
562 		auf_null,	0,
563 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
564 		auf_read,	S2E_PUB,
565 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
566 		auf_write,	0,
567 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
568 		auf_null,	0,
569 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) inst_sync */
570 		auf_null,	0,
571 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
578 		auf_null,	0,
579 aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
580 		auf_null,	0,
581 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
582 		auf_null,	S2E_MLD,
583 aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
584 		auf_null,	0,
585 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
586 		auf_null,	0,
587 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
588 		auf_null,	0,
589 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
590 		auf_null,	0,
591 aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
592 		auf_null,	0,
593 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
594 		auf_null,	0,
595 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
600 		auf_null,	0,
601 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
614 		auf_null,	0,
615 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
616 		auf_null,	0,
617 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
618 		auf_null,	0,
619 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
620 		auf_null,	0,
621 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
622 		auf_null,	0,
623 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
642 		auf_null,	0,
643 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
644 		auf_null,	0,
645 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
646 		auf_null,	0,
647 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
652 		auf_null,	0,
653 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
654 		auf_null,	S2E_PUB,
655 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
656 		auf_null,	0,
657 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
658 		auf_null,	0,
659 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
660 		auf_null,	0,
661 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
662 		auf_read,	S2E_PUB,
663 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
664 		auf_write,	0,
665 aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
666 		auf_null,	0,
667 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
668 		auf_null,	S2E_SP,
669 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
676 		auf_null,	0,
677 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
678 		auf_null,	0,
679 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
680 		auf_null,	0,
681 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
682 		auf_bind,	0,
683 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
684 		auf_null,	0,
685 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
686 		auf_accept,	0,
687 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
688 		auf_connect,	0,
689 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
690 		auf_null,	0,
691 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
692 		auf_recv,	0,
693 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
694 		auf_recvfrom,	0,
695 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
696 		auf_recvmsg,	0,
697 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
698 		auf_send,	0,
699 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
700 		auf_sendmsg,	0,
701 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
702 		auf_sendto,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
704 		auf_null,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
708 		auf_null,	0,
709 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
710 		auf_setsockopt,	0,
711 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
714 		auf_null,	0,
715 aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
724 		auf_null,	0,
725 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
726 		auf_null,	0,
727 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
728 		auf_null,	0
729 };
730 
731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
732 
733 
734 /* exit start function */
735 /*ARGSUSED*/
736 static void
737 aus_exit(struct t_audit_data *tad)
738 {
739 	uint32_t rval;
740 	struct a {
741 		long rval;
742 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
743 
744 	rval = (uint32_t)uap->rval;
745 	au_uwrite(au_to_arg32(1, "exit status", rval));
746 }
747 
748 
749 /* acct start function */
750 /*ARGSUSED*/
751 static void
752 aus_acct(struct t_audit_data *tad)
753 {
754 	klwp_t *clwp = ttolwp(curthread);
755 	uintptr_t fname;
756 
757 	struct a {
758 		long	fname;		/* char * */
759 	} *uap = (struct a *)clwp->lwp_ap;
760 
761 	fname = (uintptr_t)uap->fname;
762 
763 	if (fname == 0)
764 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
765 }
766 
767 /* chown start function */
768 /*ARGSUSED*/
769 static void
770 aus_chown(struct t_audit_data *tad)
771 {
772 	klwp_t *clwp = ttolwp(curthread);
773 	uint32_t uid, gid;
774 
775 	struct a {
776 		long	fname;		/* char * */
777 		long	uid;
778 		long	gid;
779 	} *uap = (struct a *)clwp->lwp_ap;
780 
781 	uid = (uint32_t)uap->uid;
782 	gid = (uint32_t)uap->gid;
783 
784 	au_uwrite(au_to_arg32(2, "new file uid", uid));
785 	au_uwrite(au_to_arg32(3, "new file gid", gid));
786 }
787 
788 /* fchown start function */
789 /*ARGSUSED*/
790 static void
791 aus_fchown(struct t_audit_data *tad)
792 {
793 	klwp_t *clwp = ttolwp(curthread);
794 	uint32_t uid, gid, fd;
795 	struct file  *fp;
796 	struct vnode *vp;
797 	struct f_audit_data *fad;
798 
799 	struct a {
800 		long fd;
801 		long uid;
802 		long gid;
803 	} *uap = (struct a *)clwp->lwp_ap;
804 
805 	fd  = (uint32_t)uap->fd;
806 	uid = (uint32_t)uap->uid;
807 	gid = (uint32_t)uap->gid;
808 
809 	au_uwrite(au_to_arg32(2, "new file uid", uid));
810 	au_uwrite(au_to_arg32(3, "new file gid", gid));
811 
812 		/*
813 		 * convert file pointer to file descriptor
814 		 *   Note: fd ref count incremented here.
815 		 */
816 	if ((fp = getf(fd)) == NULL)
817 		return;
818 
819 	/* get path from file struct here */
820 	fad = F2A(fp);
821 	if (fad->fad_aupath != NULL) {
822 		au_uwrite(au_to_path(fad->fad_aupath));
823 	} else {
824 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
825 	}
826 
827 	vp = fp->f_vnode;
828 	audit_attributes(vp);
829 
830 	/* decrement file descriptor reference count */
831 	releasef(fd);
832 }
833 
834 /*ARGSUSED*/
835 static void
836 aus_lchown(struct t_audit_data *tad)
837 {
838 	klwp_t *clwp = ttolwp(curthread);
839 	uint32_t uid, gid;
840 
841 
842 	struct a {
843 		long	fname;		/* char	* */
844 		long	uid;
845 		long	gid;
846 	} *uap = (struct a *)clwp->lwp_ap;
847 
848 	uid = (uint32_t)uap->uid;
849 	gid = (uint32_t)uap->gid;
850 
851 	au_uwrite(au_to_arg32(2, "new file uid", uid));
852 	au_uwrite(au_to_arg32(3, "new file gid", gid));
853 }
854 
855 static au_event_t
856 aui_fchownat(au_event_t e)
857 {
858 	klwp_t *clwp = ttolwp(curthread);
859 
860 	struct a {
861 		long	fd;
862 		long	fname;		/* char * */
863 		long	uid;
864 		long	gid;
865 		long	flags;
866 	} *uap = (struct a *)clwp->lwp_ap;
867 
868 	if (uap->fname == NULL)
869 		e = AUE_FCHOWN;
870 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
871 		e = AUE_LCHOWN;
872 	else
873 		e = AUE_CHOWN;
874 
875 	return (e);
876 }
877 
878 /*ARGSUSED*/
879 static void
880 aus_fchownat(struct t_audit_data *tad)
881 {
882 	klwp_t *clwp = ttolwp(curthread);
883 	uint32_t uid, gid;
884 
885 	struct a {
886 		long	fd;
887 		long	fname;		/* char * */
888 		long	uid;
889 		long	gid;
890 		long	flags;
891 	} *uap = (struct a *)clwp->lwp_ap;
892 
893 	uid = (uint32_t)uap->uid;
894 	gid = (uint32_t)uap->gid;
895 
896 	au_uwrite(au_to_arg32(3, "new file uid", uid));
897 	au_uwrite(au_to_arg32(4, "new file gid", gid));
898 }
899 
900 /*ARGSUSED*/
901 static void
902 aus_chmod(struct t_audit_data *tad)
903 {
904 	klwp_t *clwp = ttolwp(curthread);
905 	uint32_t fmode;
906 
907 	struct a {
908 		long	fname;		/* char	* */
909 		long	fmode;
910 	} *uap = (struct a *)clwp->lwp_ap;
911 
912 	fmode = (uint32_t)uap->fmode;
913 
914 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
915 }
916 
917 /*ARGSUSED*/
918 static void
919 aus_fchmod(struct t_audit_data *tad)
920 {
921 	klwp_t *clwp = ttolwp(curthread);
922 	uint32_t fmode, fd;
923 	struct file  *fp;
924 	struct vnode *vp;
925 	struct f_audit_data *fad;
926 
927 	struct a {
928 		long	fd;
929 		long	fmode;
930 	} *uap = (struct a *)clwp->lwp_ap;
931 
932 	fd = (uint32_t)uap->fd;
933 	fmode = (uint32_t)uap->fmode;
934 
935 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
936 
937 	/*
938 	 * convert file pointer to file descriptor
939 	 *   Note: fd ref count incremented here.
940 	 */
941 	if ((fp = getf(fd)) == NULL)
942 		return;
943 
944 	/* get path from file struct here */
945 	fad = F2A(fp);
946 	if (fad->fad_aupath != NULL) {
947 		au_uwrite(au_to_path(fad->fad_aupath));
948 	} else {
949 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
950 	}
951 
952 	vp = fp->f_vnode;
953 	audit_attributes(vp);
954 
955 	/* decrement file descriptor reference count */
956 	releasef(fd);
957 }
958 
959 static au_event_t
960 aui_fchmodat(au_event_t e)
961 {
962 	klwp_t *clwp = ttolwp(curthread);
963 
964 	struct a {
965 		long	fd;
966 		long	fname;		/* char	* */
967 		long	fmode;
968 		long	flag;
969 	} *uap = (struct a *)clwp->lwp_ap;
970 
971 	if (uap->fname == NULL)
972 		e = AUE_FCHMOD;
973 	else
974 		e = AUE_CHMOD;
975 
976 	return (e);
977 }
978 
979 /*ARGSUSED*/
980 static void
981 aus_fchmodat(struct t_audit_data *tad)
982 {
983 	klwp_t *clwp = ttolwp(curthread);
984 	uint32_t fmode;
985 	uint32_t fd;
986 	struct file  *fp;
987 	struct vnode *vp;
988 	struct f_audit_data *fad;
989 
990 	struct a {
991 		long	fd;
992 		long	fname;		/* char	* */
993 		long	fmode;
994 		long	flag;
995 	} *uap = (struct a *)clwp->lwp_ap;
996 
997 	fd = (uint32_t)uap->fd;
998 	fmode = (uint32_t)uap->fmode;
999 
1000 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1001 
1002 	if (fd == AT_FDCWD || uap->fname != NULL)	/* same as chmod() */
1003 		return;
1004 
1005 	/*
1006 	 * convert file pointer to file descriptor
1007 	 *   Note: fd ref count incremented here.
1008 	 */
1009 	if ((fp = getf(fd)) == NULL)
1010 		return;
1011 
1012 	/* get path from file struct here */
1013 	fad = F2A(fp);
1014 	if (fad->fad_aupath != NULL) {
1015 		au_uwrite(au_to_path(fad->fad_aupath));
1016 	} else {
1017 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1018 	}
1019 
1020 	vp = fp->f_vnode;
1021 	audit_attributes(vp);
1022 
1023 	/* decrement file descriptor reference count */
1024 	releasef(fd);
1025 }
1026 
1027 /*
1028  * convert open mode to appropriate open event
1029  */
1030 au_event_t
1031 open_event(uint_t fm)
1032 {
1033 	au_event_t e;
1034 
1035 	switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1036 	case O_RDONLY:
1037 		e = AUE_OPEN_R;
1038 		break;
1039 	case O_RDONLY | O_CREAT:
1040 		e = AUE_OPEN_RC;
1041 		break;
1042 	case O_RDONLY | O_TRUNC:
1043 		e = AUE_OPEN_RT;
1044 		break;
1045 	case O_RDONLY | O_TRUNC | O_CREAT:
1046 		e = AUE_OPEN_RTC;
1047 		break;
1048 	case O_WRONLY:
1049 		e = AUE_OPEN_W;
1050 		break;
1051 	case O_WRONLY | O_CREAT:
1052 		e = AUE_OPEN_WC;
1053 		break;
1054 	case O_WRONLY | O_TRUNC:
1055 		e = AUE_OPEN_WT;
1056 		break;
1057 	case O_WRONLY | O_TRUNC | O_CREAT:
1058 		e = AUE_OPEN_WTC;
1059 		break;
1060 	case O_RDWR:
1061 		e = AUE_OPEN_RW;
1062 		break;
1063 	case O_RDWR | O_CREAT:
1064 		e = AUE_OPEN_RWC;
1065 		break;
1066 	case O_RDWR | O_TRUNC:
1067 		e = AUE_OPEN_RWT;
1068 		break;
1069 	case O_RDWR | O_TRUNC | O_CREAT:
1070 		e = AUE_OPEN_RWTC;
1071 		break;
1072 	case O_SEARCH:
1073 		e = AUE_OPEN_S;
1074 		break;
1075 	case O_EXEC:
1076 		e = AUE_OPEN_E;
1077 		break;
1078 	default:
1079 		e = AUE_NULL;
1080 		break;
1081 	}
1082 
1083 	return (e);
1084 }
1085 
1086 /* ARGSUSED */
1087 static au_event_t
1088 aui_open(au_event_t e)
1089 {
1090 	klwp_t *clwp = ttolwp(curthread);
1091 	uint_t fm;
1092 
1093 	struct a {
1094 		long	fnamep;		/* char	* */
1095 		long	fmode;
1096 		long	cmode;
1097 	} *uap = (struct a *)clwp->lwp_ap;
1098 
1099 	fm = (uint_t)uap->fmode;
1100 
1101 	return (open_event(fm));
1102 }
1103 
1104 static void
1105 aus_open(struct t_audit_data *tad)
1106 {
1107 	klwp_t *clwp = ttolwp(curthread);
1108 	uint_t fm;
1109 
1110 	struct a {
1111 		long	fnamep;		/* char	* */
1112 		long	fmode;
1113 		long	cmode;
1114 	} *uap = (struct a *)clwp->lwp_ap;
1115 
1116 	fm = (uint_t)uap->fmode;
1117 
1118 	/* If no write, create, or trunc modes, mark as a public op */
1119 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1120 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1121 }
1122 
1123 /* ARGSUSED */
1124 static au_event_t
1125 aui_openat(au_event_t e)
1126 {
1127 	t_audit_data_t *tad = T2A(curthread);
1128 	klwp_t *clwp = ttolwp(curthread);
1129 	uint_t fm;
1130 
1131 	struct a {
1132 		long	filedes;
1133 		long	fnamep;		/* char	* */
1134 		long	fmode;
1135 		long	cmode;
1136 	} *uap = (struct a *)clwp->lwp_ap;
1137 
1138 	fm = (uint_t)uap->fmode;
1139 
1140 	/*
1141 	 * __openattrdirat() does an extra pathname lookup in order to
1142 	 * enter the extended system attribute namespace of the referenced
1143 	 * extended attribute filename.
1144 	 */
1145 	if (fm & FXATTRDIROPEN)
1146 		tad->tad_ctrl |= TAD_MLD;
1147 
1148 	return (open_event(fm));
1149 }
1150 
1151 static void
1152 aus_openat(struct t_audit_data *tad)
1153 {
1154 	klwp_t *clwp = ttolwp(curthread);
1155 	uint_t fm;
1156 
1157 	struct a {
1158 		long	filedes;
1159 		long	fnamep;		/* char	* */
1160 		long	fmode;
1161 		long	cmode;
1162 	} *uap = (struct a *)clwp->lwp_ap;
1163 
1164 	fm = (uint_t)uap->fmode;
1165 
1166 	/* If no write, create, or trunc modes, mark as a public op */
1167 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1168 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1169 }
1170 
1171 static au_event_t
1172 aui_unlinkat(au_event_t e)
1173 {
1174 	klwp_t *clwp = ttolwp(curthread);
1175 
1176 	struct a {
1177 		long	filedes;
1178 		long	fnamep;		/* char	* */
1179 		long	flags;
1180 	} *uap = (struct a *)clwp->lwp_ap;
1181 
1182 	if (uap->flags & AT_REMOVEDIR)
1183 		e = AUE_RMDIR;
1184 	else
1185 		e = AUE_UNLINK;
1186 
1187 	return (e);
1188 }
1189 
1190 static au_event_t
1191 aui_fstatat(au_event_t e)
1192 {
1193 	klwp_t *clwp = ttolwp(curthread);
1194 
1195 	struct a {
1196 		long	filedes;
1197 		long	fnamep;		/* char	* */
1198 		long	statb;
1199 		long	flags;
1200 	} *uap = (struct a *)clwp->lwp_ap;
1201 
1202 	if (uap->fnamep == NULL)
1203 		e = AUE_FSTAT;
1204 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1205 		e = AUE_LSTAT;
1206 	else
1207 		e = AUE_STAT;
1208 
1209 	return (e);
1210 }
1211 
1212 /* msgsys */
1213 static au_event_t
1214 aui_msgsys(au_event_t e)
1215 {
1216 	klwp_t *clwp = ttolwp(curthread);
1217 	uint_t fm;
1218 
1219 	struct a {
1220 		long	id;	/* function code id */
1221 		long	ap;	/* arg pointer for recvmsg */
1222 	} *uap = (struct a *)clwp->lwp_ap;
1223 
1224 	struct b {
1225 		long	msgid;
1226 		long	cmd;
1227 		long	buf;	/* struct msqid_ds * */
1228 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1229 
1230 	fm  = (uint_t)uap->id;
1231 
1232 	switch (fm) {
1233 	case 0:		/* msgget */
1234 		e = AUE_MSGGET;
1235 		break;
1236 	case 1:		/* msgctl */
1237 		switch ((uint_t)uap1->cmd) {
1238 		case IPC_RMID:
1239 			e = AUE_MSGCTL_RMID;
1240 			break;
1241 		case IPC_SET:
1242 			e = AUE_MSGCTL_SET;
1243 			break;
1244 		case IPC_STAT:
1245 			e = AUE_MSGCTL_STAT;
1246 			break;
1247 		default:
1248 			e = AUE_MSGCTL;
1249 			break;
1250 		}
1251 		break;
1252 	case 2:		/* msgrcv */
1253 		e = AUE_MSGRCV;
1254 		break;
1255 	case 3:		/* msgsnd */
1256 		e = AUE_MSGSND;
1257 		break;
1258 	default:	/* illegal system call */
1259 		e = AUE_NULL;
1260 		break;
1261 	}
1262 
1263 	return (e);
1264 }
1265 
1266 
1267 /* shmsys */
1268 static au_event_t
1269 aui_shmsys(au_event_t e)
1270 {
1271 	klwp_t *clwp = ttolwp(curthread);
1272 	int fm;
1273 
1274 	struct a {		/* shmsys */
1275 		long	id;	/* function code id */
1276 	} *uap = (struct a *)clwp->lwp_ap;
1277 
1278 	struct b {		/* ctrl */
1279 		long	shmid;
1280 		long	cmd;
1281 		long	arg;		/* struct shmid_ds * */
1282 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1283 	fm  = (uint_t)uap->id;
1284 
1285 	switch (fm) {
1286 	case 0:		/* shmat */
1287 		e = AUE_SHMAT;
1288 		break;
1289 	case 1:		/* shmctl */
1290 		switch ((uint_t)uap1->cmd) {
1291 		case IPC_RMID:
1292 			e = AUE_SHMCTL_RMID;
1293 			break;
1294 		case IPC_SET:
1295 			e = AUE_SHMCTL_SET;
1296 			break;
1297 		case IPC_STAT:
1298 			e = AUE_SHMCTL_STAT;
1299 			break;
1300 		default:
1301 			e = AUE_SHMCTL;
1302 			break;
1303 		}
1304 		break;
1305 	case 2:		/* shmdt */
1306 		e = AUE_SHMDT;
1307 		break;
1308 	case 3:		/* shmget */
1309 		e = AUE_SHMGET;
1310 		break;
1311 	default:	/* illegal system call */
1312 		e = AUE_NULL;
1313 		break;
1314 	}
1315 
1316 	return (e);
1317 }
1318 
1319 
1320 /* semsys */
1321 static au_event_t
1322 aui_semsys(au_event_t e)
1323 {
1324 	klwp_t *clwp = ttolwp(curthread);
1325 	uint_t fm;
1326 
1327 	struct a {		/* semsys */
1328 		long	id;
1329 	} *uap = (struct a *)clwp->lwp_ap;
1330 
1331 	struct b {		/* ctrl */
1332 		long	semid;
1333 		long	semnum;
1334 		long	cmd;
1335 		long	arg;
1336 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1337 
1338 	fm = (uint_t)uap->id;
1339 
1340 	switch (fm) {
1341 	case 0:		/* semctl */
1342 		switch ((uint_t)uap1->cmd) {
1343 		case IPC_RMID:
1344 			e = AUE_SEMCTL_RMID;
1345 			break;
1346 		case IPC_SET:
1347 			e = AUE_SEMCTL_SET;
1348 			break;
1349 		case IPC_STAT:
1350 			e = AUE_SEMCTL_STAT;
1351 			break;
1352 		case GETNCNT:
1353 			e = AUE_SEMCTL_GETNCNT;
1354 			break;
1355 		case GETPID:
1356 			e = AUE_SEMCTL_GETPID;
1357 			break;
1358 		case GETVAL:
1359 			e = AUE_SEMCTL_GETVAL;
1360 			break;
1361 		case GETALL:
1362 			e = AUE_SEMCTL_GETALL;
1363 			break;
1364 		case GETZCNT:
1365 			e = AUE_SEMCTL_GETZCNT;
1366 			break;
1367 		case SETVAL:
1368 			e = AUE_SEMCTL_SETVAL;
1369 			break;
1370 		case SETALL:
1371 			e = AUE_SEMCTL_SETALL;
1372 			break;
1373 		default:
1374 			e = AUE_SEMCTL;
1375 			break;
1376 		}
1377 		break;
1378 	case 1:		/* semget */
1379 		e = AUE_SEMGET;
1380 		break;
1381 	case 2:		/* semop */
1382 		e = AUE_SEMOP;
1383 		break;
1384 	default:	/* illegal system call */
1385 		e = AUE_NULL;
1386 		break;
1387 	}
1388 
1389 	return (e);
1390 }
1391 
1392 /* utssys - uname(2), ustat(2), fusers(2) */
1393 static au_event_t
1394 aui_utssys(au_event_t e)
1395 {
1396 	klwp_t *clwp = ttolwp(curthread);
1397 	uint_t type;
1398 
1399 	struct a {
1400 		union {
1401 			long	cbuf;		/* char * */
1402 			long	ubuf;		/* struct stat * */
1403 		} ub;
1404 		union {
1405 			long	mv;	/* for USTAT */
1406 			long	flags;	/* for FUSERS */
1407 		} un;
1408 		long	type;
1409 		long	outbp;		/* char * for FUSERS */
1410 	} *uap = (struct a *)clwp->lwp_ap;
1411 
1412 	type = (uint_t)uap->type;
1413 
1414 	if (type == UTS_FUSERS)
1415 		return (e);
1416 	else
1417 		return ((au_event_t)AUE_NULL);
1418 }
1419 
1420 static au_event_t
1421 aui_fcntl(au_event_t e)
1422 {
1423 	klwp_t *clwp = ttolwp(curthread);
1424 	uint_t cmd;
1425 
1426 	struct a {
1427 		long	fdes;
1428 		long	cmd;
1429 		long	arg;
1430 	} *uap = (struct a *)clwp->lwp_ap;
1431 
1432 	cmd = (uint_t)uap->cmd;
1433 
1434 	switch (cmd) {
1435 	case F_GETLK:
1436 	case F_SETLK:
1437 	case F_SETLKW:
1438 		break;
1439 	case F_SETFL:
1440 	case F_GETFL:
1441 	case F_GETFD:
1442 		break;
1443 	default:
1444 		e = (au_event_t)AUE_NULL;
1445 		break;
1446 	}
1447 	return ((au_event_t)e);
1448 }
1449 
1450 /* null function for now */
1451 static au_event_t
1452 aui_execve(au_event_t e)
1453 {
1454 	return (e);
1455 }
1456 
1457 /*ARGSUSED*/
1458 static void
1459 aus_fcntl(struct t_audit_data *tad)
1460 {
1461 	klwp_t *clwp = ttolwp(curthread);
1462 	uint32_t cmd, fd, flags;
1463 	struct file  *fp;
1464 	struct vnode *vp;
1465 	struct f_audit_data *fad;
1466 
1467 	struct a {
1468 		long	fd;
1469 		long	cmd;
1470 		long	arg;
1471 	} *uap = (struct a *)clwp->lwp_ap;
1472 
1473 	cmd	= (uint32_t)uap->cmd;
1474 	fd	= (uint32_t)uap->fd;
1475 	flags	= (uint32_t)uap->arg;
1476 
1477 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1478 
1479 	if (cmd == F_SETFL)
1480 		au_uwrite(au_to_arg32(3, "flags", flags));
1481 
1482 		/*
1483 		 * convert file pointer to file descriptor
1484 		 *   Note: fd ref count incremented here.
1485 		 */
1486 	if ((fp = getf(fd)) == NULL)
1487 		return;
1488 
1489 	/* get path from file struct here */
1490 	fad = F2A(fp);
1491 	if (fad->fad_aupath != NULL) {
1492 		au_uwrite(au_to_path(fad->fad_aupath));
1493 	} else {
1494 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1495 	}
1496 
1497 	vp = fp->f_vnode;
1498 	audit_attributes(vp);
1499 
1500 	/* decrement file descriptor reference count */
1501 	releasef(fd);
1502 }
1503 
1504 /*ARGSUSED*/
1505 static void
1506 aus_kill(struct t_audit_data *tad)
1507 {
1508 	klwp_t *clwp = ttolwp(curthread);
1509 	struct proc *p;
1510 	uint32_t signo;
1511 	uid_t uid, ruid;
1512 	gid_t gid, rgid;
1513 	pid_t pid;
1514 	const auditinfo_addr_t *ainfo;
1515 	cred_t *cr;
1516 
1517 	struct a {
1518 		long	pid;
1519 		long	signo;
1520 	} *uap = (struct a *)clwp->lwp_ap;
1521 
1522 	pid   = (pid_t)uap->pid;
1523 	signo = (uint32_t)uap->signo;
1524 
1525 	au_uwrite(au_to_arg32(2, "signal", signo));
1526 	if (pid > 0) {
1527 		mutex_enter(&pidlock);
1528 		if (((p = prfind(pid)) == (struct proc *)0) ||
1529 		    (p->p_stat == SIDL)) {
1530 			mutex_exit(&pidlock);
1531 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1532 			return;
1533 		}
1534 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1535 		mutex_exit(&pidlock);
1536 
1537 		mutex_enter(&p->p_crlock);
1538 		crhold(cr = p->p_cred);
1539 		mutex_exit(&p->p_crlock);
1540 		mutex_exit(&p->p_lock);
1541 
1542 		ainfo = crgetauinfo(cr);
1543 		if (ainfo == NULL) {
1544 			crfree(cr);
1545 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1546 			return;
1547 		}
1548 
1549 		uid  = crgetuid(cr);
1550 		gid  = crgetgid(cr);
1551 		ruid = crgetruid(cr);
1552 		rgid = crgetrgid(cr);
1553 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1554 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1555 
1556 		if (is_system_labeled())
1557 			au_uwrite(au_to_label(CR_SL(cr)));
1558 
1559 		crfree(cr);
1560 	}
1561 	else
1562 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1563 }
1564 
1565 /*ARGSUSED*/
1566 static void
1567 aus_mkdir(struct t_audit_data *tad)
1568 {
1569 	klwp_t *clwp = ttolwp(curthread);
1570 	uint32_t dmode;
1571 
1572 	struct a {
1573 		long	dirnamep;		/* char * */
1574 		long	dmode;
1575 	} *uap = (struct a *)clwp->lwp_ap;
1576 
1577 	dmode = (uint32_t)uap->dmode;
1578 
1579 	au_uwrite(au_to_arg32(2, "mode", dmode));
1580 }
1581 
1582 /*ARGSUSED*/
1583 static void
1584 aus_mkdirat(struct t_audit_data *tad)
1585 {
1586 	klwp_t *clwp = ttolwp(curthread);
1587 	uint32_t dmode;
1588 
1589 	struct a {
1590 		long	fd;
1591 		long	dirnamep;		/* char * */
1592 		long	dmode;
1593 	} *uap = (struct a *)clwp->lwp_ap;
1594 
1595 	dmode = (uint32_t)uap->dmode;
1596 
1597 	au_uwrite(au_to_arg32(2, "mode", dmode));
1598 }
1599 
1600 /*ARGSUSED*/
1601 static void
1602 aus_mknod(struct t_audit_data *tad)
1603 {
1604 	klwp_t *clwp = ttolwp(curthread);
1605 	uint32_t fmode;
1606 	dev_t dev;
1607 
1608 	struct a {
1609 		long	pnamep;		/* char * */
1610 		long	fmode;
1611 		long	dev;
1612 	} *uap = (struct a *)clwp->lwp_ap;
1613 
1614 	fmode = (uint32_t)uap->fmode;
1615 	dev   = (dev_t)uap->dev;
1616 
1617 	au_uwrite(au_to_arg32(2, "mode", fmode));
1618 #ifdef _LP64
1619 	au_uwrite(au_to_arg64(3, "dev", dev));
1620 #else
1621 	au_uwrite(au_to_arg32(3, "dev", dev));
1622 #endif
1623 }
1624 
1625 /*ARGSUSED*/
1626 static void
1627 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1628 {
1629 	klwp_t *clwp = ttolwp(curthread);
1630 	vnode_t	*dvp;
1631 	caddr_t pnamep;
1632 
1633 	struct a {
1634 		long	pnamep;		/* char * */
1635 		long	fmode;
1636 		long	dev;
1637 	} *uap = (struct a *)clwp->lwp_ap;
1638 
1639 	/* no error, then already path token in audit record */
1640 	if (error != EPERM && error != EINVAL)
1641 		return;
1642 
1643 	/* do the lookup to force generation of path token */
1644 	pnamep = (caddr_t)uap->pnamep;
1645 	tad->tad_ctrl |= TAD_NOATTRB;
1646 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1647 	if (error == 0)
1648 		VN_RELE(dvp);
1649 }
1650 
1651 /*ARGSUSED*/
1652 static void
1653 aus_mknodat(struct t_audit_data *tad)
1654 {
1655 	klwp_t *clwp = ttolwp(curthread);
1656 	uint32_t fmode;
1657 	dev_t dev;
1658 
1659 	struct a {
1660 		long	fd;
1661 		long	pnamep;		/* char * */
1662 		long	fmode;
1663 		long	dev;
1664 	} *uap = (struct a *)clwp->lwp_ap;
1665 
1666 	fmode = (uint32_t)uap->fmode;
1667 	dev   = (dev_t)uap->dev;
1668 
1669 	au_uwrite(au_to_arg32(2, "mode", fmode));
1670 #ifdef _LP64
1671 	au_uwrite(au_to_arg64(3, "dev", dev));
1672 #else
1673 	au_uwrite(au_to_arg32(3, "dev", dev));
1674 #endif
1675 }
1676 
1677 /*ARGSUSED*/
1678 static void
1679 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1680 {
1681 	klwp_t *clwp = ttolwp(curthread);
1682 	vnode_t	*startvp;
1683 	vnode_t	*dvp;
1684 	caddr_t pnamep;
1685 	int fd;
1686 
1687 	struct a {
1688 		long	fd;
1689 		long	pnamep;		/* char * */
1690 		long	fmode;
1691 		long	dev;
1692 	} *uap = (struct a *)clwp->lwp_ap;
1693 
1694 	/* no error, then already path token in audit record */
1695 	if (error != EPERM && error != EINVAL)
1696 		return;
1697 
1698 	/* do the lookup to force generation of path token */
1699 	fd = (int)uap->fd;
1700 	pnamep = (caddr_t)uap->pnamep;
1701 	if (pnamep == NULL ||
1702 	    fgetstartvp(fd, pnamep, &startvp) != 0)
1703 		return;
1704 	tad->tad_ctrl |= TAD_NOATTRB;
1705 	error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1706 	    startvp);
1707 	if (error == 0)
1708 		VN_RELE(dvp);
1709 	if (startvp != NULL)
1710 		VN_RELE(startvp);
1711 }
1712 
1713 /*ARGSUSED*/
1714 static void
1715 aus_mount(struct t_audit_data *tad)
1716 {	/* AUS_START */
1717 	klwp_t *clwp = ttolwp(curthread);
1718 	uint32_t flags;
1719 	uintptr_t u_fstype, dataptr;
1720 	STRUCT_DECL(nfs_args, nfsargs);
1721 	size_t len;
1722 	char *fstype, *hostname;
1723 
1724 	struct a {
1725 		long	spec;		/* char    * */
1726 		long	dir;		/* char    * */
1727 		long	flags;
1728 		long	fstype;		/* char    * */
1729 		long	dataptr;	/* char    * */
1730 		long	datalen;
1731 	} *uap = (struct a *)clwp->lwp_ap;
1732 
1733 	u_fstype = (uintptr_t)uap->fstype;
1734 	flags    = (uint32_t)uap->flags;
1735 	dataptr  = (uintptr_t)uap->dataptr;
1736 
1737 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1738 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1739 		goto mount_free_fstype;
1740 
1741 	au_uwrite(au_to_arg32(3, "flags", flags));
1742 	au_uwrite(au_to_text(fstype));
1743 
1744 	if (strncmp(fstype, "nfs", 3) == 0) {
1745 
1746 		STRUCT_INIT(nfsargs, get_udatamodel());
1747 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1748 
1749 		if (copyin((caddr_t)dataptr,
1750 				STRUCT_BUF(nfsargs),
1751 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1752 			/* DEBUG debug_enter((char *)NULL); */
1753 			goto mount_free_fstype;
1754 		}
1755 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1756 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1757 				(caddr_t)hostname,
1758 				MAXNAMELEN, &len)) {
1759 			goto mount_free_hostname;
1760 		}
1761 		au_uwrite(au_to_text(hostname));
1762 		au_uwrite(au_to_arg32(3, "internal flags",
1763 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1764 
1765 mount_free_hostname:
1766 		kmem_free(hostname, MAXNAMELEN);
1767 	}
1768 
1769 mount_free_fstype:
1770 	kmem_free(fstype, MAXNAMELEN);
1771 }	/* AUS_MOUNT */
1772 
1773 static void
1774 aus_umount_path(caddr_t umount_dir)
1775 {
1776 	char			*dir_path;
1777 	struct audit_path	*path;
1778 	size_t			path_len, dir_len;
1779 
1780 	/* length alloc'd for two string pointers */
1781 	path_len = sizeof (struct audit_path) + sizeof (char *);
1782 	path = kmem_alloc(path_len, KM_SLEEP);
1783 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1784 
1785 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1786 	    MAXPATHLEN, &dir_len))
1787 		goto umount2_free_dir;
1788 
1789 	/*
1790 	 * the audit_path struct assumes that the buffer pointed to
1791 	 * by audp_sect[n] contains string 0 immediatedly followed
1792 	 * by string 1.
1793 	 */
1794 	path->audp_sect[0] = dir_path;
1795 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1796 	path->audp_size = path_len;
1797 	path->audp_ref = 1;		/* not used */
1798 	path->audp_cnt = 1;		/* one path string */
1799 
1800 	au_uwrite(au_to_path(path));
1801 
1802 umount2_free_dir:
1803 	kmem_free(dir_path, MAXPATHLEN);
1804 	kmem_free(path, path_len);
1805 }
1806 
1807 /*ARGSUSED*/
1808 static void
1809 aus_umount2(struct t_audit_data *tad)
1810 {
1811 	klwp_t			*clwp = ttolwp(curthread);
1812 	struct a {
1813 		long	dir;		/* char    * */
1814 		long	flags;
1815 	} *uap = (struct a *)clwp->lwp_ap;
1816 
1817 	aus_umount_path((caddr_t)uap->dir);
1818 
1819 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1820 }
1821 
1822 static void
1823 aus_msgsys(struct t_audit_data *tad)
1824 {
1825 	klwp_t *clwp = ttolwp(curthread);
1826 	uint32_t msgid;
1827 
1828 	struct b {
1829 		long	msgid;
1830 		long	cmd;
1831 		long	buf;		/* struct msqid_ds * */
1832 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1833 
1834 	msgid = (uint32_t)uap1->msgid;
1835 
1836 
1837 	switch (tad->tad_event) {
1838 	case AUE_MSGGET:		/* msgget */
1839 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1840 		break;
1841 	case AUE_MSGCTL:		/* msgctl */
1842 	case AUE_MSGCTL_RMID:		/* msgctl */
1843 	case AUE_MSGCTL_SET:		/* msgctl */
1844 	case AUE_MSGCTL_STAT:		/* msgctl */
1845 	case AUE_MSGRCV:		/* msgrcv */
1846 	case AUE_MSGSND:		/* msgsnd */
1847 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1848 		break;
1849 	}
1850 }
1851 
1852 /*ARGSUSED*/
1853 static void
1854 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1855 {
1856 	int id;
1857 
1858 	if (error != 0)
1859 		return;
1860 	if (tad->tad_event == AUE_MSGGET) {
1861 		uint32_t scid;
1862 		uint32_t sy_flags;
1863 
1864 		/* need to determine type of executing binary */
1865 		scid = tad->tad_scid;
1866 #ifdef _SYSCALL32_IMPL
1867 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1868 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1869 		else
1870 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1871 #else
1872 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1873 #endif
1874 		if (sy_flags == SE_32RVAL1)
1875 			id = rval->r_val1;
1876 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1877 			id = rval->r_val1;
1878 		if (sy_flags == SE_64RVAL)
1879 			id = (int)rval->r_vals;
1880 
1881 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1882 	}
1883 }
1884 
1885 static void
1886 aus_semsys(struct t_audit_data *tad)
1887 {
1888 	klwp_t *clwp = ttolwp(curthread);
1889 	uint32_t semid;
1890 
1891 	struct b {		/* ctrl */
1892 		long	semid;
1893 		long	semnum;
1894 		long	cmd;
1895 		long	arg;
1896 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1897 
1898 	semid = (uint32_t)uap1->semid;
1899 
1900 	switch (tad->tad_event) {
1901 	case AUE_SEMCTL_RMID:
1902 	case AUE_SEMCTL_STAT:
1903 	case AUE_SEMCTL_GETNCNT:
1904 	case AUE_SEMCTL_GETPID:
1905 	case AUE_SEMCTL_GETVAL:
1906 	case AUE_SEMCTL_GETALL:
1907 	case AUE_SEMCTL_GETZCNT:
1908 	case AUE_SEMCTL_SET:
1909 	case AUE_SEMCTL_SETVAL:
1910 	case AUE_SEMCTL_SETALL:
1911 	case AUE_SEMCTL:
1912 	case AUE_SEMOP:
1913 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1914 		break;
1915 	case AUE_SEMGET:
1916 		au_uwrite(au_to_arg32(1, "sem key", semid));
1917 		break;
1918 	}
1919 }
1920 
1921 /*ARGSUSED*/
1922 static void
1923 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1924 {
1925 	int id;
1926 
1927 	if (error != 0)
1928 		return;
1929 	if (tad->tad_event == AUE_SEMGET) {
1930 		uint32_t scid;
1931 		uint32_t sy_flags;
1932 
1933 		/* need to determine type of executing binary */
1934 		scid = tad->tad_scid;
1935 #ifdef _SYSCALL32_IMPL
1936 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1937 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1938 		else
1939 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1940 #else
1941 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1942 #endif
1943 		if (sy_flags == SE_32RVAL1)
1944 			id = rval->r_val1;
1945 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1946 			id = rval->r_val1;
1947 		if (sy_flags == SE_64RVAL)
1948 			id = (int)rval->r_vals;
1949 
1950 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1951 	}
1952 }
1953 
1954 /*ARGSUSED*/
1955 static void
1956 aus_close(struct t_audit_data *tad)
1957 {
1958 	klwp_t *clwp = ttolwp(curthread);
1959 	uint32_t fd;
1960 	struct file *fp;
1961 	struct f_audit_data *fad;
1962 	struct vnode *vp;
1963 	struct vattr attr;
1964 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1965 
1966 	struct a {
1967 		long	i;
1968 	} *uap = (struct a *)clwp->lwp_ap;
1969 
1970 	fd = (uint32_t)uap->i;
1971 
1972 	attr.va_mask = 0;
1973 	au_uwrite(au_to_arg32(1, "fd", fd));
1974 
1975 		/*
1976 		 * convert file pointer to file descriptor
1977 		 *   Note: fd ref count incremented here.
1978 		 */
1979 	if ((fp = getf(fd)) == NULL)
1980 		return;
1981 
1982 	fad = F2A(fp);
1983 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1984 	if (fad->fad_aupath != NULL) {
1985 		au_uwrite(au_to_path(fad->fad_aupath));
1986 		if ((vp = fp->f_vnode) != NULL) {
1987 			attr.va_mask = AT_ALL;
1988 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1989 				/*
1990 				 * When write was not used and the file can be
1991 				 * considered public, skip the audit.
1992 				 */
1993 				if (((fp->f_flag & FWRITE) == 0) &&
1994 				    object_is_public(&attr)) {
1995 					tad->tad_flag = 0;
1996 					tad->tad_evmod = 0;
1997 					/* free any residual audit data */
1998 					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1999 					releasef(fd);
2000 					return;
2001 				}
2002 				au_uwrite(au_to_attr(&attr));
2003 				audit_sec_attributes(&(u_ad), vp);
2004 			}
2005 		}
2006 	}
2007 
2008 	/* decrement file descriptor reference count */
2009 	releasef(fd);
2010 }
2011 
2012 /*ARGSUSED*/
2013 static void
2014 aus_fstatfs(struct t_audit_data *tad)
2015 {
2016 	klwp_t *clwp = ttolwp(curthread);
2017 	uint32_t fd;
2018 	struct file  *fp;
2019 	struct vnode *vp;
2020 	struct f_audit_data *fad;
2021 
2022 	struct a {
2023 		long	fd;
2024 		long	buf;		/* struct statfs * */
2025 	} *uap = (struct a *)clwp->lwp_ap;
2026 
2027 	fd = (uint_t)uap->fd;
2028 
2029 		/*
2030 		 * convert file pointer to file descriptor
2031 		 *   Note: fd ref count incremented here.
2032 		 */
2033 	if ((fp = getf(fd)) == NULL)
2034 		return;
2035 
2036 		/* get path from file struct here */
2037 	fad = F2A(fp);
2038 	if (fad->fad_aupath != NULL) {
2039 		au_uwrite(au_to_path(fad->fad_aupath));
2040 	} else {
2041 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2042 	}
2043 
2044 	vp = fp->f_vnode;
2045 	audit_attributes(vp);
2046 
2047 	/* decrement file descriptor reference count */
2048 	releasef(fd);
2049 }
2050 
2051 static au_event_t
2052 aui_setpgrp(au_event_t e)
2053 {
2054 	klwp_t *clwp = ttolwp(curthread);
2055 	int flag;
2056 
2057 	struct a {
2058 		long	flag;
2059 		long	pid;
2060 		long	pgid;
2061 	} *uap = (struct a *)clwp->lwp_ap;
2062 
2063 	flag = (int)uap->flag;
2064 
2065 
2066 	switch (flag) {
2067 
2068 	case 1:	/* setpgrp() */
2069 		e = AUE_SETPGRP;
2070 		break;
2071 
2072 	case 3: /* setsid() */
2073 		e = AUE_SETSID;
2074 		break;
2075 
2076 	case 5: /* setpgid() */
2077 		e = AUE_SETPGID;
2078 		break;
2079 
2080 	case 0: /* getpgrp()	- not security relevant */
2081 	case 2: /* getsid()	- not security relevant */
2082 	case 4: /* getpgid() 	- not security relevant */
2083 		e = AUE_NULL;
2084 		break;
2085 
2086 	default:
2087 		e = AUE_NULL;
2088 		break;
2089 	}
2090 
2091 	return (e);
2092 }
2093 
2094 /*ARGSUSED*/
2095 static void
2096 aus_setpgrp(struct t_audit_data *tad)
2097 {
2098 	klwp_t		*clwp = ttolwp(curthread);
2099 	pid_t		pgid;
2100 	struct proc	*p;
2101 	uid_t		uid, ruid;
2102 	gid_t		gid, rgid;
2103 	pid_t		pid;
2104 	cred_t		*cr;
2105 	int		flag;
2106 	const auditinfo_addr_t	*ainfo;
2107 
2108 	struct a {
2109 		long	flag;
2110 		long	pid;
2111 		long	pgid;
2112 	} *uap = (struct a *)clwp->lwp_ap;
2113 
2114 	flag = (int)uap->flag;
2115 	pid  = (pid_t)uap->pid;
2116 	pgid = (pid_t)uap->pgid;
2117 
2118 
2119 	switch (flag) {
2120 
2121 	case 0: /* getpgrp() */
2122 	case 1: /* setpgrp() */
2123 	case 2: /* getsid() */
2124 	case 3: /* setsid() */
2125 	case 4: /* getpgid() */
2126 		break;
2127 
2128 	case 5: /* setpgid() */
2129 
2130 		/* current process? */
2131 		if (pid == 0) {
2132 			return;
2133 		}
2134 
2135 		mutex_enter(&pidlock);
2136 		p = prfind(pid);
2137 		if (p == NULL || p->p_as == &kas ||
2138 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
2139 			mutex_exit(&pidlock);
2140 			return;
2141 		}
2142 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
2143 		mutex_exit(&pidlock);
2144 
2145 		mutex_enter(&p->p_crlock);
2146 		crhold(cr = p->p_cred);
2147 		mutex_exit(&p->p_crlock);
2148 		mutex_exit(&p->p_lock);
2149 
2150 		ainfo = crgetauinfo(cr);
2151 		if (ainfo == NULL) {
2152 			crfree(cr);
2153 			return;
2154 		}
2155 
2156 		uid  = crgetuid(cr);
2157 		gid  = crgetgid(cr);
2158 		ruid = crgetruid(cr);
2159 		rgid = crgetrgid(cr);
2160 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2161 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2162 		crfree(cr);
2163 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2164 		break;
2165 
2166 	default:
2167 		break;
2168 	}
2169 }
2170 
2171 
2172 /*ARGSUSED*/
2173 static void
2174 aus_setregid(struct t_audit_data *tad)
2175 {
2176 	klwp_t *clwp = ttolwp(curthread);
2177 	uint32_t rgid, egid;
2178 
2179 	struct a {
2180 		long	 rgid;
2181 		long	 egid;
2182 	} *uap = (struct a *)clwp->lwp_ap;
2183 
2184 	rgid  = (uint32_t)uap->rgid;
2185 	egid  = (uint32_t)uap->egid;
2186 
2187 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2188 	au_uwrite(au_to_arg32(2, "egid", egid));
2189 }
2190 
2191 /*ARGSUSED*/
2192 static void
2193 aus_setgid(struct t_audit_data *tad)
2194 {
2195 	klwp_t *clwp = ttolwp(curthread);
2196 	uint32_t gid;
2197 
2198 	struct a {
2199 		long	gid;
2200 	} *uap = (struct a *)clwp->lwp_ap;
2201 
2202 	gid = (uint32_t)uap->gid;
2203 
2204 	au_uwrite(au_to_arg32(1, "gid", gid));
2205 }
2206 
2207 
2208 /*ARGSUSED*/
2209 static void
2210 aus_setreuid(struct t_audit_data *tad)
2211 {
2212 	klwp_t *clwp = ttolwp(curthread);
2213 	uint32_t ruid, euid;
2214 
2215 	struct a {
2216 		long	ruid;
2217 		long	euid;
2218 	} *uap = (struct a *)clwp->lwp_ap;
2219 
2220 	ruid = (uint32_t)uap->ruid;
2221 	euid  = (uint32_t)uap->euid;
2222 
2223 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2224 	au_uwrite(au_to_arg32(2, "euid", euid));
2225 }
2226 
2227 
2228 /*ARGSUSED*/
2229 static void
2230 aus_setuid(struct t_audit_data *tad)
2231 {
2232 	klwp_t *clwp = ttolwp(curthread);
2233 	uint32_t uid;
2234 
2235 	struct a {
2236 		long	uid;
2237 	} *uap = (struct a *)clwp->lwp_ap;
2238 
2239 	uid = (uint32_t)uap->uid;
2240 
2241 	au_uwrite(au_to_arg32(1, "uid", uid));
2242 }
2243 
2244 /*ARGSUSED*/
2245 static void
2246 aus_shmsys(struct t_audit_data *tad)
2247 {
2248 	klwp_t *clwp = ttolwp(curthread);
2249 	uint32_t id, cmd;
2250 
2251 	struct b {
2252 		long	id;
2253 		long	cmd;
2254 		long	buf;		/* struct shmid_ds * */
2255 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2256 
2257 	id  = (uint32_t)uap1->id;
2258 	cmd = (uint32_t)uap1->cmd;
2259 
2260 	switch (tad->tad_event) {
2261 	case AUE_SHMGET:			/* shmget */
2262 		au_uwrite(au_to_arg32(1, "shm key", id));
2263 		break;
2264 	case AUE_SHMCTL:			/* shmctl */
2265 	case AUE_SHMCTL_RMID:			/* shmctl */
2266 	case AUE_SHMCTL_STAT:			/* shmctl */
2267 	case AUE_SHMCTL_SET:			/* shmctl */
2268 		au_uwrite(au_to_arg32(1, "shm ID", id));
2269 		break;
2270 	case AUE_SHMDT:				/* shmdt */
2271 		au_uwrite(au_to_arg32(1, "shm adr", id));
2272 		break;
2273 	case AUE_SHMAT:				/* shmat */
2274 		au_uwrite(au_to_arg32(1, "shm ID", id));
2275 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2276 		break;
2277 	}
2278 }
2279 
2280 /*ARGSUSED*/
2281 static void
2282 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2283 {
2284 	int id;
2285 
2286 	if (error != 0)
2287 		return;
2288 	if (tad->tad_event == AUE_SHMGET) {
2289 		uint32_t scid;
2290 		uint32_t sy_flags;
2291 
2292 		/* need to determine type of executing binary */
2293 		scid = tad->tad_scid;
2294 #ifdef _SYSCALL32_IMPL
2295 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2296 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2297 		else
2298 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2299 #else
2300 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2301 #endif
2302 		if (sy_flags == SE_32RVAL1)
2303 			id = rval->r_val1;
2304 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2305 			id = rval->r_val1;
2306 		if (sy_flags == SE_64RVAL)
2307 			id = (int)rval->r_vals;
2308 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2309 	}
2310 }
2311 
2312 
2313 /*ARGSUSED*/
2314 static void
2315 aus_ioctl(struct t_audit_data *tad)
2316 {
2317 	klwp_t *clwp = ttolwp(curthread);
2318 	struct file *fp;
2319 	struct vnode *vp;
2320 	struct f_audit_data *fad;
2321 	uint32_t fd, cmd;
2322 	uintptr_t cmarg;
2323 
2324 	/* XX64 */
2325 	struct a {
2326 		long	fd;
2327 		long	cmd;
2328 		long	cmarg;		/* caddr_t */
2329 	} *uap = (struct a *)clwp->lwp_ap;
2330 
2331 	fd    = (uint32_t)uap->fd;
2332 	cmd   = (uint32_t)uap->cmd;
2333 	cmarg = (uintptr_t)uap->cmarg;
2334 
2335 		/*
2336 		 * convert file pointer to file descriptor
2337 		 *   Note: fd ref count incremented here.
2338 		 */
2339 	if ((fp = getf(fd)) == NULL) {
2340 		au_uwrite(au_to_arg32(1, "fd", fd));
2341 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2342 #ifndef _LP64
2343 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2344 #else
2345 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2346 #endif
2347 		return;
2348 	}
2349 
2350 	/* get path from file struct here */
2351 	fad = F2A(fp);
2352 	if (fad->fad_aupath != NULL) {
2353 		au_uwrite(au_to_path(fad->fad_aupath));
2354 	} else {
2355 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2356 	}
2357 
2358 	vp = fp->f_vnode;
2359 	audit_attributes(vp);
2360 
2361 	/* decrement file descriptor reference count */
2362 	releasef(fd);
2363 
2364 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2365 #ifndef _LP64
2366 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2367 #else
2368 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2369 #endif
2370 }
2371 
2372 /*
2373  * null function for memcntl for now. We might want to limit memcntl()
2374  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2375  * require privileges.
2376  */
2377 static au_event_t
2378 aui_memcntl(au_event_t e)
2379 {
2380 	return (e);
2381 }
2382 
2383 /*ARGSUSED*/
2384 static au_event_t
2385 aui_privsys(au_event_t e)
2386 {
2387 	klwp_t *clwp = ttolwp(curthread);
2388 
2389 	struct a {
2390 		long	opcode;
2391 	} *uap = (struct a *)clwp->lwp_ap;
2392 
2393 	switch (uap->opcode) {
2394 	case PRIVSYS_SETPPRIV:
2395 		return (AUE_SETPPRIV);
2396 	default:
2397 		return (AUE_NULL);
2398 	}
2399 }
2400 
2401 /*ARGSUSED*/
2402 static void
2403 aus_memcntl(struct t_audit_data *tad)
2404 {
2405 	klwp_t *clwp = ttolwp(curthread);
2406 
2407 	struct a {
2408 		long	addr;
2409 		long	len;
2410 		long	cmd;
2411 		long	arg;
2412 		long	attr;
2413 		long	mask;
2414 	} *uap = (struct a *)clwp->lwp_ap;
2415 
2416 #ifdef _LP64
2417 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2418 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2419 #else
2420 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2421 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2422 #endif
2423 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2424 #ifdef _LP64
2425 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2426 #else
2427 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2428 #endif
2429 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2430 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2431 }
2432 
2433 /*ARGSUSED*/
2434 static void
2435 aus_mmap(struct t_audit_data *tad)
2436 {
2437 	klwp_t *clwp = ttolwp(curthread);
2438 	struct file *fp;
2439 	struct f_audit_data *fad;
2440 	struct vnode *vp;
2441 	uint32_t fd;
2442 
2443 	struct a {
2444 		long	addr;
2445 		long	len;
2446 		long	prot;
2447 		long	flags;
2448 		long	fd;
2449 		long	pos;
2450 	} *uap = (struct a *)clwp->lwp_ap;
2451 
2452 	fd = (uint32_t)uap->fd;
2453 
2454 #ifdef _LP64
2455 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2456 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2457 #else
2458 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2459 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2460 #endif
2461 
2462 	if ((fp = getf(fd)) == NULL) {
2463 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2464 		return;
2465 	}
2466 
2467 	/*
2468 	 * Mark in the tad if write access is NOT requested... if
2469 	 * this is later detected (in audit_attributes) to be a
2470 	 * public object, the mmap event may be discarded.
2471 	 */
2472 	if (((uap->prot) & PROT_WRITE) == 0) {
2473 		tad->tad_ctrl |= TAD_PUBLIC_EV;
2474 	}
2475 
2476 	fad = F2A(fp);
2477 	if (fad->fad_aupath != NULL) {
2478 		au_uwrite(au_to_path(fad->fad_aupath));
2479 	} else {
2480 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2481 	}
2482 
2483 	vp = (struct vnode *)fp->f_vnode;
2484 	audit_attributes(vp);
2485 
2486 	/* mark READ/WRITE since we can't predict access */
2487 	if (uap->prot & PROT_READ)
2488 		fad->fad_flags |= FAD_READ;
2489 	if (uap->prot & PROT_WRITE)
2490 		fad->fad_flags |= FAD_WRITE;
2491 
2492 	/* decrement file descriptor reference count */
2493 	releasef(fd);
2494 
2495 }	/* AUS_MMAP */
2496 
2497 
2498 
2499 
2500 /*ARGSUSED*/
2501 static void
2502 aus_munmap(struct t_audit_data *tad)
2503 {
2504 	klwp_t *clwp = ttolwp(curthread);
2505 
2506 	struct a {
2507 		long	addr;
2508 		long	len;
2509 	} *uap = (struct a *)clwp->lwp_ap;
2510 
2511 #ifdef _LP64
2512 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2513 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2514 #else
2515 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2516 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2517 #endif
2518 
2519 }	/* AUS_MUNMAP */
2520 
2521 
2522 
2523 
2524 
2525 
2526 
2527 /*ARGSUSED*/
2528 static void
2529 aus_priocntlsys(struct t_audit_data *tad)
2530 {
2531 	klwp_t *clwp = ttolwp(curthread);
2532 
2533 	struct a {
2534 		long	pc_version;
2535 		long	psp;		/* procset_t */
2536 		long	cmd;
2537 		long	arg;
2538 	} *uap = (struct a *)clwp->lwp_ap;
2539 
2540 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2541 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2542 
2543 }	/* AUS_PRIOCNTLSYS */
2544 
2545 
2546 /*ARGSUSED*/
2547 static void
2548 aus_setegid(struct t_audit_data *tad)
2549 {
2550 	klwp_t *clwp = ttolwp(curthread);
2551 	uint32_t gid;
2552 
2553 	struct a {
2554 		long	gid;
2555 	} *uap = (struct a *)clwp->lwp_ap;
2556 
2557 	gid = (uint32_t)uap->gid;
2558 
2559 	au_uwrite(au_to_arg32(1, "gid", gid));
2560 }	/* AUS_SETEGID */
2561 
2562 
2563 
2564 
2565 /*ARGSUSED*/
2566 static void
2567 aus_setgroups(struct t_audit_data *tad)
2568 {
2569 	klwp_t *clwp = ttolwp(curthread);
2570 	int i;
2571 	int gidsetsize;
2572 	uintptr_t gidset;
2573 	gid_t *gidlist;
2574 
2575 	struct a {
2576 		long	gidsetsize;
2577 		long	gidset;
2578 	} *uap = (struct a *)clwp->lwp_ap;
2579 
2580 	gidsetsize = (uint_t)uap->gidsetsize;
2581 	gidset = (uintptr_t)uap->gidset;
2582 
2583 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2584 		return;
2585 	if (gidsetsize != 0) {
2586 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2587 		    KM_SLEEP);
2588 		if (copyin((caddr_t)gidset, gidlist,
2589 		    gidsetsize * sizeof (gid_t)) == 0)
2590 			for (i = 0; i < gidsetsize; i++)
2591 				au_uwrite(au_to_arg32(1, "setgroups",
2592 				    (uint32_t)gidlist[i]));
2593 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2594 	} else
2595 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2596 
2597 }	/* AUS_SETGROUPS */
2598 
2599 
2600 
2601 
2602 
2603 /*ARGSUSED*/
2604 static void
2605 aus_seteuid(struct t_audit_data *tad)
2606 {
2607 	klwp_t *clwp = ttolwp(curthread);
2608 	uint32_t uid;
2609 
2610 	struct a {
2611 		long	uid;
2612 	} *uap = (struct a *)clwp->lwp_ap;
2613 
2614 	uid = (uint32_t)uap->uid;
2615 
2616 	au_uwrite(au_to_arg32(1, "euid", uid));
2617 
2618 }	/* AUS_SETEUID */
2619 
2620 /*ARGSUSED*/
2621 static void
2622 aus_putmsg(struct t_audit_data *tad)
2623 {
2624 	klwp_t *clwp = ttolwp(curthread);
2625 	uint32_t fd, pri;
2626 	struct file *fp;
2627 	struct f_audit_data *fad;
2628 
2629 	struct a {
2630 		long	fdes;
2631 		long	ctl;		/* struct strbuf * */
2632 		long	data;		/* struct strbuf * */
2633 		long	pri;
2634 	} *uap = (struct a *)clwp->lwp_ap;
2635 
2636 	fd  = (uint32_t)uap->fdes;
2637 	pri = (uint32_t)uap->pri;
2638 
2639 	au_uwrite(au_to_arg32(1, "fd", fd));
2640 
2641 	if ((fp = getf(fd)) != NULL) {
2642 		fad = F2A(fp);
2643 
2644 		fad->fad_flags |= FAD_WRITE;
2645 
2646 		/* add path name to audit record */
2647 		if (fad->fad_aupath != NULL) {
2648 			au_uwrite(au_to_path(fad->fad_aupath));
2649 		}
2650 		audit_attributes(fp->f_vnode);
2651 
2652 		releasef(fd);
2653 	}
2654 
2655 	au_uwrite(au_to_arg32(4, "pri", pri));
2656 }
2657 
2658 /*ARGSUSED*/
2659 static void
2660 aus_putpmsg(struct t_audit_data *tad)
2661 {
2662 	klwp_t *clwp = ttolwp(curthread);
2663 	uint32_t fd, pri, flags;
2664 	struct file *fp;
2665 	struct f_audit_data *fad;
2666 
2667 	struct a {
2668 		long	fdes;
2669 		long	ctl;		/* struct strbuf * */
2670 		long	data;		/* struct strbuf * */
2671 		long	pri;
2672 		long	flags;
2673 	} *uap = (struct a *)clwp->lwp_ap;
2674 
2675 	fd = (uint32_t)uap->fdes;
2676 	pri  = (uint32_t)uap->pri;
2677 	flags  = (uint32_t)uap->flags;
2678 
2679 	au_uwrite(au_to_arg32(1, "fd", fd));
2680 
2681 	if ((fp = getf(fd)) != NULL) {
2682 		fad = F2A(fp);
2683 
2684 		fad->fad_flags |= FAD_WRITE;
2685 
2686 		/* add path name to audit record */
2687 		if (fad->fad_aupath != NULL) {
2688 			au_uwrite(au_to_path(fad->fad_aupath));
2689 		}
2690 		audit_attributes(fp->f_vnode);
2691 
2692 		releasef(fd);
2693 	}
2694 
2695 
2696 	au_uwrite(au_to_arg32(4, "pri", pri));
2697 	au_uwrite(au_to_arg32(5, "flags", flags));
2698 }
2699 
2700 /*ARGSUSED*/
2701 static void
2702 aus_getmsg(struct t_audit_data *tad)
2703 {
2704 	klwp_t *clwp = ttolwp(curthread);
2705 	uint32_t fd, pri;
2706 	struct file *fp;
2707 	struct f_audit_data *fad;
2708 
2709 	struct a {
2710 		long	fdes;
2711 		long	ctl;		/* struct strbuf * */
2712 		long	data;		/* struct strbuf * */
2713 		long	pri;
2714 	} *uap = (struct a *)clwp->lwp_ap;
2715 
2716 	fd  = (uint32_t)uap->fdes;
2717 	pri = (uint32_t)uap->pri;
2718 
2719 	au_uwrite(au_to_arg32(1, "fd", fd));
2720 
2721 	if ((fp = getf(fd)) != NULL) {
2722 		fad = F2A(fp);
2723 
2724 		/*
2725 		 * read operation on this object
2726 		 */
2727 		fad->fad_flags |= FAD_READ;
2728 
2729 		/* add path name to audit record */
2730 		if (fad->fad_aupath != NULL) {
2731 			au_uwrite(au_to_path(fad->fad_aupath));
2732 		}
2733 		audit_attributes(fp->f_vnode);
2734 
2735 		releasef(fd);
2736 	}
2737 
2738 	au_uwrite(au_to_arg32(4, "pri", pri));
2739 }
2740 
2741 /*ARGSUSED*/
2742 static void
2743 aus_getpmsg(struct t_audit_data *tad)
2744 {
2745 	klwp_t *clwp = ttolwp(curthread);
2746 	uint32_t fd;
2747 	struct file *fp;
2748 	struct f_audit_data *fad;
2749 
2750 	struct a {
2751 		long	fdes;
2752 		long	ctl;		/* struct strbuf * */
2753 		long	data;		/* struct strbuf * */
2754 		long	pri;
2755 		long	flags;
2756 	} *uap = (struct a *)clwp->lwp_ap;
2757 
2758 	fd = (uint32_t)uap->fdes;
2759 
2760 	au_uwrite(au_to_arg32(1, "fd", fd));
2761 
2762 	if ((fp = getf(fd)) != NULL) {
2763 		fad = F2A(fp);
2764 
2765 		/*
2766 		 * read operation on this object
2767 		 */
2768 		fad->fad_flags |= FAD_READ;
2769 
2770 		/* add path name to audit record */
2771 		if (fad->fad_aupath != NULL) {
2772 			au_uwrite(au_to_path(fad->fad_aupath));
2773 		}
2774 		audit_attributes(fp->f_vnode);
2775 
2776 		releasef(fd);
2777 	}
2778 }
2779 
2780 static au_event_t
2781 aui_labelsys(au_event_t e)
2782 {
2783 	klwp_t *clwp = ttolwp(curthread);
2784 	uint32_t code;
2785 	uint32_t cmd;
2786 
2787 	struct a {
2788 		long	code;
2789 		long	cmd;
2790 	} *uap = (struct a *)clwp->lwp_ap;
2791 
2792 	code = (uint32_t)uap->code;
2793 	cmd = (uint32_t)uap->cmd;
2794 
2795 	/* not security relevant if not changing kernel cache */
2796 	if (cmd == TNDB_GET)
2797 		return (AUE_NULL);
2798 
2799 	switch (code) {
2800 	case TSOL_TNRH:
2801 		e = AUE_LABELSYS_TNRH;
2802 		break;
2803 	case TSOL_TNRHTP:
2804 		e = AUE_LABELSYS_TNRHTP;
2805 		break;
2806 	case TSOL_TNMLP:
2807 		e = AUE_LABELSYS_TNMLP;
2808 		break;
2809 	default:
2810 		e = AUE_NULL;
2811 		break;
2812 	}
2813 
2814 	return (e);
2815 
2816 }
2817 
2818 static void
2819 aus_labelsys(struct t_audit_data *tad)
2820 {
2821 	klwp_t *clwp = ttolwp(curthread);
2822 	uint32_t cmd;
2823 	uintptr_t a2;
2824 
2825 	struct a {
2826 		long	code;
2827 		long	cmd;
2828 		long	a2;
2829 	} *uap = (struct a *)clwp->lwp_ap;
2830 
2831 	cmd = (uint32_t)uap->cmd;
2832 	a2 = (uintptr_t)uap->a2;
2833 
2834 	switch (tad->tad_event) {
2835 	case AUE_LABELSYS_TNRH:
2836 	{
2837 		tsol_rhent_t	*rhent;
2838 		tnaddr_t	*rh_addr;
2839 
2840 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2841 
2842 		/* Remaining args don't apply for FLUSH, so skip */
2843 		if (cmd == TNDB_FLUSH)
2844 			break;
2845 
2846 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2847 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2848 			kmem_free(rhent, sizeof (tsol_rhent_t));
2849 			return;
2850 		}
2851 
2852 		rh_addr = &rhent->rh_address;
2853 		if (rh_addr->ta_family == AF_INET) {
2854 			struct in_addr	*ipaddr;
2855 
2856 			ipaddr = &(rh_addr->ta_addr_v4);
2857 			au_uwrite(au_to_in_addr(ipaddr));
2858 		} else if (rh_addr->ta_family == AF_INET6) {
2859 			int32_t		*ipaddr;
2860 
2861 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2862 			au_uwrite(au_to_in_addr_ex(ipaddr));
2863 		}
2864 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2865 
2866 		kmem_free(rhent, sizeof (tsol_rhent_t));
2867 
2868 		break;
2869 	}
2870 	case AUE_LABELSYS_TNRHTP:
2871 	{
2872 		tsol_tpent_t	*tpent;
2873 
2874 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2875 
2876 		/* Remaining args don't apply for FLUSH, so skip */
2877 		if (cmd == TNDB_FLUSH)
2878 			break;
2879 
2880 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2881 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2882 			kmem_free(tpent, sizeof (tsol_tpent_t));
2883 			return;
2884 		}
2885 
2886 		/* Make sure that the template name is null-terminated. */
2887 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2888 
2889 		au_uwrite(au_to_text(tpent->name));
2890 		kmem_free(tpent, sizeof (tsol_tpent_t));
2891 
2892 		break;
2893 	}
2894 	case AUE_LABELSYS_TNMLP:
2895 	{
2896 		tsol_mlpent_t	*mlpent;
2897 
2898 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2899 
2900 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2901 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2902 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2903 			return;
2904 		}
2905 
2906 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2907 			au_uwrite(au_to_text("shared"));
2908 		} else {
2909 			zone_t	*zone;
2910 
2911 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2912 			if (zone != NULL) {
2913 				au_uwrite(au_to_text(zone->zone_name));
2914 				zone_rele(zone);
2915 			}
2916 		}
2917 
2918 		/* Remaining args don't apply for FLUSH, so skip */
2919 		if (cmd == TNDB_FLUSH) {
2920 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2921 			break;
2922 		}
2923 
2924 		au_uwrite(au_to_arg32(2, "proto num",
2925 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2926 		au_uwrite(au_to_arg32(2, "mlp_port",
2927 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2928 
2929 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2930 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2931 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2932 
2933 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2934 
2935 		break;
2936 	}
2937 	default:
2938 		break;
2939 	}
2940 }
2941 
2942 
2943 static au_event_t
2944 aui_auditsys(au_event_t e)
2945 {
2946 	klwp_t *clwp = ttolwp(curthread);
2947 	uint32_t code;
2948 
2949 	struct a {
2950 		long	code;
2951 		long	a1;
2952 		long	a2;
2953 		long	a3;
2954 		long	a4;
2955 		long	a5;
2956 		long	a6;
2957 		long	a7;
2958 	} *uap = (struct a *)clwp->lwp_ap;
2959 
2960 	code = (uint32_t)uap->code;
2961 
2962 	switch (code) {
2963 
2964 	case BSM_GETAUID:
2965 		e = AUE_GETAUID;
2966 		break;
2967 	case BSM_SETAUID:
2968 		e = AUE_SETAUID;
2969 		break;
2970 	case BSM_GETAUDIT:
2971 		e = AUE_GETAUDIT;
2972 		break;
2973 	case BSM_GETAUDIT_ADDR:
2974 		e = AUE_GETAUDIT_ADDR;
2975 		break;
2976 	case BSM_SETAUDIT:
2977 		e = AUE_SETAUDIT;
2978 		break;
2979 	case BSM_SETAUDIT_ADDR:
2980 		e = AUE_SETAUDIT_ADDR;
2981 		break;
2982 	case BSM_AUDIT:
2983 		e = AUE_AUDIT;
2984 		break;
2985 	case BSM_AUDITCTL:
2986 		switch ((uint_t)uap->a1) {
2987 
2988 		case A_GETPOLICY:
2989 			e = AUE_AUDITON_GPOLICY;
2990 			break;
2991 		case A_SETPOLICY:
2992 			e = AUE_AUDITON_SPOLICY;
2993 			break;
2994 		case A_GETAMASK:
2995 			e = AUE_AUDITON_GETAMASK;
2996 			break;
2997 		case A_SETAMASK:
2998 			e = AUE_AUDITON_SETAMASK;
2999 			break;
3000 		case A_GETKMASK:
3001 			e = AUE_AUDITON_GETKMASK;
3002 			break;
3003 		case A_SETKMASK:
3004 			e = AUE_AUDITON_SETKMASK;
3005 			break;
3006 		case A_GETQCTRL:
3007 			e = AUE_AUDITON_GQCTRL;
3008 			break;
3009 		case A_SETQCTRL:
3010 			e = AUE_AUDITON_SQCTRL;
3011 			break;
3012 		case A_GETCWD:
3013 			e = AUE_AUDITON_GETCWD;
3014 			break;
3015 		case A_GETCAR:
3016 			e = AUE_AUDITON_GETCAR;
3017 			break;
3018 		case A_GETSTAT:
3019 			e = AUE_AUDITON_GETSTAT;
3020 			break;
3021 		case A_SETSTAT:
3022 			e = AUE_AUDITON_SETSTAT;
3023 			break;
3024 		case A_SETUMASK:
3025 			e = AUE_AUDITON_SETUMASK;
3026 			break;
3027 		case A_SETSMASK:
3028 			e = AUE_AUDITON_SETSMASK;
3029 			break;
3030 		case A_GETCOND:
3031 			e = AUE_AUDITON_GETCOND;
3032 			break;
3033 		case A_SETCOND:
3034 			e = AUE_AUDITON_SETCOND;
3035 			break;
3036 		case A_GETCLASS:
3037 			e = AUE_AUDITON_GETCLASS;
3038 			break;
3039 		case A_SETCLASS:
3040 			e = AUE_AUDITON_SETCLASS;
3041 			break;
3042 		default:
3043 			e = AUE_NULL;
3044 			break;
3045 		}
3046 		break;
3047 	default:
3048 		e = AUE_NULL;
3049 		break;
3050 	}
3051 
3052 	return (e);
3053 
3054 }	/* AUI_AUDITSYS */
3055 
3056 
3057 static void
3058 aus_auditsys(struct t_audit_data *tad)
3059 {
3060 	klwp_t *clwp = ttolwp(curthread);
3061 	uintptr_t a1, a2;
3062 	STRUCT_DECL(auditinfo, ainfo);
3063 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
3064 	au_evclass_map_t event;
3065 	au_mask_t mask;
3066 	int auditstate, policy;
3067 	au_id_t auid;
3068 
3069 
3070 	struct a {
3071 		long	code;
3072 		long	a1;
3073 		long	a2;
3074 		long	a3;
3075 		long	a4;
3076 		long	a5;
3077 		long	a6;
3078 		long	a7;
3079 	} *uap = (struct a *)clwp->lwp_ap;
3080 
3081 	a1   = (uintptr_t)uap->a1;
3082 	a2   = (uintptr_t)uap->a2;
3083 
3084 	switch (tad->tad_event) {
3085 	case AUE_SETAUID:
3086 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3087 				return;
3088 		au_uwrite(au_to_arg32(2, "setauid", auid));
3089 		break;
3090 	case AUE_SETAUDIT:
3091 		STRUCT_INIT(ainfo, get_udatamodel());
3092 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3093 		    STRUCT_SIZE(ainfo))) {
3094 				return;
3095 		}
3096 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3097 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3098 #ifdef _LP64
3099 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
3100 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3101 #else
3102 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
3103 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3104 #endif
3105 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3106 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3107 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3108 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3109 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3110 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3111 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3112 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3113 		break;
3114 	case AUE_SETAUDIT_ADDR:
3115 		STRUCT_INIT(ainfo_addr, get_udatamodel());
3116 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3117 		    STRUCT_SIZE(ainfo_addr))) {
3118 				return;
3119 		}
3120 		au_uwrite(au_to_arg32((char)1, "auid",
3121 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3122 #ifdef _LP64
3123 		au_uwrite(au_to_arg64((char)1, "port",
3124 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3125 #else
3126 		au_uwrite(au_to_arg32((char)1, "port",
3127 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3128 #endif
3129 		au_uwrite(au_to_arg32((char)1, "type",
3130 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3131 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3132 		    AU_IPv4) {
3133 			au_uwrite(au_to_in_addr(
3134 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3135 			    ai_termid.at_addr)));
3136 		} else {
3137 			au_uwrite(au_to_in_addr_ex(
3138 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
3139 			    ai_termid.at_addr)));
3140 		}
3141 		au_uwrite(au_to_arg32((char)1, "as_success",
3142 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3143 		au_uwrite(au_to_arg32((char)1, "as_failure",
3144 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3145 		au_uwrite(au_to_arg32((char)1, "asid",
3146 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3147 		break;
3148 	case AUE_AUDITON_SETAMASK:
3149 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3150 				return;
3151 		au_uwrite(au_to_arg32(
3152 		    2, "setamask:as_success", (uint32_t)mask.as_success));
3153 		au_uwrite(au_to_arg32(
3154 		    2, "setamask:as_failure", (uint32_t)mask.as_failure));
3155 		break;
3156 	case AUE_AUDITON_SETKMASK:
3157 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3158 				return;
3159 		au_uwrite(au_to_arg32(
3160 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
3161 		au_uwrite(au_to_arg32(
3162 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3163 		break;
3164 	case AUE_AUDITON_SPOLICY:
3165 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
3166 			return;
3167 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3168 		break;
3169 	case AUE_AUDITON_SQCTRL: {
3170 		STRUCT_DECL(au_qctrl, qctrl);
3171 		model_t model;
3172 
3173 		model = get_udatamodel();
3174 		STRUCT_INIT(qctrl, model);
3175 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3176 				return;
3177 		if (model == DATAMODEL_ILP32) {
3178 			au_uwrite(au_to_arg32(
3179 			    3, "setqctrl:aq_hiwater",
3180 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3181 			au_uwrite(au_to_arg32(
3182 			    3, "setqctrl:aq_lowater",
3183 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3184 			au_uwrite(au_to_arg32(
3185 			    3, "setqctrl:aq_bufsz",
3186 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3187 			au_uwrite(au_to_arg32(
3188 			    3, "setqctrl:aq_delay",
3189 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3190 		} else {
3191 			au_uwrite(au_to_arg64(
3192 			    3, "setqctrl:aq_hiwater",
3193 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3194 			au_uwrite(au_to_arg64(
3195 			    3, "setqctrl:aq_lowater",
3196 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3197 			au_uwrite(au_to_arg64(
3198 			    3, "setqctrl:aq_bufsz",
3199 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3200 			au_uwrite(au_to_arg64(
3201 			    3, "setqctrl:aq_delay",
3202 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3203 		}
3204 		break;
3205 	}
3206 	case AUE_AUDITON_SETUMASK:
3207 		STRUCT_INIT(ainfo, get_udatamodel());
3208 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3209 		    STRUCT_SIZE(ainfo))) {
3210 			return;
3211 		}
3212 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3213 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3214 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3215 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3216 		break;
3217 	case AUE_AUDITON_SETSMASK:
3218 		STRUCT_INIT(ainfo, get_udatamodel());
3219 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3220 		    STRUCT_SIZE(ainfo))) {
3221 			return;
3222 		}
3223 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3224 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3225 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3226 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3227 		break;
3228 	case AUE_AUDITON_SETCOND:
3229 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3230 			return;
3231 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3232 		break;
3233 	case AUE_AUDITON_SETCLASS:
3234 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3235 			return;
3236 		au_uwrite(au_to_arg32(
3237 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3238 		au_uwrite(au_to_arg32(
3239 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3240 		break;
3241 	case AUE_GETAUID:
3242 	case AUE_GETAUDIT:
3243 	case AUE_GETAUDIT_ADDR:
3244 	case AUE_AUDIT:
3245 	case AUE_AUDITON_GPOLICY:
3246 	case AUE_AUDITON_GQCTRL:
3247 	case AUE_AUDITON_GETAMASK:
3248 	case AUE_AUDITON_GETKMASK:
3249 	case AUE_AUDITON_GETCWD:
3250 	case AUE_AUDITON_GETCAR:
3251 	case AUE_AUDITON_GETSTAT:
3252 	case AUE_AUDITON_SETSTAT:
3253 	case AUE_AUDITON_GETCOND:
3254 	case AUE_AUDITON_GETCLASS:
3255 		break;
3256 	default:
3257 		break;
3258 	}
3259 
3260 }	/* AUS_AUDITSYS */
3261 
3262 
3263 /* only audit privileged operations for systeminfo(2) system call */
3264 static au_event_t
3265 aui_sysinfo(au_event_t e)
3266 {
3267 	klwp_t *clwp = ttolwp(curthread);
3268 	uint32_t command;
3269 
3270 	struct a {
3271 		long	command;
3272 		long	buf;		/* char * */
3273 		long	count;
3274 	} *uap = (struct a *)clwp->lwp_ap;
3275 
3276 	command = (uint32_t)uap->command;
3277 
3278 	switch (command) {
3279 	case SI_SET_HOSTNAME:
3280 	case SI_SET_SRPC_DOMAIN:
3281 		e = (au_event_t)AUE_SYSINFO;
3282 		break;
3283 	default:
3284 		e = (au_event_t)AUE_NULL;
3285 		break;
3286 	}
3287 	return (e);
3288 }
3289 
3290 /*ARGSUSED*/
3291 static void
3292 aus_sysinfo(struct t_audit_data *tad)
3293 {
3294 	klwp_t *clwp = ttolwp(curthread);
3295 	uint32_t command;
3296 	size_t len, maxlen;
3297 	char *name;
3298 	uintptr_t buf;
3299 
3300 	struct a {
3301 		long	command;
3302 		long	buf;		/* char * */
3303 		long	count;
3304 	} *uap = (struct a *)clwp->lwp_ap;
3305 
3306 	command = (uint32_t)uap->command;
3307 	buf = (uintptr_t)uap->buf;
3308 
3309 	au_uwrite(au_to_arg32(1, "cmd", command));
3310 
3311 	switch (command) {
3312 	case SI_SET_HOSTNAME:
3313 	{
3314 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3315 			return;
3316 
3317 		maxlen = SYS_NMLN;
3318 		name = kmem_alloc(maxlen, KM_SLEEP);
3319 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3320 			break;
3321 
3322 		/*
3323 		 * Must be non-NULL string and string
3324 		 * must be less than SYS_NMLN chars.
3325 		 */
3326 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3327 			break;
3328 
3329 		au_uwrite(au_to_text(name));
3330 		break;
3331 	}
3332 
3333 	case SI_SET_SRPC_DOMAIN:
3334 	{
3335 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3336 			return;
3337 
3338 		maxlen = SYS_NMLN;
3339 		name = kmem_alloc(maxlen, KM_SLEEP);
3340 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3341 			break;
3342 
3343 		/*
3344 		 * If string passed in is longer than length
3345 		 * allowed for domain name, fail.
3346 		 */
3347 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3348 			break;
3349 
3350 		au_uwrite(au_to_text(name));
3351 		break;
3352 	}
3353 
3354 	default:
3355 		return;
3356 	}
3357 
3358 	kmem_free(name, maxlen);
3359 }
3360 
3361 static au_event_t
3362 aui_modctl(au_event_t e)
3363 {
3364 	klwp_t *clwp = ttolwp(curthread);
3365 	uint_t cmd;
3366 
3367 	struct a {
3368 		long	cmd;
3369 	} *uap = (struct a *)clwp->lwp_ap;
3370 
3371 	cmd = (uint_t)uap->cmd;
3372 
3373 	switch (cmd) {
3374 	case MODLOAD:
3375 		e = AUE_MODLOAD;
3376 		break;
3377 	case MODUNLOAD:
3378 		e = AUE_MODUNLOAD;
3379 		break;
3380 	case MODADDMAJBIND:
3381 		e = AUE_MODADDMAJ;
3382 		break;
3383 	case MODSETDEVPOLICY:
3384 		e = AUE_MODDEVPLCY;
3385 		break;
3386 	case MODALLOCPRIV:
3387 		e = AUE_MODADDPRIV;
3388 		break;
3389 	default:
3390 		e = AUE_NULL;
3391 		break;
3392 	}
3393 	return (e);
3394 }
3395 
3396 
3397 /*ARGSUSED*/
3398 static void
3399 aus_modctl(struct t_audit_data *tad)
3400 {
3401 	klwp_t *clwp = ttolwp(curthread);
3402 	void *a	= clwp->lwp_ap;
3403 	uint_t use_path;
3404 
3405 	switch (tad->tad_event) {
3406 	case AUE_MODLOAD: {
3407 		typedef struct {
3408 			long	cmd;
3409 			long	use_path;
3410 			long	filename;		/* char * */
3411 		} modloada_t;
3412 
3413 		char *filenamep;
3414 		uintptr_t fname;
3415 		extern char *default_path;
3416 
3417 		fname = (uintptr_t)((modloada_t *)a)->filename;
3418 		use_path = (uint_t)((modloada_t *)a)->use_path;
3419 
3420 			/* space to hold path */
3421 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3422 			/* get string */
3423 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3424 				/* free allocated path */
3425 			kmem_free(filenamep, MOD_MAXPATH);
3426 			return;
3427 		}
3428 			/* ensure it's null terminated */
3429 		filenamep[MOD_MAXPATH - 1] = 0;
3430 
3431 		if (use_path)
3432 			au_uwrite(au_to_text(default_path));
3433 		au_uwrite(au_to_text(filenamep));
3434 
3435 			/* release temporary memory */
3436 		kmem_free(filenamep, MOD_MAXPATH);
3437 		break;
3438 	}
3439 	case AUE_MODUNLOAD: {
3440 		typedef struct {
3441 			long	cmd;
3442 			long	id;
3443 		} modunloada_t;
3444 
3445 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3446 
3447 		au_uwrite(au_to_arg32(1, "id", id));
3448 		break;
3449 	}
3450 	case AUE_MODADDMAJ: {
3451 		STRUCT_DECL(modconfig, mc);
3452 		typedef struct {
3453 			long	cmd;
3454 			long	subcmd;
3455 			long	data;		/* int * */
3456 		} modconfiga_t;
3457 
3458 		STRUCT_DECL(aliases, alias);
3459 		caddr_t ap;
3460 		int i, num_aliases;
3461 		char *drvname, *mc_drvname;
3462 		char *name;
3463 		extern char *ddi_major_to_name(major_t);
3464 		model_t model;
3465 
3466 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3467 
3468 		model = get_udatamodel();
3469 		STRUCT_INIT(mc, model);
3470 			/* sanitize buffer */
3471 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3472 			/* get user arguments */
3473 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3474 		    STRUCT_SIZE(mc)) != 0)
3475 			return;
3476 
3477 		mc_drvname = STRUCT_FGET(mc, drvname);
3478 		if ((drvname = ddi_major_to_name(
3479 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3480 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3481 				/* safety */
3482 			if (mc_drvname[0] != '\0') {
3483 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3484 				au_uwrite(au_to_text(mc_drvname));
3485 			}
3486 				/* drvname != NULL from test above */
3487 			au_uwrite(au_to_text(drvname));
3488 			return;
3489 		}
3490 
3491 		if (mc_drvname[0] != '\0') {
3492 				/* safety */
3493 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3494 			au_uwrite(au_to_text(mc_drvname));
3495 		} else
3496 			au_uwrite(au_to_text("no drvname"));
3497 
3498 		num_aliases = STRUCT_FGET(mc, num_aliases);
3499 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3500 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3501 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3502 		STRUCT_INIT(alias, model);
3503 		for (i = 0; i < num_aliases; i++) {
3504 			bzero((caddr_t)STRUCT_BUF(alias),
3505 			    STRUCT_SIZE(alias));
3506 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3507 			    STRUCT_SIZE(alias)) != 0)
3508 				break;
3509 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3510 			    MAXMODCONFNAME, NULL) != 0) {
3511 				break;
3512 			}
3513 
3514 			au_uwrite(au_to_text(name));
3515 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3516 		}
3517 		kmem_free(name, MAXMODCONFNAME);
3518 		break;
3519 	}
3520 	default:
3521 		break;
3522 	}
3523 }
3524 
3525 
3526 /*ARGSUSED*/
3527 static void
3528 auf_accept(
3529 	struct t_audit_data *tad,
3530 	int	error,
3531 	rval_t	*rval)
3532 {
3533 	uint32_t scid;
3534 	uint32_t sy_flags;
3535 	int fd;
3536 	struct sonode *so;
3537 	char so_laddr[sizeof (struct sockaddr_in6)];
3538 	char so_faddr[sizeof (struct sockaddr_in6)];
3539 	int err;
3540 	short so_family, so_type;
3541 	int add_sock_token = 0;
3542 
3543 	/* need to determine type of executing binary */
3544 	scid = tad->tad_scid;
3545 #ifdef _SYSCALL32_IMPL
3546 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3547 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3548 	else
3549 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3550 #else
3551 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3552 #endif
3553 	switch (sy_flags) {
3554 	case SE_32RVAL1:
3555 		/* FALLTHRU */
3556 	case SE_32RVAL2|SE_32RVAL1:
3557 		fd = rval->r_val1;
3558 		break;
3559 	case SE_64RVAL:
3560 		fd = (int)rval->r_vals;
3561 		break;
3562 	default:
3563 		/*
3564 		 * should never happen, seems to be an internal error
3565 		 * in sysent => no fd, nothing to audit here, returning
3566 		 */
3567 		return;
3568 	}
3569 
3570 	if (error) {
3571 		/* can't trust socket contents. Just return */
3572 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3573 		return;
3574 	}
3575 
3576 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3577 		/*
3578 		 * not security relevant if doing a accept from non socket
3579 		 * so no extra tokens. Should probably turn off audit record
3580 		 * generation here.
3581 		 */
3582 		return;
3583 	}
3584 
3585 	so_family = so->so_family;
3586 	so_type   = so->so_type;
3587 
3588 	switch (so_family) {
3589 	case AF_INET:
3590 	case AF_INET6:
3591 		/*
3592 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3593 		 */
3594 		if (so->so_type == SOCK_STREAM) {
3595 			socklen_t len;
3596 
3597 			bzero((void *)so_laddr, sizeof (so_laddr));
3598 			bzero((void *)so_faddr, sizeof (so_faddr));
3599 
3600 			len = sizeof (so_laddr);
3601 			(void) socket_getsockname(so,
3602 			    (struct sockaddr *)so_laddr, &len, CRED());
3603 			len = sizeof (so_faddr);
3604 			(void) socket_getpeername(so,
3605 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3606 
3607 			add_sock_token = 1;
3608 		}
3609 		break;
3610 
3611 	default:
3612 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3613 		break;
3614 	}
3615 
3616 	releasef(fd);
3617 
3618 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3619 
3620 	if (add_sock_token == 0) {
3621 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3622 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3623 		return;
3624 	}
3625 
3626 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3627 
3628 }
3629 
3630 /*ARGSUSED*/
3631 static void
3632 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3633 {
3634 	struct a {
3635 		long	fd;
3636 		long	addr;
3637 		long	len;
3638 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3639 
3640 	struct sonode *so;
3641 	char so_laddr[sizeof (struct sockaddr_in6)];
3642 	char so_faddr[sizeof (struct sockaddr_in6)];
3643 	int err, fd;
3644 	socklen_t len;
3645 	short so_family, so_type;
3646 	int add_sock_token = 0;
3647 
3648 	fd = (int)uap->fd;
3649 
3650 	/*
3651 	 * bind failed, then nothing extra to add to audit record.
3652 	 */
3653 	if (error) {
3654 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3655 		/* XXX may want to add failed address some day */
3656 		return;
3657 	}
3658 
3659 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3660 		/*
3661 		 * not security relevant if doing a bind from non socket
3662 		 * so no extra tokens. Should probably turn off audit record
3663 		 * generation here.
3664 		 */
3665 		return;
3666 	}
3667 
3668 	so_family = so->so_family;
3669 	so_type   = so->so_type;
3670 
3671 	switch (so_family) {
3672 	case AF_INET:
3673 	case AF_INET6:
3674 
3675 		bzero(so_faddr, sizeof (so_faddr));
3676 		len = sizeof (so_faddr);
3677 
3678 		(void) socket_getpeername(so,
3679 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3680 		add_sock_token = 1;
3681 
3682 		break;
3683 
3684 	case AF_UNIX:
3685 		/* token added by lookup */
3686 		break;
3687 	default:
3688 		/* AF_ROUTE, AF_KEY do not support accept */
3689 		break;
3690 	}
3691 
3692 	releasef(fd);
3693 
3694 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3695 
3696 	if (add_sock_token == 0) {
3697 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3698 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3699 		return;
3700 	}
3701 
3702 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3703 
3704 }
3705 
3706 /*ARGSUSED*/
3707 static void
3708 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3709 {
3710 	struct a {
3711 		long	fd;
3712 		long	addr;
3713 		long	len;
3714 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3715 
3716 	struct sonode *so;
3717 	char so_laddr[sizeof (struct sockaddr_in6)];
3718 	char so_faddr[sizeof (struct sockaddr_in6)];
3719 	int err, fd;
3720 	socklen_t len;
3721 	short so_family, so_type;
3722 	int add_sock_token = 0;
3723 
3724 	fd = (int)uap->fd;
3725 
3726 
3727 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3728 		/*
3729 		 * not security relevant if doing a connect from non socket
3730 		 * so no extra tokens. Should probably turn off audit record
3731 		 * generation here.
3732 		 */
3733 		return;
3734 	}
3735 
3736 	so_family = so->so_family;
3737 	so_type   = so->so_type;
3738 
3739 	switch (so_family) {
3740 	case AF_INET:
3741 	case AF_INET6:
3742 
3743 		bzero(so_laddr, sizeof (so_laddr));
3744 		bzero(so_faddr, sizeof (so_faddr));
3745 
3746 		len = sizeof (so_laddr);
3747 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3748 		    &len, CRED());
3749 		if (error) {
3750 			if (uap->addr == NULL)
3751 				break;
3752 			if (uap->len <= 0)
3753 				break;
3754 			len = min(uap->len, sizeof (so_faddr));
3755 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3756 				break;
3757 #ifdef NOTYET
3758 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3759 #endif
3760 		} else {
3761 			/* sanity check on length */
3762 			len = sizeof (so_faddr);
3763 			(void) socket_getpeername(so,
3764 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3765 		}
3766 
3767 		add_sock_token = 1;
3768 
3769 		break;
3770 
3771 	case AF_UNIX:
3772 		/* does a lookup on name */
3773 		break;
3774 
3775 	default:
3776 		/* AF_ROUTE, AF_KEY do not support accept */
3777 		break;
3778 	}
3779 
3780 	releasef(fd);
3781 
3782 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3783 
3784 	if (add_sock_token == 0) {
3785 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3786 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3787 		return;
3788 	}
3789 
3790 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3791 
3792 }
3793 
3794 /*ARGSUSED*/
3795 static void
3796 aus_shutdown(struct t_audit_data *tad)
3797 {
3798 	struct a {
3799 		long	fd;
3800 		long	how;
3801 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3802 
3803 	struct sonode *so;
3804 	char so_laddr[sizeof (struct sockaddr_in6)];
3805 	char so_faddr[sizeof (struct sockaddr_in6)];
3806 	int err, fd;
3807 	socklen_t len;
3808 	short so_family, so_type;
3809 	int add_sock_token = 0;
3810 	file_t *fp;				/* unix domain sockets */
3811 	struct f_audit_data *fad;		/* unix domain sockets */
3812 
3813 	fd = (int)uap->fd;
3814 
3815 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3816 		/*
3817 		 * not security relevant if doing a shutdown using non socket
3818 		 * so no extra tokens. Should probably turn off audit record
3819 		 * generation here.
3820 		 */
3821 		return;
3822 	}
3823 
3824 	so_family = so->so_family;
3825 	so_type   = so->so_type;
3826 
3827 	switch (so_family) {
3828 	case AF_INET:
3829 	case AF_INET6:
3830 
3831 		bzero(so_laddr, sizeof (so_laddr));
3832 		bzero(so_faddr, sizeof (so_faddr));
3833 
3834 		len = sizeof (so_laddr);
3835 		(void) socket_getsockname(so,
3836 		    (struct sockaddr *)so_laddr, &len, CRED());
3837 		len = sizeof (so_faddr);
3838 		(void) socket_getpeername(so,
3839 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3840 
3841 		add_sock_token = 1;
3842 
3843 		break;
3844 
3845 	case AF_UNIX:
3846 
3847 		/* get path from file struct here */
3848 		fad = F2A(fp);
3849 		ASSERT(fad);
3850 
3851 		if (fad->fad_aupath != NULL) {
3852 			au_uwrite(au_to_path(fad->fad_aupath));
3853 		} else {
3854 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3855 		}
3856 
3857 		audit_attributes(fp->f_vnode);
3858 
3859 		break;
3860 
3861 	default:
3862 		/*
3863 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3864 		 * added.
3865 		 */
3866 		break;
3867 	}
3868 
3869 	releasef(fd);
3870 
3871 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3872 
3873 	if (add_sock_token == 0) {
3874 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3875 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3876 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3877 		return;
3878 	}
3879 
3880 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3881 
3882 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3883 
3884 }
3885 
3886 /*ARGSUSED*/
3887 static void
3888 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3889 {
3890 	struct a {
3891 		long	fd;
3892 		long	level;
3893 		long	optname;
3894 		long	*optval;
3895 		long	optlen;
3896 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3897 
3898 	struct sonode	*so;
3899 	char so_laddr[sizeof (struct sockaddr_in6)];
3900 	char so_faddr[sizeof (struct sockaddr_in6)];
3901 	char		val[AU_BUFSIZE];
3902 	int		err, fd;
3903 	socklen_t	len;
3904 	short so_family, so_type;
3905 	int		add_sock_token = 0;
3906 	file_t *fp;				/* unix domain sockets */
3907 	struct f_audit_data *fad;		/* unix domain sockets */
3908 
3909 	fd = (int)uap->fd;
3910 
3911 	if (error) {
3912 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3913 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3914 		/* XXX may want to include other arguments */
3915 		return;
3916 	}
3917 
3918 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3919 		/*
3920 		 * not security relevant if doing a setsockopt from non socket
3921 		 * so no extra tokens. Should probably turn off audit record
3922 		 * generation here.
3923 		 */
3924 		return;
3925 	}
3926 
3927 	so_family = so->so_family;
3928 	so_type   = so->so_type;
3929 
3930 	switch (so_family) {
3931 	case AF_INET:
3932 	case AF_INET6:
3933 		bzero((void *)so_laddr, sizeof (so_laddr));
3934 		bzero((void *)so_faddr, sizeof (so_faddr));
3935 
3936 		/* get local and foreign addresses */
3937 		len = sizeof (so_laddr);
3938 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3939 		    &len, CRED());
3940 		len = sizeof (so_faddr);
3941 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3942 		    &len, B_FALSE, CRED());
3943 
3944 		add_sock_token = 1;
3945 
3946 		break;
3947 
3948 	case AF_UNIX:
3949 
3950 		/* get path from file struct here */
3951 		fad = F2A(fp);
3952 		ASSERT(fad);
3953 
3954 		if (fad->fad_aupath != NULL) {
3955 			au_uwrite(au_to_path(fad->fad_aupath));
3956 		} else {
3957 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3958 		}
3959 
3960 		audit_attributes(fp->f_vnode);
3961 
3962 		break;
3963 
3964 	default:
3965 		/*
3966 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3967 		 * added.
3968 		 */
3969 		break;
3970 	}
3971 
3972 	releasef(fd);
3973 
3974 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3975 
3976 	if (add_sock_token == 0) {
3977 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3978 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3979 	}
3980 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3981 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3982 
3983 	bzero(val, sizeof (val));
3984 	len = min(uap->optlen, sizeof (val));
3985 	if ((len > 0) &&
3986 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3987 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3988 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3989 	}
3990 
3991 	if (add_sock_token == 0)
3992 		return;
3993 
3994 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3995 
3996 }
3997 
3998 /*ARGSUSED*/
3999 static void
4000 aus_sockconfig(tad)
4001 	struct t_audit_data *tad;
4002 {
4003 	struct a {
4004 		long	cmd;
4005 		long	arg1;
4006 		long	arg2;
4007 		long	arg3;
4008 		long	arg4;
4009 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4010 
4011 	char	*buf;
4012 	int	buflen;
4013 	size_t	size;
4014 
4015 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4016 	switch (uap->cmd) {
4017 	case SOCKCONFIG_ADD_SOCK:
4018 	case SOCKCONFIG_REMOVE_SOCK:
4019 		au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4020 		au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4021 		au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4022 
4023 		if (uap->arg4 == 0) {
4024 			au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4025 		} else {
4026 			buflen = MAXPATHLEN + 1;
4027 			buf = kmem_alloc(buflen, KM_SLEEP);
4028 			if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4029 			    &size)) {
4030 				kmem_free(buf, buflen);
4031 				return;
4032 			}
4033 
4034 			if (size > MAXPATHLEN) {
4035 				kmem_free(buf, buflen);
4036 				return;
4037 			}
4038 
4039 			au_uwrite(au_to_text(buf));
4040 			kmem_free(buf, buflen);
4041 		}
4042 		break;
4043 	case SOCKCONFIG_ADD_FILTER:
4044 	case SOCKCONFIG_REMOVE_FILTER:
4045 		buflen = FILNAME_MAX;
4046 		buf = kmem_alloc(buflen, KM_SLEEP);
4047 
4048 		if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4049 			kmem_free(buf, buflen);
4050 			return;
4051 		}
4052 
4053 		au_uwrite(au_to_text(buf));
4054 		kmem_free(buf, buflen);
4055 		break;
4056 	default:
4057 		break;
4058 	}
4059 }
4060 
4061 /*
4062  * only audit recvmsg when the system call represents the creation of a new
4063  * circuit. This effectively occurs for all UDP packets and may occur for
4064  * special TCP situations where the local host has not set a local address
4065  * in the socket structure.
4066  */
4067 /*ARGSUSED*/
4068 static void
4069 auf_recvmsg(
4070 	struct t_audit_data *tad,
4071 	int error,
4072 	rval_t *rvp)
4073 {
4074 	struct a {
4075 		long	fd;
4076 		long	msg;	/* struct msghdr */
4077 		long	flags;
4078 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4079 
4080 	struct sonode	*so;
4081 	STRUCT_DECL(msghdr, msg);
4082 	caddr_t msg_name;
4083 	socklen_t msg_namelen;
4084 	int fd;
4085 	int err;
4086 	char so_laddr[sizeof (struct sockaddr_in6)];
4087 	char so_faddr[sizeof (struct sockaddr_in6)];
4088 	socklen_t len;
4089 	file_t *fp;				/* unix domain sockets */
4090 	struct f_audit_data *fad;		/* unix domain sockets */
4091 	short so_family, so_type;
4092 	int add_sock_token = 0;
4093 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4094 
4095 	fd = (int)uap->fd;
4096 
4097 	/* bail if an error */
4098 	if (error) {
4099 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4100 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4101 		return;
4102 	}
4103 
4104 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4105 		/*
4106 		 * not security relevant if doing a recvmsg from non socket
4107 		 * so no extra tokens. Should probably turn off audit record
4108 		 * generation here.
4109 		 */
4110 		return;
4111 	}
4112 
4113 	so_family = so->so_family;
4114 	so_type   = so->so_type;
4115 
4116 	/*
4117 	 * only putout SOCKET_EX token if INET/INET6 family.
4118 	 * XXX - what do we do about other families?
4119 	 */
4120 
4121 	switch (so_family) {
4122 	case AF_INET:
4123 	case AF_INET6:
4124 
4125 		/*
4126 		 * if datagram type socket, then just use what is in
4127 		 * socket structure for local address.
4128 		 * XXX - what do we do for other types?
4129 		 */
4130 		if ((so->so_type == SOCK_DGRAM) ||
4131 		    (so->so_type == SOCK_RAW)) {
4132 			add_sock_token = 1;
4133 
4134 			bzero((void *)so_laddr, sizeof (so_laddr));
4135 			bzero((void *)so_faddr, sizeof (so_faddr));
4136 
4137 			/* get local address */
4138 			len = sizeof (so_laddr);
4139 			(void) socket_getsockname(so,
4140 			    (struct sockaddr *)so_laddr, &len, CRED());
4141 
4142 			/* get peer address */
4143 			STRUCT_INIT(msg, get_udatamodel());
4144 
4145 			if (copyin((caddr_t)(uap->msg),
4146 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4147 				break;
4148 			}
4149 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4150 			if (msg_name == NULL) {
4151 				break;
4152 			}
4153 
4154 			/* length is value from recvmsg - sanity check */
4155 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4156 			if (msg_namelen == 0) {
4157 				break;
4158 			}
4159 			if (copyin(msg_name, so_faddr,
4160 			    sizeof (so_faddr)) != 0) {
4161 				break;
4162 			}
4163 
4164 		} else if (so->so_type == SOCK_STREAM) {
4165 
4166 			/* get path from file struct here */
4167 			fad = F2A(fp);
4168 			ASSERT(fad);
4169 
4170 			/*
4171 			 * already processed this file for read attempt
4172 			 */
4173 			if (fad->fad_flags & FAD_READ) {
4174 				/* don't want to audit every recvmsg attempt */
4175 				tad->tad_flag = 0;
4176 				/* free any residual audit data */
4177 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4178 				releasef(fd);
4179 				return;
4180 			}
4181 			/*
4182 			 * mark things so we know what happened and don't
4183 			 * repeat things
4184 			 */
4185 			fad->fad_flags |= FAD_READ;
4186 
4187 			bzero((void *)so_laddr, sizeof (so_laddr));
4188 			bzero((void *)so_faddr, sizeof (so_faddr));
4189 
4190 			/* get local and foreign addresses */
4191 			len = sizeof (so_laddr);
4192 			(void) socket_getsockname(so,
4193 			    (struct sockaddr *)so_laddr, &len, CRED());
4194 			len = sizeof (so_faddr);
4195 			(void) socket_getpeername(so,
4196 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4197 
4198 			add_sock_token = 1;
4199 		}
4200 
4201 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4202 
4203 		break;
4204 
4205 	case AF_UNIX:
4206 		/*
4207 		 * first check if this is first time through. Too much
4208 		 * duplicate code to put this in an aui_ routine.
4209 		 */
4210 
4211 		/* get path from file struct here */
4212 		fad = F2A(fp);
4213 		ASSERT(fad);
4214 
4215 		/*
4216 		 * already processed this file for read attempt
4217 		 */
4218 		if (fad->fad_flags & FAD_READ) {
4219 			releasef(fd);
4220 			/* don't want to audit every recvmsg attempt */
4221 			tad->tad_flag = 0;
4222 			/* free any residual audit data */
4223 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4224 			return;
4225 		}
4226 		/*
4227 		 * mark things so we know what happened and don't
4228 		 * repeat things
4229 		 */
4230 		fad->fad_flags |= FAD_READ;
4231 
4232 		if (fad->fad_aupath != NULL) {
4233 			au_uwrite(au_to_path(fad->fad_aupath));
4234 		} else {
4235 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4236 		}
4237 
4238 		audit_attributes(fp->f_vnode);
4239 
4240 		releasef(fd);
4241 
4242 		return;
4243 
4244 	default:
4245 		break;
4246 
4247 	}
4248 
4249 	releasef(fd);
4250 
4251 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4252 
4253 	if (add_sock_token == 0) {
4254 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4255 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4256 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4257 		return;
4258 	}
4259 
4260 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4261 
4262 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4263 
4264 }
4265 
4266 /*ARGSUSED*/
4267 static void
4268 auf_recvfrom(
4269 	struct t_audit_data *tad,
4270 	int error,
4271 	rval_t *rvp)
4272 {
4273 
4274 	struct a {
4275 		long	fd;
4276 		long	msg;	/* char */
4277 		long	len;
4278 		long	flags;
4279 		long	from;	/* struct sockaddr */
4280 		long	fromlen;
4281 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4282 
4283 	socklen_t	fromlen;
4284 	struct sonode	*so;
4285 	char so_laddr[sizeof (struct sockaddr_in6)];
4286 	char so_faddr[sizeof (struct sockaddr_in6)];
4287 	int		fd;
4288 	short so_family, so_type;
4289 	int add_sock_token = 0;
4290 	socklen_t len;
4291 	int err;
4292 	struct file *fp;
4293 	struct f_audit_data *fad;		/* unix domain sockets */
4294 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4295 
4296 	fd = (int)uap->fd;
4297 
4298 	/* bail if an error */
4299 	if (error) {
4300 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4301 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4302 		return;
4303 	}
4304 
4305 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4306 		/*
4307 		 * not security relevant if doing a recvmsg from non socket
4308 		 * so no extra tokens. Should probably turn off audit record
4309 		 * generation here.
4310 		 */
4311 		return;
4312 	}
4313 
4314 	so_family = so->so_family;
4315 	so_type   = so->so_type;
4316 
4317 	/*
4318 	 * only putout SOCKET_EX token if INET/INET6 family.
4319 	 * XXX - what do we do about other families?
4320 	 */
4321 
4322 	switch (so_family) {
4323 	case AF_INET:
4324 	case AF_INET6:
4325 
4326 		/*
4327 		 * if datagram type socket, then just use what is in
4328 		 * socket structure for local address.
4329 		 * XXX - what do we do for other types?
4330 		 */
4331 		if ((so->so_type == SOCK_DGRAM) ||
4332 		    (so->so_type == SOCK_RAW)) {
4333 			add_sock_token = 1;
4334 
4335 			/* get local address */
4336 			len = sizeof (so_laddr);
4337 			(void) socket_getsockname(so,
4338 			    (struct sockaddr *)so_laddr, &len, CRED());
4339 
4340 			/* get peer address */
4341 			bzero((void *)so_faddr, sizeof (so_faddr));
4342 
4343 			/* sanity check */
4344 			if (uap->from == NULL)
4345 				break;
4346 
4347 			/* sanity checks */
4348 			if (uap->fromlen == 0)
4349 				break;
4350 
4351 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4352 			    sizeof (fromlen)) != 0)
4353 				break;
4354 
4355 			if (fromlen == 0)
4356 				break;
4357 
4358 			/* enforce maximum size */
4359 			if (fromlen > sizeof (so_faddr))
4360 				fromlen = sizeof (so_faddr);
4361 
4362 			if (copyin((caddr_t)(uap->from), so_faddr,
4363 			    fromlen) != 0)
4364 				break;
4365 
4366 		} else if (so->so_type == SOCK_STREAM) {
4367 
4368 			/* get path from file struct here */
4369 			fad = F2A(fp);
4370 			ASSERT(fad);
4371 
4372 			/*
4373 			 * already processed this file for read attempt
4374 			 */
4375 			if (fad->fad_flags & FAD_READ) {
4376 				/* don't want to audit every recvfrom attempt */
4377 				tad->tad_flag = 0;
4378 				/* free any residual audit data */
4379 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4380 				releasef(fd);
4381 				return;
4382 			}
4383 			/*
4384 			 * mark things so we know what happened and don't
4385 			 * repeat things
4386 			 */
4387 			fad->fad_flags |= FAD_READ;
4388 
4389 			bzero((void *)so_laddr, sizeof (so_laddr));
4390 			bzero((void *)so_faddr, sizeof (so_faddr));
4391 
4392 			/* get local and foreign addresses */
4393 			len = sizeof (so_laddr);
4394 			(void) socket_getsockname(so,
4395 			    (struct sockaddr *)so_laddr, &len, CRED());
4396 			len = sizeof (so_faddr);
4397 			(void) socket_getpeername(so,
4398 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4399 
4400 			add_sock_token = 1;
4401 		}
4402 
4403 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4404 
4405 		break;
4406 
4407 	case AF_UNIX:
4408 		/*
4409 		 * first check if this is first time through. Too much
4410 		 * duplicate code to put this in an aui_ routine.
4411 		 */
4412 
4413 		/* get path from file struct here */
4414 		fad = F2A(fp);
4415 		ASSERT(fad);
4416 
4417 		/*
4418 		 * already processed this file for read attempt
4419 		 */
4420 		if (fad->fad_flags & FAD_READ) {
4421 			/* don't want to audit every recvfrom attempt */
4422 			tad->tad_flag = 0;
4423 			/* free any residual audit data */
4424 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4425 			releasef(fd);
4426 			return;
4427 		}
4428 		/*
4429 		 * mark things so we know what happened and don't
4430 		 * repeat things
4431 		 */
4432 		fad->fad_flags |= FAD_READ;
4433 
4434 		if (fad->fad_aupath != NULL) {
4435 			au_uwrite(au_to_path(fad->fad_aupath));
4436 		} else {
4437 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4438 		}
4439 
4440 		audit_attributes(fp->f_vnode);
4441 
4442 		releasef(fd);
4443 
4444 		return;
4445 
4446 	default:
4447 		break;
4448 
4449 	}
4450 
4451 	releasef(fd);
4452 
4453 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4454 
4455 	if (add_sock_token == 0) {
4456 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4457 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4458 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4459 		return;
4460 	}
4461 
4462 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4463 
4464 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4465 }
4466 
4467 /*ARGSUSED*/
4468 static void
4469 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4470 {
4471 	struct a {
4472 		long	fd;
4473 		long	msg;	/* struct msghdr */
4474 		long	flags;
4475 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4476 
4477 	struct sonode	*so;
4478 	char so_laddr[sizeof (struct sockaddr_in6)];
4479 	char so_faddr[sizeof (struct sockaddr_in6)];
4480 	int		err;
4481 	int		fd;
4482 	short so_family, so_type;
4483 	int		add_sock_token = 0;
4484 	socklen_t	len;
4485 	struct file	*fp;
4486 	struct f_audit_data *fad;
4487 	caddr_t		msg_name;
4488 	socklen_t	msg_namelen;
4489 	STRUCT_DECL(msghdr, msg);
4490 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4491 
4492 	fd = (int)uap->fd;
4493 
4494 	/* bail if an error */
4495 	if (error) {
4496 		/* XXX include destination address from system call arguments */
4497 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4498 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4499 		return;
4500 	}
4501 
4502 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4503 		/*
4504 		 * not security relevant if doing a sendmsg from non socket
4505 		 * so no extra tokens. Should probably turn off audit record
4506 		 * generation here.
4507 		 */
4508 		return;
4509 	}
4510 
4511 	so_family = so->so_family;
4512 	so_type   = so->so_type;
4513 
4514 	switch (so_family) {
4515 	case AF_INET:
4516 	case AF_INET6:
4517 		/*
4518 		 * if datagram type socket, then just use what is in
4519 		 * socket structure for local address.
4520 		 * XXX - what do we do for other types?
4521 		 */
4522 		if ((so->so_type == SOCK_DGRAM) ||
4523 		    (so->so_type == SOCK_RAW)) {
4524 
4525 			bzero((void *)so_laddr, sizeof (so_laddr));
4526 			bzero((void *)so_faddr, sizeof (so_faddr));
4527 
4528 			/* get local address */
4529 			len = sizeof (so_laddr);
4530 			(void) socket_getsockname(so,
4531 			    (struct sockaddr *)so_laddr, &len, CRED());
4532 
4533 			/* get peer address */
4534 			STRUCT_INIT(msg, get_udatamodel());
4535 
4536 			if (copyin((caddr_t)(uap->msg),
4537 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4538 				break;
4539 			}
4540 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4541 			if (msg_name == NULL)
4542 				break;
4543 
4544 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4545 			/* length is value from recvmsg - sanity check */
4546 			if (msg_namelen == 0)
4547 				break;
4548 
4549 			if (copyin(msg_name, so_faddr,
4550 			    sizeof (so_faddr)) != 0)
4551 				break;
4552 
4553 			add_sock_token = 1;
4554 
4555 		} else if (so->so_type == SOCK_STREAM) {
4556 
4557 			/* get path from file struct here */
4558 			fad = F2A(fp);
4559 			ASSERT(fad);
4560 
4561 			/*
4562 			 * already processed this file for write attempt
4563 			 */
4564 			if (fad->fad_flags & FAD_WRITE) {
4565 				releasef(fd);
4566 				/* don't want to audit every sendmsg attempt */
4567 				tad->tad_flag = 0;
4568 				/* free any residual audit data */
4569 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4570 				return;
4571 			}
4572 
4573 			/*
4574 			 * mark things so we know what happened and don't
4575 			 * repeat things
4576 			 */
4577 			fad->fad_flags |= FAD_WRITE;
4578 
4579 			bzero((void *)so_laddr, sizeof (so_laddr));
4580 			bzero((void *)so_faddr, sizeof (so_faddr));
4581 
4582 			/* get local and foreign addresses */
4583 			len = sizeof (so_laddr);
4584 			(void) socket_getsockname(so,
4585 			    (struct sockaddr *)so_laddr, &len, CRED());
4586 			len = sizeof (so_faddr);
4587 			(void) socket_getpeername(so,
4588 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4589 
4590 			add_sock_token = 1;
4591 		}
4592 
4593 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4594 
4595 		break;
4596 
4597 	case AF_UNIX:
4598 		/*
4599 		 * first check if this is first time through. Too much
4600 		 * duplicate code to put this in an aui_ routine.
4601 		 */
4602 
4603 		/* get path from file struct here */
4604 		fad = F2A(fp);
4605 		ASSERT(fad);
4606 
4607 		/*
4608 		 * already processed this file for write attempt
4609 		 */
4610 		if (fad->fad_flags & FAD_WRITE) {
4611 			releasef(fd);
4612 			/* don't want to audit every sendmsg attempt */
4613 			tad->tad_flag = 0;
4614 			/* free any residual audit data */
4615 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4616 			return;
4617 		}
4618 		/*
4619 		 * mark things so we know what happened and don't
4620 		 * repeat things
4621 		 */
4622 		fad->fad_flags |= FAD_WRITE;
4623 
4624 		if (fad->fad_aupath != NULL) {
4625 			au_uwrite(au_to_path(fad->fad_aupath));
4626 		} else {
4627 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4628 		}
4629 
4630 		audit_attributes(fp->f_vnode);
4631 
4632 		releasef(fd);
4633 
4634 		return;
4635 
4636 	default:
4637 		break;
4638 	}
4639 
4640 	releasef(fd);
4641 
4642 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4643 
4644 	if (add_sock_token == 0) {
4645 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4646 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4647 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4648 		return;
4649 	}
4650 
4651 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4652 
4653 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4654 }
4655 
4656 /*ARGSUSED*/
4657 static void
4658 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4659 {
4660 	struct a {
4661 		long	fd;
4662 		long	msg;	/* char */
4663 		long	len;
4664 		long	flags;
4665 		long	to;	/* struct sockaddr */
4666 		long	tolen;
4667 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4668 
4669 	struct sonode	*so;
4670 	char so_laddr[sizeof (struct sockaddr_in6)];
4671 	char so_faddr[sizeof (struct sockaddr_in6)];
4672 	socklen_t	tolen;
4673 	int		err;
4674 	int		fd;
4675 	socklen_t	len;
4676 	short so_family, so_type;
4677 	int		add_sock_token = 0;
4678 	struct file	*fp;
4679 	struct f_audit_data *fad;
4680 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4681 
4682 	fd = (int)uap->fd;
4683 
4684 	/* bail if an error */
4685 	if (error) {
4686 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4687 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4688 		/* XXX include destination address from system call arguments */
4689 		return;
4690 	}
4691 
4692 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4693 		/*
4694 		 * not security relevant if doing a sendto using non socket
4695 		 * so no extra tokens. Should probably turn off audit record
4696 		 * generation here.
4697 		 */
4698 		return;
4699 	}
4700 
4701 	so_family = so->so_family;
4702 	so_type   = so->so_type;
4703 
4704 	/*
4705 	 * only putout SOCKET_EX token if INET/INET6 family.
4706 	 * XXX - what do we do about other families?
4707 	 */
4708 
4709 	switch (so_family) {
4710 	case AF_INET:
4711 	case AF_INET6:
4712 
4713 		/*
4714 		 * if datagram type socket, then just use what is in
4715 		 * socket structure for local address.
4716 		 * XXX - what do we do for other types?
4717 		 */
4718 		if ((so->so_type == SOCK_DGRAM) ||
4719 		    (so->so_type == SOCK_RAW)) {
4720 
4721 			bzero((void *)so_laddr, sizeof (so_laddr));
4722 			bzero((void *)so_faddr, sizeof (so_faddr));
4723 
4724 			/* get local address */
4725 			len = sizeof (so_laddr);
4726 			(void) socket_getsockname(so,
4727 			    (struct sockaddr *)so_laddr, &len, CRED());
4728 
4729 			/* get peer address */
4730 
4731 			/* sanity check */
4732 			if (uap->to == NULL)
4733 				break;
4734 
4735 			/* sanity checks */
4736 			if (uap->tolen == 0)
4737 				break;
4738 
4739 			tolen = (socklen_t)uap->tolen;
4740 
4741 			/* enforce maximum size */
4742 			if (tolen > sizeof (so_faddr))
4743 				tolen = sizeof (so_faddr);
4744 
4745 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4746 				break;
4747 
4748 			add_sock_token = 1;
4749 		} else {
4750 			/*
4751 			 * check if this is first time through.
4752 			 */
4753 
4754 			/* get path from file struct here */
4755 			fad = F2A(fp);
4756 			ASSERT(fad);
4757 
4758 			/*
4759 			 * already processed this file for write attempt
4760 			 */
4761 			if (fad->fad_flags & FAD_WRITE) {
4762 				/* don't want to audit every sendto attempt */
4763 				tad->tad_flag = 0;
4764 				/* free any residual audit data */
4765 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4766 				releasef(fd);
4767 				return;
4768 			}
4769 			/*
4770 			 * mark things so we know what happened and don't
4771 			 * repeat things
4772 			 */
4773 			fad->fad_flags |= FAD_WRITE;
4774 
4775 			bzero((void *)so_laddr, sizeof (so_laddr));
4776 			bzero((void *)so_faddr, sizeof (so_faddr));
4777 
4778 			/* get local and foreign addresses */
4779 			len = sizeof (so_laddr);
4780 			(void) socket_getsockname(so,
4781 			    (struct sockaddr *)so_laddr, &len, CRED());
4782 			len = sizeof (so_faddr);
4783 			(void) socket_getpeername(so,
4784 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4785 
4786 			add_sock_token = 1;
4787 		}
4788 
4789 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4790 
4791 		break;
4792 
4793 	case AF_UNIX:
4794 		/*
4795 		 * first check if this is first time through. Too much
4796 		 * duplicate code to put this in an aui_ routine.
4797 		 */
4798 
4799 		/* get path from file struct here */
4800 		fad = F2A(fp);
4801 		ASSERT(fad);
4802 
4803 		/*
4804 		 * already processed this file for write attempt
4805 		 */
4806 		if (fad->fad_flags & FAD_WRITE) {
4807 			/* don't want to audit every sendto attempt */
4808 			tad->tad_flag = 0;
4809 			/* free any residual audit data */
4810 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4811 			releasef(fd);
4812 			return;
4813 		}
4814 		/*
4815 		 * mark things so we know what happened and don't
4816 		 * repeat things
4817 		 */
4818 		fad->fad_flags |= FAD_WRITE;
4819 
4820 		if (fad->fad_aupath != NULL) {
4821 			au_uwrite(au_to_path(fad->fad_aupath));
4822 		} else {
4823 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4824 		}
4825 
4826 		audit_attributes(fp->f_vnode);
4827 
4828 		releasef(fd);
4829 
4830 		return;
4831 
4832 	default:
4833 		break;
4834 
4835 	}
4836 
4837 	releasef(fd);
4838 
4839 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4840 
4841 	if (add_sock_token == 0) {
4842 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4843 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4844 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4845 		return;
4846 	}
4847 
4848 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4849 
4850 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4851 
4852 }
4853 
4854 /*
4855  * XXX socket(2) may be equivalent to open(2) on a unix domain
4856  * socket. This needs investigation.
4857  */
4858 
4859 /*ARGSUSED*/
4860 static void
4861 aus_socket(struct t_audit_data *tad)
4862 {
4863 	struct a {
4864 		long	domain;
4865 		long	type;
4866 		long	protocol;
4867 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4868 
4869 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4870 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4871 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4872 }
4873 
4874 /*ARGSUSED*/
4875 static void
4876 aus_sigqueue(struct t_audit_data *tad)
4877 {
4878 	struct a {
4879 		long	pid;
4880 		long	signo;
4881 		long	*val;
4882 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4883 	struct proc *p;
4884 	uid_t uid, ruid;
4885 	gid_t gid, rgid;
4886 	pid_t pid;
4887 	const auditinfo_addr_t *ainfo;
4888 	cred_t *cr;
4889 
4890 	pid = (pid_t)uap->pid;
4891 
4892 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4893 	if (pid > 0) {
4894 		mutex_enter(&pidlock);
4895 		if ((p = prfind(pid)) == (struct proc *)0) {
4896 			mutex_exit(&pidlock);
4897 			return;
4898 		}
4899 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4900 		mutex_exit(&pidlock);
4901 
4902 		mutex_enter(&p->p_crlock);
4903 		crhold(cr = p->p_cred);
4904 		mutex_exit(&p->p_crlock);
4905 		mutex_exit(&p->p_lock);
4906 
4907 		ainfo = crgetauinfo(cr);
4908 		if (ainfo == NULL) {
4909 			crfree(cr);
4910 			return;
4911 		}
4912 
4913 		uid  = crgetuid(cr);
4914 		gid  = crgetgid(cr);
4915 		ruid = crgetruid(cr);
4916 		rgid = crgetrgid(cr);
4917 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4918 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4919 		crfree(cr);
4920 	}
4921 	else
4922 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4923 }
4924 
4925 /*ARGSUSED*/
4926 static void
4927 aus_inst_sync(struct t_audit_data *tad)
4928 {
4929 	struct a {
4930 		long	name;	/* char */
4931 		long	flags;
4932 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4933 
4934 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4935 }
4936 
4937 /*ARGSUSED*/
4938 static void
4939 aus_brandsys(struct t_audit_data *tad)
4940 {
4941 	klwp_t *clwp = ttolwp(curthread);
4942 
4943 	struct a {
4944 		long	cmd;
4945 		long	arg1;
4946 		long	arg2;
4947 		long	arg3;
4948 		long	arg4;
4949 		long	arg5;
4950 		long	arg6;
4951 	} *uap = (struct a *)clwp->lwp_ap;
4952 
4953 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4954 #ifdef _LP64
4955 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4956 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4957 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4958 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4959 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4960 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4961 #else
4962 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4963 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4964 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4965 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4966 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4967 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4968 #endif
4969 }
4970 
4971 /*ARGSUSED*/
4972 static void
4973 aus_p_online(struct t_audit_data *tad)
4974 {
4975 	struct a {
4976 		long	processor_id;
4977 		long	flag;
4978 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4979 
4980 	struct flags {
4981 			int	flag;
4982 			char	*cflag;
4983 	} aflags[6] = {
4984 			{ P_ONLINE, "P_ONLINE"},
4985 			{ P_OFFLINE, "P_OFFLINE"},
4986 			{ P_NOINTR, "P_NOINTR"},
4987 			{ P_SPARE, "P_SPARE"},
4988 			{ P_FAULTED, "P_FAULTED"},
4989 			{ P_STATUS, "P_STATUS"}
4990 	};
4991 	int i;
4992 	char *cflag;
4993 
4994 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4995 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4996 
4997 	for (i = 0; i < 6; i++) {
4998 		if (aflags[i].flag == uap->flag)
4999 			break;
5000 	}
5001 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5002 
5003 	au_uwrite(au_to_text(cflag));
5004 }
5005 
5006 /*ARGSUSED*/
5007 static void
5008 aus_processor_bind(struct t_audit_data *tad)
5009 {
5010 	struct a {
5011 		long	id_type;
5012 		long	id;
5013 		long	processor_id;
5014 		long	obind;
5015 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5016 
5017 	struct proc *p;
5018 	int lwpcnt;
5019 	uid_t uid, ruid;
5020 	gid_t gid, rgid;
5021 	pid_t pid;
5022 	const auditinfo_addr_t *ainfo;
5023 	cred_t *cr;
5024 
5025 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5026 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5027 	if (uap->processor_id == PBIND_NONE)
5028 		au_uwrite(au_to_text("PBIND_NONE"));
5029 	else
5030 		au_uwrite(au_to_arg32(3, "processor_id",
5031 		    (uint32_t)uap->processor_id));
5032 
5033 	switch (uap->id_type) {
5034 	case P_MYID:
5035 	case P_LWPID:
5036 		mutex_enter(&pidlock);
5037 		p = ttoproc(curthread);
5038 		if (p == NULL || p->p_as == &kas) {
5039 			mutex_exit(&pidlock);
5040 			return;
5041 		}
5042 		mutex_enter(&p->p_lock);
5043 		mutex_exit(&pidlock);
5044 		lwpcnt = p->p_lwpcnt;
5045 		pid  = p->p_pid;
5046 
5047 		mutex_enter(&p->p_crlock);
5048 		crhold(cr = p->p_cred);
5049 		mutex_exit(&p->p_crlock);
5050 		mutex_exit(&p->p_lock);
5051 
5052 		ainfo = crgetauinfo(cr);
5053 		if (ainfo == NULL) {
5054 			crfree(cr);
5055 			return;
5056 		}
5057 
5058 		uid  = crgetuid(cr);
5059 		gid  = crgetgid(cr);
5060 		ruid = crgetruid(cr);
5061 		rgid = crgetrgid(cr);
5062 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5063 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5064 		crfree(cr);
5065 		break;
5066 	case P_PID:
5067 		mutex_enter(&pidlock);
5068 		p = prfind(uap->id);
5069 		if (p == NULL || p->p_as == &kas) {
5070 			mutex_exit(&pidlock);
5071 			return;
5072 		}
5073 		mutex_enter(&p->p_lock);
5074 		mutex_exit(&pidlock);
5075 		lwpcnt = p->p_lwpcnt;
5076 		pid  = p->p_pid;
5077 
5078 		mutex_enter(&p->p_crlock);
5079 		crhold(cr = p->p_cred);
5080 		mutex_exit(&p->p_crlock);
5081 		mutex_exit(&p->p_lock);
5082 
5083 		ainfo = crgetauinfo(cr);
5084 		if (ainfo == NULL) {
5085 			crfree(cr);
5086 			return;
5087 		}
5088 
5089 		uid  = crgetuid(cr);
5090 		gid  = crgetgid(cr);
5091 		ruid = crgetruid(cr);
5092 		rgid = crgetrgid(cr);
5093 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5094 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5095 		crfree(cr);
5096 
5097 		break;
5098 	default:
5099 		return;
5100 	}
5101 
5102 	if (uap->processor_id == PBIND_NONE &&
5103 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5104 		au_uwrite(au_to_text("PBIND_NONE for process"));
5105 	else
5106 		au_uwrite(au_to_arg32(3, "processor_id",
5107 		    (uint32_t)uap->processor_id));
5108 }
5109 
5110 /*ARGSUSED*/
5111 static au_event_t
5112 aui_doorfs(au_event_t e)
5113 {
5114 	uint32_t code;
5115 
5116 	struct a {		/* doorfs */
5117 		long	a1;
5118 		long	a2;
5119 		long	a3;
5120 		long	a4;
5121 		long	a5;
5122 		long	code;
5123 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5124 
5125 	/*
5126 	 *	audit formats for several of the
5127 	 *	door calls have not yet been determined
5128 	 */
5129 	code = (uint32_t)uap->code;
5130 	switch (code) {
5131 	case DOOR_CALL:
5132 		e = AUE_DOORFS_DOOR_CALL;
5133 		break;
5134 	case DOOR_RETURN:
5135 		e = AUE_NULL;
5136 		break;
5137 	case DOOR_CREATE:
5138 		e = AUE_DOORFS_DOOR_CREATE;
5139 		break;
5140 	case DOOR_REVOKE:
5141 		e = AUE_DOORFS_DOOR_REVOKE;
5142 		break;
5143 	case DOOR_INFO:
5144 		e = AUE_NULL;
5145 		break;
5146 	case DOOR_UCRED:
5147 		e = AUE_NULL;
5148 		break;
5149 	case DOOR_BIND:
5150 		e = AUE_NULL;
5151 		break;
5152 	case DOOR_UNBIND:
5153 		e = AUE_NULL;
5154 		break;
5155 	case DOOR_GETPARAM:
5156 		e = AUE_NULL;
5157 		break;
5158 	case DOOR_SETPARAM:
5159 		e = AUE_NULL;
5160 		break;
5161 	default:	/* illegal system call */
5162 		e = AUE_NULL;
5163 		break;
5164 	}
5165 
5166 	return (e);
5167 }
5168 
5169 static door_node_t *
5170 au_door_lookup(int did)
5171 {
5172 	vnode_t	*vp;
5173 	file_t *fp;
5174 
5175 	if ((fp = getf(did)) == NULL)
5176 		return (NULL);
5177 	/*
5178 	 * Use the underlying vnode (we may be namefs mounted)
5179 	 */
5180 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5181 		vp = fp->f_vnode;
5182 
5183 	if (vp == NULL || vp->v_type != VDOOR) {
5184 		releasef(did);
5185 		return (NULL);
5186 	}
5187 
5188 	return (VTOD(vp));
5189 }
5190 
5191 /*ARGSUSED*/
5192 static void
5193 aus_doorfs(struct t_audit_data *tad)
5194 {
5195 
5196 	struct a {		/* doorfs */
5197 		long	a1;
5198 		long	a2;
5199 		long	a3;
5200 		long	a4;
5201 		long	a5;
5202 		long	code;
5203 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5204 
5205 	door_node_t	*dp;
5206 	struct proc	*p;
5207 	uint32_t	did;
5208 	uid_t uid, ruid;
5209 	gid_t gid, rgid;
5210 	pid_t pid;
5211 	const auditinfo_addr_t *ainfo;
5212 	cred_t *cr;
5213 
5214 	did = (uint32_t)uap->a1;
5215 
5216 	switch (tad->tad_event) {
5217 	case AUE_DOORFS_DOOR_CALL:
5218 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5219 		if ((dp = au_door_lookup(did)) == NULL)
5220 			break;
5221 
5222 		if (DOOR_INVALID(dp)) {
5223 			releasef(did);
5224 			break;
5225 		}
5226 
5227 		if ((p = dp->door_target) == NULL) {
5228 			releasef(did);
5229 			break;
5230 		}
5231 		mutex_enter(&p->p_lock);
5232 		releasef(did);
5233 
5234 		pid  = p->p_pid;
5235 
5236 		mutex_enter(&p->p_crlock);
5237 		crhold(cr = p->p_cred);
5238 		mutex_exit(&p->p_crlock);
5239 		mutex_exit(&p->p_lock);
5240 
5241 		ainfo = crgetauinfo(cr);
5242 		if (ainfo == NULL) {
5243 			crfree(cr);
5244 			return;
5245 		}
5246 		uid  = crgetuid(cr);
5247 		gid  = crgetgid(cr);
5248 		ruid = crgetruid(cr);
5249 		rgid = crgetrgid(cr);
5250 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5251 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5252 		crfree(cr);
5253 		break;
5254 	case AUE_DOORFS_DOOR_RETURN:
5255 		/*
5256 		 * We may want to write information about
5257 		 * all doors (if any) which will be copied
5258 		 * by this call to the user space
5259 		 */
5260 		break;
5261 	case AUE_DOORFS_DOOR_CREATE:
5262 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5263 		break;
5264 	case AUE_DOORFS_DOOR_REVOKE:
5265 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5266 		break;
5267 	case AUE_DOORFS_DOOR_INFO:
5268 		break;
5269 	case AUE_DOORFS_DOOR_CRED:
5270 		break;
5271 	case AUE_DOORFS_DOOR_BIND:
5272 		break;
5273 	case AUE_DOORFS_DOOR_UNBIND: {
5274 		break;
5275 	}
5276 	default:	/* illegal system call */
5277 		break;
5278 	}
5279 }
5280 
5281 /*ARGSUSED*/
5282 static au_event_t
5283 aui_acl(au_event_t e)
5284 {
5285 	struct a {
5286 		union {
5287 			long	name;	/* char */
5288 			long	fd;
5289 		}		obj;
5290 
5291 		long		cmd;
5292 		long		nentries;
5293 		long		arg;	/* aclent_t */
5294 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5295 
5296 	switch (uap->cmd) {
5297 	case SETACL:
5298 	case ACE_SETACL:
5299 		/*
5300 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5301 		 * are expected.
5302 		 */
5303 		break;
5304 	case GETACL:
5305 	case GETACLCNT:
5306 	case ACE_GETACL:
5307 	case ACE_GETACLCNT:
5308 		/* do nothing for these four values. */
5309 		e = AUE_NULL;
5310 		break;
5311 	default:
5312 		/* illegal system call */
5313 		break;
5314 	}
5315 
5316 	return (e);
5317 }
5318 
5319 static void
5320 au_acl(int cmd, int nentries, caddr_t bufp)
5321 {
5322 	size_t		a_size;
5323 	aclent_t	*aclbufp;
5324 	ace_t		*acebufp;
5325 	int		i;
5326 
5327 	switch (cmd) {
5328 	case GETACL:
5329 	case GETACLCNT:
5330 		break;
5331 	case SETACL:
5332 		if (nentries < 3)
5333 			break;
5334 
5335 		a_size = nentries * sizeof (aclent_t);
5336 
5337 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5338 			break;
5339 		if (copyin(bufp, aclbufp, a_size)) {
5340 			kmem_free(aclbufp, a_size);
5341 			break;
5342 		}
5343 		for (i = 0; i < nentries; i++) {
5344 			au_uwrite(au_to_acl(aclbufp + i));
5345 		}
5346 		kmem_free(aclbufp, a_size);
5347 		break;
5348 
5349 	case ACE_SETACL:
5350 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5351 			break;
5352 
5353 		a_size = nentries * sizeof (ace_t);
5354 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5355 			break;
5356 		if (copyin(bufp, acebufp, a_size)) {
5357 			kmem_free(acebufp, a_size);
5358 			break;
5359 		}
5360 		for (i = 0; i < nentries; i++) {
5361 			au_uwrite(au_to_ace(acebufp + i));
5362 		}
5363 		kmem_free(acebufp, a_size);
5364 		break;
5365 	default:
5366 		break;
5367 	}
5368 }
5369 
5370 /*ARGSUSED*/
5371 static void
5372 aus_acl(struct t_audit_data *tad)
5373 {
5374 	struct a {
5375 		long	fname;
5376 		long	cmd;
5377 		long	nentries;
5378 		long	aclbufp;
5379 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5380 
5381 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5382 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5383 
5384 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5385 }
5386 
5387 /*ARGSUSED*/
5388 static void
5389 aus_facl(struct t_audit_data *tad)
5390 {
5391 	struct a {
5392 		long	fd;
5393 		long	cmd;
5394 		long	nentries;
5395 		long	aclbufp;
5396 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5397 	struct file  *fp;
5398 	struct vnode *vp;
5399 	struct f_audit_data *fad;
5400 	int fd;
5401 
5402 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5403 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5404 
5405 	fd = (int)uap->fd;
5406 
5407 	if ((fp = getf(fd)) == NULL)
5408 		return;
5409 
5410 	/* get path from file struct here */
5411 	fad = F2A(fp);
5412 	if (fad->fad_aupath != NULL) {
5413 		au_uwrite(au_to_path(fad->fad_aupath));
5414 	} else {
5415 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5416 	}
5417 
5418 	vp = fp->f_vnode;
5419 	audit_attributes(vp);
5420 
5421 	/* decrement file descriptor reference count */
5422 	releasef(fd);
5423 
5424 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5425 }
5426 
5427 /*ARGSUSED*/
5428 static void
5429 auf_read(tad, error, rval)
5430 	struct t_audit_data *tad;
5431 	int error;
5432 	rval_t *rval;
5433 {
5434 	struct file *fp;
5435 	struct f_audit_data *fad;
5436 	int fd;
5437 	register struct a {
5438 		long	fd;
5439 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5440 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5441 
5442 	fd = (int)uap->fd;
5443 
5444 	/*
5445 	 * convert file pointer to file descriptor
5446 	 *   Note: fd ref count incremented here.
5447 	 */
5448 	if ((fp = getf(fd)) == NULL)
5449 		return;
5450 
5451 	/* get path from file struct here */
5452 	fad = F2A(fp);
5453 	ASSERT(fad);
5454 
5455 	/*
5456 	 * already processed this file for read attempt
5457 	 *
5458 	 * XXX might be better to turn off auditing in a aui_read() routine.
5459 	 */
5460 	if (fad->fad_flags & FAD_READ) {
5461 		/* don't really want to audit every read attempt */
5462 		tad->tad_flag = 0;
5463 		/* free any residual audit data */
5464 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5465 		releasef(fd);
5466 		return;
5467 	}
5468 	/* mark things so we know what happened and don't repeat things */
5469 	fad->fad_flags |= FAD_READ;
5470 
5471 	if (fad->fad_aupath != NULL) {
5472 		au_uwrite(au_to_path(fad->fad_aupath));
5473 	} else {
5474 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5475 	}
5476 
5477 	/* include attributes */
5478 	audit_attributes(fp->f_vnode);
5479 
5480 	/* decrement file descriptor reference count */
5481 	releasef(fd);
5482 }
5483 
5484 /*ARGSUSED*/
5485 static void
5486 auf_write(tad, error, rval)
5487 	struct t_audit_data *tad;
5488 	int error;
5489 	rval_t *rval;
5490 {
5491 	struct file *fp;
5492 	struct f_audit_data *fad;
5493 	int fd;
5494 	register struct a {
5495 		long	fd;
5496 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5497 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5498 
5499 	fd = (int)uap->fd;
5500 
5501 	/*
5502 	 * convert file pointer to file descriptor
5503 	 *   Note: fd ref count incremented here.
5504 	 */
5505 	if ((fp = getf(fd)) == NULL)
5506 		return;
5507 
5508 	/* get path from file struct here */
5509 	fad = F2A(fp);
5510 	ASSERT(fad);
5511 
5512 	/*
5513 	 * already processed this file for write attempt
5514 	 *
5515 	 * XXX might be better to turn off auditing in a aus_write() routine.
5516 	 */
5517 	if (fad->fad_flags & FAD_WRITE) {
5518 		/* don't really want to audit every write attempt */
5519 		tad->tad_flag = 0;
5520 		/* free any residual audit data */
5521 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5522 		releasef(fd);
5523 		return;
5524 	}
5525 	/* mark things so we know what happened and don't repeat things */
5526 	fad->fad_flags |= FAD_WRITE;
5527 
5528 	if (fad->fad_aupath != NULL) {
5529 		au_uwrite(au_to_path(fad->fad_aupath));
5530 	} else {
5531 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5532 	}
5533 
5534 	/* include attributes */
5535 	audit_attributes(fp->f_vnode);
5536 
5537 	/* decrement file descriptor reference count */
5538 	releasef(fd);
5539 }
5540 
5541 /*ARGSUSED*/
5542 static void
5543 auf_recv(tad, error, rval)
5544 	struct t_audit_data *tad;
5545 	int error;
5546 	rval_t *rval;
5547 {
5548 	struct sonode *so;
5549 	char so_laddr[sizeof (struct sockaddr_in6)];
5550 	char so_faddr[sizeof (struct sockaddr_in6)];
5551 	struct file *fp;
5552 	struct f_audit_data *fad;
5553 	int fd;
5554 	int err;
5555 	socklen_t len;
5556 	short so_family, so_type;
5557 	register struct a {
5558 		long	fd;
5559 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5560 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5561 
5562 	/*
5563 	 * If there was an error, then nothing to do. Only generate
5564 	 * audit record on first successful recv.
5565 	 */
5566 	if (error) {
5567 		/* Turn off audit record generation here. */
5568 		tad->tad_flag = 0;
5569 		/* free any residual audit data */
5570 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5571 		return;
5572 	}
5573 
5574 	fd = (int)uap->fd;
5575 
5576 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5577 		/* Turn off audit record generation here. */
5578 		tad->tad_flag = 0;
5579 		/* free any residual audit data */
5580 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5581 		return;
5582 	}
5583 
5584 	/* get path from file struct here */
5585 	fad = F2A(fp);
5586 	ASSERT(fad);
5587 
5588 	/*
5589 	 * already processed this file for read attempt
5590 	 */
5591 	if (fad->fad_flags & FAD_READ) {
5592 		releasef(fd);
5593 		/* don't really want to audit every recv call */
5594 		tad->tad_flag = 0;
5595 		/* free any residual audit data */
5596 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5597 		return;
5598 	}
5599 
5600 	/* mark things so we know what happened and don't repeat things */
5601 	fad->fad_flags |= FAD_READ;
5602 
5603 	so_family = so->so_family;
5604 	so_type   = so->so_type;
5605 
5606 	switch (so_family) {
5607 	case AF_INET:
5608 	case AF_INET6:
5609 		/*
5610 		 * Only for connections.
5611 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5612 		 */
5613 		if (so->so_state & SS_ISBOUND) {
5614 
5615 			bzero((void *)so_laddr, sizeof (so_laddr));
5616 			bzero((void *)so_faddr, sizeof (so_faddr));
5617 
5618 			/* get local and foreign addresses */
5619 			len = sizeof (so_laddr);
5620 			(void) socket_getsockname(so,
5621 			    (struct sockaddr *)so_laddr, &len, CRED());
5622 			len = sizeof (so_faddr);
5623 			(void) socket_getpeername(so,
5624 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5625 
5626 			/*
5627 			 * only way to drop out of switch. Note that we
5628 			 * we release fd below.
5629 			 */
5630 
5631 			break;
5632 		}
5633 
5634 		releasef(fd);
5635 
5636 		/* don't really want to audit every recv call */
5637 		tad->tad_flag = 0;
5638 		/* free any residual audit data */
5639 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5640 
5641 		return;
5642 
5643 	case AF_UNIX:
5644 
5645 		if (fad->fad_aupath != NULL) {
5646 			au_uwrite(au_to_path(fad->fad_aupath));
5647 		} else {
5648 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5649 		}
5650 
5651 		audit_attributes(fp->f_vnode);
5652 
5653 		releasef(fd);
5654 
5655 		return;
5656 
5657 	default:
5658 		releasef(fd);
5659 
5660 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5661 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5662 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5663 
5664 		return;
5665 	}
5666 
5667 	releasef(fd);
5668 
5669 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5670 
5671 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5672 
5673 }
5674 
5675 /*ARGSUSED*/
5676 static void
5677 auf_send(tad, error, rval)
5678 	struct t_audit_data *tad;
5679 	int error;
5680 	rval_t *rval;
5681 {
5682 	struct sonode *so;
5683 	char so_laddr[sizeof (struct sockaddr_in6)];
5684 	char so_faddr[sizeof (struct sockaddr_in6)];
5685 	struct file *fp;
5686 	struct f_audit_data *fad;
5687 	int fd;
5688 	int err;
5689 	socklen_t len;
5690 	short so_family, so_type;
5691 	register struct a {
5692 		long	fd;
5693 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5694 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5695 
5696 	fd = (int)uap->fd;
5697 
5698 	/*
5699 	 * If there was an error, then nothing to do. Only generate
5700 	 * audit record on first successful send.
5701 	 */
5702 	if (error != 0) {
5703 		/* Turn off audit record generation here. */
5704 		tad->tad_flag = 0;
5705 		/* free any residual audit data */
5706 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5707 		return;
5708 	}
5709 
5710 	fd = (int)uap->fd;
5711 
5712 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5713 		/* Turn off audit record generation here. */
5714 		tad->tad_flag = 0;
5715 		/* free any residual audit data */
5716 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5717 		return;
5718 	}
5719 
5720 	/* get path from file struct here */
5721 	fad = F2A(fp);
5722 	ASSERT(fad);
5723 
5724 	/*
5725 	 * already processed this file for write attempt
5726 	 */
5727 	if (fad->fad_flags & FAD_WRITE) {
5728 		releasef(fd);
5729 		/* don't really want to audit every send call */
5730 		tad->tad_flag = 0;
5731 		/* free any residual audit data */
5732 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5733 		return;
5734 	}
5735 
5736 	/* mark things so we know what happened and don't repeat things */
5737 	fad->fad_flags |= FAD_WRITE;
5738 
5739 	so_family = so->so_family;
5740 	so_type   = so->so_type;
5741 
5742 	switch (so_family) {
5743 	case AF_INET:
5744 	case AF_INET6:
5745 		/*
5746 		 * Only for connections.
5747 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5748 		 */
5749 		if (so->so_state & SS_ISBOUND) {
5750 
5751 			bzero((void *)so_laddr, sizeof (so_laddr));
5752 			bzero((void *)so_faddr, sizeof (so_faddr));
5753 
5754 			/* get local and foreign addresses */
5755 			len = sizeof (so_laddr);
5756 			(void) socket_getsockname(so,
5757 			    (struct sockaddr *)so_laddr, &len, CRED());
5758 			len = sizeof (so_faddr);
5759 			(void) socket_getpeername(so,
5760 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5761 
5762 			/*
5763 			 * only way to drop out of switch. Note that we
5764 			 * we release fd below.
5765 			 */
5766 
5767 			break;
5768 		}
5769 
5770 		releasef(fd);
5771 		/* don't really want to audit every send call */
5772 		tad->tad_flag = 0;
5773 		/* free any residual audit data */
5774 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5775 
5776 		return;
5777 
5778 	case AF_UNIX:
5779 
5780 		if (fad->fad_aupath != NULL) {
5781 			au_uwrite(au_to_path(fad->fad_aupath));
5782 		} else {
5783 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5784 		}
5785 
5786 		audit_attributes(fp->f_vnode);
5787 
5788 		releasef(fd);
5789 
5790 		return;
5791 
5792 	default:
5793 		releasef(fd);
5794 
5795 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5796 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5797 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5798 
5799 		return;
5800 	}
5801 
5802 	releasef(fd);
5803 
5804 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5805 
5806 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5807 }
5808 
5809 static au_event_t
5810 aui_forksys(au_event_t e)
5811 {
5812 	struct a {
5813 		long	subcode;
5814 		long	flags;
5815 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5816 
5817 	switch ((uint_t)uap->subcode) {
5818 	case 0:
5819 		e = AUE_FORK1;
5820 		break;
5821 	case 1:
5822 		e = AUE_FORKALL;
5823 		break;
5824 	case 2:
5825 		e = AUE_VFORK;
5826 		break;
5827 	default:
5828 		e = AUE_NULL;
5829 		break;
5830 	}
5831 
5832 	return (e);
5833 }
5834 
5835 /*ARGSUSED*/
5836 static au_event_t
5837 aui_portfs(au_event_t e)
5838 {
5839 	struct a {		/* portfs */
5840 		long	a1;
5841 		long	a2;
5842 		long	a3;
5843 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5844 
5845 	/*
5846 	 * check opcode
5847 	 */
5848 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5849 	case PORT_ASSOCIATE:
5850 		/* check source */
5851 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5852 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5853 			e = AUE_PORTFS_ASSOCIATE;
5854 		} else {
5855 			e = AUE_NULL;
5856 		}
5857 		break;
5858 	case PORT_DISSOCIATE:
5859 		/* check source */
5860 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5861 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5862 			e = AUE_PORTFS_DISSOCIATE;
5863 		} else {
5864 			e = AUE_NULL;
5865 		}
5866 		break;
5867 	default:
5868 		e = AUE_NULL;
5869 	}
5870 	return (e);
5871 }
5872