1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved. 25 * Copyright (c) 2018, Joyent, Inc. 26 * Copyright 2024 Oxide Computer Company 27 */ 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <sys/tsol/label.h> 60 #include <sys/tsol/tndb.h> 61 #include <sys/tsol/tsyscall.h> 62 #include <c2/audit.h> 63 #include <c2/audit_kernel.h> 64 #include <c2/audit_kevents.h> 65 #include <c2/audit_record.h> 66 #include <sys/procset.h> 67 #include <nfs/mount.h> 68 #include <sys/param.h> 69 #include <sys/debug.h> 70 #include <sys/sysmacros.h> 71 #include <sys/stream.h> 72 #include <sys/strsubr.h> 73 #include <sys/stropts.h> 74 #include <sys/tihdr.h> 75 #include <sys/socket.h> 76 #include <sys/socketvar.h> 77 #include <sys/vfs_opreg.h> 78 #include <fs/sockfs/sockcommon.h> 79 #include <netinet/in.h> 80 #include <sys/ddi.h> 81 #include <sys/port_impl.h> 82 #include <sys/secflags.h> 83 #include <sys/execx.h> 84 85 static au_event_t aui_fchownat(au_event_t); 86 static au_event_t aui_fchmodat(au_event_t); 87 static au_event_t aui_open(au_event_t); 88 static au_event_t aui_openat(au_event_t); 89 static au_event_t aui_unlinkat(au_event_t); 90 static au_event_t aui_fstatat(au_event_t); 91 static au_event_t aui_msgsys(au_event_t); 92 static au_event_t aui_shmsys(au_event_t); 93 static au_event_t aui_semsys(au_event_t); 94 static au_event_t aui_utssys(au_event_t); 95 static au_event_t aui_fcntl(au_event_t); 96 static au_event_t aui_execve(au_event_t); 97 static au_event_t aui_memcntl(au_event_t); 98 static au_event_t aui_sysinfo(au_event_t); 99 static au_event_t aui_portfs(au_event_t); 100 static au_event_t aui_auditsys(au_event_t); 101 static au_event_t aui_modctl(au_event_t); 102 static au_event_t aui_acl(au_event_t); 103 static au_event_t aui_doorfs(au_event_t); 104 static au_event_t aui_privsys(au_event_t); 105 static au_event_t aui_forksys(au_event_t); 106 static au_event_t aui_labelsys(au_event_t); 107 static au_event_t aui_setpgrp(au_event_t); 108 109 110 static void aus_exit(struct t_audit_data *); 111 static void aus_open(struct t_audit_data *); 112 static void aus_openat(struct t_audit_data *); 113 static void aus_acl(struct t_audit_data *); 114 static void aus_acct(struct t_audit_data *); 115 static void aus_chown(struct t_audit_data *); 116 static void aus_fchown(struct t_audit_data *); 117 static void aus_lchown(struct t_audit_data *); 118 static void aus_fchownat(struct t_audit_data *); 119 static void aus_chmod(struct t_audit_data *); 120 static void aus_facl(struct t_audit_data *); 121 static void aus_fchmod(struct t_audit_data *); 122 static void aus_fchmodat(struct t_audit_data *); 123 static void aus_fcntl(struct t_audit_data *); 124 static void aus_execve(struct t_audit_data *); 125 static void aus_mkdir(struct t_audit_data *); 126 static void aus_mkdirat(struct t_audit_data *); 127 static void aus_mknod(struct t_audit_data *); 128 static void aus_mknodat(struct t_audit_data *); 129 static void aus_mount(struct t_audit_data *); 130 static void aus_umount2(struct t_audit_data *); 131 static void aus_msgsys(struct t_audit_data *); 132 static void aus_semsys(struct t_audit_data *); 133 static void aus_close(struct t_audit_data *); 134 static void aus_fstatfs(struct t_audit_data *); 135 static void aus_setgid(struct t_audit_data *); 136 static void aus_setpgrp(struct t_audit_data *); 137 static void aus_setuid(struct t_audit_data *); 138 static void aus_shmsys(struct t_audit_data *); 139 static void aus_doorfs(struct t_audit_data *); 140 static void aus_ioctl(struct t_audit_data *); 141 static void aus_memcntl(struct t_audit_data *); 142 static void aus_mmap(struct t_audit_data *); 143 static void aus_munmap(struct t_audit_data *); 144 static void aus_priocntlsys(struct t_audit_data *); 145 static void aus_setegid(struct t_audit_data *); 146 static void aus_setgroups(struct t_audit_data *); 147 static void aus_seteuid(struct t_audit_data *); 148 static void aus_putmsg(struct t_audit_data *); 149 static void aus_putpmsg(struct t_audit_data *); 150 static void aus_getmsg(struct t_audit_data *); 151 static void aus_getpmsg(struct t_audit_data *); 152 static void aus_auditsys(struct t_audit_data *); 153 static void aus_sysinfo(struct t_audit_data *); 154 static void aus_modctl(struct t_audit_data *); 155 static void aus_kill(struct t_audit_data *); 156 static void aus_setregid(struct t_audit_data *); 157 static void aus_setreuid(struct t_audit_data *); 158 static void aus_labelsys(struct t_audit_data *); 159 160 static void auf_mknod(struct t_audit_data *, int, rval_t *); 161 static void auf_mknodat(struct t_audit_data *, int, rval_t *); 162 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 163 static void auf_semsys(struct t_audit_data *, int, rval_t *); 164 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 165 static void auf_read(struct t_audit_data *, int, rval_t *); 166 static void auf_write(struct t_audit_data *, int, rval_t *); 167 168 static void aus_sigqueue(struct t_audit_data *); 169 static void aus_p_online(struct t_audit_data *); 170 static void aus_processor_bind(struct t_audit_data *); 171 static void aus_inst_sync(struct t_audit_data *); 172 static void aus_brandsys(struct t_audit_data *); 173 174 static void auf_accept(struct t_audit_data *, int, rval_t *); 175 176 static void auf_bind(struct t_audit_data *, int, rval_t *); 177 static void auf_connect(struct t_audit_data *, int, rval_t *); 178 static void aus_shutdown(struct t_audit_data *); 179 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 180 static void aus_sockconfig(struct t_audit_data *); 181 static void auf_recv(struct t_audit_data *, int, rval_t *); 182 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 183 static void auf_send(struct t_audit_data *, int, rval_t *); 184 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 185 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 186 static void auf_sendto(struct t_audit_data *, int, rval_t *); 187 static void aus_socket(struct t_audit_data *); 188 /* 189 * This table contains mapping information for converting system call numbers 190 * to audit event IDs. In several cases it is necessary to map a single system 191 * call to several events. 192 */ 193 194 #define aui_null NULL /* NULL initialize function */ 195 #define aus_null NULL /* NULL start function */ 196 #define auf_null NULL /* NULL finish function */ 197 198 struct audit_s2e audit_s2e[] = 199 { 200 /* 201 * ---------- ---------- ---------- ---------- 202 * INITIAL AUDIT START SYSTEM 203 * PROCESSING EVENT PROCESSING CALL 204 * ---------- ---------- ---------- ----------- 205 * FINISH EVENT 206 * PROCESSING CONTROL 207 * ---------------------------------------------------------- 208 */ 209 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 210 auf_null, 0, 211 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 212 auf_null, S2E_NPT, 213 aui_null, AUE_PSECFLAGS, aus_null, /* 2 psecflags */ 214 auf_null, 0, 215 aui_null, AUE_READ, aus_null, /* 3 read */ 216 auf_read, S2E_PUB, 217 aui_null, AUE_WRITE, aus_null, /* 4 write */ 218 auf_write, 0, 219 aui_open, AUE_OPEN, aus_open, /* 5 open */ 220 auf_null, S2E_SP, 221 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 222 auf_null, 0, 223 aui_null, AUE_LINK, aus_null, /* 7 linkat */ 224 auf_null, 0, 225 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 226 auf_null, 0, 227 aui_null, AUE_LINK, aus_null, /* 9 link */ 228 auf_null, 0, 229 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 230 auf_null, 0, 231 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */ 232 auf_null, 0, 233 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 234 auf_null, S2E_SP, 235 aui_null, AUE_NULL, aus_null, /* 13 time */ 236 auf_null, 0, 237 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 238 auf_mknod, S2E_MLD, 239 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 240 auf_null, 0, 241 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 242 auf_null, 0, 243 aui_null, AUE_NULL, aus_null, /* 17 brk */ 244 auf_null, 0, 245 aui_null, AUE_STAT, aus_null, /* 18 stat */ 246 auf_null, S2E_PUB, 247 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 250 auf_null, 0, 251 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 252 auf_null, S2E_MLD, 253 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */ 254 auf_null, S2E_PUB, 255 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 258 auf_null, 0, 259 aui_null, AUE_STIME, aus_null, /* 25 stime */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 264 auf_null, 0, 265 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 266 auf_null, 0, 267 aui_null, AUE_NULL, aus_null, /* 29 pause */ 268 auf_null, 0, 269 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 270 auf_null, 0, 271 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 272 auf_null, 0, 273 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 274 auf_null, 0, 275 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 276 auf_null, S2E_PUB, 277 aui_null, AUE_NICE, aus_null, /* 34 nice */ 278 auf_null, 0, 279 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 280 auf_null, S2E_PUB, 281 aui_null, AUE_NULL, aus_null, /* 36 sync */ 282 auf_null, 0, 283 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 284 auf_null, 0, 285 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 286 auf_null, S2E_PUB, 287 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 288 auf_null, 0, 289 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 290 auf_null, 0, 291 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 292 auf_null, 0, 293 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 43 times */ 296 auf_null, 0, 297 aui_null, AUE_NULL, aus_null, /* 44 profil */ 298 auf_null, 0, 299 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 300 auf_null, S2E_PUB, 301 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 302 auf_null, 0, 303 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 304 auf_null, 0, 305 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */ 306 auf_mknodat, S2E_MLD, 307 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 308 auf_msgsys, 0, 309 #if defined(__x86) 310 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 311 auf_null, 0, 312 #else 313 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 314 auf_null, 0, 315 #endif /* __x86 */ 316 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 317 auf_null, 0, 318 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 319 auf_shmsys, 0, 320 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 321 auf_semsys, 0, 322 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 323 auf_null, 0, 324 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 325 auf_null, 0, 326 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 327 auf_null, 0, 328 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 331 auf_null, 0, 332 aui_execve, AUE_EXECVE, aus_execve, /* 59 exece */ 333 auf_null, S2E_MLD, 334 aui_null, AUE_NULL, aus_null, /* 60 umask */ 335 auf_null, 0, 336 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 337 auf_null, S2E_SP, 338 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 341 auf_null, 0, 342 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 343 auf_null, 0, 344 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 345 auf_null, 0, 346 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 347 auf_null, S2E_PUB, 348 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 349 auf_null, S2E_PUB, 350 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 351 auf_null, S2E_SP, 352 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 353 auf_null, S2E_SP, 354 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 363 auf_null, 0, 364 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 365 auf_null, 0, 366 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 367 auf_null, 0, 368 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 369 auf_null, 0, 370 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 371 auf_null, 0, 372 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 373 auf_null, 0, 374 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 377 auf_null, 0, 378 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 379 auf_null, 0, 380 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 381 auf_null, 0, 382 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 383 auf_null, 0, 384 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 385 auf_null, 0, 386 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 387 auf_null, 0, 388 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 389 auf_null, 0, 390 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 391 auf_null, S2E_PUB, 392 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 393 auf_null, 0, 394 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 395 auf_null, S2E_PUB, 396 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 399 auf_null, 0, 400 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 401 auf_null, 0, 402 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 411 auf_null, 0, 412 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 413 auf_null, 0, 414 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 415 auf_null, 0, 416 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */ 417 auf_null, 0, 418 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */ 419 auf_null, 0, 420 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 421 auf_null, S2E_PUB, 422 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 427 auf_null, 0, 428 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 429 auf_null, 0, 430 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 431 auf_null, 0, 432 #if defined(__x86) 433 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 434 auf_null, 0, 435 #else 436 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 437 auf_null, 0, 438 #endif /* __x86 */ 439 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 440 auf_null, 0, 441 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 442 auf_null, 0, 443 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 444 auf_null, 0, 445 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 446 auf_null, S2E_PUB, 447 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 448 auf_null, 0, 449 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 450 auf_null, 0, 451 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 452 auf_null, 0, 453 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 454 auf_null, 0, 455 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 456 auf_null, 0, 457 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 458 auf_null, 0, 459 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 460 auf_null, 0, 461 aui_null, AUE_READ, aus_null, /* 121 readv */ 462 auf_read, S2E_PUB, 463 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 464 auf_write, 0, 465 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 466 auf_null, 0, 467 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 468 auf_null, 0, 469 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 470 auf_null, 0, 471 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 472 auf_null, 0, 473 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 474 auf_null, 0, 475 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 476 auf_null, 0, 477 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 478 auf_null, 0, 479 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 480 auf_null, 0, 481 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 482 auf_null, 0, 483 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 484 auf_null, 0, 485 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 486 auf_null, 0, 487 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 135 uname */ 490 auf_null, 0, 491 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 492 auf_null, 0, 493 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 494 auf_null, 0, 495 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 496 auf_null, 0, 497 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 498 auf_null, 0, 499 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 500 auf_null, 0, 501 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 502 auf_null, 0, 503 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 146 yield */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 514 /* was lwp_sema_wait */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 517 auf_null, 0, 518 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 519 auf_null, 0, 520 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 523 auf_null, 0, 524 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 525 auf_null, 0, 526 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 557 auf_null, 0, 558 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 559 /* was lwp_mutex_lock */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 562 auf_null, 0, 563 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 564 auf_null, 0, 565 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 566 auf_null, 0, 567 aui_null, AUE_READ, aus_null, /* 173 pread */ 568 auf_read, S2E_PUB, 569 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 570 auf_write, 0, 571 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 572 auf_null, 0, 573 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 574 auf_null, 0, 575 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 580 auf_null, 0, 581 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 582 auf_null, 0, 583 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 584 auf_null, 0, 585 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 586 auf_null, S2E_MLD, 587 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 588 auf_null, 0, 589 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 590 auf_null, 0, 591 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 592 auf_null, 0, 593 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 594 auf_null, 0, 595 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 598 auf_null, 0, 599 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 604 auf_null, 0, 605 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 616 auf_null, 0, 617 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 618 auf_null, 0, 619 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 620 auf_null, 0, 621 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 622 auf_null, 0, 623 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 624 auf_null, 0, 625 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 626 auf_null, 0, 627 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 644 auf_null, 0, 645 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 646 auf_null, 0, 647 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 648 auf_null, 0, 649 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 650 auf_null, 0, 651 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 652 auf_null, S2E_PUB, 653 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 654 auf_null, S2E_PUB, 655 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 656 auf_null, 0, 657 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 658 auf_null, S2E_PUB, 659 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 660 auf_null, 0, 661 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 662 auf_null, 0, 663 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 664 auf_null, 0, 665 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 666 auf_read, S2E_PUB, 667 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 668 auf_write, 0, 669 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 670 auf_null, 0, 671 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 672 auf_null, S2E_SP, 673 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 227 zone */ 676 auf_null, 0, 677 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 678 auf_null, 0, 679 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 680 auf_null, 0, 681 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 682 auf_null, 0, 683 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 684 auf_null, 0, 685 aui_null, AUE_BIND, aus_null, /* 232 bind */ 686 auf_bind, 0, 687 aui_null, AUE_NULL, aus_null, /* 233 listen */ 688 auf_null, 0, 689 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 690 auf_accept, 0, 691 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 692 auf_connect, 0, 693 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 694 auf_null, 0, 695 aui_null, AUE_READ, aus_null, /* 237 recv */ 696 auf_recv, 0, 697 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 698 auf_recvfrom, 0, 699 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 700 auf_recvmsg, 0, 701 aui_null, AUE_WRITE, aus_null, /* 240 send */ 702 auf_send, 0, 703 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 704 auf_sendmsg, 0, 705 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 706 auf_sendto, 0, 707 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 708 auf_null, 0, 709 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 710 auf_null, 0, 711 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 712 auf_null, 0, 713 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 714 auf_setsockopt, 0, 715 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 718 auf_null, 0, 719 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 726 auf_null, 0, 727 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 728 auf_null, 0, 729 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 730 auf_null, 0, 731 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 732 auf_null, 0 733 }; 734 735 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 736 737 738 /* exit start function */ 739 /*ARGSUSED*/ 740 static void 741 aus_exit(struct t_audit_data *tad) 742 { 743 uint32_t rval; 744 struct a { 745 long rval; 746 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 747 748 rval = (uint32_t)uap->rval; 749 au_uwrite(au_to_arg32(1, "exit status", rval)); 750 } 751 752 753 /* acct start function */ 754 /*ARGSUSED*/ 755 static void 756 aus_acct(struct t_audit_data *tad) 757 { 758 klwp_t *clwp = ttolwp(curthread); 759 uintptr_t fname; 760 761 struct a { 762 long fname; /* char * */ 763 } *uap = (struct a *)clwp->lwp_ap; 764 765 fname = (uintptr_t)uap->fname; 766 767 if (fname == 0) 768 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 769 } 770 771 /* chown start function */ 772 /*ARGSUSED*/ 773 static void 774 aus_chown(struct t_audit_data *tad) 775 { 776 klwp_t *clwp = ttolwp(curthread); 777 uint32_t uid, gid; 778 779 struct a { 780 long fname; /* char * */ 781 long uid; 782 long gid; 783 } *uap = (struct a *)clwp->lwp_ap; 784 785 uid = (uint32_t)uap->uid; 786 gid = (uint32_t)uap->gid; 787 788 au_uwrite(au_to_arg32(2, "new file uid", uid)); 789 au_uwrite(au_to_arg32(3, "new file gid", gid)); 790 } 791 792 /* fchown start function */ 793 /*ARGSUSED*/ 794 static void 795 aus_fchown(struct t_audit_data *tad) 796 { 797 klwp_t *clwp = ttolwp(curthread); 798 uint32_t uid, gid, fd; 799 struct file *fp; 800 struct vnode *vp; 801 struct f_audit_data *fad; 802 803 struct a { 804 long fd; 805 long uid; 806 long gid; 807 } *uap = (struct a *)clwp->lwp_ap; 808 809 fd = (uint32_t)uap->fd; 810 uid = (uint32_t)uap->uid; 811 gid = (uint32_t)uap->gid; 812 813 au_uwrite(au_to_arg32(2, "new file uid", uid)); 814 au_uwrite(au_to_arg32(3, "new file gid", gid)); 815 816 /* 817 * convert file pointer to file descriptor 818 * Note: fd ref count incremented here. 819 */ 820 if ((fp = getf(fd)) == NULL) 821 return; 822 823 /* get path from file struct here */ 824 fad = F2A(fp); 825 if (fad->fad_aupath != NULL) { 826 au_uwrite(au_to_path(fad->fad_aupath)); 827 } else { 828 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 829 } 830 831 vp = fp->f_vnode; 832 audit_attributes(vp); 833 834 /* decrement file descriptor reference count */ 835 releasef(fd); 836 } 837 838 /*ARGSUSED*/ 839 static void 840 aus_lchown(struct t_audit_data *tad) 841 { 842 klwp_t *clwp = ttolwp(curthread); 843 uint32_t uid, gid; 844 845 846 struct a { 847 long fname; /* char * */ 848 long uid; 849 long gid; 850 } *uap = (struct a *)clwp->lwp_ap; 851 852 uid = (uint32_t)uap->uid; 853 gid = (uint32_t)uap->gid; 854 855 au_uwrite(au_to_arg32(2, "new file uid", uid)); 856 au_uwrite(au_to_arg32(3, "new file gid", gid)); 857 } 858 859 static au_event_t 860 aui_fchownat(au_event_t e) 861 { 862 klwp_t *clwp = ttolwp(curthread); 863 864 struct a { 865 long fd; 866 long fname; /* char * */ 867 long uid; 868 long gid; 869 long flags; 870 } *uap = (struct a *)clwp->lwp_ap; 871 872 if (uap->fname == 0) 873 e = AUE_FCHOWN; 874 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 875 e = AUE_LCHOWN; 876 else 877 e = AUE_CHOWN; 878 879 return (e); 880 } 881 882 /*ARGSUSED*/ 883 static void 884 aus_fchownat(struct t_audit_data *tad) 885 { 886 klwp_t *clwp = ttolwp(curthread); 887 uint32_t uid, gid; 888 889 struct a { 890 long fd; 891 long fname; /* char * */ 892 long uid; 893 long gid; 894 long flags; 895 } *uap = (struct a *)clwp->lwp_ap; 896 897 uid = (uint32_t)uap->uid; 898 gid = (uint32_t)uap->gid; 899 900 au_uwrite(au_to_arg32(3, "new file uid", uid)); 901 au_uwrite(au_to_arg32(4, "new file gid", gid)); 902 } 903 904 /*ARGSUSED*/ 905 static void 906 aus_chmod(struct t_audit_data *tad) 907 { 908 klwp_t *clwp = ttolwp(curthread); 909 uint32_t fmode; 910 911 struct a { 912 long fname; /* char * */ 913 long fmode; 914 } *uap = (struct a *)clwp->lwp_ap; 915 916 fmode = (uint32_t)uap->fmode; 917 918 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 919 } 920 921 /*ARGSUSED*/ 922 static void 923 aus_fchmod(struct t_audit_data *tad) 924 { 925 klwp_t *clwp = ttolwp(curthread); 926 uint32_t fmode, fd; 927 struct file *fp; 928 struct vnode *vp; 929 struct f_audit_data *fad; 930 931 struct a { 932 long fd; 933 long fmode; 934 } *uap = (struct a *)clwp->lwp_ap; 935 936 fd = (uint32_t)uap->fd; 937 fmode = (uint32_t)uap->fmode; 938 939 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 940 941 /* 942 * convert file pointer to file descriptor 943 * Note: fd ref count incremented here. 944 */ 945 if ((fp = getf(fd)) == NULL) 946 return; 947 948 /* get path from file struct here */ 949 fad = F2A(fp); 950 if (fad->fad_aupath != NULL) { 951 au_uwrite(au_to_path(fad->fad_aupath)); 952 } else { 953 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 954 } 955 956 vp = fp->f_vnode; 957 audit_attributes(vp); 958 959 /* decrement file descriptor reference count */ 960 releasef(fd); 961 } 962 963 static au_event_t 964 aui_fchmodat(au_event_t e) 965 { 966 klwp_t *clwp = ttolwp(curthread); 967 968 struct a { 969 long fd; 970 long fname; /* char * */ 971 long fmode; 972 long flag; 973 } *uap = (struct a *)clwp->lwp_ap; 974 975 if (uap->fname == 0) 976 e = AUE_FCHMOD; 977 else 978 e = AUE_CHMOD; 979 980 return (e); 981 } 982 983 /*ARGSUSED*/ 984 static void 985 aus_fchmodat(struct t_audit_data *tad) 986 { 987 klwp_t *clwp = ttolwp(curthread); 988 uint32_t fmode; 989 uint32_t fd; 990 struct file *fp; 991 struct vnode *vp; 992 struct f_audit_data *fad; 993 994 struct a { 995 long fd; 996 long fname; /* char * */ 997 long fmode; 998 long flag; 999 } *uap = (struct a *)clwp->lwp_ap; 1000 1001 fd = (uint32_t)uap->fd; 1002 fmode = (uint32_t)uap->fmode; 1003 1004 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 1005 1006 if (fd == AT_FDCWD || uap->fname != 0) /* same as chmod() */ 1007 return; 1008 1009 /* 1010 * convert file pointer to file descriptor 1011 * Note: fd ref count incremented here. 1012 */ 1013 if ((fp = getf(fd)) == NULL) 1014 return; 1015 1016 /* get path from file struct here */ 1017 fad = F2A(fp); 1018 if (fad->fad_aupath != NULL) { 1019 au_uwrite(au_to_path(fad->fad_aupath)); 1020 } else { 1021 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1022 } 1023 1024 vp = fp->f_vnode; 1025 audit_attributes(vp); 1026 1027 /* decrement file descriptor reference count */ 1028 releasef(fd); 1029 } 1030 1031 /* 1032 * convert open mode to appropriate open event 1033 */ 1034 au_event_t 1035 open_event(uint_t fm) 1036 { 1037 au_event_t e; 1038 1039 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) { 1040 case O_RDONLY: 1041 e = AUE_OPEN_R; 1042 break; 1043 case O_RDONLY | O_CREAT: 1044 e = AUE_OPEN_RC; 1045 break; 1046 case O_RDONLY | O_TRUNC: 1047 e = AUE_OPEN_RT; 1048 break; 1049 case O_RDONLY | O_TRUNC | O_CREAT: 1050 e = AUE_OPEN_RTC; 1051 break; 1052 case O_WRONLY: 1053 e = AUE_OPEN_W; 1054 break; 1055 case O_WRONLY | O_CREAT: 1056 e = AUE_OPEN_WC; 1057 break; 1058 case O_WRONLY | O_TRUNC: 1059 e = AUE_OPEN_WT; 1060 break; 1061 case O_WRONLY | O_TRUNC | O_CREAT: 1062 e = AUE_OPEN_WTC; 1063 break; 1064 case O_RDWR: 1065 e = AUE_OPEN_RW; 1066 break; 1067 case O_RDWR | O_CREAT: 1068 e = AUE_OPEN_RWC; 1069 break; 1070 case O_RDWR | O_TRUNC: 1071 e = AUE_OPEN_RWT; 1072 break; 1073 case O_RDWR | O_TRUNC | O_CREAT: 1074 e = AUE_OPEN_RWTC; 1075 break; 1076 case O_SEARCH: 1077 e = AUE_OPEN_S; 1078 break; 1079 case O_EXEC: 1080 e = AUE_OPEN_E; 1081 break; 1082 default: 1083 e = AUE_NULL; 1084 break; 1085 } 1086 1087 return (e); 1088 } 1089 1090 /* ARGSUSED */ 1091 static au_event_t 1092 aui_open(au_event_t e) 1093 { 1094 klwp_t *clwp = ttolwp(curthread); 1095 uint_t fm; 1096 1097 struct a { 1098 long fnamep; /* char * */ 1099 long fmode; 1100 long cmode; 1101 } *uap = (struct a *)clwp->lwp_ap; 1102 1103 fm = (uint_t)uap->fmode; 1104 1105 return (open_event(fm)); 1106 } 1107 1108 static void 1109 aus_open(struct t_audit_data *tad) 1110 { 1111 klwp_t *clwp = ttolwp(curthread); 1112 uint_t fm; 1113 1114 struct a { 1115 long fnamep; /* char * */ 1116 long fmode; 1117 long cmode; 1118 } *uap = (struct a *)clwp->lwp_ap; 1119 1120 fm = (uint_t)uap->fmode; 1121 1122 /* If no write, create, or trunc modes, mark as a public op */ 1123 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1124 tad->tad_ctrl |= TAD_PUBLIC_EV; 1125 } 1126 1127 /* ARGSUSED */ 1128 static au_event_t 1129 aui_openat(au_event_t e) 1130 { 1131 t_audit_data_t *tad = T2A(curthread); 1132 klwp_t *clwp = ttolwp(curthread); 1133 uint_t fm; 1134 1135 struct a { 1136 long filedes; 1137 long fnamep; /* char * */ 1138 long fmode; 1139 long cmode; 1140 } *uap = (struct a *)clwp->lwp_ap; 1141 1142 fm = (uint_t)uap->fmode; 1143 1144 /* 1145 * __openattrdirat() does an extra pathname lookup in order to 1146 * enter the extended system attribute namespace of the referenced 1147 * extended attribute filename. 1148 */ 1149 if (fm & FXATTRDIROPEN) 1150 tad->tad_ctrl |= TAD_MLD; 1151 1152 return (open_event(fm)); 1153 } 1154 1155 static void 1156 aus_openat(struct t_audit_data *tad) 1157 { 1158 klwp_t *clwp = ttolwp(curthread); 1159 uint_t fm; 1160 1161 struct a { 1162 long filedes; 1163 long fnamep; /* char * */ 1164 long fmode; 1165 long cmode; 1166 } *uap = (struct a *)clwp->lwp_ap; 1167 1168 fm = (uint_t)uap->fmode; 1169 1170 /* If no write, create, or trunc modes, mark as a public op */ 1171 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1172 tad->tad_ctrl |= TAD_PUBLIC_EV; 1173 } 1174 1175 static au_event_t 1176 aui_unlinkat(au_event_t e) 1177 { 1178 klwp_t *clwp = ttolwp(curthread); 1179 1180 struct a { 1181 long filedes; 1182 long fnamep; /* char * */ 1183 long flags; 1184 } *uap = (struct a *)clwp->lwp_ap; 1185 1186 if (uap->flags & AT_REMOVEDIR) 1187 e = AUE_RMDIR; 1188 else 1189 e = AUE_UNLINK; 1190 1191 return (e); 1192 } 1193 1194 static au_event_t 1195 aui_fstatat(au_event_t e) 1196 { 1197 klwp_t *clwp = ttolwp(curthread); 1198 1199 struct a { 1200 long filedes; 1201 long fnamep; /* char * */ 1202 long statb; 1203 long flags; 1204 } *uap = (struct a *)clwp->lwp_ap; 1205 1206 if (uap->fnamep == 0) 1207 e = AUE_FSTAT; 1208 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1209 e = AUE_LSTAT; 1210 else 1211 e = AUE_STAT; 1212 1213 return (e); 1214 } 1215 1216 /* msgsys */ 1217 static au_event_t 1218 aui_msgsys(au_event_t e) 1219 { 1220 klwp_t *clwp = ttolwp(curthread); 1221 uint_t fm; 1222 1223 struct a { 1224 long id; /* function code id */ 1225 long ap; /* arg pointer for recvmsg */ 1226 } *uap = (struct a *)clwp->lwp_ap; 1227 1228 struct b { 1229 long msgid; 1230 long cmd; 1231 long buf; /* struct msqid_ds * */ 1232 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1233 1234 fm = (uint_t)uap->id; 1235 1236 switch (fm) { 1237 case 0: /* msgget */ 1238 e = AUE_MSGGET; 1239 break; 1240 case 1: /* msgctl */ 1241 switch ((uint_t)uap1->cmd) { 1242 case IPC_RMID: 1243 e = AUE_MSGCTL_RMID; 1244 break; 1245 case IPC_SET: 1246 e = AUE_MSGCTL_SET; 1247 break; 1248 case IPC_STAT: 1249 e = AUE_MSGCTL_STAT; 1250 break; 1251 default: 1252 e = AUE_MSGCTL; 1253 break; 1254 } 1255 break; 1256 case 2: /* msgrcv */ 1257 e = AUE_MSGRCV; 1258 break; 1259 case 3: /* msgsnd */ 1260 e = AUE_MSGSND; 1261 break; 1262 default: /* illegal system call */ 1263 e = AUE_NULL; 1264 break; 1265 } 1266 1267 return (e); 1268 } 1269 1270 1271 /* shmsys */ 1272 static au_event_t 1273 aui_shmsys(au_event_t e) 1274 { 1275 klwp_t *clwp = ttolwp(curthread); 1276 int fm; 1277 1278 struct a { /* shmsys */ 1279 long id; /* function code id */ 1280 } *uap = (struct a *)clwp->lwp_ap; 1281 1282 struct b { /* ctrl */ 1283 long shmid; 1284 long cmd; 1285 long arg; /* struct shmid_ds * */ 1286 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1287 fm = (uint_t)uap->id; 1288 1289 switch (fm) { 1290 case 0: /* shmat */ 1291 e = AUE_SHMAT; 1292 break; 1293 case 1: /* shmctl */ 1294 switch ((uint_t)uap1->cmd) { 1295 case IPC_RMID: 1296 e = AUE_SHMCTL_RMID; 1297 break; 1298 case IPC_SET: 1299 e = AUE_SHMCTL_SET; 1300 break; 1301 case IPC_STAT: 1302 e = AUE_SHMCTL_STAT; 1303 break; 1304 default: 1305 e = AUE_SHMCTL; 1306 break; 1307 } 1308 break; 1309 case 2: /* shmdt */ 1310 e = AUE_SHMDT; 1311 break; 1312 case 3: /* shmget */ 1313 e = AUE_SHMGET; 1314 break; 1315 default: /* illegal system call */ 1316 e = AUE_NULL; 1317 break; 1318 } 1319 1320 return (e); 1321 } 1322 1323 1324 /* semsys */ 1325 static au_event_t 1326 aui_semsys(au_event_t e) 1327 { 1328 klwp_t *clwp = ttolwp(curthread); 1329 uint_t fm; 1330 1331 struct a { /* semsys */ 1332 long id; 1333 } *uap = (struct a *)clwp->lwp_ap; 1334 1335 struct b { /* ctrl */ 1336 long semid; 1337 long semnum; 1338 long cmd; 1339 long arg; 1340 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1341 1342 fm = (uint_t)uap->id; 1343 1344 switch (fm) { 1345 case 0: /* semctl */ 1346 switch ((uint_t)uap1->cmd) { 1347 case IPC_RMID: 1348 e = AUE_SEMCTL_RMID; 1349 break; 1350 case IPC_SET: 1351 e = AUE_SEMCTL_SET; 1352 break; 1353 case IPC_STAT: 1354 e = AUE_SEMCTL_STAT; 1355 break; 1356 case GETNCNT: 1357 e = AUE_SEMCTL_GETNCNT; 1358 break; 1359 case GETPID: 1360 e = AUE_SEMCTL_GETPID; 1361 break; 1362 case GETVAL: 1363 e = AUE_SEMCTL_GETVAL; 1364 break; 1365 case GETALL: 1366 e = AUE_SEMCTL_GETALL; 1367 break; 1368 case GETZCNT: 1369 e = AUE_SEMCTL_GETZCNT; 1370 break; 1371 case SETVAL: 1372 e = AUE_SEMCTL_SETVAL; 1373 break; 1374 case SETALL: 1375 e = AUE_SEMCTL_SETALL; 1376 break; 1377 default: 1378 e = AUE_SEMCTL; 1379 break; 1380 } 1381 break; 1382 case 1: /* semget */ 1383 e = AUE_SEMGET; 1384 break; 1385 case 2: /* semop */ 1386 e = AUE_SEMOP; 1387 break; 1388 default: /* illegal system call */ 1389 e = AUE_NULL; 1390 break; 1391 } 1392 1393 return (e); 1394 } 1395 1396 /* utssys - uname(2), ustat(2), fusers(2) */ 1397 static au_event_t 1398 aui_utssys(au_event_t e) 1399 { 1400 klwp_t *clwp = ttolwp(curthread); 1401 uint_t type; 1402 1403 struct a { 1404 union { 1405 long cbuf; /* char * */ 1406 long ubuf; /* struct stat * */ 1407 } ub; 1408 union { 1409 long mv; /* for USTAT */ 1410 long flags; /* for FUSERS */ 1411 } un; 1412 long type; 1413 long outbp; /* char * for FUSERS */ 1414 } *uap = (struct a *)clwp->lwp_ap; 1415 1416 type = (uint_t)uap->type; 1417 1418 if (type == UTS_FUSERS) 1419 return (e); 1420 else 1421 return ((au_event_t)AUE_NULL); 1422 } 1423 1424 static au_event_t 1425 aui_fcntl(au_event_t e) 1426 { 1427 klwp_t *clwp = ttolwp(curthread); 1428 uint_t cmd; 1429 1430 struct a { 1431 long fdes; 1432 long cmd; 1433 long arg; 1434 } *uap = (struct a *)clwp->lwp_ap; 1435 1436 cmd = (uint_t)uap->cmd; 1437 1438 switch (cmd) { 1439 case F_GETLK: 1440 case F_SETLK: 1441 case F_SETLKW: 1442 break; 1443 case F_SETFL: 1444 case F_GETFL: 1445 case F_GETFD: 1446 break; 1447 default: 1448 e = (au_event_t)AUE_NULL; 1449 break; 1450 } 1451 return ((au_event_t)e); 1452 } 1453 1454 /* null function for now */ 1455 static au_event_t 1456 aui_execve(au_event_t e) 1457 { 1458 return (e); 1459 } 1460 1461 static void 1462 aus_execve(struct t_audit_data *tad) 1463 { 1464 klwp_t *clwp = ttolwp(curthread); 1465 uint32_t flags, fd; 1466 struct file *fp; 1467 struct f_audit_data *fad; 1468 1469 struct a { 1470 long file; 1471 long argv; 1472 long envp; 1473 long flags; 1474 } *uap = (struct a *)clwp->lwp_ap; 1475 1476 fd = (uint32_t)uap->file; 1477 flags = (uint32_t)uap->flags; 1478 1479 if ((flags & EXEC_DESCRIPTOR) == 0) 1480 return; 1481 1482 if ((fp = getf(fd)) == NULL) 1483 return; 1484 1485 fad = F2A(fp); 1486 1487 if (fad->fad_aupath != NULL) 1488 au_uwrite(au_to_path(fad->fad_aupath)); 1489 else 1490 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1491 1492 audit_attributes(fp->f_vnode); 1493 1494 /* Flag that the path is already included in this audit record */ 1495 tad->tad_ctrl |= TAD_PATHFND; 1496 1497 releasef(fd); 1498 } 1499 1500 /*ARGSUSED*/ 1501 static void 1502 aus_fcntl(struct t_audit_data *tad) 1503 { 1504 klwp_t *clwp = ttolwp(curthread); 1505 uint32_t cmd, fd, flags; 1506 struct file *fp; 1507 struct vnode *vp; 1508 struct f_audit_data *fad; 1509 1510 struct a { 1511 long fd; 1512 long cmd; 1513 long arg; 1514 } *uap = (struct a *)clwp->lwp_ap; 1515 1516 cmd = (uint32_t)uap->cmd; 1517 fd = (uint32_t)uap->fd; 1518 flags = (uint32_t)uap->arg; 1519 1520 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1521 1522 if (cmd == F_SETFL) 1523 au_uwrite(au_to_arg32(3, "flags", flags)); 1524 1525 /* 1526 * convert file pointer to file descriptor 1527 * Note: fd ref count incremented here. 1528 */ 1529 if ((fp = getf(fd)) == NULL) 1530 return; 1531 1532 /* get path from file struct here */ 1533 fad = F2A(fp); 1534 if (fad->fad_aupath != NULL) { 1535 au_uwrite(au_to_path(fad->fad_aupath)); 1536 } else { 1537 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1538 } 1539 1540 vp = fp->f_vnode; 1541 audit_attributes(vp); 1542 1543 /* decrement file descriptor reference count */ 1544 releasef(fd); 1545 } 1546 1547 /*ARGSUSED*/ 1548 static void 1549 aus_kill(struct t_audit_data *tad) 1550 { 1551 klwp_t *clwp = ttolwp(curthread); 1552 struct proc *p; 1553 uint32_t signo; 1554 uid_t uid, ruid; 1555 gid_t gid, rgid; 1556 pid_t pid; 1557 const auditinfo_addr_t *ainfo; 1558 cred_t *cr; 1559 1560 struct a { 1561 long pid; 1562 long signo; 1563 } *uap = (struct a *)clwp->lwp_ap; 1564 1565 pid = (pid_t)uap->pid; 1566 signo = (uint32_t)uap->signo; 1567 1568 au_uwrite(au_to_arg32(2, "signal", signo)); 1569 if (pid > 0) { 1570 mutex_enter(&pidlock); 1571 if (((p = prfind(pid)) == (struct proc *)0) || 1572 (p->p_stat == SIDL)) { 1573 mutex_exit(&pidlock); 1574 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1575 return; 1576 } 1577 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1578 mutex_exit(&pidlock); 1579 1580 mutex_enter(&p->p_crlock); 1581 crhold(cr = p->p_cred); 1582 mutex_exit(&p->p_crlock); 1583 mutex_exit(&p->p_lock); 1584 1585 ainfo = crgetauinfo(cr); 1586 if (ainfo == NULL) { 1587 crfree(cr); 1588 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1589 return; 1590 } 1591 1592 uid = crgetuid(cr); 1593 gid = crgetgid(cr); 1594 ruid = crgetruid(cr); 1595 rgid = crgetrgid(cr); 1596 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1597 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1598 1599 if (is_system_labeled()) 1600 au_uwrite(au_to_label(CR_SL(cr))); 1601 1602 crfree(cr); 1603 } 1604 else 1605 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1606 } 1607 1608 /*ARGSUSED*/ 1609 static void 1610 aus_mkdir(struct t_audit_data *tad) 1611 { 1612 klwp_t *clwp = ttolwp(curthread); 1613 uint32_t dmode; 1614 1615 struct a { 1616 long dirnamep; /* char * */ 1617 long dmode; 1618 } *uap = (struct a *)clwp->lwp_ap; 1619 1620 dmode = (uint32_t)uap->dmode; 1621 1622 au_uwrite(au_to_arg32(2, "mode", dmode)); 1623 } 1624 1625 /*ARGSUSED*/ 1626 static void 1627 aus_mkdirat(struct t_audit_data *tad) 1628 { 1629 klwp_t *clwp = ttolwp(curthread); 1630 uint32_t dmode; 1631 1632 struct a { 1633 long fd; 1634 long dirnamep; /* char * */ 1635 long dmode; 1636 } *uap = (struct a *)clwp->lwp_ap; 1637 1638 dmode = (uint32_t)uap->dmode; 1639 1640 au_uwrite(au_to_arg32(2, "mode", dmode)); 1641 } 1642 1643 /*ARGSUSED*/ 1644 static void 1645 aus_mknod(struct t_audit_data *tad) 1646 { 1647 klwp_t *clwp = ttolwp(curthread); 1648 uint32_t fmode; 1649 dev_t dev; 1650 1651 struct a { 1652 long pnamep; /* char * */ 1653 long fmode; 1654 long dev; 1655 } *uap = (struct a *)clwp->lwp_ap; 1656 1657 fmode = (uint32_t)uap->fmode; 1658 dev = (dev_t)uap->dev; 1659 1660 au_uwrite(au_to_arg32(2, "mode", fmode)); 1661 #ifdef _LP64 1662 au_uwrite(au_to_arg64(3, "dev", dev)); 1663 #else 1664 au_uwrite(au_to_arg32(3, "dev", dev)); 1665 #endif 1666 } 1667 1668 /*ARGSUSED*/ 1669 static void 1670 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1671 { 1672 klwp_t *clwp = ttolwp(curthread); 1673 vnode_t *dvp; 1674 caddr_t pnamep; 1675 1676 struct a { 1677 long pnamep; /* char * */ 1678 long fmode; 1679 long dev; 1680 } *uap = (struct a *)clwp->lwp_ap; 1681 1682 /* no error, then already path token in audit record */ 1683 if (error != EPERM && error != EINVAL) 1684 return; 1685 1686 /* do the lookup to force generation of path token */ 1687 pnamep = (caddr_t)uap->pnamep; 1688 tad->tad_ctrl |= TAD_NOATTRB; 1689 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1690 if (error == 0) 1691 VN_RELE(dvp); 1692 } 1693 1694 /*ARGSUSED*/ 1695 static void 1696 aus_mknodat(struct t_audit_data *tad) 1697 { 1698 klwp_t *clwp = ttolwp(curthread); 1699 uint32_t fmode; 1700 dev_t dev; 1701 1702 struct a { 1703 long fd; 1704 long pnamep; /* char * */ 1705 long fmode; 1706 long dev; 1707 } *uap = (struct a *)clwp->lwp_ap; 1708 1709 fmode = (uint32_t)uap->fmode; 1710 dev = (dev_t)uap->dev; 1711 1712 au_uwrite(au_to_arg32(2, "mode", fmode)); 1713 #ifdef _LP64 1714 au_uwrite(au_to_arg64(3, "dev", dev)); 1715 #else 1716 au_uwrite(au_to_arg32(3, "dev", dev)); 1717 #endif 1718 } 1719 1720 /*ARGSUSED*/ 1721 static void 1722 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval) 1723 { 1724 klwp_t *clwp = ttolwp(curthread); 1725 vnode_t *startvp; 1726 vnode_t *dvp; 1727 caddr_t pnamep; 1728 int fd; 1729 1730 struct a { 1731 long fd; 1732 long pnamep; /* char * */ 1733 long fmode; 1734 long dev; 1735 } *uap = (struct a *)clwp->lwp_ap; 1736 1737 /* no error, then already path token in audit record */ 1738 if (error != EPERM && error != EINVAL) 1739 return; 1740 1741 /* do the lookup to force generation of path token */ 1742 fd = (int)uap->fd; 1743 pnamep = (caddr_t)uap->pnamep; 1744 if (pnamep == NULL || 1745 fgetstartvp(fd, pnamep, &startvp) != 0) 1746 return; 1747 tad->tad_ctrl |= TAD_NOATTRB; 1748 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP, 1749 startvp); 1750 if (error == 0) 1751 VN_RELE(dvp); 1752 if (startvp != NULL) 1753 VN_RELE(startvp); 1754 } 1755 1756 /*ARGSUSED*/ 1757 static void 1758 aus_mount(struct t_audit_data *tad) 1759 { 1760 /* AUS_START */ 1761 klwp_t *clwp = ttolwp(curthread); 1762 uint32_t flags; 1763 uintptr_t u_fstype, dataptr; 1764 STRUCT_DECL(nfs_args, nfsargs); 1765 size_t len; 1766 char *fstype, *hostname; 1767 1768 struct a { 1769 long spec; /* char * */ 1770 long dir; /* char * */ 1771 long flags; 1772 long fstype; /* char * */ 1773 long dataptr; /* char * */ 1774 long datalen; 1775 } *uap = (struct a *)clwp->lwp_ap; 1776 1777 u_fstype = (uintptr_t)uap->fstype; 1778 flags = (uint32_t)uap->flags; 1779 dataptr = (uintptr_t)uap->dataptr; 1780 1781 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1782 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1783 goto mount_free_fstype; 1784 1785 au_uwrite(au_to_arg32(3, "flags", flags)); 1786 au_uwrite(au_to_text(fstype)); 1787 1788 if (strncmp(fstype, "nfs", 3) == 0) { 1789 1790 STRUCT_INIT(nfsargs, get_udatamodel()); 1791 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1792 1793 if (copyin((caddr_t)dataptr, STRUCT_BUF(nfsargs), 1794 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1795 /* DEBUG debug_enter((char *)NULL); */ 1796 goto mount_free_fstype; 1797 } 1798 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1799 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1800 (caddr_t)hostname, MAXNAMELEN, &len)) { 1801 goto mount_free_hostname; 1802 } 1803 au_uwrite(au_to_text(hostname)); 1804 au_uwrite(au_to_arg32(3, "internal flags", 1805 (uint_t)STRUCT_FGET(nfsargs, flags))); 1806 1807 mount_free_hostname: 1808 kmem_free(hostname, MAXNAMELEN); 1809 } 1810 1811 mount_free_fstype: 1812 kmem_free(fstype, MAXNAMELEN); 1813 } /* AUS_MOUNT */ 1814 1815 static void 1816 aus_umount_path(caddr_t umount_dir) 1817 { 1818 char *dir_path; 1819 struct audit_path *path; 1820 size_t path_len, dir_len; 1821 1822 /* length alloc'd for two string pointers */ 1823 path_len = sizeof (struct audit_path) + sizeof (char *); 1824 path = kmem_alloc(path_len, KM_SLEEP); 1825 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1826 1827 if (copyinstr(umount_dir, (caddr_t)dir_path, 1828 MAXPATHLEN, &dir_len)) 1829 goto umount2_free_dir; 1830 1831 /* 1832 * the audit_path struct assumes that the buffer pointed to 1833 * by audp_sect[n] contains string 0 immediatedly followed 1834 * by string 1. 1835 */ 1836 path->audp_sect[0] = dir_path; 1837 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1838 path->audp_size = path_len; 1839 path->audp_ref = 1; /* not used */ 1840 path->audp_cnt = 1; /* one path string */ 1841 1842 au_uwrite(au_to_path(path)); 1843 1844 umount2_free_dir: 1845 kmem_free(dir_path, MAXPATHLEN); 1846 kmem_free(path, path_len); 1847 } 1848 1849 /*ARGSUSED*/ 1850 static void 1851 aus_umount2(struct t_audit_data *tad) 1852 { 1853 klwp_t *clwp = ttolwp(curthread); 1854 struct a { 1855 long dir; /* char * */ 1856 long flags; 1857 } *uap = (struct a *)clwp->lwp_ap; 1858 1859 aus_umount_path((caddr_t)uap->dir); 1860 1861 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1862 } 1863 1864 static void 1865 aus_msgsys(struct t_audit_data *tad) 1866 { 1867 klwp_t *clwp = ttolwp(curthread); 1868 uint32_t msgid; 1869 1870 struct b { 1871 long msgid; 1872 long cmd; 1873 long buf; /* struct msqid_ds * */ 1874 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1875 1876 msgid = (uint32_t)uap1->msgid; 1877 1878 1879 switch (tad->tad_event) { 1880 case AUE_MSGGET: /* msgget */ 1881 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1882 break; 1883 case AUE_MSGCTL: /* msgctl */ 1884 case AUE_MSGCTL_RMID: /* msgctl */ 1885 case AUE_MSGCTL_SET: /* msgctl */ 1886 case AUE_MSGCTL_STAT: /* msgctl */ 1887 case AUE_MSGRCV: /* msgrcv */ 1888 case AUE_MSGSND: /* msgsnd */ 1889 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1890 break; 1891 } 1892 } 1893 1894 /*ARGSUSED*/ 1895 static void 1896 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1897 { 1898 int id; 1899 1900 if (error != 0) 1901 return; 1902 if (tad->tad_event == AUE_MSGGET) { 1903 uint32_t scid; 1904 uint32_t sy_flags; 1905 1906 /* need to determine type of executing binary */ 1907 scid = tad->tad_scid; 1908 #ifdef _SYSCALL32_IMPL 1909 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1910 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1911 else 1912 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1913 #else 1914 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1915 #endif 1916 if (sy_flags == SE_32RVAL1) 1917 id = rval->r_val1; 1918 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1919 id = rval->r_val1; 1920 if (sy_flags == SE_64RVAL) 1921 id = (int)rval->r_vals; 1922 1923 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1924 } 1925 } 1926 1927 static void 1928 aus_semsys(struct t_audit_data *tad) 1929 { 1930 klwp_t *clwp = ttolwp(curthread); 1931 uint32_t semid; 1932 1933 struct b { /* ctrl */ 1934 long semid; 1935 long semnum; 1936 long cmd; 1937 long arg; 1938 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1939 1940 semid = (uint32_t)uap1->semid; 1941 1942 switch (tad->tad_event) { 1943 case AUE_SEMCTL_RMID: 1944 case AUE_SEMCTL_STAT: 1945 case AUE_SEMCTL_GETNCNT: 1946 case AUE_SEMCTL_GETPID: 1947 case AUE_SEMCTL_GETVAL: 1948 case AUE_SEMCTL_GETALL: 1949 case AUE_SEMCTL_GETZCNT: 1950 case AUE_SEMCTL_SET: 1951 case AUE_SEMCTL_SETVAL: 1952 case AUE_SEMCTL_SETALL: 1953 case AUE_SEMCTL: 1954 case AUE_SEMOP: 1955 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1956 break; 1957 case AUE_SEMGET: 1958 au_uwrite(au_to_arg32(1, "sem key", semid)); 1959 break; 1960 } 1961 } 1962 1963 /*ARGSUSED*/ 1964 static void 1965 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1966 { 1967 int id; 1968 1969 if (error != 0) 1970 return; 1971 if (tad->tad_event == AUE_SEMGET) { 1972 uint32_t scid; 1973 uint32_t sy_flags; 1974 1975 /* need to determine type of executing binary */ 1976 scid = tad->tad_scid; 1977 #ifdef _SYSCALL32_IMPL 1978 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1979 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1980 else 1981 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1982 #else 1983 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1984 #endif 1985 if (sy_flags == SE_32RVAL1) 1986 id = rval->r_val1; 1987 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1988 id = rval->r_val1; 1989 if (sy_flags == SE_64RVAL) 1990 id = (int)rval->r_vals; 1991 1992 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1993 } 1994 } 1995 1996 /*ARGSUSED*/ 1997 static void 1998 aus_close(struct t_audit_data *tad) 1999 { 2000 klwp_t *clwp = ttolwp(curthread); 2001 uint32_t fd; 2002 struct file *fp; 2003 struct f_audit_data *fad; 2004 struct vnode *vp; 2005 struct vattr attr; 2006 au_kcontext_t *kctx = GET_KCTX_PZ; 2007 2008 struct a { 2009 long i; 2010 } *uap = (struct a *)clwp->lwp_ap; 2011 2012 fd = (uint32_t)uap->i; 2013 2014 attr.va_mask = 0; 2015 au_uwrite(au_to_arg32(1, "fd", fd)); 2016 2017 /* 2018 * convert file pointer to file descriptor 2019 * Note: fd ref count incremented here. 2020 */ 2021 if ((fp = getf(fd)) == NULL) 2022 return; 2023 2024 fad = F2A(fp); 2025 tad->tad_evmod = (au_emod_t)fad->fad_flags; 2026 if (fad->fad_aupath != NULL) { 2027 au_uwrite(au_to_path(fad->fad_aupath)); 2028 if ((vp = fp->f_vnode) != NULL) { 2029 attr.va_mask = AT_ALL; 2030 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 2031 /* 2032 * When write was not used and the file can be 2033 * considered public, skip the audit. 2034 */ 2035 if (((fp->f_flag & FWRITE) == 0) && 2036 object_is_public(&attr)) { 2037 tad->tad_flag = 0; 2038 tad->tad_evmod = 0; 2039 /* free any residual audit data */ 2040 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 2041 releasef(fd); 2042 return; 2043 } 2044 au_uwrite(au_to_attr(&attr)); 2045 audit_sec_attributes(&(u_ad), vp); 2046 } 2047 } 2048 } 2049 2050 /* decrement file descriptor reference count */ 2051 releasef(fd); 2052 } 2053 2054 /*ARGSUSED*/ 2055 static void 2056 aus_fstatfs(struct t_audit_data *tad) 2057 { 2058 klwp_t *clwp = ttolwp(curthread); 2059 uint32_t fd; 2060 struct file *fp; 2061 struct vnode *vp; 2062 struct f_audit_data *fad; 2063 2064 struct a { 2065 long fd; 2066 long buf; /* struct statfs * */ 2067 } *uap = (struct a *)clwp->lwp_ap; 2068 2069 fd = (uint_t)uap->fd; 2070 2071 /* 2072 * convert file pointer to file descriptor 2073 * Note: fd ref count incremented here. 2074 */ 2075 if ((fp = getf(fd)) == NULL) 2076 return; 2077 2078 /* get path from file struct here */ 2079 fad = F2A(fp); 2080 if (fad->fad_aupath != NULL) { 2081 au_uwrite(au_to_path(fad->fad_aupath)); 2082 } else { 2083 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2084 } 2085 2086 vp = fp->f_vnode; 2087 audit_attributes(vp); 2088 2089 /* decrement file descriptor reference count */ 2090 releasef(fd); 2091 } 2092 2093 static au_event_t 2094 aui_setpgrp(au_event_t e) 2095 { 2096 klwp_t *clwp = ttolwp(curthread); 2097 int flag; 2098 2099 struct a { 2100 long flag; 2101 long pid; 2102 long pgid; 2103 } *uap = (struct a *)clwp->lwp_ap; 2104 2105 flag = (int)uap->flag; 2106 2107 2108 switch (flag) { 2109 2110 case 1: /* setpgrp() */ 2111 e = AUE_SETPGRP; 2112 break; 2113 2114 case 3: /* setsid() */ 2115 e = AUE_SETSID; 2116 break; 2117 2118 case 5: /* setpgid() */ 2119 e = AUE_SETPGID; 2120 break; 2121 2122 case 0: /* getpgrp() - not security relevant */ 2123 case 2: /* getsid() - not security relevant */ 2124 case 4: /* getpgid() - not security relevant */ 2125 e = AUE_NULL; 2126 break; 2127 2128 default: 2129 e = AUE_NULL; 2130 break; 2131 } 2132 2133 return (e); 2134 } 2135 2136 /*ARGSUSED*/ 2137 static void 2138 aus_setpgrp(struct t_audit_data *tad) 2139 { 2140 klwp_t *clwp = ttolwp(curthread); 2141 pid_t pgid; 2142 struct proc *p; 2143 uid_t uid, ruid; 2144 gid_t gid, rgid; 2145 pid_t pid; 2146 cred_t *cr; 2147 int flag; 2148 const auditinfo_addr_t *ainfo; 2149 2150 struct a { 2151 long flag; 2152 long pid; 2153 long pgid; 2154 } *uap = (struct a *)clwp->lwp_ap; 2155 2156 flag = (int)uap->flag; 2157 pid = (pid_t)uap->pid; 2158 pgid = (pid_t)uap->pgid; 2159 2160 2161 switch (flag) { 2162 2163 case 0: /* getpgrp() */ 2164 case 1: /* setpgrp() */ 2165 case 2: /* getsid() */ 2166 case 3: /* setsid() */ 2167 case 4: /* getpgid() */ 2168 break; 2169 2170 case 5: /* setpgid() */ 2171 2172 /* current process? */ 2173 if (pid == 0) { 2174 return; 2175 } 2176 2177 mutex_enter(&pidlock); 2178 p = prfind(pid); 2179 if (p == NULL || p->p_as == &kas || 2180 p->p_stat == SIDL || p->p_stat == SZOMB) { 2181 mutex_exit(&pidlock); 2182 return; 2183 } 2184 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2185 mutex_exit(&pidlock); 2186 2187 mutex_enter(&p->p_crlock); 2188 crhold(cr = p->p_cred); 2189 mutex_exit(&p->p_crlock); 2190 mutex_exit(&p->p_lock); 2191 2192 ainfo = crgetauinfo(cr); 2193 if (ainfo == NULL) { 2194 crfree(cr); 2195 return; 2196 } 2197 2198 uid = crgetuid(cr); 2199 gid = crgetgid(cr); 2200 ruid = crgetruid(cr); 2201 rgid = crgetrgid(cr); 2202 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2203 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2204 crfree(cr); 2205 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2206 break; 2207 2208 default: 2209 break; 2210 } 2211 } 2212 2213 2214 /*ARGSUSED*/ 2215 static void 2216 aus_setregid(struct t_audit_data *tad) 2217 { 2218 klwp_t *clwp = ttolwp(curthread); 2219 uint32_t rgid, egid; 2220 2221 struct a { 2222 long rgid; 2223 long egid; 2224 } *uap = (struct a *)clwp->lwp_ap; 2225 2226 rgid = (uint32_t)uap->rgid; 2227 egid = (uint32_t)uap->egid; 2228 2229 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2230 au_uwrite(au_to_arg32(2, "egid", egid)); 2231 } 2232 2233 /*ARGSUSED*/ 2234 static void 2235 aus_setgid(struct t_audit_data *tad) 2236 { 2237 klwp_t *clwp = ttolwp(curthread); 2238 uint32_t gid; 2239 2240 struct a { 2241 long gid; 2242 } *uap = (struct a *)clwp->lwp_ap; 2243 2244 gid = (uint32_t)uap->gid; 2245 2246 au_uwrite(au_to_arg32(1, "gid", gid)); 2247 } 2248 2249 2250 /*ARGSUSED*/ 2251 static void 2252 aus_setreuid(struct t_audit_data *tad) 2253 { 2254 klwp_t *clwp = ttolwp(curthread); 2255 uint32_t ruid, euid; 2256 2257 struct a { 2258 long ruid; 2259 long euid; 2260 } *uap = (struct a *)clwp->lwp_ap; 2261 2262 ruid = (uint32_t)uap->ruid; 2263 euid = (uint32_t)uap->euid; 2264 2265 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2266 au_uwrite(au_to_arg32(2, "euid", euid)); 2267 } 2268 2269 2270 /*ARGSUSED*/ 2271 static void 2272 aus_setuid(struct t_audit_data *tad) 2273 { 2274 klwp_t *clwp = ttolwp(curthread); 2275 uint32_t uid; 2276 2277 struct a { 2278 long uid; 2279 } *uap = (struct a *)clwp->lwp_ap; 2280 2281 uid = (uint32_t)uap->uid; 2282 2283 au_uwrite(au_to_arg32(1, "uid", uid)); 2284 } 2285 2286 /*ARGSUSED*/ 2287 static void 2288 aus_shmsys(struct t_audit_data *tad) 2289 { 2290 klwp_t *clwp = ttolwp(curthread); 2291 uint32_t id, cmd; 2292 2293 struct b { 2294 long id; 2295 long cmd; 2296 long buf; /* struct shmid_ds * */ 2297 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2298 2299 id = (uint32_t)uap1->id; 2300 cmd = (uint32_t)uap1->cmd; 2301 2302 switch (tad->tad_event) { 2303 case AUE_SHMGET: /* shmget */ 2304 au_uwrite(au_to_arg32(1, "shm key", id)); 2305 break; 2306 case AUE_SHMCTL: /* shmctl */ 2307 case AUE_SHMCTL_RMID: /* shmctl */ 2308 case AUE_SHMCTL_STAT: /* shmctl */ 2309 case AUE_SHMCTL_SET: /* shmctl */ 2310 au_uwrite(au_to_arg32(1, "shm ID", id)); 2311 break; 2312 case AUE_SHMDT: /* shmdt */ 2313 au_uwrite(au_to_arg32(1, "shm adr", id)); 2314 break; 2315 case AUE_SHMAT: /* shmat */ 2316 au_uwrite(au_to_arg32(1, "shm ID", id)); 2317 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2318 break; 2319 } 2320 } 2321 2322 /*ARGSUSED*/ 2323 static void 2324 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2325 { 2326 int id; 2327 2328 if (error != 0) 2329 return; 2330 if (tad->tad_event == AUE_SHMGET) { 2331 uint32_t scid; 2332 uint32_t sy_flags; 2333 2334 /* need to determine type of executing binary */ 2335 scid = tad->tad_scid; 2336 #ifdef _SYSCALL32_IMPL 2337 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2338 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2339 else 2340 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2341 #else 2342 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2343 #endif 2344 if (sy_flags == SE_32RVAL1) 2345 id = rval->r_val1; 2346 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2347 id = rval->r_val1; 2348 if (sy_flags == SE_64RVAL) 2349 id = (int)rval->r_vals; 2350 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2351 } 2352 } 2353 2354 2355 /*ARGSUSED*/ 2356 static void 2357 aus_ioctl(struct t_audit_data *tad) 2358 { 2359 klwp_t *clwp = ttolwp(curthread); 2360 struct file *fp; 2361 struct vnode *vp; 2362 struct f_audit_data *fad; 2363 uint32_t fd, cmd; 2364 uintptr_t cmarg; 2365 2366 /* XX64 */ 2367 struct a { 2368 long fd; 2369 long cmd; 2370 long cmarg; /* caddr_t */ 2371 } *uap = (struct a *)clwp->lwp_ap; 2372 2373 fd = (uint32_t)uap->fd; 2374 cmd = (uint32_t)uap->cmd; 2375 cmarg = (uintptr_t)uap->cmarg; 2376 2377 /* 2378 * convert file pointer to file descriptor 2379 * Note: fd ref count incremented here. 2380 */ 2381 if ((fp = getf(fd)) == NULL) { 2382 au_uwrite(au_to_arg32(1, "fd", fd)); 2383 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2384 #ifndef _LP64 2385 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2386 #else 2387 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2388 #endif 2389 return; 2390 } 2391 2392 /* get path from file struct here */ 2393 fad = F2A(fp); 2394 if (fad->fad_aupath != NULL) { 2395 au_uwrite(au_to_path(fad->fad_aupath)); 2396 } else { 2397 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2398 } 2399 2400 vp = fp->f_vnode; 2401 audit_attributes(vp); 2402 2403 /* decrement file descriptor reference count */ 2404 releasef(fd); 2405 2406 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2407 #ifndef _LP64 2408 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2409 #else 2410 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2411 #endif 2412 } 2413 2414 /* 2415 * null function for memcntl for now. We might want to limit memcntl() 2416 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2417 * require privileges. 2418 */ 2419 static au_event_t 2420 aui_memcntl(au_event_t e) 2421 { 2422 return (e); 2423 } 2424 2425 /*ARGSUSED*/ 2426 static au_event_t 2427 aui_privsys(au_event_t e) 2428 { 2429 klwp_t *clwp = ttolwp(curthread); 2430 2431 struct a { 2432 long opcode; 2433 } *uap = (struct a *)clwp->lwp_ap; 2434 2435 switch (uap->opcode) { 2436 case PRIVSYS_SETPPRIV: 2437 return (AUE_SETPPRIV); 2438 default: 2439 return (AUE_NULL); 2440 } 2441 } 2442 2443 /*ARGSUSED*/ 2444 static void 2445 aus_memcntl(struct t_audit_data *tad) 2446 { 2447 klwp_t *clwp = ttolwp(curthread); 2448 2449 struct a { 2450 long addr; 2451 long len; 2452 long cmd; 2453 long arg; 2454 long attr; 2455 long mask; 2456 } *uap = (struct a *)clwp->lwp_ap; 2457 2458 #ifdef _LP64 2459 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2460 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2461 #else 2462 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2463 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2464 #endif 2465 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2466 #ifdef _LP64 2467 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2468 #else 2469 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2470 #endif 2471 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2472 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2473 } 2474 2475 /*ARGSUSED*/ 2476 static void 2477 aus_mmap(struct t_audit_data *tad) 2478 { 2479 klwp_t *clwp = ttolwp(curthread); 2480 struct file *fp; 2481 struct f_audit_data *fad; 2482 struct vnode *vp; 2483 uint32_t fd; 2484 2485 struct a { 2486 long addr; 2487 long len; 2488 long prot; 2489 long flags; 2490 long fd; 2491 long pos; 2492 } *uap = (struct a *)clwp->lwp_ap; 2493 2494 fd = (uint32_t)uap->fd; 2495 2496 #ifdef _LP64 2497 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2498 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2499 #else 2500 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2501 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2502 #endif 2503 2504 if ((fp = getf(fd)) == NULL) { 2505 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2506 return; 2507 } 2508 2509 /* 2510 * Mark in the tad if write access is NOT requested... if 2511 * this is later detected (in audit_attributes) to be a 2512 * public object, the mmap event may be discarded. 2513 */ 2514 if (((uap->prot) & PROT_WRITE) == 0) { 2515 tad->tad_ctrl |= TAD_PUBLIC_EV; 2516 } 2517 2518 fad = F2A(fp); 2519 if (fad->fad_aupath != NULL) { 2520 au_uwrite(au_to_path(fad->fad_aupath)); 2521 } else { 2522 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2523 } 2524 2525 vp = (struct vnode *)fp->f_vnode; 2526 audit_attributes(vp); 2527 2528 /* mark READ/WRITE since we can't predict access */ 2529 if (uap->prot & PROT_READ) 2530 fad->fad_flags |= FAD_READ; 2531 if (uap->prot & PROT_WRITE) 2532 fad->fad_flags |= FAD_WRITE; 2533 2534 /* decrement file descriptor reference count */ 2535 releasef(fd); 2536 2537 } /* AUS_MMAP */ 2538 2539 2540 2541 2542 /*ARGSUSED*/ 2543 static void 2544 aus_munmap(struct t_audit_data *tad) 2545 { 2546 klwp_t *clwp = ttolwp(curthread); 2547 2548 struct a { 2549 long addr; 2550 long len; 2551 } *uap = (struct a *)clwp->lwp_ap; 2552 2553 #ifdef _LP64 2554 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2555 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2556 #else 2557 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2558 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2559 #endif 2560 2561 } /* AUS_MUNMAP */ 2562 2563 2564 2565 2566 2567 2568 2569 /*ARGSUSED*/ 2570 static void 2571 aus_priocntlsys(struct t_audit_data *tad) 2572 { 2573 klwp_t *clwp = ttolwp(curthread); 2574 2575 struct a { 2576 long pc_version; 2577 long psp; /* procset_t */ 2578 long cmd; 2579 long arg; 2580 } *uap = (struct a *)clwp->lwp_ap; 2581 2582 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2583 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2584 2585 } /* AUS_PRIOCNTLSYS */ 2586 2587 2588 /*ARGSUSED*/ 2589 static void 2590 aus_setegid(struct t_audit_data *tad) 2591 { 2592 klwp_t *clwp = ttolwp(curthread); 2593 uint32_t gid; 2594 2595 struct a { 2596 long gid; 2597 } *uap = (struct a *)clwp->lwp_ap; 2598 2599 gid = (uint32_t)uap->gid; 2600 2601 au_uwrite(au_to_arg32(1, "gid", gid)); 2602 } /* AUS_SETEGID */ 2603 2604 2605 2606 2607 /*ARGSUSED*/ 2608 static void 2609 aus_setgroups(struct t_audit_data *tad) 2610 { 2611 klwp_t *clwp = ttolwp(curthread); 2612 int i; 2613 int gidsetsize; 2614 uintptr_t gidset; 2615 gid_t *gidlist; 2616 2617 struct a { 2618 long gidsetsize; 2619 long gidset; 2620 } *uap = (struct a *)clwp->lwp_ap; 2621 2622 gidsetsize = (uint_t)uap->gidsetsize; 2623 gidset = (uintptr_t)uap->gidset; 2624 2625 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2626 return; 2627 if (gidsetsize != 0) { 2628 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2629 KM_SLEEP); 2630 if (copyin((caddr_t)gidset, gidlist, 2631 gidsetsize * sizeof (gid_t)) == 0) 2632 for (i = 0; i < gidsetsize; i++) 2633 au_uwrite(au_to_arg32(1, "setgroups", 2634 (uint32_t)gidlist[i])); 2635 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2636 } else 2637 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2638 2639 } /* AUS_SETGROUPS */ 2640 2641 2642 2643 2644 2645 /*ARGSUSED*/ 2646 static void 2647 aus_seteuid(struct t_audit_data *tad) 2648 { 2649 klwp_t *clwp = ttolwp(curthread); 2650 uint32_t uid; 2651 2652 struct a { 2653 long uid; 2654 } *uap = (struct a *)clwp->lwp_ap; 2655 2656 uid = (uint32_t)uap->uid; 2657 2658 au_uwrite(au_to_arg32(1, "euid", uid)); 2659 2660 } /* AUS_SETEUID */ 2661 2662 /*ARGSUSED*/ 2663 static void 2664 aus_putmsg(struct t_audit_data *tad) 2665 { 2666 klwp_t *clwp = ttolwp(curthread); 2667 uint32_t fd, pri; 2668 struct file *fp; 2669 struct f_audit_data *fad; 2670 2671 struct a { 2672 long fdes; 2673 long ctl; /* struct strbuf * */ 2674 long data; /* struct strbuf * */ 2675 long pri; 2676 } *uap = (struct a *)clwp->lwp_ap; 2677 2678 fd = (uint32_t)uap->fdes; 2679 pri = (uint32_t)uap->pri; 2680 2681 au_uwrite(au_to_arg32(1, "fd", fd)); 2682 2683 if ((fp = getf(fd)) != NULL) { 2684 fad = F2A(fp); 2685 2686 fad->fad_flags |= FAD_WRITE; 2687 2688 /* add path name to audit record */ 2689 if (fad->fad_aupath != NULL) { 2690 au_uwrite(au_to_path(fad->fad_aupath)); 2691 } 2692 audit_attributes(fp->f_vnode); 2693 2694 releasef(fd); 2695 } 2696 2697 au_uwrite(au_to_arg32(4, "pri", pri)); 2698 } 2699 2700 /*ARGSUSED*/ 2701 static void 2702 aus_putpmsg(struct t_audit_data *tad) 2703 { 2704 klwp_t *clwp = ttolwp(curthread); 2705 uint32_t fd, pri, flags; 2706 struct file *fp; 2707 struct f_audit_data *fad; 2708 2709 struct a { 2710 long fdes; 2711 long ctl; /* struct strbuf * */ 2712 long data; /* struct strbuf * */ 2713 long pri; 2714 long flags; 2715 } *uap = (struct a *)clwp->lwp_ap; 2716 2717 fd = (uint32_t)uap->fdes; 2718 pri = (uint32_t)uap->pri; 2719 flags = (uint32_t)uap->flags; 2720 2721 au_uwrite(au_to_arg32(1, "fd", fd)); 2722 2723 if ((fp = getf(fd)) != NULL) { 2724 fad = F2A(fp); 2725 2726 fad->fad_flags |= FAD_WRITE; 2727 2728 /* add path name to audit record */ 2729 if (fad->fad_aupath != NULL) { 2730 au_uwrite(au_to_path(fad->fad_aupath)); 2731 } 2732 audit_attributes(fp->f_vnode); 2733 2734 releasef(fd); 2735 } 2736 2737 2738 au_uwrite(au_to_arg32(4, "pri", pri)); 2739 au_uwrite(au_to_arg32(5, "flags", flags)); 2740 } 2741 2742 /*ARGSUSED*/ 2743 static void 2744 aus_getmsg(struct t_audit_data *tad) 2745 { 2746 klwp_t *clwp = ttolwp(curthread); 2747 uint32_t fd, pri; 2748 struct file *fp; 2749 struct f_audit_data *fad; 2750 2751 struct a { 2752 long fdes; 2753 long ctl; /* struct strbuf * */ 2754 long data; /* struct strbuf * */ 2755 long pri; 2756 } *uap = (struct a *)clwp->lwp_ap; 2757 2758 fd = (uint32_t)uap->fdes; 2759 pri = (uint32_t)uap->pri; 2760 2761 au_uwrite(au_to_arg32(1, "fd", fd)); 2762 2763 if ((fp = getf(fd)) != NULL) { 2764 fad = F2A(fp); 2765 2766 /* 2767 * read operation on this object 2768 */ 2769 fad->fad_flags |= FAD_READ; 2770 2771 /* add path name to audit record */ 2772 if (fad->fad_aupath != NULL) { 2773 au_uwrite(au_to_path(fad->fad_aupath)); 2774 } 2775 audit_attributes(fp->f_vnode); 2776 2777 releasef(fd); 2778 } 2779 2780 au_uwrite(au_to_arg32(4, "pri", pri)); 2781 } 2782 2783 /*ARGSUSED*/ 2784 static void 2785 aus_getpmsg(struct t_audit_data *tad) 2786 { 2787 klwp_t *clwp = ttolwp(curthread); 2788 uint32_t fd; 2789 struct file *fp; 2790 struct f_audit_data *fad; 2791 2792 struct a { 2793 long fdes; 2794 long ctl; /* struct strbuf * */ 2795 long data; /* struct strbuf * */ 2796 long pri; 2797 long flags; 2798 } *uap = (struct a *)clwp->lwp_ap; 2799 2800 fd = (uint32_t)uap->fdes; 2801 2802 au_uwrite(au_to_arg32(1, "fd", fd)); 2803 2804 if ((fp = getf(fd)) != NULL) { 2805 fad = F2A(fp); 2806 2807 /* 2808 * read operation on this object 2809 */ 2810 fad->fad_flags |= FAD_READ; 2811 2812 /* add path name to audit record */ 2813 if (fad->fad_aupath != NULL) { 2814 au_uwrite(au_to_path(fad->fad_aupath)); 2815 } 2816 audit_attributes(fp->f_vnode); 2817 2818 releasef(fd); 2819 } 2820 } 2821 2822 static au_event_t 2823 aui_labelsys(au_event_t e) 2824 { 2825 klwp_t *clwp = ttolwp(curthread); 2826 uint32_t code; 2827 uint32_t cmd; 2828 2829 struct a { 2830 long code; 2831 long cmd; 2832 } *uap = (struct a *)clwp->lwp_ap; 2833 2834 code = (uint32_t)uap->code; 2835 cmd = (uint32_t)uap->cmd; 2836 2837 /* not security relevant if not changing kernel cache */ 2838 if (cmd == TNDB_GET) 2839 return (AUE_NULL); 2840 2841 switch (code) { 2842 case TSOL_TNRH: 2843 e = AUE_LABELSYS_TNRH; 2844 break; 2845 case TSOL_TNRHTP: 2846 e = AUE_LABELSYS_TNRHTP; 2847 break; 2848 case TSOL_TNMLP: 2849 e = AUE_LABELSYS_TNMLP; 2850 break; 2851 default: 2852 e = AUE_NULL; 2853 break; 2854 } 2855 2856 return (e); 2857 2858 } 2859 2860 static void 2861 aus_labelsys(struct t_audit_data *tad) 2862 { 2863 klwp_t *clwp = ttolwp(curthread); 2864 uint32_t cmd; 2865 uintptr_t a2; 2866 2867 struct a { 2868 long code; 2869 long cmd; 2870 long a2; 2871 } *uap = (struct a *)clwp->lwp_ap; 2872 2873 cmd = (uint32_t)uap->cmd; 2874 a2 = (uintptr_t)uap->a2; 2875 2876 switch (tad->tad_event) { 2877 case AUE_LABELSYS_TNRH: 2878 { 2879 tsol_rhent_t *rhent; 2880 tnaddr_t *rh_addr; 2881 2882 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2883 2884 /* Remaining args don't apply for FLUSH, so skip */ 2885 if (cmd == TNDB_FLUSH) 2886 break; 2887 2888 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2889 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2890 kmem_free(rhent, sizeof (tsol_rhent_t)); 2891 return; 2892 } 2893 2894 rh_addr = &rhent->rh_address; 2895 if (rh_addr->ta_family == AF_INET) { 2896 struct in_addr *ipaddr; 2897 2898 ipaddr = &(rh_addr->ta_addr_v4); 2899 au_uwrite(au_to_in_addr(ipaddr)); 2900 } else if (rh_addr->ta_family == AF_INET6) { 2901 int32_t *ipaddr; 2902 2903 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2904 au_uwrite(au_to_in_addr_ex(ipaddr)); 2905 } 2906 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2907 2908 kmem_free(rhent, sizeof (tsol_rhent_t)); 2909 2910 break; 2911 } 2912 case AUE_LABELSYS_TNRHTP: 2913 { 2914 tsol_tpent_t *tpent; 2915 2916 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2917 2918 /* Remaining args don't apply for FLUSH, so skip */ 2919 if (cmd == TNDB_FLUSH) 2920 break; 2921 2922 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2923 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2924 kmem_free(tpent, sizeof (tsol_tpent_t)); 2925 return; 2926 } 2927 2928 /* Make sure that the template name is null-terminated. */ 2929 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2930 2931 au_uwrite(au_to_text(tpent->name)); 2932 kmem_free(tpent, sizeof (tsol_tpent_t)); 2933 2934 break; 2935 } 2936 case AUE_LABELSYS_TNMLP: 2937 { 2938 tsol_mlpent_t *mlpent; 2939 2940 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2941 2942 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2943 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2944 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2945 return; 2946 } 2947 2948 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2949 au_uwrite(au_to_text("shared")); 2950 } else { 2951 zone_t *zone; 2952 2953 zone = zone_find_by_id(mlpent->tsme_zoneid); 2954 if (zone != NULL) { 2955 au_uwrite(au_to_text(zone->zone_name)); 2956 zone_rele(zone); 2957 } 2958 } 2959 2960 /* Remaining args don't apply for FLUSH, so skip */ 2961 if (cmd == TNDB_FLUSH) { 2962 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2963 break; 2964 } 2965 2966 au_uwrite(au_to_arg32(2, "proto num", 2967 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2968 au_uwrite(au_to_arg32(2, "mlp_port", 2969 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2970 2971 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2972 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2973 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2974 2975 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2976 2977 break; 2978 } 2979 default: 2980 break; 2981 } 2982 } 2983 2984 2985 static au_event_t 2986 aui_auditsys(au_event_t e) 2987 { 2988 klwp_t *clwp = ttolwp(curthread); 2989 uint32_t code; 2990 2991 struct a { 2992 long code; 2993 long a1; 2994 long a2; 2995 long a3; 2996 long a4; 2997 long a5; 2998 long a6; 2999 long a7; 3000 } *uap = (struct a *)clwp->lwp_ap; 3001 3002 code = (uint32_t)uap->code; 3003 3004 switch (code) { 3005 3006 case BSM_GETAUID: 3007 e = AUE_GETAUID; 3008 break; 3009 case BSM_SETAUID: 3010 e = AUE_SETAUID; 3011 break; 3012 case BSM_GETAUDIT: 3013 e = AUE_GETAUDIT; 3014 break; 3015 case BSM_GETAUDIT_ADDR: 3016 e = AUE_GETAUDIT_ADDR; 3017 break; 3018 case BSM_SETAUDIT: 3019 e = AUE_SETAUDIT; 3020 break; 3021 case BSM_SETAUDIT_ADDR: 3022 e = AUE_SETAUDIT_ADDR; 3023 break; 3024 case BSM_AUDIT: 3025 e = AUE_AUDIT; 3026 break; 3027 case BSM_AUDITCTL: 3028 switch ((uint_t)uap->a1) { 3029 3030 case A_GETPOLICY: 3031 e = AUE_AUDITON_GPOLICY; 3032 break; 3033 case A_SETPOLICY: 3034 e = AUE_AUDITON_SPOLICY; 3035 break; 3036 case A_GETAMASK: 3037 e = AUE_AUDITON_GETAMASK; 3038 break; 3039 case A_SETAMASK: 3040 e = AUE_AUDITON_SETAMASK; 3041 break; 3042 case A_GETKMASK: 3043 e = AUE_AUDITON_GETKMASK; 3044 break; 3045 case A_SETKMASK: 3046 e = AUE_AUDITON_SETKMASK; 3047 break; 3048 case A_GETQCTRL: 3049 e = AUE_AUDITON_GQCTRL; 3050 break; 3051 case A_SETQCTRL: 3052 e = AUE_AUDITON_SQCTRL; 3053 break; 3054 case A_GETCWD: 3055 e = AUE_AUDITON_GETCWD; 3056 break; 3057 case A_GETCAR: 3058 e = AUE_AUDITON_GETCAR; 3059 break; 3060 case A_GETSTAT: 3061 e = AUE_AUDITON_GETSTAT; 3062 break; 3063 case A_SETSTAT: 3064 e = AUE_AUDITON_SETSTAT; 3065 break; 3066 case A_SETUMASK: 3067 e = AUE_AUDITON_SETUMASK; 3068 break; 3069 case A_SETSMASK: 3070 e = AUE_AUDITON_SETSMASK; 3071 break; 3072 case A_GETCOND: 3073 e = AUE_AUDITON_GETCOND; 3074 break; 3075 case A_SETCOND: 3076 e = AUE_AUDITON_SETCOND; 3077 break; 3078 case A_GETCLASS: 3079 e = AUE_AUDITON_GETCLASS; 3080 break; 3081 case A_SETCLASS: 3082 e = AUE_AUDITON_SETCLASS; 3083 break; 3084 case A_GETPINFO: 3085 case A_GETPINFO_ADDR: 3086 e = AUE_AUDITON_GETPINFO; 3087 break; 3088 case A_SETPMASK: 3089 e = AUE_AUDITON_SETPMASK; 3090 break; 3091 case A_GETKAUDIT: 3092 e = AUE_AUDITON_GETKAUDIT; 3093 break; 3094 case A_SETKAUDIT: 3095 e = AUE_AUDITON_SETKAUDIT; 3096 break; 3097 default: 3098 e = AUE_AUDITON_OTHER; 3099 break; 3100 } 3101 break; 3102 default: 3103 e = AUE_NULL; 3104 break; 3105 } 3106 3107 return (e); 3108 3109 } /* AUI_AUDITSYS */ 3110 3111 3112 static void 3113 aus_auditsys(struct t_audit_data *tad) 3114 { 3115 klwp_t *clwp = ttolwp(curthread); 3116 uintptr_t a1, a2; 3117 STRUCT_DECL(auditinfo, ainfo); 3118 STRUCT_DECL(auditinfo_addr, ainfo_addr); 3119 STRUCT_DECL(auditpinfo, apinfo); 3120 au_evclass_map_t event; 3121 au_mask_t mask; 3122 int auditstate, policy; 3123 au_id_t auid; 3124 3125 3126 struct a { 3127 long code; 3128 long a1; 3129 long a2; 3130 long a3; 3131 long a4; 3132 long a5; 3133 long a6; 3134 long a7; 3135 } *uap = (struct a *)clwp->lwp_ap; 3136 3137 a1 = (uintptr_t)uap->a1; 3138 a2 = (uintptr_t)uap->a2; 3139 3140 switch (tad->tad_event) { 3141 case AUE_SETAUID: 3142 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 3143 return; 3144 au_uwrite(au_to_arg32(2, "setauid", auid)); 3145 break; 3146 case AUE_SETAUDIT: 3147 STRUCT_INIT(ainfo, get_udatamodel()); 3148 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 3149 STRUCT_SIZE(ainfo))) { 3150 return; 3151 } 3152 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 3153 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 3154 #ifdef _LP64 3155 au_uwrite(au_to_arg64((char)1, "setaudit:port", 3156 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 3157 #else 3158 au_uwrite(au_to_arg32((char)1, "setaudit:port", 3159 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 3160 #endif 3161 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 3162 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 3163 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 3164 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3165 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 3166 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3167 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 3168 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 3169 break; 3170 case AUE_SETAUDIT_ADDR: 3171 STRUCT_INIT(ainfo_addr, get_udatamodel()); 3172 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 3173 STRUCT_SIZE(ainfo_addr))) { 3174 return; 3175 } 3176 au_uwrite(au_to_arg32((char)1, "auid", 3177 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 3178 #ifdef _LP64 3179 au_uwrite(au_to_arg64((char)1, "port", 3180 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3181 #else 3182 au_uwrite(au_to_arg32((char)1, "port", 3183 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3184 #endif 3185 au_uwrite(au_to_arg32((char)1, "type", 3186 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 3187 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 3188 AU_IPv4) { 3189 au_uwrite(au_to_in_addr( 3190 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 3191 ai_termid.at_addr))); 3192 } else { 3193 au_uwrite(au_to_in_addr_ex( 3194 (int32_t *)STRUCT_FGETP(ainfo_addr, 3195 ai_termid.at_addr))); 3196 } 3197 au_uwrite(au_to_arg32((char)1, "as_success", 3198 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3199 au_uwrite(au_to_arg32((char)1, "as_failure", 3200 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3201 au_uwrite(au_to_arg32((char)1, "asid", 3202 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3203 break; 3204 case AUE_AUDITON_SETAMASK: 3205 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3206 return; 3207 au_uwrite(au_to_arg32( 3208 2, "setamask:as_success", (uint32_t)mask.as_success)); 3209 au_uwrite(au_to_arg32( 3210 2, "setamask:as_failure", (uint32_t)mask.as_failure)); 3211 break; 3212 case AUE_AUDITON_SETKMASK: 3213 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3214 return; 3215 au_uwrite(au_to_arg32( 3216 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3217 au_uwrite(au_to_arg32( 3218 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3219 break; 3220 case AUE_AUDITON_SPOLICY: 3221 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3222 return; 3223 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3224 break; 3225 case AUE_AUDITON_SQCTRL: { 3226 STRUCT_DECL(au_qctrl, qctrl); 3227 model_t model; 3228 3229 model = get_udatamodel(); 3230 STRUCT_INIT(qctrl, model); 3231 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3232 return; 3233 if (model == DATAMODEL_ILP32) { 3234 au_uwrite(au_to_arg32( 3235 3, "setqctrl:aq_hiwater", 3236 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3237 au_uwrite(au_to_arg32( 3238 3, "setqctrl:aq_lowater", 3239 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3240 au_uwrite(au_to_arg32( 3241 3, "setqctrl:aq_bufsz", 3242 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3243 au_uwrite(au_to_arg32( 3244 3, "setqctrl:aq_delay", 3245 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3246 } else { 3247 au_uwrite(au_to_arg64( 3248 3, "setqctrl:aq_hiwater", 3249 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3250 au_uwrite(au_to_arg64( 3251 3, "setqctrl:aq_lowater", 3252 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3253 au_uwrite(au_to_arg64( 3254 3, "setqctrl:aq_bufsz", 3255 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3256 au_uwrite(au_to_arg64( 3257 3, "setqctrl:aq_delay", 3258 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3259 } 3260 break; 3261 } 3262 case AUE_AUDITON_SETUMASK: 3263 STRUCT_INIT(ainfo, get_udatamodel()); 3264 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3265 STRUCT_SIZE(ainfo))) { 3266 return; 3267 } 3268 au_uwrite(au_to_arg32(3, "setumask:as_success", 3269 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3270 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3271 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3272 break; 3273 case AUE_AUDITON_SETSMASK: 3274 STRUCT_INIT(ainfo, get_udatamodel()); 3275 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3276 STRUCT_SIZE(ainfo))) { 3277 return; 3278 } 3279 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3280 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3281 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3282 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3283 break; 3284 case AUE_AUDITON_SETCOND: 3285 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3286 return; 3287 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3288 break; 3289 case AUE_AUDITON_SETCLASS: 3290 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3291 return; 3292 au_uwrite(au_to_arg32( 3293 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3294 au_uwrite(au_to_arg32( 3295 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3296 break; 3297 case AUE_AUDITON_SETPMASK: 3298 STRUCT_INIT(apinfo, get_udatamodel()); 3299 if (copyin((caddr_t)uap->a2, STRUCT_BUF(apinfo), 3300 STRUCT_SIZE(apinfo))) { 3301 return; 3302 } 3303 au_uwrite(au_to_arg32(3, "setpmask:pid", 3304 (uint32_t)STRUCT_FGET(apinfo, ap_pid))); 3305 au_uwrite(au_to_arg32(3, "setpmask:as_success", 3306 (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_success))); 3307 au_uwrite(au_to_arg32(3, "setpmask:as_failure", 3308 (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_failure))); 3309 break; 3310 case AUE_AUDITON_SETKAUDIT: 3311 STRUCT_INIT(ainfo_addr, get_udatamodel()); 3312 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 3313 STRUCT_SIZE(ainfo_addr))) { 3314 return; 3315 } 3316 au_uwrite(au_to_arg32((char)1, "auid", 3317 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 3318 #ifdef _LP64 3319 au_uwrite(au_to_arg64((char)1, "port", 3320 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3321 #else 3322 au_uwrite(au_to_arg32((char)1, "port", 3323 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3324 #endif 3325 au_uwrite(au_to_arg32((char)1, "type", 3326 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 3327 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 3328 AU_IPv4) { 3329 au_uwrite(au_to_in_addr( 3330 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 3331 ai_termid.at_addr))); 3332 } else { 3333 au_uwrite(au_to_in_addr_ex( 3334 (int32_t *)STRUCT_FGETP(ainfo_addr, 3335 ai_termid.at_addr))); 3336 } 3337 au_uwrite(au_to_arg32((char)1, "as_success", 3338 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3339 au_uwrite(au_to_arg32((char)1, "as_failure", 3340 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3341 au_uwrite(au_to_arg32((char)1, "asid", 3342 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3343 break; 3344 case AUE_GETAUID: 3345 case AUE_GETAUDIT: 3346 case AUE_GETAUDIT_ADDR: 3347 case AUE_AUDIT: 3348 case AUE_AUDITON_GPOLICY: 3349 case AUE_AUDITON_GQCTRL: 3350 case AUE_AUDITON_GETAMASK: 3351 case AUE_AUDITON_GETKMASK: 3352 case AUE_AUDITON_GETCWD: 3353 case AUE_AUDITON_GETCAR: 3354 case AUE_AUDITON_GETSTAT: 3355 case AUE_AUDITON_SETSTAT: 3356 case AUE_AUDITON_GETCOND: 3357 case AUE_AUDITON_GETCLASS: 3358 case AUE_AUDITON_GETPINFO: 3359 case AUE_AUDITON_GETKAUDIT: 3360 case AUE_AUDITON_OTHER: 3361 break; 3362 default: 3363 break; 3364 } 3365 3366 } /* AUS_AUDITSYS */ 3367 3368 3369 /* only audit privileged operations for systeminfo(2) system call */ 3370 static au_event_t 3371 aui_sysinfo(au_event_t e) 3372 { 3373 klwp_t *clwp = ttolwp(curthread); 3374 uint32_t command; 3375 3376 struct a { 3377 long command; 3378 long buf; /* char * */ 3379 long count; 3380 } *uap = (struct a *)clwp->lwp_ap; 3381 3382 command = (uint32_t)uap->command; 3383 3384 switch (command) { 3385 case SI_SET_HOSTNAME: 3386 case SI_SET_SRPC_DOMAIN: 3387 e = (au_event_t)AUE_SYSINFO; 3388 break; 3389 default: 3390 e = (au_event_t)AUE_NULL; 3391 break; 3392 } 3393 return (e); 3394 } 3395 3396 /*ARGSUSED*/ 3397 static void 3398 aus_sysinfo(struct t_audit_data *tad) 3399 { 3400 klwp_t *clwp = ttolwp(curthread); 3401 uint32_t command; 3402 size_t len, maxlen; 3403 char *name; 3404 uintptr_t buf; 3405 3406 struct a { 3407 long command; 3408 long buf; /* char * */ 3409 long count; 3410 } *uap = (struct a *)clwp->lwp_ap; 3411 3412 command = (uint32_t)uap->command; 3413 buf = (uintptr_t)uap->buf; 3414 3415 au_uwrite(au_to_arg32(1, "cmd", command)); 3416 3417 switch (command) { 3418 case SI_SET_HOSTNAME: 3419 { 3420 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3421 return; 3422 3423 maxlen = SYS_NMLN; 3424 name = kmem_alloc(maxlen, KM_SLEEP); 3425 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3426 break; 3427 3428 /* 3429 * Must be non-NULL string and string 3430 * must be less than SYS_NMLN chars. 3431 */ 3432 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3433 break; 3434 3435 au_uwrite(au_to_text(name)); 3436 break; 3437 } 3438 3439 case SI_SET_SRPC_DOMAIN: 3440 { 3441 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3442 return; 3443 3444 maxlen = SYS_NMLN; 3445 name = kmem_alloc(maxlen, KM_SLEEP); 3446 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3447 break; 3448 3449 /* 3450 * If string passed in is longer than length 3451 * allowed for domain name, fail. 3452 */ 3453 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3454 break; 3455 3456 au_uwrite(au_to_text(name)); 3457 break; 3458 } 3459 3460 default: 3461 return; 3462 } 3463 3464 kmem_free(name, maxlen); 3465 } 3466 3467 static au_event_t 3468 aui_modctl(au_event_t e) 3469 { 3470 klwp_t *clwp = ttolwp(curthread); 3471 uint_t cmd; 3472 3473 struct a { 3474 long cmd; 3475 } *uap = (struct a *)clwp->lwp_ap; 3476 3477 cmd = (uint_t)uap->cmd; 3478 3479 switch (cmd) { 3480 case MODLOAD: 3481 e = AUE_MODLOAD; 3482 break; 3483 case MODUNLOAD: 3484 e = AUE_MODUNLOAD; 3485 break; 3486 case MODADDMAJBIND: 3487 e = AUE_MODADDMAJ; 3488 break; 3489 case MODSETDEVPOLICY: 3490 e = AUE_MODDEVPLCY; 3491 break; 3492 case MODALLOCPRIV: 3493 e = AUE_MODADDPRIV; 3494 break; 3495 default: 3496 e = AUE_NULL; 3497 break; 3498 } 3499 return (e); 3500 } 3501 3502 3503 /*ARGSUSED*/ 3504 static void 3505 aus_modctl(struct t_audit_data *tad) 3506 { 3507 klwp_t *clwp = ttolwp(curthread); 3508 void *a = clwp->lwp_ap; 3509 uint_t use_path; 3510 3511 switch (tad->tad_event) { 3512 case AUE_MODLOAD: { 3513 typedef struct { 3514 long cmd; 3515 long use_path; 3516 long filename; /* char * */ 3517 } modloada_t; 3518 3519 char *filenamep; 3520 uintptr_t fname; 3521 extern char *default_path; 3522 3523 fname = (uintptr_t)((modloada_t *)a)->filename; 3524 use_path = (uint_t)((modloada_t *)a)->use_path; 3525 3526 /* space to hold path */ 3527 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3528 /* get string */ 3529 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3530 /* free allocated path */ 3531 kmem_free(filenamep, MOD_MAXPATH); 3532 return; 3533 } 3534 /* ensure it's null terminated */ 3535 filenamep[MOD_MAXPATH - 1] = 0; 3536 3537 if (use_path) 3538 au_uwrite(au_to_text(default_path)); 3539 au_uwrite(au_to_text(filenamep)); 3540 3541 /* release temporary memory */ 3542 kmem_free(filenamep, MOD_MAXPATH); 3543 break; 3544 } 3545 case AUE_MODUNLOAD: { 3546 typedef struct { 3547 long cmd; 3548 long id; 3549 } modunloada_t; 3550 3551 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3552 3553 au_uwrite(au_to_arg32(1, "id", id)); 3554 break; 3555 } 3556 case AUE_MODADDMAJ: { 3557 STRUCT_DECL(modconfig, mc); 3558 typedef struct { 3559 long cmd; 3560 long subcmd; 3561 long data; /* int * */ 3562 } modconfiga_t; 3563 3564 STRUCT_DECL(aliases, alias); 3565 caddr_t ap; 3566 int i, num_aliases; 3567 char *drvname, *mc_drvname; 3568 char *name; 3569 extern char *ddi_major_to_name(major_t); 3570 model_t model; 3571 3572 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3573 3574 model = get_udatamodel(); 3575 STRUCT_INIT(mc, model); 3576 /* sanitize buffer */ 3577 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3578 /* get user arguments */ 3579 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3580 STRUCT_SIZE(mc)) != 0) 3581 return; 3582 3583 mc_drvname = STRUCT_FGET(mc, drvname); 3584 if ((drvname = ddi_major_to_name( 3585 (major_t)STRUCT_FGET(mc, major))) != NULL && 3586 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3587 /* safety */ 3588 if (mc_drvname[0] != '\0') { 3589 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3590 au_uwrite(au_to_text(mc_drvname)); 3591 } 3592 /* drvname != NULL from test above */ 3593 au_uwrite(au_to_text(drvname)); 3594 return; 3595 } 3596 3597 if (mc_drvname[0] != '\0') { 3598 /* safety */ 3599 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3600 au_uwrite(au_to_text(mc_drvname)); 3601 } else 3602 au_uwrite(au_to_text("no drvname")); 3603 3604 num_aliases = STRUCT_FGET(mc, num_aliases); 3605 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3606 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3607 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3608 STRUCT_INIT(alias, model); 3609 for (i = 0; i < num_aliases; i++) { 3610 bzero((caddr_t)STRUCT_BUF(alias), 3611 STRUCT_SIZE(alias)); 3612 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3613 STRUCT_SIZE(alias)) != 0) 3614 break; 3615 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3616 MAXMODCONFNAME, NULL) != 0) { 3617 break; 3618 } 3619 3620 au_uwrite(au_to_text(name)); 3621 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3622 } 3623 kmem_free(name, MAXMODCONFNAME); 3624 break; 3625 } 3626 default: 3627 break; 3628 } 3629 } 3630 3631 3632 /*ARGSUSED*/ 3633 static void 3634 auf_accept( 3635 struct t_audit_data *tad, 3636 int error, 3637 rval_t *rval) 3638 { 3639 uint32_t scid; 3640 uint32_t sy_flags; 3641 int fd; 3642 struct sonode *so; 3643 char so_laddr[sizeof (struct sockaddr_in6)]; 3644 char so_faddr[sizeof (struct sockaddr_in6)]; 3645 int err; 3646 short so_family, so_type; 3647 int add_sock_token = 0; 3648 3649 /* need to determine type of executing binary */ 3650 scid = tad->tad_scid; 3651 #ifdef _SYSCALL32_IMPL 3652 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3653 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3654 else 3655 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3656 #else 3657 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3658 #endif 3659 switch (sy_flags) { 3660 case SE_32RVAL1: 3661 /* FALLTHRU */ 3662 case SE_32RVAL2|SE_32RVAL1: 3663 fd = rval->r_val1; 3664 break; 3665 case SE_64RVAL: 3666 fd = (int)rval->r_vals; 3667 break; 3668 default: 3669 /* 3670 * should never happen, seems to be an internal error 3671 * in sysent => no fd, nothing to audit here, returning 3672 */ 3673 return; 3674 } 3675 3676 if (error) { 3677 /* can't trust socket contents. Just return */ 3678 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3679 return; 3680 } 3681 3682 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3683 /* 3684 * not security relevant if doing a accept from non socket 3685 * so no extra tokens. Should probably turn off audit record 3686 * generation here. 3687 */ 3688 return; 3689 } 3690 3691 so_family = so->so_family; 3692 so_type = so->so_type; 3693 3694 switch (so_family) { 3695 case AF_INET: 3696 case AF_INET6: 3697 /* 3698 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3699 */ 3700 if (so->so_type == SOCK_STREAM) { 3701 socklen_t len; 3702 3703 bzero((void *)so_laddr, sizeof (so_laddr)); 3704 bzero((void *)so_faddr, sizeof (so_faddr)); 3705 3706 len = sizeof (so_laddr); 3707 (void) socket_getsockname(so, 3708 (struct sockaddr *)so_laddr, &len, CRED()); 3709 len = sizeof (so_faddr); 3710 (void) socket_getpeername(so, 3711 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3712 3713 add_sock_token = 1; 3714 } 3715 break; 3716 3717 default: 3718 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3719 break; 3720 } 3721 3722 releasef(fd); 3723 3724 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3725 3726 if (add_sock_token == 0) { 3727 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3728 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3729 return; 3730 } 3731 3732 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3733 3734 } 3735 3736 /*ARGSUSED*/ 3737 static void 3738 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3739 { 3740 struct a { 3741 long fd; 3742 long addr; 3743 long len; 3744 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3745 3746 struct sonode *so; 3747 char so_laddr[sizeof (struct sockaddr_in6)]; 3748 char so_faddr[sizeof (struct sockaddr_in6)]; 3749 int err, fd; 3750 socklen_t len; 3751 short so_family, so_type; 3752 int add_sock_token = 0; 3753 3754 fd = (int)uap->fd; 3755 3756 /* 3757 * bind failed, then nothing extra to add to audit record. 3758 */ 3759 if (error) { 3760 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3761 /* XXX may want to add failed address some day */ 3762 return; 3763 } 3764 3765 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3766 /* 3767 * not security relevant if doing a bind from non socket 3768 * so no extra tokens. Should probably turn off audit record 3769 * generation here. 3770 */ 3771 return; 3772 } 3773 3774 so_family = so->so_family; 3775 so_type = so->so_type; 3776 3777 switch (so_family) { 3778 case AF_INET: 3779 case AF_INET6: 3780 3781 bzero(so_faddr, sizeof (so_faddr)); 3782 len = sizeof (so_faddr); 3783 3784 (void) socket_getpeername(so, 3785 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3786 add_sock_token = 1; 3787 3788 break; 3789 3790 case AF_UNIX: 3791 /* token added by lookup */ 3792 break; 3793 default: 3794 /* AF_ROUTE, AF_KEY do not support accept */ 3795 break; 3796 } 3797 3798 releasef(fd); 3799 3800 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3801 3802 if (add_sock_token == 0) { 3803 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3804 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3805 return; 3806 } 3807 3808 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3809 3810 } 3811 3812 /*ARGSUSED*/ 3813 static void 3814 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3815 { 3816 struct a { 3817 long fd; 3818 long addr; 3819 long len; 3820 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3821 3822 struct sonode *so; 3823 char so_laddr[sizeof (struct sockaddr_in6)]; 3824 char so_faddr[sizeof (struct sockaddr_in6)]; 3825 int err, fd; 3826 socklen_t len; 3827 short so_family, so_type; 3828 int add_sock_token = 0; 3829 3830 fd = (int)uap->fd; 3831 3832 3833 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3834 /* 3835 * not security relevant if doing a connect from non socket 3836 * so no extra tokens. Should probably turn off audit record 3837 * generation here. 3838 */ 3839 return; 3840 } 3841 3842 so_family = so->so_family; 3843 so_type = so->so_type; 3844 3845 switch (so_family) { 3846 case AF_INET: 3847 case AF_INET6: 3848 3849 bzero(so_laddr, sizeof (so_laddr)); 3850 bzero(so_faddr, sizeof (so_faddr)); 3851 3852 len = sizeof (so_laddr); 3853 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3854 &len, CRED()); 3855 if (error) { 3856 if (uap->addr == 0) 3857 break; 3858 if (uap->len <= 0) 3859 break; 3860 len = min(uap->len, sizeof (so_faddr)); 3861 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3862 break; 3863 #ifdef NOTYET 3864 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3865 #endif 3866 } else { 3867 /* sanity check on length */ 3868 len = sizeof (so_faddr); 3869 (void) socket_getpeername(so, 3870 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3871 } 3872 3873 add_sock_token = 1; 3874 3875 break; 3876 3877 case AF_UNIX: 3878 /* does a lookup on name */ 3879 break; 3880 3881 default: 3882 /* AF_ROUTE, AF_KEY do not support accept */ 3883 break; 3884 } 3885 3886 releasef(fd); 3887 3888 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3889 3890 if (add_sock_token == 0) { 3891 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3892 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3893 return; 3894 } 3895 3896 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3897 3898 } 3899 3900 /*ARGSUSED*/ 3901 static void 3902 aus_shutdown(struct t_audit_data *tad) 3903 { 3904 struct a { 3905 long fd; 3906 long how; 3907 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3908 3909 struct sonode *so; 3910 char so_laddr[sizeof (struct sockaddr_in6)]; 3911 char so_faddr[sizeof (struct sockaddr_in6)]; 3912 int err, fd; 3913 socklen_t len; 3914 short so_family, so_type; 3915 int add_sock_token = 0; 3916 file_t *fp; /* unix domain sockets */ 3917 struct f_audit_data *fad; /* unix domain sockets */ 3918 3919 fd = (int)uap->fd; 3920 3921 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3922 /* 3923 * not security relevant if doing a shutdown using non socket 3924 * so no extra tokens. Should probably turn off audit record 3925 * generation here. 3926 */ 3927 return; 3928 } 3929 3930 so_family = so->so_family; 3931 so_type = so->so_type; 3932 3933 switch (so_family) { 3934 case AF_INET: 3935 case AF_INET6: 3936 3937 bzero(so_laddr, sizeof (so_laddr)); 3938 bzero(so_faddr, sizeof (so_faddr)); 3939 3940 len = sizeof (so_laddr); 3941 (void) socket_getsockname(so, 3942 (struct sockaddr *)so_laddr, &len, CRED()); 3943 len = sizeof (so_faddr); 3944 (void) socket_getpeername(so, 3945 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3946 3947 add_sock_token = 1; 3948 3949 break; 3950 3951 case AF_UNIX: 3952 3953 /* get path from file struct here */ 3954 fad = F2A(fp); 3955 ASSERT(fad); 3956 3957 if (fad->fad_aupath != NULL) { 3958 au_uwrite(au_to_path(fad->fad_aupath)); 3959 } else { 3960 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3961 } 3962 3963 audit_attributes(fp->f_vnode); 3964 3965 break; 3966 3967 default: 3968 /* 3969 * AF_KEY and AF_ROUTE support shutdown. No socket token 3970 * added. 3971 */ 3972 break; 3973 } 3974 3975 releasef(fd); 3976 3977 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3978 3979 if (add_sock_token == 0) { 3980 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3981 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3982 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3983 return; 3984 } 3985 3986 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3987 3988 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3989 3990 } 3991 3992 /*ARGSUSED*/ 3993 static void 3994 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3995 { 3996 struct a { 3997 long fd; 3998 long level; 3999 long optname; 4000 long *optval; 4001 long optlen; 4002 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4003 4004 struct sonode *so; 4005 char so_laddr[sizeof (struct sockaddr_in6)]; 4006 char so_faddr[sizeof (struct sockaddr_in6)]; 4007 char val[AU_BUFSIZE]; 4008 int err, fd; 4009 socklen_t len; 4010 short so_family, so_type; 4011 int add_sock_token = 0; 4012 file_t *fp; /* unix domain sockets */ 4013 struct f_audit_data *fad; /* unix domain sockets */ 4014 4015 fd = (int)uap->fd; 4016 4017 if (error) { 4018 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4019 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 4020 /* XXX may want to include other arguments */ 4021 return; 4022 } 4023 4024 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4025 /* 4026 * not security relevant if doing a setsockopt from non socket 4027 * so no extra tokens. Should probably turn off audit record 4028 * generation here. 4029 */ 4030 return; 4031 } 4032 4033 so_family = so->so_family; 4034 so_type = so->so_type; 4035 4036 switch (so_family) { 4037 case AF_INET: 4038 case AF_INET6: 4039 bzero((void *)so_laddr, sizeof (so_laddr)); 4040 bzero((void *)so_faddr, sizeof (so_faddr)); 4041 4042 /* get local and foreign addresses */ 4043 len = sizeof (so_laddr); 4044 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 4045 &len, CRED()); 4046 len = sizeof (so_faddr); 4047 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 4048 &len, B_FALSE, CRED()); 4049 4050 add_sock_token = 1; 4051 4052 break; 4053 4054 case AF_UNIX: 4055 4056 /* get path from file struct here */ 4057 fad = F2A(fp); 4058 ASSERT(fad); 4059 4060 if (fad->fad_aupath != NULL) { 4061 au_uwrite(au_to_path(fad->fad_aupath)); 4062 } else { 4063 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4064 } 4065 4066 audit_attributes(fp->f_vnode); 4067 4068 break; 4069 4070 default: 4071 /* 4072 * AF_KEY and AF_ROUTE support setsockopt. No socket token 4073 * added. 4074 */ 4075 break; 4076 } 4077 4078 releasef(fd); 4079 4080 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4081 4082 if (add_sock_token == 0) { 4083 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 4084 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 4085 } 4086 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 4087 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 4088 4089 bzero(val, sizeof (val)); 4090 len = min(uap->optlen, sizeof (val)); 4091 if ((len > 0) && 4092 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 4093 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 4094 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 4095 } 4096 4097 if (add_sock_token == 0) 4098 return; 4099 4100 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4101 4102 } 4103 4104 /*ARGSUSED*/ 4105 static void 4106 aus_sockconfig(struct t_audit_data *tad) 4107 { 4108 struct a { 4109 long cmd; 4110 long arg1; 4111 long arg2; 4112 long arg3; 4113 long arg4; 4114 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4115 4116 char *buf; 4117 int buflen; 4118 size_t size; 4119 4120 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4121 switch (uap->cmd) { 4122 case SOCKCONFIG_ADD_SOCK: 4123 case SOCKCONFIG_REMOVE_SOCK: 4124 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1)); 4125 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2)); 4126 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3)); 4127 4128 if (uap->arg4 == 0) { 4129 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0)); 4130 } else { 4131 buflen = MAXPATHLEN + 1; 4132 buf = kmem_alloc(buflen, KM_SLEEP); 4133 if (copyinstr((caddr_t)uap->arg4, buf, buflen, 4134 &size)) { 4135 kmem_free(buf, buflen); 4136 return; 4137 } 4138 4139 if (size > MAXPATHLEN) { 4140 kmem_free(buf, buflen); 4141 return; 4142 } 4143 4144 au_uwrite(au_to_text(buf)); 4145 kmem_free(buf, buflen); 4146 } 4147 break; 4148 case SOCKCONFIG_ADD_FILTER: 4149 case SOCKCONFIG_REMOVE_FILTER: 4150 buflen = FILNAME_MAX; 4151 buf = kmem_alloc(buflen, KM_SLEEP); 4152 4153 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) { 4154 kmem_free(buf, buflen); 4155 return; 4156 } 4157 4158 au_uwrite(au_to_text(buf)); 4159 kmem_free(buf, buflen); 4160 break; 4161 default: 4162 break; 4163 } 4164 } 4165 4166 /* 4167 * only audit recvmsg when the system call represents the creation of a new 4168 * circuit. This effectively occurs for all UDP packets and may occur for 4169 * special TCP situations where the local host has not set a local address 4170 * in the socket structure. 4171 */ 4172 /*ARGSUSED*/ 4173 static void 4174 auf_recvmsg( 4175 struct t_audit_data *tad, 4176 int error, 4177 rval_t *rvp) 4178 { 4179 struct a { 4180 long fd; 4181 long msg; /* struct msghdr */ 4182 long flags; 4183 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4184 4185 struct sonode *so; 4186 STRUCT_DECL(msghdr, msg); 4187 caddr_t msg_name; 4188 socklen_t msg_namelen; 4189 int fd; 4190 int err; 4191 char so_laddr[sizeof (struct sockaddr_in6)]; 4192 char so_faddr[sizeof (struct sockaddr_in6)]; 4193 socklen_t len; 4194 file_t *fp; /* unix domain sockets */ 4195 struct f_audit_data *fad; /* unix domain sockets */ 4196 short so_family, so_type; 4197 int add_sock_token = 0; 4198 au_kcontext_t *kctx = GET_KCTX_PZ; 4199 4200 fd = (int)uap->fd; 4201 4202 /* bail if an error */ 4203 if (error) { 4204 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4205 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4206 return; 4207 } 4208 4209 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4210 /* 4211 * not security relevant if doing a recvmsg from non socket 4212 * so no extra tokens. Should probably turn off audit record 4213 * generation here. 4214 */ 4215 return; 4216 } 4217 4218 so_family = so->so_family; 4219 so_type = so->so_type; 4220 4221 /* 4222 * only putout SOCKET_EX token if INET/INET6 family. 4223 * XXX - what do we do about other families? 4224 */ 4225 4226 switch (so_family) { 4227 case AF_INET: 4228 case AF_INET6: 4229 4230 /* 4231 * if datagram type socket, then just use what is in 4232 * socket structure for local address. 4233 * XXX - what do we do for other types? 4234 */ 4235 if ((so->so_type == SOCK_DGRAM) || 4236 (so->so_type == SOCK_RAW)) { 4237 add_sock_token = 1; 4238 4239 bzero((void *)so_laddr, sizeof (so_laddr)); 4240 bzero((void *)so_faddr, sizeof (so_faddr)); 4241 4242 /* get local address */ 4243 len = sizeof (so_laddr); 4244 (void) socket_getsockname(so, 4245 (struct sockaddr *)so_laddr, &len, CRED()); 4246 4247 /* get peer address */ 4248 STRUCT_INIT(msg, get_udatamodel()); 4249 4250 if (copyin((caddr_t)(uap->msg), 4251 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4252 break; 4253 } 4254 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4255 if (msg_name == NULL) { 4256 break; 4257 } 4258 4259 /* length is value from recvmsg - sanity check */ 4260 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4261 if (msg_namelen == 0) { 4262 break; 4263 } 4264 if (copyin(msg_name, so_faddr, 4265 sizeof (so_faddr)) != 0) { 4266 break; 4267 } 4268 4269 } else if (so->so_type == SOCK_STREAM) { 4270 4271 /* get path from file struct here */ 4272 fad = F2A(fp); 4273 ASSERT(fad); 4274 4275 /* 4276 * already processed this file for read attempt 4277 */ 4278 if (fad->fad_flags & FAD_READ) { 4279 /* don't want to audit every recvmsg attempt */ 4280 tad->tad_flag = 0; 4281 /* free any residual audit data */ 4282 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4283 releasef(fd); 4284 return; 4285 } 4286 /* 4287 * mark things so we know what happened and don't 4288 * repeat things 4289 */ 4290 fad->fad_flags |= FAD_READ; 4291 4292 bzero((void *)so_laddr, sizeof (so_laddr)); 4293 bzero((void *)so_faddr, sizeof (so_faddr)); 4294 4295 /* get local and foreign addresses */ 4296 len = sizeof (so_laddr); 4297 (void) socket_getsockname(so, 4298 (struct sockaddr *)so_laddr, &len, CRED()); 4299 len = sizeof (so_faddr); 4300 (void) socket_getpeername(so, 4301 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4302 4303 add_sock_token = 1; 4304 } 4305 4306 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4307 4308 break; 4309 4310 case AF_UNIX: 4311 /* 4312 * first check if this is first time through. Too much 4313 * duplicate code to put this in an aui_ routine. 4314 */ 4315 4316 /* get path from file struct here */ 4317 fad = F2A(fp); 4318 ASSERT(fad); 4319 4320 /* 4321 * already processed this file for read attempt 4322 */ 4323 if (fad->fad_flags & FAD_READ) { 4324 releasef(fd); 4325 /* don't want to audit every recvmsg attempt */ 4326 tad->tad_flag = 0; 4327 /* free any residual audit data */ 4328 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4329 return; 4330 } 4331 /* 4332 * mark things so we know what happened and don't 4333 * repeat things 4334 */ 4335 fad->fad_flags |= FAD_READ; 4336 4337 if (fad->fad_aupath != NULL) { 4338 au_uwrite(au_to_path(fad->fad_aupath)); 4339 } else { 4340 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4341 } 4342 4343 audit_attributes(fp->f_vnode); 4344 4345 releasef(fd); 4346 4347 return; 4348 4349 default: 4350 break; 4351 4352 } 4353 4354 releasef(fd); 4355 4356 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4357 4358 if (add_sock_token == 0) { 4359 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4360 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4361 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4362 return; 4363 } 4364 4365 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4366 4367 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4368 4369 } 4370 4371 /*ARGSUSED*/ 4372 static void 4373 auf_recvfrom( 4374 struct t_audit_data *tad, 4375 int error, 4376 rval_t *rvp) 4377 { 4378 4379 struct a { 4380 long fd; 4381 long msg; /* char */ 4382 long len; 4383 long flags; 4384 long from; /* struct sockaddr */ 4385 long fromlen; 4386 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4387 4388 socklen_t fromlen; 4389 struct sonode *so; 4390 char so_laddr[sizeof (struct sockaddr_in6)]; 4391 char so_faddr[sizeof (struct sockaddr_in6)]; 4392 int fd; 4393 short so_family, so_type; 4394 int add_sock_token = 0; 4395 socklen_t len; 4396 int err; 4397 struct file *fp; 4398 struct f_audit_data *fad; /* unix domain sockets */ 4399 au_kcontext_t *kctx = GET_KCTX_PZ; 4400 4401 fd = (int)uap->fd; 4402 4403 /* bail if an error */ 4404 if (error) { 4405 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4406 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4407 return; 4408 } 4409 4410 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4411 /* 4412 * not security relevant if doing a recvmsg from non socket 4413 * so no extra tokens. Should probably turn off audit record 4414 * generation here. 4415 */ 4416 return; 4417 } 4418 4419 so_family = so->so_family; 4420 so_type = so->so_type; 4421 4422 /* 4423 * only putout SOCKET_EX token if INET/INET6 family. 4424 * XXX - what do we do about other families? 4425 */ 4426 4427 switch (so_family) { 4428 case AF_INET: 4429 case AF_INET6: 4430 4431 /* 4432 * if datagram type socket, then just use what is in 4433 * socket structure for local address. 4434 * XXX - what do we do for other types? 4435 */ 4436 if ((so->so_type == SOCK_DGRAM) || 4437 (so->so_type == SOCK_RAW)) { 4438 add_sock_token = 1; 4439 4440 /* get local address */ 4441 len = sizeof (so_laddr); 4442 (void) socket_getsockname(so, 4443 (struct sockaddr *)so_laddr, &len, CRED()); 4444 4445 /* get peer address */ 4446 bzero((void *)so_faddr, sizeof (so_faddr)); 4447 4448 /* sanity check */ 4449 if (uap->from == 0) 4450 break; 4451 4452 /* sanity checks */ 4453 if (uap->fromlen == 0) 4454 break; 4455 4456 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4457 sizeof (fromlen)) != 0) 4458 break; 4459 4460 if (fromlen == 0) 4461 break; 4462 4463 /* enforce maximum size */ 4464 if (fromlen > sizeof (so_faddr)) 4465 fromlen = sizeof (so_faddr); 4466 4467 if (copyin((caddr_t)(uap->from), so_faddr, 4468 fromlen) != 0) 4469 break; 4470 4471 } else if (so->so_type == SOCK_STREAM) { 4472 4473 /* get path from file struct here */ 4474 fad = F2A(fp); 4475 ASSERT(fad); 4476 4477 /* 4478 * already processed this file for read attempt 4479 */ 4480 if (fad->fad_flags & FAD_READ) { 4481 /* don't want to audit every recvfrom attempt */ 4482 tad->tad_flag = 0; 4483 /* free any residual audit data */ 4484 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4485 releasef(fd); 4486 return; 4487 } 4488 /* 4489 * mark things so we know what happened and don't 4490 * repeat things 4491 */ 4492 fad->fad_flags |= FAD_READ; 4493 4494 bzero((void *)so_laddr, sizeof (so_laddr)); 4495 bzero((void *)so_faddr, sizeof (so_faddr)); 4496 4497 /* get local and foreign addresses */ 4498 len = sizeof (so_laddr); 4499 (void) socket_getsockname(so, 4500 (struct sockaddr *)so_laddr, &len, CRED()); 4501 len = sizeof (so_faddr); 4502 (void) socket_getpeername(so, 4503 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4504 4505 add_sock_token = 1; 4506 } 4507 4508 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4509 4510 break; 4511 4512 case AF_UNIX: 4513 /* 4514 * first check if this is first time through. Too much 4515 * duplicate code to put this in an aui_ routine. 4516 */ 4517 4518 /* get path from file struct here */ 4519 fad = F2A(fp); 4520 ASSERT(fad); 4521 4522 /* 4523 * already processed this file for read attempt 4524 */ 4525 if (fad->fad_flags & FAD_READ) { 4526 /* don't want to audit every recvfrom attempt */ 4527 tad->tad_flag = 0; 4528 /* free any residual audit data */ 4529 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4530 releasef(fd); 4531 return; 4532 } 4533 /* 4534 * mark things so we know what happened and don't 4535 * repeat things 4536 */ 4537 fad->fad_flags |= FAD_READ; 4538 4539 if (fad->fad_aupath != NULL) { 4540 au_uwrite(au_to_path(fad->fad_aupath)); 4541 } else { 4542 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4543 } 4544 4545 audit_attributes(fp->f_vnode); 4546 4547 releasef(fd); 4548 4549 return; 4550 4551 default: 4552 break; 4553 4554 } 4555 4556 releasef(fd); 4557 4558 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4559 4560 if (add_sock_token == 0) { 4561 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4562 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4563 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4564 return; 4565 } 4566 4567 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4568 4569 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4570 } 4571 4572 /*ARGSUSED*/ 4573 static void 4574 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4575 { 4576 struct a { 4577 long fd; 4578 long msg; /* struct msghdr */ 4579 long flags; 4580 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4581 4582 struct sonode *so; 4583 char so_laddr[sizeof (struct sockaddr_in6)]; 4584 char so_faddr[sizeof (struct sockaddr_in6)]; 4585 int err; 4586 int fd; 4587 short so_family, so_type; 4588 int add_sock_token = 0; 4589 socklen_t len; 4590 struct file *fp; 4591 struct f_audit_data *fad; 4592 caddr_t msg_name; 4593 socklen_t msg_namelen; 4594 STRUCT_DECL(msghdr, msg); 4595 au_kcontext_t *kctx = GET_KCTX_PZ; 4596 4597 fd = (int)uap->fd; 4598 4599 /* bail if an error */ 4600 if (error) { 4601 /* XXX include destination address from system call arguments */ 4602 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4603 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4604 return; 4605 } 4606 4607 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4608 /* 4609 * not security relevant if doing a sendmsg from non socket 4610 * so no extra tokens. Should probably turn off audit record 4611 * generation here. 4612 */ 4613 return; 4614 } 4615 4616 so_family = so->so_family; 4617 so_type = so->so_type; 4618 4619 switch (so_family) { 4620 case AF_INET: 4621 case AF_INET6: 4622 /* 4623 * if datagram type socket, then just use what is in 4624 * socket structure for local address. 4625 * XXX - what do we do for other types? 4626 */ 4627 if ((so->so_type == SOCK_DGRAM) || 4628 (so->so_type == SOCK_RAW)) { 4629 4630 bzero((void *)so_laddr, sizeof (so_laddr)); 4631 bzero((void *)so_faddr, sizeof (so_faddr)); 4632 4633 /* get local address */ 4634 len = sizeof (so_laddr); 4635 (void) socket_getsockname(so, 4636 (struct sockaddr *)so_laddr, &len, CRED()); 4637 4638 /* get peer address */ 4639 STRUCT_INIT(msg, get_udatamodel()); 4640 4641 if (copyin((caddr_t)(uap->msg), 4642 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4643 break; 4644 } 4645 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4646 if (msg_name == NULL) 4647 break; 4648 4649 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4650 /* length is value from recvmsg - sanity check */ 4651 if (msg_namelen == 0) 4652 break; 4653 4654 if (copyin(msg_name, so_faddr, 4655 sizeof (so_faddr)) != 0) 4656 break; 4657 4658 add_sock_token = 1; 4659 4660 } else if (so->so_type == SOCK_STREAM) { 4661 4662 /* get path from file struct here */ 4663 fad = F2A(fp); 4664 ASSERT(fad); 4665 4666 /* 4667 * already processed this file for write attempt 4668 */ 4669 if (fad->fad_flags & FAD_WRITE) { 4670 releasef(fd); 4671 /* don't want to audit every sendmsg attempt */ 4672 tad->tad_flag = 0; 4673 /* free any residual audit data */ 4674 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4675 return; 4676 } 4677 4678 /* 4679 * mark things so we know what happened and don't 4680 * repeat things 4681 */ 4682 fad->fad_flags |= FAD_WRITE; 4683 4684 bzero((void *)so_laddr, sizeof (so_laddr)); 4685 bzero((void *)so_faddr, sizeof (so_faddr)); 4686 4687 /* get local and foreign addresses */ 4688 len = sizeof (so_laddr); 4689 (void) socket_getsockname(so, 4690 (struct sockaddr *)so_laddr, &len, CRED()); 4691 len = sizeof (so_faddr); 4692 (void) socket_getpeername(so, 4693 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4694 4695 add_sock_token = 1; 4696 } 4697 4698 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4699 4700 break; 4701 4702 case AF_UNIX: 4703 /* 4704 * first check if this is first time through. Too much 4705 * duplicate code to put this in an aui_ routine. 4706 */ 4707 4708 /* get path from file struct here */ 4709 fad = F2A(fp); 4710 ASSERT(fad); 4711 4712 /* 4713 * already processed this file for write attempt 4714 */ 4715 if (fad->fad_flags & FAD_WRITE) { 4716 releasef(fd); 4717 /* don't want to audit every sendmsg attempt */ 4718 tad->tad_flag = 0; 4719 /* free any residual audit data */ 4720 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4721 return; 4722 } 4723 /* 4724 * mark things so we know what happened and don't 4725 * repeat things 4726 */ 4727 fad->fad_flags |= FAD_WRITE; 4728 4729 if (fad->fad_aupath != NULL) { 4730 au_uwrite(au_to_path(fad->fad_aupath)); 4731 } else { 4732 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4733 } 4734 4735 audit_attributes(fp->f_vnode); 4736 4737 releasef(fd); 4738 4739 return; 4740 4741 default: 4742 break; 4743 } 4744 4745 releasef(fd); 4746 4747 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4748 4749 if (add_sock_token == 0) { 4750 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4751 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4752 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4753 return; 4754 } 4755 4756 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4757 4758 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4759 } 4760 4761 /*ARGSUSED*/ 4762 static void 4763 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4764 { 4765 struct a { 4766 long fd; 4767 long msg; /* char */ 4768 long len; 4769 long flags; 4770 long to; /* struct sockaddr */ 4771 long tolen; 4772 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4773 4774 struct sonode *so; 4775 char so_laddr[sizeof (struct sockaddr_in6)]; 4776 char so_faddr[sizeof (struct sockaddr_in6)]; 4777 socklen_t tolen; 4778 int err; 4779 int fd; 4780 socklen_t len; 4781 short so_family, so_type; 4782 int add_sock_token = 0; 4783 struct file *fp; 4784 struct f_audit_data *fad; 4785 au_kcontext_t *kctx = GET_KCTX_PZ; 4786 4787 fd = (int)uap->fd; 4788 4789 /* bail if an error */ 4790 if (error) { 4791 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4792 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4793 /* XXX include destination address from system call arguments */ 4794 return; 4795 } 4796 4797 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4798 /* 4799 * not security relevant if doing a sendto using non socket 4800 * so no extra tokens. Should probably turn off audit record 4801 * generation here. 4802 */ 4803 return; 4804 } 4805 4806 so_family = so->so_family; 4807 so_type = so->so_type; 4808 4809 /* 4810 * only putout SOCKET_EX token if INET/INET6 family. 4811 * XXX - what do we do about other families? 4812 */ 4813 4814 switch (so_family) { 4815 case AF_INET: 4816 case AF_INET6: 4817 4818 /* 4819 * if datagram type socket, then just use what is in 4820 * socket structure for local address. 4821 * XXX - what do we do for other types? 4822 */ 4823 if ((so->so_type == SOCK_DGRAM) || 4824 (so->so_type == SOCK_RAW)) { 4825 4826 bzero((void *)so_laddr, sizeof (so_laddr)); 4827 bzero((void *)so_faddr, sizeof (so_faddr)); 4828 4829 /* get local address */ 4830 len = sizeof (so_laddr); 4831 (void) socket_getsockname(so, 4832 (struct sockaddr *)so_laddr, &len, CRED()); 4833 4834 /* get peer address */ 4835 4836 /* sanity check */ 4837 if (uap->to == 0) 4838 break; 4839 4840 /* sanity checks */ 4841 if (uap->tolen == 0) 4842 break; 4843 4844 tolen = (socklen_t)uap->tolen; 4845 4846 /* enforce maximum size */ 4847 if (tolen > sizeof (so_faddr)) 4848 tolen = sizeof (so_faddr); 4849 4850 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4851 break; 4852 4853 add_sock_token = 1; 4854 } else { 4855 /* 4856 * check if this is first time through. 4857 */ 4858 4859 /* get path from file struct here */ 4860 fad = F2A(fp); 4861 ASSERT(fad); 4862 4863 /* 4864 * already processed this file for write attempt 4865 */ 4866 if (fad->fad_flags & FAD_WRITE) { 4867 /* don't want to audit every sendto attempt */ 4868 tad->tad_flag = 0; 4869 /* free any residual audit data */ 4870 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4871 releasef(fd); 4872 return; 4873 } 4874 /* 4875 * mark things so we know what happened and don't 4876 * repeat things 4877 */ 4878 fad->fad_flags |= FAD_WRITE; 4879 4880 bzero((void *)so_laddr, sizeof (so_laddr)); 4881 bzero((void *)so_faddr, sizeof (so_faddr)); 4882 4883 /* get local and foreign addresses */ 4884 len = sizeof (so_laddr); 4885 (void) socket_getsockname(so, 4886 (struct sockaddr *)so_laddr, &len, CRED()); 4887 len = sizeof (so_faddr); 4888 (void) socket_getpeername(so, 4889 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4890 4891 add_sock_token = 1; 4892 } 4893 4894 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4895 4896 break; 4897 4898 case AF_UNIX: 4899 /* 4900 * first check if this is first time through. Too much 4901 * duplicate code to put this in an aui_ routine. 4902 */ 4903 4904 /* get path from file struct here */ 4905 fad = F2A(fp); 4906 ASSERT(fad); 4907 4908 /* 4909 * already processed this file for write attempt 4910 */ 4911 if (fad->fad_flags & FAD_WRITE) { 4912 /* don't want to audit every sendto attempt */ 4913 tad->tad_flag = 0; 4914 /* free any residual audit data */ 4915 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4916 releasef(fd); 4917 return; 4918 } 4919 /* 4920 * mark things so we know what happened and don't 4921 * repeat things 4922 */ 4923 fad->fad_flags |= FAD_WRITE; 4924 4925 if (fad->fad_aupath != NULL) { 4926 au_uwrite(au_to_path(fad->fad_aupath)); 4927 } else { 4928 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4929 } 4930 4931 audit_attributes(fp->f_vnode); 4932 4933 releasef(fd); 4934 4935 return; 4936 4937 default: 4938 break; 4939 4940 } 4941 4942 releasef(fd); 4943 4944 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4945 4946 if (add_sock_token == 0) { 4947 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4948 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4949 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4950 return; 4951 } 4952 4953 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4954 4955 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4956 4957 } 4958 4959 /* 4960 * XXX socket(2) may be equivalent to open(2) on a unix domain 4961 * socket. This needs investigation. 4962 */ 4963 4964 /*ARGSUSED*/ 4965 static void 4966 aus_socket(struct t_audit_data *tad) 4967 { 4968 struct a { 4969 long domain; 4970 long type; 4971 long protocol; 4972 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4973 4974 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4975 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4976 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4977 } 4978 4979 /*ARGSUSED*/ 4980 static void 4981 aus_sigqueue(struct t_audit_data *tad) 4982 { 4983 struct a { 4984 long pid; 4985 long signo; 4986 long *val; 4987 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4988 struct proc *p; 4989 uid_t uid, ruid; 4990 gid_t gid, rgid; 4991 pid_t pid; 4992 const auditinfo_addr_t *ainfo; 4993 cred_t *cr; 4994 4995 pid = (pid_t)uap->pid; 4996 4997 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4998 if (pid > 0) { 4999 mutex_enter(&pidlock); 5000 if ((p = prfind(pid)) == (struct proc *)0) { 5001 mutex_exit(&pidlock); 5002 return; 5003 } 5004 mutex_enter(&p->p_lock); /* so process doesn't go away */ 5005 mutex_exit(&pidlock); 5006 5007 mutex_enter(&p->p_crlock); 5008 crhold(cr = p->p_cred); 5009 mutex_exit(&p->p_crlock); 5010 mutex_exit(&p->p_lock); 5011 5012 ainfo = crgetauinfo(cr); 5013 if (ainfo == NULL) { 5014 crfree(cr); 5015 return; 5016 } 5017 5018 uid = crgetuid(cr); 5019 gid = crgetgid(cr); 5020 ruid = crgetruid(cr); 5021 rgid = crgetrgid(cr); 5022 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5023 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5024 crfree(cr); 5025 } 5026 else 5027 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 5028 } 5029 5030 /*ARGSUSED*/ 5031 static void 5032 aus_inst_sync(struct t_audit_data *tad) 5033 { 5034 struct a { 5035 long name; /* char */ 5036 long flags; 5037 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5038 5039 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 5040 } 5041 5042 /*ARGSUSED*/ 5043 static void 5044 aus_brandsys(struct t_audit_data *tad) 5045 { 5046 klwp_t *clwp = ttolwp(curthread); 5047 5048 struct a { 5049 long cmd; 5050 long arg1; 5051 long arg2; 5052 long arg3; 5053 long arg4; 5054 long arg5; 5055 long arg6; 5056 } *uap = (struct a *)clwp->lwp_ap; 5057 5058 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 5059 #ifdef _LP64 5060 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 5061 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 5062 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 5063 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 5064 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 5065 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 5066 #else 5067 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 5068 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 5069 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 5070 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 5071 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 5072 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 5073 #endif 5074 } 5075 5076 /*ARGSUSED*/ 5077 static void 5078 aus_p_online(struct t_audit_data *tad) 5079 { 5080 struct a { 5081 long processor_id; 5082 long flag; 5083 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5084 5085 struct flags { 5086 int flag; 5087 char *cflag; 5088 } aflags[6] = { 5089 { P_ONLINE, "P_ONLINE"}, 5090 { P_OFFLINE, "P_OFFLINE"}, 5091 { P_NOINTR, "P_NOINTR"}, 5092 { P_SPARE, "P_SPARE"}, 5093 { P_FAULTED, "P_FAULTED"}, 5094 { P_STATUS, "P_STATUS"} 5095 }; 5096 int i; 5097 char *cflag; 5098 5099 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 5100 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 5101 5102 for (i = 0; i < 6; i++) { 5103 if (aflags[i].flag == uap->flag) 5104 break; 5105 } 5106 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 5107 5108 au_uwrite(au_to_text(cflag)); 5109 } 5110 5111 /*ARGSUSED*/ 5112 static void 5113 aus_processor_bind(struct t_audit_data *tad) 5114 { 5115 struct a { 5116 long id_type; 5117 long id; 5118 long processor_id; 5119 long obind; 5120 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5121 5122 struct proc *p; 5123 int lwpcnt; 5124 uid_t uid, ruid; 5125 gid_t gid, rgid; 5126 pid_t pid; 5127 const auditinfo_addr_t *ainfo; 5128 cred_t *cr; 5129 5130 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 5131 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 5132 if (uap->processor_id == PBIND_NONE) 5133 au_uwrite(au_to_text("PBIND_NONE")); 5134 else 5135 au_uwrite(au_to_arg32(3, "processor_id", 5136 (uint32_t)uap->processor_id)); 5137 5138 switch (uap->id_type) { 5139 case P_MYID: 5140 case P_LWPID: 5141 mutex_enter(&pidlock); 5142 p = ttoproc(curthread); 5143 if (p == NULL || p->p_as == &kas) { 5144 mutex_exit(&pidlock); 5145 return; 5146 } 5147 mutex_enter(&p->p_lock); 5148 mutex_exit(&pidlock); 5149 lwpcnt = p->p_lwpcnt; 5150 pid = p->p_pid; 5151 5152 mutex_enter(&p->p_crlock); 5153 crhold(cr = p->p_cred); 5154 mutex_exit(&p->p_crlock); 5155 mutex_exit(&p->p_lock); 5156 5157 ainfo = crgetauinfo(cr); 5158 if (ainfo == NULL) { 5159 crfree(cr); 5160 return; 5161 } 5162 5163 uid = crgetuid(cr); 5164 gid = crgetgid(cr); 5165 ruid = crgetruid(cr); 5166 rgid = crgetrgid(cr); 5167 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5168 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5169 crfree(cr); 5170 break; 5171 case P_PID: 5172 mutex_enter(&pidlock); 5173 p = prfind(uap->id); 5174 if (p == NULL || p->p_as == &kas) { 5175 mutex_exit(&pidlock); 5176 return; 5177 } 5178 mutex_enter(&p->p_lock); 5179 mutex_exit(&pidlock); 5180 lwpcnt = p->p_lwpcnt; 5181 pid = p->p_pid; 5182 5183 mutex_enter(&p->p_crlock); 5184 crhold(cr = p->p_cred); 5185 mutex_exit(&p->p_crlock); 5186 mutex_exit(&p->p_lock); 5187 5188 ainfo = crgetauinfo(cr); 5189 if (ainfo == NULL) { 5190 crfree(cr); 5191 return; 5192 } 5193 5194 uid = crgetuid(cr); 5195 gid = crgetgid(cr); 5196 ruid = crgetruid(cr); 5197 rgid = crgetrgid(cr); 5198 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5199 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5200 crfree(cr); 5201 5202 break; 5203 default: 5204 return; 5205 } 5206 5207 if (uap->processor_id == PBIND_NONE && 5208 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 5209 au_uwrite(au_to_text("PBIND_NONE for process")); 5210 else 5211 au_uwrite(au_to_arg32(3, "processor_id", 5212 (uint32_t)uap->processor_id)); 5213 } 5214 5215 /*ARGSUSED*/ 5216 static au_event_t 5217 aui_doorfs(au_event_t e) 5218 { 5219 uint32_t code; 5220 5221 struct a { /* doorfs */ 5222 long a1; 5223 long a2; 5224 long a3; 5225 long a4; 5226 long a5; 5227 long code; 5228 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5229 5230 /* 5231 * audit formats for several of the 5232 * door calls have not yet been determined 5233 */ 5234 code = (uint32_t)uap->code; 5235 switch (code) { 5236 case DOOR_CALL: 5237 e = AUE_DOORFS_DOOR_CALL; 5238 break; 5239 case DOOR_RETURN: 5240 e = AUE_NULL; 5241 break; 5242 case DOOR_CREATE: 5243 e = AUE_DOORFS_DOOR_CREATE; 5244 break; 5245 case DOOR_REVOKE: 5246 e = AUE_DOORFS_DOOR_REVOKE; 5247 break; 5248 case DOOR_INFO: 5249 e = AUE_NULL; 5250 break; 5251 case DOOR_UCRED: 5252 e = AUE_NULL; 5253 break; 5254 case DOOR_BIND: 5255 e = AUE_NULL; 5256 break; 5257 case DOOR_UNBIND: 5258 e = AUE_NULL; 5259 break; 5260 case DOOR_GETPARAM: 5261 e = AUE_NULL; 5262 break; 5263 case DOOR_SETPARAM: 5264 e = AUE_NULL; 5265 break; 5266 default: /* illegal system call */ 5267 e = AUE_NULL; 5268 break; 5269 } 5270 5271 return (e); 5272 } 5273 5274 static door_node_t * 5275 au_door_lookup(int did) 5276 { 5277 vnode_t *vp; 5278 file_t *fp; 5279 5280 if ((fp = getf(did)) == NULL) 5281 return (NULL); 5282 /* 5283 * Use the underlying vnode (we may be namefs mounted) 5284 */ 5285 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5286 vp = fp->f_vnode; 5287 5288 if (vp == NULL || vp->v_type != VDOOR) { 5289 releasef(did); 5290 return (NULL); 5291 } 5292 5293 return (VTOD(vp)); 5294 } 5295 5296 /*ARGSUSED*/ 5297 static void 5298 aus_doorfs(struct t_audit_data *tad) 5299 { 5300 5301 struct a { /* doorfs */ 5302 long a1; 5303 long a2; 5304 long a3; 5305 long a4; 5306 long a5; 5307 long code; 5308 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5309 5310 door_node_t *dp; 5311 struct proc *p; 5312 uint32_t did; 5313 uid_t uid, ruid; 5314 gid_t gid, rgid; 5315 pid_t pid; 5316 const auditinfo_addr_t *ainfo; 5317 cred_t *cr; 5318 5319 did = (uint32_t)uap->a1; 5320 5321 switch (tad->tad_event) { 5322 case AUE_DOORFS_DOOR_CALL: 5323 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5324 if ((dp = au_door_lookup(did)) == NULL) 5325 break; 5326 5327 if (DOOR_INVALID(dp)) { 5328 releasef(did); 5329 break; 5330 } 5331 5332 if ((p = dp->door_target) == NULL) { 5333 releasef(did); 5334 break; 5335 } 5336 mutex_enter(&p->p_lock); 5337 releasef(did); 5338 5339 pid = p->p_pid; 5340 5341 mutex_enter(&p->p_crlock); 5342 crhold(cr = p->p_cred); 5343 mutex_exit(&p->p_crlock); 5344 mutex_exit(&p->p_lock); 5345 5346 ainfo = crgetauinfo(cr); 5347 if (ainfo == NULL) { 5348 crfree(cr); 5349 return; 5350 } 5351 uid = crgetuid(cr); 5352 gid = crgetgid(cr); 5353 ruid = crgetruid(cr); 5354 rgid = crgetrgid(cr); 5355 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5356 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5357 crfree(cr); 5358 break; 5359 case AUE_DOORFS_DOOR_RETURN: 5360 /* 5361 * We may want to write information about 5362 * all doors (if any) which will be copied 5363 * by this call to the user space 5364 */ 5365 break; 5366 case AUE_DOORFS_DOOR_CREATE: 5367 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5368 break; 5369 case AUE_DOORFS_DOOR_REVOKE: 5370 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5371 break; 5372 case AUE_DOORFS_DOOR_INFO: 5373 break; 5374 case AUE_DOORFS_DOOR_CRED: 5375 break; 5376 case AUE_DOORFS_DOOR_BIND: 5377 break; 5378 case AUE_DOORFS_DOOR_UNBIND: { 5379 break; 5380 } 5381 default: /* illegal system call */ 5382 break; 5383 } 5384 } 5385 5386 /*ARGSUSED*/ 5387 static au_event_t 5388 aui_acl(au_event_t e) 5389 { 5390 struct a { 5391 union { 5392 long name; /* char */ 5393 long fd; 5394 } obj; 5395 5396 long cmd; 5397 long nentries; 5398 long arg; /* aclent_t */ 5399 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5400 5401 switch (uap->cmd) { 5402 case SETACL: 5403 case ACE_SETACL: 5404 /* 5405 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5406 * are expected. 5407 */ 5408 break; 5409 case GETACL: 5410 case GETACLCNT: 5411 case ACE_GETACL: 5412 case ACE_GETACLCNT: 5413 /* do nothing for these four values. */ 5414 e = AUE_NULL; 5415 break; 5416 default: 5417 /* illegal system call */ 5418 break; 5419 } 5420 5421 return (e); 5422 } 5423 5424 static void 5425 au_acl(int cmd, int nentries, caddr_t bufp) 5426 { 5427 size_t a_size; 5428 aclent_t *aclbufp; 5429 ace_t *acebufp; 5430 int i; 5431 5432 switch (cmd) { 5433 case GETACL: 5434 case GETACLCNT: 5435 break; 5436 case SETACL: 5437 if (nentries < 3) 5438 break; 5439 5440 a_size = nentries * sizeof (aclent_t); 5441 5442 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5443 break; 5444 if (copyin(bufp, aclbufp, a_size)) { 5445 kmem_free(aclbufp, a_size); 5446 break; 5447 } 5448 for (i = 0; i < nentries; i++) { 5449 au_uwrite(au_to_acl(aclbufp + i)); 5450 } 5451 kmem_free(aclbufp, a_size); 5452 break; 5453 5454 case ACE_SETACL: 5455 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5456 break; 5457 5458 a_size = nentries * sizeof (ace_t); 5459 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5460 break; 5461 if (copyin(bufp, acebufp, a_size)) { 5462 kmem_free(acebufp, a_size); 5463 break; 5464 } 5465 for (i = 0; i < nentries; i++) { 5466 au_uwrite(au_to_ace(acebufp + i)); 5467 } 5468 kmem_free(acebufp, a_size); 5469 break; 5470 default: 5471 break; 5472 } 5473 } 5474 5475 /*ARGSUSED*/ 5476 static void 5477 aus_acl(struct t_audit_data *tad) 5478 { 5479 struct a { 5480 long fname; 5481 long cmd; 5482 long nentries; 5483 long aclbufp; 5484 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5485 5486 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5487 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5488 5489 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5490 } 5491 5492 /*ARGSUSED*/ 5493 static void 5494 aus_facl(struct t_audit_data *tad) 5495 { 5496 struct a { 5497 long fd; 5498 long cmd; 5499 long nentries; 5500 long aclbufp; 5501 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5502 struct file *fp; 5503 struct vnode *vp; 5504 struct f_audit_data *fad; 5505 int fd; 5506 5507 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5508 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5509 5510 fd = (int)uap->fd; 5511 5512 if ((fp = getf(fd)) == NULL) 5513 return; 5514 5515 /* get path from file struct here */ 5516 fad = F2A(fp); 5517 if (fad->fad_aupath != NULL) { 5518 au_uwrite(au_to_path(fad->fad_aupath)); 5519 } else { 5520 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5521 } 5522 5523 vp = fp->f_vnode; 5524 audit_attributes(vp); 5525 5526 /* decrement file descriptor reference count */ 5527 releasef(fd); 5528 5529 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5530 } 5531 5532 /*ARGSUSED*/ 5533 static void 5534 auf_read(struct t_audit_data *tad, int error, rval_t *rval) 5535 { 5536 struct file *fp; 5537 struct f_audit_data *fad; 5538 int fd; 5539 register struct a { 5540 long fd; 5541 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5542 au_kcontext_t *kctx = GET_KCTX_PZ; 5543 5544 fd = (int)uap->fd; 5545 5546 /* 5547 * convert file pointer to file descriptor 5548 * Note: fd ref count incremented here. 5549 */ 5550 if ((fp = getf(fd)) == NULL) 5551 return; 5552 5553 /* get path from file struct here */ 5554 fad = F2A(fp); 5555 ASSERT(fad); 5556 5557 /* 5558 * already processed this file for read attempt 5559 * 5560 * XXX might be better to turn off auditing in a aui_read() routine. 5561 */ 5562 if (fad->fad_flags & FAD_READ) { 5563 /* don't really want to audit every read attempt */ 5564 tad->tad_flag = 0; 5565 /* free any residual audit data */ 5566 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5567 releasef(fd); 5568 return; 5569 } 5570 /* mark things so we know what happened and don't repeat things */ 5571 fad->fad_flags |= FAD_READ; 5572 5573 if (fad->fad_aupath != NULL) { 5574 au_uwrite(au_to_path(fad->fad_aupath)); 5575 } else { 5576 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5577 } 5578 5579 /* include attributes */ 5580 audit_attributes(fp->f_vnode); 5581 5582 /* decrement file descriptor reference count */ 5583 releasef(fd); 5584 } 5585 5586 /*ARGSUSED*/ 5587 static void 5588 auf_write(struct t_audit_data *tad, int error, rval_t *rval) 5589 { 5590 struct file *fp; 5591 struct f_audit_data *fad; 5592 int fd; 5593 register struct a { 5594 long fd; 5595 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5596 au_kcontext_t *kctx = GET_KCTX_PZ; 5597 5598 fd = (int)uap->fd; 5599 5600 /* 5601 * convert file pointer to file descriptor 5602 * Note: fd ref count incremented here. 5603 */ 5604 if ((fp = getf(fd)) == NULL) 5605 return; 5606 5607 /* get path from file struct here */ 5608 fad = F2A(fp); 5609 ASSERT(fad); 5610 5611 /* 5612 * already processed this file for write attempt 5613 * 5614 * XXX might be better to turn off auditing in a aus_write() routine. 5615 */ 5616 if (fad->fad_flags & FAD_WRITE) { 5617 /* don't really want to audit every write attempt */ 5618 tad->tad_flag = 0; 5619 /* free any residual audit data */ 5620 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5621 releasef(fd); 5622 return; 5623 } 5624 /* mark things so we know what happened and don't repeat things */ 5625 fad->fad_flags |= FAD_WRITE; 5626 5627 if (fad->fad_aupath != NULL) { 5628 au_uwrite(au_to_path(fad->fad_aupath)); 5629 } else { 5630 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5631 } 5632 5633 /* include attributes */ 5634 audit_attributes(fp->f_vnode); 5635 5636 /* decrement file descriptor reference count */ 5637 releasef(fd); 5638 } 5639 5640 /*ARGSUSED*/ 5641 static void 5642 auf_recv(struct t_audit_data *tad, int error, rval_t *rval) 5643 { 5644 struct sonode *so; 5645 char so_laddr[sizeof (struct sockaddr_in6)]; 5646 char so_faddr[sizeof (struct sockaddr_in6)]; 5647 struct file *fp; 5648 struct f_audit_data *fad; 5649 int fd; 5650 int err; 5651 socklen_t len; 5652 short so_family, so_type; 5653 register struct a { 5654 long fd; 5655 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5656 au_kcontext_t *kctx = GET_KCTX_PZ; 5657 5658 /* 5659 * If there was an error, then nothing to do. Only generate 5660 * audit record on first successful recv. 5661 */ 5662 if (error) { 5663 /* Turn off audit record generation here. */ 5664 tad->tad_flag = 0; 5665 /* free any residual audit data */ 5666 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5667 return; 5668 } 5669 5670 fd = (int)uap->fd; 5671 5672 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5673 /* Turn off audit record generation here. */ 5674 tad->tad_flag = 0; 5675 /* free any residual audit data */ 5676 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5677 return; 5678 } 5679 5680 /* get path from file struct here */ 5681 fad = F2A(fp); 5682 ASSERT(fad); 5683 5684 /* 5685 * already processed this file for read attempt 5686 */ 5687 if (fad->fad_flags & FAD_READ) { 5688 releasef(fd); 5689 /* don't really want to audit every recv call */ 5690 tad->tad_flag = 0; 5691 /* free any residual audit data */ 5692 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5693 return; 5694 } 5695 5696 /* mark things so we know what happened and don't repeat things */ 5697 fad->fad_flags |= FAD_READ; 5698 5699 so_family = so->so_family; 5700 so_type = so->so_type; 5701 5702 switch (so_family) { 5703 case AF_INET: 5704 case AF_INET6: 5705 /* 5706 * Only for connections. 5707 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5708 */ 5709 if (so->so_state & SS_ISBOUND) { 5710 5711 bzero((void *)so_laddr, sizeof (so_laddr)); 5712 bzero((void *)so_faddr, sizeof (so_faddr)); 5713 5714 /* get local and foreign addresses */ 5715 len = sizeof (so_laddr); 5716 (void) socket_getsockname(so, 5717 (struct sockaddr *)so_laddr, &len, CRED()); 5718 len = sizeof (so_faddr); 5719 (void) socket_getpeername(so, 5720 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5721 5722 /* 5723 * only way to drop out of switch. Note that we 5724 * we release fd below. 5725 */ 5726 5727 break; 5728 } 5729 5730 releasef(fd); 5731 5732 /* don't really want to audit every recv call */ 5733 tad->tad_flag = 0; 5734 /* free any residual audit data */ 5735 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5736 5737 return; 5738 5739 case AF_UNIX: 5740 5741 if (fad->fad_aupath != NULL) { 5742 au_uwrite(au_to_path(fad->fad_aupath)); 5743 } else { 5744 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5745 } 5746 5747 audit_attributes(fp->f_vnode); 5748 5749 releasef(fd); 5750 5751 return; 5752 5753 default: 5754 releasef(fd); 5755 5756 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5757 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5758 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5759 5760 return; 5761 } 5762 5763 releasef(fd); 5764 5765 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5766 5767 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5768 5769 } 5770 5771 /*ARGSUSED*/ 5772 static void 5773 auf_send(struct t_audit_data *tad, int error, rval_t *rval) 5774 { 5775 struct sonode *so; 5776 char so_laddr[sizeof (struct sockaddr_in6)]; 5777 char so_faddr[sizeof (struct sockaddr_in6)]; 5778 struct file *fp; 5779 struct f_audit_data *fad; 5780 int fd; 5781 int err; 5782 socklen_t len; 5783 short so_family, so_type; 5784 register struct a { 5785 long fd; 5786 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5787 au_kcontext_t *kctx = GET_KCTX_PZ; 5788 5789 fd = (int)uap->fd; 5790 5791 /* 5792 * If there was an error, then nothing to do. Only generate 5793 * audit record on first successful send. 5794 */ 5795 if (error != 0) { 5796 /* Turn off audit record generation here. */ 5797 tad->tad_flag = 0; 5798 /* free any residual audit data */ 5799 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5800 return; 5801 } 5802 5803 fd = (int)uap->fd; 5804 5805 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5806 /* Turn off audit record generation here. */ 5807 tad->tad_flag = 0; 5808 /* free any residual audit data */ 5809 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5810 return; 5811 } 5812 5813 /* get path from file struct here */ 5814 fad = F2A(fp); 5815 ASSERT(fad); 5816 5817 /* 5818 * already processed this file for write attempt 5819 */ 5820 if (fad->fad_flags & FAD_WRITE) { 5821 releasef(fd); 5822 /* don't really want to audit every send call */ 5823 tad->tad_flag = 0; 5824 /* free any residual audit data */ 5825 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5826 return; 5827 } 5828 5829 /* mark things so we know what happened and don't repeat things */ 5830 fad->fad_flags |= FAD_WRITE; 5831 5832 so_family = so->so_family; 5833 so_type = so->so_type; 5834 5835 switch (so_family) { 5836 case AF_INET: 5837 case AF_INET6: 5838 /* 5839 * Only for connections. 5840 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5841 */ 5842 if (so->so_state & SS_ISBOUND) { 5843 5844 bzero((void *)so_laddr, sizeof (so_laddr)); 5845 bzero((void *)so_faddr, sizeof (so_faddr)); 5846 5847 /* get local and foreign addresses */ 5848 len = sizeof (so_laddr); 5849 (void) socket_getsockname(so, 5850 (struct sockaddr *)so_laddr, &len, CRED()); 5851 len = sizeof (so_faddr); 5852 (void) socket_getpeername(so, 5853 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5854 5855 /* 5856 * only way to drop out of switch. Note that we 5857 * we release fd below. 5858 */ 5859 5860 break; 5861 } 5862 5863 releasef(fd); 5864 /* don't really want to audit every send call */ 5865 tad->tad_flag = 0; 5866 /* free any residual audit data */ 5867 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5868 5869 return; 5870 5871 case AF_UNIX: 5872 5873 if (fad->fad_aupath != NULL) { 5874 au_uwrite(au_to_path(fad->fad_aupath)); 5875 } else { 5876 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5877 } 5878 5879 audit_attributes(fp->f_vnode); 5880 5881 releasef(fd); 5882 5883 return; 5884 5885 default: 5886 releasef(fd); 5887 5888 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5889 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5890 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5891 5892 return; 5893 } 5894 5895 releasef(fd); 5896 5897 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5898 5899 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5900 } 5901 5902 static au_event_t 5903 aui_forksys(au_event_t e) 5904 { 5905 struct a { 5906 long subcode; 5907 long flags; 5908 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5909 5910 switch ((uint_t)uap->subcode) { 5911 case 0: 5912 e = AUE_FORK1; 5913 break; 5914 case 1: 5915 e = AUE_FORKALL; 5916 break; 5917 case 2: 5918 e = AUE_VFORK; 5919 break; 5920 default: 5921 e = AUE_NULL; 5922 break; 5923 } 5924 5925 return (e); 5926 } 5927 5928 /*ARGSUSED*/ 5929 static au_event_t 5930 aui_portfs(au_event_t e) 5931 { 5932 struct a { /* portfs */ 5933 long a1; 5934 long a2; 5935 long a3; 5936 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5937 5938 /* 5939 * check opcode 5940 */ 5941 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5942 case PORT_ASSOCIATE: 5943 /* check source */ 5944 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5945 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5946 e = AUE_PORTFS_ASSOCIATE; 5947 } else { 5948 e = AUE_NULL; 5949 } 5950 break; 5951 case PORT_DISSOCIATE: 5952 /* check source */ 5953 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5954 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5955 e = AUE_PORTFS_DISSOCIATE; 5956 } else { 5957 e = AUE_NULL; 5958 } 5959 break; 5960 default: 5961 e = AUE_NULL; 5962 } 5963 return (e); 5964 } 5965