/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
 * Copyright (c) 2018, Joyent, Inc.
 */

/*
 * This file contains the audit event table used to control the production
 * of audit records for each system call.
 */

#include <sys/policy.h>
#include <sys/cred.h>
#include <sys/types.h>
#include <sys/systm.h>
#include <sys/systeminfo.h>	/* for sysinfo auditing */
#include <sys/utsname.h>	/* for sysinfo auditing */
#include <sys/proc.h>
#include <sys/vnode.h>
#include <sys/mman.h>		/* for mmap(2) auditing etc. */
#include <sys/fcntl.h>
#include <sys/modctl.h>		/* for modctl auditing */
#include <sys/vnode.h>
#include <sys/user.h>
#include <sys/types.h>
#include <sys/processor.h>
#include <sys/procset.h>
#include <sys/acl.h>
#include <sys/ipc.h>
#include <sys/door.h>
#include <sys/sem.h>
#include <sys/msg.h>
#include <sys/shm.h>
#include <sys/kmem.h>
#include <sys/file.h>		/* for accept */
#include <sys/utssys.h>		/* for fuser */
#include <sys/tsol/label.h>
#include <sys/tsol/tndb.h>
#include <sys/tsol/tsyscall.h>
#include <c2/audit.h>
#include <c2/audit_kernel.h>
#include <c2/audit_kevents.h>
#include <c2/audit_record.h>
#include <sys/procset.h>
#include <nfs/mount.h>
#include <sys/param.h>
#include <sys/debug.h>
#include <sys/sysmacros.h>
#include <sys/stream.h>
#include <sys/strsubr.h>
#include <sys/stropts.h>
#include <sys/tihdr.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/vfs_opreg.h>
#include <fs/sockfs/sockcommon.h>
#include <netinet/in.h>
#include <sys/ddi.h>
#include <sys/port_impl.h>
#include <sys/secflags.h>

/*
 * Initial-processing hooks (aui_*): take the table's default event and
 * return the event to use for this particular call.
 */
static au_event_t	aui_fchownat(au_event_t);
static au_event_t	aui_fchmodat(au_event_t);
static au_event_t	aui_open(au_event_t);
static au_event_t	aui_openat(au_event_t);
static au_event_t	aui_unlinkat(au_event_t);
static au_event_t	aui_fstatat(au_event_t);
static au_event_t	aui_msgsys(au_event_t);
static au_event_t	aui_shmsys(au_event_t);
static au_event_t	aui_semsys(au_event_t);
static au_event_t	aui_utssys(au_event_t);
static au_event_t	aui_fcntl(au_event_t);
static au_event_t	aui_execve(au_event_t);
static au_event_t	aui_memcntl(au_event_t);
static au_event_t	aui_sysinfo(au_event_t);
static au_event_t	aui_portfs(au_event_t);
static au_event_t	aui_auditsys(au_event_t);
static au_event_t	aui_modctl(au_event_t);
static au_event_t	aui_acl(au_event_t);
static au_event_t	aui_doorfs(au_event_t);
static au_event_t	aui_privsys(au_event_t);
static au_event_t	aui_forksys(au_event_t);
static au_event_t	aui_labelsys(au_event_t);
static au_event_t	aui_setpgrp(au_event_t);


/* Start-processing hooks (aus_*). */
static void	aus_exit(struct t_audit_data *);
static void	aus_open(struct t_audit_data *);
static void	aus_openat(struct t_audit_data *);
static void	aus_acl(struct t_audit_data *);
static void	aus_acct(struct t_audit_data *);
static void	aus_chown(struct t_audit_data *);
static void	aus_fchown(struct t_audit_data *);
static void	aus_lchown(struct t_audit_data *);
static void	aus_fchownat(struct t_audit_data *);
static void	aus_chmod(struct t_audit_data *);
static void	aus_facl(struct t_audit_data *);
static void	aus_fchmod(struct t_audit_data *);
static void	aus_fchmodat(struct t_audit_data *);
static void	aus_fcntl(struct t_audit_data *);
static void	aus_mkdir(struct t_audit_data *);
static void	aus_mkdirat(struct t_audit_data *);
static void	aus_mknod(struct t_audit_data *);
static void	aus_mknodat(struct t_audit_data *);
static void	aus_mount(struct t_audit_data *);
static void	aus_umount2(struct t_audit_data *);
static void	aus_msgsys(struct t_audit_data *);
static void	aus_semsys(struct t_audit_data *);
static void	aus_close(struct t_audit_data *);
static void	aus_fstatfs(struct t_audit_data *);
static void	aus_setgid(struct t_audit_data *);
static void	aus_setpgrp(struct t_audit_data *);
static void	aus_setuid(struct t_audit_data *);
static void	aus_shmsys(struct t_audit_data *);
static void	aus_doorfs(struct t_audit_data *);
static void	aus_ioctl(struct t_audit_data *);
static void	aus_memcntl(struct t_audit_data *);
static void	aus_mmap(struct t_audit_data *);
static void	aus_munmap(struct t_audit_data *);
static void	aus_priocntlsys(struct t_audit_data *);
static void	aus_setegid(struct t_audit_data *);
static void	aus_setgroups(struct t_audit_data *);
static void	aus_seteuid(struct t_audit_data *);
static void	aus_putmsg(struct t_audit_data *);
static void	aus_putpmsg(struct t_audit_data *);
static void	aus_getmsg(struct t_audit_data *);
static void	aus_getpmsg(struct t_audit_data *);
static void	aus_auditsys(struct t_audit_data *);
static void	aus_sysinfo(struct t_audit_data *);
static void	aus_modctl(struct t_audit_data *);
static void	aus_kill(struct t_audit_data *);
static void	aus_setregid(struct t_audit_data *);
static void	aus_setreuid(struct t_audit_data *);
static void	aus_labelsys(struct t_audit_data *);

/* Finish-processing hooks (auf_*). */
static void	auf_mknod(struct t_audit_data *, int, rval_t *);
static void	auf_mknodat(struct t_audit_data *, int, rval_t *);
static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
static void	auf_semsys(struct t_audit_data *, int, rval_t *);
static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
static void	auf_read(struct t_audit_data *, int, rval_t *);
static void	auf_write(struct t_audit_data *, int, rval_t *);

static void	aus_sigqueue(struct t_audit_data *);
static void	aus_p_online(struct t_audit_data *);
static void	aus_processor_bind(struct t_audit_data *);
static void	aus_inst_sync(struct t_audit_data *);
static void	aus_brandsys(struct t_audit_data *);

static void	auf_accept(struct t_audit_data *, int, rval_t *);

static void	auf_bind(struct t_audit_data *, int, rval_t *);
static void	auf_connect(struct t_audit_data *, int, rval_t *);
static void	aus_shutdown(struct t_audit_data *);
static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
static void	aus_sockconfig(struct t_audit_data *);
static void	auf_recv(struct t_audit_data *, int, rval_t *);
static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
static void	auf_send(struct t_audit_data *, int, rval_t *);
static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
static void	auf_sendto(struct t_audit_data *, int, rval_t *);
static void	aus_socket(struct t_audit_data *);
/*
 * This table contains mapping information for converting system call numbers
 * to audit event IDs. In several cases it is necessary to map a single system
 * call to several events.
 *
 * Each entry is written as five flat initializers: initial-processing hook,
 * default audit event, start hook, finish hook and a control word (0 or an
 * S2E_* value; those flags are defined outside this file). The numbered
 * comments name the system call each entry is written for. The initializer
 * has no inner braces, so entries are purely positional: adding, dropping or
 * reordering one shifts every later entry. NOTE(review): presumably the
 * table is indexed directly by system call number -- confirm against the
 * code that consumes audit_s2e and num_syscall.
 *
 * An entry of aui_null / AUE_NULL / aus_null / auf_null assigns the call no
 * event and no hooks here; when reviewing audit coverage, those are the
 * entries to check first.
 */

#define	aui_null	NULL	/* NULL initialize function */
#define	aus_null	NULL	/* NULL start function */
#define	auf_null	NULL	/* NULL finish function */

struct audit_s2e audit_s2e[] =
{
/*
 * ----------	----------	----------	----------
 * INITIAL	AUDIT		START		SYSTEM
 * PROCESSING	EVENT		PROCESSING	CALL
 * ----------	----------	----------	-----------
 *		FINISH		EVENT
 *		PROCESSING	CONTROL
 * ----------------------------------------------------------
 */
aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
		auf_null,	0,
aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
		auf_null,	S2E_NPT,
aui_null,	AUE_PSECFLAGS,	aus_null,	/* 2 psecflags */
		auf_null,	0,
aui_null,	AUE_READ,	aus_null,	/* 3 read */
		auf_read,	S2E_PUB,
aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
		auf_write,	0,
aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
		auf_null,	S2E_SP,
aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
		auf_null,	0,
aui_null,	AUE_LINK,	aus_null,	/* 7 linkat */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
		auf_null,	0,
aui_null,	AUE_LINK,	aus_null,	/* 9 link */
		auf_null,	0,
aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
		auf_null,	0,
aui_null,	AUE_SYMLINK,	aus_null,	/* 11 symlinkat */
		auf_null,	0,
aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
		auf_null,	S2E_SP,
aui_null,	AUE_NULL,	aus_null,	/* 13 time */
		auf_null,	0,
aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
		auf_mknod,	S2E_MLD,
aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
		auf_null,	0,
aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
		auf_null,	0,
aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
		auf_null,	S2E_PUB,
aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
		auf_null,	0,
aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
		auf_null,	S2E_MLD,
aui_null,	AUE_READLINK,	aus_null,	/* 22 readlinkat */
		auf_null,	S2E_PUB,
aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
		auf_null,	0,
aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
		auf_null,	0,
aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
		auf_null,	S2E_PUB,
aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
		auf_null,	0,
aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
		auf_null,	S2E_PUB,
aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
		auf_null,	0,
aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
		auf_null,	0,
aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
		auf_null,	S2E_PUB,
aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
		auf_null,	0,
aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 43 times */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
		auf_null,	0,
aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
		auf_null,	S2E_PUB,
aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
		auf_null,	0,
aui_null,	AUE_MKNOD,	aus_mknodat,	/* 48 mknodat */
		auf_mknodat,	S2E_MLD,
aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
		auf_msgsys,	0,
#if defined(__x86)
aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
		auf_null,	0,
#else
aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
		auf_null,	0,
#endif /* __x86 */
aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
		auf_null,	0,
aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
		auf_shmsys,	0,
aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
		auf_semsys,	0,
aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
		auf_null,	0,
aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
		auf_null,	0,
aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
		auf_null,	0,
aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
		auf_null,	S2E_MLD,
aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
		auf_null,	0,
aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
		auf_null,	S2E_SP,
aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
		auf_null,	0,
aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
		auf_null,	0,
aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
		auf_null,	0,
aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
		auf_null,	S2E_PUB,
aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
		auf_null,	S2E_PUB,
aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
		auf_null,	S2E_SP,
aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
		auf_null,	S2E_SP,
aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
		auf_null,	0,
aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
		auf_null,	0,
aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
		auf_null,	0,
aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
		auf_null,	0,
aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
		auf_null,	0,
aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
		auf_null,	0,
aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
		auf_null,	S2E_PUB,
aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
		auf_null,	0,
aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
		auf_null,	S2E_PUB,
aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
		auf_null,	0,
aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
		auf_null,	0,
aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
		auf_null,	0,
aui_fchmodat,	AUE_NULL,	aus_fchmodat,	/* 101 fchmodat */
		auf_null,	0,
aui_null,	AUE_MKDIR,	aus_mkdirat,	/* 102 mkdirat */
		auf_null,	0,
aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
		auf_null,	S2E_PUB,
aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
		auf_null,	0,
#if defined(__x86)
aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
		auf_null,	0,
#else
aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
		auf_null,	0,
#endif /* __x86 */
aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
		auf_null,	0,
aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
		auf_null,	0,
aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
		auf_null,	S2E_PUB,
aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
		auf_null,	0,
aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
		auf_null,	0,
aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
		auf_null,	0,
aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
		auf_null,	0,
aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
		auf_null,	0,
aui_null,	AUE_READ,	aus_null,	/* 121 readv */
		auf_read,	S2E_PUB,
aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
		auf_write,	0,
aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
		auf_null,	0,
aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
		auf_null,	0,
aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
		auf_null,	0,
aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
		auf_null,	0,
aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
		auf_null,	0,
aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
		auf_null,	0,
aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
		auf_null,	0,
aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
		auf_null,	0,
aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
		auf_null,	0,
aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
		auf_null,	0,
aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
		auf_null,	0,
aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
						/* was lwp_sema_wait */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
		auf_null,	0,
aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
		auf_null,	0,
aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
						/* was lwp_mutex_lock */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
		auf_null,	0,
aui_null,	AUE_READ,	aus_null,	/* 173 pread */
		auf_read,	S2E_PUB,
aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
		auf_write,	0,
aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
		auf_null,	0,
aui_null,	AUE_INST_SYNC,	aus_inst_sync,	/* 176 (loadable) inst_sync */
		auf_null,	0,
aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
		auf_null,	0,
aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
		auf_null,	S2E_MLD,
aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
		auf_null,	0,
aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
		auf_null,	0,
aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
		auf_null,	0,
aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys */
		auf_null,	0,
aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
		auf_null,	0,
aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
		auf_null,	0,
aui_null,	AUE_CLOCK_SETTIME, aus_null,	/* 192 clock_settime */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
		auf_null,	0,
aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
		auf_null,	0,
aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
		auf_null,	0,
aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
		auf_null,	0,
aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
		auf_null,	0,
aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
		auf_null,	0,
aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
		auf_null,	S2E_PUB,
aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
		auf_null,	S2E_PUB,
aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
		auf_null,	0,
aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
		auf_null,	S2E_PUB,
aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
		auf_null,	0,
aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
		auf_null,	0,
aui_null,	AUE_READ,	aus_null,	/* 222 pread64 */
		auf_read,	S2E_PUB,
aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
		auf_write,	0,
aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
		auf_null,	0,
aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
		auf_null,	S2E_SP,
aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
		auf_null,	0,
aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
		auf_null,	0,
aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
		auf_bind,	0,
aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
		auf_null,	0,
aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
		auf_accept,	0,
aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
		auf_connect,	0,
aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
		auf_null,	0,
aui_null,	AUE_READ,	aus_null,	/* 237 recv */
		auf_recv,	0,
aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
		auf_recvfrom,	0,
aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
		auf_recvmsg,	0,
aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
		auf_send,	0,
aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
		auf_sendmsg,	0,
aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
		auf_sendto,	0,
aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
		auf_null,	0,
aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
		auf_setsockopt,	0,
aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
		auf_null,	0,
aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
		auf_null,	0,
aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
		auf_null,	0,
aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
		auf_null,	0
};

/* Number of entries in audit_s2e, derived from the array itself. */
uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);


/*
 * exit start function
 *
 * Writes the exit status, read from the current LWP's saved system call
 * arguments and truncated to 32 bits, as argument token 1.
 */
/*ARGSUSED*/
static void
aus_exit(struct t_audit_data *tad)
{
	struct a {
		long	rval;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;
	uint32_t status = (uint32_t)args->rval;

	au_uwrite(au_to_arg32(1, "exit status", status));
}


/*
 * acct start function
 *
 * Adds an "accounting off" token only when the pathname argument is null;
 * a non-null pathname adds nothing here.
 */
/*ARGSUSED*/
static void
aus_acct(struct t_audit_data *tad)
{
	struct a {
		long	fname;		/* char * */
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;

	if ((uintptr_t)args->fname != 0)
		return;

	au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
}

/*
 * chown start function
 *
 * Records the requested owner and group (arguments 2 and 3), each
 * truncated to 32 bits.
 */
/*ARGSUSED*/
static void
aus_chown(struct t_audit_data *tad)
{
	struct a {
		long	fname;		/* char * */
		long	uid;
		long	gid;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;
	uint32_t new_uid = (uint32_t)args->uid;
	uint32_t new_gid = (uint32_t)args->gid;

	au_uwrite(au_to_arg32(2, "new file uid", new_uid));
	au_uwrite(au_to_arg32(3, "new file gid", new_gid));
}

/*
 * fchown start function
 *
 * Records the requested owner and group, then identifies the target: the
 * audit path cached on the open file if there is one, otherwise the raw
 * descriptor number, followed by the vnode's attributes. A descriptor that
 * getf() cannot resolve leaves only the uid/gid tokens.
 */
/*ARGSUSED*/
static void
aus_fchown(struct t_audit_data *tad)
{
	struct a {
		long	fd;
		long	uid;
		long	gid;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;
	uint32_t fd = (uint32_t)args->fd;
	uint32_t new_uid = (uint32_t)args->uid;
	uint32_t new_gid = (uint32_t)args->gid;
	struct file *fp;
	struct f_audit_data *fad;

	au_uwrite(au_to_arg32(2, "new file uid", new_uid));
	au_uwrite(au_to_arg32(3, "new file gid", new_gid));

	/*
	 * convert file descriptor to file pointer
	 * Note: fd ref count incremented here.
	 */
	fp = getf(fd);
	if (fp == NULL)
		return;

	/* prefer the path recorded in the file's audit data */
	fad = F2A(fp);
	if (fad->fad_aupath == NULL)
		au_uwrite(au_to_arg32(1, "no path: fd", fd));
	else
		au_uwrite(au_to_path(fad->fad_aupath));

	audit_attributes(fp->f_vnode);

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * lchown start function
 *
 * Same tokens as aus_chown(): requested owner and group as arguments 2
 * and 3.
 */
/*ARGSUSED*/
static void
aus_lchown(struct t_audit_data *tad)
{
	struct a {
		long	fname;		/* char * */
		long	uid;
		long	gid;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;
	uint32_t new_uid = (uint32_t)args->uid;
	uint32_t new_gid = (uint32_t)args->gid;

	au_uwrite(au_to_arg32(2, "new file uid", new_uid));
	au_uwrite(au_to_arg32(3, "new file gid", new_gid));
}

/*
 * fchownat initial processing
 *
 * Picks the event from the call's arguments: no pathname means the
 * descriptor itself is the target (AUE_FCHOWN); AT_SYMLINK_NOFOLLOW selects
 * AUE_LCHOWN; anything else is AUE_CHOWN. The incoming event is ignored.
 */
static au_event_t
aui_fchownat(au_event_t e)
{
	struct a {
		long	fd;
		long	fname;		/* char * */
		long	uid;
		long	gid;
		long	flags;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;

	if (args->fname == 0)
		e = AUE_FCHOWN;
	else
		e = (args->flags & AT_SYMLINK_NOFOLLOW) ?
		    AUE_LCHOWN : AUE_CHOWN;

	return (e);
}

/*
 * fchownat start function
 *
 * Records the requested owner and group; they are arguments 3 and 4 of
 * fchownat, after the descriptor and pathname.
 */
/*ARGSUSED*/
static void
aus_fchownat(struct t_audit_data *tad)
{
	struct a {
		long	fd;
		long	fname;		/* char * */
		long	uid;
		long	gid;
		long	flags;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;
	uint32_t new_uid = (uint32_t)args->uid;
	uint32_t new_gid = (uint32_t)args->gid;

	au_uwrite(au_to_arg32(3, "new file uid", new_uid));
	au_uwrite(au_to_arg32(4, "new file gid", new_gid));
}

/*
 * chmod start function
 *
 * Records the requested mode as argument 2, keeping only the bits inside
 * the 07777 mask.
 */
/*ARGSUSED*/
static void
aus_chmod(struct t_audit_data *tad)
{
	struct a {
		long	fname;		/* char * */
		long	fmode;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;
	uint32_t mode = (uint32_t)args->fmode;

	au_uwrite(au_to_arg32(2, "new file mode", mode & 07777));
}

/*
 * fchmod start function
 *
 * Records the requested mode (masked with 07777), then identifies the
 * target exactly as aus_fchown() does: cached audit path if present,
 * otherwise the descriptor number, followed by the vnode's attributes.
 */
/*ARGSUSED*/
static void
aus_fchmod(struct t_audit_data *tad)
{
	struct a {
		long	fd;
		long	fmode;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;
	uint32_t fd = (uint32_t)args->fd;
	uint32_t mode = (uint32_t)args->fmode;
	struct file *fp;
	struct f_audit_data *fad;

	au_uwrite(au_to_arg32(2, "new file mode", mode & 07777));

	/*
	 * convert file descriptor to file pointer
	 * Note: fd ref count incremented here.
	 */
	fp = getf(fd);
	if (fp == NULL)
		return;

	/* prefer the path recorded in the file's audit data */
	fad = F2A(fp);
	if (fad->fad_aupath == NULL)
		au_uwrite(au_to_arg32(1, "no path: fd", fd));
	else
		au_uwrite(au_to_path(fad->fad_aupath));

	audit_attributes(fp->f_vnode);

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * fchmodat initial processing
 *
 * A null pathname means the descriptor is the target (AUE_FCHMOD);
 * otherwise the call is audited as AUE_CHMOD. The incoming event is
 * ignored.
 */
static au_event_t
aui_fchmodat(au_event_t e)
{
	struct a {
		long	fd;
		long	fname;		/* char * */
		long	fmode;
		long	flag;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;

	e = (args->fname == 0) ? AUE_FCHMOD : AUE_CHMOD;

	return (e);
}

/*
 * fchmodat start function
 *
 * Always records the requested mode (masked with 07777). The descriptor is
 * resolved to a path and attributes only when the call acts on the
 * descriptor itself, i.e. fd is not AT_FDCWD and no pathname was given.
 */
/*ARGSUSED*/
static void
aus_fchmodat(struct t_audit_data *tad)
{
	struct a {
		long	fd;
		long	fname;		/* char * */
		long	fmode;
		long	flag;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;
	uint32_t fd = (uint32_t)args->fd;
	uint32_t mode = (uint32_t)args->fmode;
	struct file *fp;
	struct f_audit_data *fad;

	au_uwrite(au_to_arg32(2, "new file mode", mode & 07777));

	if (fd == AT_FDCWD || args->fname != 0)	/* same as chmod() */
		return;

	/*
	 * convert file descriptor to file pointer
	 * Note: fd ref count incremented here.
	 */
	fp = getf(fd);
	if (fp == NULL)
		return;

	/* prefer the path recorded in the file's audit data */
	fad = F2A(fp);
	if (fad->fad_aupath == NULL)
		au_uwrite(au_to_arg32(1, "no path: fd", fd));
	else
		au_uwrite(au_to_path(fad->fad_aupath));

	audit_attributes(fp->f_vnode);

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * convert open mode to appropriate open event
 *
 * Only the access mode plus O_CREAT and O_TRUNC take part in the choice.
 * Any combination not listed below (for example O_SEARCH or O_EXEC
 * together with O_CREAT or O_TRUNC) yields AUE_NULL.
 */
au_event_t
open_event(uint_t fm)
{
	switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
	case O_RDONLY:
		return (AUE_OPEN_R);
	case O_RDONLY | O_CREAT:
		return (AUE_OPEN_RC);
	case O_RDONLY | O_TRUNC:
		return (AUE_OPEN_RT);
	case O_RDONLY | O_TRUNC | O_CREAT:
		return (AUE_OPEN_RTC);
	case O_WRONLY:
		return (AUE_OPEN_W);
	case O_WRONLY | O_CREAT:
		return (AUE_OPEN_WC);
	case O_WRONLY | O_TRUNC:
		return (AUE_OPEN_WT);
	case O_WRONLY | O_TRUNC | O_CREAT:
		return (AUE_OPEN_WTC);
	case O_RDWR:
		return (AUE_OPEN_RW);
	case O_RDWR | O_CREAT:
		return (AUE_OPEN_RWC);
	case O_RDWR | O_TRUNC:
		return (AUE_OPEN_RWT);
	case O_RDWR | O_TRUNC | O_CREAT:
		return (AUE_OPEN_RWTC);
	case O_SEARCH:
		return (AUE_OPEN_S);
	case O_EXEC:
		return (AUE_OPEN_E);
	default:
		return (AUE_NULL);
	}
}

/*
 * open initial processing
 *
 * Derives the event from the open mode argument via open_event(); the
 * incoming event is not used.
 */
/* ARGSUSED */
static au_event_t
aui_open(au_event_t e)
{
	struct a {
		long	fnamep;		/* char * */
		long	fmode;
		long	cmode;
	} *args = (struct a *)ttolwp(curthread)->lwp_ap;

	return (open_event((uint_t)args->fmode));
}

static void
aus_open(struct t_audit_data *tad)
{
	klwp_t *clwp =
ttolwp(curthread); 1109 uint_t fm; 1110 1111 struct a { 1112 long fnamep; /* char * */ 1113 long fmode; 1114 long cmode; 1115 } *uap = (struct a *)clwp->lwp_ap; 1116 1117 fm = (uint_t)uap->fmode; 1118 1119 /* If no write, create, or trunc modes, mark as a public op */ 1120 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1121 tad->tad_ctrl |= TAD_PUBLIC_EV; 1122 } 1123 1124 /* ARGSUSED */ 1125 static au_event_t 1126 aui_openat(au_event_t e) 1127 { 1128 t_audit_data_t *tad = T2A(curthread); 1129 klwp_t *clwp = ttolwp(curthread); 1130 uint_t fm; 1131 1132 struct a { 1133 long filedes; 1134 long fnamep; /* char * */ 1135 long fmode; 1136 long cmode; 1137 } *uap = (struct a *)clwp->lwp_ap; 1138 1139 fm = (uint_t)uap->fmode; 1140 1141 /* 1142 * __openattrdirat() does an extra pathname lookup in order to 1143 * enter the extended system attribute namespace of the referenced 1144 * extended attribute filename. 1145 */ 1146 if (fm & FXATTRDIROPEN) 1147 tad->tad_ctrl |= TAD_MLD; 1148 1149 return (open_event(fm)); 1150 } 1151 1152 static void 1153 aus_openat(struct t_audit_data *tad) 1154 { 1155 klwp_t *clwp = ttolwp(curthread); 1156 uint_t fm; 1157 1158 struct a { 1159 long filedes; 1160 long fnamep; /* char * */ 1161 long fmode; 1162 long cmode; 1163 } *uap = (struct a *)clwp->lwp_ap; 1164 1165 fm = (uint_t)uap->fmode; 1166 1167 /* If no write, create, or trunc modes, mark as a public op */ 1168 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1169 tad->tad_ctrl |= TAD_PUBLIC_EV; 1170 } 1171 1172 static au_event_t 1173 aui_unlinkat(au_event_t e) 1174 { 1175 klwp_t *clwp = ttolwp(curthread); 1176 1177 struct a { 1178 long filedes; 1179 long fnamep; /* char * */ 1180 long flags; 1181 } *uap = (struct a *)clwp->lwp_ap; 1182 1183 if (uap->flags & AT_REMOVEDIR) 1184 e = AUE_RMDIR; 1185 else 1186 e = AUE_UNLINK; 1187 1188 return (e); 1189 } 1190 1191 static au_event_t 1192 aui_fstatat(au_event_t e) 1193 { 1194 klwp_t *clwp = ttolwp(curthread); 
1195 1196 struct a { 1197 long filedes; 1198 long fnamep; /* char * */ 1199 long statb; 1200 long flags; 1201 } *uap = (struct a *)clwp->lwp_ap; 1202 1203 if (uap->fnamep == 0) 1204 e = AUE_FSTAT; 1205 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1206 e = AUE_LSTAT; 1207 else 1208 e = AUE_STAT; 1209 1210 return (e); 1211 } 1212 1213 /* msgsys */ 1214 static au_event_t 1215 aui_msgsys(au_event_t e) 1216 { 1217 klwp_t *clwp = ttolwp(curthread); 1218 uint_t fm; 1219 1220 struct a { 1221 long id; /* function code id */ 1222 long ap; /* arg pointer for recvmsg */ 1223 } *uap = (struct a *)clwp->lwp_ap; 1224 1225 struct b { 1226 long msgid; 1227 long cmd; 1228 long buf; /* struct msqid_ds * */ 1229 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1230 1231 fm = (uint_t)uap->id; 1232 1233 switch (fm) { 1234 case 0: /* msgget */ 1235 e = AUE_MSGGET; 1236 break; 1237 case 1: /* msgctl */ 1238 switch ((uint_t)uap1->cmd) { 1239 case IPC_RMID: 1240 e = AUE_MSGCTL_RMID; 1241 break; 1242 case IPC_SET: 1243 e = AUE_MSGCTL_SET; 1244 break; 1245 case IPC_STAT: 1246 e = AUE_MSGCTL_STAT; 1247 break; 1248 default: 1249 e = AUE_MSGCTL; 1250 break; 1251 } 1252 break; 1253 case 2: /* msgrcv */ 1254 e = AUE_MSGRCV; 1255 break; 1256 case 3: /* msgsnd */ 1257 e = AUE_MSGSND; 1258 break; 1259 default: /* illegal system call */ 1260 e = AUE_NULL; 1261 break; 1262 } 1263 1264 return (e); 1265 } 1266 1267 1268 /* shmsys */ 1269 static au_event_t 1270 aui_shmsys(au_event_t e) 1271 { 1272 klwp_t *clwp = ttolwp(curthread); 1273 int fm; 1274 1275 struct a { /* shmsys */ 1276 long id; /* function code id */ 1277 } *uap = (struct a *)clwp->lwp_ap; 1278 1279 struct b { /* ctrl */ 1280 long shmid; 1281 long cmd; 1282 long arg; /* struct shmid_ds * */ 1283 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1284 fm = (uint_t)uap->id; 1285 1286 switch (fm) { 1287 case 0: /* shmat */ 1288 e = AUE_SHMAT; 1289 break; 1290 case 1: /* shmctl */ 1291 switch ((uint_t)uap1->cmd) { 1292 case IPC_RMID: 1293 e = AUE_SHMCTL_RMID; 1294 
break; 1295 case IPC_SET: 1296 e = AUE_SHMCTL_SET; 1297 break; 1298 case IPC_STAT: 1299 e = AUE_SHMCTL_STAT; 1300 break; 1301 default: 1302 e = AUE_SHMCTL; 1303 break; 1304 } 1305 break; 1306 case 2: /* shmdt */ 1307 e = AUE_SHMDT; 1308 break; 1309 case 3: /* shmget */ 1310 e = AUE_SHMGET; 1311 break; 1312 default: /* illegal system call */ 1313 e = AUE_NULL; 1314 break; 1315 } 1316 1317 return (e); 1318 } 1319 1320 1321 /* semsys */ 1322 static au_event_t 1323 aui_semsys(au_event_t e) 1324 { 1325 klwp_t *clwp = ttolwp(curthread); 1326 uint_t fm; 1327 1328 struct a { /* semsys */ 1329 long id; 1330 } *uap = (struct a *)clwp->lwp_ap; 1331 1332 struct b { /* ctrl */ 1333 long semid; 1334 long semnum; 1335 long cmd; 1336 long arg; 1337 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1338 1339 fm = (uint_t)uap->id; 1340 1341 switch (fm) { 1342 case 0: /* semctl */ 1343 switch ((uint_t)uap1->cmd) { 1344 case IPC_RMID: 1345 e = AUE_SEMCTL_RMID; 1346 break; 1347 case IPC_SET: 1348 e = AUE_SEMCTL_SET; 1349 break; 1350 case IPC_STAT: 1351 e = AUE_SEMCTL_STAT; 1352 break; 1353 case GETNCNT: 1354 e = AUE_SEMCTL_GETNCNT; 1355 break; 1356 case GETPID: 1357 e = AUE_SEMCTL_GETPID; 1358 break; 1359 case GETVAL: 1360 e = AUE_SEMCTL_GETVAL; 1361 break; 1362 case GETALL: 1363 e = AUE_SEMCTL_GETALL; 1364 break; 1365 case GETZCNT: 1366 e = AUE_SEMCTL_GETZCNT; 1367 break; 1368 case SETVAL: 1369 e = AUE_SEMCTL_SETVAL; 1370 break; 1371 case SETALL: 1372 e = AUE_SEMCTL_SETALL; 1373 break; 1374 default: 1375 e = AUE_SEMCTL; 1376 break; 1377 } 1378 break; 1379 case 1: /* semget */ 1380 e = AUE_SEMGET; 1381 break; 1382 case 2: /* semop */ 1383 e = AUE_SEMOP; 1384 break; 1385 default: /* illegal system call */ 1386 e = AUE_NULL; 1387 break; 1388 } 1389 1390 return (e); 1391 } 1392 1393 /* utssys - uname(2), ustat(2), fusers(2) */ 1394 static au_event_t 1395 aui_utssys(au_event_t e) 1396 { 1397 klwp_t *clwp = ttolwp(curthread); 1398 uint_t type; 1399 1400 struct a { 1401 union { 1402 long cbuf; /* char 
* */ 1403 long ubuf; /* struct stat * */ 1404 } ub; 1405 union { 1406 long mv; /* for USTAT */ 1407 long flags; /* for FUSERS */ 1408 } un; 1409 long type; 1410 long outbp; /* char * for FUSERS */ 1411 } *uap = (struct a *)clwp->lwp_ap; 1412 1413 type = (uint_t)uap->type; 1414 1415 if (type == UTS_FUSERS) 1416 return (e); 1417 else 1418 return ((au_event_t)AUE_NULL); 1419 } 1420 1421 static au_event_t 1422 aui_fcntl(au_event_t e) 1423 { 1424 klwp_t *clwp = ttolwp(curthread); 1425 uint_t cmd; 1426 1427 struct a { 1428 long fdes; 1429 long cmd; 1430 long arg; 1431 } *uap = (struct a *)clwp->lwp_ap; 1432 1433 cmd = (uint_t)uap->cmd; 1434 1435 switch (cmd) { 1436 case F_GETLK: 1437 case F_SETLK: 1438 case F_SETLKW: 1439 break; 1440 case F_SETFL: 1441 case F_GETFL: 1442 case F_GETFD: 1443 break; 1444 default: 1445 e = (au_event_t)AUE_NULL; 1446 break; 1447 } 1448 return ((au_event_t)e); 1449 } 1450 1451 /* null function for now */ 1452 static au_event_t 1453 aui_execve(au_event_t e) 1454 { 1455 return (e); 1456 } 1457 1458 /*ARGSUSED*/ 1459 static void 1460 aus_fcntl(struct t_audit_data *tad) 1461 { 1462 klwp_t *clwp = ttolwp(curthread); 1463 uint32_t cmd, fd, flags; 1464 struct file *fp; 1465 struct vnode *vp; 1466 struct f_audit_data *fad; 1467 1468 struct a { 1469 long fd; 1470 long cmd; 1471 long arg; 1472 } *uap = (struct a *)clwp->lwp_ap; 1473 1474 cmd = (uint32_t)uap->cmd; 1475 fd = (uint32_t)uap->fd; 1476 flags = (uint32_t)uap->arg; 1477 1478 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1479 1480 if (cmd == F_SETFL) 1481 au_uwrite(au_to_arg32(3, "flags", flags)); 1482 1483 /* 1484 * convert file pointer to file descriptor 1485 * Note: fd ref count incremented here. 
1486 */ 1487 if ((fp = getf(fd)) == NULL) 1488 return; 1489 1490 /* get path from file struct here */ 1491 fad = F2A(fp); 1492 if (fad->fad_aupath != NULL) { 1493 au_uwrite(au_to_path(fad->fad_aupath)); 1494 } else { 1495 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1496 } 1497 1498 vp = fp->f_vnode; 1499 audit_attributes(vp); 1500 1501 /* decrement file descriptor reference count */ 1502 releasef(fd); 1503 } 1504 1505 /*ARGSUSED*/ 1506 static void 1507 aus_kill(struct t_audit_data *tad) 1508 { 1509 klwp_t *clwp = ttolwp(curthread); 1510 struct proc *p; 1511 uint32_t signo; 1512 uid_t uid, ruid; 1513 gid_t gid, rgid; 1514 pid_t pid; 1515 const auditinfo_addr_t *ainfo; 1516 cred_t *cr; 1517 1518 struct a { 1519 long pid; 1520 long signo; 1521 } *uap = (struct a *)clwp->lwp_ap; 1522 1523 pid = (pid_t)uap->pid; 1524 signo = (uint32_t)uap->signo; 1525 1526 au_uwrite(au_to_arg32(2, "signal", signo)); 1527 if (pid > 0) { 1528 mutex_enter(&pidlock); 1529 if (((p = prfind(pid)) == (struct proc *)0) || 1530 (p->p_stat == SIDL)) { 1531 mutex_exit(&pidlock); 1532 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1533 return; 1534 } 1535 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1536 mutex_exit(&pidlock); 1537 1538 mutex_enter(&p->p_crlock); 1539 crhold(cr = p->p_cred); 1540 mutex_exit(&p->p_crlock); 1541 mutex_exit(&p->p_lock); 1542 1543 ainfo = crgetauinfo(cr); 1544 if (ainfo == NULL) { 1545 crfree(cr); 1546 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1547 return; 1548 } 1549 1550 uid = crgetuid(cr); 1551 gid = crgetgid(cr); 1552 ruid = crgetruid(cr); 1553 rgid = crgetrgid(cr); 1554 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1555 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1556 1557 if (is_system_labeled()) 1558 au_uwrite(au_to_label(CR_SL(cr))); 1559 1560 crfree(cr); 1561 } 1562 else 1563 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1564 } 1565 1566 /*ARGSUSED*/ 1567 static void 1568 aus_mkdir(struct t_audit_data *tad) 
1569 { 1570 klwp_t *clwp = ttolwp(curthread); 1571 uint32_t dmode; 1572 1573 struct a { 1574 long dirnamep; /* char * */ 1575 long dmode; 1576 } *uap = (struct a *)clwp->lwp_ap; 1577 1578 dmode = (uint32_t)uap->dmode; 1579 1580 au_uwrite(au_to_arg32(2, "mode", dmode)); 1581 } 1582 1583 /*ARGSUSED*/ 1584 static void 1585 aus_mkdirat(struct t_audit_data *tad) 1586 { 1587 klwp_t *clwp = ttolwp(curthread); 1588 uint32_t dmode; 1589 1590 struct a { 1591 long fd; 1592 long dirnamep; /* char * */ 1593 long dmode; 1594 } *uap = (struct a *)clwp->lwp_ap; 1595 1596 dmode = (uint32_t)uap->dmode; 1597 1598 au_uwrite(au_to_arg32(2, "mode", dmode)); 1599 } 1600 1601 /*ARGSUSED*/ 1602 static void 1603 aus_mknod(struct t_audit_data *tad) 1604 { 1605 klwp_t *clwp = ttolwp(curthread); 1606 uint32_t fmode; 1607 dev_t dev; 1608 1609 struct a { 1610 long pnamep; /* char * */ 1611 long fmode; 1612 long dev; 1613 } *uap = (struct a *)clwp->lwp_ap; 1614 1615 fmode = (uint32_t)uap->fmode; 1616 dev = (dev_t)uap->dev; 1617 1618 au_uwrite(au_to_arg32(2, "mode", fmode)); 1619 #ifdef _LP64 1620 au_uwrite(au_to_arg64(3, "dev", dev)); 1621 #else 1622 au_uwrite(au_to_arg32(3, "dev", dev)); 1623 #endif 1624 } 1625 1626 /*ARGSUSED*/ 1627 static void 1628 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1629 { 1630 klwp_t *clwp = ttolwp(curthread); 1631 vnode_t *dvp; 1632 caddr_t pnamep; 1633 1634 struct a { 1635 long pnamep; /* char * */ 1636 long fmode; 1637 long dev; 1638 } *uap = (struct a *)clwp->lwp_ap; 1639 1640 /* no error, then already path token in audit record */ 1641 if (error != EPERM && error != EINVAL) 1642 return; 1643 1644 /* do the lookup to force generation of path token */ 1645 pnamep = (caddr_t)uap->pnamep; 1646 tad->tad_ctrl |= TAD_NOATTRB; 1647 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1648 if (error == 0) 1649 VN_RELE(dvp); 1650 } 1651 1652 /*ARGSUSED*/ 1653 static void 1654 aus_mknodat(struct t_audit_data *tad) 1655 { 1656 klwp_t *clwp = 
ttolwp(curthread); 1657 uint32_t fmode; 1658 dev_t dev; 1659 1660 struct a { 1661 long fd; 1662 long pnamep; /* char * */ 1663 long fmode; 1664 long dev; 1665 } *uap = (struct a *)clwp->lwp_ap; 1666 1667 fmode = (uint32_t)uap->fmode; 1668 dev = (dev_t)uap->dev; 1669 1670 au_uwrite(au_to_arg32(2, "mode", fmode)); 1671 #ifdef _LP64 1672 au_uwrite(au_to_arg64(3, "dev", dev)); 1673 #else 1674 au_uwrite(au_to_arg32(3, "dev", dev)); 1675 #endif 1676 } 1677 1678 /*ARGSUSED*/ 1679 static void 1680 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval) 1681 { 1682 klwp_t *clwp = ttolwp(curthread); 1683 vnode_t *startvp; 1684 vnode_t *dvp; 1685 caddr_t pnamep; 1686 int fd; 1687 1688 struct a { 1689 long fd; 1690 long pnamep; /* char * */ 1691 long fmode; 1692 long dev; 1693 } *uap = (struct a *)clwp->lwp_ap; 1694 1695 /* no error, then already path token in audit record */ 1696 if (error != EPERM && error != EINVAL) 1697 return; 1698 1699 /* do the lookup to force generation of path token */ 1700 fd = (int)uap->fd; 1701 pnamep = (caddr_t)uap->pnamep; 1702 if (pnamep == NULL || 1703 fgetstartvp(fd, pnamep, &startvp) != 0) 1704 return; 1705 tad->tad_ctrl |= TAD_NOATTRB; 1706 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP, 1707 startvp); 1708 if (error == 0) 1709 VN_RELE(dvp); 1710 if (startvp != NULL) 1711 VN_RELE(startvp); 1712 } 1713 1714 /*ARGSUSED*/ 1715 static void 1716 aus_mount(struct t_audit_data *tad) 1717 { 1718 /* AUS_START */ 1719 klwp_t *clwp = ttolwp(curthread); 1720 uint32_t flags; 1721 uintptr_t u_fstype, dataptr; 1722 STRUCT_DECL(nfs_args, nfsargs); 1723 size_t len; 1724 char *fstype, *hostname; 1725 1726 struct a { 1727 long spec; /* char * */ 1728 long dir; /* char * */ 1729 long flags; 1730 long fstype; /* char * */ 1731 long dataptr; /* char * */ 1732 long datalen; 1733 } *uap = (struct a *)clwp->lwp_ap; 1734 1735 u_fstype = (uintptr_t)uap->fstype; 1736 flags = (uint32_t)uap->flags; 1737 dataptr = (uintptr_t)uap->dataptr; 1738 
1739 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1740 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1741 goto mount_free_fstype; 1742 1743 au_uwrite(au_to_arg32(3, "flags", flags)); 1744 au_uwrite(au_to_text(fstype)); 1745 1746 if (strncmp(fstype, "nfs", 3) == 0) { 1747 1748 STRUCT_INIT(nfsargs, get_udatamodel()); 1749 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1750 1751 if (copyin((caddr_t)dataptr, STRUCT_BUF(nfsargs), 1752 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1753 /* DEBUG debug_enter((char *)NULL); */ 1754 goto mount_free_fstype; 1755 } 1756 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1757 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1758 (caddr_t)hostname, MAXNAMELEN, &len)) { 1759 goto mount_free_hostname; 1760 } 1761 au_uwrite(au_to_text(hostname)); 1762 au_uwrite(au_to_arg32(3, "internal flags", 1763 (uint_t)STRUCT_FGET(nfsargs, flags))); 1764 1765 mount_free_hostname: 1766 kmem_free(hostname, MAXNAMELEN); 1767 } 1768 1769 mount_free_fstype: 1770 kmem_free(fstype, MAXNAMELEN); 1771 } /* AUS_MOUNT */ 1772 1773 static void 1774 aus_umount_path(caddr_t umount_dir) 1775 { 1776 char *dir_path; 1777 struct audit_path *path; 1778 size_t path_len, dir_len; 1779 1780 /* length alloc'd for two string pointers */ 1781 path_len = sizeof (struct audit_path) + sizeof (char *); 1782 path = kmem_alloc(path_len, KM_SLEEP); 1783 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1784 1785 if (copyinstr(umount_dir, (caddr_t)dir_path, 1786 MAXPATHLEN, &dir_len)) 1787 goto umount2_free_dir; 1788 1789 /* 1790 * the audit_path struct assumes that the buffer pointed to 1791 * by audp_sect[n] contains string 0 immediatedly followed 1792 * by string 1. 
1793 */ 1794 path->audp_sect[0] = dir_path; 1795 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1796 path->audp_size = path_len; 1797 path->audp_ref = 1; /* not used */ 1798 path->audp_cnt = 1; /* one path string */ 1799 1800 au_uwrite(au_to_path(path)); 1801 1802 umount2_free_dir: 1803 kmem_free(dir_path, MAXPATHLEN); 1804 kmem_free(path, path_len); 1805 } 1806 1807 /*ARGSUSED*/ 1808 static void 1809 aus_umount2(struct t_audit_data *tad) 1810 { 1811 klwp_t *clwp = ttolwp(curthread); 1812 struct a { 1813 long dir; /* char * */ 1814 long flags; 1815 } *uap = (struct a *)clwp->lwp_ap; 1816 1817 aus_umount_path((caddr_t)uap->dir); 1818 1819 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1820 } 1821 1822 static void 1823 aus_msgsys(struct t_audit_data *tad) 1824 { 1825 klwp_t *clwp = ttolwp(curthread); 1826 uint32_t msgid; 1827 1828 struct b { 1829 long msgid; 1830 long cmd; 1831 long buf; /* struct msqid_ds * */ 1832 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1833 1834 msgid = (uint32_t)uap1->msgid; 1835 1836 1837 switch (tad->tad_event) { 1838 case AUE_MSGGET: /* msgget */ 1839 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1840 break; 1841 case AUE_MSGCTL: /* msgctl */ 1842 case AUE_MSGCTL_RMID: /* msgctl */ 1843 case AUE_MSGCTL_SET: /* msgctl */ 1844 case AUE_MSGCTL_STAT: /* msgctl */ 1845 case AUE_MSGRCV: /* msgrcv */ 1846 case AUE_MSGSND: /* msgsnd */ 1847 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1848 break; 1849 } 1850 } 1851 1852 /*ARGSUSED*/ 1853 static void 1854 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1855 { 1856 int id; 1857 1858 if (error != 0) 1859 return; 1860 if (tad->tad_event == AUE_MSGGET) { 1861 uint32_t scid; 1862 uint32_t sy_flags; 1863 1864 /* need to determine type of executing binary */ 1865 scid = tad->tad_scid; 1866 #ifdef _SYSCALL32_IMPL 1867 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1868 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1869 else 1870 sy_flags = sysent32[scid].sy_flags 
& SE_RVAL_MASK; 1871 #else 1872 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1873 #endif 1874 if (sy_flags == SE_32RVAL1) 1875 id = rval->r_val1; 1876 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1877 id = rval->r_val1; 1878 if (sy_flags == SE_64RVAL) 1879 id = (int)rval->r_vals; 1880 1881 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1882 } 1883 } 1884 1885 static void 1886 aus_semsys(struct t_audit_data *tad) 1887 { 1888 klwp_t *clwp = ttolwp(curthread); 1889 uint32_t semid; 1890 1891 struct b { /* ctrl */ 1892 long semid; 1893 long semnum; 1894 long cmd; 1895 long arg; 1896 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1897 1898 semid = (uint32_t)uap1->semid; 1899 1900 switch (tad->tad_event) { 1901 case AUE_SEMCTL_RMID: 1902 case AUE_SEMCTL_STAT: 1903 case AUE_SEMCTL_GETNCNT: 1904 case AUE_SEMCTL_GETPID: 1905 case AUE_SEMCTL_GETVAL: 1906 case AUE_SEMCTL_GETALL: 1907 case AUE_SEMCTL_GETZCNT: 1908 case AUE_SEMCTL_SET: 1909 case AUE_SEMCTL_SETVAL: 1910 case AUE_SEMCTL_SETALL: 1911 case AUE_SEMCTL: 1912 case AUE_SEMOP: 1913 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1914 break; 1915 case AUE_SEMGET: 1916 au_uwrite(au_to_arg32(1, "sem key", semid)); 1917 break; 1918 } 1919 } 1920 1921 /*ARGSUSED*/ 1922 static void 1923 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1924 { 1925 int id; 1926 1927 if (error != 0) 1928 return; 1929 if (tad->tad_event == AUE_SEMGET) { 1930 uint32_t scid; 1931 uint32_t sy_flags; 1932 1933 /* need to determine type of executing binary */ 1934 scid = tad->tad_scid; 1935 #ifdef _SYSCALL32_IMPL 1936 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1937 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1938 else 1939 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1940 #else 1941 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1942 #endif 1943 if (sy_flags == SE_32RVAL1) 1944 id = rval->r_val1; 1945 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1946 id = rval->r_val1; 1947 if (sy_flags == SE_64RVAL) 1948 id = (int)rval->r_vals; 
1949 1950 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1951 } 1952 } 1953 1954 /*ARGSUSED*/ 1955 static void 1956 aus_close(struct t_audit_data *tad) 1957 { 1958 klwp_t *clwp = ttolwp(curthread); 1959 uint32_t fd; 1960 struct file *fp; 1961 struct f_audit_data *fad; 1962 struct vnode *vp; 1963 struct vattr attr; 1964 au_kcontext_t *kctx = GET_KCTX_PZ; 1965 1966 struct a { 1967 long i; 1968 } *uap = (struct a *)clwp->lwp_ap; 1969 1970 fd = (uint32_t)uap->i; 1971 1972 attr.va_mask = 0; 1973 au_uwrite(au_to_arg32(1, "fd", fd)); 1974 1975 /* 1976 * convert file pointer to file descriptor 1977 * Note: fd ref count incremented here. 1978 */ 1979 if ((fp = getf(fd)) == NULL) 1980 return; 1981 1982 fad = F2A(fp); 1983 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1984 if (fad->fad_aupath != NULL) { 1985 au_uwrite(au_to_path(fad->fad_aupath)); 1986 if ((vp = fp->f_vnode) != NULL) { 1987 attr.va_mask = AT_ALL; 1988 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1989 /* 1990 * When write was not used and the file can be 1991 * considered public, skip the audit. 1992 */ 1993 if (((fp->f_flag & FWRITE) == 0) && 1994 object_is_public(&attr)) { 1995 tad->tad_flag = 0; 1996 tad->tad_evmod = 0; 1997 /* free any residual audit data */ 1998 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 1999 releasef(fd); 2000 return; 2001 } 2002 au_uwrite(au_to_attr(&attr)); 2003 audit_sec_attributes(&(u_ad), vp); 2004 } 2005 } 2006 } 2007 2008 /* decrement file descriptor reference count */ 2009 releasef(fd); 2010 } 2011 2012 /*ARGSUSED*/ 2013 static void 2014 aus_fstatfs(struct t_audit_data *tad) 2015 { 2016 klwp_t *clwp = ttolwp(curthread); 2017 uint32_t fd; 2018 struct file *fp; 2019 struct vnode *vp; 2020 struct f_audit_data *fad; 2021 2022 struct a { 2023 long fd; 2024 long buf; /* struct statfs * */ 2025 } *uap = (struct a *)clwp->lwp_ap; 2026 2027 fd = (uint_t)uap->fd; 2028 2029 /* 2030 * convert file pointer to file descriptor 2031 * Note: fd ref count incremented here. 
2032 */ 2033 if ((fp = getf(fd)) == NULL) 2034 return; 2035 2036 /* get path from file struct here */ 2037 fad = F2A(fp); 2038 if (fad->fad_aupath != NULL) { 2039 au_uwrite(au_to_path(fad->fad_aupath)); 2040 } else { 2041 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2042 } 2043 2044 vp = fp->f_vnode; 2045 audit_attributes(vp); 2046 2047 /* decrement file descriptor reference count */ 2048 releasef(fd); 2049 } 2050 2051 static au_event_t 2052 aui_setpgrp(au_event_t e) 2053 { 2054 klwp_t *clwp = ttolwp(curthread); 2055 int flag; 2056 2057 struct a { 2058 long flag; 2059 long pid; 2060 long pgid; 2061 } *uap = (struct a *)clwp->lwp_ap; 2062 2063 flag = (int)uap->flag; 2064 2065 2066 switch (flag) { 2067 2068 case 1: /* setpgrp() */ 2069 e = AUE_SETPGRP; 2070 break; 2071 2072 case 3: /* setsid() */ 2073 e = AUE_SETSID; 2074 break; 2075 2076 case 5: /* setpgid() */ 2077 e = AUE_SETPGID; 2078 break; 2079 2080 case 0: /* getpgrp() - not security relevant */ 2081 case 2: /* getsid() - not security relevant */ 2082 case 4: /* getpgid() - not security relevant */ 2083 e = AUE_NULL; 2084 break; 2085 2086 default: 2087 e = AUE_NULL; 2088 break; 2089 } 2090 2091 return (e); 2092 } 2093 2094 /*ARGSUSED*/ 2095 static void 2096 aus_setpgrp(struct t_audit_data *tad) 2097 { 2098 klwp_t *clwp = ttolwp(curthread); 2099 pid_t pgid; 2100 struct proc *p; 2101 uid_t uid, ruid; 2102 gid_t gid, rgid; 2103 pid_t pid; 2104 cred_t *cr; 2105 int flag; 2106 const auditinfo_addr_t *ainfo; 2107 2108 struct a { 2109 long flag; 2110 long pid; 2111 long pgid; 2112 } *uap = (struct a *)clwp->lwp_ap; 2113 2114 flag = (int)uap->flag; 2115 pid = (pid_t)uap->pid; 2116 pgid = (pid_t)uap->pgid; 2117 2118 2119 switch (flag) { 2120 2121 case 0: /* getpgrp() */ 2122 case 1: /* setpgrp() */ 2123 case 2: /* getsid() */ 2124 case 3: /* setsid() */ 2125 case 4: /* getpgid() */ 2126 break; 2127 2128 case 5: /* setpgid() */ 2129 2130 /* current process? 
*/ 2131 if (pid == 0) { 2132 return; 2133 } 2134 2135 mutex_enter(&pidlock); 2136 p = prfind(pid); 2137 if (p == NULL || p->p_as == &kas || 2138 p->p_stat == SIDL || p->p_stat == SZOMB) { 2139 mutex_exit(&pidlock); 2140 return; 2141 } 2142 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2143 mutex_exit(&pidlock); 2144 2145 mutex_enter(&p->p_crlock); 2146 crhold(cr = p->p_cred); 2147 mutex_exit(&p->p_crlock); 2148 mutex_exit(&p->p_lock); 2149 2150 ainfo = crgetauinfo(cr); 2151 if (ainfo == NULL) { 2152 crfree(cr); 2153 return; 2154 } 2155 2156 uid = crgetuid(cr); 2157 gid = crgetgid(cr); 2158 ruid = crgetruid(cr); 2159 rgid = crgetrgid(cr); 2160 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2161 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2162 crfree(cr); 2163 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2164 break; 2165 2166 default: 2167 break; 2168 } 2169 } 2170 2171 2172 /*ARGSUSED*/ 2173 static void 2174 aus_setregid(struct t_audit_data *tad) 2175 { 2176 klwp_t *clwp = ttolwp(curthread); 2177 uint32_t rgid, egid; 2178 2179 struct a { 2180 long rgid; 2181 long egid; 2182 } *uap = (struct a *)clwp->lwp_ap; 2183 2184 rgid = (uint32_t)uap->rgid; 2185 egid = (uint32_t)uap->egid; 2186 2187 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2188 au_uwrite(au_to_arg32(2, "egid", egid)); 2189 } 2190 2191 /*ARGSUSED*/ 2192 static void 2193 aus_setgid(struct t_audit_data *tad) 2194 { 2195 klwp_t *clwp = ttolwp(curthread); 2196 uint32_t gid; 2197 2198 struct a { 2199 long gid; 2200 } *uap = (struct a *)clwp->lwp_ap; 2201 2202 gid = (uint32_t)uap->gid; 2203 2204 au_uwrite(au_to_arg32(1, "gid", gid)); 2205 } 2206 2207 2208 /*ARGSUSED*/ 2209 static void 2210 aus_setreuid(struct t_audit_data *tad) 2211 { 2212 klwp_t *clwp = ttolwp(curthread); 2213 uint32_t ruid, euid; 2214 2215 struct a { 2216 long ruid; 2217 long euid; 2218 } *uap = (struct a *)clwp->lwp_ap; 2219 2220 ruid = (uint32_t)uap->ruid; 2221 euid = (uint32_t)uap->euid; 2222 2223 au_uwrite(au_to_arg32(1, 
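"ruid", ruid));
	au_uwrite(au_to_arg32(2, "euid", euid));
}


/*
 * Record the argument of a setuid-style call.
 *
 * Reads the first system call argument from the current LWP's argument
 * array (lwp_ap), truncates it to 32 bits and emits it as argument
 * token 1 labelled "uid".  tad is unused.
 */
/*ARGSUSED*/
static void
aus_setuid(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t uid;

	struct a {
		long	uid;
	} *uap = (struct a *)clwp->lwp_ap;

	uid = (uint32_t)uap->uid;

	au_uwrite(au_to_arg32(1, "uid", uid));
}

/*
 * Record the arguments of the shared memory calls.
 *
 * The argument structure is overlaid on lwp_ap[1], i.e. the first
 * argument slot is skipped (presumably the shmsys sub-opcode; confirm
 * against the system call entry).  Which values are emitted, and under
 * which label, depends on tad->tad_event.
 *
 * NOTE(review): id and cmd are truncated to 32 bits, so the "shm adr"
 * values recorded for shmat/shmdt lose their upper half when long is
 * 64 bits wide.
 */
/*ARGSUSED*/
static void
aus_shmsys(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t id, cmd;

	struct b {
		long	id;
		long	cmd;
		long	buf;		/* struct shmid_ds * */
	} *uap1 = (struct b *)&clwp->lwp_ap[1];

	id = (uint32_t)uap1->id;
	cmd = (uint32_t)uap1->cmd;

	switch (tad->tad_event) {
	case AUE_SHMGET:			/* shmget */
		au_uwrite(au_to_arg32(1, "shm key", id));
		break;
	case AUE_SHMCTL:			/* shmctl */
	case AUE_SHMCTL_RMID:			/* shmctl */
	case AUE_SHMCTL_STAT:			/* shmctl */
	case AUE_SHMCTL_SET:			/* shmctl */
		au_uwrite(au_to_arg32(1, "shm ID", id));
		break;
	case AUE_SHMDT:				/* shmdt */
		au_uwrite(au_to_arg32(1, "shm adr", id));
		break;
	case AUE_SHMAT:				/* shmat */
		au_uwrite(au_to_arg32(1, "shm ID", id));
		au_uwrite(au_to_arg32(2, "shm adr", cmd));
		break;
	}
}

/*
 * Record the identifier returned by a successful shmget.
 *
 * Nothing is written when the call failed (error != 0) or when the
 * event is not AUE_SHMGET.  The return value is taken from rval in the
 * layout named by the sysent entry's SE_RVAL_MASK flags.
 *
 * An unrecognised layout now returns without writing a token.  The
 * previous chain of independent if statements left id unassigned in
 * that case and still passed it to au_to_ipc(), putting an
 * uninitialized stack value into the audit record.  auf_accept() in
 * this file already treats the same condition as "nothing to audit".
 */
/*ARGSUSED*/
static void
auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
{
	uint32_t scid;
	uint32_t sy_flags;
	int id;

	if (error != 0)
		return;
	if (tad->tad_event != AUE_SHMGET)
		return;

	/* need to determine type of executing binary */
	scid = tad->tad_scid;
#ifdef _SYSCALL32_IMPL
	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
	else
		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
#else
	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
#endif
	switch (sy_flags) {
	case SE_32RVAL1:
		/* FALLTHRU */
	case SE_32RVAL2|SE_32RVAL1:
		id = rval->r_val1;
		break;
	case SE_64RVAL:
		id = (int)rval->r_vals;
		break;
	default:
		/* unknown return value layout: no id to record */
		return;
	}
	au_uwrite(au_to_ipc(AT_IPC_SHM, id));
}


/*
 * Record the arguments of ioctl.
 *
 * If the descriptor does not resolve to an open file, the raw fd, cmd
 * and arg values are written and the function returns.  Otherwise the
 * path cached in the file's audit data is written (or a "no path: fd"
 * argument when there is none), followed by the vnode attributes, cmd
 * and arg.  arg is written as a 32-bit or 64-bit argument token
 * depending on _LP64.
 */
/*ARGSUSED*/
static void
aus_ioctl(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct file *fp;
	struct vnode *vp;
	struct f_audit_data *fad;
	uint32_t fd, cmd;
	uintptr_t cmarg;

	/* XX64 */
	struct a {
		long	fd;
		long	cmd;
		long	cmarg;		/* caddr_t */
	} *uap = (struct a *)clwp->lwp_ap;

	fd = (uint32_t)uap->fd;
	cmd = (uint32_t)uap->cmd;
	cmarg = (uintptr_t)uap->cmarg;

	/*
	 * convert file descriptor to file pointer
	 * Note: fd ref count incremented here.
	 */
	if ((fp = getf(fd)) == NULL) {
		au_uwrite(au_to_arg32(1, "fd", fd));
		au_uwrite(au_to_arg32(2, "cmd", cmd));
#ifndef _LP64
		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
#else
		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
#endif
		return;
	}

	/* get path from file struct here */
	fad = F2A(fp);
	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
	} else {
		au_uwrite(au_to_arg32(1, "no path: fd", fd));
	}

	vp = fp->f_vnode;
	audit_attributes(vp);

	/* decrement file descriptor reference count */
	releasef(fd);

	au_uwrite(au_to_arg32(2, "cmd", cmd));
#ifndef _LP64
	au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
#else
	au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
#endif
}

/*
 * null function for memcntl for now. We might want to limit memcntl()
 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
 * require privileges.
 *
 * Returns the event it was given, unchanged.
 */
static au_event_t
aui_memcntl(au_event_t e)
{
	return (e);
}

/*
 * Select the audit event for privsys.
 *
 * Only the PRIVSYS_SETPPRIV opcode maps to an event (AUE_SETPPRIV);
 * every other opcode yields AUE_NULL.  The incoming event e is not
 * consulted.
 */
/*ARGSUSED*/
static au_event_t
aui_privsys(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);

	struct a {
		long	opcode;
	} *uap = (struct a *)clwp->lwp_ap;

	switch (uap->opcode) {
	case PRIVSYS_SETPPRIV:
		return (AUE_SETPPRIV);
	default:
		return (AUE_NULL);
	}
}

/*
 * Record the six arguments of memcntl.
 *
 * base, len and arg are written at pointer width (64-bit tokens under
 * _LP64, 32-bit otherwise); cmd, attr and mask are always written as
 * 32-bit tokens.  tad is unused.
 */
/*ARGSUSED*/
static void
aus_memcntl(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);

	struct a {
		long	addr;
		long	len;
		long	cmd;
		long	arg;
		long	attr;
		long	mask;
	} *uap = (struct a *)clwp->lwp_ap;

#ifdef _LP64
	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
#else
	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
#endif
	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
#ifdef _LP64
	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
#else
	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
#endif
	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
}

/*
 * Record the arguments of mmap and note the access it requests.
 *
 * addr and len are always written.  If the descriptor does not resolve
 * to an open file only the fd is added.  Otherwise the cached path (or
 * a "no path: fd" argument) and the vnode attributes are written, and
 * the requested protections are folded into the file's audit flags
 * (FAD_READ / FAD_WRITE).
 */
/*ARGSUSED*/
static void
aus_mmap(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct file *fp;
	struct f_audit_data *fad;
	struct vnode *vp;
	uint32_t fd;

	struct a {
		long	addr;
		long	len;
		long	prot;
		long	flags;
		long	fd;
		long	pos;
	} *uap = (struct a *)clwp->lwp_ap;

	fd = (uint32_t)uap->fd;

#ifdef _LP64
	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
#else
	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
#endif

	if ((fp = getf(fd)) == NULL) {
		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
		return;
	}

	/*
	 * Mark in the tad if write access is NOT requested... if
	 * this is later detected (in audit_attributes) to be a
	 * public object, the mmap event may be discarded.
	 */
	if (((uap->prot) & PROT_WRITE) == 0) {
		tad->tad_ctrl |= TAD_PUBLIC_EV;
	}

	fad = F2A(fp);
	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
	} else {
		au_uwrite(au_to_arg32(1, "no path: fd", fd));
	}

	vp = (struct vnode *)fp->f_vnode;
	audit_attributes(vp);

	/* mark READ/WRITE since we can't predict access */
	if (uap->prot & PROT_READ)
		fad->fad_flags |= FAD_READ;
	if (uap->prot & PROT_WRITE)
		fad->fad_flags |= FAD_WRITE;

	/* decrement file descriptor reference count */
	releasef(fd);

}	/* AUS_MMAP */




/*
 * Record the addr and len arguments of munmap, at pointer width.
 * tad is unused.
 */
/*ARGSUSED*/
static void
aus_munmap(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);

	struct a {
		long	addr;
		long	len;
	} *uap = (struct a *)clwp->lwp_ap;

#ifdef _LP64
	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
#else
	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
#endif

}	/* AUS_MUNMAP */







/*
 * Record pc_version (argument 1) and cmd (argument 3) of priocntlsys.
 * The psp and arg arguments are not written.  tad is unused.
 */
/*ARGSUSED*/
static void
aus_priocntlsys(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);

	struct a {
		long	pc_version;
		long	psp;		/* procset_t */
		long	cmd;
		long	arg;
	} *uap = (struct a *)clwp->lwp_ap;

	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));

}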
/* AUS_PRIOCNTLSYS */ 2544 2545 2546 /*ARGSUSED*/ 2547 static void 2548 aus_setegid(struct t_audit_data *tad) 2549 { 2550 klwp_t *clwp = ttolwp(curthread); 2551 uint32_t gid; 2552 2553 struct a { 2554 long gid; 2555 } *uap = (struct a *)clwp->lwp_ap; 2556 2557 gid = (uint32_t)uap->gid; 2558 2559 au_uwrite(au_to_arg32(1, "gid", gid)); 2560 } /* AUS_SETEGID */ 2561 2562 2563 2564 2565 /*ARGSUSED*/ 2566 static void 2567 aus_setgroups(struct t_audit_data *tad) 2568 { 2569 klwp_t *clwp = ttolwp(curthread); 2570 int i; 2571 int gidsetsize; 2572 uintptr_t gidset; 2573 gid_t *gidlist; 2574 2575 struct a { 2576 long gidsetsize; 2577 long gidset; 2578 } *uap = (struct a *)clwp->lwp_ap; 2579 2580 gidsetsize = (uint_t)uap->gidsetsize; 2581 gidset = (uintptr_t)uap->gidset; 2582 2583 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2584 return; 2585 if (gidsetsize != 0) { 2586 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2587 KM_SLEEP); 2588 if (copyin((caddr_t)gidset, gidlist, 2589 gidsetsize * sizeof (gid_t)) == 0) 2590 for (i = 0; i < gidsetsize; i++) 2591 au_uwrite(au_to_arg32(1, "setgroups", 2592 (uint32_t)gidlist[i])); 2593 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2594 } else 2595 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2596 2597 } /* AUS_SETGROUPS */ 2598 2599 2600 2601 2602 2603 /*ARGSUSED*/ 2604 static void 2605 aus_seteuid(struct t_audit_data *tad) 2606 { 2607 klwp_t *clwp = ttolwp(curthread); 2608 uint32_t uid; 2609 2610 struct a { 2611 long uid; 2612 } *uap = (struct a *)clwp->lwp_ap; 2613 2614 uid = (uint32_t)uap->uid; 2615 2616 au_uwrite(au_to_arg32(1, "euid", uid)); 2617 2618 } /* AUS_SETEUID */ 2619 2620 /*ARGSUSED*/ 2621 static void 2622 aus_putmsg(struct t_audit_data *tad) 2623 { 2624 klwp_t *clwp = ttolwp(curthread); 2625 uint32_t fd, pri; 2626 struct file *fp; 2627 struct f_audit_data *fad; 2628 2629 struct a { 2630 long fdes; 2631 long ctl; /* struct strbuf * */ 2632 long data; /* struct strbuf * */ 2633 long pri; 2634 } 
*uap = (struct a *)clwp->lwp_ap; 2635 2636 fd = (uint32_t)uap->fdes; 2637 pri = (uint32_t)uap->pri; 2638 2639 au_uwrite(au_to_arg32(1, "fd", fd)); 2640 2641 if ((fp = getf(fd)) != NULL) { 2642 fad = F2A(fp); 2643 2644 fad->fad_flags |= FAD_WRITE; 2645 2646 /* add path name to audit record */ 2647 if (fad->fad_aupath != NULL) { 2648 au_uwrite(au_to_path(fad->fad_aupath)); 2649 } 2650 audit_attributes(fp->f_vnode); 2651 2652 releasef(fd); 2653 } 2654 2655 au_uwrite(au_to_arg32(4, "pri", pri)); 2656 } 2657 2658 /*ARGSUSED*/ 2659 static void 2660 aus_putpmsg(struct t_audit_data *tad) 2661 { 2662 klwp_t *clwp = ttolwp(curthread); 2663 uint32_t fd, pri, flags; 2664 struct file *fp; 2665 struct f_audit_data *fad; 2666 2667 struct a { 2668 long fdes; 2669 long ctl; /* struct strbuf * */ 2670 long data; /* struct strbuf * */ 2671 long pri; 2672 long flags; 2673 } *uap = (struct a *)clwp->lwp_ap; 2674 2675 fd = (uint32_t)uap->fdes; 2676 pri = (uint32_t)uap->pri; 2677 flags = (uint32_t)uap->flags; 2678 2679 au_uwrite(au_to_arg32(1, "fd", fd)); 2680 2681 if ((fp = getf(fd)) != NULL) { 2682 fad = F2A(fp); 2683 2684 fad->fad_flags |= FAD_WRITE; 2685 2686 /* add path name to audit record */ 2687 if (fad->fad_aupath != NULL) { 2688 au_uwrite(au_to_path(fad->fad_aupath)); 2689 } 2690 audit_attributes(fp->f_vnode); 2691 2692 releasef(fd); 2693 } 2694 2695 2696 au_uwrite(au_to_arg32(4, "pri", pri)); 2697 au_uwrite(au_to_arg32(5, "flags", flags)); 2698 } 2699 2700 /*ARGSUSED*/ 2701 static void 2702 aus_getmsg(struct t_audit_data *tad) 2703 { 2704 klwp_t *clwp = ttolwp(curthread); 2705 uint32_t fd, pri; 2706 struct file *fp; 2707 struct f_audit_data *fad; 2708 2709 struct a { 2710 long fdes; 2711 long ctl; /* struct strbuf * */ 2712 long data; /* struct strbuf * */ 2713 long pri; 2714 } *uap = (struct a *)clwp->lwp_ap; 2715 2716 fd = (uint32_t)uap->fdes; 2717 pri = (uint32_t)uap->pri; 2718 2719 au_uwrite(au_to_arg32(1, "fd", fd)); 2720 2721 if ((fp = getf(fd)) != NULL) { 2722 fad = 
F2A(fp); 2723 2724 /* 2725 * read operation on this object 2726 */ 2727 fad->fad_flags |= FAD_READ; 2728 2729 /* add path name to audit record */ 2730 if (fad->fad_aupath != NULL) { 2731 au_uwrite(au_to_path(fad->fad_aupath)); 2732 } 2733 audit_attributes(fp->f_vnode); 2734 2735 releasef(fd); 2736 } 2737 2738 au_uwrite(au_to_arg32(4, "pri", pri)); 2739 } 2740 2741 /*ARGSUSED*/ 2742 static void 2743 aus_getpmsg(struct t_audit_data *tad) 2744 { 2745 klwp_t *clwp = ttolwp(curthread); 2746 uint32_t fd; 2747 struct file *fp; 2748 struct f_audit_data *fad; 2749 2750 struct a { 2751 long fdes; 2752 long ctl; /* struct strbuf * */ 2753 long data; /* struct strbuf * */ 2754 long pri; 2755 long flags; 2756 } *uap = (struct a *)clwp->lwp_ap; 2757 2758 fd = (uint32_t)uap->fdes; 2759 2760 au_uwrite(au_to_arg32(1, "fd", fd)); 2761 2762 if ((fp = getf(fd)) != NULL) { 2763 fad = F2A(fp); 2764 2765 /* 2766 * read operation on this object 2767 */ 2768 fad->fad_flags |= FAD_READ; 2769 2770 /* add path name to audit record */ 2771 if (fad->fad_aupath != NULL) { 2772 au_uwrite(au_to_path(fad->fad_aupath)); 2773 } 2774 audit_attributes(fp->f_vnode); 2775 2776 releasef(fd); 2777 } 2778 } 2779 2780 static au_event_t 2781 aui_labelsys(au_event_t e) 2782 { 2783 klwp_t *clwp = ttolwp(curthread); 2784 uint32_t code; 2785 uint32_t cmd; 2786 2787 struct a { 2788 long code; 2789 long cmd; 2790 } *uap = (struct a *)clwp->lwp_ap; 2791 2792 code = (uint32_t)uap->code; 2793 cmd = (uint32_t)uap->cmd; 2794 2795 /* not security relevant if not changing kernel cache */ 2796 if (cmd == TNDB_GET) 2797 return (AUE_NULL); 2798 2799 switch (code) { 2800 case TSOL_TNRH: 2801 e = AUE_LABELSYS_TNRH; 2802 break; 2803 case TSOL_TNRHTP: 2804 e = AUE_LABELSYS_TNRHTP; 2805 break; 2806 case TSOL_TNMLP: 2807 e = AUE_LABELSYS_TNMLP; 2808 break; 2809 default: 2810 e = AUE_NULL; 2811 break; 2812 } 2813 2814 return (e); 2815 2816 } 2817 2818 static void 2819 aus_labelsys(struct t_audit_data *tad) 2820 { 2821 klwp_t *clwp 
= ttolwp(curthread); 2822 uint32_t cmd; 2823 uintptr_t a2; 2824 2825 struct a { 2826 long code; 2827 long cmd; 2828 long a2; 2829 } *uap = (struct a *)clwp->lwp_ap; 2830 2831 cmd = (uint32_t)uap->cmd; 2832 a2 = (uintptr_t)uap->a2; 2833 2834 switch (tad->tad_event) { 2835 case AUE_LABELSYS_TNRH: 2836 { 2837 tsol_rhent_t *rhent; 2838 tnaddr_t *rh_addr; 2839 2840 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2841 2842 /* Remaining args don't apply for FLUSH, so skip */ 2843 if (cmd == TNDB_FLUSH) 2844 break; 2845 2846 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2847 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2848 kmem_free(rhent, sizeof (tsol_rhent_t)); 2849 return; 2850 } 2851 2852 rh_addr = &rhent->rh_address; 2853 if (rh_addr->ta_family == AF_INET) { 2854 struct in_addr *ipaddr; 2855 2856 ipaddr = &(rh_addr->ta_addr_v4); 2857 au_uwrite(au_to_in_addr(ipaddr)); 2858 } else if (rh_addr->ta_family == AF_INET6) { 2859 int32_t *ipaddr; 2860 2861 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2862 au_uwrite(au_to_in_addr_ex(ipaddr)); 2863 } 2864 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2865 2866 kmem_free(rhent, sizeof (tsol_rhent_t)); 2867 2868 break; 2869 } 2870 case AUE_LABELSYS_TNRHTP: 2871 { 2872 tsol_tpent_t *tpent; 2873 2874 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2875 2876 /* Remaining args don't apply for FLUSH, so skip */ 2877 if (cmd == TNDB_FLUSH) 2878 break; 2879 2880 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2881 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2882 kmem_free(tpent, sizeof (tsol_tpent_t)); 2883 return; 2884 } 2885 2886 /* Make sure that the template name is null-terminated. 
*/ 2887 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2888 2889 au_uwrite(au_to_text(tpent->name)); 2890 kmem_free(tpent, sizeof (tsol_tpent_t)); 2891 2892 break; 2893 } 2894 case AUE_LABELSYS_TNMLP: 2895 { 2896 tsol_mlpent_t *mlpent; 2897 2898 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2899 2900 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2901 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2902 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2903 return; 2904 } 2905 2906 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2907 au_uwrite(au_to_text("shared")); 2908 } else { 2909 zone_t *zone; 2910 2911 zone = zone_find_by_id(mlpent->tsme_zoneid); 2912 if (zone != NULL) { 2913 au_uwrite(au_to_text(zone->zone_name)); 2914 zone_rele(zone); 2915 } 2916 } 2917 2918 /* Remaining args don't apply for FLUSH, so skip */ 2919 if (cmd == TNDB_FLUSH) { 2920 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2921 break; 2922 } 2923 2924 au_uwrite(au_to_arg32(2, "proto num", 2925 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2926 au_uwrite(au_to_arg32(2, "mlp_port", 2927 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2928 2929 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2930 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2931 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2932 2933 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2934 2935 break; 2936 } 2937 default: 2938 break; 2939 } 2940 } 2941 2942 2943 static au_event_t 2944 aui_auditsys(au_event_t e) 2945 { 2946 klwp_t *clwp = ttolwp(curthread); 2947 uint32_t code; 2948 2949 struct a { 2950 long code; 2951 long a1; 2952 long a2; 2953 long a3; 2954 long a4; 2955 long a5; 2956 long a6; 2957 long a7; 2958 } *uap = (struct a *)clwp->lwp_ap; 2959 2960 code = (uint32_t)uap->code; 2961 2962 switch (code) { 2963 2964 case BSM_GETAUID: 2965 e = AUE_GETAUID; 2966 break; 2967 case BSM_SETAUID: 2968 e = AUE_SETAUID; 2969 break; 2970 case BSM_GETAUDIT: 2971 e = AUE_GETAUDIT; 2972 break; 2973 case BSM_GETAUDIT_ADDR: 2974 e = AUE_GETAUDIT_ADDR; 2975 break; 2976 case 
BSM_SETAUDIT: 2977 e = AUE_SETAUDIT; 2978 break; 2979 case BSM_SETAUDIT_ADDR: 2980 e = AUE_SETAUDIT_ADDR; 2981 break; 2982 case BSM_AUDIT: 2983 e = AUE_AUDIT; 2984 break; 2985 case BSM_AUDITCTL: 2986 switch ((uint_t)uap->a1) { 2987 2988 case A_GETPOLICY: 2989 e = AUE_AUDITON_GPOLICY; 2990 break; 2991 case A_SETPOLICY: 2992 e = AUE_AUDITON_SPOLICY; 2993 break; 2994 case A_GETAMASK: 2995 e = AUE_AUDITON_GETAMASK; 2996 break; 2997 case A_SETAMASK: 2998 e = AUE_AUDITON_SETAMASK; 2999 break; 3000 case A_GETKMASK: 3001 e = AUE_AUDITON_GETKMASK; 3002 break; 3003 case A_SETKMASK: 3004 e = AUE_AUDITON_SETKMASK; 3005 break; 3006 case A_GETQCTRL: 3007 e = AUE_AUDITON_GQCTRL; 3008 break; 3009 case A_SETQCTRL: 3010 e = AUE_AUDITON_SQCTRL; 3011 break; 3012 case A_GETCWD: 3013 e = AUE_AUDITON_GETCWD; 3014 break; 3015 case A_GETCAR: 3016 e = AUE_AUDITON_GETCAR; 3017 break; 3018 case A_GETSTAT: 3019 e = AUE_AUDITON_GETSTAT; 3020 break; 3021 case A_SETSTAT: 3022 e = AUE_AUDITON_SETSTAT; 3023 break; 3024 case A_SETUMASK: 3025 e = AUE_AUDITON_SETUMASK; 3026 break; 3027 case A_SETSMASK: 3028 e = AUE_AUDITON_SETSMASK; 3029 break; 3030 case A_GETCOND: 3031 e = AUE_AUDITON_GETCOND; 3032 break; 3033 case A_SETCOND: 3034 e = AUE_AUDITON_SETCOND; 3035 break; 3036 case A_GETCLASS: 3037 e = AUE_AUDITON_GETCLASS; 3038 break; 3039 case A_SETCLASS: 3040 e = AUE_AUDITON_SETCLASS; 3041 break; 3042 case A_GETPINFO: 3043 case A_GETPINFO_ADDR: 3044 e = AUE_AUDITON_GETPINFO; 3045 break; 3046 case A_SETPMASK: 3047 e = AUE_AUDITON_SETPMASK; 3048 break; 3049 case A_GETKAUDIT: 3050 e = AUE_AUDITON_GETKAUDIT; 3051 break; 3052 case A_SETKAUDIT: 3053 e = AUE_AUDITON_SETKAUDIT; 3054 break; 3055 default: 3056 e = AUE_AUDITON_OTHER; 3057 break; 3058 } 3059 break; 3060 default: 3061 e = AUE_NULL; 3062 break; 3063 } 3064 3065 return (e); 3066 3067 } /* AUI_AUDITSYS */ 3068 3069 3070 static void 3071 aus_auditsys(struct t_audit_data *tad) 3072 { 3073 klwp_t *clwp = ttolwp(curthread); 3074 uintptr_t a1, a2; 3075 
STRUCT_DECL(auditinfo, ainfo); 3076 STRUCT_DECL(auditinfo_addr, ainfo_addr); 3077 STRUCT_DECL(auditpinfo, apinfo); 3078 au_evclass_map_t event; 3079 au_mask_t mask; 3080 int auditstate, policy; 3081 au_id_t auid; 3082 3083 3084 struct a { 3085 long code; 3086 long a1; 3087 long a2; 3088 long a3; 3089 long a4; 3090 long a5; 3091 long a6; 3092 long a7; 3093 } *uap = (struct a *)clwp->lwp_ap; 3094 3095 a1 = (uintptr_t)uap->a1; 3096 a2 = (uintptr_t)uap->a2; 3097 3098 switch (tad->tad_event) { 3099 case AUE_SETAUID: 3100 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 3101 return; 3102 au_uwrite(au_to_arg32(2, "setauid", auid)); 3103 break; 3104 case AUE_SETAUDIT: 3105 STRUCT_INIT(ainfo, get_udatamodel()); 3106 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 3107 STRUCT_SIZE(ainfo))) { 3108 return; 3109 } 3110 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 3111 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 3112 #ifdef _LP64 3113 au_uwrite(au_to_arg64((char)1, "setaudit:port", 3114 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 3115 #else 3116 au_uwrite(au_to_arg32((char)1, "setaudit:port", 3117 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 3118 #endif 3119 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 3120 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 3121 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 3122 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3123 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 3124 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3125 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 3126 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 3127 break; 3128 case AUE_SETAUDIT_ADDR: 3129 STRUCT_INIT(ainfo_addr, get_udatamodel()); 3130 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 3131 STRUCT_SIZE(ainfo_addr))) { 3132 return; 3133 } 3134 au_uwrite(au_to_arg32((char)1, "auid", 3135 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 3136 #ifdef _LP64 3137 au_uwrite(au_to_arg64((char)1, "port", 3138 (uint64_t)STRUCT_FGET(ainfo_addr, 
ai_termid.at_port))); 3139 #else 3140 au_uwrite(au_to_arg32((char)1, "port", 3141 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3142 #endif 3143 au_uwrite(au_to_arg32((char)1, "type", 3144 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 3145 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 3146 AU_IPv4) { 3147 au_uwrite(au_to_in_addr( 3148 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 3149 ai_termid.at_addr))); 3150 } else { 3151 au_uwrite(au_to_in_addr_ex( 3152 (int32_t *)STRUCT_FGETP(ainfo_addr, 3153 ai_termid.at_addr))); 3154 } 3155 au_uwrite(au_to_arg32((char)1, "as_success", 3156 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3157 au_uwrite(au_to_arg32((char)1, "as_failure", 3158 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3159 au_uwrite(au_to_arg32((char)1, "asid", 3160 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3161 break; 3162 case AUE_AUDITON_SETAMASK: 3163 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3164 return; 3165 au_uwrite(au_to_arg32( 3166 2, "setamask:as_success", (uint32_t)mask.as_success)); 3167 au_uwrite(au_to_arg32( 3168 2, "setamask:as_failure", (uint32_t)mask.as_failure)); 3169 break; 3170 case AUE_AUDITON_SETKMASK: 3171 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3172 return; 3173 au_uwrite(au_to_arg32( 3174 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3175 au_uwrite(au_to_arg32( 3176 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3177 break; 3178 case AUE_AUDITON_SPOLICY: 3179 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3180 return; 3181 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3182 break; 3183 case AUE_AUDITON_SQCTRL: { 3184 STRUCT_DECL(au_qctrl, qctrl); 3185 model_t model; 3186 3187 model = get_udatamodel(); 3188 STRUCT_INIT(qctrl, model); 3189 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3190 return; 3191 if (model == DATAMODEL_ILP32) { 3192 au_uwrite(au_to_arg32( 3193 3, "setqctrl:aq_hiwater", 3194 
(uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3195 au_uwrite(au_to_arg32( 3196 3, "setqctrl:aq_lowater", 3197 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3198 au_uwrite(au_to_arg32( 3199 3, "setqctrl:aq_bufsz", 3200 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3201 au_uwrite(au_to_arg32( 3202 3, "setqctrl:aq_delay", 3203 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3204 } else { 3205 au_uwrite(au_to_arg64( 3206 3, "setqctrl:aq_hiwater", 3207 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3208 au_uwrite(au_to_arg64( 3209 3, "setqctrl:aq_lowater", 3210 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3211 au_uwrite(au_to_arg64( 3212 3, "setqctrl:aq_bufsz", 3213 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3214 au_uwrite(au_to_arg64( 3215 3, "setqctrl:aq_delay", 3216 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3217 } 3218 break; 3219 } 3220 case AUE_AUDITON_SETUMASK: 3221 STRUCT_INIT(ainfo, get_udatamodel()); 3222 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3223 STRUCT_SIZE(ainfo))) { 3224 return; 3225 } 3226 au_uwrite(au_to_arg32(3, "setumask:as_success", 3227 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3228 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3229 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3230 break; 3231 case AUE_AUDITON_SETSMASK: 3232 STRUCT_INIT(ainfo, get_udatamodel()); 3233 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3234 STRUCT_SIZE(ainfo))) { 3235 return; 3236 } 3237 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3238 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3239 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3240 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3241 break; 3242 case AUE_AUDITON_SETCOND: 3243 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3244 return; 3245 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3246 break; 3247 case AUE_AUDITON_SETCLASS: 3248 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3249 return; 3250 au_uwrite(au_to_arg32( 3251 2, "setclass:ec_event", 
(uint32_t)event.ec_number)); 3252 au_uwrite(au_to_arg32( 3253 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3254 break; 3255 case AUE_AUDITON_SETPMASK: 3256 STRUCT_INIT(apinfo, get_udatamodel()); 3257 if (copyin((caddr_t)uap->a2, STRUCT_BUF(apinfo), 3258 STRUCT_SIZE(apinfo))) { 3259 return; 3260 } 3261 au_uwrite(au_to_arg32(3, "setpmask:pid", 3262 (uint32_t)STRUCT_FGET(apinfo, ap_pid))); 3263 au_uwrite(au_to_arg32(3, "setpmask:as_success", 3264 (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_success))); 3265 au_uwrite(au_to_arg32(3, "setpmask:as_failure", 3266 (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_failure))); 3267 break; 3268 case AUE_AUDITON_SETKAUDIT: 3269 STRUCT_INIT(ainfo_addr, get_udatamodel()); 3270 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 3271 STRUCT_SIZE(ainfo_addr))) { 3272 return; 3273 } 3274 au_uwrite(au_to_arg32((char)1, "auid", 3275 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 3276 #ifdef _LP64 3277 au_uwrite(au_to_arg64((char)1, "port", 3278 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3279 #else 3280 au_uwrite(au_to_arg32((char)1, "port", 3281 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3282 #endif 3283 au_uwrite(au_to_arg32((char)1, "type", 3284 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 3285 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 3286 AU_IPv4) { 3287 au_uwrite(au_to_in_addr( 3288 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 3289 ai_termid.at_addr))); 3290 } else { 3291 au_uwrite(au_to_in_addr_ex( 3292 (int32_t *)STRUCT_FGETP(ainfo_addr, 3293 ai_termid.at_addr))); 3294 } 3295 au_uwrite(au_to_arg32((char)1, "as_success", 3296 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3297 au_uwrite(au_to_arg32((char)1, "as_failure", 3298 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3299 au_uwrite(au_to_arg32((char)1, "asid", 3300 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3301 break; 3302 case AUE_GETAUID: 3303 case AUE_GETAUDIT: 3304 case AUE_GETAUDIT_ADDR: 3305 case 
AUE_AUDIT: 3306 case AUE_AUDITON_GPOLICY: 3307 case AUE_AUDITON_GQCTRL: 3308 case AUE_AUDITON_GETAMASK: 3309 case AUE_AUDITON_GETKMASK: 3310 case AUE_AUDITON_GETCWD: 3311 case AUE_AUDITON_GETCAR: 3312 case AUE_AUDITON_GETSTAT: 3313 case AUE_AUDITON_SETSTAT: 3314 case AUE_AUDITON_GETCOND: 3315 case AUE_AUDITON_GETCLASS: 3316 case AUE_AUDITON_GETPINFO: 3317 case AUE_AUDITON_GETKAUDIT: 3318 case AUE_AUDITON_OTHER: 3319 break; 3320 default: 3321 break; 3322 } 3323 3324 } /* AUS_AUDITSYS */ 3325 3326 3327 /* only audit privileged operations for systeminfo(2) system call */ 3328 static au_event_t 3329 aui_sysinfo(au_event_t e) 3330 { 3331 klwp_t *clwp = ttolwp(curthread); 3332 uint32_t command; 3333 3334 struct a { 3335 long command; 3336 long buf; /* char * */ 3337 long count; 3338 } *uap = (struct a *)clwp->lwp_ap; 3339 3340 command = (uint32_t)uap->command; 3341 3342 switch (command) { 3343 case SI_SET_HOSTNAME: 3344 case SI_SET_SRPC_DOMAIN: 3345 e = (au_event_t)AUE_SYSINFO; 3346 break; 3347 default: 3348 e = (au_event_t)AUE_NULL; 3349 break; 3350 } 3351 return (e); 3352 } 3353 3354 /*ARGSUSED*/ 3355 static void 3356 aus_sysinfo(struct t_audit_data *tad) 3357 { 3358 klwp_t *clwp = ttolwp(curthread); 3359 uint32_t command; 3360 size_t len, maxlen; 3361 char *name; 3362 uintptr_t buf; 3363 3364 struct a { 3365 long command; 3366 long buf; /* char * */ 3367 long count; 3368 } *uap = (struct a *)clwp->lwp_ap; 3369 3370 command = (uint32_t)uap->command; 3371 buf = (uintptr_t)uap->buf; 3372 3373 au_uwrite(au_to_arg32(1, "cmd", command)); 3374 3375 switch (command) { 3376 case SI_SET_HOSTNAME: 3377 { 3378 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3379 return; 3380 3381 maxlen = SYS_NMLN; 3382 name = kmem_alloc(maxlen, KM_SLEEP); 3383 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3384 break; 3385 3386 /* 3387 * Must be non-NULL string and string 3388 * must be less than SYS_NMLN chars. 
3389 */ 3390 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3391 break; 3392 3393 au_uwrite(au_to_text(name)); 3394 break; 3395 } 3396 3397 case SI_SET_SRPC_DOMAIN: 3398 { 3399 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3400 return; 3401 3402 maxlen = SYS_NMLN; 3403 name = kmem_alloc(maxlen, KM_SLEEP); 3404 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3405 break; 3406 3407 /* 3408 * If string passed in is longer than length 3409 * allowed for domain name, fail. 3410 */ 3411 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3412 break; 3413 3414 au_uwrite(au_to_text(name)); 3415 break; 3416 } 3417 3418 default: 3419 return; 3420 } 3421 3422 kmem_free(name, maxlen); 3423 } 3424 3425 static au_event_t 3426 aui_modctl(au_event_t e) 3427 { 3428 klwp_t *clwp = ttolwp(curthread); 3429 uint_t cmd; 3430 3431 struct a { 3432 long cmd; 3433 } *uap = (struct a *)clwp->lwp_ap; 3434 3435 cmd = (uint_t)uap->cmd; 3436 3437 switch (cmd) { 3438 case MODLOAD: 3439 e = AUE_MODLOAD; 3440 break; 3441 case MODUNLOAD: 3442 e = AUE_MODUNLOAD; 3443 break; 3444 case MODADDMAJBIND: 3445 e = AUE_MODADDMAJ; 3446 break; 3447 case MODSETDEVPOLICY: 3448 e = AUE_MODDEVPLCY; 3449 break; 3450 case MODALLOCPRIV: 3451 e = AUE_MODADDPRIV; 3452 break; 3453 default: 3454 e = AUE_NULL; 3455 break; 3456 } 3457 return (e); 3458 } 3459 3460 3461 /*ARGSUSED*/ 3462 static void 3463 aus_modctl(struct t_audit_data *tad) 3464 { 3465 klwp_t *clwp = ttolwp(curthread); 3466 void *a = clwp->lwp_ap; 3467 uint_t use_path; 3468 3469 switch (tad->tad_event) { 3470 case AUE_MODLOAD: { 3471 typedef struct { 3472 long cmd; 3473 long use_path; 3474 long filename; /* char * */ 3475 } modloada_t; 3476 3477 char *filenamep; 3478 uintptr_t fname; 3479 extern char *default_path; 3480 3481 fname = (uintptr_t)((modloada_t *)a)->filename; 3482 use_path = (uint_t)((modloada_t *)a)->use_path; 3483 3484 /* space to hold path */ 3485 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3486 /* get string */ 3487 if 
(copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3488 /* free allocated path */ 3489 kmem_free(filenamep, MOD_MAXPATH); 3490 return; 3491 } 3492 /* ensure it's null terminated */ 3493 filenamep[MOD_MAXPATH - 1] = 0; 3494 3495 if (use_path) 3496 au_uwrite(au_to_text(default_path)); 3497 au_uwrite(au_to_text(filenamep)); 3498 3499 /* release temporary memory */ 3500 kmem_free(filenamep, MOD_MAXPATH); 3501 break; 3502 } 3503 case AUE_MODUNLOAD: { 3504 typedef struct { 3505 long cmd; 3506 long id; 3507 } modunloada_t; 3508 3509 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3510 3511 au_uwrite(au_to_arg32(1, "id", id)); 3512 break; 3513 } 3514 case AUE_MODADDMAJ: { 3515 STRUCT_DECL(modconfig, mc); 3516 typedef struct { 3517 long cmd; 3518 long subcmd; 3519 long data; /* int * */ 3520 } modconfiga_t; 3521 3522 STRUCT_DECL(aliases, alias); 3523 caddr_t ap; 3524 int i, num_aliases; 3525 char *drvname, *mc_drvname; 3526 char *name; 3527 extern char *ddi_major_to_name(major_t); 3528 model_t model; 3529 3530 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3531 3532 model = get_udatamodel(); 3533 STRUCT_INIT(mc, model); 3534 /* sanitize buffer */ 3535 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3536 /* get user arguments */ 3537 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3538 STRUCT_SIZE(mc)) != 0) 3539 return; 3540 3541 mc_drvname = STRUCT_FGET(mc, drvname); 3542 if ((drvname = ddi_major_to_name( 3543 (major_t)STRUCT_FGET(mc, major))) != NULL && 3544 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3545 /* safety */ 3546 if (mc_drvname[0] != '\0') { 3547 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3548 au_uwrite(au_to_text(mc_drvname)); 3549 } 3550 /* drvname != NULL from test above */ 3551 au_uwrite(au_to_text(drvname)); 3552 return; 3553 } 3554 3555 if (mc_drvname[0] != '\0') { 3556 /* safety */ 3557 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3558 au_uwrite(au_to_text(mc_drvname)); 3559 } else 3560 au_uwrite(au_to_text("no drvname")); 3561 3562 
num_aliases = STRUCT_FGET(mc, num_aliases); 3563 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3564 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3565 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3566 STRUCT_INIT(alias, model); 3567 for (i = 0; i < num_aliases; i++) { 3568 bzero((caddr_t)STRUCT_BUF(alias), 3569 STRUCT_SIZE(alias)); 3570 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3571 STRUCT_SIZE(alias)) != 0) 3572 break; 3573 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3574 MAXMODCONFNAME, NULL) != 0) { 3575 break; 3576 } 3577 3578 au_uwrite(au_to_text(name)); 3579 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3580 } 3581 kmem_free(name, MAXMODCONFNAME); 3582 break; 3583 } 3584 default: 3585 break; 3586 } 3587 } 3588 3589 3590 /*ARGSUSED*/ 3591 static void 3592 auf_accept( 3593 struct t_audit_data *tad, 3594 int error, 3595 rval_t *rval) 3596 { 3597 uint32_t scid; 3598 uint32_t sy_flags; 3599 int fd; 3600 struct sonode *so; 3601 char so_laddr[sizeof (struct sockaddr_in6)]; 3602 char so_faddr[sizeof (struct sockaddr_in6)]; 3603 int err; 3604 short so_family, so_type; 3605 int add_sock_token = 0; 3606 3607 /* need to determine type of executing binary */ 3608 scid = tad->tad_scid; 3609 #ifdef _SYSCALL32_IMPL 3610 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3611 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3612 else 3613 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3614 #else 3615 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3616 #endif 3617 switch (sy_flags) { 3618 case SE_32RVAL1: 3619 /* FALLTHRU */ 3620 case SE_32RVAL2|SE_32RVAL1: 3621 fd = rval->r_val1; 3622 break; 3623 case SE_64RVAL: 3624 fd = (int)rval->r_vals; 3625 break; 3626 default: 3627 /* 3628 * should never happen, seems to be an internal error 3629 * in sysent => no fd, nothing to audit here, returning 3630 */ 3631 return; 3632 } 3633 3634 if (error) { 3635 /* can't trust socket contents. 
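Just return */
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		return;
	}

	if ((so = getsonode(fd, &err, NULL)) == NULL) {
		/*
		 * not security relevant if doing a accept from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:
		/*
		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
		 */
		if (so->so_type == SOCK_STREAM) {
			socklen_t len;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			add_sock_token = 1;
		}
		break;

	default:
		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
		break;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
		return;
	}

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*
 * Record the socket involved in a bind.
 *
 * On failure (error != 0) only the descriptor is written.  On success
 * the descriptor is resolved with getsonode(); a descriptor that is not
 * a socket adds nothing.  For AF_INET and AF_INET6 sockets a socket
 * token carrying the local and peer addresses is written; for every
 * other family the family and type are written as plain arguments.
 *
 * Both address buffers are zeroed and the local address is fetched
 * before the token is built.  Previously so_laddr was handed to
 * au_to_socket_ex() without ever being written, so whatever the kernel
 * stack held at that point ended up in the audit trail in place of the
 * bound address.
 *
 * tad and rvp are unused.
 */
/*ARGSUSED*/
static void
auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
{
	struct a {
		long	fd;
		long	addr;
		long	len;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode *so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	int err, fd;
	socklen_t len;
	short so_family, so_type;
	int add_sock_token = 0;

	fd = (int)uap->fd;

	/*
	 * bind failed, then nothing extra to add to audit record.
	 */
	if (error) {
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		/* XXX may want to add failed address some day */
		return;
	}

	if ((so = getsonode(fd, &err, NULL)) == NULL) {
		/*
		 * not security relevant if doing a bind from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:

		/*
		 * Both buffers are passed to au_to_socket_ex() below, so
		 * neither may be left holding stale stack contents.
		 */
		bzero(so_laddr, sizeof (so_laddr));
		bzero(so_faddr, sizeof (so_faddr));

		/* the local address is what bind just assigned */
		len = sizeof (so_laddr);
		(void) socket_getsockname(so,
		    (struct sockaddr *)so_laddr, &len, CRED());

		len = sizeof (so_faddr);
		(void) socket_getpeername(so,
		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
		add_sock_token = 1;

		break;

	case AF_UNIX:
		/* token added by lookup */
		break;
	default:
		/*
		 * AF_ROUTE, AF_KEY do not support accept
		 * NOTE(review): wording matches auf_accept(); presumably
		 * "bind" was meant here -- confirm.
		 */
		break;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
		return;
	}

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*
 * Record the socket involved in a connect.  Unlike auf_bind(), the
 * socket is looked up before the error value is examined.
 */
/*ARGSUSED*/
static void
auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
{
	struct a {
		long	fd;
		long	addr;
		long	len;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode *so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	int err, fd;
	socklen_t len;
	short so_family, so_type;
	int add_sock_token = 0;

	fd = (int)uap->fd;


	if ((so = getsonode(fd, &err, NULL)) == NULL) {
		/*
		 * not security relevant if doing a connect from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.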
3796 */ 3797 return; 3798 } 3799 3800 so_family = so->so_family; 3801 so_type = so->so_type; 3802 3803 switch (so_family) { 3804 case AF_INET: 3805 case AF_INET6: 3806 3807 bzero(so_laddr, sizeof (so_laddr)); 3808 bzero(so_faddr, sizeof (so_faddr)); 3809 3810 len = sizeof (so_laddr); 3811 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3812 &len, CRED()); 3813 if (error) { 3814 if (uap->addr == 0) 3815 break; 3816 if (uap->len <= 0) 3817 break; 3818 len = min(uap->len, sizeof (so_faddr)); 3819 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3820 break; 3821 #ifdef NOTYET 3822 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3823 #endif 3824 } else { 3825 /* sanity check on length */ 3826 len = sizeof (so_faddr); 3827 (void) socket_getpeername(so, 3828 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3829 } 3830 3831 add_sock_token = 1; 3832 3833 break; 3834 3835 case AF_UNIX: 3836 /* does a lookup on name */ 3837 break; 3838 3839 default: 3840 /* AF_ROUTE, AF_KEY do not support accept */ 3841 break; 3842 } 3843 3844 releasef(fd); 3845 3846 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3847 3848 if (add_sock_token == 0) { 3849 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3850 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3851 return; 3852 } 3853 3854 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3855 3856 } 3857 3858 /*ARGSUSED*/ 3859 static void 3860 aus_shutdown(struct t_audit_data *tad) 3861 { 3862 struct a { 3863 long fd; 3864 long how; 3865 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3866 3867 struct sonode *so; 3868 char so_laddr[sizeof (struct sockaddr_in6)]; 3869 char so_faddr[sizeof (struct sockaddr_in6)]; 3870 int err, fd; 3871 socklen_t len; 3872 short so_family, so_type; 3873 int add_sock_token = 0; 3874 file_t *fp; /* unix domain sockets */ 3875 struct f_audit_data *fad; /* unix domain sockets */ 3876 3877 fd = (int)uap->fd; 3878 3879 if ((so = getsonode(fd, &err, &fp)) == 
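NULL) {
		/*
		 * not security relevant if doing a shutdown using non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:

		bzero(so_laddr, sizeof (so_laddr));
		bzero(so_faddr, sizeof (so_faddr));

		len = sizeof (so_laddr);
		(void) socket_getsockname(so,
		    (struct sockaddr *)so_laddr, &len, CRED());
		len = sizeof (so_faddr);
		(void) socket_getpeername(so,
		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

		add_sock_token = 1;

		break;

	case AF_UNIX:

		/* get path from file struct here */
		fad = F2A(fp);
		ASSERT(fad);

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		break;

	default:
		/*
		 * AF_KEY and AF_ROUTE support shutdown. No socket token
		 * added.
		 */
		break;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
		return;
	}

	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*
 * Write the audit tokens for setsockopt, given the call's error status.
 *
 * On error only the descriptor and level argument tokens are written.  On
 * success the record carries the descriptor, level and optname tokens, up
 * to AU_BUFSIZE bytes of the option value copied in from user space, and
 * the same per-family socket/path tokens as aus_shutdown().
 *
 * NOTE(review): the option value is recorded as raw bytes, so an option
 * that carries sensitive material would place it in the audit trail -
 * confirm that is intended for every option that can reach this path.
 */
/*ARGSUSED*/
static void
auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
{
	struct a {
		long	fd;
		long	level;
		long	optname;
		long	*optval;
		long	optlen;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode	*so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	char		val[AU_BUFSIZE];
	int		err, fd;
	socklen_t	len;
	short so_family, so_type;
	int		add_sock_token = 0;
	file_t *fp;				/* unix domain sockets */
	struct f_audit_data *fad;		/* unix domain sockets */

	fd = (int)uap->fd;

	if (error) {
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
		/* XXX may want to include other arguments */
		return;
	}

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/*
		 * not security relevant if doing a setsockopt from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:
		bzero((void *)so_laddr, sizeof (so_laddr));
		bzero((void *)so_faddr, sizeof (so_faddr));

		/* get local and foreign addresses */
		len = sizeof (so_laddr);
		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
		    &len, CRED());
		len = sizeof (so_faddr);
		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
		    &len, B_FALSE, CRED());

		add_sock_token = 1;

		break;

	case AF_UNIX:

		/* get path from file struct here */
		fad = F2A(fp);
		ASSERT(fad);

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		break;

	default:
		/*
		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
		 * added.
		 */
		break;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
	}
	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));

	bzero(val, sizeof (val));
	/*
	 * uap->optlen is a caller-supplied long.  Reject non-positive values
	 * and bound the rest against the buffer while it is still a long, so
	 * the copy length never depends on how a helper narrows or
	 * sign-converts its arguments.
	 */
	if (uap->optlen > 0) {
		if (uap->optlen > (long)sizeof (val))
			len = sizeof (val);
		else
			len = (socklen_t)uap->optlen;

		if (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0) {
			au_uwrite(au_to_arg32(5, "optlen",
			    (uint32_t)(uap->optlen)));
			au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
		}
	}

	if (add_sock_token == 0)
		return;

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*
 * Write the audit tokens for sockconfig: the command, then for the
 * add/remove socket commands the domain, type, protocol and device path,
 * and for the add/remove filter commands the filter name.  Strings are
 * copied in from user space into a temporary kernel buffer; if the copy
 * fails the routine returns with only the tokens written so far.
 */
/*ARGSUSED*/
static void
aus_sockconfig(struct t_audit_data *tad)
{
	struct a {
		long	cmd;
		long	arg1;
		long	arg2;
		long	arg3;
		long	arg4;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	char	*buf;
	int	buflen;
	size_t	size;

	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
	switch (uap->cmd) {
	case SOCKCONFIG_ADD_SOCK:
	case SOCKCONFIG_REMOVE_SOCK:
		au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
		au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
		au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));

		if (uap->arg4 == 0) {
			au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
		} else {
			buflen = MAXPATHLEN + 1;
			buf = kmem_alloc(buflen, KM_SLEEP);
			if (copyinstr((caddr_t)uap->arg4, buf, buflen,
			    &size)) {
				kmem_free(buf, buflen);
				return;
			}

			if (size > MAXPATHLEN) {
				kmem_free(buf, buflen);
				return;
			}

			au_uwrite(au_to_text(buf));
			kmem_free(buf, buflen);
		}
		break;
	case SOCKCONFIG_ADD_FILTER:
	case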
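SOCKCONFIG_REMOVE_FILTER:
		buflen = FILNAME_MAX;
		buf = kmem_alloc(buflen, KM_SLEEP);

		if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
			kmem_free(buf, buflen);
			return;
		}

		au_uwrite(au_to_text(buf));
		kmem_free(buf, buflen);
		break;
	default:
		break;
	}
}

/*
 * only audit recvmsg when the system call represents the creation of a new
 * circuit. This effectively occurs for all UDP packets and may occur for
 * special TCP situations where the local host has not set a local address
 * in the socket structure.
 *
 * For datagram and raw INET/INET6 sockets the peer address is read back
 * from the caller's msghdr in user memory.  That memory belongs to the
 * caller, so the recorded peer is whatever the buffer holds when this
 * routine runs.  For stream and AF_UNIX sockets the FAD_READ flag on the
 * file limits the record to the first receive; later calls discard the
 * record.
 */
/*ARGSUSED*/
static void
auf_recvmsg(
	struct t_audit_data *tad,
	int error,
	rval_t *rvp)
{
	struct a {
		long	fd;
		long	msg;	/* struct msghdr */
		long	flags;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode	*so;
	STRUCT_DECL(msghdr, msg);
	caddr_t msg_name;
	socklen_t msg_namelen;
	int fd;
	int err;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	socklen_t len;
	file_t *fp;				/* unix domain sockets */
	struct f_audit_data *fad;		/* unix domain sockets */
	short so_family, so_type;
	int add_sock_token = 0;
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	fd = (int)uap->fd;

	/* bail if an error */
	if (error) {
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/*
		 * not security relevant if doing a recvmsg from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type = so->so_type;

	/*
	 * only putout SOCKET_EX token if INET/INET6 family.
	 * XXX - what do we do about other families?
	 */

	switch (so_family) {
	case AF_INET:
	case AF_INET6:

		/*
		 * if datagram type socket, then just use what is in
		 * socket structure for local address.
		 * XXX - what do we do for other types?
		 */
		if ((so->so_type == SOCK_DGRAM) ||
		    (so->so_type == SOCK_RAW)) {
			add_sock_token = 1;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local address */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());

			/* get peer address */
			STRUCT_INIT(msg, get_udatamodel());

			if (copyin((caddr_t)(uap->msg),
			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
				break;
			}
			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
			if (msg_name == NULL) {
				break;
			}

			/* length is value from recvmsg - sanity check */
			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
			if (msg_namelen == 0) {
				break;
			}

			/*
			 * Copy only the name length the msghdr reports,
			 * bounded by the buffer, as auf_recvfrom() does.
			 * Copying a fixed sizeof (so_faddr) would read past
			 * a shorter address in the caller's buffer.
			 */
			if (msg_namelen > sizeof (so_faddr))
				msg_namelen = sizeof (so_faddr);

			if (copyin(msg_name, so_faddr, msg_namelen) != 0) {
				break;
			}

		} else if (so->so_type == SOCK_STREAM) {

			/* get path from file struct here */
			fad = F2A(fp);
			ASSERT(fad);

			/*
			 * already processed this file for read attempt
			 */
			if (fad->fad_flags & FAD_READ) {
				/* don't want to audit every recvmsg attempt */
				tad->tad_flag = 0;
				/* free any residual audit data */
				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
				releasef(fd);
				return;
			}
			/*
			 * mark things so we know what happened and don't
			 * repeat things
			 */
			fad->fad_flags |= FAD_READ;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local and foreign addresses */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			add_sock_token = 1;
		}

		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */

		break;

	case AF_UNIX:
		/*
		 * first check if this is first time through. Too much
		 * duplicate code to put this in an aui_ routine.
		 */

		/* get path from file struct here */
		fad = F2A(fp);
		ASSERT(fad);

		/*
		 * already processed this file for read attempt
		 */
		if (fad->fad_flags & FAD_READ) {
			releasef(fd);
			/* don't want to audit every recvmsg attempt */
			tad->tad_flag = 0;
			/* free any residual audit data */
			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
			return;
		}
		/*
		 * mark things so we know what happened and don't
		 * repeat things
		 */
		fad->fad_flags |= FAD_READ;

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		releasef(fd);

		return;

	default:
		break;

	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*
 * Write the audit tokens for recvfrom, given the call's error status.
 *
 * Same record layout as auf_recvmsg().  For datagram and raw INET/INET6
 * sockets the peer address and its length are read back from the caller's
 * "from"/"fromlen" arguments in user memory, with the length bounded by
 * the local buffer.
 */
/*ARGSUSED*/
static void
auf_recvfrom(
	struct t_audit_data *tad,
	int error,
	rval_t *rvp)
{

	struct a {
		long	fd;
		long	msg;	/* char */
		long	len;
		long	flags;
		long	from;	/* struct sockaddr */
		long	fromlen;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	socklen_t	fromlen;
	struct sonode	*so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	int		fd;
	short so_family, so_type;
	int add_sock_token = 0;
	socklen_t len;
	int err;
	struct file *fp;
	struct f_audit_data *fad;		/* unix domain sockets */
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	fd = (int)uap->fd;

	/* bail if an error */
	if (error) {
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/*
		 * not security relevant if doing a recvfrom from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type = so->so_type;

	/*
	 * only putout SOCKET_EX token if INET/INET6 family.
	 * XXX - what do we do about other families?
	 */

	switch (so_family) {
	case AF_INET:
	case AF_INET6:

		/*
		 * if datagram type socket, then just use what is in
		 * socket structure for local address.
		 * XXX - what do we do for other types?
		 */
		if ((so->so_type == SOCK_DGRAM) ||
		    (so->so_type == SOCK_RAW)) {
			add_sock_token = 1;

			/*
			 * Zero both buffers up front.  The socket token is
			 * written even when a lookup or copy below fails, and
			 * the getsockname result is ignored, so an untouched
			 * so_laddr would put kernel stack contents into the
			 * audit record.
			 */
			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local address */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());

			/* get peer address */

			/* sanity check */
			if (uap->from == 0)
				break;

			/* sanity checks */
			if (uap->fromlen == 0)
				break;

			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
			    sizeof (fromlen)) != 0)
				break;

			if (fromlen == 0)
				break;

			/* enforce maximum size */
			if (fromlen > sizeof (so_faddr))
				fromlen = sizeof (so_faddr);

			if (copyin((caddr_t)(uap->from), so_faddr,
			    fromlen) != 0)
				break;

		} else if (so->so_type == SOCK_STREAM) {

			/* get path from file struct here */
			fad = F2A(fp);
			ASSERT(fad);

			/*
			 * already processed this file for read attempt
			 */
			if (fad->fad_flags & FAD_READ) {
				/* don't want to audit every recvfrom attempt */
				tad->tad_flag = 0;
				/* free any residual audit data */
				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
				releasef(fd);
				return;
			}
			/*
			 * mark things so we know what happened and don't
			 * repeat things
			 */
			fad->fad_flags |= FAD_READ;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local and foreign addresses */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			add_sock_token = 1;
		}

		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */

		break;

	case AF_UNIX:
		/*
		 * first check if this is first time through. Too much
		 * duplicate code to put this in an aui_ routine.
		 */

		/* get path from file struct here */
		fad = F2A(fp);
		ASSERT(fad);

		/*
		 * already processed this file for read attempt
		 */
		if (fad->fad_flags & FAD_READ) {
			/* don't want to audit every recvfrom attempt */
			tad->tad_flag = 0;
			/* free any residual audit data */
			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
			releasef(fd);
			return;
		}
		/*
		 * mark things so we know what happened and don't
		 * repeat things
		 */
		fad->fad_flags |= FAD_READ;

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		releasef(fd);

		return;

	default:
		break;

	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
}

/*
 * Write the audit tokens for sendmsg, given the call's error status.
 *
 * Mirrors auf_recvmsg() for the write direction: datagram and raw
 * INET/INET6 sockets take the destination address from the caller's
 * msghdr, and stream and AF_UNIX sockets are recorded once per file
 * using the FAD_WRITE flag.
 */
/*ARGSUSED*/
static void
auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
{
	struct a {
		long	fd;
		long	msg;	/* struct msghdr */
		long	flags;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode	*so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	int		err;
	int		fd;
	short so_family, so_type;
	int		add_sock_token = 0;
	socklen_t	len;
	struct file	*fp;
	struct f_audit_data *fad;
	caddr_t		msg_name;
	socklen_t	msg_namelen;
	STRUCT_DECL(msghdr, msg);
	au_kcontext_t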
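*kctx = GET_KCTX_PZ;

	fd = (int)uap->fd;

	/* bail if an error */
	if (error) {
		/* XXX include destination address from system call arguments */
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/*
		 * not security relevant if doing a sendmsg from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:
		/*
		 * if datagram type socket, then just use what is in
		 * socket structure for local address.
		 * XXX - what do we do for other types?
		 */
		if ((so->so_type == SOCK_DGRAM) ||
		    (so->so_type == SOCK_RAW)) {

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local address */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());

			/* get peer address */
			STRUCT_INIT(msg, get_udatamodel());

			if (copyin((caddr_t)(uap->msg),
			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
				break;
			}
			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
			if (msg_name == NULL)
				break;

			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
			/* length is value from the msghdr - sanity check */
			if (msg_namelen == 0)
				break;

			/*
			 * Copy only the name length the msghdr reports,
			 * bounded by the buffer, as auf_sendto() does.
			 * Copying a fixed sizeof (so_faddr) would read past
			 * a shorter address in the caller's buffer.
			 */
			if (msg_namelen > sizeof (so_faddr))
				msg_namelen = sizeof (so_faddr);

			if (copyin(msg_name, so_faddr, msg_namelen) != 0)
				break;

			add_sock_token = 1;

		} else if (so->so_type == SOCK_STREAM) {

			/* get path from file struct here */
			fad = F2A(fp);
			ASSERT(fad);

			/*
			 * already processed this file for write attempt
			 */
			if (fad->fad_flags & FAD_WRITE) {
				releasef(fd);
				/* don't want to audit every sendmsg attempt */
				tad->tad_flag = 0;
				/* free any residual audit data */
				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
				return;
			}

			/*
			 * mark things so we know what happened and don't
			 * repeat things
			 */
			fad->fad_flags |= FAD_WRITE;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local and foreign addresses */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			add_sock_token = 1;
		}

		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */

		break;

	case AF_UNIX:
		/*
		 * first check if this is first time through. Too much
		 * duplicate code to put this in an aui_ routine.
		 */

		/* get path from file struct here */
		fad = F2A(fp);
		ASSERT(fad);

		/*
		 * already processed this file for write attempt
		 */
		if (fad->fad_flags & FAD_WRITE) {
			releasef(fd);
			/* don't want to audit every sendmsg attempt */
			tad->tad_flag = 0;
			/* free any residual audit data */
			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
			return;
		}
		/*
		 * mark things so we know what happened and don't
		 * repeat things
		 */
		fad->fad_flags |= FAD_WRITE;

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		releasef(fd);

		return;

	default:
		break;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
}

/*
 * Write the audit tokens for sendto, given the call's error status.
 *
 * For datagram and raw INET/INET6 sockets the destination is copied in
 * from the caller's "to" argument, with the length bounded by the local
 * buffer.  Every other INET/INET6 socket type, and AF_UNIX, is recorded
 * once per file using the FAD_WRITE flag.
 */
/*ARGSUSED*/
static void
auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
{
	struct a {
		long	fd;
		long	msg;	/* char */
		long	len;
		long	flags;
		long	to;	/* struct sockaddr */
		long	tolen;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode	*so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	socklen_t	tolen;
	int		err;
	int		fd;
	socklen_t	len;
	short so_family, so_type;
	int		add_sock_token = 0;
	struct file	*fp;
	struct f_audit_data *fad;
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	fd = (int)uap->fd;

	/* bail if an error */
	if (error) {
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		/* XXX include destination address from system call arguments */
		return;
	}

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/*
		 * not security relevant if doing a sendto using non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type = so->so_type;

	/*
	 * only putout SOCKET_EX token if INET/INET6 family.
	 * XXX - what do we do about other families?
	 */

	switch (so_family) {
	case AF_INET:
	case AF_INET6:

		/*
		 * if datagram type socket, then just use what is in
		 * socket structure for local address.
		 * XXX - what do we do for other types?
		 */
		if ((so->so_type == SOCK_DGRAM) ||
		    (so->so_type == SOCK_RAW)) {

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local address */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());

			/* get peer address */

			/* sanity check */
			if (uap->to == 0)
				break;

			/* sanity checks */
			if (uap->tolen == 0)
				break;

			tolen = (socklen_t)uap->tolen;

			/* enforce maximum size */
			if (tolen > sizeof (so_faddr))
				tolen = sizeof (so_faddr);

			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
				break;

			add_sock_token = 1;
		} else {
			/*
			 * check if this is first time through.
			 */

			/* get path from file struct here */
			fad = F2A(fp);
			ASSERT(fad);

			/*
			 * already processed this file for write attempt
			 */
			if (fad->fad_flags & FAD_WRITE) {
				/* don't want to audit every sendto attempt */
				tad->tad_flag = 0;
				/* free any residual audit data */
				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
				releasef(fd);
				return;
			}
			/*
			 * mark things so we know what happened and don't
			 * repeat things
			 */
			fad->fad_flags |= FAD_WRITE;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local and foreign addresses */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			add_sock_token = 1;
		}

		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */

		break;

	case AF_UNIX:
		/*
		 * first check if this is first time through. Too much
		 * duplicate code to put this in an aui_ routine.
		 */

		/* get path from file struct here */
		fad = F2A(fp);
		ASSERT(fad);

		/*
		 * already processed this file for write attempt
		 */
		if (fad->fad_flags & FAD_WRITE) {
			/* don't want to audit every sendto attempt */
			tad->tad_flag = 0;
			/* free any residual audit data */
			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
			releasef(fd);
			return;
		}
		/*
		 * mark things so we know what happened and don't
		 * repeat things
		 */
		fad->fad_flags |= FAD_WRITE;

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		releasef(fd);

		return;

	default:
		break;

	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*
 * XXX socket(2) may be equivalent to open(2) on a unix domain
 * socket. This needs investigation.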
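*/

/* Write the domain, type and protocol arguments of socket as tokens. */
/*ARGSUSED*/
static void
aus_socket(struct t_audit_data *tad)
{
	struct a {
		long	domain;
		long	type;
		long	protocol;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
}

/*
 * Write the audit tokens for sigqueue: the signal number, then a process
 * token describing the target when pid > 0, or the raw pid as an argument
 * token otherwise.  If the target process is not found, or its credential
 * has no audit info, only the signal token is written.
 */
/*ARGSUSED*/
static void
aus_sigqueue(struct t_audit_data *tad)
{
	struct a {
		long	pid;
		long	signo;
		long	*val;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
	struct proc *p;
	uid_t uid, ruid;
	gid_t gid, rgid;
	pid_t pid;
	const auditinfo_addr_t *ainfo;
	cred_t *cr;

	pid = (pid_t)uap->pid;

	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
	if (pid > 0) {
		mutex_enter(&pidlock);
		if ((p = prfind(pid)) == (struct proc *)0) {
			mutex_exit(&pidlock);
			return;
		}
		mutex_enter(&p->p_lock); /* so process doesn't go away */
		mutex_exit(&pidlock);

		/* hold the cred so it can be read after the locks drop */
		mutex_enter(&p->p_crlock);
		crhold(cr = p->p_cred);
		mutex_exit(&p->p_crlock);
		mutex_exit(&p->p_lock);

		ainfo = crgetauinfo(cr);
		if (ainfo == NULL) {
			crfree(cr);
			return;
		}

		uid = crgetuid(cr);
		gid = crgetgid(cr);
		ruid = crgetruid(cr);
		rgid = crgetrgid(cr);
		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
		crfree(cr);
	}
	else
		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
}

/* Write the flags argument of inst_sync; the name is not recorded here. */
/*ARGSUSED*/
static void
aus_inst_sync(struct t_audit_data *tad)
{
	struct a {
		long	name;	/* char */
		long	flags;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
}

/*
 * Write the command and all six arguments of brandsys.  The arguments are
 * written as 64-bit tokens under _LP64 and as 32-bit tokens otherwise.
 */
/*ARGSUSED*/
static void
aus_brandsys(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);

	struct a {
		long	cmd;
		long	arg1;
		long	arg2;
		long	arg3;
		long	arg4;
		long	arg5;
		long	arg6;
	} *uap = (struct a *)clwp->lwp_ap;

	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
#ifdef _LP64
	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
#else
	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
#endif
}

/*
 * Write the audit tokens for p_online: the processor ID and flag as
 * argument tokens, then the flag's symbolic name as a text token, or
 * "bad flag" when the value matches none of the known flags.
 */
/*ARGSUSED*/
static void
aus_p_online(struct t_audit_data *tad)
{
	struct a {
		long	processor_id;
		long	flag;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct flags {
		int	flag;
		char	*cflag;
	} aflags[] = {
		{ P_ONLINE, "P_ONLINE"},
		{ P_OFFLINE, "P_OFFLINE"},
		{ P_NOINTR, "P_NOINTR"},
		{ P_SPARE, "P_SPARE"},
		{ P_FAULTED, "P_FAULTED"},
		{ P_STATUS, "P_STATUS"}
	};
	/* derive the count from the table so the two cannot drift apart */
	const int naflags = (int)(sizeof (aflags) / sizeof (aflags[0]));
	int i;
	char *cflag;

	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));

	for (i = 0; i < naflags; i++) {
		if (aflags[i].flag == uap->flag)
			break;
	}
	cflag = (i == naflags) ? "bad flag" : aflags[i].cflag;

	au_uwrite(au_to_text(cflag));
}

/*ARGSUSED*/
static void
aus_processor_bind(struct t_audit_data *tad)
{
	struct a {
		long	id_type;
		long	id;
		long	processor_id;
		long	obind;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct proc *p;
	int lwpcnt;
	uid_t uid, ruid;
	gid_t gid, rgid;
	pid_t pid;
	const auditinfo_addr_t *ainfo;
	cred_t *cr;

	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
	if (uap->processor_id == PBIND_NONE)
		au_uwrite(au_to_text("PBIND_NONE"));
	else
		au_uwrite(au_to_arg32(3, "processor_id",
		    (uint32_t)uap->processor_id));

	switch (uap->id_type) {
	case P_MYID:
	case P_LWPID:
		mutex_enter(&pidlock);
		p = ttoproc(curthread);
		if (p == NULL || p->p_as == &kas) {
			mutex_exit(&pidlock);
			return;
		}
		mutex_enter(&p->p_lock);
		mutex_exit(&pidlock);
		lwpcnt = p->p_lwpcnt;
		pid = p->p_pid;

		mutex_enter(&p->p_crlock);
		crhold(cr = p->p_cred);
		mutex_exit(&p->p_crlock);
		mutex_exit(&p->p_lock);

		ainfo = crgetauinfo(cr);
		if (ainfo == NULL) {
			crfree(cr);
			return;
		}

		uid = crgetuid(cr);
		gid = crgetgid(cr);
		ruid = crgetruid(cr);
		rgid = crgetrgid(cr);
		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
		crfree(cr);
		break;
	case P_PID:
		mutex_enter(&pidlock);
		p = prfind(uap->id);
		if (p == NULL || p->p_as == &kas) {
			mutex_exit(&pidlock);
			return;
		}
		mutex_enter(&p->p_lock);
		mutex_exit(&pidlock);
		lwpcnt = p->p_lwpcnt;
		pid = p->p_pid;

		mutex_enter(&p->p_crlock);
		crhold(cr = p->p_cred);
		mutex_exit(&p->p_crlock);
		mutex_exit(&p->p_lock);

		ainfo = crgetauinfo(cr);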
5147 if (ainfo == NULL) { 5148 crfree(cr); 5149 return; 5150 } 5151 5152 uid = crgetuid(cr); 5153 gid = crgetgid(cr); 5154 ruid = crgetruid(cr); 5155 rgid = crgetrgid(cr); 5156 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5157 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5158 crfree(cr); 5159 5160 break; 5161 default: 5162 return; 5163 } 5164 5165 if (uap->processor_id == PBIND_NONE && 5166 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 5167 au_uwrite(au_to_text("PBIND_NONE for process")); 5168 else 5169 au_uwrite(au_to_arg32(3, "processor_id", 5170 (uint32_t)uap->processor_id)); 5171 } 5172 5173 /*ARGSUSED*/ 5174 static au_event_t 5175 aui_doorfs(au_event_t e) 5176 { 5177 uint32_t code; 5178 5179 struct a { /* doorfs */ 5180 long a1; 5181 long a2; 5182 long a3; 5183 long a4; 5184 long a5; 5185 long code; 5186 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5187 5188 /* 5189 * audit formats for several of the 5190 * door calls have not yet been determined 5191 */ 5192 code = (uint32_t)uap->code; 5193 switch (code) { 5194 case DOOR_CALL: 5195 e = AUE_DOORFS_DOOR_CALL; 5196 break; 5197 case DOOR_RETURN: 5198 e = AUE_NULL; 5199 break; 5200 case DOOR_CREATE: 5201 e = AUE_DOORFS_DOOR_CREATE; 5202 break; 5203 case DOOR_REVOKE: 5204 e = AUE_DOORFS_DOOR_REVOKE; 5205 break; 5206 case DOOR_INFO: 5207 e = AUE_NULL; 5208 break; 5209 case DOOR_UCRED: 5210 e = AUE_NULL; 5211 break; 5212 case DOOR_BIND: 5213 e = AUE_NULL; 5214 break; 5215 case DOOR_UNBIND: 5216 e = AUE_NULL; 5217 break; 5218 case DOOR_GETPARAM: 5219 e = AUE_NULL; 5220 break; 5221 case DOOR_SETPARAM: 5222 e = AUE_NULL; 5223 break; 5224 default: /* illegal system call */ 5225 e = AUE_NULL; 5226 break; 5227 } 5228 5229 return (e); 5230 } 5231 5232 static door_node_t * 5233 au_door_lookup(int did) 5234 { 5235 vnode_t *vp; 5236 file_t *fp; 5237 5238 if ((fp = getf(did)) == NULL) 5239 return (NULL); 5240 /* 5241 * Use the underlying vnode (we may be namefs mounted) 5242 */ 5243 if (VOP_REALVP(fp->f_vnode, 
&vp, NULL)) 5244 vp = fp->f_vnode; 5245 5246 if (vp == NULL || vp->v_type != VDOOR) { 5247 releasef(did); 5248 return (NULL); 5249 } 5250 5251 return (VTOD(vp)); 5252 } 5253 5254 /*ARGSUSED*/ 5255 static void 5256 aus_doorfs(struct t_audit_data *tad) 5257 { 5258 5259 struct a { /* doorfs */ 5260 long a1; 5261 long a2; 5262 long a3; 5263 long a4; 5264 long a5; 5265 long code; 5266 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5267 5268 door_node_t *dp; 5269 struct proc *p; 5270 uint32_t did; 5271 uid_t uid, ruid; 5272 gid_t gid, rgid; 5273 pid_t pid; 5274 const auditinfo_addr_t *ainfo; 5275 cred_t *cr; 5276 5277 did = (uint32_t)uap->a1; 5278 5279 switch (tad->tad_event) { 5280 case AUE_DOORFS_DOOR_CALL: 5281 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5282 if ((dp = au_door_lookup(did)) == NULL) 5283 break; 5284 5285 if (DOOR_INVALID(dp)) { 5286 releasef(did); 5287 break; 5288 } 5289 5290 if ((p = dp->door_target) == NULL) { 5291 releasef(did); 5292 break; 5293 } 5294 mutex_enter(&p->p_lock); 5295 releasef(did); 5296 5297 pid = p->p_pid; 5298 5299 mutex_enter(&p->p_crlock); 5300 crhold(cr = p->p_cred); 5301 mutex_exit(&p->p_crlock); 5302 mutex_exit(&p->p_lock); 5303 5304 ainfo = crgetauinfo(cr); 5305 if (ainfo == NULL) { 5306 crfree(cr); 5307 return; 5308 } 5309 uid = crgetuid(cr); 5310 gid = crgetgid(cr); 5311 ruid = crgetruid(cr); 5312 rgid = crgetrgid(cr); 5313 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5314 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5315 crfree(cr); 5316 break; 5317 case AUE_DOORFS_DOOR_RETURN: 5318 /* 5319 * We may want to write information about 5320 * all doors (if any) which will be copied 5321 * by this call to the user space 5322 */ 5323 break; 5324 case AUE_DOORFS_DOOR_CREATE: 5325 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5326 break; 5327 case AUE_DOORFS_DOOR_REVOKE: 5328 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5329 break; 5330 case AUE_DOORFS_DOOR_INFO: 5331 break; 5332 case 
AUE_DOORFS_DOOR_CRED: 5333 break; 5334 case AUE_DOORFS_DOOR_BIND: 5335 break; 5336 case AUE_DOORFS_DOOR_UNBIND: { 5337 break; 5338 } 5339 default: /* illegal system call */ 5340 break; 5341 } 5342 } 5343 5344 /*ARGSUSED*/ 5345 static au_event_t 5346 aui_acl(au_event_t e) 5347 { 5348 struct a { 5349 union { 5350 long name; /* char */ 5351 long fd; 5352 } obj; 5353 5354 long cmd; 5355 long nentries; 5356 long arg; /* aclent_t */ 5357 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5358 5359 switch (uap->cmd) { 5360 case SETACL: 5361 case ACE_SETACL: 5362 /* 5363 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5364 * are expected. 5365 */ 5366 break; 5367 case GETACL: 5368 case GETACLCNT: 5369 case ACE_GETACL: 5370 case ACE_GETACLCNT: 5371 /* do nothing for these four values. */ 5372 e = AUE_NULL; 5373 break; 5374 default: 5375 /* illegal system call */ 5376 break; 5377 } 5378 5379 return (e); 5380 } 5381 5382 static void 5383 au_acl(int cmd, int nentries, caddr_t bufp) 5384 { 5385 size_t a_size; 5386 aclent_t *aclbufp; 5387 ace_t *acebufp; 5388 int i; 5389 5390 switch (cmd) { 5391 case GETACL: 5392 case GETACLCNT: 5393 break; 5394 case SETACL: 5395 if (nentries < 3) 5396 break; 5397 5398 a_size = nentries * sizeof (aclent_t); 5399 5400 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5401 break; 5402 if (copyin(bufp, aclbufp, a_size)) { 5403 kmem_free(aclbufp, a_size); 5404 break; 5405 } 5406 for (i = 0; i < nentries; i++) { 5407 au_uwrite(au_to_acl(aclbufp + i)); 5408 } 5409 kmem_free(aclbufp, a_size); 5410 break; 5411 5412 case ACE_SETACL: 5413 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5414 break; 5415 5416 a_size = nentries * sizeof (ace_t); 5417 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5418 break; 5419 if (copyin(bufp, acebufp, a_size)) { 5420 kmem_free(acebufp, a_size); 5421 break; 5422 } 5423 for (i = 0; i < nentries; i++) { 5424 au_uwrite(au_to_ace(acebufp + i)); 5425 } 5426 kmem_free(acebufp, a_size); 5427 break; 5428 
default: 5429 break; 5430 } 5431 } 5432 5433 /*ARGSUSED*/ 5434 static void 5435 aus_acl(struct t_audit_data *tad) 5436 { 5437 struct a { 5438 long fname; 5439 long cmd; 5440 long nentries; 5441 long aclbufp; 5442 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5443 5444 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5445 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5446 5447 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5448 } 5449 5450 /*ARGSUSED*/ 5451 static void 5452 aus_facl(struct t_audit_data *tad) 5453 { 5454 struct a { 5455 long fd; 5456 long cmd; 5457 long nentries; 5458 long aclbufp; 5459 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5460 struct file *fp; 5461 struct vnode *vp; 5462 struct f_audit_data *fad; 5463 int fd; 5464 5465 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5466 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5467 5468 fd = (int)uap->fd; 5469 5470 if ((fp = getf(fd)) == NULL) 5471 return; 5472 5473 /* get path from file struct here */ 5474 fad = F2A(fp); 5475 if (fad->fad_aupath != NULL) { 5476 au_uwrite(au_to_path(fad->fad_aupath)); 5477 } else { 5478 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5479 } 5480 5481 vp = fp->f_vnode; 5482 audit_attributes(vp); 5483 5484 /* decrement file descriptor reference count */ 5485 releasef(fd); 5486 5487 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5488 } 5489 5490 /*ARGSUSED*/ 5491 static void 5492 auf_read(struct t_audit_data *tad, int error, rval_t *rval) 5493 { 5494 struct file *fp; 5495 struct f_audit_data *fad; 5496 int fd; 5497 register struct a { 5498 long fd; 5499 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5500 au_kcontext_t *kctx = GET_KCTX_PZ; 5501 5502 fd = (int)uap->fd; 5503 5504 /* 5505 * convert file pointer to file descriptor 5506 * Note: fd ref count incremented here. 
5507 */ 5508 if ((fp = getf(fd)) == NULL) 5509 return; 5510 5511 /* get path from file struct here */ 5512 fad = F2A(fp); 5513 ASSERT(fad); 5514 5515 /* 5516 * already processed this file for read attempt 5517 * 5518 * XXX might be better to turn off auditing in a aui_read() routine. 5519 */ 5520 if (fad->fad_flags & FAD_READ) { 5521 /* don't really want to audit every read attempt */ 5522 tad->tad_flag = 0; 5523 /* free any residual audit data */ 5524 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5525 releasef(fd); 5526 return; 5527 } 5528 /* mark things so we know what happened and don't repeat things */ 5529 fad->fad_flags |= FAD_READ; 5530 5531 if (fad->fad_aupath != NULL) { 5532 au_uwrite(au_to_path(fad->fad_aupath)); 5533 } else { 5534 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5535 } 5536 5537 /* include attributes */ 5538 audit_attributes(fp->f_vnode); 5539 5540 /* decrement file descriptor reference count */ 5541 releasef(fd); 5542 } 5543 5544 /*ARGSUSED*/ 5545 static void 5546 auf_write(struct t_audit_data *tad, int error, rval_t *rval) 5547 { 5548 struct file *fp; 5549 struct f_audit_data *fad; 5550 int fd; 5551 register struct a { 5552 long fd; 5553 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5554 au_kcontext_t *kctx = GET_KCTX_PZ; 5555 5556 fd = (int)uap->fd; 5557 5558 /* 5559 * convert file pointer to file descriptor 5560 * Note: fd ref count incremented here. 5561 */ 5562 if ((fp = getf(fd)) == NULL) 5563 return; 5564 5565 /* get path from file struct here */ 5566 fad = F2A(fp); 5567 ASSERT(fad); 5568 5569 /* 5570 * already processed this file for write attempt 5571 * 5572 * XXX might be better to turn off auditing in a aus_write() routine. 
5573 */ 5574 if (fad->fad_flags & FAD_WRITE) { 5575 /* don't really want to audit every write attempt */ 5576 tad->tad_flag = 0; 5577 /* free any residual audit data */ 5578 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5579 releasef(fd); 5580 return; 5581 } 5582 /* mark things so we know what happened and don't repeat things */ 5583 fad->fad_flags |= FAD_WRITE; 5584 5585 if (fad->fad_aupath != NULL) { 5586 au_uwrite(au_to_path(fad->fad_aupath)); 5587 } else { 5588 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5589 } 5590 5591 /* include attributes */ 5592 audit_attributes(fp->f_vnode); 5593 5594 /* decrement file descriptor reference count */ 5595 releasef(fd); 5596 } 5597 5598 /*ARGSUSED*/ 5599 static void 5600 auf_recv(struct t_audit_data *tad, int error, rval_t *rval) 5601 { 5602 struct sonode *so; 5603 char so_laddr[sizeof (struct sockaddr_in6)]; 5604 char so_faddr[sizeof (struct sockaddr_in6)]; 5605 struct file *fp; 5606 struct f_audit_data *fad; 5607 int fd; 5608 int err; 5609 socklen_t len; 5610 short so_family, so_type; 5611 register struct a { 5612 long fd; 5613 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5614 au_kcontext_t *kctx = GET_KCTX_PZ; 5615 5616 /* 5617 * If there was an error, then nothing to do. Only generate 5618 * audit record on first successful recv. 5619 */ 5620 if (error) { 5621 /* Turn off audit record generation here. */ 5622 tad->tad_flag = 0; 5623 /* free any residual audit data */ 5624 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5625 return; 5626 } 5627 5628 fd = (int)uap->fd; 5629 5630 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5631 /* Turn off audit record generation here. 
*/ 5632 tad->tad_flag = 0; 5633 /* free any residual audit data */ 5634 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5635 return; 5636 } 5637 5638 /* get path from file struct here */ 5639 fad = F2A(fp); 5640 ASSERT(fad); 5641 5642 /* 5643 * already processed this file for read attempt 5644 */ 5645 if (fad->fad_flags & FAD_READ) { 5646 releasef(fd); 5647 /* don't really want to audit every recv call */ 5648 tad->tad_flag = 0; 5649 /* free any residual audit data */ 5650 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5651 return; 5652 } 5653 5654 /* mark things so we know what happened and don't repeat things */ 5655 fad->fad_flags |= FAD_READ; 5656 5657 so_family = so->so_family; 5658 so_type = so->so_type; 5659 5660 switch (so_family) { 5661 case AF_INET: 5662 case AF_INET6: 5663 /* 5664 * Only for connections. 5665 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5666 */ 5667 if (so->so_state & SS_ISBOUND) { 5668 5669 bzero((void *)so_laddr, sizeof (so_laddr)); 5670 bzero((void *)so_faddr, sizeof (so_faddr)); 5671 5672 /* get local and foreign addresses */ 5673 len = sizeof (so_laddr); 5674 (void) socket_getsockname(so, 5675 (struct sockaddr *)so_laddr, &len, CRED()); 5676 len = sizeof (so_faddr); 5677 (void) socket_getpeername(so, 5678 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5679 5680 /* 5681 * only way to drop out of switch. Note that we 5682 * we release fd below. 
5683 */ 5684 5685 break; 5686 } 5687 5688 releasef(fd); 5689 5690 /* don't really want to audit every recv call */ 5691 tad->tad_flag = 0; 5692 /* free any residual audit data */ 5693 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5694 5695 return; 5696 5697 case AF_UNIX: 5698 5699 if (fad->fad_aupath != NULL) { 5700 au_uwrite(au_to_path(fad->fad_aupath)); 5701 } else { 5702 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5703 } 5704 5705 audit_attributes(fp->f_vnode); 5706 5707 releasef(fd); 5708 5709 return; 5710 5711 default: 5712 releasef(fd); 5713 5714 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5715 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5716 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5717 5718 return; 5719 } 5720 5721 releasef(fd); 5722 5723 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5724 5725 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5726 5727 } 5728 5729 /*ARGSUSED*/ 5730 static void 5731 auf_send(struct t_audit_data *tad, int error, rval_t *rval) 5732 { 5733 struct sonode *so; 5734 char so_laddr[sizeof (struct sockaddr_in6)]; 5735 char so_faddr[sizeof (struct sockaddr_in6)]; 5736 struct file *fp; 5737 struct f_audit_data *fad; 5738 int fd; 5739 int err; 5740 socklen_t len; 5741 short so_family, so_type; 5742 register struct a { 5743 long fd; 5744 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5745 au_kcontext_t *kctx = GET_KCTX_PZ; 5746 5747 fd = (int)uap->fd; 5748 5749 /* 5750 * If there was an error, then nothing to do. Only generate 5751 * audit record on first successful send. 5752 */ 5753 if (error != 0) { 5754 /* Turn off audit record generation here. */ 5755 tad->tad_flag = 0; 5756 /* free any residual audit data */ 5757 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5758 return; 5759 } 5760 5761 fd = (int)uap->fd; 5762 5763 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5764 /* Turn off audit record generation here. 
*/ 5765 tad->tad_flag = 0; 5766 /* free any residual audit data */ 5767 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5768 return; 5769 } 5770 5771 /* get path from file struct here */ 5772 fad = F2A(fp); 5773 ASSERT(fad); 5774 5775 /* 5776 * already processed this file for write attempt 5777 */ 5778 if (fad->fad_flags & FAD_WRITE) { 5779 releasef(fd); 5780 /* don't really want to audit every send call */ 5781 tad->tad_flag = 0; 5782 /* free any residual audit data */ 5783 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5784 return; 5785 } 5786 5787 /* mark things so we know what happened and don't repeat things */ 5788 fad->fad_flags |= FAD_WRITE; 5789 5790 so_family = so->so_family; 5791 so_type = so->so_type; 5792 5793 switch (so_family) { 5794 case AF_INET: 5795 case AF_INET6: 5796 /* 5797 * Only for connections. 5798 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5799 */ 5800 if (so->so_state & SS_ISBOUND) { 5801 5802 bzero((void *)so_laddr, sizeof (so_laddr)); 5803 bzero((void *)so_faddr, sizeof (so_faddr)); 5804 5805 /* get local and foreign addresses */ 5806 len = sizeof (so_laddr); 5807 (void) socket_getsockname(so, 5808 (struct sockaddr *)so_laddr, &len, CRED()); 5809 len = sizeof (so_faddr); 5810 (void) socket_getpeername(so, 5811 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5812 5813 /* 5814 * only way to drop out of switch. Note that we 5815 * we release fd below. 
5816 */ 5817 5818 break; 5819 } 5820 5821 releasef(fd); 5822 /* don't really want to audit every send call */ 5823 tad->tad_flag = 0; 5824 /* free any residual audit data */ 5825 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5826 5827 return; 5828 5829 case AF_UNIX: 5830 5831 if (fad->fad_aupath != NULL) { 5832 au_uwrite(au_to_path(fad->fad_aupath)); 5833 } else { 5834 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5835 } 5836 5837 audit_attributes(fp->f_vnode); 5838 5839 releasef(fd); 5840 5841 return; 5842 5843 default: 5844 releasef(fd); 5845 5846 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5847 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5848 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5849 5850 return; 5851 } 5852 5853 releasef(fd); 5854 5855 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5856 5857 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5858 } 5859 5860 static au_event_t 5861 aui_forksys(au_event_t e) 5862 { 5863 struct a { 5864 long subcode; 5865 long flags; 5866 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5867 5868 switch ((uint_t)uap->subcode) { 5869 case 0: 5870 e = AUE_FORK1; 5871 break; 5872 case 1: 5873 e = AUE_FORKALL; 5874 break; 5875 case 2: 5876 e = AUE_VFORK; 5877 break; 5878 default: 5879 e = AUE_NULL; 5880 break; 5881 } 5882 5883 return (e); 5884 } 5885 5886 /*ARGSUSED*/ 5887 static au_event_t 5888 aui_portfs(au_event_t e) 5889 { 5890 struct a { /* portfs */ 5891 long a1; 5892 long a2; 5893 long a3; 5894 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5895 5896 /* 5897 * check opcode 5898 */ 5899 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5900 case PORT_ASSOCIATE: 5901 /* check source */ 5902 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5903 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5904 e = AUE_PORTFS_ASSOCIATE; 5905 } else { 5906 e = AUE_NULL; 5907 } 5908 break; 5909 case PORT_DISSOCIATE: 5910 /* check source */ 5911 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5912 ((uint_t)uap->a3 == 
PORT_SOURCE_FD)) { 5913 e = AUE_PORTFS_DISSOCIATE; 5914 } else { 5915 e = AUE_NULL; 5916 } 5917 break; 5918 default: 5919 e = AUE_NULL; 5920 } 5921 return (e); 5922 } 5923