1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved. 25 * Copyright (c) 2018, Joyent, Inc. 26 */ 27 28 /* 29 * This file contains the audit event table used to control the production 30 * of audit records for each system call. 31 */ 32 33 #include <sys/policy.h> 34 #include <sys/cred.h> 35 #include <sys/types.h> 36 #include <sys/systm.h> 37 #include <sys/systeminfo.h> /* for sysinfo auditing */ 38 #include <sys/utsname.h> /* for sysinfo auditing */ 39 #include <sys/proc.h> 40 #include <sys/vnode.h> 41 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 42 #include <sys/fcntl.h> 43 #include <sys/modctl.h> /* for modctl auditing */ 44 #include <sys/vnode.h> 45 #include <sys/user.h> 46 #include <sys/types.h> 47 #include <sys/processor.h> 48 #include <sys/procset.h> 49 #include <sys/acl.h> 50 #include <sys/ipc.h> 51 #include <sys/door.h> 52 #include <sys/sem.h> 53 #include <sys/msg.h> 54 #include <sys/shm.h> 55 #include <sys/kmem.h> 56 #include <sys/file.h> /* for accept */ 57 #include <sys/utssys.h> /* for fuser */ 58 #include <sys/tsol/label.h> 59 #include <sys/tsol/tndb.h> 60 #include <sys/tsol/tsyscall.h> 61 #include <c2/audit.h> 62 #include <c2/audit_kernel.h> 63 #include <c2/audit_kevents.h> 64 #include <c2/audit_record.h> 65 #include <sys/procset.h> 66 #include <nfs/mount.h> 67 #include <sys/param.h> 68 #include <sys/debug.h> 69 #include <sys/sysmacros.h> 70 #include <sys/stream.h> 71 #include <sys/strsubr.h> 72 #include <sys/stropts.h> 73 #include <sys/tihdr.h> 74 #include <sys/socket.h> 75 #include <sys/socketvar.h> 76 #include <sys/vfs_opreg.h> 77 #include <fs/sockfs/sockcommon.h> 78 #include <netinet/in.h> 79 #include <sys/ddi.h> 80 #include <sys/port_impl.h> 81 #include <sys/secflags.h> 82 83 static au_event_t aui_fchownat(au_event_t); 84 static au_event_t aui_fchmodat(au_event_t); 85 static au_event_t aui_open(au_event_t); 86 static au_event_t aui_openat(au_event_t); 87 static au_event_t aui_unlinkat(au_event_t); 88 static au_event_t aui_fstatat(au_event_t); 89 static au_event_t aui_msgsys(au_event_t); 90 static au_event_t aui_shmsys(au_event_t); 91 static au_event_t aui_semsys(au_event_t); 92 static au_event_t aui_utssys(au_event_t); 93 static au_event_t aui_fcntl(au_event_t); 94 static au_event_t aui_execve(au_event_t); 95 static au_event_t aui_memcntl(au_event_t); 96 static au_event_t aui_sysinfo(au_event_t); 97 static au_event_t aui_portfs(au_event_t); 98 static au_event_t aui_auditsys(au_event_t); 99 static au_event_t aui_modctl(au_event_t); 100 static au_event_t aui_acl(au_event_t); 101 static au_event_t aui_doorfs(au_event_t); 102 static au_event_t aui_privsys(au_event_t); 103 static au_event_t aui_forksys(au_event_t); 104 static au_event_t aui_labelsys(au_event_t); 105 static au_event_t aui_setpgrp(au_event_t); 106 107 108 static void aus_exit(struct t_audit_data *); 109 static void aus_open(struct t_audit_data *); 110 static void aus_openat(struct t_audit_data *); 111 static void aus_acl(struct t_audit_data *); 112 static void aus_acct(struct t_audit_data *); 113 static void aus_chown(struct t_audit_data *); 114 static void aus_fchown(struct t_audit_data *); 115 static void aus_lchown(struct t_audit_data *); 116 static void aus_fchownat(struct t_audit_data *); 117 static void aus_chmod(struct t_audit_data *); 118 static void aus_facl(struct t_audit_data *); 119 static void aus_fchmod(struct t_audit_data *); 120 static void aus_fchmodat(struct t_audit_data *); 121 static void aus_fcntl(struct t_audit_data *); 122 static void aus_mkdir(struct t_audit_data *); 123 static void aus_mkdirat(struct t_audit_data *); 124 static void aus_mknod(struct t_audit_data *); 125 static void aus_mknodat(struct t_audit_data *); 126 static void aus_mount(struct t_audit_data *); 127 static void aus_umount2(struct t_audit_data *); 128 static void aus_msgsys(struct t_audit_data *); 129 static void aus_semsys(struct t_audit_data *); 130 static void aus_close(struct t_audit_data *); 131 static void aus_fstatfs(struct t_audit_data *); 132 static void aus_setgid(struct t_audit_data *); 133 static void aus_setpgrp(struct t_audit_data *); 134 static void aus_setuid(struct t_audit_data *); 135 static void aus_shmsys(struct t_audit_data *); 136 static void aus_doorfs(struct t_audit_data *); 137 static void aus_ioctl(struct t_audit_data *); 138 static void aus_memcntl(struct t_audit_data *); 139 static void aus_mmap(struct t_audit_data *); 140 static void aus_munmap(struct t_audit_data *); 141 static void aus_priocntlsys(struct t_audit_data *); 142 static void aus_setegid(struct t_audit_data *); 143 static void aus_setgroups(struct t_audit_data *); 144 static void aus_seteuid(struct t_audit_data *); 145 static void aus_putmsg(struct t_audit_data *); 146 static void aus_putpmsg(struct t_audit_data *); 147 static void aus_getmsg(struct t_audit_data *); 148 static void aus_getpmsg(struct t_audit_data *); 149 static void aus_auditsys(struct t_audit_data *); 150 static void aus_sysinfo(struct t_audit_data *); 151 static void aus_modctl(struct t_audit_data *); 152 static void aus_kill(struct t_audit_data *); 153 static void aus_setregid(struct t_audit_data *); 154 static void aus_setreuid(struct t_audit_data *); 155 static void aus_labelsys(struct t_audit_data *); 156 157 static void auf_mknod(struct t_audit_data *, int, rval_t *); 158 static void auf_mknodat(struct t_audit_data *, int, rval_t *); 159 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 160 static void auf_semsys(struct t_audit_data *, int, rval_t *); 161 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 162 static void auf_read(struct t_audit_data *, int, rval_t *); 163 static void auf_write(struct t_audit_data *, int, rval_t *); 164 165 static void aus_sigqueue(struct t_audit_data *); 166 static void aus_p_online(struct t_audit_data *); 167 static void aus_processor_bind(struct t_audit_data *); 168 static void aus_inst_sync(struct t_audit_data *); 169 static void aus_brandsys(struct t_audit_data *); 170 171 static void auf_accept(struct t_audit_data *, int, rval_t *); 172 173 static void auf_bind(struct t_audit_data *, int, rval_t *); 174 static void auf_connect(struct t_audit_data *, int, rval_t *); 175 static void aus_shutdown(struct t_audit_data *); 176 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 177 static void aus_sockconfig(struct t_audit_data *); 178 static void auf_recv(struct t_audit_data *, int, rval_t *); 179 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 180 static void auf_send(struct t_audit_data *, int, rval_t *); 181 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 182 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 183 static void auf_sendto(struct t_audit_data *, int, rval_t *); 184 static void aus_socket(struct t_audit_data *); 185 /* 186 * This table contains mapping information for converting system call numbers 187 * to audit event IDs. In several cases it is necessary to map a single system 188 * call to several events. 189 */ 190 191 #define aui_null NULL /* NULL initialize function */ 192 #define aus_null NULL /* NULL start function */ 193 #define auf_null NULL /* NULL finish function */ 194 195 struct audit_s2e audit_s2e[] = 196 { 197 /* 198 * ---------- ---------- ---------- ---------- 199 * INITIAL AUDIT START SYSTEM 200 * PROCESSING EVENT PROCESSING CALL 201 * ---------- ---------- ---------- ----------- 202 * FINISH EVENT 203 * PROCESSING CONTROL 204 * ---------------------------------------------------------- 205 */ 206 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 207 auf_null, 0, 208 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 209 auf_null, S2E_NPT, 210 aui_null, AUE_PSECFLAGS, aus_null, /* 2 psecflags */ 211 auf_null, 0, 212 aui_null, AUE_READ, aus_null, /* 3 read */ 213 auf_read, S2E_PUB, 214 aui_null, AUE_WRITE, aus_null, /* 4 write */ 215 auf_write, 0, 216 aui_open, AUE_OPEN, aus_open, /* 5 open */ 217 auf_null, S2E_SP, 218 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 219 auf_null, 0, 220 aui_null, AUE_LINK, aus_null, /* 7 linkat */ 221 auf_null, 0, 222 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 223 auf_null, 0, 224 aui_null, AUE_LINK, aus_null, /* 9 link */ 225 auf_null, 0, 226 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 227 auf_null, 0, 228 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */ 229 auf_null, 0, 230 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 231 auf_null, S2E_SP, 232 aui_null, AUE_NULL, aus_null, /* 13 time */ 233 auf_null, 0, 234 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 235 auf_mknod, S2E_MLD, 236 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 237 auf_null, 0, 238 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 239 auf_null, 0, 240 aui_null, AUE_NULL, aus_null, /* 17 brk */ 241 auf_null, 0, 242 aui_null, AUE_STAT, aus_null, /* 18 stat */ 243 auf_null, S2E_PUB, 244 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 245 auf_null, 0, 246 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 247 auf_null, 0, 248 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 249 auf_null, S2E_MLD, 250 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */ 251 auf_null, S2E_PUB, 252 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 255 auf_null, 0, 256 aui_null, AUE_STIME, aus_null, /* 25 stime */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 259 auf_null, 0, 260 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 261 auf_null, 0, 262 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 263 auf_null, 0, 264 aui_null, AUE_NULL, aus_null, /* 29 pause */ 265 auf_null, 0, 266 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 267 auf_null, 0, 268 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 269 auf_null, 0, 270 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 271 auf_null, 0, 272 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 273 auf_null, S2E_PUB, 274 aui_null, AUE_NICE, aus_null, /* 34 nice */ 275 auf_null, 0, 276 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 277 auf_null, S2E_PUB, 278 aui_null, AUE_NULL, aus_null, /* 36 sync */ 279 auf_null, 0, 280 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 281 auf_null, 0, 282 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 283 auf_null, S2E_PUB, 284 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 289 auf_null, 0, 290 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 291 auf_null, 0, 292 aui_null, AUE_NULL, aus_null, /* 43 times */ 293 auf_null, 0, 294 aui_null, AUE_NULL, aus_null, /* 44 profil */ 295 auf_null, 0, 296 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 297 auf_null, S2E_PUB, 298 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 299 auf_null, 0, 300 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 301 auf_null, 0, 302 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */ 303 auf_mknodat, S2E_MLD, 304 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 305 auf_msgsys, 0, 306 #if defined(__x86) 307 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 308 auf_null, 0, 309 #else 310 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 311 auf_null, 0, 312 #endif /* __x86 */ 313 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 314 auf_null, 0, 315 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 316 auf_shmsys, 0, 317 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 318 auf_semsys, 0, 319 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 320 auf_null, 0, 321 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 322 auf_null, 0, 323 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 324 auf_null, 0, 325 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 326 auf_null, 0, 327 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 328 auf_null, 0, 329 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 330 auf_null, S2E_MLD, 331 aui_null, AUE_NULL, aus_null, /* 60 umask */ 332 auf_null, 0, 333 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 334 auf_null, S2E_SP, 335 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 336 auf_null, 0, 337 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 338 auf_null, 0, 339 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 340 auf_null, 0, 341 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 342 auf_null, 0, 343 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 344 auf_null, S2E_PUB, 345 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 346 auf_null, S2E_PUB, 347 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 348 auf_null, S2E_SP, 349 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 350 auf_null, S2E_SP, 351 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 352 auf_null, 0, 353 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 354 auf_null, 0, 355 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 356 auf_null, 0, 357 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 358 auf_null, 0, 359 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 360 auf_null, 0, 361 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 362 auf_null, 0, 363 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 364 auf_null, 0, 365 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 366 auf_null, 0, 367 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 368 auf_null, 0, 369 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 370 auf_null, 0, 371 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 372 auf_null, 0, 373 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 374 auf_null, 0, 375 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 376 auf_null, 0, 377 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 378 auf_null, 0, 379 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 380 auf_null, 0, 381 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 382 auf_null, 0, 383 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 384 auf_null, 0, 385 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 386 auf_null, 0, 387 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 388 auf_null, S2E_PUB, 389 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 390 auf_null, 0, 391 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 392 auf_null, S2E_PUB, 393 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 394 auf_null, 0, 395 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 396 auf_null, 0, 397 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 398 auf_null, 0, 399 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 412 auf_null, 0, 413 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */ 414 auf_null, 0, 415 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */ 416 auf_null, 0, 417 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 418 auf_null, S2E_PUB, 419 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 422 auf_null, 0, 423 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 424 auf_null, 0, 425 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 426 auf_null, 0, 427 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 428 auf_null, 0, 429 #if defined(__x86) 430 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 431 auf_null, 0, 432 #else 433 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 434 auf_null, 0, 435 #endif /* __x86 */ 436 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 437 auf_null, 0, 438 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 439 auf_null, 0, 440 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 441 auf_null, 0, 442 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 443 auf_null, S2E_PUB, 444 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 445 auf_null, 0, 446 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 447 auf_null, 0, 448 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 449 auf_null, 0, 450 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 451 auf_null, 0, 452 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 453 auf_null, 0, 454 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 455 auf_null, 0, 456 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 457 auf_null, 0, 458 aui_null, AUE_READ, aus_null, /* 121 readv */ 459 auf_read, S2E_PUB, 460 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 461 auf_write, 0, 462 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 463 auf_null, 0, 464 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 465 auf_null, 0, 466 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 467 auf_null, 0, 468 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 469 auf_null, 0, 470 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 471 auf_null, 0, 472 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 473 auf_null, 0, 474 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 475 auf_null, 0, 476 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 477 auf_null, 0, 478 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 479 auf_null, 0, 480 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 481 auf_null, 0, 482 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 483 auf_null, 0, 484 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 485 auf_null, 0, 486 aui_null, AUE_NULL, aus_null, /* 135 uname */ 487 auf_null, 0, 488 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 489 auf_null, 0, 490 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 491 auf_null, 0, 492 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 493 auf_null, 0, 494 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 495 auf_null, 0, 496 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 497 auf_null, 0, 498 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 499 auf_null, 0, 500 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 501 auf_null, 0, 502 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 146 yield */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 511 /* was lwp_sema_wait */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 516 auf_null, 0, 517 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 518 auf_null, 0, 519 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 520 auf_null, 0, 521 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 522 auf_null, 0, 523 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 524 auf_null, 0, 525 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 548 auf_null, 0, 549 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 556 /* was lwp_mutex_lock */ 557 auf_null, 0, 558 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 559 auf_null, 0, 560 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 561 auf_null, 0, 562 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 563 auf_null, 0, 564 aui_null, AUE_READ, aus_null, /* 173 pread */ 565 auf_read, S2E_PUB, 566 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 567 auf_write, 0, 568 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 569 auf_null, 0, 570 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 571 auf_null, 0, 572 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 573 auf_null, 0, 574 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 581 auf_null, 0, 582 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 583 auf_null, S2E_MLD, 584 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 585 auf_null, 0, 586 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 587 auf_null, 0, 588 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 589 auf_null, 0, 590 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 591 auf_null, 0, 592 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 593 auf_null, 0, 594 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 595 auf_null, 0, 596 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 597 auf_null, 0, 598 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 601 auf_null, 0, 602 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 603 auf_null, 0, 604 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 615 auf_null, 0, 616 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 617 auf_null, 0, 618 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 619 auf_null, 0, 620 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 621 auf_null, 0, 622 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 623 auf_null, 0, 624 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 625 auf_null, 0, 626 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 643 auf_null, 0, 644 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 645 auf_null, 0, 646 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 647 auf_null, 0, 648 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 649 auf_null, S2E_PUB, 650 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 651 auf_null, S2E_PUB, 652 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 653 auf_null, 0, 654 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 655 auf_null, S2E_PUB, 656 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 657 auf_null, 0, 658 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 659 auf_null, 0, 660 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 661 auf_null, 0, 662 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 663 auf_read, S2E_PUB, 664 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 665 auf_write, 0, 666 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 667 auf_null, 0, 668 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 669 auf_null, S2E_SP, 670 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 671 auf_null, 0, 672 aui_null, AUE_NULL, aus_null, /* 227 zone */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 675 auf_null, 0, 676 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 677 auf_null, 0, 678 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 679 auf_null, 0, 680 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 681 auf_null, 0, 682 aui_null, AUE_BIND, aus_null, /* 232 bind */ 683 auf_bind, 0, 684 aui_null, AUE_NULL, aus_null, /* 233 listen */ 685 auf_null, 0, 686 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 687 auf_accept, 0, 688 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 689 auf_connect, 0, 690 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 691 auf_null, 0, 692 aui_null, AUE_READ, aus_null, /* 237 recv */ 693 auf_recv, 0, 694 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 695 auf_recvfrom, 0, 696 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 697 auf_recvmsg, 0, 698 aui_null, AUE_WRITE, aus_null, /* 240 send */ 699 auf_send, 0, 700 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 701 auf_sendmsg, 0, 702 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 703 auf_sendto, 0, 704 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 705 auf_null, 0, 706 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 707 auf_null, 0, 708 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 709 auf_null, 0, 710 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 711 auf_setsockopt, 0, 712 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 713 auf_null, 0, 714 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 715 auf_null, 0, 716 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 717 auf_null, 0, 718 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 725 auf_null, 0, 726 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 727 auf_null, 0, 728 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 729 auf_null, 0 730 }; 731 732 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 733 734 735 /* exit start function */ 736 /*ARGSUSED*/ 737 static void 738 aus_exit(struct t_audit_data *tad) 739 { 740 uint32_t rval; 741 struct a { 742 long rval; 743 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 744 745 rval = (uint32_t)uap->rval; 746 au_uwrite(au_to_arg32(1, "exit status", rval)); 747 } 748 749 750 /* acct start function */ 751 /*ARGSUSED*/ 752 static void 753 aus_acct(struct t_audit_data *tad) 754 { 755 klwp_t *clwp = ttolwp(curthread); 756 uintptr_t fname; 757 758 struct a { 759 long fname; /* char * */ 760 } *uap = (struct a *)clwp->lwp_ap; 761 762 fname = (uintptr_t)uap->fname; 763 764 if (fname == 0) 765 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 766 } 767 768 /* chown start function */ 769 /*ARGSUSED*/ 770 static void 771 aus_chown(struct t_audit_data *tad) 772 { 773 klwp_t *clwp = ttolwp(curthread); 774 uint32_t uid, gid; 775 776 struct a { 777 long fname; /* char * */ 778 long uid; 779 long gid; 780 } *uap = (struct a *)clwp->lwp_ap; 781 782 uid = (uint32_t)uap->uid; 783 gid = (uint32_t)uap->gid; 784 785 au_uwrite(au_to_arg32(2, "new file uid", uid)); 786 au_uwrite(au_to_arg32(3, "new file gid", gid)); 787 } 788 789 /* fchown start function */ 790 /*ARGSUSED*/ 791 static void 792 aus_fchown(struct t_audit_data *tad) 793 { 794 klwp_t *clwp = ttolwp(curthread); 795 uint32_t uid, gid, fd; 796 struct file *fp; 797 struct vnode *vp; 798 struct f_audit_data *fad; 799 800 struct a { 801 long fd; 802 long uid; 803 long gid; 804 } *uap = (struct a *)clwp->lwp_ap; 805 806 fd = (uint32_t)uap->fd; 807 uid = (uint32_t)uap->uid; 808 gid = (uint32_t)uap->gid; 809 810 au_uwrite(au_to_arg32(2, "new file uid", uid)); 811 au_uwrite(au_to_arg32(3, "new file gid", gid)); 812 813 /* 814 * convert file pointer to file descriptor 815 * Note: fd ref count incremented here. 816 */ 817 if ((fp = getf(fd)) == NULL) 818 return; 819 820 /* get path from file struct here */ 821 fad = F2A(fp); 822 if (fad->fad_aupath != NULL) { 823 au_uwrite(au_to_path(fad->fad_aupath)); 824 } else { 825 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 826 } 827 828 vp = fp->f_vnode; 829 audit_attributes(vp); 830 831 /* decrement file descriptor reference count */ 832 releasef(fd); 833 } 834 835 /*ARGSUSED*/ 836 static void 837 aus_lchown(struct t_audit_data *tad) 838 { 839 klwp_t *clwp = ttolwp(curthread); 840 uint32_t uid, gid; 841 842 843 struct a { 844 long fname; /* char * */ 845 long uid; 846 long gid; 847 } *uap = (struct a *)clwp->lwp_ap; 848 849 uid = (uint32_t)uap->uid; 850 gid = (uint32_t)uap->gid; 851 852 au_uwrite(au_to_arg32(2, "new file uid", uid)); 853 au_uwrite(au_to_arg32(3, "new file gid", gid)); 854 } 855 856 static au_event_t 857 aui_fchownat(au_event_t e) 858 { 859 klwp_t *clwp = ttolwp(curthread); 860 861 struct a { 862 long fd; 863 long fname; /* char * */ 864 long uid; 865 long gid; 866 long flags; 867 } *uap = (struct a *)clwp->lwp_ap; 868 869 if (uap->fname == NULL) 870 e = AUE_FCHOWN; 871 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 872 e = AUE_LCHOWN; 873 else 874 e = AUE_CHOWN; 875 876 return (e); 877 } 878 879 /*ARGSUSED*/ 880 static void 881 aus_fchownat(struct t_audit_data *tad) 882 { 883 klwp_t *clwp = ttolwp(curthread); 884 uint32_t uid, gid; 885 886 struct a { 887 long fd; 888 long fname; /* char * */ 889 long uid; 890 long gid; 891 long flags; 892 } *uap = (struct a *)clwp->lwp_ap; 893 894 uid = (uint32_t)uap->uid; 895 gid = (uint32_t)uap->gid; 896 897 au_uwrite(au_to_arg32(3, "new file uid", uid)); 898 au_uwrite(au_to_arg32(4, "new file gid", gid)); 899 } 900 901 /*ARGSUSED*/ 902 static void 903 aus_chmod(struct t_audit_data *tad) 904 { 905 klwp_t *clwp = ttolwp(curthread); 906 uint32_t fmode; 907 908 struct a { 909 long fname; /* char * */ 910 long fmode; 911 } *uap = (struct a *)clwp->lwp_ap; 912 913 fmode = (uint32_t)uap->fmode; 914 915 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 916 } 917 918 /*ARGSUSED*/ 919 static void 920 aus_fchmod(struct t_audit_data *tad) 921 { 922 klwp_t *clwp = ttolwp(curthread); 923 uint32_t fmode, fd; 924 struct file *fp; 925 struct vnode *vp; 926 struct f_audit_data *fad; 927 928 struct a { 929 long fd; 930 long fmode; 931 } *uap = (struct a *)clwp->lwp_ap; 932 933 fd = (uint32_t)uap->fd; 934 fmode = (uint32_t)uap->fmode; 935 936 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 937 938 /* 939 * convert file pointer to file descriptor 940 * Note: fd ref count incremented here. 941 */ 942 if ((fp = getf(fd)) == NULL) 943 return; 944 945 /* get path from file struct here */ 946 fad = F2A(fp); 947 if (fad->fad_aupath != NULL) { 948 au_uwrite(au_to_path(fad->fad_aupath)); 949 } else { 950 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 951 } 952 953 vp = fp->f_vnode; 954 audit_attributes(vp); 955 956 /* decrement file descriptor reference count */ 957 releasef(fd); 958 } 959 960 static au_event_t 961 aui_fchmodat(au_event_t e) 962 { 963 klwp_t *clwp = ttolwp(curthread); 964 965 struct a { 966 long fd; 967 long fname; /* char * */ 968 long fmode; 969 long flag; 970 } *uap = (struct a *)clwp->lwp_ap; 971 972 if (uap->fname == NULL) 973 e = AUE_FCHMOD; 974 else 975 e = AUE_CHMOD; 976 977 return (e); 978 } 979 980 /*ARGSUSED*/ 981 static void 982 aus_fchmodat(struct t_audit_data *tad) 983 { 984 klwp_t *clwp = ttolwp(curthread); 985 uint32_t fmode; 986 uint32_t fd; 987 struct file *fp; 988 struct vnode *vp; 989 struct f_audit_data *fad; 990 991 struct a { 992 long fd; 993 long fname; /* char * */ 994 long fmode; 995 long flag; 996 } *uap = (struct a *)clwp->lwp_ap; 997 998 fd = (uint32_t)uap->fd; 999 fmode = (uint32_t)uap->fmode; 1000 1001 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 1002 1003 if (fd == AT_FDCWD || uap->fname != NULL) /* same as chmod() */ 1004 return; 1005 1006 /* 1007 * convert file pointer to file descriptor 1008 * Note: fd ref count incremented here. 1009 */ 1010 if ((fp = getf(fd)) == NULL) 1011 return; 1012 1013 /* get path from file struct here */ 1014 fad = F2A(fp); 1015 if (fad->fad_aupath != NULL) { 1016 au_uwrite(au_to_path(fad->fad_aupath)); 1017 } else { 1018 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1019 } 1020 1021 vp = fp->f_vnode; 1022 audit_attributes(vp); 1023 1024 /* decrement file descriptor reference count */ 1025 releasef(fd); 1026 } 1027 1028 /* 1029 * convert open mode to appropriate open event 1030 */ 1031 au_event_t 1032 open_event(uint_t fm) 1033 { 1034 au_event_t e; 1035 1036 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) { 1037 case O_RDONLY: 1038 e = AUE_OPEN_R; 1039 break; 1040 case O_RDONLY | O_CREAT: 1041 e = AUE_OPEN_RC; 1042 break; 1043 case O_RDONLY | O_TRUNC: 1044 e = AUE_OPEN_RT; 1045 break; 1046 case O_RDONLY | O_TRUNC | O_CREAT: 1047 e = AUE_OPEN_RTC; 1048 break; 1049 case O_WRONLY: 1050 e = AUE_OPEN_W; 1051 break; 1052 case O_WRONLY | O_CREAT: 1053 e = AUE_OPEN_WC; 1054 break; 1055 case O_WRONLY | O_TRUNC: 1056 e = AUE_OPEN_WT; 1057 break; 1058 case O_WRONLY | O_TRUNC | O_CREAT: 1059 e = AUE_OPEN_WTC; 1060 break; 1061 case O_RDWR: 1062 e = AUE_OPEN_RW; 1063 break; 1064 case O_RDWR | O_CREAT: 1065 e = AUE_OPEN_RWC; 1066 break; 1067 case O_RDWR | O_TRUNC: 1068 e = AUE_OPEN_RWT; 1069 break; 1070 case O_RDWR | O_TRUNC | O_CREAT: 1071 e = AUE_OPEN_RWTC; 1072 break; 1073 case O_SEARCH: 1074 e = AUE_OPEN_S; 1075 break; 1076 case O_EXEC: 1077 e = AUE_OPEN_E; 1078 break; 1079 default: 1080 e = AUE_NULL; 1081 break; 1082 } 1083 1084 return (e); 1085 } 1086 1087 /* ARGSUSED */ 1088 static au_event_t 1089 aui_open(au_event_t e) 1090 { 1091 klwp_t *clwp = ttolwp(curthread); 1092 uint_t fm; 1093 1094 struct a { 1095 long fnamep; /* char * */ 1096 long fmode; 1097 long cmode; 1098 } *uap = (struct a *)clwp->lwp_ap; 1099 1100 fm = (uint_t)uap->fmode; 1101 1102 return (open_event(fm)); 1103 } 1104 1105 static void 1106 aus_open(struct t_audit_data *tad) 1107 { 1108 klwp_t *clwp = ttolwp(curthread); 1109 uint_t fm; 1110 1111 struct a { 1112 long fnamep; /* char * */ 1113 long fmode; 1114 long cmode; 1115 } *uap = (struct a *)clwp->lwp_ap; 1116 1117 fm = (uint_t)uap->fmode; 1118 1119 /* If no write, create, or trunc modes, mark as a public op */ 1120 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1121 tad->tad_ctrl |= TAD_PUBLIC_EV; 1122 } 1123 1124 /* ARGSUSED */ 1125 static au_event_t 1126 aui_openat(au_event_t e) 1127 { 1128 t_audit_data_t *tad = T2A(curthread); 1129 klwp_t *clwp = ttolwp(curthread); 1130 uint_t fm; 1131 1132 struct a { 1133 long filedes; 1134 long fnamep; /* char * */ 1135 long fmode; 1136 long cmode; 1137 } *uap = (struct a *)clwp->lwp_ap; 1138 1139 fm = (uint_t)uap->fmode; 1140 1141 /* 1142 * __openattrdirat() does an extra pathname lookup in order to 1143 * enter the extended system attribute namespace of the referenced 1144 * extended attribute filename. 1145 */ 1146 if (fm & FXATTRDIROPEN) 1147 tad->tad_ctrl |= TAD_MLD; 1148 1149 return (open_event(fm)); 1150 } 1151 1152 static void 1153 aus_openat(struct t_audit_data *tad) 1154 { 1155 klwp_t *clwp = ttolwp(curthread); 1156 uint_t fm; 1157 1158 struct a { 1159 long filedes; 1160 long fnamep; /* char * */ 1161 long fmode; 1162 long cmode; 1163 } *uap = (struct a *)clwp->lwp_ap; 1164 1165 fm = (uint_t)uap->fmode; 1166 1167 /* If no write, create, or trunc modes, mark as a public op */ 1168 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1169 tad->tad_ctrl |= TAD_PUBLIC_EV; 1170 } 1171 1172 static au_event_t 1173 aui_unlinkat(au_event_t e) 1174 { 1175 klwp_t *clwp = ttolwp(curthread); 1176 1177 struct a { 1178 long filedes; 1179 long fnamep; /* char * */ 1180 long flags; 1181 } *uap = (struct a *)clwp->lwp_ap; 1182 1183 if (uap->flags & AT_REMOVEDIR) 1184 e = AUE_RMDIR; 1185 else 1186 e = AUE_UNLINK; 1187 1188 return (e); 1189 } 1190 1191 static au_event_t 1192 aui_fstatat(au_event_t e) 1193 { 1194 klwp_t *clwp = ttolwp(curthread); 1195 1196 struct a { 1197 long filedes; 1198 long fnamep; /* char * */ 1199 long statb; 1200 long flags; 1201 } *uap = (struct a *)clwp->lwp_ap; 1202 1203 if (uap->fnamep == NULL) 1204 e = AUE_FSTAT; 1205 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1206 e = AUE_LSTAT; 1207 else 1208 e = AUE_STAT; 1209 1210 return (e); 1211 } 1212 1213 /* msgsys */ 1214 static au_event_t 1215 aui_msgsys(au_event_t e) 1216 { 1217 klwp_t *clwp = ttolwp(curthread); 1218 uint_t fm; 1219 1220 struct a { 1221 long id; /* function code id */ 1222 long ap; /* arg pointer for recvmsg */ 1223 } *uap = (struct a *)clwp->lwp_ap; 1224 1225 struct b { 1226 long msgid; 1227 long cmd; 1228 long buf; /* struct msqid_ds * */ 1229 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1230 1231 fm = (uint_t)uap->id; 1232 1233 switch (fm) { 1234 case 0: /* msgget */ 1235 e = AUE_MSGGET; 1236 break; 1237 case 1: /* msgctl */ 1238 switch ((uint_t)uap1->cmd) { 1239 case IPC_RMID: 1240 e = AUE_MSGCTL_RMID; 1241 break; 1242 case IPC_SET: 1243 e = AUE_MSGCTL_SET; 1244 break; 1245 case IPC_STAT: 1246 e = AUE_MSGCTL_STAT; 1247 break; 1248 default: 1249 e = AUE_MSGCTL; 1250 break; 1251 } 1252 break; 1253 case 2: /* msgrcv */ 1254 e = AUE_MSGRCV; 1255 break; 1256 case 3: /* msgsnd */ 1257 e = AUE_MSGSND; 1258 break; 1259 default: /* illegal system call */ 1260 e = AUE_NULL; 1261 break; 1262 } 1263 1264 return (e); 1265 } 1266 1267 1268 /* shmsys */ 1269 static au_event_t 1270 aui_shmsys(au_event_t e) 1271 { 1272 klwp_t *clwp = ttolwp(curthread); 1273 int fm; 1274 1275 struct a { /* shmsys */ 1276 long id; /* function code id */ 1277 } *uap = (struct a *)clwp->lwp_ap; 1278 1279 struct b { /* ctrl */ 1280 long shmid; 1281 long cmd; 1282 long arg; /* struct shmid_ds * */ 1283 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1284 fm = (uint_t)uap->id; 1285 1286 switch (fm) { 1287 case 0: /* shmat */ 1288 e = AUE_SHMAT; 1289 break; 1290 case 1: /* shmctl */ 1291 switch ((uint_t)uap1->cmd) { 1292 case IPC_RMID: 1293 e = AUE_SHMCTL_RMID; 1294 break; 1295 case IPC_SET: 1296 e = AUE_SHMCTL_SET; 1297 break; 1298 case IPC_STAT: 1299 e = AUE_SHMCTL_STAT; 1300 break; 1301 default: 1302 e = AUE_SHMCTL; 1303 break; 1304 } 1305 break; 1306 case 2: /* shmdt */ 1307 e = AUE_SHMDT; 1308 break; 1309 case 3: /* shmget */ 1310 e = AUE_SHMGET; 1311 break; 1312 default: /* illegal system call */ 1313 e = AUE_NULL; 1314 break; 1315 } 1316 1317 return (e); 1318 } 1319 1320 1321 /* semsys */ 1322 static au_event_t 1323 aui_semsys(au_event_t e) 1324 { 1325 klwp_t *clwp = ttolwp(curthread); 1326 uint_t fm; 1327 1328 struct a { /* semsys */ 1329 long id; 1330 } *uap = (struct a *)clwp->lwp_ap; 1331 1332 struct b { /* ctrl */ 1333 long semid; 1334 long semnum; 1335 long cmd; 1336 long arg; 1337 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1338 1339 fm = (uint_t)uap->id; 1340 1341 switch (fm) { 1342 case 0: /* semctl */ 1343 switch ((uint_t)uap1->cmd) { 1344 case IPC_RMID: 1345 e = AUE_SEMCTL_RMID; 1346 break; 1347 case IPC_SET: 1348 e = AUE_SEMCTL_SET; 1349 break; 1350 case IPC_STAT: 1351 e = AUE_SEMCTL_STAT; 1352 break; 1353 case GETNCNT: 1354 e = AUE_SEMCTL_GETNCNT; 1355 break; 1356 case GETPID: 1357 e = AUE_SEMCTL_GETPID; 1358 break; 1359 case GETVAL: 1360 e = AUE_SEMCTL_GETVAL; 1361 break; 1362 case GETALL: 1363 e = AUE_SEMCTL_GETALL; 1364 break; 1365 case GETZCNT: 1366 e = AUE_SEMCTL_GETZCNT; 1367 break; 1368 case SETVAL: 1369 e = AUE_SEMCTL_SETVAL; 1370 break; 1371 case SETALL: 1372 e = AUE_SEMCTL_SETALL; 1373 break; 1374 default: 1375 e = AUE_SEMCTL; 1376 break; 1377 } 1378 break; 1379 case 1: /* semget */ 1380 e = AUE_SEMGET; 1381 break; 1382 case 2: /* semop */ 1383 e = AUE_SEMOP; 1384 break; 1385 default: /* illegal system call */ 1386 e = AUE_NULL; 1387 break; 1388 } 1389 1390 return (e); 1391 } 1392 1393 /* utssys - uname(2), ustat(2), fusers(2) */ 1394 static au_event_t 1395 aui_utssys(au_event_t e) 1396 { 1397 klwp_t *clwp = ttolwp(curthread); 1398 uint_t type; 1399 1400 struct a { 1401 union { 1402 long cbuf; /* char * */ 1403 long ubuf; /* struct stat * */ 1404 } ub; 1405 union { 1406 long mv; /* for USTAT */ 1407 long flags; /* for FUSERS */ 1408 } un; 1409 long type; 1410 long outbp; /* char * for FUSERS */ 1411 } *uap = (struct a *)clwp->lwp_ap; 1412 1413 type = (uint_t)uap->type; 1414 1415 if (type == UTS_FUSERS) 1416 return (e); 1417 else 1418 return ((au_event_t)AUE_NULL); 1419 } 1420 1421 static au_event_t 1422 aui_fcntl(au_event_t e) 1423 { 1424 klwp_t *clwp = ttolwp(curthread); 1425 uint_t cmd; 1426 1427 struct a { 1428 long fdes; 1429 long cmd; 1430 long arg; 1431 } *uap = (struct a *)clwp->lwp_ap; 1432 1433 cmd = (uint_t)uap->cmd; 1434 1435 switch (cmd) { 1436 case F_GETLK: 1437 case F_SETLK: 1438 case F_SETLKW: 1439 break; 1440 case F_SETFL: 1441 case F_GETFL: 1442 case F_GETFD: 1443 break; 1444 default: 1445 e = (au_event_t)AUE_NULL; 1446 break; 1447 } 1448 return ((au_event_t)e); 1449 } 1450 1451 /* null function for now */ 1452 static au_event_t 1453 aui_execve(au_event_t e) 1454 { 1455 return (e); 1456 } 1457 1458 /*ARGSUSED*/ 1459 static void 1460 aus_fcntl(struct t_audit_data *tad) 1461 { 1462 klwp_t *clwp = ttolwp(curthread); 1463 uint32_t cmd, fd, flags; 1464 struct file *fp; 1465 struct vnode *vp; 1466 struct f_audit_data *fad; 1467 1468 struct a { 1469 long fd; 1470 long cmd; 1471 long arg; 1472 } *uap = (struct a *)clwp->lwp_ap; 1473 1474 cmd = (uint32_t)uap->cmd; 1475 fd = (uint32_t)uap->fd; 1476 flags = (uint32_t)uap->arg; 1477 1478 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1479 1480 if (cmd == F_SETFL) 1481 au_uwrite(au_to_arg32(3, "flags", flags)); 1482 1483 /* 1484 * convert file pointer to file descriptor 1485 * Note: fd ref count incremented here. 1486 */ 1487 if ((fp = getf(fd)) == NULL) 1488 return; 1489 1490 /* get path from file struct here */ 1491 fad = F2A(fp); 1492 if (fad->fad_aupath != NULL) { 1493 au_uwrite(au_to_path(fad->fad_aupath)); 1494 } else { 1495 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1496 } 1497 1498 vp = fp->f_vnode; 1499 audit_attributes(vp); 1500 1501 /* decrement file descriptor reference count */ 1502 releasef(fd); 1503 } 1504 1505 /*ARGSUSED*/ 1506 static void 1507 aus_kill(struct t_audit_data *tad) 1508 { 1509 klwp_t *clwp = ttolwp(curthread); 1510 struct proc *p; 1511 uint32_t signo; 1512 uid_t uid, ruid; 1513 gid_t gid, rgid; 1514 pid_t pid; 1515 const auditinfo_addr_t *ainfo; 1516 cred_t *cr; 1517 1518 struct a { 1519 long pid; 1520 long signo; 1521 } *uap = (struct a *)clwp->lwp_ap; 1522 1523 pid = (pid_t)uap->pid; 1524 signo = (uint32_t)uap->signo; 1525 1526 au_uwrite(au_to_arg32(2, "signal", signo)); 1527 if (pid > 0) { 1528 mutex_enter(&pidlock); 1529 if (((p = prfind(pid)) == (struct proc *)0) || 1530 (p->p_stat == SIDL)) { 1531 mutex_exit(&pidlock); 1532 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1533 return; 1534 } 1535 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1536 mutex_exit(&pidlock); 1537 1538 mutex_enter(&p->p_crlock); 1539 crhold(cr = p->p_cred); 1540 mutex_exit(&p->p_crlock); 1541 mutex_exit(&p->p_lock); 1542 1543 ainfo = crgetauinfo(cr); 1544 if (ainfo == NULL) { 1545 crfree(cr); 1546 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1547 return; 1548 } 1549 1550 uid = crgetuid(cr); 1551 gid = crgetgid(cr); 1552 ruid = crgetruid(cr); 1553 rgid = crgetrgid(cr); 1554 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1555 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1556 1557 if (is_system_labeled()) 1558 au_uwrite(au_to_label(CR_SL(cr))); 1559 1560 crfree(cr); 1561 } 1562 else 1563 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1564 } 1565 1566 /*ARGSUSED*/ 1567 static void 1568 aus_mkdir(struct t_audit_data *tad) 1569 { 1570 klwp_t *clwp = ttolwp(curthread); 1571 uint32_t dmode; 1572 1573 struct a { 1574 long dirnamep; /* char * */ 1575 long dmode; 1576 } *uap = (struct a *)clwp->lwp_ap; 1577 1578 dmode = (uint32_t)uap->dmode; 1579 1580 au_uwrite(au_to_arg32(2, "mode", dmode)); 1581 } 1582 1583 /*ARGSUSED*/ 1584 static void 1585 aus_mkdirat(struct t_audit_data *tad) 1586 { 1587 klwp_t *clwp = ttolwp(curthread); 1588 uint32_t dmode; 1589 1590 struct a { 1591 long fd; 1592 long dirnamep; /* char * */ 1593 long dmode; 1594 } *uap = (struct a *)clwp->lwp_ap; 1595 1596 dmode = (uint32_t)uap->dmode; 1597 1598 au_uwrite(au_to_arg32(2, "mode", dmode)); 1599 } 1600 1601 /*ARGSUSED*/ 1602 static void 1603 aus_mknod(struct t_audit_data *tad) 1604 { 1605 klwp_t *clwp = ttolwp(curthread); 1606 uint32_t fmode; 1607 dev_t dev; 1608 1609 struct a { 1610 long pnamep; /* char * */ 1611 long fmode; 1612 long dev; 1613 } *uap = (struct a *)clwp->lwp_ap; 1614 1615 fmode = (uint32_t)uap->fmode; 1616 dev = (dev_t)uap->dev; 1617 1618 au_uwrite(au_to_arg32(2, "mode", fmode)); 1619 #ifdef _LP64 1620 au_uwrite(au_to_arg64(3, "dev", dev)); 1621 #else 1622 au_uwrite(au_to_arg32(3, "dev", dev)); 1623 #endif 1624 } 1625 1626 /*ARGSUSED*/ 1627 static void 1628 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1629 { 1630 klwp_t *clwp = ttolwp(curthread); 1631 vnode_t *dvp; 1632 caddr_t pnamep; 1633 1634 struct a { 1635 long pnamep; /* char * */ 1636 long fmode; 1637 long dev; 1638 } *uap = (struct a *)clwp->lwp_ap; 1639 1640 /* no error, then already path token in audit record */ 1641 if (error != EPERM && error != EINVAL) 1642 return; 1643 1644 /* do the lookup to force generation of path token */ 1645 pnamep = (caddr_t)uap->pnamep; 1646 tad->tad_ctrl |= TAD_NOATTRB; 1647 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1648 if (error == 0) 1649 VN_RELE(dvp); 1650 } 1651 1652 /*ARGSUSED*/ 1653 static void 1654 aus_mknodat(struct t_audit_data *tad) 1655 { 1656 klwp_t *clwp = ttolwp(curthread); 1657 uint32_t fmode; 1658 dev_t dev; 1659 1660 struct a { 1661 long fd; 1662 long pnamep; /* char * */ 1663 long fmode; 1664 long dev; 1665 } *uap = (struct a *)clwp->lwp_ap; 1666 1667 fmode = (uint32_t)uap->fmode; 1668 dev = (dev_t)uap->dev; 1669 1670 au_uwrite(au_to_arg32(2, "mode", fmode)); 1671 #ifdef _LP64 1672 au_uwrite(au_to_arg64(3, "dev", dev)); 1673 #else 1674 au_uwrite(au_to_arg32(3, "dev", dev)); 1675 #endif 1676 } 1677 1678 /*ARGSUSED*/ 1679 static void 1680 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval) 1681 { 1682 klwp_t *clwp = ttolwp(curthread); 1683 vnode_t *startvp; 1684 vnode_t *dvp; 1685 caddr_t pnamep; 1686 int fd; 1687 1688 struct a { 1689 long fd; 1690 long pnamep; /* char * */ 1691 long fmode; 1692 long dev; 1693 } *uap = (struct a *)clwp->lwp_ap; 1694 1695 /* no error, then already path token in audit record */ 1696 if (error != EPERM && error != EINVAL) 1697 return; 1698 1699 /* do the lookup to force generation of path token */ 1700 fd = (int)uap->fd; 1701 pnamep = (caddr_t)uap->pnamep; 1702 if (pnamep == NULL || 1703 fgetstartvp(fd, pnamep, &startvp) != 0) 1704 return; 1705 tad->tad_ctrl |= TAD_NOATTRB; 1706 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP, 1707 startvp); 1708 if (error == 0) 1709 VN_RELE(dvp); 1710 if (startvp != NULL) 1711 VN_RELE(startvp); 1712 } 1713 1714 /*ARGSUSED*/ 1715 static void 1716 aus_mount(struct t_audit_data *tad) 1717 { /* AUS_START */ 1718 klwp_t *clwp = ttolwp(curthread); 1719 uint32_t flags; 1720 uintptr_t u_fstype, dataptr; 1721 STRUCT_DECL(nfs_args, nfsargs); 1722 size_t len; 1723 char *fstype, *hostname; 1724 1725 struct a { 1726 long spec; /* char * */ 1727 long dir; /* char * */ 1728 long flags; 1729 long fstype; /* char * */ 1730 long dataptr; /* char * */ 1731 long datalen; 1732 } *uap = (struct a *)clwp->lwp_ap; 1733 1734 u_fstype = (uintptr_t)uap->fstype; 1735 flags = (uint32_t)uap->flags; 1736 dataptr = (uintptr_t)uap->dataptr; 1737 1738 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1739 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1740 goto mount_free_fstype; 1741 1742 au_uwrite(au_to_arg32(3, "flags", flags)); 1743 au_uwrite(au_to_text(fstype)); 1744 1745 if (strncmp(fstype, "nfs", 3) == 0) { 1746 1747 STRUCT_INIT(nfsargs, get_udatamodel()); 1748 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1749 1750 if (copyin((caddr_t)dataptr, 1751 STRUCT_BUF(nfsargs), 1752 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1753 /* DEBUG debug_enter((char *)NULL); */ 1754 goto mount_free_fstype; 1755 } 1756 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1757 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1758 (caddr_t)hostname, 1759 MAXNAMELEN, &len)) { 1760 goto mount_free_hostname; 1761 } 1762 au_uwrite(au_to_text(hostname)); 1763 au_uwrite(au_to_arg32(3, "internal flags", 1764 (uint_t)STRUCT_FGET(nfsargs, flags))); 1765 1766 mount_free_hostname: 1767 kmem_free(hostname, MAXNAMELEN); 1768 } 1769 1770 mount_free_fstype: 1771 kmem_free(fstype, MAXNAMELEN); 1772 } /* AUS_MOUNT */ 1773 1774 static void 1775 aus_umount_path(caddr_t umount_dir) 1776 { 1777 char *dir_path; 1778 struct audit_path *path; 1779 size_t path_len, dir_len; 1780 1781 /* length alloc'd for two string pointers */ 1782 path_len = sizeof (struct audit_path) + sizeof (char *); 1783 path = kmem_alloc(path_len, KM_SLEEP); 1784 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1785 1786 if (copyinstr(umount_dir, (caddr_t)dir_path, 1787 MAXPATHLEN, &dir_len)) 1788 goto umount2_free_dir; 1789 1790 /* 1791 * the audit_path struct assumes that the buffer pointed to 1792 * by audp_sect[n] contains string 0 immediatedly followed 1793 * by string 1. 1794 */ 1795 path->audp_sect[0] = dir_path; 1796 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1797 path->audp_size = path_len; 1798 path->audp_ref = 1; /* not used */ 1799 path->audp_cnt = 1; /* one path string */ 1800 1801 au_uwrite(au_to_path(path)); 1802 1803 umount2_free_dir: 1804 kmem_free(dir_path, MAXPATHLEN); 1805 kmem_free(path, path_len); 1806 } 1807 1808 /*ARGSUSED*/ 1809 static void 1810 aus_umount2(struct t_audit_data *tad) 1811 { 1812 klwp_t *clwp = ttolwp(curthread); 1813 struct a { 1814 long dir; /* char * */ 1815 long flags; 1816 } *uap = (struct a *)clwp->lwp_ap; 1817 1818 aus_umount_path((caddr_t)uap->dir); 1819 1820 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1821 } 1822 1823 static void 1824 aus_msgsys(struct t_audit_data *tad) 1825 { 1826 klwp_t *clwp = ttolwp(curthread); 1827 uint32_t msgid; 1828 1829 struct b { 1830 long msgid; 1831 long cmd; 1832 long buf; /* struct msqid_ds * */ 1833 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1834 1835 msgid = (uint32_t)uap1->msgid; 1836 1837 1838 switch (tad->tad_event) { 1839 case AUE_MSGGET: /* msgget */ 1840 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1841 break; 1842 case AUE_MSGCTL: /* msgctl */ 1843 case AUE_MSGCTL_RMID: /* msgctl */ 1844 case AUE_MSGCTL_SET: /* msgctl */ 1845 case AUE_MSGCTL_STAT: /* msgctl */ 1846 case AUE_MSGRCV: /* msgrcv */ 1847 case AUE_MSGSND: /* msgsnd */ 1848 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1849 break; 1850 } 1851 } 1852 1853 /*ARGSUSED*/ 1854 static void 1855 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1856 { 1857 int id; 1858 1859 if (error != 0) 1860 return; 1861 if (tad->tad_event == AUE_MSGGET) { 1862 uint32_t scid; 1863 uint32_t sy_flags; 1864 1865 /* need to determine type of executing binary */ 1866 scid = tad->tad_scid; 1867 #ifdef _SYSCALL32_IMPL 1868 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1869 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1870 else 1871 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1872 #else 1873 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1874 #endif 1875 if (sy_flags == SE_32RVAL1) 1876 id = rval->r_val1; 1877 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1878 id = rval->r_val1; 1879 if (sy_flags == SE_64RVAL) 1880 id = (int)rval->r_vals; 1881 1882 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1883 } 1884 } 1885 1886 static void 1887 aus_semsys(struct t_audit_data *tad) 1888 { 1889 klwp_t *clwp = ttolwp(curthread); 1890 uint32_t semid; 1891 1892 struct b { /* ctrl */ 1893 long semid; 1894 long semnum; 1895 long cmd; 1896 long arg; 1897 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1898 1899 semid = (uint32_t)uap1->semid; 1900 1901 switch (tad->tad_event) { 1902 case AUE_SEMCTL_RMID: 1903 case AUE_SEMCTL_STAT: 1904 case AUE_SEMCTL_GETNCNT: 1905 case AUE_SEMCTL_GETPID: 1906 case AUE_SEMCTL_GETVAL: 1907 case AUE_SEMCTL_GETALL: 1908 case AUE_SEMCTL_GETZCNT: 1909 case AUE_SEMCTL_SET: 1910 case AUE_SEMCTL_SETVAL: 1911 case AUE_SEMCTL_SETALL: 1912 case AUE_SEMCTL: 1913 case AUE_SEMOP: 1914 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1915 break; 1916 case AUE_SEMGET: 1917 au_uwrite(au_to_arg32(1, "sem key", semid)); 1918 break; 1919 } 1920 } 1921 1922 /*ARGSUSED*/ 1923 static void 1924 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1925 { 1926 int id; 1927 1928 if (error != 0) 1929 return; 1930 if (tad->tad_event == AUE_SEMGET) { 1931 uint32_t scid; 1932 uint32_t sy_flags; 1933 1934 /* need to determine type of executing binary */ 1935 scid = tad->tad_scid; 1936 #ifdef _SYSCALL32_IMPL 1937 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1938 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1939 else 1940 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1941 #else 1942 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1943 #endif 1944 if (sy_flags == SE_32RVAL1) 1945 id = rval->r_val1; 1946 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1947 id = rval->r_val1; 1948 if (sy_flags == SE_64RVAL) 1949 id = (int)rval->r_vals; 1950 1951 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1952 } 1953 } 1954 1955 /*ARGSUSED*/ 1956 static void 1957 aus_close(struct t_audit_data *tad) 1958 { 1959 klwp_t *clwp = ttolwp(curthread); 1960 uint32_t fd; 1961 struct file *fp; 1962 struct f_audit_data *fad; 1963 struct vnode *vp; 1964 struct vattr attr; 1965 au_kcontext_t *kctx = GET_KCTX_PZ; 1966 1967 struct a { 1968 long i; 1969 } *uap = (struct a *)clwp->lwp_ap; 1970 1971 fd = (uint32_t)uap->i; 1972 1973 attr.va_mask = 0; 1974 au_uwrite(au_to_arg32(1, "fd", fd)); 1975 1976 /* 1977 * convert file pointer to file descriptor 1978 * Note: fd ref count incremented here. 1979 */ 1980 if ((fp = getf(fd)) == NULL) 1981 return; 1982 1983 fad = F2A(fp); 1984 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1985 if (fad->fad_aupath != NULL) { 1986 au_uwrite(au_to_path(fad->fad_aupath)); 1987 if ((vp = fp->f_vnode) != NULL) { 1988 attr.va_mask = AT_ALL; 1989 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1990 /* 1991 * When write was not used and the file can be 1992 * considered public, skip the audit. 1993 */ 1994 if (((fp->f_flag & FWRITE) == 0) && 1995 object_is_public(&attr)) { 1996 tad->tad_flag = 0; 1997 tad->tad_evmod = 0; 1998 /* free any residual audit data */ 1999 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 2000 releasef(fd); 2001 return; 2002 } 2003 au_uwrite(au_to_attr(&attr)); 2004 audit_sec_attributes(&(u_ad), vp); 2005 } 2006 } 2007 } 2008 2009 /* decrement file descriptor reference count */ 2010 releasef(fd); 2011 } 2012 2013 /*ARGSUSED*/ 2014 static void 2015 aus_fstatfs(struct t_audit_data *tad) 2016 { 2017 klwp_t *clwp = ttolwp(curthread); 2018 uint32_t fd; 2019 struct file *fp; 2020 struct vnode *vp; 2021 struct f_audit_data *fad; 2022 2023 struct a { 2024 long fd; 2025 long buf; /* struct statfs * */ 2026 } *uap = (struct a *)clwp->lwp_ap; 2027 2028 fd = (uint_t)uap->fd; 2029 2030 /* 2031 * convert file pointer to file descriptor 2032 * Note: fd ref count incremented here. 2033 */ 2034 if ((fp = getf(fd)) == NULL) 2035 return; 2036 2037 /* get path from file struct here */ 2038 fad = F2A(fp); 2039 if (fad->fad_aupath != NULL) { 2040 au_uwrite(au_to_path(fad->fad_aupath)); 2041 } else { 2042 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2043 } 2044 2045 vp = fp->f_vnode; 2046 audit_attributes(vp); 2047 2048 /* decrement file descriptor reference count */ 2049 releasef(fd); 2050 } 2051 2052 static au_event_t 2053 aui_setpgrp(au_event_t e) 2054 { 2055 klwp_t *clwp = ttolwp(curthread); 2056 int flag; 2057 2058 struct a { 2059 long flag; 2060 long pid; 2061 long pgid; 2062 } *uap = (struct a *)clwp->lwp_ap; 2063 2064 flag = (int)uap->flag; 2065 2066 2067 switch (flag) { 2068 2069 case 1: /* setpgrp() */ 2070 e = AUE_SETPGRP; 2071 break; 2072 2073 case 3: /* setsid() */ 2074 e = AUE_SETSID; 2075 break; 2076 2077 case 5: /* setpgid() */ 2078 e = AUE_SETPGID; 2079 break; 2080 2081 case 0: /* getpgrp() - not security relevant */ 2082 case 2: /* getsid() - not security relevant */ 2083 case 4: /* getpgid() - not security relevant */ 2084 e = AUE_NULL; 2085 break; 2086 2087 default: 2088 e = AUE_NULL; 2089 break; 2090 } 2091 2092 return (e); 2093 } 2094 2095 /*ARGSUSED*/ 2096 static void 2097 aus_setpgrp(struct t_audit_data *tad) 2098 { 2099 klwp_t *clwp = ttolwp(curthread); 2100 pid_t pgid; 2101 struct proc *p; 2102 uid_t uid, ruid; 2103 gid_t gid, rgid; 2104 pid_t pid; 2105 cred_t *cr; 2106 int flag; 2107 const auditinfo_addr_t *ainfo; 2108 2109 struct a { 2110 long flag; 2111 long pid; 2112 long pgid; 2113 } *uap = (struct a *)clwp->lwp_ap; 2114 2115 flag = (int)uap->flag; 2116 pid = (pid_t)uap->pid; 2117 pgid = (pid_t)uap->pgid; 2118 2119 2120 switch (flag) { 2121 2122 case 0: /* getpgrp() */ 2123 case 1: /* setpgrp() */ 2124 case 2: /* getsid() */ 2125 case 3: /* setsid() */ 2126 case 4: /* getpgid() */ 2127 break; 2128 2129 case 5: /* setpgid() */ 2130 2131 /* current process? */ 2132 if (pid == 0) { 2133 return; 2134 } 2135 2136 mutex_enter(&pidlock); 2137 p = prfind(pid); 2138 if (p == NULL || p->p_as == &kas || 2139 p->p_stat == SIDL || p->p_stat == SZOMB) { 2140 mutex_exit(&pidlock); 2141 return; 2142 } 2143 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2144 mutex_exit(&pidlock); 2145 2146 mutex_enter(&p->p_crlock); 2147 crhold(cr = p->p_cred); 2148 mutex_exit(&p->p_crlock); 2149 mutex_exit(&p->p_lock); 2150 2151 ainfo = crgetauinfo(cr); 2152 if (ainfo == NULL) { 2153 crfree(cr); 2154 return; 2155 } 2156 2157 uid = crgetuid(cr); 2158 gid = crgetgid(cr); 2159 ruid = crgetruid(cr); 2160 rgid = crgetrgid(cr); 2161 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2162 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2163 crfree(cr); 2164 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2165 break; 2166 2167 default: 2168 break; 2169 } 2170 } 2171 2172 2173 /*ARGSUSED*/ 2174 static void 2175 aus_setregid(struct t_audit_data *tad) 2176 { 2177 klwp_t *clwp = ttolwp(curthread); 2178 uint32_t rgid, egid; 2179 2180 struct a { 2181 long rgid; 2182 long egid; 2183 } *uap = (struct a *)clwp->lwp_ap; 2184 2185 rgid = (uint32_t)uap->rgid; 2186 egid = (uint32_t)uap->egid; 2187 2188 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2189 au_uwrite(au_to_arg32(2, "egid", egid)); 2190 } 2191 2192 /*ARGSUSED*/ 2193 static void 2194 aus_setgid(struct t_audit_data *tad) 2195 { 2196 klwp_t *clwp = ttolwp(curthread); 2197 uint32_t gid; 2198 2199 struct a { 2200 long gid; 2201 } *uap = (struct a *)clwp->lwp_ap; 2202 2203 gid = (uint32_t)uap->gid; 2204 2205 au_uwrite(au_to_arg32(1, "gid", gid)); 2206 } 2207 2208 2209 /*ARGSUSED*/ 2210 static void 2211 aus_setreuid(struct t_audit_data *tad) 2212 { 2213 klwp_t *clwp = ttolwp(curthread); 2214 uint32_t ruid, euid; 2215 2216 struct a { 2217 long ruid; 2218 long euid; 2219 } *uap = (struct a *)clwp->lwp_ap; 2220 2221 ruid = (uint32_t)uap->ruid; 2222 euid = (uint32_t)uap->euid; 2223 2224 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2225 au_uwrite(au_to_arg32(2, "euid", euid)); 2226 } 2227 2228 2229 /*ARGSUSED*/ 2230 static void 2231 aus_setuid(struct t_audit_data *tad) 2232 { 2233 klwp_t *clwp = ttolwp(curthread); 2234 uint32_t uid; 2235 2236 struct a { 2237 long uid; 2238 } *uap = (struct a *)clwp->lwp_ap; 2239 2240 uid = (uint32_t)uap->uid; 2241 2242 au_uwrite(au_to_arg32(1, "uid", uid)); 2243 } 2244 2245 /*ARGSUSED*/ 2246 static void 2247 aus_shmsys(struct t_audit_data *tad) 2248 { 2249 klwp_t *clwp = ttolwp(curthread); 2250 uint32_t id, cmd; 2251 2252 struct b { 2253 long id; 2254 long cmd; 2255 long buf; /* struct shmid_ds * */ 2256 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2257 2258 id = (uint32_t)uap1->id; 2259 cmd = (uint32_t)uap1->cmd; 2260 2261 switch (tad->tad_event) { 2262 case AUE_SHMGET: /* shmget */ 2263 au_uwrite(au_to_arg32(1, "shm key", id)); 2264 break; 2265 case AUE_SHMCTL: /* shmctl */ 2266 case AUE_SHMCTL_RMID: /* shmctl */ 2267 case AUE_SHMCTL_STAT: /* shmctl */ 2268 case AUE_SHMCTL_SET: /* shmctl */ 2269 au_uwrite(au_to_arg32(1, "shm ID", id)); 2270 break; 2271 case AUE_SHMDT: /* shmdt */ 2272 au_uwrite(au_to_arg32(1, "shm adr", id)); 2273 break; 2274 case AUE_SHMAT: /* shmat */ 2275 au_uwrite(au_to_arg32(1, "shm ID", id)); 2276 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2277 break; 2278 } 2279 } 2280 2281 /*ARGSUSED*/ 2282 static void 2283 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2284 { 2285 int id; 2286 2287 if (error != 0) 2288 return; 2289 if (tad->tad_event == AUE_SHMGET) { 2290 uint32_t scid; 2291 uint32_t sy_flags; 2292 2293 /* need to determine type of executing binary */ 2294 scid = tad->tad_scid; 2295 #ifdef _SYSCALL32_IMPL 2296 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2297 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2298 else 2299 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2300 #else 2301 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2302 #endif 2303 if (sy_flags == SE_32RVAL1) 2304 id = rval->r_val1; 2305 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2306 id = rval->r_val1; 2307 if (sy_flags == SE_64RVAL) 2308 id = (int)rval->r_vals; 2309 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2310 } 2311 } 2312 2313 2314 /*ARGSUSED*/ 2315 static void 2316 aus_ioctl(struct t_audit_data *tad) 2317 { 2318 klwp_t *clwp = ttolwp(curthread); 2319 struct file *fp; 2320 struct vnode *vp; 2321 struct f_audit_data *fad; 2322 uint32_t fd, cmd; 2323 uintptr_t cmarg; 2324 2325 /* XX64 */ 2326 struct a { 2327 long fd; 2328 long cmd; 2329 long cmarg; /* caddr_t */ 2330 } *uap = (struct a *)clwp->lwp_ap; 2331 2332 fd = (uint32_t)uap->fd; 2333 cmd = (uint32_t)uap->cmd; 2334 cmarg = (uintptr_t)uap->cmarg; 2335 2336 /* 2337 * convert file pointer to file descriptor 2338 * Note: fd ref count incremented here. 2339 */ 2340 if ((fp = getf(fd)) == NULL) { 2341 au_uwrite(au_to_arg32(1, "fd", fd)); 2342 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2343 #ifndef _LP64 2344 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2345 #else 2346 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2347 #endif 2348 return; 2349 } 2350 2351 /* get path from file struct here */ 2352 fad = F2A(fp); 2353 if (fad->fad_aupath != NULL) { 2354 au_uwrite(au_to_path(fad->fad_aupath)); 2355 } else { 2356 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2357 } 2358 2359 vp = fp->f_vnode; 2360 audit_attributes(vp); 2361 2362 /* decrement file descriptor reference count */ 2363 releasef(fd); 2364 2365 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2366 #ifndef _LP64 2367 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2368 #else 2369 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2370 #endif 2371 } 2372 2373 /* 2374 * null function for memcntl for now. We might want to limit memcntl() 2375 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2376 * require privileges. 2377 */ 2378 static au_event_t 2379 aui_memcntl(au_event_t e) 2380 { 2381 return (e); 2382 } 2383 2384 /*ARGSUSED*/ 2385 static au_event_t 2386 aui_privsys(au_event_t e) 2387 { 2388 klwp_t *clwp = ttolwp(curthread); 2389 2390 struct a { 2391 long opcode; 2392 } *uap = (struct a *)clwp->lwp_ap; 2393 2394 switch (uap->opcode) { 2395 case PRIVSYS_SETPPRIV: 2396 return (AUE_SETPPRIV); 2397 default: 2398 return (AUE_NULL); 2399 } 2400 } 2401 2402 /*ARGSUSED*/ 2403 static void 2404 aus_memcntl(struct t_audit_data *tad) 2405 { 2406 klwp_t *clwp = ttolwp(curthread); 2407 2408 struct a { 2409 long addr; 2410 long len; 2411 long cmd; 2412 long arg; 2413 long attr; 2414 long mask; 2415 } *uap = (struct a *)clwp->lwp_ap; 2416 2417 #ifdef _LP64 2418 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2419 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2420 #else 2421 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2422 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2423 #endif 2424 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2425 #ifdef _LP64 2426 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2427 #else 2428 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2429 #endif 2430 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2431 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2432 } 2433 2434 /*ARGSUSED*/ 2435 static void 2436 aus_mmap(struct t_audit_data *tad) 2437 { 2438 klwp_t *clwp = ttolwp(curthread); 2439 struct file *fp; 2440 struct f_audit_data *fad; 2441 struct vnode *vp; 2442 uint32_t fd; 2443 2444 struct a { 2445 long addr; 2446 long len; 2447 long prot; 2448 long flags; 2449 long fd; 2450 long pos; 2451 } *uap = (struct a *)clwp->lwp_ap; 2452 2453 fd = (uint32_t)uap->fd; 2454 2455 #ifdef _LP64 2456 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2457 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2458 #else 2459 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2460 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2461 #endif 2462 2463 if ((fp = getf(fd)) == NULL) { 2464 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2465 return; 2466 } 2467 2468 /* 2469 * Mark in the tad if write access is NOT requested... if 2470 * this is later detected (in audit_attributes) to be a 2471 * public object, the mmap event may be discarded. 2472 */ 2473 if (((uap->prot) & PROT_WRITE) == 0) { 2474 tad->tad_ctrl |= TAD_PUBLIC_EV; 2475 } 2476 2477 fad = F2A(fp); 2478 if (fad->fad_aupath != NULL) { 2479 au_uwrite(au_to_path(fad->fad_aupath)); 2480 } else { 2481 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2482 } 2483 2484 vp = (struct vnode *)fp->f_vnode; 2485 audit_attributes(vp); 2486 2487 /* mark READ/WRITE since we can't predict access */ 2488 if (uap->prot & PROT_READ) 2489 fad->fad_flags |= FAD_READ; 2490 if (uap->prot & PROT_WRITE) 2491 fad->fad_flags |= FAD_WRITE; 2492 2493 /* decrement file descriptor reference count */ 2494 releasef(fd); 2495 2496 } /* AUS_MMAP */ 2497 2498 2499 2500 2501 /*ARGSUSED*/ 2502 static void 2503 aus_munmap(struct t_audit_data *tad) 2504 { 2505 klwp_t *clwp = ttolwp(curthread); 2506 2507 struct a { 2508 long addr; 2509 long len; 2510 } *uap = (struct a *)clwp->lwp_ap; 2511 2512 #ifdef _LP64 2513 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2514 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2515 #else 2516 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2517 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2518 #endif 2519 2520 } /* AUS_MUNMAP */ 2521 2522 2523 2524 2525 2526 2527 2528 /*ARGSUSED*/ 2529 static void 2530 aus_priocntlsys(struct t_audit_data *tad) 2531 { 2532 klwp_t *clwp = ttolwp(curthread); 2533 2534 struct a { 2535 long pc_version; 2536 long psp; /* procset_t */ 2537 long cmd; 2538 long arg; 2539 } *uap = (struct a *)clwp->lwp_ap; 2540 2541 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2542 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2543 2544 } /* AUS_PRIOCNTLSYS */ 2545 2546 2547 /*ARGSUSED*/ 2548 static void 2549 aus_setegid(struct t_audit_data *tad) 2550 { 2551 klwp_t *clwp = ttolwp(curthread); 2552 uint32_t gid; 2553 2554 struct a { 2555 long gid; 2556 } *uap = (struct a *)clwp->lwp_ap; 2557 2558 gid = (uint32_t)uap->gid; 2559 2560 au_uwrite(au_to_arg32(1, "gid", gid)); 2561 } /* AUS_SETEGID */ 2562 2563 2564 2565 2566 /*ARGSUSED*/ 2567 static void 2568 aus_setgroups(struct t_audit_data *tad) 2569 { 2570 klwp_t *clwp = ttolwp(curthread); 2571 int i; 2572 int gidsetsize; 2573 uintptr_t gidset; 2574 gid_t *gidlist; 2575 2576 struct a { 2577 long gidsetsize; 2578 long gidset; 2579 } *uap = (struct a *)clwp->lwp_ap; 2580 2581 gidsetsize = (uint_t)uap->gidsetsize; 2582 gidset = (uintptr_t)uap->gidset; 2583 2584 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2585 return; 2586 if (gidsetsize != 0) { 2587 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2588 KM_SLEEP); 2589 if (copyin((caddr_t)gidset, gidlist, 2590 gidsetsize * sizeof (gid_t)) == 0) 2591 for (i = 0; i < gidsetsize; i++) 2592 au_uwrite(au_to_arg32(1, "setgroups", 2593 (uint32_t)gidlist[i])); 2594 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2595 } else 2596 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2597 2598 } /* AUS_SETGROUPS */ 2599 2600 2601 2602 2603 2604 /*ARGSUSED*/ 2605 static void 2606 aus_seteuid(struct t_audit_data *tad) 2607 { 2608 klwp_t *clwp = ttolwp(curthread); 2609 uint32_t uid; 2610 2611 struct a { 2612 long uid; 2613 } *uap = (struct a *)clwp->lwp_ap; 2614 2615 uid = (uint32_t)uap->uid; 2616 2617 au_uwrite(au_to_arg32(1, "euid", uid)); 2618 2619 } /* AUS_SETEUID */ 2620 2621 /*ARGSUSED*/ 2622 static void 2623 aus_putmsg(struct t_audit_data *tad) 2624 { 2625 klwp_t *clwp = ttolwp(curthread); 2626 uint32_t fd, pri; 2627 struct file *fp; 2628 struct f_audit_data *fad; 2629 2630 struct a { 2631 long fdes; 2632 long ctl; /* struct strbuf * */ 2633 long data; /* struct strbuf * */ 2634 long pri; 2635 } *uap = (struct a *)clwp->lwp_ap; 2636 2637 fd = (uint32_t)uap->fdes; 2638 pri = (uint32_t)uap->pri; 2639 2640 au_uwrite(au_to_arg32(1, "fd", fd)); 2641 2642 if ((fp = getf(fd)) != NULL) { 2643 fad = F2A(fp); 2644 2645 fad->fad_flags |= FAD_WRITE; 2646 2647 /* add path name to audit record */ 2648 if (fad->fad_aupath != NULL) { 2649 au_uwrite(au_to_path(fad->fad_aupath)); 2650 } 2651 audit_attributes(fp->f_vnode); 2652 2653 releasef(fd); 2654 } 2655 2656 au_uwrite(au_to_arg32(4, "pri", pri)); 2657 } 2658 2659 /*ARGSUSED*/ 2660 static void 2661 aus_putpmsg(struct t_audit_data *tad) 2662 { 2663 klwp_t *clwp = ttolwp(curthread); 2664 uint32_t fd, pri, flags; 2665 struct file *fp; 2666 struct f_audit_data *fad; 2667 2668 struct a { 2669 long fdes; 2670 long ctl; /* struct strbuf * */ 2671 long data; /* struct strbuf * */ 2672 long pri; 2673 long flags; 2674 } *uap = (struct a *)clwp->lwp_ap; 2675 2676 fd = (uint32_t)uap->fdes; 2677 pri = (uint32_t)uap->pri; 2678 flags = (uint32_t)uap->flags; 2679 2680 au_uwrite(au_to_arg32(1, "fd", fd)); 2681 2682 if ((fp = getf(fd)) != NULL) { 2683 fad = F2A(fp); 2684 2685 fad->fad_flags |= FAD_WRITE; 2686 2687 /* add path name to audit record */ 2688 if (fad->fad_aupath != NULL) { 2689 au_uwrite(au_to_path(fad->fad_aupath)); 2690 } 2691 audit_attributes(fp->f_vnode); 2692 2693 releasef(fd); 2694 } 2695 2696 2697 au_uwrite(au_to_arg32(4, "pri", pri)); 2698 au_uwrite(au_to_arg32(5, "flags", flags)); 2699 } 2700 2701 /*ARGSUSED*/ 2702 static void 2703 aus_getmsg(struct t_audit_data *tad) 2704 { 2705 klwp_t *clwp = ttolwp(curthread); 2706 uint32_t fd, pri; 2707 struct file *fp; 2708 struct f_audit_data *fad; 2709 2710 struct a { 2711 long fdes; 2712 long ctl; /* struct strbuf * */ 2713 long data; /* struct strbuf * */ 2714 long pri; 2715 } *uap = (struct a *)clwp->lwp_ap; 2716 2717 fd = (uint32_t)uap->fdes; 2718 pri = (uint32_t)uap->pri; 2719 2720 au_uwrite(au_to_arg32(1, "fd", fd)); 2721 2722 if ((fp = getf(fd)) != NULL) { 2723 fad = F2A(fp); 2724 2725 /* 2726 * read operation on this object 2727 */ 2728 fad->fad_flags |= FAD_READ; 2729 2730 /* add path name to audit record */ 2731 if (fad->fad_aupath != NULL) { 2732 au_uwrite(au_to_path(fad->fad_aupath)); 2733 } 2734 audit_attributes(fp->f_vnode); 2735 2736 releasef(fd); 2737 } 2738 2739 au_uwrite(au_to_arg32(4, "pri", pri)); 2740 } 2741 2742 /*ARGSUSED*/ 2743 static void 2744 aus_getpmsg(struct t_audit_data *tad) 2745 { 2746 klwp_t *clwp = ttolwp(curthread); 2747 uint32_t fd; 2748 struct file *fp; 2749 struct f_audit_data *fad; 2750 2751 struct a { 2752 long fdes; 2753 long ctl; /* struct strbuf * */ 2754 long data; /* struct strbuf * */ 2755 long pri; 2756 long flags; 2757 } *uap = (struct a *)clwp->lwp_ap; 2758 2759 fd = (uint32_t)uap->fdes; 2760 2761 au_uwrite(au_to_arg32(1, "fd", fd)); 2762 2763 if ((fp = getf(fd)) != NULL) { 2764 fad = F2A(fp); 2765 2766 /* 2767 * read operation on this object 2768 */ 2769 fad->fad_flags |= FAD_READ; 2770 2771 /* add path name to audit record */ 2772 if (fad->fad_aupath != NULL) { 2773 au_uwrite(au_to_path(fad->fad_aupath)); 2774 } 2775 audit_attributes(fp->f_vnode); 2776 2777 releasef(fd); 2778 } 2779 } 2780 2781 static au_event_t 2782 aui_labelsys(au_event_t e) 2783 { 2784 klwp_t *clwp = ttolwp(curthread); 2785 uint32_t code; 2786 uint32_t cmd; 2787 2788 struct a { 2789 long code; 2790 long cmd; 2791 } *uap = (struct a *)clwp->lwp_ap; 2792 2793 code = (uint32_t)uap->code; 2794 cmd = (uint32_t)uap->cmd; 2795 2796 /* not security relevant if not changing kernel cache */ 2797 if (cmd == TNDB_GET) 2798 return (AUE_NULL); 2799 2800 switch (code) { 2801 case TSOL_TNRH: 2802 e = AUE_LABELSYS_TNRH; 2803 break; 2804 case TSOL_TNRHTP: 2805 e = AUE_LABELSYS_TNRHTP; 2806 break; 2807 case TSOL_TNMLP: 2808 e = AUE_LABELSYS_TNMLP; 2809 break; 2810 default: 2811 e = AUE_NULL; 2812 break; 2813 } 2814 2815 return (e); 2816 2817 } 2818 2819 static void 2820 aus_labelsys(struct t_audit_data *tad) 2821 { 2822 klwp_t *clwp = ttolwp(curthread); 2823 uint32_t cmd; 2824 uintptr_t a2; 2825 2826 struct a { 2827 long code; 2828 long cmd; 2829 long a2; 2830 } *uap = (struct a *)clwp->lwp_ap; 2831 2832 cmd = (uint32_t)uap->cmd; 2833 a2 = (uintptr_t)uap->a2; 2834 2835 switch (tad->tad_event) { 2836 case AUE_LABELSYS_TNRH: 2837 { 2838 tsol_rhent_t *rhent; 2839 tnaddr_t *rh_addr; 2840 2841 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2842 2843 /* Remaining args don't apply for FLUSH, so skip */ 2844 if (cmd == TNDB_FLUSH) 2845 break; 2846 2847 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2848 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2849 kmem_free(rhent, sizeof (tsol_rhent_t)); 2850 return; 2851 } 2852 2853 rh_addr = &rhent->rh_address; 2854 if (rh_addr->ta_family == AF_INET) { 2855 struct in_addr *ipaddr; 2856 2857 ipaddr = &(rh_addr->ta_addr_v4); 2858 au_uwrite(au_to_in_addr(ipaddr)); 2859 } else if (rh_addr->ta_family == AF_INET6) { 2860 int32_t *ipaddr; 2861 2862 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2863 au_uwrite(au_to_in_addr_ex(ipaddr)); 2864 } 2865 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2866 2867 kmem_free(rhent, sizeof (tsol_rhent_t)); 2868 2869 break; 2870 } 2871 case AUE_LABELSYS_TNRHTP: 2872 { 2873 tsol_tpent_t *tpent; 2874 2875 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2876 2877 /* Remaining args don't apply for FLUSH, so skip */ 2878 if (cmd == TNDB_FLUSH) 2879 break; 2880 2881 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2882 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2883 kmem_free(tpent, sizeof (tsol_tpent_t)); 2884 return; 2885 } 2886 2887 /* Make sure that the template name is null-terminated. */ 2888 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2889 2890 au_uwrite(au_to_text(tpent->name)); 2891 kmem_free(tpent, sizeof (tsol_tpent_t)); 2892 2893 break; 2894 } 2895 case AUE_LABELSYS_TNMLP: 2896 { 2897 tsol_mlpent_t *mlpent; 2898 2899 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2900 2901 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2902 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2903 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2904 return; 2905 } 2906 2907 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2908 au_uwrite(au_to_text("shared")); 2909 } else { 2910 zone_t *zone; 2911 2912 zone = zone_find_by_id(mlpent->tsme_zoneid); 2913 if (zone != NULL) { 2914 au_uwrite(au_to_text(zone->zone_name)); 2915 zone_rele(zone); 2916 } 2917 } 2918 2919 /* Remaining args don't apply for FLUSH, so skip */ 2920 if (cmd == TNDB_FLUSH) { 2921 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2922 break; 2923 } 2924 2925 au_uwrite(au_to_arg32(2, "proto num", 2926 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2927 au_uwrite(au_to_arg32(2, "mlp_port", 2928 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2929 2930 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2931 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2932 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2933 2934 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2935 2936 break; 2937 } 2938 default: 2939 break; 2940 } 2941 } 2942 2943 2944 static au_event_t 2945 aui_auditsys(au_event_t e) 2946 { 2947 klwp_t *clwp = ttolwp(curthread); 2948 uint32_t code; 2949 2950 struct a { 2951 long code; 2952 long a1; 2953 long a2; 2954 long a3; 2955 long a4; 2956 long a5; 2957 long a6; 2958 long a7; 2959 } *uap = (struct a *)clwp->lwp_ap; 2960 2961 code = (uint32_t)uap->code; 2962 2963 switch (code) { 2964 2965 case BSM_GETAUID: 2966 e = AUE_GETAUID; 2967 break; 2968 case BSM_SETAUID: 2969 e = AUE_SETAUID; 2970 break; 2971 case BSM_GETAUDIT: 2972 e = AUE_GETAUDIT; 2973 break; 2974 case BSM_GETAUDIT_ADDR: 2975 e = AUE_GETAUDIT_ADDR; 2976 break; 2977 case BSM_SETAUDIT: 2978 e = AUE_SETAUDIT; 2979 break; 2980 case BSM_SETAUDIT_ADDR: 2981 e = AUE_SETAUDIT_ADDR; 2982 break; 2983 case BSM_AUDIT: 2984 e = AUE_AUDIT; 2985 break; 2986 case BSM_AUDITCTL: 2987 switch ((uint_t)uap->a1) { 2988 2989 case A_GETPOLICY: 2990 e = AUE_AUDITON_GPOLICY; 2991 break; 2992 case A_SETPOLICY: 2993 e = AUE_AUDITON_SPOLICY; 2994 break; 2995 case A_GETAMASK: 2996 e = AUE_AUDITON_GETAMASK; 2997 break; 2998 case A_SETAMASK: 2999 e = AUE_AUDITON_SETAMASK; 3000 break; 3001 case A_GETKMASK: 3002 e = AUE_AUDITON_GETKMASK; 3003 break; 3004 case A_SETKMASK: 3005 e = AUE_AUDITON_SETKMASK; 3006 break; 3007 case A_GETQCTRL: 3008 e = AUE_AUDITON_GQCTRL; 3009 break; 3010 case A_SETQCTRL: 3011 e = AUE_AUDITON_SQCTRL; 3012 break; 3013 case A_GETCWD: 3014 e = AUE_AUDITON_GETCWD; 3015 break; 3016 case A_GETCAR: 3017 e = AUE_AUDITON_GETCAR; 3018 break; 3019 case A_GETSTAT: 3020 e = AUE_AUDITON_GETSTAT; 3021 break; 3022 case A_SETSTAT: 3023 e = AUE_AUDITON_SETSTAT; 3024 break; 3025 case A_SETUMASK: 3026 e = AUE_AUDITON_SETUMASK; 3027 break; 3028 case A_SETSMASK: 3029 e = AUE_AUDITON_SETSMASK; 3030 break; 3031 case A_GETCOND: 3032 e = AUE_AUDITON_GETCOND; 3033 break; 3034 case A_SETCOND: 3035 e = AUE_AUDITON_SETCOND; 3036 break; 3037 case A_GETCLASS: 3038 e = AUE_AUDITON_GETCLASS; 3039 break; 3040 case A_SETCLASS: 3041 e = AUE_AUDITON_SETCLASS; 3042 break; 3043 default: 3044 e = AUE_NULL; 3045 break; 3046 } 3047 break; 3048 default: 3049 e = AUE_NULL; 3050 break; 3051 } 3052 3053 return (e); 3054 3055 } /* AUI_AUDITSYS */ 3056 3057 3058 static void 3059 aus_auditsys(struct t_audit_data *tad) 3060 { 3061 klwp_t *clwp = ttolwp(curthread); 3062 uintptr_t a1, a2; 3063 STRUCT_DECL(auditinfo, ainfo); 3064 STRUCT_DECL(auditinfo_addr, ainfo_addr); 3065 au_evclass_map_t event; 3066 au_mask_t mask; 3067 int auditstate, policy; 3068 au_id_t auid; 3069 3070 3071 struct a { 3072 long code; 3073 long a1; 3074 long a2; 3075 long a3; 3076 long a4; 3077 long a5; 3078 long a6; 3079 long a7; 3080 } *uap = (struct a *)clwp->lwp_ap; 3081 3082 a1 = (uintptr_t)uap->a1; 3083 a2 = (uintptr_t)uap->a2; 3084 3085 switch (tad->tad_event) { 3086 case AUE_SETAUID: 3087 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 3088 return; 3089 au_uwrite(au_to_arg32(2, "setauid", auid)); 3090 break; 3091 case AUE_SETAUDIT: 3092 STRUCT_INIT(ainfo, get_udatamodel()); 3093 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 3094 STRUCT_SIZE(ainfo))) { 3095 return; 3096 } 3097 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 3098 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 3099 #ifdef _LP64 3100 au_uwrite(au_to_arg64((char)1, "setaudit:port", 3101 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 3102 #else 3103 au_uwrite(au_to_arg32((char)1, "setaudit:port", 3104 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 3105 #endif 3106 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 3107 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 3108 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 3109 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3110 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 3111 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3112 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 3113 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 3114 break; 3115 case AUE_SETAUDIT_ADDR: 3116 STRUCT_INIT(ainfo_addr, get_udatamodel()); 3117 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 3118 STRUCT_SIZE(ainfo_addr))) { 3119 return; 3120 } 3121 au_uwrite(au_to_arg32((char)1, "auid", 3122 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 3123 #ifdef _LP64 3124 au_uwrite(au_to_arg64((char)1, "port", 3125 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3126 #else 3127 au_uwrite(au_to_arg32((char)1, "port", 3128 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3129 #endif 3130 au_uwrite(au_to_arg32((char)1, "type", 3131 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 3132 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 3133 AU_IPv4) { 3134 au_uwrite(au_to_in_addr( 3135 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 3136 ai_termid.at_addr))); 3137 } else { 3138 au_uwrite(au_to_in_addr_ex( 3139 (int32_t *)STRUCT_FGETP(ainfo_addr, 3140 ai_termid.at_addr))); 3141 } 3142 au_uwrite(au_to_arg32((char)1, "as_success", 3143 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3144 au_uwrite(au_to_arg32((char)1, "as_failure", 3145 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3146 au_uwrite(au_to_arg32((char)1, "asid", 3147 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3148 break; 3149 case AUE_AUDITON_SETAMASK: 3150 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3151 return; 3152 au_uwrite(au_to_arg32( 3153 2, "setamask:as_success", (uint32_t)mask.as_success)); 3154 au_uwrite(au_to_arg32( 3155 2, "setamask:as_failure", (uint32_t)mask.as_failure)); 3156 break; 3157 case AUE_AUDITON_SETKMASK: 3158 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3159 return; 3160 au_uwrite(au_to_arg32( 3161 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3162 au_uwrite(au_to_arg32( 3163 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3164 break; 3165 case AUE_AUDITON_SPOLICY: 3166 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3167 return; 3168 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3169 break; 3170 case AUE_AUDITON_SQCTRL: { 3171 STRUCT_DECL(au_qctrl, qctrl); 3172 model_t model; 3173 3174 model = get_udatamodel(); 3175 STRUCT_INIT(qctrl, model); 3176 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3177 return; 3178 if (model == DATAMODEL_ILP32) { 3179 au_uwrite(au_to_arg32( 3180 3, "setqctrl:aq_hiwater", 3181 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3182 au_uwrite(au_to_arg32( 3183 3, "setqctrl:aq_lowater", 3184 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3185 au_uwrite(au_to_arg32( 3186 3, "setqctrl:aq_bufsz", 3187 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3188 au_uwrite(au_to_arg32( 3189 3, "setqctrl:aq_delay", 3190 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3191 } else { 3192 au_uwrite(au_to_arg64( 3193 3, "setqctrl:aq_hiwater", 3194 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3195 au_uwrite(au_to_arg64( 3196 3, "setqctrl:aq_lowater", 3197 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3198 au_uwrite(au_to_arg64( 3199 3, "setqctrl:aq_bufsz", 3200 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3201 au_uwrite(au_to_arg64( 3202 3, "setqctrl:aq_delay", 3203 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3204 } 3205 break; 3206 } 3207 case AUE_AUDITON_SETUMASK: 3208 STRUCT_INIT(ainfo, get_udatamodel()); 3209 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3210 STRUCT_SIZE(ainfo))) { 3211 return; 3212 } 3213 au_uwrite(au_to_arg32(3, "setumask:as_success", 3214 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3215 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3216 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3217 break; 3218 case AUE_AUDITON_SETSMASK: 3219 STRUCT_INIT(ainfo, get_udatamodel()); 3220 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3221 STRUCT_SIZE(ainfo))) { 3222 return; 3223 } 3224 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3225 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3226 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3227 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3228 break; 3229 case AUE_AUDITON_SETCOND: 3230 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3231 return; 3232 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3233 break; 3234 case AUE_AUDITON_SETCLASS: 3235 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3236 return; 3237 au_uwrite(au_to_arg32( 3238 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3239 au_uwrite(au_to_arg32( 3240 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3241 break; 3242 case AUE_GETAUID: 3243 case AUE_GETAUDIT: 3244 case AUE_GETAUDIT_ADDR: 3245 case AUE_AUDIT: 3246 case AUE_AUDITON_GPOLICY: 3247 case AUE_AUDITON_GQCTRL: 3248 case AUE_AUDITON_GETAMASK: 3249 case AUE_AUDITON_GETKMASK: 3250 case AUE_AUDITON_GETCWD: 3251 case AUE_AUDITON_GETCAR: 3252 case AUE_AUDITON_GETSTAT: 3253 case AUE_AUDITON_SETSTAT: 3254 case AUE_AUDITON_GETCOND: 3255 case AUE_AUDITON_GETCLASS: 3256 break; 3257 default: 3258 break; 3259 } 3260 3261 } /* AUS_AUDITSYS */ 3262 3263 3264 /* only audit privileged operations for systeminfo(2) system call */ 3265 static au_event_t 3266 aui_sysinfo(au_event_t e) 3267 { 3268 klwp_t *clwp = ttolwp(curthread); 3269 uint32_t command; 3270 3271 struct a { 3272 long command; 3273 long buf; /* char * */ 3274 long count; 3275 } *uap = (struct a *)clwp->lwp_ap; 3276 3277 command = (uint32_t)uap->command; 3278 3279 switch (command) { 3280 case SI_SET_HOSTNAME: 3281 case SI_SET_SRPC_DOMAIN: 3282 e = (au_event_t)AUE_SYSINFO; 3283 break; 3284 default: 3285 e = (au_event_t)AUE_NULL; 3286 break; 3287 } 3288 return (e); 3289 } 3290 3291 /*ARGSUSED*/ 3292 static void 3293 aus_sysinfo(struct t_audit_data *tad) 3294 { 3295 klwp_t *clwp = ttolwp(curthread); 3296 uint32_t command; 3297 size_t len, maxlen; 3298 char *name; 3299 uintptr_t buf; 3300 3301 struct a { 3302 long command; 3303 long buf; /* char * */ 3304 long count; 3305 } *uap = (struct a *)clwp->lwp_ap; 3306 3307 command = (uint32_t)uap->command; 3308 buf = (uintptr_t)uap->buf; 3309 3310 au_uwrite(au_to_arg32(1, "cmd", command)); 3311 3312 switch (command) { 3313 case SI_SET_HOSTNAME: 3314 { 3315 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3316 return; 3317 3318 maxlen = SYS_NMLN; 3319 name = kmem_alloc(maxlen, KM_SLEEP); 3320 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3321 break; 3322 3323 /* 3324 * Must be non-NULL string and string 3325 * must be less than SYS_NMLN chars. 3326 */ 3327 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3328 break; 3329 3330 au_uwrite(au_to_text(name)); 3331 break; 3332 } 3333 3334 case SI_SET_SRPC_DOMAIN: 3335 { 3336 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3337 return; 3338 3339 maxlen = SYS_NMLN; 3340 name = kmem_alloc(maxlen, KM_SLEEP); 3341 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3342 break; 3343 3344 /* 3345 * If string passed in is longer than length 3346 * allowed for domain name, fail. 3347 */ 3348 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3349 break; 3350 3351 au_uwrite(au_to_text(name)); 3352 break; 3353 } 3354 3355 default: 3356 return; 3357 } 3358 3359 kmem_free(name, maxlen); 3360 } 3361 3362 static au_event_t 3363 aui_modctl(au_event_t e) 3364 { 3365 klwp_t *clwp = ttolwp(curthread); 3366 uint_t cmd; 3367 3368 struct a { 3369 long cmd; 3370 } *uap = (struct a *)clwp->lwp_ap; 3371 3372 cmd = (uint_t)uap->cmd; 3373 3374 switch (cmd) { 3375 case MODLOAD: 3376 e = AUE_MODLOAD; 3377 break; 3378 case MODUNLOAD: 3379 e = AUE_MODUNLOAD; 3380 break; 3381 case MODADDMAJBIND: 3382 e = AUE_MODADDMAJ; 3383 break; 3384 case MODSETDEVPOLICY: 3385 e = AUE_MODDEVPLCY; 3386 break; 3387 case MODALLOCPRIV: 3388 e = AUE_MODADDPRIV; 3389 break; 3390 default: 3391 e = AUE_NULL; 3392 break; 3393 } 3394 return (e); 3395 } 3396 3397 3398 /*ARGSUSED*/ 3399 static void 3400 aus_modctl(struct t_audit_data *tad) 3401 { 3402 klwp_t *clwp = ttolwp(curthread); 3403 void *a = clwp->lwp_ap; 3404 uint_t use_path; 3405 3406 switch (tad->tad_event) { 3407 case AUE_MODLOAD: { 3408 typedef struct { 3409 long cmd; 3410 long use_path; 3411 long filename; /* char * */ 3412 } modloada_t; 3413 3414 char *filenamep; 3415 uintptr_t fname; 3416 extern char *default_path; 3417 3418 fname = (uintptr_t)((modloada_t *)a)->filename; 3419 use_path = (uint_t)((modloada_t *)a)->use_path; 3420 3421 /* space to hold path */ 3422 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3423 /* get string */ 3424 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3425 /* free allocated path */ 3426 kmem_free(filenamep, MOD_MAXPATH); 3427 return; 3428 } 3429 /* ensure it's null terminated */ 3430 filenamep[MOD_MAXPATH - 1] = 0; 3431 3432 if (use_path) 3433 au_uwrite(au_to_text(default_path)); 3434 au_uwrite(au_to_text(filenamep)); 3435 3436 /* release temporary memory */ 3437 kmem_free(filenamep, MOD_MAXPATH); 3438 break; 3439 } 3440 case AUE_MODUNLOAD: { 3441 typedef struct { 3442 long cmd; 3443 long id; 3444 } modunloada_t; 3445 3446 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3447 3448 au_uwrite(au_to_arg32(1, "id", id)); 3449 break; 3450 } 3451 case AUE_MODADDMAJ: { 3452 STRUCT_DECL(modconfig, mc); 3453 typedef struct { 3454 long cmd; 3455 long subcmd; 3456 long data; /* int * */ 3457 } modconfiga_t; 3458 3459 STRUCT_DECL(aliases, alias); 3460 caddr_t ap; 3461 int i, num_aliases; 3462 char *drvname, *mc_drvname; 3463 char *name; 3464 extern char *ddi_major_to_name(major_t); 3465 model_t model; 3466 3467 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3468 3469 model = get_udatamodel(); 3470 STRUCT_INIT(mc, model); 3471 /* sanitize buffer */ 3472 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3473 /* get user arguments */ 3474 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3475 STRUCT_SIZE(mc)) != 0) 3476 return; 3477 3478 mc_drvname = STRUCT_FGET(mc, drvname); 3479 if ((drvname = ddi_major_to_name( 3480 (major_t)STRUCT_FGET(mc, major))) != NULL && 3481 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3482 /* safety */ 3483 if (mc_drvname[0] != '\0') { 3484 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3485 au_uwrite(au_to_text(mc_drvname)); 3486 } 3487 /* drvname != NULL from test above */ 3488 au_uwrite(au_to_text(drvname)); 3489 return; 3490 } 3491 3492 if (mc_drvname[0] != '\0') { 3493 /* safety */ 3494 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3495 au_uwrite(au_to_text(mc_drvname)); 3496 } else 3497 au_uwrite(au_to_text("no drvname")); 3498 3499 num_aliases = STRUCT_FGET(mc, num_aliases); 3500 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3501 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3502 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3503 STRUCT_INIT(alias, model); 3504 for (i = 0; i < num_aliases; i++) { 3505 bzero((caddr_t)STRUCT_BUF(alias), 3506 STRUCT_SIZE(alias)); 3507 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3508 STRUCT_SIZE(alias)) != 0) 3509 break; 3510 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3511 MAXMODCONFNAME, NULL) != 0) { 3512 break; 3513 } 3514 3515 au_uwrite(au_to_text(name)); 3516 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3517 } 3518 kmem_free(name, MAXMODCONFNAME); 3519 break; 3520 } 3521 default: 3522 break; 3523 } 3524 } 3525 3526 3527 /*ARGSUSED*/ 3528 static void 3529 auf_accept( 3530 struct t_audit_data *tad, 3531 int error, 3532 rval_t *rval) 3533 { 3534 uint32_t scid; 3535 uint32_t sy_flags; 3536 int fd; 3537 struct sonode *so; 3538 char so_laddr[sizeof (struct sockaddr_in6)]; 3539 char so_faddr[sizeof (struct sockaddr_in6)]; 3540 int err; 3541 short so_family, so_type; 3542 int add_sock_token = 0; 3543 3544 /* need to determine type of executing binary */ 3545 scid = tad->tad_scid; 3546 #ifdef _SYSCALL32_IMPL 3547 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3548 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3549 else 3550 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3551 #else 3552 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3553 #endif 3554 switch (sy_flags) { 3555 case SE_32RVAL1: 3556 /* FALLTHRU */ 3557 case SE_32RVAL2|SE_32RVAL1: 3558 fd = rval->r_val1; 3559 break; 3560 case SE_64RVAL: 3561 fd = (int)rval->r_vals; 3562 break; 3563 default: 3564 /* 3565 * should never happen, seems to be an internal error 3566 * in sysent => no fd, nothing to audit here, returning 3567 */ 3568 return; 3569 } 3570 3571 if (error) { 3572 /* can't trust socket contents. Just return */ 3573 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3574 return; 3575 } 3576 3577 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3578 /* 3579 * not security relevant if doing a accept from non socket 3580 * so no extra tokens. Should probably turn off audit record 3581 * generation here. 3582 */ 3583 return; 3584 } 3585 3586 so_family = so->so_family; 3587 so_type = so->so_type; 3588 3589 switch (so_family) { 3590 case AF_INET: 3591 case AF_INET6: 3592 /* 3593 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3594 */ 3595 if (so->so_type == SOCK_STREAM) { 3596 socklen_t len; 3597 3598 bzero((void *)so_laddr, sizeof (so_laddr)); 3599 bzero((void *)so_faddr, sizeof (so_faddr)); 3600 3601 len = sizeof (so_laddr); 3602 (void) socket_getsockname(so, 3603 (struct sockaddr *)so_laddr, &len, CRED()); 3604 len = sizeof (so_faddr); 3605 (void) socket_getpeername(so, 3606 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3607 3608 add_sock_token = 1; 3609 } 3610 break; 3611 3612 default: 3613 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3614 break; 3615 } 3616 3617 releasef(fd); 3618 3619 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3620 3621 if (add_sock_token == 0) { 3622 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3623 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3624 return; 3625 } 3626 3627 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3628 3629 } 3630 3631 /*ARGSUSED*/ 3632 static void 3633 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3634 { 3635 struct a { 3636 long fd; 3637 long addr; 3638 long len; 3639 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3640 3641 struct sonode *so; 3642 char so_laddr[sizeof (struct sockaddr_in6)]; 3643 char so_faddr[sizeof (struct sockaddr_in6)]; 3644 int err, fd; 3645 socklen_t len; 3646 short so_family, so_type; 3647 int add_sock_token = 0; 3648 3649 fd = (int)uap->fd; 3650 3651 /* 3652 * bind failed, then nothing extra to add to audit record. 3653 */ 3654 if (error) { 3655 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3656 /* XXX may want to add failed address some day */ 3657 return; 3658 } 3659 3660 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3661 /* 3662 * not security relevant if doing a bind from non socket 3663 * so no extra tokens. Should probably turn off audit record 3664 * generation here. 3665 */ 3666 return; 3667 } 3668 3669 so_family = so->so_family; 3670 so_type = so->so_type; 3671 3672 switch (so_family) { 3673 case AF_INET: 3674 case AF_INET6: 3675 3676 bzero(so_faddr, sizeof (so_faddr)); 3677 len = sizeof (so_faddr); 3678 3679 (void) socket_getpeername(so, 3680 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3681 add_sock_token = 1; 3682 3683 break; 3684 3685 case AF_UNIX: 3686 /* token added by lookup */ 3687 break; 3688 default: 3689 /* AF_ROUTE, AF_KEY do not support accept */ 3690 break; 3691 } 3692 3693 releasef(fd); 3694 3695 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3696 3697 if (add_sock_token == 0) { 3698 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3699 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3700 return; 3701 } 3702 3703 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3704 3705 } 3706 3707 /*ARGSUSED*/ 3708 static void 3709 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3710 { 3711 struct a { 3712 long fd; 3713 long addr; 3714 long len; 3715 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3716 3717 struct sonode *so; 3718 char so_laddr[sizeof (struct sockaddr_in6)]; 3719 char so_faddr[sizeof (struct sockaddr_in6)]; 3720 int err, fd; 3721 socklen_t len; 3722 short so_family, so_type; 3723 int add_sock_token = 0; 3724 3725 fd = (int)uap->fd; 3726 3727 3728 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3729 /* 3730 * not security relevant if doing a connect from non socket 3731 * so no extra tokens. Should probably turn off audit record 3732 * generation here. 3733 */ 3734 return; 3735 } 3736 3737 so_family = so->so_family; 3738 so_type = so->so_type; 3739 3740 switch (so_family) { 3741 case AF_INET: 3742 case AF_INET6: 3743 3744 bzero(so_laddr, sizeof (so_laddr)); 3745 bzero(so_faddr, sizeof (so_faddr)); 3746 3747 len = sizeof (so_laddr); 3748 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3749 &len, CRED()); 3750 if (error) { 3751 if (uap->addr == NULL) 3752 break; 3753 if (uap->len <= 0) 3754 break; 3755 len = min(uap->len, sizeof (so_faddr)); 3756 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3757 break; 3758 #ifdef NOTYET 3759 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3760 #endif 3761 } else { 3762 /* sanity check on length */ 3763 len = sizeof (so_faddr); 3764 (void) socket_getpeername(so, 3765 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3766 } 3767 3768 add_sock_token = 1; 3769 3770 break; 3771 3772 case AF_UNIX: 3773 /* does a lookup on name */ 3774 break; 3775 3776 default: 3777 /* AF_ROUTE, AF_KEY do not support accept */ 3778 break; 3779 } 3780 3781 releasef(fd); 3782 3783 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3784 3785 if (add_sock_token == 0) { 3786 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3787 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3788 return; 3789 } 3790 3791 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3792 3793 } 3794 3795 /*ARGSUSED*/ 3796 static void 3797 aus_shutdown(struct t_audit_data *tad) 3798 { 3799 struct a { 3800 long fd; 3801 long how; 3802 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3803 3804 struct sonode *so; 3805 char so_laddr[sizeof (struct sockaddr_in6)]; 3806 char so_faddr[sizeof (struct sockaddr_in6)]; 3807 int err, fd; 3808 socklen_t len; 3809 short so_family, so_type; 3810 int add_sock_token = 0; 3811 file_t *fp; /* unix domain sockets */ 3812 struct f_audit_data *fad; /* unix domain sockets */ 3813 3814 fd = (int)uap->fd; 3815 3816 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3817 /* 3818 * not security relevant if doing a shutdown using non socket 3819 * so no extra tokens. Should probably turn off audit record 3820 * generation here. 3821 */ 3822 return; 3823 } 3824 3825 so_family = so->so_family; 3826 so_type = so->so_type; 3827 3828 switch (so_family) { 3829 case AF_INET: 3830 case AF_INET6: 3831 3832 bzero(so_laddr, sizeof (so_laddr)); 3833 bzero(so_faddr, sizeof (so_faddr)); 3834 3835 len = sizeof (so_laddr); 3836 (void) socket_getsockname(so, 3837 (struct sockaddr *)so_laddr, &len, CRED()); 3838 len = sizeof (so_faddr); 3839 (void) socket_getpeername(so, 3840 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3841 3842 add_sock_token = 1; 3843 3844 break; 3845 3846 case AF_UNIX: 3847 3848 /* get path from file struct here */ 3849 fad = F2A(fp); 3850 ASSERT(fad); 3851 3852 if (fad->fad_aupath != NULL) { 3853 au_uwrite(au_to_path(fad->fad_aupath)); 3854 } else { 3855 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3856 } 3857 3858 audit_attributes(fp->f_vnode); 3859 3860 break; 3861 3862 default: 3863 /* 3864 * AF_KEY and AF_ROUTE support shutdown. No socket token 3865 * added. 3866 */ 3867 break; 3868 } 3869 3870 releasef(fd); 3871 3872 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3873 3874 if (add_sock_token == 0) { 3875 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3876 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3877 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3878 return; 3879 } 3880 3881 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3882 3883 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3884 3885 } 3886 3887 /*ARGSUSED*/ 3888 static void 3889 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3890 { 3891 struct a { 3892 long fd; 3893 long level; 3894 long optname; 3895 long *optval; 3896 long optlen; 3897 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3898 3899 struct sonode *so; 3900 char so_laddr[sizeof (struct sockaddr_in6)]; 3901 char so_faddr[sizeof (struct sockaddr_in6)]; 3902 char val[AU_BUFSIZE]; 3903 int err, fd; 3904 socklen_t len; 3905 short so_family, so_type; 3906 int add_sock_token = 0; 3907 file_t *fp; /* unix domain sockets */ 3908 struct f_audit_data *fad; /* unix domain sockets */ 3909 3910 fd = (int)uap->fd; 3911 3912 if (error) { 3913 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3914 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3915 /* XXX may want to include other arguments */ 3916 return; 3917 } 3918 3919 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3920 /* 3921 * not security relevant if doing a setsockopt from non socket 3922 * so no extra tokens. Should probably turn off audit record 3923 * generation here. 3924 */ 3925 return; 3926 } 3927 3928 so_family = so->so_family; 3929 so_type = so->so_type; 3930 3931 switch (so_family) { 3932 case AF_INET: 3933 case AF_INET6: 3934 bzero((void *)so_laddr, sizeof (so_laddr)); 3935 bzero((void *)so_faddr, sizeof (so_faddr)); 3936 3937 /* get local and foreign addresses */ 3938 len = sizeof (so_laddr); 3939 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3940 &len, CRED()); 3941 len = sizeof (so_faddr); 3942 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3943 &len, B_FALSE, CRED()); 3944 3945 add_sock_token = 1; 3946 3947 break; 3948 3949 case AF_UNIX: 3950 3951 /* get path from file struct here */ 3952 fad = F2A(fp); 3953 ASSERT(fad); 3954 3955 if (fad->fad_aupath != NULL) { 3956 au_uwrite(au_to_path(fad->fad_aupath)); 3957 } else { 3958 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3959 } 3960 3961 audit_attributes(fp->f_vnode); 3962 3963 break; 3964 3965 default: 3966 /* 3967 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3968 * added. 3969 */ 3970 break; 3971 } 3972 3973 releasef(fd); 3974 3975 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3976 3977 if (add_sock_token == 0) { 3978 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3979 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3980 } 3981 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3982 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3983 3984 bzero(val, sizeof (val)); 3985 len = min(uap->optlen, sizeof (val)); 3986 if ((len > 0) && 3987 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3988 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3989 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3990 } 3991 3992 if (add_sock_token == 0) 3993 return; 3994 3995 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3996 3997 } 3998 3999 /*ARGSUSED*/ 4000 static void 4001 aus_sockconfig(tad) 4002 struct t_audit_data *tad; 4003 { 4004 struct a { 4005 long cmd; 4006 long arg1; 4007 long arg2; 4008 long arg3; 4009 long arg4; 4010 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4011 4012 char *buf; 4013 int buflen; 4014 size_t size; 4015 4016 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4017 switch (uap->cmd) { 4018 case SOCKCONFIG_ADD_SOCK: 4019 case SOCKCONFIG_REMOVE_SOCK: 4020 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1)); 4021 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2)); 4022 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3)); 4023 4024 if (uap->arg4 == 0) { 4025 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0)); 4026 } else { 4027 buflen = MAXPATHLEN + 1; 4028 buf = kmem_alloc(buflen, KM_SLEEP); 4029 if (copyinstr((caddr_t)uap->arg4, buf, buflen, 4030 &size)) { 4031 kmem_free(buf, buflen); 4032 return; 4033 } 4034 4035 if (size > MAXPATHLEN) { 4036 kmem_free(buf, buflen); 4037 return; 4038 } 4039 4040 au_uwrite(au_to_text(buf)); 4041 kmem_free(buf, buflen); 4042 } 4043 break; 4044 case SOCKCONFIG_ADD_FILTER: 4045 case SOCKCONFIG_REMOVE_FILTER: 4046 buflen = FILNAME_MAX; 4047 buf = kmem_alloc(buflen, KM_SLEEP); 4048 4049 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) { 4050 kmem_free(buf, buflen); 4051 return; 4052 } 4053 4054 au_uwrite(au_to_text(buf)); 4055 kmem_free(buf, buflen); 4056 break; 4057 default: 4058 break; 4059 } 4060 } 4061 4062 /* 4063 * only audit recvmsg when the system call represents the creation of a new 4064 * circuit. This effectively occurs for all UDP packets and may occur for 4065 * special TCP situations where the local host has not set a local address 4066 * in the socket structure. 4067 */ 4068 /*ARGSUSED*/ 4069 static void 4070 auf_recvmsg( 4071 struct t_audit_data *tad, 4072 int error, 4073 rval_t *rvp) 4074 { 4075 struct a { 4076 long fd; 4077 long msg; /* struct msghdr */ 4078 long flags; 4079 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4080 4081 struct sonode *so; 4082 STRUCT_DECL(msghdr, msg); 4083 caddr_t msg_name; 4084 socklen_t msg_namelen; 4085 int fd; 4086 int err; 4087 char so_laddr[sizeof (struct sockaddr_in6)]; 4088 char so_faddr[sizeof (struct sockaddr_in6)]; 4089 socklen_t len; 4090 file_t *fp; /* unix domain sockets */ 4091 struct f_audit_data *fad; /* unix domain sockets */ 4092 short so_family, so_type; 4093 int add_sock_token = 0; 4094 au_kcontext_t *kctx = GET_KCTX_PZ; 4095 4096 fd = (int)uap->fd; 4097 4098 /* bail if an error */ 4099 if (error) { 4100 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4101 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4102 return; 4103 } 4104 4105 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4106 /* 4107 * not security relevant if doing a recvmsg from non socket 4108 * so no extra tokens. Should probably turn off audit record 4109 * generation here. 4110 */ 4111 return; 4112 } 4113 4114 so_family = so->so_family; 4115 so_type = so->so_type; 4116 4117 /* 4118 * only putout SOCKET_EX token if INET/INET6 family. 4119 * XXX - what do we do about other families? 4120 */ 4121 4122 switch (so_family) { 4123 case AF_INET: 4124 case AF_INET6: 4125 4126 /* 4127 * if datagram type socket, then just use what is in 4128 * socket structure for local address. 4129 * XXX - what do we do for other types? 4130 */ 4131 if ((so->so_type == SOCK_DGRAM) || 4132 (so->so_type == SOCK_RAW)) { 4133 add_sock_token = 1; 4134 4135 bzero((void *)so_laddr, sizeof (so_laddr)); 4136 bzero((void *)so_faddr, sizeof (so_faddr)); 4137 4138 /* get local address */ 4139 len = sizeof (so_laddr); 4140 (void) socket_getsockname(so, 4141 (struct sockaddr *)so_laddr, &len, CRED()); 4142 4143 /* get peer address */ 4144 STRUCT_INIT(msg, get_udatamodel()); 4145 4146 if (copyin((caddr_t)(uap->msg), 4147 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4148 break; 4149 } 4150 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4151 if (msg_name == NULL) { 4152 break; 4153 } 4154 4155 /* length is value from recvmsg - sanity check */ 4156 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4157 if (msg_namelen == 0) { 4158 break; 4159 } 4160 if (copyin(msg_name, so_faddr, 4161 sizeof (so_faddr)) != 0) { 4162 break; 4163 } 4164 4165 } else if (so->so_type == SOCK_STREAM) { 4166 4167 /* get path from file struct here */ 4168 fad = F2A(fp); 4169 ASSERT(fad); 4170 4171 /* 4172 * already processed this file for read attempt 4173 */ 4174 if (fad->fad_flags & FAD_READ) { 4175 /* don't want to audit every recvmsg attempt */ 4176 tad->tad_flag = 0; 4177 /* free any residual audit data */ 4178 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4179 releasef(fd); 4180 return; 4181 } 4182 /* 4183 * mark things so we know what happened and don't 4184 * repeat things 4185 */ 4186 fad->fad_flags |= FAD_READ; 4187 4188 bzero((void *)so_laddr, sizeof (so_laddr)); 4189 bzero((void *)so_faddr, sizeof (so_faddr)); 4190 4191 /* get local and foreign addresses */ 4192 len = sizeof (so_laddr); 4193 (void) socket_getsockname(so, 4194 (struct sockaddr *)so_laddr, &len, CRED()); 4195 len = sizeof (so_faddr); 4196 (void) socket_getpeername(so, 4197 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4198 4199 add_sock_token = 1; 4200 } 4201 4202 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4203 4204 break; 4205 4206 case AF_UNIX: 4207 /* 4208 * first check if this is first time through. Too much 4209 * duplicate code to put this in an aui_ routine. 4210 */ 4211 4212 /* get path from file struct here */ 4213 fad = F2A(fp); 4214 ASSERT(fad); 4215 4216 /* 4217 * already processed this file for read attempt 4218 */ 4219 if (fad->fad_flags & FAD_READ) { 4220 releasef(fd); 4221 /* don't want to audit every recvmsg attempt */ 4222 tad->tad_flag = 0; 4223 /* free any residual audit data */ 4224 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4225 return; 4226 } 4227 /* 4228 * mark things so we know what happened and don't 4229 * repeat things 4230 */ 4231 fad->fad_flags |= FAD_READ; 4232 4233 if (fad->fad_aupath != NULL) { 4234 au_uwrite(au_to_path(fad->fad_aupath)); 4235 } else { 4236 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4237 } 4238 4239 audit_attributes(fp->f_vnode); 4240 4241 releasef(fd); 4242 4243 return; 4244 4245 default: 4246 break; 4247 4248 } 4249 4250 releasef(fd); 4251 4252 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4253 4254 if (add_sock_token == 0) { 4255 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4256 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4257 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4258 return; 4259 } 4260 4261 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4262 4263 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4264 4265 } 4266 4267 /*ARGSUSED*/ 4268 static void 4269 auf_recvfrom( 4270 struct t_audit_data *tad, 4271 int error, 4272 rval_t *rvp) 4273 { 4274 4275 struct a { 4276 long fd; 4277 long msg; /* char */ 4278 long len; 4279 long flags; 4280 long from; /* struct sockaddr */ 4281 long fromlen; 4282 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4283 4284 socklen_t fromlen; 4285 struct sonode *so; 4286 char so_laddr[sizeof (struct sockaddr_in6)]; 4287 char so_faddr[sizeof (struct sockaddr_in6)]; 4288 int fd; 4289 short so_family, so_type; 4290 int add_sock_token = 0; 4291 socklen_t len; 4292 int err; 4293 struct file *fp; 4294 struct f_audit_data *fad; /* unix domain sockets */ 4295 au_kcontext_t *kctx = GET_KCTX_PZ; 4296 4297 fd = (int)uap->fd; 4298 4299 /* bail if an error */ 4300 if (error) { 4301 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4302 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4303 return; 4304 } 4305 4306 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4307 /* 4308 * not security relevant if doing a recvmsg from non socket 4309 * so no extra tokens. Should probably turn off audit record 4310 * generation here. 4311 */ 4312 return; 4313 } 4314 4315 so_family = so->so_family; 4316 so_type = so->so_type; 4317 4318 /* 4319 * only putout SOCKET_EX token if INET/INET6 family. 4320 * XXX - what do we do about other families? 4321 */ 4322 4323 switch (so_family) { 4324 case AF_INET: 4325 case AF_INET6: 4326 4327 /* 4328 * if datagram type socket, then just use what is in 4329 * socket structure for local address. 4330 * XXX - what do we do for other types? 4331 */ 4332 if ((so->so_type == SOCK_DGRAM) || 4333 (so->so_type == SOCK_RAW)) { 4334 add_sock_token = 1; 4335 4336 /* get local address */ 4337 len = sizeof (so_laddr); 4338 (void) socket_getsockname(so, 4339 (struct sockaddr *)so_laddr, &len, CRED()); 4340 4341 /* get peer address */ 4342 bzero((void *)so_faddr, sizeof (so_faddr)); 4343 4344 /* sanity check */ 4345 if (uap->from == NULL) 4346 break; 4347 4348 /* sanity checks */ 4349 if (uap->fromlen == 0) 4350 break; 4351 4352 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4353 sizeof (fromlen)) != 0) 4354 break; 4355 4356 if (fromlen == 0) 4357 break; 4358 4359 /* enforce maximum size */ 4360 if (fromlen > sizeof (so_faddr)) 4361 fromlen = sizeof (so_faddr); 4362 4363 if (copyin((caddr_t)(uap->from), so_faddr, 4364 fromlen) != 0) 4365 break; 4366 4367 } else if (so->so_type == SOCK_STREAM) { 4368 4369 /* get path from file struct here */ 4370 fad = F2A(fp); 4371 ASSERT(fad); 4372 4373 /* 4374 * already processed this file for read attempt 4375 */ 4376 if (fad->fad_flags & FAD_READ) { 4377 /* don't want to audit every recvfrom attempt */ 4378 tad->tad_flag = 0; 4379 /* free any residual audit data */ 4380 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4381 releasef(fd); 4382 return; 4383 } 4384 /* 4385 * mark things so we know what happened and don't 4386 * repeat things 4387 */ 4388 fad->fad_flags |= FAD_READ; 4389 4390 bzero((void *)so_laddr, sizeof (so_laddr)); 4391 bzero((void *)so_faddr, sizeof (so_faddr)); 4392 4393 /* get local and foreign addresses */ 4394 len = sizeof (so_laddr); 4395 (void) socket_getsockname(so, 4396 (struct sockaddr *)so_laddr, &len, CRED()); 4397 len = sizeof (so_faddr); 4398 (void) socket_getpeername(so, 4399 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4400 4401 add_sock_token = 1; 4402 } 4403 4404 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4405 4406 break; 4407 4408 case AF_UNIX: 4409 /* 4410 * first check if this is first time through. Too much 4411 * duplicate code to put this in an aui_ routine. 4412 */ 4413 4414 /* get path from file struct here */ 4415 fad = F2A(fp); 4416 ASSERT(fad); 4417 4418 /* 4419 * already processed this file for read attempt 4420 */ 4421 if (fad->fad_flags & FAD_READ) { 4422 /* don't want to audit every recvfrom attempt */ 4423 tad->tad_flag = 0; 4424 /* free any residual audit data */ 4425 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4426 releasef(fd); 4427 return; 4428 } 4429 /* 4430 * mark things so we know what happened and don't 4431 * repeat things 4432 */ 4433 fad->fad_flags |= FAD_READ; 4434 4435 if (fad->fad_aupath != NULL) { 4436 au_uwrite(au_to_path(fad->fad_aupath)); 4437 } else { 4438 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4439 } 4440 4441 audit_attributes(fp->f_vnode); 4442 4443 releasef(fd); 4444 4445 return; 4446 4447 default: 4448 break; 4449 4450 } 4451 4452 releasef(fd); 4453 4454 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4455 4456 if (add_sock_token == 0) { 4457 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4458 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4459 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4460 return; 4461 } 4462 4463 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4464 4465 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4466 } 4467 4468 /*ARGSUSED*/ 4469 static void 4470 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4471 { 4472 struct a { 4473 long fd; 4474 long msg; /* struct msghdr */ 4475 long flags; 4476 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4477 4478 struct sonode *so; 4479 char so_laddr[sizeof (struct sockaddr_in6)]; 4480 char so_faddr[sizeof (struct sockaddr_in6)]; 4481 int err; 4482 int fd; 4483 short so_family, so_type; 4484 int add_sock_token = 0; 4485 socklen_t len; 4486 struct file *fp; 4487 struct f_audit_data *fad; 4488 caddr_t msg_name; 4489 socklen_t msg_namelen; 4490 STRUCT_DECL(msghdr, msg); 4491 au_kcontext_t *kctx = GET_KCTX_PZ; 4492 4493 fd = (int)uap->fd; 4494 4495 /* bail if an error */ 4496 if (error) { 4497 /* XXX include destination address from system call arguments */ 4498 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4499 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4500 return; 4501 } 4502 4503 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4504 /* 4505 * not security relevant if doing a sendmsg from non socket 4506 * so no extra tokens. Should probably turn off audit record 4507 * generation here. 4508 */ 4509 return; 4510 } 4511 4512 so_family = so->so_family; 4513 so_type = so->so_type; 4514 4515 switch (so_family) { 4516 case AF_INET: 4517 case AF_INET6: 4518 /* 4519 * if datagram type socket, then just use what is in 4520 * socket structure for local address. 4521 * XXX - what do we do for other types? 4522 */ 4523 if ((so->so_type == SOCK_DGRAM) || 4524 (so->so_type == SOCK_RAW)) { 4525 4526 bzero((void *)so_laddr, sizeof (so_laddr)); 4527 bzero((void *)so_faddr, sizeof (so_faddr)); 4528 4529 /* get local address */ 4530 len = sizeof (so_laddr); 4531 (void) socket_getsockname(so, 4532 (struct sockaddr *)so_laddr, &len, CRED()); 4533 4534 /* get peer address */ 4535 STRUCT_INIT(msg, get_udatamodel()); 4536 4537 if (copyin((caddr_t)(uap->msg), 4538 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4539 break; 4540 } 4541 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4542 if (msg_name == NULL) 4543 break; 4544 4545 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4546 /* length is value from recvmsg - sanity check */ 4547 if (msg_namelen == 0) 4548 break; 4549 4550 if (copyin(msg_name, so_faddr, 4551 sizeof (so_faddr)) != 0) 4552 break; 4553 4554 add_sock_token = 1; 4555 4556 } else if (so->so_type == SOCK_STREAM) { 4557 4558 /* get path from file struct here */ 4559 fad = F2A(fp); 4560 ASSERT(fad); 4561 4562 /* 4563 * already processed this file for write attempt 4564 */ 4565 if (fad->fad_flags & FAD_WRITE) { 4566 releasef(fd); 4567 /* don't want to audit every sendmsg attempt */ 4568 tad->tad_flag = 0; 4569 /* free any residual audit data */ 4570 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4571 return; 4572 } 4573 4574 /* 4575 * mark things so we know what happened and don't 4576 * repeat things 4577 */ 4578 fad->fad_flags |= FAD_WRITE; 4579 4580 bzero((void *)so_laddr, sizeof (so_laddr)); 4581 bzero((void *)so_faddr, sizeof (so_faddr)); 4582 4583 /* get local and foreign addresses */ 4584 len = sizeof (so_laddr); 4585 (void) socket_getsockname(so, 4586 (struct sockaddr *)so_laddr, &len, CRED()); 4587 len = sizeof (so_faddr); 4588 (void) socket_getpeername(so, 4589 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4590 4591 add_sock_token = 1; 4592 } 4593 4594 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4595 4596 break; 4597 4598 case AF_UNIX: 4599 /* 4600 * first check if this is first time through. Too much 4601 * duplicate code to put this in an aui_ routine. 4602 */ 4603 4604 /* get path from file struct here */ 4605 fad = F2A(fp); 4606 ASSERT(fad); 4607 4608 /* 4609 * already processed this file for write attempt 4610 */ 4611 if (fad->fad_flags & FAD_WRITE) { 4612 releasef(fd); 4613 /* don't want to audit every sendmsg attempt */ 4614 tad->tad_flag = 0; 4615 /* free any residual audit data */ 4616 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4617 return; 4618 } 4619 /* 4620 * mark things so we know what happened and don't 4621 * repeat things 4622 */ 4623 fad->fad_flags |= FAD_WRITE; 4624 4625 if (fad->fad_aupath != NULL) { 4626 au_uwrite(au_to_path(fad->fad_aupath)); 4627 } else { 4628 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4629 } 4630 4631 audit_attributes(fp->f_vnode); 4632 4633 releasef(fd); 4634 4635 return; 4636 4637 default: 4638 break; 4639 } 4640 4641 releasef(fd); 4642 4643 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4644 4645 if (add_sock_token == 0) { 4646 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4647 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4648 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4649 return; 4650 } 4651 4652 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4653 4654 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4655 } 4656 4657 /*ARGSUSED*/ 4658 static void 4659 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4660 { 4661 struct a { 4662 long fd; 4663 long msg; /* char */ 4664 long len; 4665 long flags; 4666 long to; /* struct sockaddr */ 4667 long tolen; 4668 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4669 4670 struct sonode *so; 4671 char so_laddr[sizeof (struct sockaddr_in6)]; 4672 char so_faddr[sizeof (struct sockaddr_in6)]; 4673 socklen_t tolen; 4674 int err; 4675 int fd; 4676 socklen_t len; 4677 short so_family, so_type; 4678 int add_sock_token = 0; 4679 struct file *fp; 4680 struct f_audit_data *fad; 4681 au_kcontext_t *kctx = GET_KCTX_PZ; 4682 4683 fd = (int)uap->fd; 4684 4685 /* bail if an error */ 4686 if (error) { 4687 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4688 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4689 /* XXX include destination address from system call arguments */ 4690 return; 4691 } 4692 4693 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4694 /* 4695 * not security relevant if doing a sendto using non socket 4696 * so no extra tokens. Should probably turn off audit record 4697 * generation here. 4698 */ 4699 return; 4700 } 4701 4702 so_family = so->so_family; 4703 so_type = so->so_type; 4704 4705 /* 4706 * only putout SOCKET_EX token if INET/INET6 family. 4707 * XXX - what do we do about other families? 4708 */ 4709 4710 switch (so_family) { 4711 case AF_INET: 4712 case AF_INET6: 4713 4714 /* 4715 * if datagram type socket, then just use what is in 4716 * socket structure for local address. 4717 * XXX - what do we do for other types? 4718 */ 4719 if ((so->so_type == SOCK_DGRAM) || 4720 (so->so_type == SOCK_RAW)) { 4721 4722 bzero((void *)so_laddr, sizeof (so_laddr)); 4723 bzero((void *)so_faddr, sizeof (so_faddr)); 4724 4725 /* get local address */ 4726 len = sizeof (so_laddr); 4727 (void) socket_getsockname(so, 4728 (struct sockaddr *)so_laddr, &len, CRED()); 4729 4730 /* get peer address */ 4731 4732 /* sanity check */ 4733 if (uap->to == NULL) 4734 break; 4735 4736 /* sanity checks */ 4737 if (uap->tolen == 0) 4738 break; 4739 4740 tolen = (socklen_t)uap->tolen; 4741 4742 /* enforce maximum size */ 4743 if (tolen > sizeof (so_faddr)) 4744 tolen = sizeof (so_faddr); 4745 4746 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4747 break; 4748 4749 add_sock_token = 1; 4750 } else { 4751 /* 4752 * check if this is first time through. 4753 */ 4754 4755 /* get path from file struct here */ 4756 fad = F2A(fp); 4757 ASSERT(fad); 4758 4759 /* 4760 * already processed this file for write attempt 4761 */ 4762 if (fad->fad_flags & FAD_WRITE) { 4763 /* don't want to audit every sendto attempt */ 4764 tad->tad_flag = 0; 4765 /* free any residual audit data */ 4766 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4767 releasef(fd); 4768 return; 4769 } 4770 /* 4771 * mark things so we know what happened and don't 4772 * repeat things 4773 */ 4774 fad->fad_flags |= FAD_WRITE; 4775 4776 bzero((void *)so_laddr, sizeof (so_laddr)); 4777 bzero((void *)so_faddr, sizeof (so_faddr)); 4778 4779 /* get local and foreign addresses */ 4780 len = sizeof (so_laddr); 4781 (void) socket_getsockname(so, 4782 (struct sockaddr *)so_laddr, &len, CRED()); 4783 len = sizeof (so_faddr); 4784 (void) socket_getpeername(so, 4785 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4786 4787 add_sock_token = 1; 4788 } 4789 4790 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4791 4792 break; 4793 4794 case AF_UNIX: 4795 /* 4796 * first check if this is first time through. Too much 4797 * duplicate code to put this in an aui_ routine. 4798 */ 4799 4800 /* get path from file struct here */ 4801 fad = F2A(fp); 4802 ASSERT(fad); 4803 4804 /* 4805 * already processed this file for write attempt 4806 */ 4807 if (fad->fad_flags & FAD_WRITE) { 4808 /* don't want to audit every sendto attempt */ 4809 tad->tad_flag = 0; 4810 /* free any residual audit data */ 4811 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4812 releasef(fd); 4813 return; 4814 } 4815 /* 4816 * mark things so we know what happened and don't 4817 * repeat things 4818 */ 4819 fad->fad_flags |= FAD_WRITE; 4820 4821 if (fad->fad_aupath != NULL) { 4822 au_uwrite(au_to_path(fad->fad_aupath)); 4823 } else { 4824 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4825 } 4826 4827 audit_attributes(fp->f_vnode); 4828 4829 releasef(fd); 4830 4831 return; 4832 4833 default: 4834 break; 4835 4836 } 4837 4838 releasef(fd); 4839 4840 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4841 4842 if (add_sock_token == 0) { 4843 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4844 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4845 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4846 return; 4847 } 4848 4849 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4850 4851 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4852 4853 } 4854 4855 /* 4856 * XXX socket(2) may be equivalent to open(2) on a unix domain 4857 * socket. This needs investigation. 4858 */ 4859 4860 /*ARGSUSED*/ 4861 static void 4862 aus_socket(struct t_audit_data *tad) 4863 { 4864 struct a { 4865 long domain; 4866 long type; 4867 long protocol; 4868 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4869 4870 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4871 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4872 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4873 } 4874 4875 /*ARGSUSED*/ 4876 static void 4877 aus_sigqueue(struct t_audit_data *tad) 4878 { 4879 struct a { 4880 long pid; 4881 long signo; 4882 long *val; 4883 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4884 struct proc *p; 4885 uid_t uid, ruid; 4886 gid_t gid, rgid; 4887 pid_t pid; 4888 const auditinfo_addr_t *ainfo; 4889 cred_t *cr; 4890 4891 pid = (pid_t)uap->pid; 4892 4893 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4894 if (pid > 0) { 4895 mutex_enter(&pidlock); 4896 if ((p = prfind(pid)) == (struct proc *)0) { 4897 mutex_exit(&pidlock); 4898 return; 4899 } 4900 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4901 mutex_exit(&pidlock); 4902 4903 mutex_enter(&p->p_crlock); 4904 crhold(cr = p->p_cred); 4905 mutex_exit(&p->p_crlock); 4906 mutex_exit(&p->p_lock); 4907 4908 ainfo = crgetauinfo(cr); 4909 if (ainfo == NULL) { 4910 crfree(cr); 4911 return; 4912 } 4913 4914 uid = crgetuid(cr); 4915 gid = crgetgid(cr); 4916 ruid = crgetruid(cr); 4917 rgid = crgetrgid(cr); 4918 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4919 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4920 crfree(cr); 4921 } 4922 else 4923 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4924 } 4925 4926 /*ARGSUSED*/ 4927 static void 4928 aus_inst_sync(struct t_audit_data *tad) 4929 { 4930 struct a { 4931 long name; /* char */ 4932 long flags; 4933 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4934 4935 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4936 } 4937 4938 /*ARGSUSED*/ 4939 static void 4940 aus_brandsys(struct t_audit_data *tad) 4941 { 4942 klwp_t *clwp = ttolwp(curthread); 4943 4944 struct a { 4945 long cmd; 4946 long arg1; 4947 long arg2; 4948 long arg3; 4949 long arg4; 4950 long arg5; 4951 long arg6; 4952 } *uap = (struct a *)clwp->lwp_ap; 4953 4954 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4955 #ifdef _LP64 4956 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4957 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4958 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4959 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4960 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4961 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4962 #else 4963 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4964 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4965 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4966 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4967 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4968 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4969 #endif 4970 } 4971 4972 /*ARGSUSED*/ 4973 static void 4974 aus_p_online(struct t_audit_data *tad) 4975 { 4976 struct a { 4977 long processor_id; 4978 long flag; 4979 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4980 4981 struct flags { 4982 int flag; 4983 char *cflag; 4984 } aflags[6] = { 4985 { P_ONLINE, "P_ONLINE"}, 4986 { P_OFFLINE, "P_OFFLINE"}, 4987 { P_NOINTR, "P_NOINTR"}, 4988 { P_SPARE, "P_SPARE"}, 4989 { P_FAULTED, "P_FAULTED"}, 4990 { P_STATUS, "P_STATUS"} 4991 }; 4992 int i; 4993 char *cflag; 4994 4995 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4996 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4997 4998 for (i = 0; i < 6; i++) { 4999 if (aflags[i].flag == uap->flag) 5000 break; 5001 } 5002 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 5003 5004 au_uwrite(au_to_text(cflag)); 5005 } 5006 5007 /*ARGSUSED*/ 5008 static void 5009 aus_processor_bind(struct t_audit_data *tad) 5010 { 5011 struct a { 5012 long id_type; 5013 long id; 5014 long processor_id; 5015 long obind; 5016 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5017 5018 struct proc *p; 5019 int lwpcnt; 5020 uid_t uid, ruid; 5021 gid_t gid, rgid; 5022 pid_t pid; 5023 const auditinfo_addr_t *ainfo; 5024 cred_t *cr; 5025 5026 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 5027 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 5028 if (uap->processor_id == PBIND_NONE) 5029 au_uwrite(au_to_text("PBIND_NONE")); 5030 else 5031 au_uwrite(au_to_arg32(3, "processor_id", 5032 (uint32_t)uap->processor_id)); 5033 5034 switch (uap->id_type) { 5035 case P_MYID: 5036 case P_LWPID: 5037 mutex_enter(&pidlock); 5038 p = ttoproc(curthread); 5039 if (p == NULL || p->p_as == &kas) { 5040 mutex_exit(&pidlock); 5041 return; 5042 } 5043 mutex_enter(&p->p_lock); 5044 mutex_exit(&pidlock); 5045 lwpcnt = p->p_lwpcnt; 5046 pid = p->p_pid; 5047 5048 mutex_enter(&p->p_crlock); 5049 crhold(cr = p->p_cred); 5050 mutex_exit(&p->p_crlock); 5051 mutex_exit(&p->p_lock); 5052 5053 ainfo = crgetauinfo(cr); 5054 if (ainfo == NULL) { 5055 crfree(cr); 5056 return; 5057 } 5058 5059 uid = crgetuid(cr); 5060 gid = crgetgid(cr); 5061 ruid = crgetruid(cr); 5062 rgid = crgetrgid(cr); 5063 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5064 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5065 crfree(cr); 5066 break; 5067 case P_PID: 5068 mutex_enter(&pidlock); 5069 p = prfind(uap->id); 5070 if (p == NULL || p->p_as == &kas) { 5071 mutex_exit(&pidlock); 5072 return; 5073 } 5074 mutex_enter(&p->p_lock); 5075 mutex_exit(&pidlock); 5076 lwpcnt = p->p_lwpcnt; 5077 pid = p->p_pid; 5078 5079 mutex_enter(&p->p_crlock); 5080 crhold(cr = p->p_cred); 5081 mutex_exit(&p->p_crlock); 5082 mutex_exit(&p->p_lock); 5083 5084 ainfo = crgetauinfo(cr); 5085 if (ainfo == NULL) { 5086 crfree(cr); 5087 return; 5088 } 5089 5090 uid = crgetuid(cr); 5091 gid = crgetgid(cr); 5092 ruid = crgetruid(cr); 5093 rgid = crgetrgid(cr); 5094 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5095 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5096 crfree(cr); 5097 5098 break; 5099 default: 5100 return; 5101 } 5102 5103 if (uap->processor_id == PBIND_NONE && 5104 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 5105 au_uwrite(au_to_text("PBIND_NONE for process")); 5106 else 5107 au_uwrite(au_to_arg32(3, "processor_id", 5108 (uint32_t)uap->processor_id)); 5109 } 5110 5111 /*ARGSUSED*/ 5112 static au_event_t 5113 aui_doorfs(au_event_t e) 5114 { 5115 uint32_t code; 5116 5117 struct a { /* doorfs */ 5118 long a1; 5119 long a2; 5120 long a3; 5121 long a4; 5122 long a5; 5123 long code; 5124 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5125 5126 /* 5127 * audit formats for several of the 5128 * door calls have not yet been determined 5129 */ 5130 code = (uint32_t)uap->code; 5131 switch (code) { 5132 case DOOR_CALL: 5133 e = AUE_DOORFS_DOOR_CALL; 5134 break; 5135 case DOOR_RETURN: 5136 e = AUE_NULL; 5137 break; 5138 case DOOR_CREATE: 5139 e = AUE_DOORFS_DOOR_CREATE; 5140 break; 5141 case DOOR_REVOKE: 5142 e = AUE_DOORFS_DOOR_REVOKE; 5143 break; 5144 case DOOR_INFO: 5145 e = AUE_NULL; 5146 break; 5147 case DOOR_UCRED: 5148 e = AUE_NULL; 5149 break; 5150 case DOOR_BIND: 5151 e = AUE_NULL; 5152 break; 5153 case DOOR_UNBIND: 5154 e = AUE_NULL; 5155 break; 5156 case DOOR_GETPARAM: 5157 e = AUE_NULL; 5158 break; 5159 case DOOR_SETPARAM: 5160 e = AUE_NULL; 5161 break; 5162 default: /* illegal system call */ 5163 e = AUE_NULL; 5164 break; 5165 } 5166 5167 return (e); 5168 } 5169 5170 static door_node_t * 5171 au_door_lookup(int did) 5172 { 5173 vnode_t *vp; 5174 file_t *fp; 5175 5176 if ((fp = getf(did)) == NULL) 5177 return (NULL); 5178 /* 5179 * Use the underlying vnode (we may be namefs mounted) 5180 */ 5181 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5182 vp = fp->f_vnode; 5183 5184 if (vp == NULL || vp->v_type != VDOOR) { 5185 releasef(did); 5186 return (NULL); 5187 } 5188 5189 return (VTOD(vp)); 5190 } 5191 5192 /*ARGSUSED*/ 5193 static void 5194 aus_doorfs(struct t_audit_data *tad) 5195 { 5196 5197 struct a { /* doorfs */ 5198 long a1; 5199 long a2; 5200 long a3; 5201 long a4; 5202 long a5; 5203 long code; 5204 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5205 5206 door_node_t *dp; 5207 struct proc *p; 5208 uint32_t did; 5209 uid_t uid, ruid; 5210 gid_t gid, rgid; 5211 pid_t pid; 5212 const auditinfo_addr_t *ainfo; 5213 cred_t *cr; 5214 5215 did = (uint32_t)uap->a1; 5216 5217 switch (tad->tad_event) { 5218 case AUE_DOORFS_DOOR_CALL: 5219 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5220 if ((dp = au_door_lookup(did)) == NULL) 5221 break; 5222 5223 if (DOOR_INVALID(dp)) { 5224 releasef(did); 5225 break; 5226 } 5227 5228 if ((p = dp->door_target) == NULL) { 5229 releasef(did); 5230 break; 5231 } 5232 mutex_enter(&p->p_lock); 5233 releasef(did); 5234 5235 pid = p->p_pid; 5236 5237 mutex_enter(&p->p_crlock); 5238 crhold(cr = p->p_cred); 5239 mutex_exit(&p->p_crlock); 5240 mutex_exit(&p->p_lock); 5241 5242 ainfo = crgetauinfo(cr); 5243 if (ainfo == NULL) { 5244 crfree(cr); 5245 return; 5246 } 5247 uid = crgetuid(cr); 5248 gid = crgetgid(cr); 5249 ruid = crgetruid(cr); 5250 rgid = crgetrgid(cr); 5251 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5252 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5253 crfree(cr); 5254 break; 5255 case AUE_DOORFS_DOOR_RETURN: 5256 /* 5257 * We may want to write information about 5258 * all doors (if any) which will be copied 5259 * by this call to the user space 5260 */ 5261 break; 5262 case AUE_DOORFS_DOOR_CREATE: 5263 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5264 break; 5265 case AUE_DOORFS_DOOR_REVOKE: 5266 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5267 break; 5268 case AUE_DOORFS_DOOR_INFO: 5269 break; 5270 case AUE_DOORFS_DOOR_CRED: 5271 break; 5272 case AUE_DOORFS_DOOR_BIND: 5273 break; 5274 case AUE_DOORFS_DOOR_UNBIND: { 5275 break; 5276 } 5277 default: /* illegal system call */ 5278 break; 5279 } 5280 } 5281 5282 /*ARGSUSED*/ 5283 static au_event_t 5284 aui_acl(au_event_t e) 5285 { 5286 struct a { 5287 union { 5288 long name; /* char */ 5289 long fd; 5290 } obj; 5291 5292 long cmd; 5293 long nentries; 5294 long arg; /* aclent_t */ 5295 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5296 5297 switch (uap->cmd) { 5298 case SETACL: 5299 case ACE_SETACL: 5300 /* 5301 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5302 * are expected. 5303 */ 5304 break; 5305 case GETACL: 5306 case GETACLCNT: 5307 case ACE_GETACL: 5308 case ACE_GETACLCNT: 5309 /* do nothing for these four values. */ 5310 e = AUE_NULL; 5311 break; 5312 default: 5313 /* illegal system call */ 5314 break; 5315 } 5316 5317 return (e); 5318 } 5319 5320 static void 5321 au_acl(int cmd, int nentries, caddr_t bufp) 5322 { 5323 size_t a_size; 5324 aclent_t *aclbufp; 5325 ace_t *acebufp; 5326 int i; 5327 5328 switch (cmd) { 5329 case GETACL: 5330 case GETACLCNT: 5331 break; 5332 case SETACL: 5333 if (nentries < 3) 5334 break; 5335 5336 a_size = nentries * sizeof (aclent_t); 5337 5338 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5339 break; 5340 if (copyin(bufp, aclbufp, a_size)) { 5341 kmem_free(aclbufp, a_size); 5342 break; 5343 } 5344 for (i = 0; i < nentries; i++) { 5345 au_uwrite(au_to_acl(aclbufp + i)); 5346 } 5347 kmem_free(aclbufp, a_size); 5348 break; 5349 5350 case ACE_SETACL: 5351 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5352 break; 5353 5354 a_size = nentries * sizeof (ace_t); 5355 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5356 break; 5357 if (copyin(bufp, acebufp, a_size)) { 5358 kmem_free(acebufp, a_size); 5359 break; 5360 } 5361 for (i = 0; i < nentries; i++) { 5362 au_uwrite(au_to_ace(acebufp + i)); 5363 } 5364 kmem_free(acebufp, a_size); 5365 break; 5366 default: 5367 break; 5368 } 5369 } 5370 5371 /*ARGSUSED*/ 5372 static void 5373 aus_acl(struct t_audit_data *tad) 5374 { 5375 struct a { 5376 long fname; 5377 long cmd; 5378 long nentries; 5379 long aclbufp; 5380 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5381 5382 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5383 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5384 5385 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5386 } 5387 5388 /*ARGSUSED*/ 5389 static void 5390 aus_facl(struct t_audit_data *tad) 5391 { 5392 struct a { 5393 long fd; 5394 long cmd; 5395 long nentries; 5396 long aclbufp; 5397 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5398 struct file *fp; 5399 struct vnode *vp; 5400 struct f_audit_data *fad; 5401 int fd; 5402 5403 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5404 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5405 5406 fd = (int)uap->fd; 5407 5408 if ((fp = getf(fd)) == NULL) 5409 return; 5410 5411 /* get path from file struct here */ 5412 fad = F2A(fp); 5413 if (fad->fad_aupath != NULL) { 5414 au_uwrite(au_to_path(fad->fad_aupath)); 5415 } else { 5416 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5417 } 5418 5419 vp = fp->f_vnode; 5420 audit_attributes(vp); 5421 5422 /* decrement file descriptor reference count */ 5423 releasef(fd); 5424 5425 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5426 } 5427 5428 /*ARGSUSED*/ 5429 static void 5430 auf_read(tad, error, rval) 5431 struct t_audit_data *tad; 5432 int error; 5433 rval_t *rval; 5434 { 5435 struct file *fp; 5436 struct f_audit_data *fad; 5437 int fd; 5438 register struct a { 5439 long fd; 5440 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5441 au_kcontext_t *kctx = GET_KCTX_PZ; 5442 5443 fd = (int)uap->fd; 5444 5445 /* 5446 * convert file pointer to file descriptor 5447 * Note: fd ref count incremented here. 5448 */ 5449 if ((fp = getf(fd)) == NULL) 5450 return; 5451 5452 /* get path from file struct here */ 5453 fad = F2A(fp); 5454 ASSERT(fad); 5455 5456 /* 5457 * already processed this file for read attempt 5458 * 5459 * XXX might be better to turn off auditing in a aui_read() routine. 5460 */ 5461 if (fad->fad_flags & FAD_READ) { 5462 /* don't really want to audit every read attempt */ 5463 tad->tad_flag = 0; 5464 /* free any residual audit data */ 5465 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5466 releasef(fd); 5467 return; 5468 } 5469 /* mark things so we know what happened and don't repeat things */ 5470 fad->fad_flags |= FAD_READ; 5471 5472 if (fad->fad_aupath != NULL) { 5473 au_uwrite(au_to_path(fad->fad_aupath)); 5474 } else { 5475 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5476 } 5477 5478 /* include attributes */ 5479 audit_attributes(fp->f_vnode); 5480 5481 /* decrement file descriptor reference count */ 5482 releasef(fd); 5483 } 5484 5485 /*ARGSUSED*/ 5486 static void 5487 auf_write(tad, error, rval) 5488 struct t_audit_data *tad; 5489 int error; 5490 rval_t *rval; 5491 { 5492 struct file *fp; 5493 struct f_audit_data *fad; 5494 int fd; 5495 register struct a { 5496 long fd; 5497 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5498 au_kcontext_t *kctx = GET_KCTX_PZ; 5499 5500 fd = (int)uap->fd; 5501 5502 /* 5503 * convert file pointer to file descriptor 5504 * Note: fd ref count incremented here. 5505 */ 5506 if ((fp = getf(fd)) == NULL) 5507 return; 5508 5509 /* get path from file struct here */ 5510 fad = F2A(fp); 5511 ASSERT(fad); 5512 5513 /* 5514 * already processed this file for write attempt 5515 * 5516 * XXX might be better to turn off auditing in a aus_write() routine. 5517 */ 5518 if (fad->fad_flags & FAD_WRITE) { 5519 /* don't really want to audit every write attempt */ 5520 tad->tad_flag = 0; 5521 /* free any residual audit data */ 5522 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5523 releasef(fd); 5524 return; 5525 } 5526 /* mark things so we know what happened and don't repeat things */ 5527 fad->fad_flags |= FAD_WRITE; 5528 5529 if (fad->fad_aupath != NULL) { 5530 au_uwrite(au_to_path(fad->fad_aupath)); 5531 } else { 5532 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5533 } 5534 5535 /* include attributes */ 5536 audit_attributes(fp->f_vnode); 5537 5538 /* decrement file descriptor reference count */ 5539 releasef(fd); 5540 } 5541 5542 /*ARGSUSED*/ 5543 static void 5544 auf_recv(tad, error, rval) 5545 struct t_audit_data *tad; 5546 int error; 5547 rval_t *rval; 5548 { 5549 struct sonode *so; 5550 char so_laddr[sizeof (struct sockaddr_in6)]; 5551 char so_faddr[sizeof (struct sockaddr_in6)]; 5552 struct file *fp; 5553 struct f_audit_data *fad; 5554 int fd; 5555 int err; 5556 socklen_t len; 5557 short so_family, so_type; 5558 register struct a { 5559 long fd; 5560 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5561 au_kcontext_t *kctx = GET_KCTX_PZ; 5562 5563 /* 5564 * If there was an error, then nothing to do. Only generate 5565 * audit record on first successful recv. 5566 */ 5567 if (error) { 5568 /* Turn off audit record generation here. */ 5569 tad->tad_flag = 0; 5570 /* free any residual audit data */ 5571 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5572 return; 5573 } 5574 5575 fd = (int)uap->fd; 5576 5577 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5578 /* Turn off audit record generation here. */ 5579 tad->tad_flag = 0; 5580 /* free any residual audit data */ 5581 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5582 return; 5583 } 5584 5585 /* get path from file struct here */ 5586 fad = F2A(fp); 5587 ASSERT(fad); 5588 5589 /* 5590 * already processed this file for read attempt 5591 */ 5592 if (fad->fad_flags & FAD_READ) { 5593 releasef(fd); 5594 /* don't really want to audit every recv call */ 5595 tad->tad_flag = 0; 5596 /* free any residual audit data */ 5597 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5598 return; 5599 } 5600 5601 /* mark things so we know what happened and don't repeat things */ 5602 fad->fad_flags |= FAD_READ; 5603 5604 so_family = so->so_family; 5605 so_type = so->so_type; 5606 5607 switch (so_family) { 5608 case AF_INET: 5609 case AF_INET6: 5610 /* 5611 * Only for connections. 5612 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5613 */ 5614 if (so->so_state & SS_ISBOUND) { 5615 5616 bzero((void *)so_laddr, sizeof (so_laddr)); 5617 bzero((void *)so_faddr, sizeof (so_faddr)); 5618 5619 /* get local and foreign addresses */ 5620 len = sizeof (so_laddr); 5621 (void) socket_getsockname(so, 5622 (struct sockaddr *)so_laddr, &len, CRED()); 5623 len = sizeof (so_faddr); 5624 (void) socket_getpeername(so, 5625 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5626 5627 /* 5628 * only way to drop out of switch. Note that we 5629 * we release fd below. 5630 */ 5631 5632 break; 5633 } 5634 5635 releasef(fd); 5636 5637 /* don't really want to audit every recv call */ 5638 tad->tad_flag = 0; 5639 /* free any residual audit data */ 5640 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5641 5642 return; 5643 5644 case AF_UNIX: 5645 5646 if (fad->fad_aupath != NULL) { 5647 au_uwrite(au_to_path(fad->fad_aupath)); 5648 } else { 5649 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5650 } 5651 5652 audit_attributes(fp->f_vnode); 5653 5654 releasef(fd); 5655 5656 return; 5657 5658 default: 5659 releasef(fd); 5660 5661 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5662 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5663 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5664 5665 return; 5666 } 5667 5668 releasef(fd); 5669 5670 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5671 5672 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5673 5674 } 5675 5676 /*ARGSUSED*/ 5677 static void 5678 auf_send(tad, error, rval) 5679 struct t_audit_data *tad; 5680 int error; 5681 rval_t *rval; 5682 { 5683 struct sonode *so; 5684 char so_laddr[sizeof (struct sockaddr_in6)]; 5685 char so_faddr[sizeof (struct sockaddr_in6)]; 5686 struct file *fp; 5687 struct f_audit_data *fad; 5688 int fd; 5689 int err; 5690 socklen_t len; 5691 short so_family, so_type; 5692 register struct a { 5693 long fd; 5694 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5695 au_kcontext_t *kctx = GET_KCTX_PZ; 5696 5697 fd = (int)uap->fd; 5698 5699 /* 5700 * If there was an error, then nothing to do. Only generate 5701 * audit record on first successful send. 5702 */ 5703 if (error != 0) { 5704 /* Turn off audit record generation here. */ 5705 tad->tad_flag = 0; 5706 /* free any residual audit data */ 5707 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5708 return; 5709 } 5710 5711 fd = (int)uap->fd; 5712 5713 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5714 /* Turn off audit record generation here. */ 5715 tad->tad_flag = 0; 5716 /* free any residual audit data */ 5717 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5718 return; 5719 } 5720 5721 /* get path from file struct here */ 5722 fad = F2A(fp); 5723 ASSERT(fad); 5724 5725 /* 5726 * already processed this file for write attempt 5727 */ 5728 if (fad->fad_flags & FAD_WRITE) { 5729 releasef(fd); 5730 /* don't really want to audit every send call */ 5731 tad->tad_flag = 0; 5732 /* free any residual audit data */ 5733 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5734 return; 5735 } 5736 5737 /* mark things so we know what happened and don't repeat things */ 5738 fad->fad_flags |= FAD_WRITE; 5739 5740 so_family = so->so_family; 5741 so_type = so->so_type; 5742 5743 switch (so_family) { 5744 case AF_INET: 5745 case AF_INET6: 5746 /* 5747 * Only for connections. 5748 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5749 */ 5750 if (so->so_state & SS_ISBOUND) { 5751 5752 bzero((void *)so_laddr, sizeof (so_laddr)); 5753 bzero((void *)so_faddr, sizeof (so_faddr)); 5754 5755 /* get local and foreign addresses */ 5756 len = sizeof (so_laddr); 5757 (void) socket_getsockname(so, 5758 (struct sockaddr *)so_laddr, &len, CRED()); 5759 len = sizeof (so_faddr); 5760 (void) socket_getpeername(so, 5761 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5762 5763 /* 5764 * only way to drop out of switch. Note that we 5765 * we release fd below. 5766 */ 5767 5768 break; 5769 } 5770 5771 releasef(fd); 5772 /* don't really want to audit every send call */ 5773 tad->tad_flag = 0; 5774 /* free any residual audit data */ 5775 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5776 5777 return; 5778 5779 case AF_UNIX: 5780 5781 if (fad->fad_aupath != NULL) { 5782 au_uwrite(au_to_path(fad->fad_aupath)); 5783 } else { 5784 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5785 } 5786 5787 audit_attributes(fp->f_vnode); 5788 5789 releasef(fd); 5790 5791 return; 5792 5793 default: 5794 releasef(fd); 5795 5796 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5797 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5798 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5799 5800 return; 5801 } 5802 5803 releasef(fd); 5804 5805 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5806 5807 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5808 } 5809 5810 static au_event_t 5811 aui_forksys(au_event_t e) 5812 { 5813 struct a { 5814 long subcode; 5815 long flags; 5816 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5817 5818 switch ((uint_t)uap->subcode) { 5819 case 0: 5820 e = AUE_FORK1; 5821 break; 5822 case 1: 5823 e = AUE_FORKALL; 5824 break; 5825 case 2: 5826 e = AUE_VFORK; 5827 break; 5828 default: 5829 e = AUE_NULL; 5830 break; 5831 } 5832 5833 return (e); 5834 } 5835 5836 /*ARGSUSED*/ 5837 static au_event_t 5838 aui_portfs(au_event_t e) 5839 { 5840 struct a { /* portfs */ 5841 long a1; 5842 long a2; 5843 long a3; 5844 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5845 5846 /* 5847 * check opcode 5848 */ 5849 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5850 case PORT_ASSOCIATE: 5851 /* check source */ 5852 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5853 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5854 e = AUE_PORTFS_ASSOCIATE; 5855 } else { 5856 e = AUE_NULL; 5857 } 5858 break; 5859 case PORT_DISSOCIATE: 5860 /* check source */ 5861 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5862 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5863 e = AUE_PORTFS_DISSOCIATE; 5864 } else { 5865 e = AUE_NULL; 5866 } 5867 break; 5868 default: 5869 e = AUE_NULL; 5870 } 5871 return (e); 5872 } 5873