1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <sys/tsol/label.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 extern token_t *au_to_sock_inet(struct sockaddr_in *); 81 82 int au_naevent; 83 char _depends_on[] = "fs/sockfs"; 84 85 static au_event_t aui_null(au_event_t); 86 static au_event_t aui_open(au_event_t); 87 static au_event_t aui_fsat(au_event_t); 88 static au_event_t aui_msgsys(au_event_t); 89 static au_event_t aui_shmsys(au_event_t); 90 static au_event_t aui_semsys(au_event_t); 91 static au_event_t aui_utssys(au_event_t); 92 static au_event_t aui_fcntl(au_event_t); 93 static au_event_t aui_execv(au_event_t); 94 static au_event_t aui_execve(au_event_t); 95 static au_event_t aui_memcntl(au_event_t); 96 static au_event_t aui_sysinfo(au_event_t); 97 static au_event_t aui_portfs(au_event_t); 98 static au_event_t aui_auditsys(au_event_t); 99 static au_event_t aui_modctl(au_event_t); 100 static au_event_t aui_acl(au_event_t); 101 static au_event_t aui_doorfs(au_event_t); 102 static au_event_t aui_privsys(au_event_t); 103 static au_event_t aui_forksys(au_event_t); 104 105 static void aus_null(struct t_audit_data *); 106 static void aus_open(struct t_audit_data *); 107 static void aus_acl(struct t_audit_data *); 108 static void aus_acct(struct t_audit_data *); 109 static void aus_chown(struct t_audit_data *); 110 static void aus_fchown(struct t_audit_data *); 111 static void aus_lchown(struct t_audit_data *); 112 static void aus_chmod(struct t_audit_data *); 113 static void aus_facl(struct t_audit_data *); 114 static void aus_fchmod(struct t_audit_data *); 115 static void aus_fcntl(struct t_audit_data *); 116 static void aus_fsat(struct t_audit_data *); 117 static void aus_mkdir(struct t_audit_data *); 118 static void aus_mknod(struct t_audit_data *); 119 static void aus_mount(struct t_audit_data *); 120 static void aus_umount(struct t_audit_data *); 121 static void aus_umount2(struct t_audit_data *); 122 static void aus_msgsys(struct t_audit_data *); 123 static void aus_semsys(struct t_audit_data *); 124 static void aus_close(struct t_audit_data *); 125 static void aus_fstatfs(struct t_audit_data *); 126 static void aus_setgid(struct t_audit_data *); 127 static void aus_setuid(struct t_audit_data *); 128 static void aus_shmsys(struct t_audit_data *); 129 static void aus_doorfs(struct t_audit_data *); 130 static void aus_ioctl(struct t_audit_data *); 131 static void aus_memcntl(struct t_audit_data *); 132 static void aus_mmap(struct t_audit_data *); 133 static void aus_munmap(struct t_audit_data *); 134 static void aus_priocntlsys(struct t_audit_data *); 135 static void aus_setegid(struct t_audit_data *); 136 static void aus_setgroups(struct t_audit_data *); 137 static void aus_seteuid(struct t_audit_data *); 138 static void aus_putmsg(struct t_audit_data *); 139 static void aus_putpmsg(struct t_audit_data *); 140 static void aus_getmsg(struct t_audit_data *); 141 static void aus_getpmsg(struct t_audit_data *); 142 static void aus_auditsys(struct t_audit_data *); 143 static void aus_sysinfo(struct t_audit_data *); 144 static void aus_modctl(struct t_audit_data *); 145 static void aus_kill(struct t_audit_data *); 146 static void aus_xmknod(struct t_audit_data *); 147 static void aus_setregid(struct t_audit_data *); 148 static void aus_setreuid(struct t_audit_data *); 149 150 static void auf_null(struct t_audit_data *, int, rval_t *); 151 static void auf_mknod(struct t_audit_data *, int, rval_t *); 152 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 153 static void auf_semsys(struct t_audit_data *, int, rval_t *); 154 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 155 #if 0 156 static void auf_open(struct t_audit_data *, int, rval_t *); 157 #endif 158 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 159 static void auf_read(struct t_audit_data *, int, rval_t *); 160 static void auf_write(struct t_audit_data *, int, rval_t *); 161 162 static void aus_sigqueue(struct t_audit_data *); 163 static void aus_p_online(struct t_audit_data *); 164 static void aus_processor_bind(struct t_audit_data *); 165 static void aus_inst_sync(struct t_audit_data *); 166 static void aus_brandsys(struct t_audit_data *); 167 168 static void auf_accept(struct t_audit_data *, int, rval_t *); 169 170 static void auf_bind(struct t_audit_data *, int, rval_t *); 171 static void auf_connect(struct t_audit_data *, int, rval_t *); 172 static void aus_shutdown(struct t_audit_data *); 173 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 174 static void aus_sockconfig(struct t_audit_data *); 175 static void auf_recv(struct t_audit_data *, int, rval_t *); 176 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 177 static void auf_send(struct t_audit_data *, int, rval_t *); 178 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 179 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 180 static void auf_sendto(struct t_audit_data *, int, rval_t *); 181 static void aus_socket(struct t_audit_data *); 182 /* 183 * This table contains mapping information for converting system call numbers 184 * to audit event IDs. In several cases it is necessary to map a single system 185 * call to several events. 186 */ 187 188 struct audit_s2e audit_s2e[] = 189 { 190 /* 191 * ---------- ---------- ---------- ---------- 192 * INITIAL AUDIT START SYSTEM 193 * PROCESSING EVENT PROCESSING CALL 194 * ---------- ---------- ---------- ----------- 195 * FINISH EVENT 196 * PROCESSING CONTROL 197 * ---------------------------------------------------------- 198 */ 199 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 200 auf_null, 0, 201 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 202 auf_null, S2E_NPT, 203 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 204 auf_null, 0, 205 aui_null, AUE_READ, aus_null, /* 3 read */ 206 auf_read, S2E_PUB, 207 aui_null, AUE_WRITE, aus_null, /* 4 write */ 208 auf_write, 0, 209 aui_open, AUE_OPEN, aus_open, /* 5 open */ 210 auf_null, S2E_SP, 211 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 212 auf_null, 0, 213 aui_null, AUE_NULL, aus_null, /* 7 wait */ 214 auf_null, 0, 215 aui_null, AUE_CREAT, aus_null, /* 8 create */ 216 auf_null, S2E_SP, 217 aui_null, AUE_LINK, aus_null, /* 9 link */ 218 auf_null, 0, 219 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 220 auf_null, 0, 221 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 222 auf_null, S2E_MLD, 223 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 224 auf_null, S2E_SP, 225 aui_null, AUE_NULL, aus_null, /* 13 time */ 226 auf_null, 0, 227 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 228 auf_mknod, 0, 229 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 230 auf_null, 0, 231 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 232 auf_null, 0, 233 aui_null, AUE_NULL, aus_null, /* 17 brk */ 234 auf_null, 0, 235 aui_null, AUE_STAT, aus_null, /* 18 stat */ 236 auf_null, S2E_PUB, 237 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 238 auf_null, 0, 239 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 240 auf_null, 0, 241 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 242 auf_null, S2E_MLD, 243 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 244 auf_null, 0, 245 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 246 auf_null, 0, 247 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 248 auf_null, 0, 249 aui_null, AUE_STIME, aus_null, /* 25 stime */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 29 pause */ 258 auf_null, 0, 259 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 264 auf_null, 0, 265 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 266 auf_null, S2E_PUB, 267 aui_null, AUE_NICE, aus_null, /* 34 nice */ 268 auf_null, 0, 269 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 270 auf_null, S2E_PUB, 271 aui_null, AUE_NULL, aus_null, /* 36 sync */ 272 auf_null, 0, 273 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 274 auf_null, 0, 275 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 276 auf_null, S2E_PUB, 277 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 41 dup */ 282 auf_null, 0, 283 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 43 times */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 44 profil */ 288 auf_null, 0, 289 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 290 /* was proc lock */ 291 auf_null, 0, 292 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 293 auf_null, 0, 294 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 295 auf_null, 0, 296 aui_null, AUE_NULL, aus_null, /* 48 sig */ 297 auf_null, 0, 298 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 299 auf_msgsys, 0, 300 #if defined(__x86) 301 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 302 auf_null, 0, 303 #else 304 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 305 auf_null, 0, 306 #endif /* __x86 */ 307 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 308 auf_null, 0, 309 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 310 auf_shmsys, 0, 311 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 312 auf_semsys, 0, 313 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 314 auf_null, 0, 315 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 316 auf_null, 0, 317 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 318 auf_null, 0, 319 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 320 auf_null, 0, 321 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 322 auf_null, 0, 323 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 324 auf_null, S2E_MLD, 325 aui_null, AUE_NULL, aus_null, /* 60 umask */ 326 auf_null, 0, 327 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 328 auf_null, S2E_SP, 329 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 332 auf_null, 0, 333 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 334 auf_null, 0, 335 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 336 auf_null, 0, 337 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 338 auf_null, 0, 339 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 340 /* file locking call */ 341 auf_null, 0, 342 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 343 /* local system calls */ 344 auf_null, 0, 345 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 352 auf_null, 0, 353 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 354 auf_null, 0, 355 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 356 auf_null, 0, 357 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 358 /* was sigret (SunOS) */ 359 auf_null, 0, 360 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 363 auf_null, 0, 364 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 365 auf_null, 0, 366 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 367 auf_null, 0, 368 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 369 auf_null, 0, 370 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 371 auf_null, 0, 372 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 373 /* was libattach */ 374 auf_null, 0, 375 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 376 /* was libdetach */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 379 auf_null, 0, 380 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 381 auf_null, 0, 382 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 383 auf_null, 0, 384 aui_null, AUE_NULL, aus_null, /* 87 poll */ 385 auf_null, 0, 386 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 387 auf_null, S2E_PUB, 388 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 389 auf_null, 0, 390 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 391 auf_null, S2E_PUB, 392 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 395 auf_null, 0, 396 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 397 auf_null, 0, 398 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 411 auf_null, 0, 412 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 413 auf_null, 0, 414 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 415 /* was evtrapret */ 416 auf_null, 0, 417 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 418 auf_null, S2E_PUB, 419 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 422 auf_null, 0, 423 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 424 auf_null, 0, 425 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 426 auf_null, 0, 427 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 428 auf_null, 0, 429 #if defined(__x86) 430 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 431 auf_null, 0, 432 #else 433 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 434 auf_null, 0, 435 #endif /* __x86 */ 436 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 437 auf_null, 0, 438 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 439 auf_null, 0, 440 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 441 auf_null, 0, /* 112 priocntlsys */ 442 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 443 auf_null, S2E_PUB, 444 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 445 auf_null, 0, 446 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 447 auf_null, 0, 448 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 449 auf_null, 0, 450 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 451 auf_null, 0, 452 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 453 auf_null, 0, 454 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 455 auf_null, 0, 456 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 457 auf_null, 0, 458 aui_null, AUE_READ, aus_null, /* 121 readv */ 459 auf_read, S2E_PUB, 460 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 461 auf_write, 0, 462 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 463 auf_null, S2E_PUB, 464 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 465 auf_null, S2E_PUB, 466 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 467 auf_null, 0, 468 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 469 auf_xmknod, 0, 470 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 471 auf_null, 0, 472 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 473 auf_null, 0, 474 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 475 auf_null, 0, 476 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 477 auf_null, 0, 478 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 479 auf_null, 0, 480 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 481 auf_null, 0, 482 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 483 auf_null, 0, 484 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 485 auf_null, 0, 486 aui_null, AUE_NULL, aus_null, /* 135 uname */ 487 auf_null, 0, 488 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 489 auf_null, 0, 490 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 491 auf_null, 0, 492 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 493 auf_null, 0, 494 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 495 auf_null, 0, 496 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 497 auf_null, 0, 498 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 499 auf_null, 0, 500 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 501 auf_null, 0, 502 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 146 yield */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 517 auf_null, 0, 518 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 519 auf_null, 0, 520 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 521 auf_null, 0, 522 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 523 auf_null, 0, 524 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 547 /* was lwp_setprivate */ 548 auf_null, 0, 549 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 550 /* was lwp_getprivate */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 557 auf_null, 0, 558 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 559 auf_null, 0, 560 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 561 auf_null, 0, 562 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 563 auf_null, 0, 564 aui_null, AUE_READ, aus_null, /* 173 pread */ 565 auf_read, S2E_PUB, 566 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 567 auf_write, 0, 568 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 569 auf_null, 0, 570 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 571 /* aus_inst_sync */ 572 auf_null, 0, 573 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 580 auf_null, 0, 581 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 582 auf_null, 0, 583 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 584 auf_null, 0, 585 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 586 auf_null, 0, 587 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 588 auf_null, 0, 589 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 590 auf_null, 0, 591 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 592 auf_null, 0, 593 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 594 auf_null, 0, /* 187 processor_bind */ 595 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 596 auf_null, 0, 597 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 602 auf_null, 0, 603 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 616 auf_null, 0, 617 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 618 auf_null, 0, 619 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 620 auf_null, 0, 621 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 622 auf_null, 0, 623 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 624 auf_null, 0, 625 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 644 auf_null, 0, 645 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 646 auf_null, 0, 647 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 648 auf_null, 0, 649 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 652 auf_null, S2E_PUB, 653 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 654 auf_null, 0, 655 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 656 auf_null, S2E_PUB, 657 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 658 auf_null, 0, 659 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 660 auf_null, 0, 661 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 662 auf_null, 0, 663 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 664 auf_read, S2E_PUB, 665 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 666 auf_write, 0, 667 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 668 auf_null, S2E_SP, 669 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 670 auf_null, S2E_SP, 671 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 676 auf_null, 0, 677 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 678 auf_null, 0, 679 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 680 auf_null, 0, 681 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 682 auf_null, 0, 683 aui_null, AUE_BIND, aus_null, /* 232 bind */ 684 auf_bind, 0, 685 aui_null, AUE_NULL, aus_null, /* 233 listen */ 686 auf_null, 0, 687 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 688 auf_accept, 0, 689 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 690 auf_connect, 0, 691 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 692 auf_null, 0, 693 aui_null, AUE_READ, aus_null, /* 237 recv */ 694 auf_recv, 0, 695 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 696 auf_recvfrom, 0, 697 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 698 auf_recvmsg, 0, 699 aui_null, AUE_WRITE, aus_null, /* 240 send */ 700 auf_send, 0, 701 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 702 auf_sendmsg, 0, 703 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 704 auf_sendto, 0, 705 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 708 auf_null, 0, 709 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 710 auf_null, 0, 711 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 712 auf_setsockopt, 0, 713 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 716 auf_null, 0, 717 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 726 auf_null, 0, 727 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 728 auf_null, 0, 729 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 730 auf_null, 0 731 }; 732 733 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 734 735 char *so_not_bound = "socket not bound"; 736 char *so_not_conn = "socket not connected"; 737 char *so_bad_addr = "bad socket address"; 738 char *so_bad_peer_addr = "bad peer address"; 739 740 /* null start function */ 741 /*ARGSUSED*/ 742 static void 743 aus_null(struct t_audit_data *tad) 744 { 745 } 746 747 /* acct start function */ 748 /*ARGSUSED*/ 749 static void 750 aus_acct(struct t_audit_data *tad) 751 { 752 klwp_t *clwp = ttolwp(curthread); 753 uintptr_t fname; 754 755 struct a { 756 long fname; /* char * */ 757 } *uap = (struct a *)clwp->lwp_ap; 758 759 fname = (uintptr_t)uap->fname; 760 761 if (fname == 0) 762 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 763 } 764 765 /* chown start function */ 766 /*ARGSUSED*/ 767 static void 768 aus_chown(struct t_audit_data *tad) 769 { 770 klwp_t *clwp = ttolwp(curthread); 771 uint32_t uid, gid; 772 773 struct a { 774 long fname; /* char * */ 775 long uid; 776 long gid; 777 } *uap = (struct a *)clwp->lwp_ap; 778 779 uid = (uint32_t)uap->uid; 780 gid = (uint32_t)uap->gid; 781 782 au_uwrite(au_to_arg32(2, "new file uid", uid)); 783 au_uwrite(au_to_arg32(3, "new file gid", gid)); 784 } 785 786 /* fchown start function */ 787 /*ARGSUSED*/ 788 static void 789 aus_fchown(struct t_audit_data *tad) 790 { 791 klwp_t *clwp = ttolwp(curthread); 792 uint32_t uid, gid, fd; 793 struct file *fp; 794 struct vnode *vp; 795 struct f_audit_data *fad; 796 797 struct a { 798 long fd; 799 long uid; 800 long gid; 801 } *uap = (struct a *)clwp->lwp_ap; 802 803 fd = (uint32_t)uap->fd; 804 uid = (uint32_t)uap->uid; 805 gid = (uint32_t)uap->gid; 806 807 au_uwrite(au_to_arg32(2, "new file uid", uid)); 808 au_uwrite(au_to_arg32(3, "new file gid", gid)); 809 810 /* 811 * convert file pointer to file descriptor 812 * Note: fd ref count incremented here. 813 */ 814 if ((fp = getf(fd)) == NULL) 815 return; 816 817 /* get path from file struct here */ 818 fad = F2A(fp); 819 if (fad->fad_aupath != NULL) { 820 au_uwrite(au_to_path(fad->fad_aupath)); 821 } else { 822 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 823 } 824 825 vp = fp->f_vnode; 826 audit_attributes(vp); 827 828 /* decrement file descriptor reference count */ 829 releasef(fd); 830 } 831 832 /*ARGSUSED*/ 833 static void 834 aus_lchown(struct t_audit_data *tad) 835 { 836 klwp_t *clwp = ttolwp(curthread); 837 uint32_t uid, gid; 838 839 840 struct a { 841 long fname; /* char * */ 842 long uid; 843 long gid; 844 } *uap = (struct a *)clwp->lwp_ap; 845 846 uid = (uint32_t)uap->uid; 847 gid = (uint32_t)uap->gid; 848 849 au_uwrite(au_to_arg32(2, "new file uid", uid)); 850 au_uwrite(au_to_arg32(3, "new file gid", gid)); 851 } 852 853 /* chmod start function */ 854 /*ARGSUSED*/ 855 static void 856 aus_chmod(struct t_audit_data *tad) 857 { 858 klwp_t *clwp = ttolwp(curthread); 859 uint32_t fmode; 860 861 struct a { 862 long fname; /* char * */ 863 long fmode; 864 } *uap = (struct a *)clwp->lwp_ap; 865 866 fmode = (uint32_t)uap->fmode; 867 868 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 869 } 870 871 /* chmod start function */ 872 /*ARGSUSED*/ 873 static void 874 aus_fchmod(struct t_audit_data *tad) 875 { 876 klwp_t *clwp = ttolwp(curthread); 877 uint32_t fmode, fd; 878 struct file *fp; 879 struct vnode *vp; 880 struct f_audit_data *fad; 881 882 struct a { 883 long fd; 884 long fmode; 885 } *uap = (struct a *)clwp->lwp_ap; 886 887 fd = (uint32_t)uap->fd; 888 fmode = (uint32_t)uap->fmode; 889 890 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 891 892 /* 893 * convert file pointer to file descriptor 894 * Note: fd ref count incremented here. 895 */ 896 if ((fp = getf(fd)) == NULL) 897 return; 898 899 /* get path from file struct here */ 900 fad = F2A(fp); 901 if (fad->fad_aupath != NULL) { 902 au_uwrite(au_to_path(fad->fad_aupath)); 903 } else { 904 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 905 } 906 907 vp = fp->f_vnode; 908 audit_attributes(vp); 909 910 /* decrement file descriptor reference count */ 911 releasef(fd); 912 } 913 914 /* null function */ 915 /*ARGSUSED*/ 916 static void 917 auf_null(struct t_audit_data *tad, int error, rval_t *rval) 918 { 919 } 920 921 /* null function */ 922 static au_event_t 923 aui_null(au_event_t e) 924 { 925 return (e); 926 } 927 928 /* convert open to appropriate event */ 929 static au_event_t 930 aui_open(au_event_t e) 931 { 932 klwp_t *clwp = ttolwp(curthread); 933 uint_t fm; 934 935 struct a { 936 long fnamep; /* char * */ 937 long fmode; 938 long cmode; 939 } *uap = (struct a *)clwp->lwp_ap; 940 941 fm = (uint_t)uap->fmode; 942 943 if (fm & O_WRONLY) 944 e = AUE_OPEN_W; 945 else if (fm & O_RDWR) 946 e = AUE_OPEN_RW; 947 else 948 e = AUE_OPEN_R; 949 950 if (fm & O_CREAT) 951 e += 1; 952 if (fm & O_TRUNC) 953 e += 2; 954 955 return (e); 956 } 957 958 /*ARGSUSED*/ 959 static void 960 aus_open(struct t_audit_data *tad) 961 { 962 klwp_t *clwp = ttolwp(curthread); 963 uint_t fm; 964 965 struct a { 966 long fnamep; /* char * */ 967 long fmode; 968 long cmode; 969 } *uap = (struct a *)clwp->lwp_ap; 970 971 fm = (uint_t)uap->fmode; 972 973 /* If no write, create, or trunc modes, mark as a public op */ 974 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 975 tad->tad_ctrl |= PAD_PUBLIC_EV; 976 } 977 978 /* convert openat(2) to appropriate event */ 979 static au_event_t 980 aui_fsat(au_event_t e) 981 { 982 t_audit_data_t *tad = U2A(u); 983 klwp_t *clwp = ttolwp(curthread); 984 uint_t fmcode, fm; 985 struct a { 986 long id; 987 long arg1; 988 long arg2; 989 long arg3; 990 long arg4; 991 long arg5; 992 } *uap = (struct a *)clwp->lwp_ap; 993 994 fmcode = (uint_t)uap->id; 995 996 switch (fmcode) { 997 998 case 0: /* openat */ 999 case 1: /* openat64 */ 1000 fm = (uint_t)uap->arg3; 1001 if (fm & O_WRONLY) 1002 e = AUE_OPENAT_W; 1003 else if (fm & O_RDWR) 1004 e = AUE_OPENAT_RW; 1005 else 1006 e = AUE_OPENAT_R; 1007 1008 /* 1009 * openat modes are defined in the following order: 1010 * Read only 1011 * Read|Create 1012 * Read|Trunc 1013 * Read|Create|Trunc 1014 * Write Only 1015 * Write|Create 1016 * Write|Trunc 1017 * Write|Create|Trunc * RW Only 1018 * RW|Create 1019 * RW|Trunc 1020 * RW|Create|Trunc 1021 */ 1022 if (fm & O_CREAT) 1023 e += 1; /* increment to include CREAT in mode */ 1024 if (fm & O_TRUNC) 1025 e += 2; /* increment to include TRUNC in mode */ 1026 1027 /* convert to appropriate au_ctrl */ 1028 tad->tad_ctrl |= PAD_SAVPATH; 1029 if (fm & FXATTR) 1030 tad->tad_ctrl |= PAD_ATPATH; 1031 1032 1033 break; 1034 case 2: /* fstatat64 */ 1035 case 3: /* fstatat */ 1036 e = AUE_FSTATAT; 1037 break; 1038 case 4: /* fchownat */ 1039 e = AUE_FCHOWNAT; 1040 break; 1041 case 5: /* unlinkat */ 1042 e = AUE_UNLINKAT; 1043 break; 1044 case 6: /* futimesat */ 1045 e = AUE_FUTIMESAT; 1046 break; 1047 case 7: /* renameat */ 1048 e = AUE_RENAMEAT; 1049 break; 1050 default: 1051 e = AUE_NULL; 1052 break; 1053 } 1054 1055 return (e); 1056 } 1057 1058 /*ARGSUSED*/ 1059 static void 1060 aus_fsat(struct t_audit_data *tad) 1061 { 1062 klwp_t *clwp = ttolwp(curthread); 1063 uint_t fmcode, fm; 1064 struct a { 1065 long id; 1066 long arg1; 1067 long arg2; 1068 long arg3; 1069 long arg4; 1070 long arg5; 1071 } *uap = (struct a *)clwp->lwp_ap; 1072 1073 fmcode = (uint_t)uap->id; 1074 1075 switch (fmcode) { 1076 1077 case 0: /* openat */ 1078 case 1: /* openat64 */ 1079 fm = (uint_t)uap->arg3; 1080 /* If no write, create, or trunc modes, mark as a public op */ 1081 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1082 tad->tad_ctrl |= PAD_PUBLIC_EV; 1083 1084 break; 1085 case 2: /* fstatat64 */ 1086 case 3: /* fstatat */ 1087 tad->tad_ctrl |= PAD_PUBLIC_EV; 1088 break; 1089 default: 1090 break; 1091 } 1092 } 1093 1094 /* msgsys */ 1095 static au_event_t 1096 aui_msgsys(au_event_t e) 1097 { 1098 klwp_t *clwp = ttolwp(curthread); 1099 uint_t fm; 1100 1101 struct a { 1102 long id; /* function code id */ 1103 long ap; /* arg pointer for recvmsg */ 1104 } *uap = (struct a *)clwp->lwp_ap; 1105 1106 struct b { 1107 long msgid; 1108 long cmd; 1109 long buf; /* struct msqid_ds * */ 1110 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1111 1112 fm = (uint_t)uap->id; 1113 1114 switch (fm) { 1115 case 0: /* msgget */ 1116 e = AUE_MSGGET; 1117 break; 1118 case 1: /* msgctl */ 1119 switch ((uint_t)uap1->cmd) { 1120 case IPC_RMID: 1121 e = AUE_MSGCTL_RMID; 1122 break; 1123 case IPC_SET: 1124 e = AUE_MSGCTL_SET; 1125 break; 1126 case IPC_STAT: 1127 e = AUE_MSGCTL_STAT; 1128 break; 1129 default: 1130 e = AUE_MSGCTL; 1131 break; 1132 } 1133 break; 1134 case 2: /* msgrcv */ 1135 e = AUE_MSGRCV; 1136 break; 1137 case 3: /* msgsnd */ 1138 e = AUE_MSGSND; 1139 break; 1140 default: /* illegal system call */ 1141 e = AUE_NULL; 1142 break; 1143 } 1144 1145 return (e); 1146 } 1147 1148 1149 /* shmsys */ 1150 static au_event_t 1151 aui_shmsys(au_event_t e) 1152 { 1153 klwp_t *clwp = ttolwp(curthread); 1154 int fm; 1155 1156 struct a { /* shmsys */ 1157 long id; /* function code id */ 1158 } *uap = (struct a *)clwp->lwp_ap; 1159 1160 struct b { /* ctrl */ 1161 long shmid; 1162 long cmd; 1163 long arg; /* struct shmid_ds * */ 1164 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1165 fm = (uint_t)uap->id; 1166 1167 switch (fm) { 1168 case 0: /* shmat */ 1169 e = AUE_SHMAT; 1170 break; 1171 case 1: /* shmctl */ 1172 switch ((uint_t)uap1->cmd) { 1173 case IPC_RMID: 1174 e = AUE_SHMCTL_RMID; 1175 break; 1176 case IPC_SET: 1177 e = AUE_SHMCTL_SET; 1178 break; 1179 case IPC_STAT: 1180 e = AUE_SHMCTL_STAT; 1181 break; 1182 default: 1183 e = AUE_SHMCTL; 1184 break; 1185 } 1186 break; 1187 case 2: /* shmdt */ 1188 e = AUE_SHMDT; 1189 break; 1190 case 3: /* shmget */ 1191 e = AUE_SHMGET; 1192 break; 1193 default: /* illegal system call */ 1194 e = AUE_NULL; 1195 break; 1196 } 1197 1198 return (e); 1199 } 1200 1201 1202 /* semsys */ 1203 static au_event_t 1204 aui_semsys(au_event_t e) 1205 { 1206 klwp_t *clwp = ttolwp(curthread); 1207 uint_t fm; 1208 1209 struct a { /* semsys */ 1210 long id; 1211 } *uap = (struct a *)clwp->lwp_ap; 1212 1213 struct b { /* ctrl */ 1214 long semid; 1215 long semnum; 1216 long cmd; 1217 long arg; 1218 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1219 1220 fm = (uint_t)uap->id; 1221 1222 switch (fm) { 1223 case 0: /* semctl */ 1224 switch ((uint_t)uap1->cmd) { 1225 case IPC_RMID: 1226 e = AUE_SEMCTL_RMID; 1227 break; 1228 case IPC_SET: 1229 e = AUE_SEMCTL_SET; 1230 break; 1231 case IPC_STAT: 1232 e = AUE_SEMCTL_STAT; 1233 break; 1234 case GETNCNT: 1235 e = AUE_SEMCTL_GETNCNT; 1236 break; 1237 case GETPID: 1238 e = AUE_SEMCTL_GETPID; 1239 break; 1240 case GETVAL: 1241 e = AUE_SEMCTL_GETVAL; 1242 break; 1243 case GETALL: 1244 e = AUE_SEMCTL_GETALL; 1245 break; 1246 case GETZCNT: 1247 e = AUE_SEMCTL_GETZCNT; 1248 break; 1249 case SETVAL: 1250 e = AUE_SEMCTL_SETVAL; 1251 break; 1252 case SETALL: 1253 e = AUE_SEMCTL_SETALL; 1254 break; 1255 default: 1256 e = AUE_SEMCTL; 1257 break; 1258 } 1259 break; 1260 case 1: /* semget */ 1261 e = AUE_SEMGET; 1262 break; 1263 case 2: /* semop */ 1264 e = AUE_SEMOP; 1265 break; 1266 default: /* illegal system call */ 1267 e = AUE_NULL; 1268 break; 1269 } 1270 1271 return (e); 1272 } 1273 1274 /* utssys - uname(2), ustat(2), fusers(2) */ 1275 static au_event_t 1276 aui_utssys(au_event_t e) 1277 { 1278 klwp_t *clwp = ttolwp(curthread); 1279 uint_t type; 1280 1281 struct a { 1282 union { 1283 long cbuf; /* char * */ 1284 long ubuf; /* struct stat * */ 1285 } ub; 1286 union { 1287 long mv; /* for USTAT */ 1288 long flags; /* for FUSERS */ 1289 } un; 1290 long type; 1291 long outbp; /* char * for FUSERS */ 1292 } *uap = (struct a *)clwp->lwp_ap; 1293 1294 type = (uint_t)uap->type; 1295 1296 if (type == UTS_FUSERS) 1297 return (e); 1298 else 1299 return ((au_event_t)AUE_NULL); 1300 } 1301 1302 static au_event_t 1303 aui_fcntl(au_event_t e) 1304 { 1305 klwp_t *clwp = ttolwp(curthread); 1306 uint_t cmd; 1307 1308 struct a { 1309 long fdes; 1310 long cmd; 1311 long arg; 1312 } *uap = (struct a *)clwp->lwp_ap; 1313 1314 cmd = (uint_t)uap->cmd; 1315 1316 switch (cmd) { 1317 case F_GETLK: 1318 case F_SETLK: 1319 case F_SETLKW: 1320 break; 1321 case F_SETFL: 1322 case F_GETFL: 1323 case F_GETFD: 1324 break; 1325 default: 1326 e = (au_event_t)AUE_NULL; 1327 break; 1328 } 1329 return ((au_event_t)e); 1330 } 1331 1332 /* null function for now */ 1333 static au_event_t 1334 aui_execv(au_event_t e) 1335 { 1336 return (e); 1337 } 1338 1339 /* null function for now */ 1340 static au_event_t 1341 aui_execve(au_event_t e) 1342 { 1343 return (e); 1344 } 1345 1346 /*ARGSUSED*/ 1347 static void 1348 aus_fcntl(struct t_audit_data *tad) 1349 { 1350 klwp_t *clwp = ttolwp(curthread); 1351 uint32_t cmd, fd; 1352 struct file *fp; 1353 struct vnode *vp; 1354 struct f_audit_data *fad; 1355 1356 struct a { 1357 long fd; 1358 long cmd; 1359 long arg; 1360 } *uap = (struct a *)clwp->lwp_ap; 1361 1362 cmd = (uint32_t)uap->cmd; 1363 fd = (uint32_t)uap->fd; 1364 1365 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1366 1367 /* 1368 * convert file pointer to file descriptor 1369 * Note: fd ref count incremented here. 1370 */ 1371 if ((fp = getf(fd)) == NULL) 1372 return; 1373 1374 /* get path from file struct here */ 1375 fad = F2A(fp); 1376 if (fad->fad_aupath != NULL) { 1377 au_uwrite(au_to_path(fad->fad_aupath)); 1378 } else { 1379 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1380 } 1381 1382 vp = fp->f_vnode; 1383 audit_attributes(vp); 1384 1385 /* decrement file descriptor reference count */ 1386 releasef(fd); 1387 } 1388 1389 /*ARGSUSED*/ 1390 static void 1391 aus_kill(struct t_audit_data *tad) 1392 { 1393 klwp_t *clwp = ttolwp(curthread); 1394 struct proc *p; 1395 uint32_t signo; 1396 uid_t uid, ruid; 1397 gid_t gid, rgid; 1398 pid_t pid; 1399 const auditinfo_addr_t *ainfo; 1400 cred_t *cr; 1401 1402 struct a { 1403 long pid; 1404 long signo; 1405 } *uap = (struct a *)clwp->lwp_ap; 1406 1407 pid = (pid_t)uap->pid; 1408 signo = (uint32_t)uap->signo; 1409 1410 au_uwrite(au_to_arg32(2, "signal", signo)); 1411 if (pid > 0) { 1412 mutex_enter(&pidlock); 1413 if (((p = prfind(pid)) == (struct proc *)0) || 1414 (p->p_stat == SIDL)) { 1415 mutex_exit(&pidlock); 1416 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1417 return; 1418 } 1419 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1420 mutex_exit(&pidlock); 1421 1422 mutex_enter(&p->p_crlock); 1423 crhold(cr = p->p_cred); 1424 mutex_exit(&p->p_crlock); 1425 mutex_exit(&p->p_lock); 1426 1427 ainfo = crgetauinfo(cr); 1428 if (ainfo == NULL) { 1429 crfree(cr); 1430 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1431 return; 1432 } 1433 1434 uid = crgetuid(cr); 1435 gid = crgetgid(cr); 1436 ruid = crgetruid(cr); 1437 rgid = crgetrgid(cr); 1438 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1439 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1440 1441 if (is_system_labeled()) 1442 au_uwrite(au_to_label(CR_SL(cr))); 1443 1444 crfree(cr); 1445 } 1446 else 1447 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1448 } 1449 1450 /*ARGSUSED*/ 1451 static void 1452 aus_mkdir(struct t_audit_data *tad) 1453 { 1454 klwp_t *clwp = ttolwp(curthread); 1455 uint32_t dmode; 1456 1457 struct a { 1458 long dirnamep; /* char * */ 1459 long dmode; 1460 } *uap = (struct a *)clwp->lwp_ap; 1461 1462 dmode = (uint32_t)uap->dmode; 1463 1464 au_uwrite(au_to_arg32(2, "mode", dmode)); 1465 } 1466 1467 /*ARGSUSED*/ 1468 static void 1469 aus_mknod(struct t_audit_data *tad) 1470 { 1471 klwp_t *clwp = ttolwp(curthread); 1472 uint32_t fmode; 1473 dev_t dev; 1474 1475 struct a { 1476 long pnamep; /* char * */ 1477 long fmode; 1478 long dev; 1479 } *uap = (struct a *)clwp->lwp_ap; 1480 1481 fmode = (uint32_t)uap->fmode; 1482 dev = (dev_t)uap->dev; 1483 1484 au_uwrite(au_to_arg32(2, "mode", fmode)); 1485 #ifdef _LP64 1486 au_uwrite(au_to_arg64(3, "dev", dev)); 1487 #else 1488 au_uwrite(au_to_arg32(3, "dev", dev)); 1489 #endif 1490 } 1491 1492 /*ARGSUSED*/ 1493 static void 1494 aus_xmknod(struct t_audit_data *tad) 1495 { 1496 klwp_t *clwp = ttolwp(curthread); 1497 uint32_t fmode; 1498 dev_t dev; 1499 1500 struct a { 1501 long version; /* version */ 1502 long pnamep; /* char * */ 1503 long fmode; 1504 long dev; 1505 } *uap = (struct a *)clwp->lwp_ap; 1506 1507 fmode = (uint32_t)uap->fmode; 1508 dev = (dev_t)uap->dev; 1509 1510 au_uwrite(au_to_arg32(2, "mode", fmode)); 1511 #ifdef _LP64 1512 au_uwrite(au_to_arg64(3, "dev", dev)); 1513 #else 1514 au_uwrite(au_to_arg32(3, "dev", dev)); 1515 #endif 1516 } 1517 1518 /*ARGSUSED*/ 1519 static void 1520 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1521 { 1522 klwp_t *clwp = ttolwp(curthread); 1523 vnode_t *dvp; 1524 caddr_t pnamep; 1525 1526 struct a { 1527 long pnamep; /* char * */ 1528 long fmode; 1529 long dev; 1530 } *uap = (struct a *)clwp->lwp_ap; 1531 1532 /* no error, then already path token in audit record */ 1533 if (error != EPERM) 1534 return; 1535 1536 /* not auditing this event, nothing then to do */ 1537 if (tad->tad_flag == 0) 1538 return; 1539 1540 /* do the lookup to force generation of path token */ 1541 pnamep = (caddr_t)uap->pnamep; 1542 tad->tad_ctrl |= PAD_NOATTRB; 1543 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1544 if (error == 0) 1545 VN_RELE(dvp); 1546 } 1547 1548 /*ARGSUSED*/ 1549 static void 1550 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1551 { 1552 klwp_t *clwp = ttolwp(curthread); 1553 vnode_t *dvp; 1554 caddr_t pnamep; 1555 1556 struct a { 1557 long version; /* version */ 1558 long pnamep; /* char * */ 1559 long fmode; 1560 long dev; 1561 } *uap = (struct a *)clwp->lwp_arg; 1562 1563 1564 /* no error, then already path token in audit record */ 1565 if (error != EPERM) 1566 return; 1567 1568 /* not auditing this event, nothing then to do */ 1569 if (tad->tad_flag == 0) 1570 return; 1571 1572 /* do the lookup to force generation of path token */ 1573 pnamep = (caddr_t)uap->pnamep; 1574 tad->tad_ctrl |= PAD_NOATTRB; 1575 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1576 if (error == 0) 1577 VN_RELE(dvp); 1578 } 1579 1580 /*ARGSUSED*/ 1581 static void 1582 aus_mount(struct t_audit_data *tad) 1583 { /* AUS_START */ 1584 klwp_t *clwp = ttolwp(curthread); 1585 uint32_t flags; 1586 uintptr_t u_fstype, dataptr; 1587 STRUCT_DECL(nfs_args, nfsargs); 1588 size_t len; 1589 char *fstype, *hostname; 1590 1591 struct a { 1592 long spec; /* char * */ 1593 long dir; /* char * */ 1594 long flags; 1595 long fstype; /* char * */ 1596 long dataptr; /* char * */ 1597 long datalen; 1598 } *uap = (struct a *)clwp->lwp_ap; 1599 1600 u_fstype = (uintptr_t)uap->fstype; 1601 flags = (uint32_t)uap->flags; 1602 dataptr = (uintptr_t)uap->dataptr; 1603 1604 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1605 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1606 goto mount_free_fstype; 1607 1608 au_uwrite(au_to_arg32(3, "flags", flags)); 1609 au_uwrite(au_to_text(fstype)); 1610 1611 if (strncmp(fstype, "nfs", 3) == 0) { 1612 1613 STRUCT_INIT(nfsargs, get_udatamodel()); 1614 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1615 1616 if (copyin((caddr_t)dataptr, 1617 STRUCT_BUF(nfsargs), 1618 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1619 /* DEBUG debug_enter((char *)NULL); */ 1620 goto mount_free_fstype; 1621 } 1622 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1623 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1624 (caddr_t)hostname, 1625 MAXNAMELEN, &len)) { 1626 goto mount_free_hostname; 1627 } 1628 au_uwrite(au_to_text(hostname)); 1629 au_uwrite(au_to_arg32(3, "internal flags", 1630 (uint_t)STRUCT_FGET(nfsargs, flags))); 1631 1632 mount_free_hostname: 1633 kmem_free(hostname, MAXNAMELEN); 1634 } 1635 1636 mount_free_fstype: 1637 kmem_free(fstype, MAXNAMELEN); 1638 } /* AUS_MOUNT */ 1639 1640 static void 1641 aus_umount_path(caddr_t umount_dir) 1642 { 1643 char *dir_path; 1644 struct audit_path *path; 1645 size_t path_len, dir_len; 1646 1647 /* length alloc'd for two string pointers */ 1648 path_len = sizeof (struct audit_path) + sizeof (char *); 1649 path = kmem_alloc(path_len, KM_SLEEP); 1650 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1651 1652 if (copyinstr(umount_dir, (caddr_t)dir_path, 1653 MAXPATHLEN, &dir_len)) 1654 goto umount2_free_dir; 1655 1656 /* 1657 * the audit_path struct assumes that the buffer pointed to 1658 * by audp_sect[n] contains string 0 immediatedly followed 1659 * by string 1. 1660 */ 1661 path->audp_sect[0] = dir_path; 1662 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1663 path->audp_size = path_len; 1664 path->audp_ref = 1; /* not used */ 1665 path->audp_cnt = 1; /* one path string */ 1666 1667 au_uwrite(au_to_path(path)); 1668 1669 umount2_free_dir: 1670 kmem_free(dir_path, MAXPATHLEN); 1671 kmem_free(path, path_len); 1672 } 1673 1674 /* 1675 * the umount syscall is implemented as a call to umount2, but the args 1676 * are different... 1677 */ 1678 1679 /*ARGSUSED*/ 1680 static void 1681 aus_umount(struct t_audit_data *tad) 1682 { 1683 klwp_t *clwp = ttolwp(curthread); 1684 struct a { 1685 long dir; /* char * */ 1686 } *uap = (struct a *)clwp->lwp_ap; 1687 1688 aus_umount_path((caddr_t)uap->dir); 1689 } 1690 1691 /*ARGSUSED*/ 1692 static void 1693 aus_umount2(struct t_audit_data *tad) 1694 { 1695 klwp_t *clwp = ttolwp(curthread); 1696 struct a { 1697 long dir; /* char * */ 1698 long flags; 1699 } *uap = (struct a *)clwp->lwp_ap; 1700 1701 aus_umount_path((caddr_t)uap->dir); 1702 1703 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1704 } 1705 1706 static void 1707 aus_msgsys(struct t_audit_data *tad) 1708 { 1709 klwp_t *clwp = ttolwp(curthread); 1710 uint32_t msgid; 1711 1712 struct b { 1713 long msgid; 1714 long cmd; 1715 long buf; /* struct msqid_ds * */ 1716 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1717 1718 msgid = (uint32_t)uap1->msgid; 1719 1720 1721 switch (tad->tad_event) { 1722 case AUE_MSGGET: /* msgget */ 1723 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1724 break; 1725 case AUE_MSGCTL: /* msgctl */ 1726 case AUE_MSGCTL_RMID: /* msgctl */ 1727 case AUE_MSGCTL_STAT: /* msgctl */ 1728 case AUE_MSGRCV: /* msgrcv */ 1729 case AUE_MSGSND: /* msgsnd */ 1730 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1731 break; 1732 case AUE_MSGCTL_SET: /* msgctl */ 1733 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1734 break; 1735 } 1736 } 1737 1738 /*ARGSUSED*/ 1739 static void 1740 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1741 { 1742 int id; 1743 1744 if (error != 0) 1745 return; 1746 if (tad->tad_event == AUE_MSGGET) { 1747 uint32_t scid; 1748 uint32_t sy_flags; 1749 1750 /* need to determine type of executing binary */ 1751 scid = tad->tad_scid; 1752 #ifdef _SYSCALL32_IMPL 1753 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1754 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1755 else 1756 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1757 #else 1758 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1759 #endif 1760 if (sy_flags == SE_32RVAL1) 1761 id = rval->r_val1; 1762 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1763 id = rval->r_val1; 1764 if (sy_flags == SE_64RVAL) 1765 id = (int)rval->r_vals; 1766 1767 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1768 } 1769 } 1770 1771 static void 1772 aus_semsys(struct t_audit_data *tad) 1773 { 1774 klwp_t *clwp = ttolwp(curthread); 1775 uint32_t semid; 1776 1777 struct b { /* ctrl */ 1778 long semid; 1779 long semnum; 1780 long cmd; 1781 long arg; 1782 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1783 1784 semid = (uint32_t)uap1->semid; 1785 1786 switch (tad->tad_event) { 1787 case AUE_SEMCTL_RMID: 1788 case AUE_SEMCTL_STAT: 1789 case AUE_SEMCTL_GETNCNT: 1790 case AUE_SEMCTL_GETPID: 1791 case AUE_SEMCTL_GETVAL: 1792 case AUE_SEMCTL_GETALL: 1793 case AUE_SEMCTL_GETZCNT: 1794 case AUE_SEMCTL_SETVAL: 1795 case AUE_SEMCTL_SETALL: 1796 case AUE_SEMCTL: 1797 case AUE_SEMOP: 1798 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1799 break; 1800 case AUE_SEMCTL_SET: 1801 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1802 break; 1803 case AUE_SEMGET: 1804 au_uwrite(au_to_arg32(1, "sem key", semid)); 1805 break; 1806 } 1807 } 1808 1809 /*ARGSUSED*/ 1810 static void 1811 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1812 { 1813 int id; 1814 1815 if (error != 0) 1816 return; 1817 if (tad->tad_event == AUE_SEMGET) { 1818 uint32_t scid; 1819 uint32_t sy_flags; 1820 1821 /* need to determine type of executing binary */ 1822 scid = tad->tad_scid; 1823 #ifdef _SYSCALL32_IMPL 1824 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1825 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1826 else 1827 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1828 #else 1829 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1830 #endif 1831 if (sy_flags == SE_32RVAL1) 1832 id = rval->r_val1; 1833 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1834 id = rval->r_val1; 1835 if (sy_flags == SE_64RVAL) 1836 id = (int)rval->r_vals; 1837 1838 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1839 } 1840 } 1841 1842 /*ARGSUSED*/ 1843 static void 1844 aus_close(struct t_audit_data *tad) 1845 { 1846 klwp_t *clwp = ttolwp(curthread); 1847 uint32_t fd; 1848 struct file *fp; 1849 struct f_audit_data *fad; 1850 struct vnode *vp; 1851 struct vattr attr; 1852 au_kcontext_t *kctx = GET_KCTX_PZ; 1853 1854 struct a { 1855 long i; 1856 } *uap = (struct a *)clwp->lwp_ap; 1857 1858 fd = (uint32_t)uap->i; 1859 1860 attr.va_mask = 0; 1861 au_uwrite(au_to_arg32(1, "fd", fd)); 1862 1863 /* 1864 * convert file pointer to file descriptor 1865 * Note: fd ref count incremented here. 1866 */ 1867 if ((fp = getf(fd)) == NULL) 1868 return; 1869 1870 fad = F2A(fp); 1871 tad->tad_evmod = (short)fad->fad_flags; 1872 if (fad->fad_aupath != NULL) { 1873 au_uwrite(au_to_path(fad->fad_aupath)); 1874 if ((vp = fp->f_vnode) != NULL) { 1875 attr.va_mask = AT_ALL; 1876 if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) { 1877 /* 1878 * When write was not used and the file can be 1879 * considered public, skip the audit. 1880 */ 1881 if (((fp->f_flag & FWRITE) == 0) && 1882 file_is_public(&attr)) { 1883 tad->tad_flag = 0; 1884 tad->tad_evmod = 0; 1885 /* free any residual audit data */ 1886 au_close(kctx, &(u_ad), 0, 0, 0); 1887 releasef(fd); 1888 return; 1889 } 1890 au_uwrite(au_to_attr(&attr)); 1891 audit_sec_attributes(&(u_ad), vp); 1892 } 1893 } 1894 } 1895 1896 /* decrement file descriptor reference count */ 1897 releasef(fd); 1898 } 1899 1900 /*ARGSUSED*/ 1901 static void 1902 aus_fstatfs(struct t_audit_data *tad) 1903 { 1904 klwp_t *clwp = ttolwp(curthread); 1905 uint32_t fd; 1906 struct file *fp; 1907 struct vnode *vp; 1908 struct f_audit_data *fad; 1909 1910 struct a { 1911 long fd; 1912 long buf; /* struct statfs * */ 1913 } *uap = (struct a *)clwp->lwp_ap; 1914 1915 fd = (uint_t)uap->fd; 1916 1917 /* 1918 * convert file pointer to file descriptor 1919 * Note: fd ref count incremented here. 1920 */ 1921 if ((fp = getf(fd)) == NULL) 1922 return; 1923 1924 /* get path from file struct here */ 1925 fad = F2A(fp); 1926 if (fad->fad_aupath != NULL) { 1927 au_uwrite(au_to_path(fad->fad_aupath)); 1928 } else { 1929 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1930 } 1931 1932 vp = fp->f_vnode; 1933 audit_attributes(vp); 1934 1935 /* decrement file descriptor reference count */ 1936 releasef(fd); 1937 } 1938 1939 #ifdef NOTYET 1940 /*ARGSUSED*/ 1941 static void 1942 aus_setpgrp(struct t_audit_data *tad) 1943 { 1944 klwp_t *clwp = ttolwp(curthread); 1945 uint32_t pgrp; 1946 struct proc *p; 1947 uid_t uid, ruid; 1948 gid_t gid, rgid; 1949 pid_t pid; 1950 const auditinfo_addr_t *ainfo; 1951 cred_t *cr; 1952 1953 struct a { 1954 long pid; 1955 long pgrp; 1956 } *uap = (struct a *)clwp->lwp_ap; 1957 1958 pid = (pid_t)uap->pid; 1959 pgrp = (uint32_t)uap->pgrp; 1960 1961 /* current process? */ 1962 if (pid == 0) 1963 (return); 1964 1965 mutex_enter(&pidlock); 1966 p = prfind(pid); 1967 if (p == NULL || p->p_as == &kas) { 1968 mutex_exit(&pidlock); 1969 return; 1970 } 1971 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1972 mutex_exit(&pidlock); 1973 1974 mutex_enter(&p->p_crlock); 1975 crhold(cr = p->p_cred); 1976 mutex_exit(&p->p_crlock); 1977 mutex_exit(&p->p_lock); 1978 1979 ainfo = crgetauinfo(cr); 1980 if (ainfo == NULL) { 1981 crfree(cr); 1982 return; 1983 } 1984 1985 uid = crgetuid(cr); 1986 gid = crgetgid(cr); 1987 ruid = crgetruid(cr); 1988 rgid = crgetrgid(cr); 1989 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1990 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1991 crfree(cr); 1992 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1993 } 1994 #endif 1995 1996 /*ARGSUSED*/ 1997 static void 1998 aus_setregid(struct t_audit_data *tad) 1999 { 2000 klwp_t *clwp = ttolwp(curthread); 2001 uint32_t rgid, egid; 2002 2003 struct a { 2004 long rgid; 2005 long egid; 2006 } *uap = (struct a *)clwp->lwp_ap; 2007 2008 rgid = (uint32_t)uap->rgid; 2009 egid = (uint32_t)uap->egid; 2010 2011 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2012 au_uwrite(au_to_arg32(2, "egid", egid)); 2013 } 2014 2015 /*ARGSUSED*/ 2016 static void 2017 aus_setgid(struct t_audit_data *tad) 2018 { 2019 klwp_t *clwp = ttolwp(curthread); 2020 uint32_t gid; 2021 2022 struct a { 2023 long gid; 2024 } *uap = (struct a *)clwp->lwp_ap; 2025 2026 gid = (uint32_t)uap->gid; 2027 2028 au_uwrite(au_to_arg32(1, "gid", gid)); 2029 } 2030 2031 2032 /*ARGSUSED*/ 2033 static void 2034 aus_setreuid(struct t_audit_data *tad) 2035 { 2036 klwp_t *clwp = ttolwp(curthread); 2037 uint32_t ruid, euid; 2038 2039 struct a { 2040 long ruid; 2041 long euid; 2042 } *uap = (struct a *)clwp->lwp_ap; 2043 2044 ruid = (uint32_t)uap->ruid; 2045 euid = (uint32_t)uap->euid; 2046 2047 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2048 au_uwrite(au_to_arg32(2, "euid", euid)); 2049 } 2050 2051 2052 /*ARGSUSED*/ 2053 static void 2054 aus_setuid(struct t_audit_data *tad) 2055 { 2056 klwp_t *clwp = ttolwp(curthread); 2057 uint32_t uid; 2058 2059 struct a { 2060 long uid; 2061 } *uap = (struct a *)clwp->lwp_ap; 2062 2063 uid = (uint32_t)uap->uid; 2064 2065 au_uwrite(au_to_arg32(1, "uid", uid)); 2066 } 2067 2068 /*ARGSUSED*/ 2069 static void 2070 aus_shmsys(struct t_audit_data *tad) 2071 { 2072 klwp_t *clwp = ttolwp(curthread); 2073 uint32_t id, cmd; 2074 2075 struct b { 2076 long id; 2077 long cmd; 2078 long buf; /* struct shmid_ds * */ 2079 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2080 2081 id = (uint32_t)uap1->id; 2082 cmd = (uint32_t)uap1->cmd; 2083 2084 switch (tad->tad_event) { 2085 case AUE_SHMGET: /* shmget */ 2086 au_uwrite(au_to_arg32(1, "shm key", id)); 2087 break; 2088 case AUE_SHMCTL: /* shmctl */ 2089 case AUE_SHMCTL_RMID: /* shmctl */ 2090 case AUE_SHMCTL_STAT: /* shmctl */ 2091 case AUE_SHMCTL_SET: /* shmctl */ 2092 au_uwrite(au_to_arg32(1, "shm ID", id)); 2093 break; 2094 case AUE_SHMDT: /* shmdt */ 2095 au_uwrite(au_to_arg32(1, "shm adr", id)); 2096 break; 2097 case AUE_SHMAT: /* shmat */ 2098 au_uwrite(au_to_arg32(1, "shm ID", id)); 2099 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2100 break; 2101 } 2102 } 2103 2104 /*ARGSUSED*/ 2105 static void 2106 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2107 { 2108 int id; 2109 2110 if (error != 0) 2111 return; 2112 if (tad->tad_event == AUE_SHMGET) { 2113 uint32_t scid; 2114 uint32_t sy_flags; 2115 2116 /* need to determine type of executing binary */ 2117 scid = tad->tad_scid; 2118 #ifdef _SYSCALL32_IMPL 2119 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2120 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2121 else 2122 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2123 #else 2124 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2125 #endif 2126 if (sy_flags == SE_32RVAL1) 2127 id = rval->r_val1; 2128 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2129 id = rval->r_val1; 2130 if (sy_flags == SE_64RVAL) 2131 id = (int)rval->r_vals; 2132 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2133 } 2134 } 2135 2136 2137 /*ARGSUSED*/ 2138 static void 2139 aus_ioctl(struct t_audit_data *tad) 2140 { 2141 klwp_t *clwp = ttolwp(curthread); 2142 struct file *fp; 2143 struct vnode *vp; 2144 struct f_audit_data *fad; 2145 uint32_t fd, cmd; 2146 uintptr_t cmarg; 2147 2148 /* XX64 */ 2149 struct a { 2150 long fd; 2151 long cmd; 2152 long cmarg; /* caddr_t */ 2153 } *uap = (struct a *)clwp->lwp_ap; 2154 2155 fd = (uint32_t)uap->fd; 2156 cmd = (uint32_t)uap->cmd; 2157 cmarg = (uintptr_t)uap->cmarg; 2158 2159 /* 2160 * convert file pointer to file descriptor 2161 * Note: fd ref count incremented here. 2162 */ 2163 if ((fp = getf(fd)) == NULL) { 2164 au_uwrite(au_to_arg32(1, "fd", fd)); 2165 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2166 #ifndef _LP64 2167 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2168 #else 2169 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2170 #endif 2171 return; 2172 } 2173 2174 /* get path from file struct here */ 2175 fad = F2A(fp); 2176 if (fad->fad_aupath != NULL) { 2177 au_uwrite(au_to_path(fad->fad_aupath)); 2178 } else { 2179 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2180 } 2181 2182 vp = fp->f_vnode; 2183 audit_attributes(vp); 2184 2185 /* decrement file descriptor reference count */ 2186 releasef(fd); 2187 2188 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2189 #ifndef _LP64 2190 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2191 #else 2192 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2193 #endif 2194 } 2195 2196 /* 2197 * null function for memcntl for now. We might want to limit memcntl() 2198 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2199 * require privileges. 2200 */ 2201 static au_event_t 2202 aui_memcntl(au_event_t e) 2203 { 2204 return (e); 2205 } 2206 2207 /*ARGSUSED*/ 2208 static au_event_t 2209 aui_privsys(au_event_t e) 2210 { 2211 klwp_t *clwp = ttolwp(curthread); 2212 2213 struct a { 2214 long opcode; 2215 } *uap = (struct a *)clwp->lwp_ap; 2216 2217 switch (uap->opcode) { 2218 case PRIVSYS_SETPPRIV: 2219 return (AUE_SETPPRIV); 2220 default: 2221 return (AUE_NULL); 2222 } 2223 } 2224 2225 /*ARGSUSED*/ 2226 static void 2227 aus_memcntl(struct t_audit_data *tad) 2228 { 2229 klwp_t *clwp = ttolwp(curthread); 2230 2231 struct a { 2232 long addr; 2233 long len; 2234 long cmd; 2235 long arg; 2236 long attr; 2237 long mask; 2238 } *uap = (struct a *)clwp->lwp_ap; 2239 2240 #ifdef _LP64 2241 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2242 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2243 #else 2244 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2245 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2246 #endif 2247 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2248 #ifdef _LP64 2249 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2250 #else 2251 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2252 #endif 2253 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2254 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2255 } 2256 2257 /*ARGSUSED*/ 2258 static void 2259 aus_mmap(struct t_audit_data *tad) 2260 { 2261 klwp_t *clwp = ttolwp(curthread); 2262 struct file *fp; 2263 struct f_audit_data *fad; 2264 struct vnode *vp; 2265 uint32_t fd; 2266 2267 struct a { 2268 long addr; 2269 long len; 2270 long prot; 2271 long flags; 2272 long fd; 2273 long pos; 2274 } *uap = (struct a *)clwp->lwp_ap; 2275 2276 fd = (uint32_t)uap->fd; 2277 2278 #ifdef _LP64 2279 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2280 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2281 #else 2282 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2283 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2284 #endif 2285 2286 if ((fp = getf(fd)) == NULL) { 2287 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2288 return; 2289 } 2290 2291 /* 2292 * Mark in the tad if write access is NOT requested... if 2293 * this is later detected (in audit_attributes) to be a 2294 * public object, the mmap event may be discarded. 2295 */ 2296 if (((uap->prot) & PROT_WRITE) == 0) { 2297 tad->tad_ctrl |= PAD_PUBLIC_EV; 2298 } 2299 2300 fad = F2A(fp); 2301 if (fad->fad_aupath != NULL) { 2302 au_uwrite(au_to_path(fad->fad_aupath)); 2303 } else { 2304 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2305 } 2306 2307 vp = (struct vnode *)fp->f_vnode; 2308 audit_attributes(vp); 2309 2310 /* mark READ/WRITE since we can't predict access */ 2311 if (uap->prot & PROT_READ) 2312 fad->fad_flags |= FAD_READ; 2313 if (uap->prot & PROT_WRITE) 2314 fad->fad_flags |= FAD_WRITE; 2315 2316 /* decrement file descriptor reference count */ 2317 releasef(fd); 2318 2319 } /* AUS_MMAP */ 2320 2321 2322 2323 2324 /*ARGSUSED*/ 2325 static void 2326 aus_munmap(struct t_audit_data *tad) 2327 { 2328 klwp_t *clwp = ttolwp(curthread); 2329 2330 struct a { 2331 long addr; 2332 long len; 2333 } *uap = (struct a *)clwp->lwp_ap; 2334 2335 #ifdef _LP64 2336 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2337 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2338 #else 2339 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2340 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2341 #endif 2342 2343 } /* AUS_MUNMAP */ 2344 2345 2346 2347 2348 2349 2350 2351 /*ARGSUSED*/ 2352 static void 2353 aus_priocntlsys(struct t_audit_data *tad) 2354 { 2355 klwp_t *clwp = ttolwp(curthread); 2356 2357 struct a { 2358 long pc_version; 2359 long psp; /* procset_t */ 2360 long cmd; 2361 long arg; 2362 } *uap = (struct a *)clwp->lwp_ap; 2363 2364 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2365 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2366 2367 } /* AUS_PRIOCNTLSYS */ 2368 2369 2370 /*ARGSUSED*/ 2371 static void 2372 aus_setegid(struct t_audit_data *tad) 2373 { 2374 klwp_t *clwp = ttolwp(curthread); 2375 uint32_t gid; 2376 2377 struct a { 2378 long gid; 2379 } *uap = (struct a *)clwp->lwp_ap; 2380 2381 gid = (uint32_t)uap->gid; 2382 2383 au_uwrite(au_to_arg32(1, "gid", gid)); 2384 } /* AUS_SETEGID */ 2385 2386 2387 2388 2389 /*ARGSUSED*/ 2390 static void 2391 aus_setgroups(struct t_audit_data *tad) 2392 { 2393 klwp_t *clwp = ttolwp(curthread); 2394 int i; 2395 int gidsetsize; 2396 uintptr_t gidset; 2397 gid_t *gidlist; 2398 2399 struct a { 2400 long gidsetsize; 2401 long gidset; 2402 } *uap = (struct a *)clwp->lwp_ap; 2403 2404 gidsetsize = (uint_t)uap->gidsetsize; 2405 gidset = (uintptr_t)uap->gidset; 2406 2407 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2408 return; 2409 if (gidsetsize != 0) { 2410 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2411 KM_SLEEP); 2412 if (copyin((caddr_t)gidset, gidlist, 2413 gidsetsize * sizeof (gid_t)) == 0) 2414 for (i = 0; i < gidsetsize; i++) 2415 au_uwrite(au_to_arg32(1, "setgroups", 2416 (uint32_t)gidlist[i])); 2417 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2418 } else 2419 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2420 2421 } /* AUS_SETGROUPS */ 2422 2423 2424 2425 2426 2427 /*ARGSUSED*/ 2428 static void 2429 aus_seteuid(struct t_audit_data *tad) 2430 { 2431 klwp_t *clwp = ttolwp(curthread); 2432 uint32_t uid; 2433 2434 struct a { 2435 long uid; 2436 } *uap = (struct a *)clwp->lwp_ap; 2437 2438 uid = (uint32_t)uap->uid; 2439 2440 au_uwrite(au_to_arg32(1, "euid", uid)); 2441 2442 } /* AUS_SETEUID */ 2443 2444 /*ARGSUSED*/ 2445 static void 2446 aus_putmsg(struct t_audit_data *tad) 2447 { 2448 klwp_t *clwp = ttolwp(curthread); 2449 uint32_t fd, pri; 2450 struct file *fp; 2451 struct f_audit_data *fad; 2452 2453 struct a { 2454 long fdes; 2455 long ctl; /* struct strbuf * */ 2456 long data; /* struct strbuf * */ 2457 long pri; 2458 } *uap = (struct a *)clwp->lwp_ap; 2459 2460 fd = (uint32_t)uap->fdes; 2461 pri = (uint32_t)uap->pri; 2462 2463 au_uwrite(au_to_arg32(1, "fd", fd)); 2464 2465 if ((fp = getf(fd)) != NULL) { 2466 fad = F2A(fp); 2467 2468 fad->fad_flags |= FAD_WRITE; 2469 2470 /* add path name to audit record */ 2471 if (fad->fad_aupath != NULL) { 2472 au_uwrite(au_to_path(fad->fad_aupath)); 2473 } 2474 audit_attributes(fp->f_vnode); 2475 2476 releasef(fd); 2477 } 2478 2479 au_uwrite(au_to_arg32(4, "pri", pri)); 2480 } 2481 2482 /*ARGSUSED*/ 2483 static void 2484 aus_putpmsg(struct t_audit_data *tad) 2485 { 2486 klwp_t *clwp = ttolwp(curthread); 2487 uint32_t fd, pri, flags; 2488 struct file *fp; 2489 struct f_audit_data *fad; 2490 2491 struct a { 2492 long fdes; 2493 long ctl; /* struct strbuf * */ 2494 long data; /* struct strbuf * */ 2495 long pri; 2496 long flags; 2497 } *uap = (struct a *)clwp->lwp_ap; 2498 2499 fd = (uint32_t)uap->fdes; 2500 pri = (uint32_t)uap->pri; 2501 flags = (uint32_t)uap->flags; 2502 2503 au_uwrite(au_to_arg32(1, "fd", fd)); 2504 2505 if ((fp = getf(fd)) != NULL) { 2506 fad = F2A(fp); 2507 2508 fad->fad_flags |= FAD_WRITE; 2509 2510 /* add path name to audit record */ 2511 if (fad->fad_aupath != NULL) { 2512 au_uwrite(au_to_path(fad->fad_aupath)); 2513 } 2514 audit_attributes(fp->f_vnode); 2515 2516 releasef(fd); 2517 } 2518 2519 2520 au_uwrite(au_to_arg32(4, "pri", pri)); 2521 au_uwrite(au_to_arg32(5, "flags", flags)); 2522 } 2523 2524 /*ARGSUSED*/ 2525 static void 2526 aus_getmsg(struct t_audit_data *tad) 2527 { 2528 klwp_t *clwp = ttolwp(curthread); 2529 uint32_t fd, pri; 2530 struct file *fp; 2531 struct f_audit_data *fad; 2532 2533 struct a { 2534 long fdes; 2535 long ctl; /* struct strbuf * */ 2536 long data; /* struct strbuf * */ 2537 long pri; 2538 } *uap = (struct a *)clwp->lwp_ap; 2539 2540 fd = (uint32_t)uap->fdes; 2541 pri = (uint32_t)uap->pri; 2542 2543 au_uwrite(au_to_arg32(1, "fd", fd)); 2544 2545 if ((fp = getf(fd)) != NULL) { 2546 fad = F2A(fp); 2547 2548 /* 2549 * read operation on this object 2550 */ 2551 fad->fad_flags |= FAD_READ; 2552 2553 /* add path name to audit record */ 2554 if (fad->fad_aupath != NULL) { 2555 au_uwrite(au_to_path(fad->fad_aupath)); 2556 } 2557 audit_attributes(fp->f_vnode); 2558 2559 releasef(fd); 2560 } 2561 2562 au_uwrite(au_to_arg32(4, "pri", pri)); 2563 } 2564 2565 /*ARGSUSED*/ 2566 static void 2567 aus_getpmsg(struct t_audit_data *tad) 2568 { 2569 klwp_t *clwp = ttolwp(curthread); 2570 uint32_t fd; 2571 struct file *fp; 2572 struct f_audit_data *fad; 2573 2574 struct a { 2575 long fdes; 2576 long ctl; /* struct strbuf * */ 2577 long data; /* struct strbuf * */ 2578 long pri; 2579 long flags; 2580 } *uap = (struct a *)clwp->lwp_ap; 2581 2582 fd = (uint32_t)uap->fdes; 2583 2584 au_uwrite(au_to_arg32(1, "fd", fd)); 2585 2586 if ((fp = getf(fd)) != NULL) { 2587 fad = F2A(fp); 2588 2589 /* 2590 * read operation on this object 2591 */ 2592 fad->fad_flags |= FAD_READ; 2593 2594 /* add path name to audit record */ 2595 if (fad->fad_aupath != NULL) { 2596 au_uwrite(au_to_path(fad->fad_aupath)); 2597 } 2598 audit_attributes(fp->f_vnode); 2599 2600 releasef(fd); 2601 } 2602 } 2603 2604 static au_event_t 2605 aui_auditsys(au_event_t e) 2606 { 2607 klwp_t *clwp = ttolwp(curthread); 2608 uint32_t code; 2609 2610 struct a { 2611 long code; 2612 long a1; 2613 long a2; 2614 long a3; 2615 long a4; 2616 long a5; 2617 long a6; 2618 long a7; 2619 } *uap = (struct a *)clwp->lwp_ap; 2620 2621 code = (uint32_t)uap->code; 2622 2623 switch (code) { 2624 2625 case BSM_GETAUID: 2626 e = AUE_GETAUID; 2627 break; 2628 case BSM_SETAUID: 2629 e = AUE_SETAUID; 2630 break; 2631 case BSM_GETAUDIT: 2632 e = AUE_GETAUDIT; 2633 break; 2634 case BSM_GETAUDIT_ADDR: 2635 e = AUE_GETAUDIT_ADDR; 2636 break; 2637 case BSM_SETAUDIT: 2638 e = AUE_SETAUDIT; 2639 break; 2640 case BSM_SETAUDIT_ADDR: 2641 e = AUE_SETAUDIT_ADDR; 2642 break; 2643 case BSM_AUDIT: 2644 e = AUE_AUDIT; 2645 break; 2646 case BSM_AUDITSVC: 2647 e = AUE_AUDITSVC; 2648 break; 2649 case BSM_GETPORTAUDIT: 2650 e = AUE_GETPORTAUDIT; 2651 break; 2652 case BSM_AUDITON: 2653 case BSM_AUDITCTL: 2654 2655 switch ((uint_t)uap->a1) { 2656 2657 case A_GETPOLICY: 2658 e = AUE_AUDITON_GPOLICY; 2659 break; 2660 case A_SETPOLICY: 2661 e = AUE_AUDITON_SPOLICY; 2662 break; 2663 case A_GETKMASK: 2664 e = AUE_AUDITON_GETKMASK; 2665 break; 2666 case A_SETKMASK: 2667 e = AUE_AUDITON_SETKMASK; 2668 break; 2669 case A_GETQCTRL: 2670 e = AUE_AUDITON_GQCTRL; 2671 break; 2672 case A_SETQCTRL: 2673 e = AUE_AUDITON_SQCTRL; 2674 break; 2675 case A_GETCWD: 2676 e = AUE_AUDITON_GETCWD; 2677 break; 2678 case A_GETCAR: 2679 e = AUE_AUDITON_GETCAR; 2680 break; 2681 case A_GETSTAT: 2682 e = AUE_AUDITON_GETSTAT; 2683 break; 2684 case A_SETSTAT: 2685 e = AUE_AUDITON_SETSTAT; 2686 break; 2687 case A_SETUMASK: 2688 e = AUE_AUDITON_SETUMASK; 2689 break; 2690 case A_SETSMASK: 2691 e = AUE_AUDITON_SETSMASK; 2692 break; 2693 case A_GETCOND: 2694 e = AUE_AUDITON_GETCOND; 2695 break; 2696 case A_SETCOND: 2697 e = AUE_AUDITON_SETCOND; 2698 break; 2699 case A_GETCLASS: 2700 e = AUE_AUDITON_GETCLASS; 2701 break; 2702 case A_SETCLASS: 2703 e = AUE_AUDITON_SETCLASS; 2704 break; 2705 default: 2706 e = AUE_NULL; 2707 break; 2708 } 2709 break; 2710 default: 2711 e = AUE_NULL; 2712 break; 2713 } 2714 2715 return (e); 2716 2717 2718 2719 2720 } /* AUI_AUDITSYS */ 2721 2722 2723 2724 2725 2726 2727 2728 static void 2729 aus_auditsys(struct t_audit_data *tad) 2730 { 2731 klwp_t *clwp = ttolwp(curthread); 2732 uintptr_t a1, a2; 2733 struct file *fp; 2734 struct f_audit_data *fad; 2735 struct vnode *vp; 2736 STRUCT_DECL(auditinfo, ainfo); 2737 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2738 au_evclass_map_t event; 2739 au_mask_t mask; 2740 int auditstate, policy; 2741 au_id_t auid; 2742 2743 2744 struct a { 2745 long code; 2746 long a1; 2747 long a2; 2748 long a3; 2749 long a4; 2750 long a5; 2751 long a6; 2752 long a7; 2753 } *uap = (struct a *)clwp->lwp_ap; 2754 2755 a1 = (uintptr_t)uap->a1; 2756 a2 = (uintptr_t)uap->a2; 2757 2758 switch (tad->tad_event) { 2759 case AUE_SETAUID: 2760 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2761 return; 2762 au_uwrite(au_to_arg32(2, "setauid", auid)); 2763 break; 2764 case AUE_SETAUDIT: 2765 STRUCT_INIT(ainfo, get_udatamodel()); 2766 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2767 STRUCT_SIZE(ainfo))) { 2768 return; 2769 } 2770 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2771 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2772 #ifdef _LP64 2773 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2774 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2775 #else 2776 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2777 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2778 #endif 2779 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2780 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2781 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2782 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2783 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2784 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2785 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2786 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2787 break; 2788 case AUE_SETAUDIT_ADDR: 2789 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2790 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2791 STRUCT_SIZE(ainfo_addr))) { 2792 return; 2793 } 2794 au_uwrite(au_to_arg32((char)1, "auid", 2795 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2796 #ifdef _LP64 2797 au_uwrite(au_to_arg64((char)1, "port", 2798 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2799 #else 2800 au_uwrite(au_to_arg32((char)1, "port", 2801 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2802 #endif 2803 au_uwrite(au_to_arg32((char)1, "type", 2804 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2805 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2806 AU_IPv4) { 2807 au_uwrite(au_to_in_addr( 2808 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2809 ai_termid.at_addr))); 2810 } else { 2811 au_uwrite(au_to_in_addr_ex( 2812 (int32_t *)STRUCT_FGETP(ainfo_addr, 2813 ai_termid.at_addr))); 2814 } 2815 au_uwrite(au_to_arg32((char)1, "as_success", 2816 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2817 au_uwrite(au_to_arg32((char)1, "as_failure", 2818 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2819 au_uwrite(au_to_arg32((char)1, "asid", 2820 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2821 break; 2822 case AUE_AUDITSVC: 2823 /* 2824 * convert file pointer to file descriptor 2825 * Note: fd ref count incremented here 2826 */ 2827 if ((fp = getf((uint_t)a1)) == NULL) 2828 return; 2829 fad = F2A(fp); 2830 if (fad->fad_aupath != NULL) { 2831 au_uwrite(au_to_path(fad->fad_aupath)); 2832 } else { 2833 au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1)); 2834 } 2835 2836 vp = fp->f_vnode; /* include vnode attributes */ 2837 audit_attributes(vp); 2838 2839 /* decrement file descriptor ref count */ 2840 releasef((uint_t)a1); 2841 2842 au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2)); 2843 break; 2844 case AUE_AUDITON_SETKMASK: 2845 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2846 return; 2847 au_uwrite(au_to_arg32( 2848 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2849 au_uwrite(au_to_arg32( 2850 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2851 break; 2852 case AUE_AUDITON_SPOLICY: 2853 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2854 return; 2855 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2856 break; 2857 case AUE_AUDITON_SQCTRL: { 2858 STRUCT_DECL(au_qctrl, qctrl); 2859 model_t model; 2860 2861 model = get_udatamodel(); 2862 STRUCT_INIT(qctrl, model); 2863 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2864 return; 2865 if (model == DATAMODEL_ILP32) { 2866 au_uwrite(au_to_arg32( 2867 3, "setqctrl:aq_hiwater", 2868 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2869 au_uwrite(au_to_arg32( 2870 3, "setqctrl:aq_lowater", 2871 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2872 au_uwrite(au_to_arg32( 2873 3, "setqctrl:aq_bufsz", 2874 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2875 au_uwrite(au_to_arg32( 2876 3, "setqctrl:aq_delay", 2877 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2878 } else { 2879 au_uwrite(au_to_arg64( 2880 3, "setqctrl:aq_hiwater", 2881 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2882 au_uwrite(au_to_arg64( 2883 3, "setqctrl:aq_lowater", 2884 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2885 au_uwrite(au_to_arg64( 2886 3, "setqctrl:aq_bufsz", 2887 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2888 au_uwrite(au_to_arg64( 2889 3, "setqctrl:aq_delay", 2890 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2891 } 2892 break; 2893 } 2894 case AUE_AUDITON_SETUMASK: 2895 STRUCT_INIT(ainfo, get_udatamodel()); 2896 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2897 STRUCT_SIZE(ainfo))) { 2898 return; 2899 } 2900 au_uwrite(au_to_arg32(3, "setumask:as_success", 2901 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2902 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2903 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2904 break; 2905 case AUE_AUDITON_SETSMASK: 2906 STRUCT_INIT(ainfo, get_udatamodel()); 2907 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2908 STRUCT_SIZE(ainfo))) { 2909 return; 2910 } 2911 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2912 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2913 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2914 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2915 break; 2916 case AUE_AUDITON_SETCOND: 2917 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2918 return; 2919 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2920 break; 2921 case AUE_AUDITON_SETCLASS: 2922 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2923 return; 2924 au_uwrite(au_to_arg32( 2925 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2926 au_uwrite(au_to_arg32( 2927 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2928 break; 2929 case AUE_GETAUID: 2930 case AUE_GETAUDIT: 2931 case AUE_GETAUDIT_ADDR: 2932 case AUE_AUDIT: 2933 case AUE_GETPORTAUDIT: 2934 case AUE_AUDITON_GPOLICY: 2935 case AUE_AUDITON_GQCTRL: 2936 case AUE_AUDITON_GETKMASK: 2937 case AUE_AUDITON_GETCWD: 2938 case AUE_AUDITON_GETCAR: 2939 case AUE_AUDITON_GETSTAT: 2940 case AUE_AUDITON_SETSTAT: 2941 case AUE_AUDITON_GETCOND: 2942 case AUE_AUDITON_GETCLASS: 2943 break; 2944 default: 2945 break; 2946 } 2947 2948 } /* AUS_AUDITSYS */ 2949 2950 2951 /* only audit privileged operations for systeminfo(2) system call */ 2952 static au_event_t 2953 aui_sysinfo(au_event_t e) 2954 { 2955 klwp_t *clwp = ttolwp(curthread); 2956 uint32_t command; 2957 2958 struct a { 2959 long command; 2960 long buf; /* char * */ 2961 long count; 2962 } *uap = (struct a *)clwp->lwp_ap; 2963 2964 command = (uint32_t)uap->command; 2965 2966 switch (command) { 2967 case SI_SET_HOSTNAME: 2968 case SI_SET_SRPC_DOMAIN: 2969 e = (au_event_t)AUE_SYSINFO; 2970 break; 2971 default: 2972 e = (au_event_t)AUE_NULL; 2973 break; 2974 } 2975 return (e); 2976 } 2977 2978 /*ARGSUSED*/ 2979 static void 2980 aus_sysinfo(struct t_audit_data *tad) 2981 { 2982 klwp_t *clwp = ttolwp(curthread); 2983 uint32_t command; 2984 size_t len, maxlen; 2985 char *name; 2986 uintptr_t buf; 2987 2988 struct a { 2989 long command; 2990 long buf; /* char * */ 2991 long count; 2992 } *uap = (struct a *)clwp->lwp_ap; 2993 2994 command = (uint32_t)uap->command; 2995 buf = (uintptr_t)uap->buf; 2996 2997 au_uwrite(au_to_arg32(1, "cmd", command)); 2998 2999 switch (command) { 3000 case SI_SET_HOSTNAME: 3001 { 3002 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3003 return; 3004 3005 maxlen = SYS_NMLN; 3006 name = kmem_alloc(maxlen, KM_SLEEP); 3007 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3008 break; 3009 3010 /* 3011 * Must be non-NULL string and string 3012 * must be less than SYS_NMLN chars. 3013 */ 3014 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3015 break; 3016 3017 au_uwrite(au_to_text(name)); 3018 break; 3019 } 3020 3021 case SI_SET_SRPC_DOMAIN: 3022 { 3023 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3024 return; 3025 3026 maxlen = SYS_NMLN; 3027 name = kmem_alloc(maxlen, KM_SLEEP); 3028 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3029 break; 3030 3031 /* 3032 * If string passed in is longer than length 3033 * allowed for domain name, fail. 3034 */ 3035 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3036 break; 3037 3038 au_uwrite(au_to_text(name)); 3039 break; 3040 } 3041 3042 default: 3043 return; 3044 } 3045 3046 kmem_free(name, maxlen); 3047 } 3048 3049 static au_event_t 3050 aui_modctl(au_event_t e) 3051 { 3052 klwp_t *clwp = ttolwp(curthread); 3053 uint_t cmd; 3054 3055 struct a { 3056 long cmd; 3057 } *uap = (struct a *)clwp->lwp_ap; 3058 3059 cmd = (uint_t)uap->cmd; 3060 3061 switch (cmd) { 3062 case MODLOAD: 3063 e = AUE_MODLOAD; 3064 break; 3065 case MODUNLOAD: 3066 e = AUE_MODUNLOAD; 3067 break; 3068 case MODADDMAJBIND: 3069 e = AUE_MODADDMAJ; 3070 break; 3071 case MODSETDEVPOLICY: 3072 e = AUE_MODDEVPLCY; 3073 break; 3074 case MODALLOCPRIV: 3075 e = AUE_MODADDPRIV; 3076 break; 3077 default: 3078 e = AUE_NULL; 3079 break; 3080 } 3081 return (e); 3082 } 3083 3084 3085 /*ARGSUSED*/ 3086 static void 3087 aus_modctl(struct t_audit_data *tad) 3088 { 3089 klwp_t *clwp = ttolwp(curthread); 3090 void *a = clwp->lwp_ap; 3091 uint_t use_path; 3092 3093 switch (tad->tad_event) { 3094 case AUE_MODLOAD: { 3095 typedef struct { 3096 long cmd; 3097 long use_path; 3098 long filename; /* char * */ 3099 } modloada_t; 3100 3101 char *filenamep; 3102 uintptr_t fname; 3103 extern char *default_path; 3104 3105 fname = (uintptr_t)((modloada_t *)a)->filename; 3106 use_path = (uint_t)((modloada_t *)a)->use_path; 3107 3108 /* space to hold path */ 3109 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3110 /* get string */ 3111 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3112 /* free allocated path */ 3113 kmem_free(filenamep, MOD_MAXPATH); 3114 return; 3115 } 3116 /* ensure it's null terminated */ 3117 filenamep[MOD_MAXPATH - 1] = 0; 3118 3119 if (use_path) 3120 au_uwrite(au_to_text(default_path)); 3121 au_uwrite(au_to_text(filenamep)); 3122 3123 /* release temporary memory */ 3124 kmem_free(filenamep, MOD_MAXPATH); 3125 break; 3126 } 3127 case AUE_MODUNLOAD: { 3128 typedef struct { 3129 long cmd; 3130 long id; 3131 } modunloada_t; 3132 3133 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3134 3135 au_uwrite(au_to_arg32(1, "id", id)); 3136 break; 3137 } 3138 case AUE_MODADDMAJ: { 3139 STRUCT_DECL(modconfig, mc); 3140 typedef struct { 3141 long cmd; 3142 long subcmd; 3143 long data; /* int * */ 3144 } modconfiga_t; 3145 3146 STRUCT_DECL(aliases, alias); 3147 caddr_t ap; 3148 int i, num_aliases; 3149 char *drvname, *mc_drvname; 3150 char *name; 3151 extern char *ddi_major_to_name(major_t); 3152 model_t model; 3153 3154 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3155 3156 model = get_udatamodel(); 3157 STRUCT_INIT(mc, model); 3158 /* sanitize buffer */ 3159 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3160 /* get user arguments */ 3161 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3162 STRUCT_SIZE(mc)) != 0) 3163 return; 3164 3165 mc_drvname = STRUCT_FGET(mc, drvname); 3166 if ((drvname = ddi_major_to_name( 3167 (major_t)STRUCT_FGET(mc, major))) != NULL && 3168 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3169 /* safety */ 3170 if (mc_drvname[0] != '\0') { 3171 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3172 au_uwrite(au_to_text(mc_drvname)); 3173 } 3174 /* drvname != NULL from test above */ 3175 au_uwrite(au_to_text(drvname)); 3176 return; 3177 } 3178 3179 if (mc_drvname[0] != '\0') { 3180 /* safety */ 3181 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3182 au_uwrite(au_to_text(mc_drvname)); 3183 } else 3184 au_uwrite(au_to_text("no drvname")); 3185 3186 num_aliases = STRUCT_FGET(mc, num_aliases); 3187 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3188 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3189 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3190 STRUCT_INIT(alias, model); 3191 for (i = 0; i < num_aliases; i++) { 3192 bzero((caddr_t)STRUCT_BUF(alias), 3193 STRUCT_SIZE(alias)); 3194 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3195 STRUCT_SIZE(alias)) != 0) 3196 break; 3197 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3198 MAXMODCONFNAME, NULL) != 0) { 3199 break; 3200 } 3201 3202 au_uwrite(au_to_text(name)); 3203 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3204 } 3205 kmem_free(name, MAXMODCONFNAME); 3206 break; 3207 } 3208 default: 3209 break; 3210 } 3211 } 3212 3213 /* 3214 * private version of getsonode that does not do eprintsoline() 3215 */ 3216 static struct sonode * 3217 au_getsonode(int sock, int *errorp, file_t **fpp) 3218 { 3219 file_t *fp; 3220 register vnode_t *vp; 3221 struct sonode *so; 3222 3223 if ((fp = getf(sock)) == NULL) { 3224 *errorp = EBADF; 3225 return (NULL); 3226 } 3227 vp = fp->f_vnode; 3228 /* Check if it is a socket */ 3229 if (vp->v_type != VSOCK) { 3230 releasef(sock); 3231 *errorp = ENOTSOCK; 3232 return (NULL); 3233 } 3234 /* 3235 * Use the stream head to find the real socket vnode. 3236 * This is needed when namefs sits above sockfs. 3237 */ 3238 ASSERT(vp->v_stream); 3239 ASSERT(vp->v_stream->sd_vnode); 3240 vp = vp->v_stream->sd_vnode; 3241 so = VTOSO(vp); 3242 if (so->so_version == SOV_STREAM) { 3243 releasef(sock); 3244 *errorp = ENOTSOCK; 3245 return (NULL); 3246 } 3247 if (fpp) 3248 *fpp = fp; 3249 return (so); 3250 } 3251 3252 /*ARGSUSED*/ 3253 static void 3254 auf_accept( 3255 struct t_audit_data *tad, 3256 int error, 3257 rval_t *rval) 3258 { 3259 uint32_t scid; 3260 uint32_t sy_flags; 3261 int fd; 3262 struct sonode *so; 3263 char so_laddr[sizeof (struct sockaddr_in6)]; 3264 char so_faddr[sizeof (struct sockaddr_in6)]; 3265 int err; 3266 int len; 3267 short so_family, so_type; 3268 int add_sock_token = 0; 3269 3270 /* need to determine type of executing binary */ 3271 scid = tad->tad_scid; 3272 #ifdef _SYSCALL32_IMPL 3273 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3274 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3275 else 3276 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3277 #else 3278 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3279 #endif 3280 if (sy_flags == SE_32RVAL1) 3281 fd = rval->r_val1; 3282 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3283 fd = rval->r_val1; 3284 if (sy_flags == SE_64RVAL) 3285 fd = (int)rval->r_vals; 3286 3287 if (error) { 3288 /* can't trust socket contents. Just return */ 3289 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3290 return; 3291 } 3292 3293 if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) { 3294 /* 3295 * not security relevant if doing a accept from non socket 3296 * so no extra tokens. Should probably turn off audit record 3297 * generation here. 3298 */ 3299 return; 3300 } 3301 3302 so_family = so->so_family; 3303 so_type = so->so_type; 3304 3305 switch (so_family) { 3306 case AF_INET: 3307 case AF_INET6: 3308 /* 3309 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3310 */ 3311 if (so->so_type == SOCK_STREAM) { 3312 3313 bzero((void *)so_laddr, sizeof (so_laddr)); 3314 bzero((void *)so_faddr, sizeof (so_faddr)); 3315 3316 /* 3317 * no local address then need to get it from lower 3318 * levels. only put out record on first read ala 3319 * AUE_WRITE. 3320 */ 3321 if (so->so_state & SS_ISBOUND) { 3322 /* only done once on a connection */ 3323 (void) SOP_GETSOCKNAME(so); 3324 (void) SOP_GETPEERNAME(so); 3325 3326 /* get local and foreign addresses */ 3327 mutex_enter(&so->so_lock); 3328 len = min(so->so_laddr_len, sizeof (so_laddr)); 3329 bcopy(so->so_laddr_sa, so_laddr, len); 3330 len = min(so->so_faddr_len, sizeof (so_faddr)); 3331 bcopy(so->so_faddr_sa, so_faddr, len); 3332 mutex_exit(&so->so_lock); 3333 } 3334 3335 add_sock_token = 1; 3336 } 3337 break; 3338 3339 default: 3340 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3341 break; 3342 } 3343 3344 releasef(fd); 3345 3346 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3347 3348 if (add_sock_token == 0) { 3349 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3350 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3351 return; 3352 } 3353 3354 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3355 3356 } 3357 3358 /*ARGSUSED*/ 3359 static void 3360 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3361 { 3362 struct a { 3363 long fd; 3364 long addr; 3365 long len; 3366 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3367 3368 struct sonode *so; 3369 char so_laddr[sizeof (struct sockaddr_in6)]; 3370 char so_faddr[sizeof (struct sockaddr_in6)]; 3371 int err, fd; 3372 int len; 3373 short so_family, so_type; 3374 int add_sock_token = 0; 3375 3376 fd = (int)uap->fd; 3377 3378 /* 3379 * bind failed, then nothing extra to add to audit record. 3380 */ 3381 if (error) { 3382 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3383 /* XXX may want to add failed address some day */ 3384 return; 3385 } 3386 3387 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3388 /* 3389 * not security relevant if doing a bind from non socket 3390 * so no extra tokens. Should probably turn off audit record 3391 * generation here. 3392 */ 3393 return; 3394 } 3395 3396 so_family = so->so_family; 3397 so_type = so->so_type; 3398 3399 switch (so_family) { 3400 case AF_INET: 3401 case AF_INET6: 3402 3403 bzero(so_faddr, sizeof (so_faddr)); 3404 3405 if (so->so_state & SS_ISBOUND) { 3406 /* only done once on a connection */ 3407 (void) SOP_GETSOCKNAME(so); 3408 } 3409 3410 mutex_enter(&so->so_lock); 3411 len = min(so->so_laddr_len, sizeof (so_laddr)); 3412 bcopy(so->so_laddr_sa, so_laddr, len); 3413 mutex_exit(&so->so_lock); 3414 3415 add_sock_token = 1; 3416 3417 break; 3418 3419 case AF_UNIX: 3420 /* token added by lookup */ 3421 break; 3422 default: 3423 /* AF_ROUTE, AF_KEY do not support accept */ 3424 break; 3425 } 3426 3427 releasef(fd); 3428 3429 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3430 3431 if (add_sock_token == 0) { 3432 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3433 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3434 return; 3435 } 3436 3437 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3438 3439 } 3440 3441 /*ARGSUSED*/ 3442 static void 3443 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3444 { 3445 struct a { 3446 long fd; 3447 long addr; 3448 long len; 3449 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3450 3451 struct sonode *so; 3452 char so_laddr[sizeof (struct sockaddr_in6)]; 3453 char so_faddr[sizeof (struct sockaddr_in6)]; 3454 int err, fd; 3455 int len; 3456 short so_family, so_type; 3457 int add_sock_token = 0; 3458 3459 fd = (int)uap->fd; 3460 3461 3462 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3463 /* 3464 * not security relevant if doing a connect from non socket 3465 * so no extra tokens. Should probably turn off audit record 3466 * generation here. 3467 */ 3468 return; 3469 } 3470 3471 so_family = so->so_family; 3472 so_type = so->so_type; 3473 3474 switch (so_family) { 3475 case AF_INET: 3476 case AF_INET6: 3477 /* 3478 * no local address then need to get it from lower 3479 * levels. 3480 */ 3481 if (so->so_state & SS_ISBOUND) { 3482 /* only done once on a connection */ 3483 (void) SOP_GETSOCKNAME(so); 3484 (void) SOP_GETPEERNAME(so); 3485 } 3486 3487 bzero(so_laddr, sizeof (so_laddr)); 3488 bzero(so_faddr, sizeof (so_faddr)); 3489 3490 mutex_enter(&so->so_lock); 3491 len = min(so->so_laddr_len, sizeof (so_laddr)); 3492 bcopy(so->so_laddr_sa, so_laddr, len); 3493 if (error) { 3494 mutex_exit(&so->so_lock); 3495 if (uap->addr == NULL) 3496 break; 3497 if (uap->len <= 0) 3498 break; 3499 len = min(uap->len, sizeof (so_faddr)); 3500 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3501 break; 3502 #ifdef NOTYET 3503 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3504 #endif 3505 } else { 3506 /* sanity check on length */ 3507 len = min(so->so_faddr_len, sizeof (so_faddr)); 3508 bcopy(so->so_faddr_sa, so_faddr, len); 3509 mutex_exit(&so->so_lock); 3510 } 3511 3512 add_sock_token = 1; 3513 3514 break; 3515 3516 case AF_UNIX: 3517 /* does a lookup on name */ 3518 break; 3519 3520 default: 3521 /* AF_ROUTE, AF_KEY do not support accept */ 3522 break; 3523 } 3524 3525 releasef(fd); 3526 3527 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3528 3529 if (add_sock_token == 0) { 3530 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3531 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3532 return; 3533 } 3534 3535 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3536 3537 } 3538 3539 /*ARGSUSED*/ 3540 static void 3541 aus_shutdown(struct t_audit_data *tad) 3542 { 3543 struct a { 3544 long fd; 3545 long how; 3546 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3547 3548 struct sonode *so; 3549 char so_laddr[sizeof (struct sockaddr_in6)]; 3550 char so_faddr[sizeof (struct sockaddr_in6)]; 3551 int err, fd; 3552 int len; 3553 short so_family, so_type; 3554 int add_sock_token = 0; 3555 file_t *fp; /* unix domain sockets */ 3556 struct f_audit_data *fad; /* unix domain sockets */ 3557 3558 fd = (int)uap->fd; 3559 3560 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3561 /* 3562 * not security relevant if doing a shutdown using non socket 3563 * so no extra tokens. Should probably turn off audit record 3564 * generation here. 3565 */ 3566 return; 3567 } 3568 3569 so_family = so->so_family; 3570 so_type = so->so_type; 3571 3572 switch (so_family) { 3573 case AF_INET: 3574 case AF_INET6: 3575 3576 bzero(so_laddr, sizeof (so_laddr)); 3577 bzero(so_faddr, sizeof (so_faddr)); 3578 3579 if (so->so_state & SS_ISBOUND) { 3580 /* 3581 * no local address then need to get it from lower 3582 * levels. 3583 */ 3584 if (so->so_laddr_len == 0) 3585 (void) SOP_GETSOCKNAME(so); 3586 if (so->so_faddr_len == 0) 3587 (void) SOP_GETPEERNAME(so); 3588 } 3589 3590 mutex_enter(&so->so_lock); 3591 len = min(so->so_laddr_len, sizeof (so_laddr)); 3592 bcopy(so->so_laddr_sa, so_laddr, len); 3593 len = min(so->so_faddr_len, sizeof (so_faddr)); 3594 bcopy(so->so_faddr_sa, so_faddr, len); 3595 mutex_exit(&so->so_lock); 3596 3597 add_sock_token = 1; 3598 3599 break; 3600 3601 case AF_UNIX: 3602 3603 /* get path from file struct here */ 3604 fad = F2A(fp); 3605 ASSERT(fad); 3606 3607 if (fad->fad_aupath != NULL) { 3608 au_uwrite(au_to_path(fad->fad_aupath)); 3609 } else { 3610 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3611 } 3612 3613 audit_attributes(fp->f_vnode); 3614 3615 break; 3616 3617 default: 3618 /* 3619 * AF_KEY and AF_ROUTE support shutdown. No socket token 3620 * added. 3621 */ 3622 break; 3623 } 3624 3625 releasef(fd); 3626 3627 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3628 3629 if (add_sock_token == 0) { 3630 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3631 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3632 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3633 return; 3634 } 3635 3636 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3637 3638 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3639 3640 } 3641 3642 /*ARGSUSED*/ 3643 static void 3644 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3645 { 3646 struct a { 3647 long fd; 3648 long level; 3649 long optname; 3650 long *optval; 3651 long optlen; 3652 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3653 3654 struct sonode *so; 3655 char so_laddr[sizeof (struct sockaddr_in6)]; 3656 char so_faddr[sizeof (struct sockaddr_in6)]; 3657 char val[AU_BUFSIZE]; 3658 int err, fd; 3659 int len; 3660 short so_family, so_type; 3661 int add_sock_token = 0; 3662 file_t *fp; /* unix domain sockets */ 3663 struct f_audit_data *fad; /* unix domain sockets */ 3664 3665 fd = (int)uap->fd; 3666 3667 if (error) { 3668 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3669 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3670 /* XXX may want to include other arguments */ 3671 return; 3672 } 3673 3674 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3675 /* 3676 * not security relevant if doing a setsockopt from non socket 3677 * so no extra tokens. Should probably turn off audit record 3678 * generation here. 3679 */ 3680 return; 3681 } 3682 3683 so_family = so->so_family; 3684 so_type = so->so_type; 3685 3686 switch (so_family) { 3687 case AF_INET: 3688 case AF_INET6: 3689 3690 bzero((void *)so_laddr, sizeof (so_laddr)); 3691 bzero((void *)so_faddr, sizeof (so_faddr)); 3692 3693 if (so->so_state & SS_ISBOUND) { 3694 if (so->so_laddr_len == 0) 3695 (void) SOP_GETSOCKNAME(so); 3696 if (so->so_faddr_len == 0) 3697 (void) SOP_GETPEERNAME(so); 3698 } 3699 3700 /* get local and foreign addresses */ 3701 mutex_enter(&so->so_lock); 3702 len = min(so->so_laddr_len, sizeof (so_laddr)); 3703 bcopy(so->so_laddr_sa, so_laddr, len); 3704 len = min(so->so_faddr_len, sizeof (so_faddr)); 3705 bcopy(so->so_faddr_sa, so_faddr, len); 3706 mutex_exit(&so->so_lock); 3707 3708 add_sock_token = 1; 3709 3710 break; 3711 3712 case AF_UNIX: 3713 3714 /* get path from file struct here */ 3715 fad = F2A(fp); 3716 ASSERT(fad); 3717 3718 if (fad->fad_aupath != NULL) { 3719 au_uwrite(au_to_path(fad->fad_aupath)); 3720 } else { 3721 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3722 } 3723 3724 audit_attributes(fp->f_vnode); 3725 3726 break; 3727 3728 default: 3729 /* 3730 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3731 * added. 3732 */ 3733 break; 3734 } 3735 3736 releasef(fd); 3737 3738 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3739 3740 if (add_sock_token == 0) { 3741 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3742 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3743 } 3744 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3745 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3746 3747 bzero(val, sizeof (val)); 3748 len = min(uap->optlen, sizeof (val)); 3749 if ((len > 0) && 3750 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3751 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3752 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3753 } 3754 3755 if (add_sock_token == 0) 3756 return; 3757 3758 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3759 3760 } 3761 3762 /*ARGSUSED*/ 3763 static void 3764 aus_sockconfig(tad) 3765 struct t_audit_data *tad; 3766 { 3767 struct a { 3768 long domain; 3769 long type; 3770 long protocol; 3771 long devpath; 3772 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3773 3774 char *kdevpath; 3775 int kdevpathlen = MAXPATHLEN + 1; 3776 size_t size; 3777 3778 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3779 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3780 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3781 3782 if (uap->devpath == 0) { 3783 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3784 } else { 3785 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3786 3787 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3788 &size)) { 3789 kmem_free(kdevpath, kdevpathlen); 3790 return; 3791 } 3792 3793 if (size > MAXPATHLEN) { 3794 kmem_free(kdevpath, kdevpathlen); 3795 return; 3796 } 3797 3798 au_uwrite(au_to_text(kdevpath)); 3799 kmem_free(kdevpath, kdevpathlen); 3800 } 3801 } 3802 3803 /* 3804 * only audit recvmsg when the system call represents the creation of a new 3805 * circuit. This effectively occurs for all UDP packets and may occur for 3806 * special TCP situations where the local host has not set a local address 3807 * in the socket structure. 3808 */ 3809 /*ARGSUSED*/ 3810 static void 3811 auf_recvmsg( 3812 struct t_audit_data *tad, 3813 int error, 3814 rval_t *rvp) 3815 { 3816 struct a { 3817 long fd; 3818 long msg; /* struct msghdr */ 3819 long flags; 3820 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3821 3822 struct sonode *so; 3823 STRUCT_DECL(msghdr, msg); 3824 caddr_t msg_name; 3825 socklen_t msg_namelen; 3826 int fd; 3827 int err; 3828 char so_laddr[sizeof (struct sockaddr_in6)]; 3829 char so_faddr[sizeof (struct sockaddr_in6)]; 3830 int len; 3831 file_t *fp; /* unix domain sockets */ 3832 struct f_audit_data *fad; /* unix domain sockets */ 3833 short so_family, so_type; 3834 int add_sock_token = 0; 3835 au_kcontext_t *kctx = GET_KCTX_PZ; 3836 3837 fd = (int)uap->fd; 3838 3839 /* bail if an error */ 3840 if (error) { 3841 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3842 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3843 return; 3844 } 3845 3846 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3847 /* 3848 * not security relevant if doing a recvmsg from non socket 3849 * so no extra tokens. Should probably turn off audit record 3850 * generation here. 3851 */ 3852 return; 3853 } 3854 3855 so_family = so->so_family; 3856 so_type = so->so_type; 3857 3858 /* 3859 * only putout SOCKET_EX token if INET/INET6 family. 3860 * XXX - what do we do about other families? 3861 */ 3862 3863 switch (so_family) { 3864 case AF_INET: 3865 case AF_INET6: 3866 3867 /* 3868 * if datagram type socket, then just use what is in 3869 * socket structure for local address. 3870 * XXX - what do we do for other types? 3871 */ 3872 if ((so->so_type == SOCK_DGRAM) || 3873 (so->so_type == SOCK_RAW)) { 3874 add_sock_token = 1; 3875 3876 bzero((void *)so_laddr, sizeof (so_laddr)); 3877 bzero((void *)so_faddr, sizeof (so_faddr)); 3878 3879 /* get local address */ 3880 mutex_enter(&so->so_lock); 3881 len = min(so->so_laddr_len, sizeof (so_laddr)); 3882 bcopy(so->so_laddr_sa, so_laddr, len); 3883 mutex_exit(&so->so_lock); 3884 3885 /* get peer address */ 3886 STRUCT_INIT(msg, get_udatamodel()); 3887 3888 if (copyin((caddr_t)(uap->msg), 3889 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3890 break; 3891 } 3892 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3893 if (msg_name == NULL) { 3894 break; 3895 } 3896 3897 /* length is value from recvmsg - sanity check */ 3898 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3899 if (msg_namelen == 0) { 3900 break; 3901 } 3902 if (copyin(msg_name, so_faddr, 3903 sizeof (so_faddr)) != 0) { 3904 break; 3905 } 3906 3907 } else if (so->so_type == SOCK_STREAM) { 3908 3909 /* get path from file struct here */ 3910 fad = F2A(fp); 3911 ASSERT(fad); 3912 3913 /* 3914 * already processed this file for read attempt 3915 */ 3916 if (fad->fad_flags & FAD_READ) { 3917 /* don't want to audit every recvmsg attempt */ 3918 tad->tad_flag = 0; 3919 /* free any residual audit data */ 3920 au_close(kctx, &(u_ad), 0, 0, 0); 3921 releasef(fd); 3922 return; 3923 } 3924 /* 3925 * mark things so we know what happened and don't 3926 * repeat things 3927 */ 3928 fad->fad_flags |= FAD_READ; 3929 3930 bzero((void *)so_laddr, sizeof (so_laddr)); 3931 bzero((void *)so_faddr, sizeof (so_faddr)); 3932 3933 if (so->so_state & SS_ISBOUND) { 3934 3935 if (so->so_laddr_len == 0) 3936 (void) SOP_GETSOCKNAME(so); 3937 if (so->so_faddr_len == 0) 3938 (void) SOP_GETPEERNAME(so); 3939 3940 /* get local and foreign addresses */ 3941 mutex_enter(&so->so_lock); 3942 len = min(so->so_laddr_len, sizeof (so_laddr)); 3943 bcopy(so->so_laddr_sa, so_laddr, len); 3944 len = min(so->so_faddr_len, sizeof (so_faddr)); 3945 bcopy(so->so_faddr_sa, so_faddr, len); 3946 mutex_exit(&so->so_lock); 3947 } 3948 3949 add_sock_token = 1; 3950 } 3951 3952 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3953 3954 break; 3955 3956 case AF_UNIX: 3957 /* 3958 * first check if this is first time through. Too much 3959 * duplicate code to put this in an aui_ routine. 3960 */ 3961 3962 /* get path from file struct here */ 3963 fad = F2A(fp); 3964 ASSERT(fad); 3965 3966 /* 3967 * already processed this file for read attempt 3968 */ 3969 if (fad->fad_flags & FAD_READ) { 3970 releasef(fd); 3971 /* don't want to audit every recvmsg attempt */ 3972 tad->tad_flag = 0; 3973 /* free any residual audit data */ 3974 au_close(kctx, &(u_ad), 0, 0, 0); 3975 return; 3976 } 3977 /* 3978 * mark things so we know what happened and don't 3979 * repeat things 3980 */ 3981 fad->fad_flags |= FAD_READ; 3982 3983 if (fad->fad_aupath != NULL) { 3984 au_uwrite(au_to_path(fad->fad_aupath)); 3985 } else { 3986 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3987 } 3988 3989 audit_attributes(fp->f_vnode); 3990 3991 releasef(fd); 3992 3993 return; 3994 3995 default: 3996 break; 3997 3998 } 3999 4000 releasef(fd); 4001 4002 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4003 4004 if (add_sock_token == 0) { 4005 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4006 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4007 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4008 return; 4009 } 4010 4011 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4012 4013 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4014 4015 } 4016 4017 /*ARGSUSED*/ 4018 static void 4019 auf_recvfrom( 4020 struct t_audit_data *tad, 4021 int error, 4022 rval_t *rvp) 4023 { 4024 4025 struct a { 4026 long fd; 4027 long msg; /* char */ 4028 long len; 4029 long flags; 4030 long from; /* struct sockaddr */ 4031 long fromlen; 4032 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4033 4034 socklen_t fromlen; 4035 struct sonode *so; 4036 char so_laddr[sizeof (struct sockaddr_in6)]; 4037 char so_faddr[sizeof (struct sockaddr_in6)]; 4038 int fd; 4039 short so_family, so_type; 4040 int add_sock_token = 0; 4041 int len; 4042 int err; 4043 struct file *fp; 4044 struct f_audit_data *fad; /* unix domain sockets */ 4045 au_kcontext_t *kctx = GET_KCTX_PZ; 4046 4047 fd = (int)uap->fd; 4048 4049 /* bail if an error */ 4050 if (error) { 4051 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4052 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4053 return; 4054 } 4055 4056 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4057 /* 4058 * not security relevant if doing a recvmsg from non socket 4059 * so no extra tokens. Should probably turn off audit record 4060 * generation here. 4061 */ 4062 return; 4063 } 4064 4065 so_family = so->so_family; 4066 so_type = so->so_type; 4067 4068 /* 4069 * only putout SOCKET_EX token if INET/INET6 family. 4070 * XXX - what do we do about other families? 4071 */ 4072 4073 switch (so_family) { 4074 case AF_INET: 4075 case AF_INET6: 4076 4077 /* 4078 * if datagram type socket, then just use what is in 4079 * socket structure for local address. 4080 * XXX - what do we do for other types? 4081 */ 4082 if ((so->so_type == SOCK_DGRAM) || 4083 (so->so_type == SOCK_RAW)) { 4084 add_sock_token = 1; 4085 4086 /* get local address */ 4087 mutex_enter(&so->so_lock); 4088 len = min(so->so_laddr_len, sizeof (so_laddr)); 4089 bcopy(so->so_laddr_sa, so_laddr, len); 4090 mutex_exit(&so->so_lock); 4091 4092 /* get peer address */ 4093 bzero((void *)so_faddr, sizeof (so_faddr)); 4094 4095 /* sanity check */ 4096 if (uap->from == NULL) 4097 break; 4098 4099 /* sanity checks */ 4100 if (uap->fromlen == 0) 4101 break; 4102 4103 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4104 sizeof (fromlen)) != 0) 4105 break; 4106 4107 if (fromlen == 0) 4108 break; 4109 4110 /* enforce maximum size */ 4111 if (fromlen > sizeof (so_faddr)) 4112 fromlen = sizeof (so_faddr); 4113 4114 if (copyin((caddr_t)(uap->from), so_faddr, 4115 fromlen) != 0) 4116 break; 4117 4118 } else if (so->so_type == SOCK_STREAM) { 4119 4120 /* get path from file struct here */ 4121 fad = F2A(fp); 4122 ASSERT(fad); 4123 4124 /* 4125 * already processed this file for read attempt 4126 */ 4127 if (fad->fad_flags & FAD_READ) { 4128 /* don't want to audit every recvfrom attempt */ 4129 tad->tad_flag = 0; 4130 /* free any residual audit data */ 4131 au_close(kctx, &(u_ad), 0, 0, 0); 4132 releasef(fd); 4133 return; 4134 } 4135 /* 4136 * mark things so we know what happened and don't 4137 * repeat things 4138 */ 4139 fad->fad_flags |= FAD_READ; 4140 4141 bzero((void *)so_laddr, sizeof (so_laddr)); 4142 bzero((void *)so_faddr, sizeof (so_faddr)); 4143 4144 if (so->so_state & SS_ISBOUND) { 4145 4146 if (so->so_laddr_len == 0) 4147 (void) SOP_GETSOCKNAME(so); 4148 if (so->so_faddr_len == 0) 4149 (void) SOP_GETPEERNAME(so); 4150 4151 /* get local and foreign addresses */ 4152 mutex_enter(&so->so_lock); 4153 len = min(so->so_laddr_len, sizeof (so_laddr)); 4154 bcopy(so->so_laddr_sa, so_laddr, len); 4155 len = min(so->so_faddr_len, sizeof (so_faddr)); 4156 bcopy(so->so_faddr_sa, so_faddr, len); 4157 mutex_exit(&so->so_lock); 4158 } 4159 4160 add_sock_token = 1; 4161 } 4162 4163 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4164 4165 break; 4166 4167 case AF_UNIX: 4168 /* 4169 * first check if this is first time through. Too much 4170 * duplicate code to put this in an aui_ routine. 4171 */ 4172 4173 /* get path from file struct here */ 4174 fad = F2A(fp); 4175 ASSERT(fad); 4176 4177 /* 4178 * already processed this file for read attempt 4179 */ 4180 if (fad->fad_flags & FAD_READ) { 4181 /* don't want to audit every recvfrom attempt */ 4182 tad->tad_flag = 0; 4183 /* free any residual audit data */ 4184 au_close(kctx, &(u_ad), 0, 0, 0); 4185 releasef(fd); 4186 return; 4187 } 4188 /* 4189 * mark things so we know what happened and don't 4190 * repeat things 4191 */ 4192 fad->fad_flags |= FAD_READ; 4193 4194 if (fad->fad_aupath != NULL) { 4195 au_uwrite(au_to_path(fad->fad_aupath)); 4196 } else { 4197 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4198 } 4199 4200 audit_attributes(fp->f_vnode); 4201 4202 releasef(fd); 4203 4204 return; 4205 4206 default: 4207 break; 4208 4209 } 4210 4211 releasef(fd); 4212 4213 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4214 4215 if (add_sock_token == 0) { 4216 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4217 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4218 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4219 return; 4220 } 4221 4222 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4223 4224 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4225 } 4226 4227 /*ARGSUSED*/ 4228 static void 4229 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4230 { 4231 struct a { 4232 long fd; 4233 long msg; /* struct msghdr */ 4234 long flags; 4235 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4236 4237 struct sonode *so; 4238 char so_laddr[sizeof (struct sockaddr_in6)]; 4239 char so_faddr[sizeof (struct sockaddr_in6)]; 4240 int err; 4241 int fd; 4242 short so_family, so_type; 4243 int add_sock_token = 0; 4244 int len; 4245 struct file *fp; 4246 struct f_audit_data *fad; 4247 caddr_t msg_name; 4248 socklen_t msg_namelen; 4249 STRUCT_DECL(msghdr, msg); 4250 au_kcontext_t *kctx = GET_KCTX_PZ; 4251 4252 fd = (int)uap->fd; 4253 4254 /* bail if an error */ 4255 if (error) { 4256 /* XXX include destination address from system call arguments */ 4257 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4258 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4259 return; 4260 } 4261 4262 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4263 /* 4264 * not security relevant if doing a sendmsg from non socket 4265 * so no extra tokens. Should probably turn off audit record 4266 * generation here. 4267 */ 4268 return; 4269 } 4270 4271 so_family = so->so_family; 4272 so_type = so->so_type; 4273 4274 switch (so_family) { 4275 case AF_INET: 4276 case AF_INET6: 4277 /* 4278 * if datagram type socket, then just use what is in 4279 * socket structure for local address. 4280 * XXX - what do we do for other types? 4281 */ 4282 if ((so->so_type == SOCK_DGRAM) || 4283 (so->so_type == SOCK_RAW)) { 4284 4285 bzero((void *)so_laddr, sizeof (so_laddr)); 4286 bzero((void *)so_faddr, sizeof (so_faddr)); 4287 4288 /* get local address */ 4289 mutex_enter(&so->so_lock); 4290 len = min(so->so_laddr_len, sizeof (so_laddr)); 4291 bcopy(so->so_laddr_sa, so_laddr, len); 4292 mutex_exit(&so->so_lock); 4293 4294 /* get peer address */ 4295 STRUCT_INIT(msg, get_udatamodel()); 4296 4297 if (copyin((caddr_t)(uap->msg), 4298 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4299 break; 4300 } 4301 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4302 if (msg_name == NULL) 4303 break; 4304 4305 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4306 /* length is value from recvmsg - sanity check */ 4307 if (msg_namelen == 0) 4308 break; 4309 4310 if (copyin(msg_name, so_faddr, 4311 sizeof (so_faddr)) != 0) 4312 break; 4313 4314 add_sock_token = 1; 4315 4316 } else if (so->so_type == SOCK_STREAM) { 4317 4318 /* get path from file struct here */ 4319 fad = F2A(fp); 4320 ASSERT(fad); 4321 4322 /* 4323 * already processed this file for write attempt 4324 */ 4325 if (fad->fad_flags & FAD_WRITE) { 4326 releasef(fd); 4327 /* don't want to audit every sendmsg attempt */ 4328 tad->tad_flag = 0; 4329 /* free any residual audit data */ 4330 au_close(kctx, &(u_ad), 0, 0, 0); 4331 return; 4332 } 4333 4334 /* 4335 * mark things so we know what happened and don't 4336 * repeat things 4337 */ 4338 fad->fad_flags |= FAD_WRITE; 4339 4340 bzero((void *)so_laddr, sizeof (so_laddr)); 4341 bzero((void *)so_faddr, sizeof (so_faddr)); 4342 4343 if (so->so_state & SS_ISBOUND) { 4344 4345 if (so->so_laddr_len == 0) 4346 (void) SOP_GETSOCKNAME(so); 4347 if (so->so_faddr_len == 0) 4348 (void) SOP_GETPEERNAME(so); 4349 4350 /* get local and foreign addresses */ 4351 mutex_enter(&so->so_lock); 4352 len = min(so->so_laddr_len, sizeof (so_laddr)); 4353 bcopy(so->so_laddr_sa, so_laddr, len); 4354 len = min(so->so_faddr_len, sizeof (so_faddr)); 4355 bcopy(so->so_faddr_sa, so_faddr, len); 4356 mutex_exit(&so->so_lock); 4357 } 4358 4359 add_sock_token = 1; 4360 } 4361 4362 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4363 4364 break; 4365 4366 case AF_UNIX: 4367 /* 4368 * first check if this is first time through. Too much 4369 * duplicate code to put this in an aui_ routine. 4370 */ 4371 4372 /* get path from file struct here */ 4373 fad = F2A(fp); 4374 ASSERT(fad); 4375 4376 /* 4377 * already processed this file for write attempt 4378 */ 4379 if (fad->fad_flags & FAD_WRITE) { 4380 releasef(fd); 4381 /* don't want to audit every sendmsg attempt */ 4382 tad->tad_flag = 0; 4383 /* free any residual audit data */ 4384 au_close(kctx, &(u_ad), 0, 0, 0); 4385 return; 4386 } 4387 /* 4388 * mark things so we know what happened and don't 4389 * repeat things 4390 */ 4391 fad->fad_flags |= FAD_WRITE; 4392 4393 if (fad->fad_aupath != NULL) { 4394 au_uwrite(au_to_path(fad->fad_aupath)); 4395 } else { 4396 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4397 } 4398 4399 audit_attributes(fp->f_vnode); 4400 4401 releasef(fd); 4402 4403 return; 4404 4405 default: 4406 break; 4407 } 4408 4409 releasef(fd); 4410 4411 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4412 4413 if (add_sock_token == 0) { 4414 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4415 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4416 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4417 return; 4418 } 4419 4420 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4421 4422 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4423 } 4424 4425 /*ARGSUSED*/ 4426 static void 4427 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4428 { 4429 struct a { 4430 long fd; 4431 long msg; /* char */ 4432 long len; 4433 long flags; 4434 long to; /* struct sockaddr */ 4435 long tolen; 4436 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4437 4438 struct sonode *so; 4439 char so_laddr[sizeof (struct sockaddr_in6)]; 4440 char so_faddr[sizeof (struct sockaddr_in6)]; 4441 socklen_t tolen; 4442 int err; 4443 int fd; 4444 int len; 4445 short so_family, so_type; 4446 int add_sock_token = 0; 4447 struct file *fp; 4448 struct f_audit_data *fad; 4449 au_kcontext_t *kctx = GET_KCTX_PZ; 4450 4451 fd = (int)uap->fd; 4452 4453 /* bail if an error */ 4454 if (error) { 4455 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4456 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4457 /* XXX include destination address from system call arguments */ 4458 return; 4459 } 4460 4461 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4462 /* 4463 * not security relevant if doing a sendto using non socket 4464 * so no extra tokens. Should probably turn off audit record 4465 * generation here. 4466 */ 4467 return; 4468 } 4469 4470 so_family = so->so_family; 4471 so_type = so->so_type; 4472 4473 /* 4474 * only putout SOCKET_EX token if INET/INET6 family. 4475 * XXX - what do we do about other families? 4476 */ 4477 4478 switch (so_family) { 4479 case AF_INET: 4480 case AF_INET6: 4481 4482 /* 4483 * if datagram type socket, then just use what is in 4484 * socket structure for local address. 4485 * XXX - what do we do for other types? 4486 */ 4487 if ((so->so_type == SOCK_DGRAM) || 4488 (so->so_type == SOCK_RAW)) { 4489 4490 bzero((void *)so_laddr, sizeof (so_laddr)); 4491 bzero((void *)so_faddr, sizeof (so_faddr)); 4492 4493 /* get local address */ 4494 mutex_enter(&so->so_lock); 4495 len = min(so->so_laddr_len, sizeof (so_laddr)); 4496 bcopy(so->so_laddr_sa, so_laddr, len); 4497 mutex_exit(&so->so_lock); 4498 4499 /* get peer address */ 4500 4501 /* sanity check */ 4502 if (uap->to == NULL) 4503 break; 4504 4505 /* sanity checks */ 4506 if (uap->tolen == 0) 4507 break; 4508 4509 tolen = (socklen_t)uap->tolen; 4510 4511 /* enforce maximum size */ 4512 if (tolen > sizeof (so_faddr)) 4513 tolen = sizeof (so_faddr); 4514 4515 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4516 break; 4517 4518 add_sock_token = 1; 4519 } else { 4520 /* 4521 * check if this is first time through. 4522 */ 4523 4524 /* get path from file struct here */ 4525 fad = F2A(fp); 4526 ASSERT(fad); 4527 4528 /* 4529 * already processed this file for write attempt 4530 */ 4531 if (fad->fad_flags & FAD_WRITE) { 4532 /* don't want to audit every sendto attempt */ 4533 tad->tad_flag = 0; 4534 /* free any residual audit data */ 4535 au_close(kctx, &(u_ad), 0, 0, 0); 4536 releasef(fd); 4537 return; 4538 } 4539 /* 4540 * mark things so we know what happened and don't 4541 * repeat things 4542 */ 4543 fad->fad_flags |= FAD_WRITE; 4544 4545 bzero((void *)so_laddr, sizeof (so_laddr)); 4546 bzero((void *)so_faddr, sizeof (so_faddr)); 4547 4548 if (so->so_state & SS_ISBOUND) { 4549 4550 if (so->so_laddr_len == 0) 4551 (void) SOP_GETSOCKNAME(so); 4552 if (so->so_faddr_len == 0) 4553 (void) SOP_GETPEERNAME(so); 4554 4555 /* get local and foreign addresses */ 4556 mutex_enter(&so->so_lock); 4557 len = min(so->so_laddr_len, sizeof (so_laddr)); 4558 bcopy(so->so_laddr_sa, so_laddr, len); 4559 len = min(so->so_faddr_len, sizeof (so_faddr)); 4560 bcopy(so->so_faddr_sa, so_faddr, len); 4561 mutex_exit(&so->so_lock); 4562 } 4563 4564 add_sock_token = 1; 4565 } 4566 4567 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4568 4569 break; 4570 4571 case AF_UNIX: 4572 /* 4573 * first check if this is first time through. Too much 4574 * duplicate code to put this in an aui_ routine. 4575 */ 4576 4577 /* get path from file struct here */ 4578 fad = F2A(fp); 4579 ASSERT(fad); 4580 4581 /* 4582 * already processed this file for write attempt 4583 */ 4584 if (fad->fad_flags & FAD_WRITE) { 4585 /* don't want to audit every sendto attempt */ 4586 tad->tad_flag = 0; 4587 /* free any residual audit data */ 4588 au_close(kctx, &(u_ad), 0, 0, 0); 4589 releasef(fd); 4590 return; 4591 } 4592 /* 4593 * mark things so we know what happened and don't 4594 * repeat things 4595 */ 4596 fad->fad_flags |= FAD_WRITE; 4597 4598 if (fad->fad_aupath != NULL) { 4599 au_uwrite(au_to_path(fad->fad_aupath)); 4600 } else { 4601 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4602 } 4603 4604 audit_attributes(fp->f_vnode); 4605 4606 releasef(fd); 4607 4608 return; 4609 4610 default: 4611 break; 4612 4613 } 4614 4615 releasef(fd); 4616 4617 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4618 4619 if (add_sock_token == 0) { 4620 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4621 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4622 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4623 return; 4624 } 4625 4626 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4627 4628 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4629 4630 } 4631 4632 /* 4633 * XXX socket(2) may be equivilent to open(2) on a unix domain 4634 * socket. This needs investigation. 4635 */ 4636 4637 /*ARGSUSED*/ 4638 static void 4639 aus_socket(struct t_audit_data *tad) 4640 { 4641 struct a { 4642 long domain; 4643 long type; 4644 long protocol; 4645 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4646 4647 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4648 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4649 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4650 } 4651 4652 /*ARGSUSED*/ 4653 static void 4654 aus_sigqueue(struct t_audit_data *tad) 4655 { 4656 struct a { 4657 long pid; 4658 long signo; 4659 long *val; 4660 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4661 struct proc *p; 4662 uid_t uid, ruid; 4663 gid_t gid, rgid; 4664 pid_t pid; 4665 const auditinfo_addr_t *ainfo; 4666 cred_t *cr; 4667 4668 pid = (pid_t)uap->pid; 4669 4670 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4671 if (pid > 0) { 4672 mutex_enter(&pidlock); 4673 if ((p = prfind(pid)) == (struct proc *)0) { 4674 mutex_exit(&pidlock); 4675 return; 4676 } 4677 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4678 mutex_exit(&pidlock); 4679 4680 mutex_enter(&p->p_crlock); 4681 crhold(cr = p->p_cred); 4682 mutex_exit(&p->p_crlock); 4683 mutex_exit(&p->p_lock); 4684 4685 ainfo = crgetauinfo(cr); 4686 if (ainfo == NULL) { 4687 crfree(cr); 4688 return; 4689 } 4690 4691 uid = crgetuid(cr); 4692 gid = crgetgid(cr); 4693 ruid = crgetruid(cr); 4694 rgid = crgetrgid(cr); 4695 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4696 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4697 crfree(cr); 4698 } 4699 else 4700 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4701 } 4702 4703 /*ARGSUSED*/ 4704 static void 4705 aus_inst_sync(struct t_audit_data *tad) 4706 { 4707 struct a { 4708 long name; /* char */ 4709 long flags; 4710 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4711 4712 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4713 } 4714 4715 /*ARGSUSED*/ 4716 static void 4717 aus_brandsys(struct t_audit_data *tad) 4718 { 4719 klwp_t *clwp = ttolwp(curthread); 4720 4721 struct a { 4722 long cmd; 4723 long arg1; 4724 long arg2; 4725 long arg3; 4726 long arg4; 4727 long arg5; 4728 long arg6; 4729 } *uap = (struct a *)clwp->lwp_ap; 4730 4731 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4732 #ifdef _LP64 4733 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4734 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4735 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4736 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4737 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4738 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4739 #else 4740 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4741 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4742 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4743 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4744 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4745 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4746 #endif 4747 } 4748 4749 /*ARGSUSED*/ 4750 static void 4751 aus_p_online(struct t_audit_data *tad) 4752 { 4753 struct a { 4754 long processor_id; 4755 long flag; 4756 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4757 4758 struct flags { 4759 int flag; 4760 char *cflag; 4761 } aflags[6] = { 4762 { P_ONLINE, "P_ONLINE"}, 4763 { P_OFFLINE, "P_OFFLINE"}, 4764 { P_NOINTR, "P_NOINTR"}, 4765 { P_SPARE, "P_SPARE"}, 4766 { P_FAULTED, "P_FAULTED"}, 4767 { P_STATUS, "P_STATUS"} 4768 }; 4769 int i; 4770 char *cflag; 4771 4772 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4773 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4774 4775 for (i = 0; i < 6; i++) { 4776 if (aflags[i].flag == uap->flag) 4777 break; 4778 } 4779 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4780 4781 au_uwrite(au_to_text(cflag)); 4782 } 4783 4784 /*ARGSUSED*/ 4785 static void 4786 aus_processor_bind(struct t_audit_data *tad) 4787 { 4788 struct a { 4789 long id_type; 4790 long id; 4791 long processor_id; 4792 long obind; 4793 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4794 4795 struct proc *p; 4796 int lwpcnt; 4797 uid_t uid, ruid; 4798 gid_t gid, rgid; 4799 pid_t pid; 4800 const auditinfo_addr_t *ainfo; 4801 cred_t *cr; 4802 4803 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4804 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4805 if (uap->processor_id == PBIND_NONE) 4806 au_uwrite(au_to_text("PBIND_NONE")); 4807 else 4808 au_uwrite(au_to_arg32(3, "processor_id", 4809 (uint32_t)uap->processor_id)); 4810 4811 switch (uap->id_type) { 4812 case P_MYID: 4813 case P_LWPID: 4814 mutex_enter(&pidlock); 4815 p = ttoproc(curthread); 4816 if (p == NULL || p->p_as == &kas) { 4817 mutex_exit(&pidlock); 4818 return; 4819 } 4820 mutex_enter(&p->p_lock); 4821 mutex_exit(&pidlock); 4822 lwpcnt = p->p_lwpcnt; 4823 pid = p->p_pid; 4824 4825 mutex_enter(&p->p_crlock); 4826 crhold(cr = p->p_cred); 4827 mutex_exit(&p->p_crlock); 4828 mutex_exit(&p->p_lock); 4829 4830 ainfo = crgetauinfo(cr); 4831 if (ainfo == NULL) { 4832 crfree(cr); 4833 return; 4834 } 4835 4836 uid = crgetuid(cr); 4837 gid = crgetgid(cr); 4838 ruid = crgetruid(cr); 4839 rgid = crgetrgid(cr); 4840 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4841 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4842 crfree(cr); 4843 break; 4844 case P_PID: 4845 mutex_enter(&pidlock); 4846 p = prfind(uap->id); 4847 if (p == NULL || p->p_as == &kas) { 4848 mutex_exit(&pidlock); 4849 return; 4850 } 4851 mutex_enter(&p->p_lock); 4852 mutex_exit(&pidlock); 4853 lwpcnt = p->p_lwpcnt; 4854 pid = p->p_pid; 4855 4856 mutex_enter(&p->p_crlock); 4857 crhold(cr = p->p_cred); 4858 mutex_exit(&p->p_crlock); 4859 mutex_exit(&p->p_lock); 4860 4861 ainfo = crgetauinfo(cr); 4862 if (ainfo == NULL) { 4863 crfree(cr); 4864 return; 4865 } 4866 4867 uid = crgetuid(cr); 4868 gid = crgetgid(cr); 4869 ruid = crgetruid(cr); 4870 rgid = crgetrgid(cr); 4871 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4872 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4873 crfree(cr); 4874 4875 break; 4876 default: 4877 return; 4878 } 4879 4880 if (uap->processor_id == PBIND_NONE && 4881 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4882 au_uwrite(au_to_text("PBIND_NONE for process")); 4883 else 4884 au_uwrite(au_to_arg32(3, "processor_id", 4885 (uint32_t)uap->processor_id)); 4886 } 4887 4888 /*ARGSUSED*/ 4889 static au_event_t 4890 aui_doorfs(au_event_t e) 4891 { 4892 uint32_t code; 4893 4894 struct a { /* doorfs */ 4895 long a1; 4896 long a2; 4897 long a3; 4898 long a4; 4899 long a5; 4900 long code; 4901 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4902 4903 /* 4904 * audit formats for several of the 4905 * door calls have not yet been determined 4906 */ 4907 code = (uint32_t)uap->code; 4908 switch (code) { 4909 case DOOR_CALL: 4910 e = AUE_DOORFS_DOOR_CALL; 4911 break; 4912 case DOOR_RETURN: 4913 e = AUE_NULL; 4914 break; 4915 case DOOR_CREATE: 4916 e = AUE_DOORFS_DOOR_CREATE; 4917 break; 4918 case DOOR_REVOKE: 4919 e = AUE_DOORFS_DOOR_REVOKE; 4920 break; 4921 case DOOR_INFO: 4922 e = AUE_NULL; 4923 break; 4924 case DOOR_UCRED: 4925 e = AUE_NULL; 4926 break; 4927 case DOOR_BIND: 4928 e = AUE_NULL; 4929 break; 4930 case DOOR_UNBIND: 4931 e = AUE_NULL; 4932 break; 4933 case DOOR_GETPARAM: 4934 e = AUE_NULL; 4935 break; 4936 case DOOR_SETPARAM: 4937 e = AUE_NULL; 4938 break; 4939 default: /* illegal system call */ 4940 e = AUE_NULL; 4941 break; 4942 } 4943 4944 return (e); 4945 } 4946 4947 static door_node_t * 4948 au_door_lookup(int did) 4949 { 4950 vnode_t *vp; 4951 file_t *fp; 4952 4953 if ((fp = getf(did)) == NULL) 4954 return (NULL); 4955 /* 4956 * Use the underlying vnode (we may be namefs mounted) 4957 */ 4958 if (VOP_REALVP(fp->f_vnode, &vp)) 4959 vp = fp->f_vnode; 4960 4961 if (vp == NULL || vp->v_type != VDOOR) { 4962 releasef(did); 4963 return (NULL); 4964 } 4965 4966 return (VTOD(vp)); 4967 } 4968 4969 /*ARGSUSED*/ 4970 static void 4971 aus_doorfs(struct t_audit_data *tad) 4972 { 4973 4974 struct a { /* doorfs */ 4975 long a1; 4976 long a2; 4977 long a3; 4978 long a4; 4979 long a5; 4980 long code; 4981 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4982 4983 door_node_t *dp; 4984 struct proc *p; 4985 uint32_t did; 4986 uid_t uid, ruid; 4987 gid_t gid, rgid; 4988 pid_t pid; 4989 const auditinfo_addr_t *ainfo; 4990 cred_t *cr; 4991 4992 did = (uint32_t)uap->a1; 4993 4994 switch (tad->tad_event) { 4995 case AUE_DOORFS_DOOR_CALL: 4996 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4997 if ((dp = au_door_lookup(did)) == NULL) 4998 break; 4999 5000 if (DOOR_INVALID(dp)) { 5001 releasef(did); 5002 break; 5003 } 5004 5005 if ((p = dp->door_target) == NULL) { 5006 releasef(did); 5007 break; 5008 } 5009 mutex_enter(&p->p_lock); 5010 releasef(did); 5011 5012 pid = p->p_pid; 5013 5014 mutex_enter(&p->p_crlock); 5015 crhold(cr = p->p_cred); 5016 mutex_exit(&p->p_crlock); 5017 mutex_exit(&p->p_lock); 5018 5019 ainfo = crgetauinfo(cr); 5020 if (ainfo == NULL) { 5021 crfree(cr); 5022 return; 5023 } 5024 uid = crgetuid(cr); 5025 gid = crgetgid(cr); 5026 ruid = crgetruid(cr); 5027 rgid = crgetrgid(cr); 5028 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5029 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5030 crfree(cr); 5031 break; 5032 case AUE_DOORFS_DOOR_RETURN: 5033 /* 5034 * We may want to write information about 5035 * all doors (if any) which will be copied 5036 * by this call to the user space 5037 */ 5038 break; 5039 case AUE_DOORFS_DOOR_CREATE: 5040 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5041 break; 5042 case AUE_DOORFS_DOOR_REVOKE: 5043 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5044 break; 5045 case AUE_DOORFS_DOOR_INFO: 5046 break; 5047 case AUE_DOORFS_DOOR_CRED: 5048 break; 5049 case AUE_DOORFS_DOOR_BIND: 5050 break; 5051 case AUE_DOORFS_DOOR_UNBIND: { 5052 break; 5053 } 5054 default: /* illegal system call */ 5055 break; 5056 } 5057 } 5058 5059 /*ARGSUSED*/ 5060 static au_event_t 5061 aui_acl(au_event_t e) 5062 { 5063 struct a { 5064 union { 5065 long name; /* char */ 5066 long fd; 5067 } obj; 5068 5069 long cmd; 5070 long nentries; 5071 long arg; /* aclent_t */ 5072 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5073 5074 switch (uap->cmd) { 5075 case SETACL: 5076 /* ok, acl(SETACL, ...) and facl(SETACL, ...) are expected. */ 5077 break; 5078 case GETACL: 5079 case GETACLCNT: 5080 /* do nothing for these two values. */ 5081 e = AUE_NULL; 5082 break; 5083 default: 5084 /* illegal system call */ 5085 break; 5086 } 5087 5088 return (e); 5089 } 5090 5091 5092 /*ARGSUSED*/ 5093 static void 5094 aus_acl(struct t_audit_data *tad) 5095 { 5096 struct a { 5097 long fname; 5098 long cmd; 5099 long nentries; 5100 long aclbufp; 5101 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5102 struct acl *aclbufp; 5103 5104 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5105 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5106 5107 switch (uap->cmd) { 5108 case GETACL: 5109 case GETACLCNT: 5110 break; 5111 case SETACL: 5112 if (uap->nentries < 3) 5113 break; 5114 else { 5115 size_t a_size = uap->nentries * sizeof (struct acl); 5116 int i; 5117 5118 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5119 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5120 kmem_free(aclbufp, a_size); 5121 break; 5122 } 5123 for (i = 0; i < uap->nentries; i++) { 5124 au_uwrite(au_to_acl(aclbufp + i)); 5125 } 5126 kmem_free(aclbufp, a_size); 5127 break; 5128 } 5129 default: 5130 break; 5131 } 5132 } 5133 5134 /*ARGSUSED*/ 5135 static void 5136 aus_facl(struct t_audit_data *tad) 5137 { 5138 struct a { 5139 long fd; 5140 long cmd; 5141 long nentries; 5142 long aclbufp; 5143 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5144 struct file *fp; 5145 struct vnode *vp; 5146 struct f_audit_data *fad; 5147 struct acl *aclbufp; 5148 int fd; 5149 5150 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5151 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5152 5153 fd = (int)uap->fd; 5154 5155 if ((fp = getf(fd)) == NULL) 5156 return; 5157 5158 /* get path from file struct here */ 5159 fad = F2A(fp); 5160 if (fad->fad_aupath != NULL) { 5161 au_uwrite(au_to_path(fad->fad_aupath)); 5162 } else { 5163 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5164 } 5165 5166 vp = fp->f_vnode; 5167 audit_attributes(vp); 5168 5169 /* decrement file descriptor reference count */ 5170 releasef(fd); 5171 5172 switch (uap->cmd) { 5173 case GETACL: 5174 case GETACLCNT: 5175 break; 5176 case SETACL: 5177 if (uap->nentries < 3) 5178 break; 5179 else { 5180 size_t a_size = uap->nentries * sizeof (struct acl); 5181 int i; 5182 5183 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5184 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5185 kmem_free(aclbufp, a_size); 5186 break; 5187 } 5188 for (i = 0; i < uap->nentries; i++) { 5189 au_uwrite(au_to_acl(aclbufp + i)); 5190 } 5191 kmem_free(aclbufp, a_size); 5192 break; 5193 } 5194 default: 5195 break; 5196 } 5197 } 5198 5199 /*ARGSUSED*/ 5200 static void 5201 auf_read(tad, error, rval) 5202 struct t_audit_data *tad; 5203 int error; 5204 rval_t *rval; 5205 { 5206 struct file *fp; 5207 struct f_audit_data *fad; 5208 int fd; 5209 register struct a { 5210 long fd; 5211 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5212 au_kcontext_t *kctx = GET_KCTX_PZ; 5213 5214 fd = (int)uap->fd; 5215 5216 /* 5217 * convert file pointer to file descriptor 5218 * Note: fd ref count incremented here. 5219 */ 5220 if ((fp = getf(fd)) == NULL) 5221 return; 5222 5223 /* get path from file struct here */ 5224 fad = F2A(fp); 5225 ASSERT(fad); 5226 5227 /* 5228 * already processed this file for read attempt 5229 * 5230 * XXX might be better to turn off auditing in a aui_read() routine. 5231 */ 5232 if (fad->fad_flags & FAD_READ) { 5233 /* don't really want to audit every read attempt */ 5234 tad->tad_flag = 0; 5235 /* free any residual audit data */ 5236 au_close(kctx, &(u_ad), 0, 0, 0); 5237 releasef(fd); 5238 return; 5239 } 5240 /* mark things so we know what happened and don't repeat things */ 5241 fad->fad_flags |= FAD_READ; 5242 5243 if (fad->fad_aupath != NULL) { 5244 au_uwrite(au_to_path(fad->fad_aupath)); 5245 } else { 5246 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5247 } 5248 5249 /* include attributes */ 5250 audit_attributes(fp->f_vnode); 5251 5252 /* decrement file descriptor reference count */ 5253 releasef(fd); 5254 } 5255 5256 /*ARGSUSED*/ 5257 static void 5258 auf_write(tad, error, rval) 5259 struct t_audit_data *tad; 5260 int error; 5261 rval_t *rval; 5262 { 5263 struct file *fp; 5264 struct f_audit_data *fad; 5265 int fd; 5266 register struct a { 5267 long fd; 5268 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5269 au_kcontext_t *kctx = GET_KCTX_PZ; 5270 5271 fd = (int)uap->fd; 5272 5273 /* 5274 * convert file pointer to file descriptor 5275 * Note: fd ref count incremented here. 5276 */ 5277 if ((fp = getf(fd)) == NULL) 5278 return; 5279 5280 /* get path from file struct here */ 5281 fad = F2A(fp); 5282 ASSERT(fad); 5283 5284 /* 5285 * already processed this file for write attempt 5286 * 5287 * XXX might be better to turn off auditing in a aus_write() routine. 5288 */ 5289 if (fad->fad_flags & FAD_WRITE) { 5290 /* don't really want to audit every write attempt */ 5291 tad->tad_flag = 0; 5292 /* free any residual audit data */ 5293 au_close(kctx, &(u_ad), 0, 0, 0); 5294 releasef(fd); 5295 return; 5296 } 5297 /* mark things so we know what happened and don't repeat things */ 5298 fad->fad_flags |= FAD_WRITE; 5299 5300 if (fad->fad_aupath != NULL) { 5301 au_uwrite(au_to_path(fad->fad_aupath)); 5302 } else { 5303 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5304 } 5305 5306 /* include attributes */ 5307 audit_attributes(fp->f_vnode); 5308 5309 /* decrement file descriptor reference count */ 5310 releasef(fd); 5311 } 5312 5313 /*ARGSUSED*/ 5314 static void 5315 auf_recv(tad, error, rval) 5316 struct t_audit_data *tad; 5317 int error; 5318 rval_t *rval; 5319 { 5320 struct sonode *so; 5321 char so_laddr[sizeof (struct sockaddr_in6)]; 5322 char so_faddr[sizeof (struct sockaddr_in6)]; 5323 struct file *fp; 5324 struct f_audit_data *fad; 5325 int fd; 5326 int err; 5327 int len; 5328 short so_family, so_type; 5329 register struct a { 5330 long fd; 5331 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5332 au_kcontext_t *kctx = GET_KCTX_PZ; 5333 5334 /* 5335 * If there was an error, then nothing to do. Only generate 5336 * audit record on first successful recv. 5337 */ 5338 if (error) { 5339 /* Turn off audit record generation here. */ 5340 tad->tad_flag = 0; 5341 /* free any residual audit data */ 5342 au_close(kctx, &(u_ad), 0, 0, 0); 5343 return; 5344 } 5345 5346 fd = (int)uap->fd; 5347 5348 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5349 /* Turn off audit record generation here. */ 5350 tad->tad_flag = 0; 5351 /* free any residual audit data */ 5352 au_close(kctx, &(u_ad), 0, 0, 0); 5353 return; 5354 } 5355 5356 /* get path from file struct here */ 5357 fad = F2A(fp); 5358 ASSERT(fad); 5359 5360 /* 5361 * already processed this file for read attempt 5362 */ 5363 if (fad->fad_flags & FAD_READ) { 5364 releasef(fd); 5365 /* don't really want to audit every recv call */ 5366 tad->tad_flag = 0; 5367 /* free any residual audit data */ 5368 au_close(kctx, &(u_ad), 0, 0, 0); 5369 return; 5370 } 5371 5372 /* mark things so we know what happened and don't repeat things */ 5373 fad->fad_flags |= FAD_READ; 5374 5375 so_family = so->so_family; 5376 so_type = so->so_type; 5377 5378 switch (so_family) { 5379 case AF_INET: 5380 case AF_INET6: 5381 /* 5382 * Only for connections. 5383 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5384 */ 5385 if (so->so_state & SS_ISBOUND) { 5386 5387 bzero((void *)so_laddr, sizeof (so_laddr)); 5388 bzero((void *)so_faddr, sizeof (so_faddr)); 5389 5390 /* only done once on a connection */ 5391 (void) SOP_GETSOCKNAME(so); 5392 (void) SOP_GETPEERNAME(so); 5393 5394 /* get local and foreign addresses */ 5395 mutex_enter(&so->so_lock); 5396 len = min(so->so_laddr_len, sizeof (so_laddr)); 5397 bcopy(so->so_laddr_sa, so_laddr, len); 5398 len = min(so->so_faddr_len, sizeof (so_faddr)); 5399 bcopy(so->so_faddr_sa, so_faddr, len); 5400 mutex_exit(&so->so_lock); 5401 5402 /* 5403 * only way to drop out of switch. Note that we 5404 * we release fd below. 5405 */ 5406 5407 break; 5408 } 5409 5410 releasef(fd); 5411 5412 /* don't really want to audit every recv call */ 5413 tad->tad_flag = 0; 5414 /* free any residual audit data */ 5415 au_close(kctx, &(u_ad), 0, 0, 0); 5416 5417 return; 5418 5419 case AF_UNIX: 5420 5421 if (fad->fad_aupath != NULL) { 5422 au_uwrite(au_to_path(fad->fad_aupath)); 5423 } else { 5424 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5425 } 5426 5427 audit_attributes(fp->f_vnode); 5428 5429 releasef(fd); 5430 5431 return; 5432 5433 default: 5434 releasef(fd); 5435 5436 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5437 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5438 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5439 5440 return; 5441 } 5442 5443 releasef(fd); 5444 5445 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5446 5447 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5448 5449 } 5450 5451 /*ARGSUSED*/ 5452 static void 5453 auf_send(tad, error, rval) 5454 struct t_audit_data *tad; 5455 int error; 5456 rval_t *rval; 5457 { 5458 struct sonode *so; 5459 char so_laddr[sizeof (struct sockaddr_in6)]; 5460 char so_faddr[sizeof (struct sockaddr_in6)]; 5461 struct file *fp; 5462 struct f_audit_data *fad; 5463 int fd; 5464 int err; 5465 int len; 5466 short so_family, so_type; 5467 register struct a { 5468 long fd; 5469 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5470 au_kcontext_t *kctx = GET_KCTX_PZ; 5471 5472 fd = (int)uap->fd; 5473 5474 /* 5475 * If there was an error, then nothing to do. Only generate 5476 * audit record on first successful send. 5477 */ 5478 if (error != 0) { 5479 /* Turn off audit record generation here. */ 5480 tad->tad_flag = 0; 5481 /* free any residual audit data */ 5482 au_close(kctx, &(u_ad), 0, 0, 0); 5483 return; 5484 } 5485 5486 fd = (int)uap->fd; 5487 5488 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5489 /* Turn off audit record generation here. */ 5490 tad->tad_flag = 0; 5491 /* free any residual audit data */ 5492 au_close(kctx, &(u_ad), 0, 0, 0); 5493 return; 5494 } 5495 5496 /* get path from file struct here */ 5497 fad = F2A(fp); 5498 ASSERT(fad); 5499 5500 /* 5501 * already processed this file for write attempt 5502 */ 5503 if (fad->fad_flags & FAD_WRITE) { 5504 releasef(fd); 5505 /* don't really want to audit every send call */ 5506 tad->tad_flag = 0; 5507 /* free any residual audit data */ 5508 au_close(kctx, &(u_ad), 0, 0, 0); 5509 return; 5510 } 5511 5512 /* mark things so we know what happened and don't repeat things */ 5513 fad->fad_flags |= FAD_WRITE; 5514 5515 so_family = so->so_family; 5516 so_type = so->so_type; 5517 5518 switch (so_family) { 5519 case AF_INET: 5520 case AF_INET6: 5521 /* 5522 * Only for connections. 5523 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5524 */ 5525 if (so->so_state & SS_ISBOUND) { 5526 5527 bzero((void *)so_laddr, sizeof (so_laddr)); 5528 bzero((void *)so_faddr, sizeof (so_faddr)); 5529 5530 /* only done once on a connection */ 5531 (void) SOP_GETSOCKNAME(so); 5532 (void) SOP_GETPEERNAME(so); 5533 5534 /* get local and foreign addresses */ 5535 mutex_enter(&so->so_lock); 5536 len = min(so->so_laddr_len, sizeof (so_laddr)); 5537 bcopy(so->so_laddr_sa, so_laddr, len); 5538 len = min(so->so_faddr_len, sizeof (so_faddr)); 5539 bcopy(so->so_faddr_sa, so_faddr, len); 5540 mutex_exit(&so->so_lock); 5541 5542 /* 5543 * only way to drop out of switch. Note that we 5544 * we release fd below. 5545 */ 5546 5547 break; 5548 } 5549 5550 releasef(fd); 5551 /* don't really want to audit every send call */ 5552 tad->tad_flag = 0; 5553 /* free any residual audit data */ 5554 au_close(kctx, &(u_ad), 0, 0, 0); 5555 5556 return; 5557 5558 case AF_UNIX: 5559 5560 if (fad->fad_aupath != NULL) { 5561 au_uwrite(au_to_path(fad->fad_aupath)); 5562 } else { 5563 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5564 } 5565 5566 audit_attributes(fp->f_vnode); 5567 5568 releasef(fd); 5569 5570 return; 5571 5572 default: 5573 releasef(fd); 5574 5575 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5576 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5577 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5578 5579 return; 5580 } 5581 5582 releasef(fd); 5583 5584 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5585 5586 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5587 } 5588 5589 static au_event_t 5590 aui_forksys(au_event_t e) 5591 { 5592 struct a { 5593 long subcode; 5594 long flags; 5595 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5596 5597 switch ((uint_t)uap->subcode) { 5598 case 0: 5599 e = AUE_FORK1; 5600 break; 5601 case 1: 5602 e = AUE_FORKALL; 5603 break; 5604 case 2: 5605 e = AUE_VFORK; 5606 break; 5607 default: 5608 e = AUE_NULL; 5609 break; 5610 } 5611 5612 return (e); 5613 } 5614 5615 /*ARGSUSED*/ 5616 static au_event_t 5617 aui_portfs(au_event_t e) 5618 { 5619 struct a { /* portfs */ 5620 long a1; 5621 long a2; 5622 long a3; 5623 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5624 5625 /* 5626 * check opcode 5627 */ 5628 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5629 case PORT_ASSOCIATE: 5630 case PORT_DISSOCIATE: 5631 /* 5632 * check source 5633 */ 5634 if ((uint_t)uap->a3 == PORT_SOURCE_FILE) { 5635 e = AUE_PORTFS; 5636 } else { 5637 e = AUE_NULL; 5638 } 5639 break; 5640 default: 5641 e = AUE_NULL; 5642 } 5643 return (e); 5644 } 5645