xref: /illumos-gate/usr/src/uts/common/c2/audit_event.c (revision f9e0b1dc6f25356fd35837dc9e1124b2d91ed6f3)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*
27  * This file contains the audit event table used to control the production
28  * of audit records for each system call.
29  */
30 
31 #include <sys/policy.h>
32 #include <sys/cred.h>
33 #include <sys/types.h>
34 #include <sys/systm.h>
35 #include <sys/systeminfo.h>	/* for sysinfo auditing */
36 #include <sys/utsname.h>	/* for sysinfo auditing */
37 #include <sys/proc.h>
38 #include <sys/vnode.h>
39 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
40 #include <sys/fcntl.h>
41 #include <sys/modctl.h>		/* for modctl auditing */
42 #include <sys/vnode.h>
43 #include <sys/user.h>
44 #include <sys/types.h>
45 #include <sys/processor.h>
46 #include <sys/procset.h>
47 #include <sys/acl.h>
48 #include <sys/ipc.h>
49 #include <sys/door.h>
50 #include <sys/sem.h>
51 #include <sys/msg.h>
52 #include <sys/shm.h>
53 #include <sys/kmem.h>
54 #include <sys/file.h>		/* for accept */
55 #include <sys/utssys.h>		/* for fuser */
56 #include <sys/tsol/label.h>
57 #include <sys/tsol/tndb.h>
58 #include <sys/tsol/tsyscall.h>
59 #include <c2/audit.h>
60 #include <c2/audit_kernel.h>
61 #include <c2/audit_kevents.h>
62 #include <c2/audit_record.h>
63 #include <sys/procset.h>
64 #include <nfs/mount.h>
65 #include <sys/param.h>
66 #include <sys/debug.h>
67 #include <sys/sysmacros.h>
68 #include <sys/stream.h>
69 #include <sys/strsubr.h>
70 #include <sys/stropts.h>
71 #include <sys/tihdr.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/vfs_opreg.h>
75 #include <fs/sockfs/sockcommon.h>
76 #include <netinet/in.h>
77 #include <sys/ddi.h>
78 #include <sys/port_impl.h>
79 
80 
81 char	_depends_on[] = "fs/sockfs";
82 
83 static au_event_t	aui_fchownat(au_event_t);
84 static au_event_t	aui_fchmodat(au_event_t);
85 static au_event_t	aui_open(au_event_t);
86 static au_event_t	aui_openat(au_event_t);
87 static au_event_t	aui_unlinkat(au_event_t);
88 static au_event_t	aui_fstatat(au_event_t);
89 static au_event_t	aui_msgsys(au_event_t);
90 static au_event_t	aui_shmsys(au_event_t);
91 static au_event_t	aui_semsys(au_event_t);
92 static au_event_t	aui_utssys(au_event_t);
93 static au_event_t	aui_fcntl(au_event_t);
94 static au_event_t	aui_execve(au_event_t);
95 static au_event_t	aui_memcntl(au_event_t);
96 static au_event_t	aui_sysinfo(au_event_t);
97 static au_event_t	aui_portfs(au_event_t);
98 static au_event_t	aui_auditsys(au_event_t);
99 static au_event_t	aui_modctl(au_event_t);
100 static au_event_t	aui_acl(au_event_t);
101 static au_event_t	aui_doorfs(au_event_t);
102 static au_event_t	aui_privsys(au_event_t);
103 static au_event_t	aui_forksys(au_event_t);
104 static au_event_t	aui_labelsys(au_event_t);
105 static au_event_t	aui_setpgrp(au_event_t);
106 
107 static void	aus_exit(struct t_audit_data *);
108 static void	aus_open(struct t_audit_data *);
109 static void	aus_openat(struct t_audit_data *);
110 static void	aus_acl(struct t_audit_data *);
111 static void	aus_acct(struct t_audit_data *);
112 static void	aus_chown(struct t_audit_data *);
113 static void	aus_fchown(struct t_audit_data *);
114 static void	aus_lchown(struct t_audit_data *);
115 static void	aus_fchownat(struct t_audit_data *);
116 static void	aus_chmod(struct t_audit_data *);
117 static void	aus_facl(struct t_audit_data *);
118 static void	aus_fchmod(struct t_audit_data *);
119 static void	aus_fchmodat(struct t_audit_data *);
120 static void	aus_fcntl(struct t_audit_data *);
121 static void	aus_mkdir(struct t_audit_data *);
122 static void	aus_mkdirat(struct t_audit_data *);
123 static void	aus_mknod(struct t_audit_data *);
124 static void	aus_mknodat(struct t_audit_data *);
125 static void	aus_mount(struct t_audit_data *);
126 static void	aus_umount2(struct t_audit_data *);
127 static void	aus_msgsys(struct t_audit_data *);
128 static void	aus_semsys(struct t_audit_data *);
129 static void	aus_close(struct t_audit_data *);
130 static void	aus_fstatfs(struct t_audit_data *);
131 static void	aus_setgid(struct t_audit_data *);
132 static void	aus_setpgrp(struct t_audit_data *);
133 static void	aus_setuid(struct t_audit_data *);
134 static void	aus_shmsys(struct t_audit_data *);
135 static void	aus_doorfs(struct t_audit_data *);
136 static void	aus_ioctl(struct t_audit_data *);
137 static void	aus_memcntl(struct t_audit_data *);
138 static void	aus_mmap(struct t_audit_data *);
139 static void	aus_munmap(struct t_audit_data *);
140 static void	aus_priocntlsys(struct t_audit_data *);
141 static void	aus_setegid(struct t_audit_data *);
142 static void	aus_setgroups(struct t_audit_data *);
143 static void	aus_seteuid(struct t_audit_data *);
144 static void	aus_putmsg(struct t_audit_data *);
145 static void	aus_putpmsg(struct t_audit_data *);
146 static void	aus_getmsg(struct t_audit_data *);
147 static void	aus_getpmsg(struct t_audit_data *);
148 static void	aus_auditsys(struct t_audit_data *);
149 static void	aus_sysinfo(struct t_audit_data *);
150 static void	aus_modctl(struct t_audit_data *);
151 static void	aus_kill(struct t_audit_data *);
152 static void	aus_setregid(struct t_audit_data *);
153 static void	aus_setreuid(struct t_audit_data *);
154 static void	aus_labelsys(struct t_audit_data *);
155 
156 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
157 static void	auf_mknodat(struct t_audit_data *, int, rval_t *);
158 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
159 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
160 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
161 static void	auf_read(struct t_audit_data *, int, rval_t *);
162 static void	auf_write(struct t_audit_data *, int, rval_t *);
163 
164 static void	aus_sigqueue(struct t_audit_data *);
165 static void	aus_p_online(struct t_audit_data *);
166 static void	aus_processor_bind(struct t_audit_data *);
167 static void	aus_inst_sync(struct t_audit_data *);
168 static void	aus_brandsys(struct t_audit_data *);
169 
170 static void	auf_accept(struct t_audit_data *, int, rval_t *);
171 
172 static void	auf_bind(struct t_audit_data *, int, rval_t *);
173 static void	auf_connect(struct t_audit_data *, int, rval_t *);
174 static void	aus_shutdown(struct t_audit_data *);
175 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
176 static void	aus_sockconfig(struct t_audit_data *);
177 static void	auf_recv(struct t_audit_data *, int, rval_t *);
178 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
179 static void	auf_send(struct t_audit_data *, int, rval_t *);
180 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
181 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
182 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
183 static void	aus_socket(struct t_audit_data *);
184 /*
185  * This table contains mapping information for converting system call numbers
186  * to audit event IDs. In several cases it is necessary to map a single system
187  * call to several events.
188  */
189 
190 #define	aui_null	NULL	/* NULL initialize function */
191 #define	aus_null	NULL	/* NULL start function */
192 #define	auf_null	NULL	/* NULL finish function */
193 
194 struct audit_s2e audit_s2e[] =
195 {
196 /*
197  * ----------	---------- 	----------	----------
198  * INITIAL	AUDIT		START		SYSTEM
199  * PROCESSING	EVENT		PROCESSING	CALL
200  * ----------	----------	----------	-----------
201  *		FINISH		EVENT
202  *		PROCESSING	CONTROL
203  * ----------------------------------------------------------
204  */
205 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
206 		auf_null,	0,
207 aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
208 		auf_null,	S2E_NPT,
209 aui_null,	AUE_NULL,	aus_null,	/* 2 (loadable) was forkall */
210 		auf_null,	0,
211 aui_null,	AUE_READ,	aus_null,	/* 3 read */
212 		auf_read,	S2E_PUB,
213 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
214 		auf_write,	0,
215 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
216 		auf_null,	S2E_SP,
217 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
218 		auf_null,	0,
219 aui_null,	AUE_LINK,	aus_null,	/* 7 linkat */
220 		auf_null,	0,
221 aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
222 		auf_null,	0,
223 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
224 		auf_null,	0,
225 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
226 		auf_null,	0,
227 aui_null,	AUE_SYMLINK,	aus_null,	/* 11 symlinkat */
228 		auf_null,	0,
229 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
230 		auf_null,	S2E_SP,
231 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
232 		auf_null,	0,
233 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
234 		auf_mknod,	S2E_MLD,
235 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
236 		auf_null,	0,
237 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
238 		auf_null,	0,
239 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
240 		auf_null,	0,
241 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
242 		auf_null,	S2E_PUB,
243 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
244 		auf_null,	0,
245 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
246 		auf_null,	0,
247 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
248 		auf_null,	S2E_MLD,
249 aui_null,	AUE_READLINK,	aus_null,	/* 22 readlinkat */
250 		auf_null,	S2E_PUB,
251 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
254 		auf_null,	0,
255 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
264 		auf_null,	0,
265 aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
266 		auf_null,	0,
267 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
268 		auf_null,	0,
269 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
270 		auf_null,	0,
271 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
272 		auf_null,	S2E_PUB,
273 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
274 		auf_null,	0,
275 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
276 		auf_null,	S2E_PUB,
277 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
278 		auf_null,	0,
279 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
280 		auf_null,	0,
281 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
282 		auf_null,	S2E_PUB,
283 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
288 		auf_null,	0,
289 aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
290 		auf_null,	0,
291 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
292 		auf_null,	0,
293 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
294 		auf_null,	0,
295 aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
296 		auf_null,	S2E_PUB,
297 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
298 		auf_null,	0,
299 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
300 		auf_null,	0,
301 aui_null,	AUE_MKNOD,	aus_mknodat,	/* 48 mknodat */
302 		auf_mknodat,	S2E_MLD,
303 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
304 		auf_msgsys,	0,
305 #if defined(__x86)
306 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
307 		auf_null,	0,
308 #else
309 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
310 		auf_null,	0,
311 #endif /* __x86 */
312 aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
313 		auf_null,	0,
314 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
315 		auf_shmsys,	0,
316 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
317 		auf_semsys,	0,
318 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
319 		auf_null,	0,
320 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
321 		auf_null,	0,
322 aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
323 		auf_null,	0,
324 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
325 		auf_null,	0,
326 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
327 		auf_null,	0,
328 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
329 		auf_null,	S2E_MLD,
330 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
331 		auf_null,	0,
332 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
333 		auf_null,	S2E_SP,
334 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
335 		auf_null,	0,
336 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
337 		auf_null,	0,
338 aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
339 		auf_null,	0,
340 aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
341 		auf_null,	0,
342 aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
343 		auf_null,	S2E_PUB,
344 aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
345 		auf_null,	S2E_PUB,
346 aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
347 		auf_null,	S2E_SP,
348 aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
349 		auf_null,	S2E_SP,
350 aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
363 		auf_null,	0,
364 aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
365 		auf_null,	0,
366 aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
367 		auf_null,	0,
368 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
369 		auf_null,	0,
370 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
373 		auf_null,	0,
374 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
375 		auf_null,	0,
376 aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
377 		auf_null,	0,
378 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
379 		auf_null,	0,
380 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
381 		auf_null,	0,
382 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
383 		auf_null,	0,
384 aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
385 		auf_null,	0,
386 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
387 		auf_null,	S2E_PUB,
388 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
389 		auf_null,	0,
390 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
391 		auf_null,	S2E_PUB,
392 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
393 		auf_null,	0,
394 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
395 		auf_null,	0,
396 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
397 		auf_null,	0,
398 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
411 		auf_null,	0,
412 aui_fchmodat,	AUE_NULL,	aus_fchmodat,	/* 101 fchmodat */
413 		auf_null,	0,
414 aui_null,	AUE_MKDIR,	aus_mkdirat,	/* 102 mkdirat */
415 		auf_null,	0,
416 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
417 		auf_null,	S2E_PUB,
418 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
423 		auf_null,	0,
424 aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
425 		auf_null,	0,
426 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
427 		auf_null,	0,
428 #if defined(__x86)
429 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
430 		auf_null,	0,
431 #else
432 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
433 		auf_null,	0,
434 #endif /* __x86 */
435 aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
436 		auf_null,	0,
437 aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
438 		auf_null,	0,
439 aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
440 		auf_null,	0,
441 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
442 		auf_null,	S2E_PUB,
443 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
444 		auf_null,	0,
445 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
446 		auf_null,	0,
447 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
448 		auf_null,	0,
449 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
450 		auf_null,	0,
451 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
452 		auf_null,	0,
453 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
454 		auf_null,	0,
455 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
456 		auf_null,	0,
457 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
458 		auf_read,	S2E_PUB,
459 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
460 		auf_write,	0,
461 aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
462 		auf_null,	0,
463 aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
464 		auf_null,	0,
465 aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
466 		auf_null,	0,
467 aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
468 		auf_null,	0,
469 aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
470 		auf_null,	0,
471 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
472 		auf_null,	0,
473 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
474 		auf_null,	0,
475 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
476 		auf_null,	0,
477 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
478 		auf_null,	0,
479 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
480 		auf_null,	0,
481 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
482 		auf_null,	0,
483 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
484 		auf_null,	0,
485 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
486 		auf_null,	0,
487 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
488 		auf_null,	0,
489 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
490 		auf_null,	0,
491 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
492 		auf_null,	0,
493 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
494 		auf_null,	0,
495 aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
496 		auf_null,	0,
497 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
498 		auf_null,	0,
499 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
506 		auf_null,	0,
507 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
508 		auf_null,	0,
509 aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
510 						/*	was lwp_sema_wait */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
515 		auf_null,	0,
516 aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
517 		auf_null,	0,
518 aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
519 		auf_null,	0,
520 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
521 		auf_null,	0,
522 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
555 						/*	was lwp_mutex_lock */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
558 		auf_null,	0,
559 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
560 		auf_null,	0,
561 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
562 		auf_null,	0,
563 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
564 		auf_read,	S2E_PUB,
565 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
566 		auf_write,	0,
567 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
568 		auf_null,	0,
569 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) inst_sync */
570 		auf_null,	0,
571 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
578 		auf_null,	0,
579 aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
580 		auf_null,	0,
581 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
582 		auf_null,	S2E_MLD,
583 aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
584 		auf_null,	0,
585 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
586 		auf_null,	0,
587 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
588 		auf_null,	0,
589 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
590 		auf_null,	0,
591 aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
592 		auf_null,	0,
593 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
594 		auf_null,	0,
595 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
600 		auf_null,	0,
601 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
614 		auf_null,	0,
615 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
616 		auf_null,	0,
617 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
618 		auf_null,	0,
619 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
620 		auf_null,	0,
621 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
622 		auf_null,	0,
623 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
642 		auf_null,	0,
643 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
644 		auf_null,	0,
645 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
646 		auf_null,	0,
647 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
652 		auf_null,	0,
653 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
654 		auf_null,	S2E_PUB,
655 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
656 		auf_null,	0,
657 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
658 		auf_null,	0,
659 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
660 		auf_null,	0,
661 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
662 		auf_read,	S2E_PUB,
663 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
664 		auf_write,	0,
665 aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
666 		auf_null,	0,
667 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
668 		auf_null,	S2E_SP,
669 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
676 		auf_null,	0,
677 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
678 		auf_null,	0,
679 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
680 		auf_null,	0,
681 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
682 		auf_bind,	0,
683 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
684 		auf_null,	0,
685 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
686 		auf_accept,	0,
687 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
688 		auf_connect,	0,
689 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
690 		auf_null,	0,
691 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
692 		auf_recv,	0,
693 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
694 		auf_recvfrom,	0,
695 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
696 		auf_recvmsg,	0,
697 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
698 		auf_send,	0,
699 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
700 		auf_sendmsg,	0,
701 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
702 		auf_sendto,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
704 		auf_null,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
708 		auf_null,	0,
709 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
710 		auf_setsockopt,	0,
711 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
714 		auf_null,	0,
715 aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
724 		auf_null,	0,
725 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
726 		auf_null,	0,
727 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
728 		auf_null,	0
729 };
730 
731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
732 
733 
734 /* exit start function */
735 /*ARGSUSED*/
736 static void
737 aus_exit(struct t_audit_data *tad)
738 {
739 	uint32_t rval;
740 	struct a {
741 		long rval;
742 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
743 
744 	rval = (uint32_t)uap->rval;
745 	au_uwrite(au_to_arg32(1, "exit status", rval));
746 }
747 
748 /* acct start function */
749 /*ARGSUSED*/
750 static void
751 aus_acct(struct t_audit_data *tad)
752 {
753 	klwp_t *clwp = ttolwp(curthread);
754 	uintptr_t fname;
755 
756 	struct a {
757 		long	fname;		/* char * */
758 	} *uap = (struct a *)clwp->lwp_ap;
759 
760 	fname = (uintptr_t)uap->fname;
761 
762 	if (fname == 0)
763 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
764 }
765 
766 /* chown start function */
767 /*ARGSUSED*/
768 static void
769 aus_chown(struct t_audit_data *tad)
770 {
771 	klwp_t *clwp = ttolwp(curthread);
772 	uint32_t uid, gid;
773 
774 	struct a {
775 		long	fname;		/* char * */
776 		long	uid;
777 		long	gid;
778 	} *uap = (struct a *)clwp->lwp_ap;
779 
780 	uid = (uint32_t)uap->uid;
781 	gid = (uint32_t)uap->gid;
782 
783 	au_uwrite(au_to_arg32(2, "new file uid", uid));
784 	au_uwrite(au_to_arg32(3, "new file gid", gid));
785 }
786 
787 /* fchown start function */
788 /*ARGSUSED*/
789 static void
790 aus_fchown(struct t_audit_data *tad)
791 {
792 	klwp_t *clwp = ttolwp(curthread);
793 	uint32_t uid, gid, fd;
794 	struct file  *fp;
795 	struct vnode *vp;
796 	struct f_audit_data *fad;
797 
798 	struct a {
799 		long fd;
800 		long uid;
801 		long gid;
802 	} *uap = (struct a *)clwp->lwp_ap;
803 
804 	fd  = (uint32_t)uap->fd;
805 	uid = (uint32_t)uap->uid;
806 	gid = (uint32_t)uap->gid;
807 
808 	au_uwrite(au_to_arg32(2, "new file uid", uid));
809 	au_uwrite(au_to_arg32(3, "new file gid", gid));
810 
811 		/*
812 		 * convert file pointer to file descriptor
813 		 *   Note: fd ref count incremented here.
814 		 */
815 	if ((fp = getf(fd)) == NULL)
816 		return;
817 
818 	/* get path from file struct here */
819 	fad = F2A(fp);
820 	if (fad->fad_aupath != NULL) {
821 		au_uwrite(au_to_path(fad->fad_aupath));
822 	} else {
823 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
824 	}
825 
826 	vp = fp->f_vnode;
827 	audit_attributes(vp);
828 
829 	/* decrement file descriptor reference count */
830 	releasef(fd);
831 }
832 
833 /*ARGSUSED*/
834 static void
835 aus_lchown(struct t_audit_data *tad)
836 {
837 	klwp_t *clwp = ttolwp(curthread);
838 	uint32_t uid, gid;
839 
840 
841 	struct a {
842 		long	fname;		/* char	* */
843 		long	uid;
844 		long	gid;
845 	} *uap = (struct a *)clwp->lwp_ap;
846 
847 	uid = (uint32_t)uap->uid;
848 	gid = (uint32_t)uap->gid;
849 
850 	au_uwrite(au_to_arg32(2, "new file uid", uid));
851 	au_uwrite(au_to_arg32(3, "new file gid", gid));
852 }
853 
854 static au_event_t
855 aui_fchownat(au_event_t e)
856 {
857 	klwp_t *clwp = ttolwp(curthread);
858 
859 	struct a {
860 		long	fd;
861 		long	fname;		/* char * */
862 		long	uid;
863 		long	gid;
864 		long	flags;
865 	} *uap = (struct a *)clwp->lwp_ap;
866 
867 	if (uap->fname == NULL)
868 		e = AUE_FCHOWN;
869 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
870 		e = AUE_LCHOWN;
871 	else
872 		e = AUE_CHOWN;
873 
874 	return (e);
875 }
876 
877 /*ARGSUSED*/
878 static void
879 aus_fchownat(struct t_audit_data *tad)
880 {
881 	klwp_t *clwp = ttolwp(curthread);
882 	uint32_t uid, gid;
883 
884 	struct a {
885 		long	fd;
886 		long	fname;		/* char * */
887 		long	uid;
888 		long	gid;
889 		long	flags;
890 	} *uap = (struct a *)clwp->lwp_ap;
891 
892 	uid = (uint32_t)uap->uid;
893 	gid = (uint32_t)uap->gid;
894 
895 	au_uwrite(au_to_arg32(3, "new file uid", uid));
896 	au_uwrite(au_to_arg32(4, "new file gid", gid));
897 }
898 
899 /*ARGSUSED*/
900 static void
901 aus_chmod(struct t_audit_data *tad)
902 {
903 	klwp_t *clwp = ttolwp(curthread);
904 	uint32_t fmode;
905 
906 	struct a {
907 		long	fname;		/* char	* */
908 		long	fmode;
909 	} *uap = (struct a *)clwp->lwp_ap;
910 
911 	fmode = (uint32_t)uap->fmode;
912 
913 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
914 }
915 
916 /*ARGSUSED*/
917 static void
918 aus_fchmod(struct t_audit_data *tad)
919 {
920 	klwp_t *clwp = ttolwp(curthread);
921 	uint32_t fmode, fd;
922 	struct file  *fp;
923 	struct vnode *vp;
924 	struct f_audit_data *fad;
925 
926 	struct a {
927 		long	fd;
928 		long	fmode;
929 	} *uap = (struct a *)clwp->lwp_ap;
930 
931 	fd = (uint32_t)uap->fd;
932 	fmode = (uint32_t)uap->fmode;
933 
934 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
935 
936 	/*
937 	 * convert file pointer to file descriptor
938 	 *   Note: fd ref count incremented here.
939 	 */
940 	if ((fp = getf(fd)) == NULL)
941 		return;
942 
943 	/* get path from file struct here */
944 	fad = F2A(fp);
945 	if (fad->fad_aupath != NULL) {
946 		au_uwrite(au_to_path(fad->fad_aupath));
947 	} else {
948 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
949 	}
950 
951 	vp = fp->f_vnode;
952 	audit_attributes(vp);
953 
954 	/* decrement file descriptor reference count */
955 	releasef(fd);
956 }
957 
958 static au_event_t
959 aui_fchmodat(au_event_t e)
960 {
961 	klwp_t *clwp = ttolwp(curthread);
962 
963 	struct a {
964 		long	fd;
965 		long	fname;		/* char	* */
966 		long	fmode;
967 		long	flag;
968 	} *uap = (struct a *)clwp->lwp_ap;
969 
970 	if (uap->fname == NULL)
971 		e = AUE_FCHMOD;
972 	else
973 		e = AUE_CHMOD;
974 
975 	return (e);
976 }
977 
978 /*ARGSUSED*/
979 static void
980 aus_fchmodat(struct t_audit_data *tad)
981 {
982 	klwp_t *clwp = ttolwp(curthread);
983 	uint32_t fmode;
984 	uint32_t fd;
985 	struct file  *fp;
986 	struct vnode *vp;
987 	struct f_audit_data *fad;
988 
989 	struct a {
990 		long	fd;
991 		long	fname;		/* char	* */
992 		long	fmode;
993 		long	flag;
994 	} *uap = (struct a *)clwp->lwp_ap;
995 
996 	fd = (uint32_t)uap->fd;
997 	fmode = (uint32_t)uap->fmode;
998 
999 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1000 
1001 	if (fd == AT_FDCWD || uap->fname != NULL)	/* same as chmod() */
1002 		return;
1003 
1004 	/*
1005 	 * convert file pointer to file descriptor
1006 	 *   Note: fd ref count incremented here.
1007 	 */
1008 	if ((fp = getf(fd)) == NULL)
1009 		return;
1010 
1011 	/* get path from file struct here */
1012 	fad = F2A(fp);
1013 	if (fad->fad_aupath != NULL) {
1014 		au_uwrite(au_to_path(fad->fad_aupath));
1015 	} else {
1016 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1017 	}
1018 
1019 	vp = fp->f_vnode;
1020 	audit_attributes(vp);
1021 
1022 	/* decrement file descriptor reference count */
1023 	releasef(fd);
1024 }
1025 
1026 /*
1027  * convert open mode to appropriate open event
1028  */
1029 au_event_t
1030 open_event(uint_t fm)
1031 {
1032 	au_event_t e;
1033 
1034 	switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1035 	case O_RDONLY:
1036 		e = AUE_OPEN_R;
1037 		break;
1038 	case O_RDONLY | O_CREAT:
1039 		e = AUE_OPEN_RC;
1040 		break;
1041 	case O_RDONLY | O_TRUNC:
1042 		e = AUE_OPEN_RT;
1043 		break;
1044 	case O_RDONLY | O_TRUNC | O_CREAT:
1045 		e = AUE_OPEN_RTC;
1046 		break;
1047 	case O_WRONLY:
1048 		e = AUE_OPEN_W;
1049 		break;
1050 	case O_WRONLY | O_CREAT:
1051 		e = AUE_OPEN_WC;
1052 		break;
1053 	case O_WRONLY | O_TRUNC:
1054 		e = AUE_OPEN_WT;
1055 		break;
1056 	case O_WRONLY | O_TRUNC | O_CREAT:
1057 		e = AUE_OPEN_WTC;
1058 		break;
1059 	case O_RDWR:
1060 		e = AUE_OPEN_RW;
1061 		break;
1062 	case O_RDWR | O_CREAT:
1063 		e = AUE_OPEN_RWC;
1064 		break;
1065 	case O_RDWR | O_TRUNC:
1066 		e = AUE_OPEN_RWT;
1067 		break;
1068 	case O_RDWR | O_TRUNC | O_CREAT:
1069 		e = AUE_OPEN_RWTC;
1070 		break;
1071 	case O_SEARCH:
1072 		e = AUE_OPEN_S;
1073 		break;
1074 	case O_EXEC:
1075 		e = AUE_OPEN_E;
1076 		break;
1077 	default:
1078 		e = AUE_NULL;
1079 		break;
1080 	}
1081 
1082 	return (e);
1083 }
1084 
1085 /* ARGSUSED */
1086 static au_event_t
1087 aui_open(au_event_t e)
1088 {
1089 	klwp_t *clwp = ttolwp(curthread);
1090 	uint_t fm;
1091 
1092 	struct a {
1093 		long	fnamep;		/* char	* */
1094 		long	fmode;
1095 		long	cmode;
1096 	} *uap = (struct a *)clwp->lwp_ap;
1097 
1098 	fm = (uint_t)uap->fmode;
1099 
1100 	return (open_event(fm));
1101 }
1102 
1103 static void
1104 aus_open(struct t_audit_data *tad)
1105 {
1106 	klwp_t *clwp = ttolwp(curthread);
1107 	uint_t fm;
1108 
1109 	struct a {
1110 		long	fnamep;		/* char	* */
1111 		long	fmode;
1112 		long	cmode;
1113 	} *uap = (struct a *)clwp->lwp_ap;
1114 
1115 	fm = (uint_t)uap->fmode;
1116 
1117 	/* If no write, create, or trunc modes, mark as a public op */
1118 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1119 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1120 }
1121 
1122 /* ARGSUSED */
1123 static au_event_t
1124 aui_openat(au_event_t e)
1125 {
1126 	t_audit_data_t *tad = T2A(curthread);
1127 	klwp_t *clwp = ttolwp(curthread);
1128 	uint_t fm;
1129 
1130 	struct a {
1131 		long	filedes;
1132 		long	fnamep;		/* char	* */
1133 		long	fmode;
1134 		long	cmode;
1135 	} *uap = (struct a *)clwp->lwp_ap;
1136 
1137 	fm = (uint_t)uap->fmode;
1138 
1139 	/*
1140 	 * __openattrdirat() does an extra pathname lookup in order to
1141 	 * enter the extended system attribute namespace of the referenced
1142 	 * extended attribute filename.
1143 	 */
1144 	if (fm & FXATTRDIROPEN)
1145 		tad->tad_ctrl |= TAD_MLD;
1146 
1147 	return (open_event(fm));
1148 }
1149 
1150 static void
1151 aus_openat(struct t_audit_data *tad)
1152 {
1153 	klwp_t *clwp = ttolwp(curthread);
1154 	uint_t fm;
1155 
1156 	struct a {
1157 		long	filedes;
1158 		long	fnamep;		/* char	* */
1159 		long	fmode;
1160 		long	cmode;
1161 	} *uap = (struct a *)clwp->lwp_ap;
1162 
1163 	fm = (uint_t)uap->fmode;
1164 
1165 	/* If no write, create, or trunc modes, mark as a public op */
1166 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1167 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1168 }
1169 
1170 static au_event_t
1171 aui_unlinkat(au_event_t e)
1172 {
1173 	klwp_t *clwp = ttolwp(curthread);
1174 
1175 	struct a {
1176 		long	filedes;
1177 		long	fnamep;		/* char	* */
1178 		long	flags;
1179 	} *uap = (struct a *)clwp->lwp_ap;
1180 
1181 	if (uap->flags & AT_REMOVEDIR)
1182 		e = AUE_RMDIR;
1183 	else
1184 		e = AUE_UNLINK;
1185 
1186 	return (e);
1187 }
1188 
1189 static au_event_t
1190 aui_fstatat(au_event_t e)
1191 {
1192 	klwp_t *clwp = ttolwp(curthread);
1193 
1194 	struct a {
1195 		long	filedes;
1196 		long	fnamep;		/* char	* */
1197 		long	statb;
1198 		long	flags;
1199 	} *uap = (struct a *)clwp->lwp_ap;
1200 
1201 	if (uap->fnamep == NULL)
1202 		e = AUE_FSTAT;
1203 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1204 		e = AUE_LSTAT;
1205 	else
1206 		e = AUE_STAT;
1207 
1208 	return (e);
1209 }
1210 
1211 /* msgsys */
1212 static au_event_t
1213 aui_msgsys(au_event_t e)
1214 {
1215 	klwp_t *clwp = ttolwp(curthread);
1216 	uint_t fm;
1217 
1218 	struct a {
1219 		long	id;	/* function code id */
1220 		long	ap;	/* arg pointer for recvmsg */
1221 	} *uap = (struct a *)clwp->lwp_ap;
1222 
1223 	struct b {
1224 		long	msgid;
1225 		long	cmd;
1226 		long	buf;	/* struct msqid_ds * */
1227 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1228 
1229 	fm  = (uint_t)uap->id;
1230 
1231 	switch (fm) {
1232 	case 0:		/* msgget */
1233 		e = AUE_MSGGET;
1234 		break;
1235 	case 1:		/* msgctl */
1236 		switch ((uint_t)uap1->cmd) {
1237 		case IPC_RMID:
1238 			e = AUE_MSGCTL_RMID;
1239 			break;
1240 		case IPC_SET:
1241 			e = AUE_MSGCTL_SET;
1242 			break;
1243 		case IPC_STAT:
1244 			e = AUE_MSGCTL_STAT;
1245 			break;
1246 		default:
1247 			e = AUE_MSGCTL;
1248 			break;
1249 		}
1250 		break;
1251 	case 2:		/* msgrcv */
1252 		e = AUE_MSGRCV;
1253 		break;
1254 	case 3:		/* msgsnd */
1255 		e = AUE_MSGSND;
1256 		break;
1257 	default:	/* illegal system call */
1258 		e = AUE_NULL;
1259 		break;
1260 	}
1261 
1262 	return (e);
1263 }
1264 
1265 
1266 /* shmsys */
1267 static au_event_t
1268 aui_shmsys(au_event_t e)
1269 {
1270 	klwp_t *clwp = ttolwp(curthread);
1271 	int fm;
1272 
1273 	struct a {		/* shmsys */
1274 		long	id;	/* function code id */
1275 	} *uap = (struct a *)clwp->lwp_ap;
1276 
1277 	struct b {		/* ctrl */
1278 		long	shmid;
1279 		long	cmd;
1280 		long	arg;		/* struct shmid_ds * */
1281 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1282 	fm  = (uint_t)uap->id;
1283 
1284 	switch (fm) {
1285 	case 0:		/* shmat */
1286 		e = AUE_SHMAT;
1287 		break;
1288 	case 1:		/* shmctl */
1289 		switch ((uint_t)uap1->cmd) {
1290 		case IPC_RMID:
1291 			e = AUE_SHMCTL_RMID;
1292 			break;
1293 		case IPC_SET:
1294 			e = AUE_SHMCTL_SET;
1295 			break;
1296 		case IPC_STAT:
1297 			e = AUE_SHMCTL_STAT;
1298 			break;
1299 		default:
1300 			e = AUE_SHMCTL;
1301 			break;
1302 		}
1303 		break;
1304 	case 2:		/* shmdt */
1305 		e = AUE_SHMDT;
1306 		break;
1307 	case 3:		/* shmget */
1308 		e = AUE_SHMGET;
1309 		break;
1310 	default:	/* illegal system call */
1311 		e = AUE_NULL;
1312 		break;
1313 	}
1314 
1315 	return (e);
1316 }
1317 
1318 
1319 /* semsys */
1320 static au_event_t
1321 aui_semsys(au_event_t e)
1322 {
1323 	klwp_t *clwp = ttolwp(curthread);
1324 	uint_t fm;
1325 
1326 	struct a {		/* semsys */
1327 		long	id;
1328 	} *uap = (struct a *)clwp->lwp_ap;
1329 
1330 	struct b {		/* ctrl */
1331 		long	semid;
1332 		long	semnum;
1333 		long	cmd;
1334 		long	arg;
1335 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1336 
1337 	fm = (uint_t)uap->id;
1338 
1339 	switch (fm) {
1340 	case 0:		/* semctl */
1341 		switch ((uint_t)uap1->cmd) {
1342 		case IPC_RMID:
1343 			e = AUE_SEMCTL_RMID;
1344 			break;
1345 		case IPC_SET:
1346 			e = AUE_SEMCTL_SET;
1347 			break;
1348 		case IPC_STAT:
1349 			e = AUE_SEMCTL_STAT;
1350 			break;
1351 		case GETNCNT:
1352 			e = AUE_SEMCTL_GETNCNT;
1353 			break;
1354 		case GETPID:
1355 			e = AUE_SEMCTL_GETPID;
1356 			break;
1357 		case GETVAL:
1358 			e = AUE_SEMCTL_GETVAL;
1359 			break;
1360 		case GETALL:
1361 			e = AUE_SEMCTL_GETALL;
1362 			break;
1363 		case GETZCNT:
1364 			e = AUE_SEMCTL_GETZCNT;
1365 			break;
1366 		case SETVAL:
1367 			e = AUE_SEMCTL_SETVAL;
1368 			break;
1369 		case SETALL:
1370 			e = AUE_SEMCTL_SETALL;
1371 			break;
1372 		default:
1373 			e = AUE_SEMCTL;
1374 			break;
1375 		}
1376 		break;
1377 	case 1:		/* semget */
1378 		e = AUE_SEMGET;
1379 		break;
1380 	case 2:		/* semop */
1381 		e = AUE_SEMOP;
1382 		break;
1383 	default:	/* illegal system call */
1384 		e = AUE_NULL;
1385 		break;
1386 	}
1387 
1388 	return (e);
1389 }
1390 
1391 /* utssys - uname(2), ustat(2), fusers(2) */
1392 static au_event_t
1393 aui_utssys(au_event_t e)
1394 {
1395 	klwp_t *clwp = ttolwp(curthread);
1396 	uint_t type;
1397 
1398 	struct a {
1399 		union {
1400 			long	cbuf;		/* char * */
1401 			long	ubuf;		/* struct stat * */
1402 		} ub;
1403 		union {
1404 			long	mv;	/* for USTAT */
1405 			long	flags;	/* for FUSERS */
1406 		} un;
1407 		long	type;
1408 		long	outbp;		/* char * for FUSERS */
1409 	} *uap = (struct a *)clwp->lwp_ap;
1410 
1411 	type = (uint_t)uap->type;
1412 
1413 	if (type == UTS_FUSERS)
1414 		return (e);
1415 	else
1416 		return ((au_event_t)AUE_NULL);
1417 }
1418 
1419 static au_event_t
1420 aui_fcntl(au_event_t e)
1421 {
1422 	klwp_t *clwp = ttolwp(curthread);
1423 	uint_t cmd;
1424 
1425 	struct a {
1426 		long	fdes;
1427 		long	cmd;
1428 		long	arg;
1429 	} *uap = (struct a *)clwp->lwp_ap;
1430 
1431 	cmd = (uint_t)uap->cmd;
1432 
1433 	switch (cmd) {
1434 	case F_GETLK:
1435 	case F_SETLK:
1436 	case F_SETLKW:
1437 		break;
1438 	case F_SETFL:
1439 	case F_GETFL:
1440 	case F_GETFD:
1441 		break;
1442 	default:
1443 		e = (au_event_t)AUE_NULL;
1444 		break;
1445 	}
1446 	return ((au_event_t)e);
1447 }
1448 
1449 /* null function for now */
1450 static au_event_t
1451 aui_execve(au_event_t e)
1452 {
1453 	return (e);
1454 }
1455 
1456 /*ARGSUSED*/
1457 static void
1458 aus_fcntl(struct t_audit_data *tad)
1459 {
1460 	klwp_t *clwp = ttolwp(curthread);
1461 	uint32_t cmd, fd, flags;
1462 	struct file  *fp;
1463 	struct vnode *vp;
1464 	struct f_audit_data *fad;
1465 
1466 	struct a {
1467 		long	fd;
1468 		long	cmd;
1469 		long	arg;
1470 	} *uap = (struct a *)clwp->lwp_ap;
1471 
1472 	cmd	= (uint32_t)uap->cmd;
1473 	fd	= (uint32_t)uap->fd;
1474 	flags	= (uint32_t)uap->arg;
1475 
1476 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1477 
1478 	if (cmd == F_SETFL)
1479 		au_uwrite(au_to_arg32(3, "flags", flags));
1480 
1481 		/*
1482 		 * convert file pointer to file descriptor
1483 		 *   Note: fd ref count incremented here.
1484 		 */
1485 	if ((fp = getf(fd)) == NULL)
1486 		return;
1487 
1488 	/* get path from file struct here */
1489 	fad = F2A(fp);
1490 	if (fad->fad_aupath != NULL) {
1491 		au_uwrite(au_to_path(fad->fad_aupath));
1492 	} else {
1493 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1494 	}
1495 
1496 	vp = fp->f_vnode;
1497 	audit_attributes(vp);
1498 
1499 	/* decrement file descriptor reference count */
1500 	releasef(fd);
1501 }
1502 
1503 /*ARGSUSED*/
1504 static void
1505 aus_kill(struct t_audit_data *tad)
1506 {
1507 	klwp_t *clwp = ttolwp(curthread);
1508 	struct proc *p;
1509 	uint32_t signo;
1510 	uid_t uid, ruid;
1511 	gid_t gid, rgid;
1512 	pid_t pid;
1513 	const auditinfo_addr_t *ainfo;
1514 	cred_t *cr;
1515 
1516 	struct a {
1517 		long	pid;
1518 		long	signo;
1519 	} *uap = (struct a *)clwp->lwp_ap;
1520 
1521 	pid   = (pid_t)uap->pid;
1522 	signo = (uint32_t)uap->signo;
1523 
1524 	au_uwrite(au_to_arg32(2, "signal", signo));
1525 	if (pid > 0) {
1526 		mutex_enter(&pidlock);
1527 		if (((p = prfind(pid)) == (struct proc *)0) ||
1528 		    (p->p_stat == SIDL)) {
1529 			mutex_exit(&pidlock);
1530 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1531 			return;
1532 		}
1533 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1534 		mutex_exit(&pidlock);
1535 
1536 		mutex_enter(&p->p_crlock);
1537 		crhold(cr = p->p_cred);
1538 		mutex_exit(&p->p_crlock);
1539 		mutex_exit(&p->p_lock);
1540 
1541 		ainfo = crgetauinfo(cr);
1542 		if (ainfo == NULL) {
1543 			crfree(cr);
1544 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1545 			return;
1546 		}
1547 
1548 		uid  = crgetuid(cr);
1549 		gid  = crgetgid(cr);
1550 		ruid = crgetruid(cr);
1551 		rgid = crgetrgid(cr);
1552 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1553 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1554 
1555 		if (is_system_labeled())
1556 			au_uwrite(au_to_label(CR_SL(cr)));
1557 
1558 		crfree(cr);
1559 	}
1560 	else
1561 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1562 }
1563 
1564 /*ARGSUSED*/
1565 static void
1566 aus_mkdir(struct t_audit_data *tad)
1567 {
1568 	klwp_t *clwp = ttolwp(curthread);
1569 	uint32_t dmode;
1570 
1571 	struct a {
1572 		long	dirnamep;		/* char * */
1573 		long	dmode;
1574 	} *uap = (struct a *)clwp->lwp_ap;
1575 
1576 	dmode = (uint32_t)uap->dmode;
1577 
1578 	au_uwrite(au_to_arg32(2, "mode", dmode));
1579 }
1580 
1581 /*ARGSUSED*/
1582 static void
1583 aus_mkdirat(struct t_audit_data *tad)
1584 {
1585 	klwp_t *clwp = ttolwp(curthread);
1586 	uint32_t dmode;
1587 
1588 	struct a {
1589 		long	fd;
1590 		long	dirnamep;		/* char * */
1591 		long	dmode;
1592 	} *uap = (struct a *)clwp->lwp_ap;
1593 
1594 	dmode = (uint32_t)uap->dmode;
1595 
1596 	au_uwrite(au_to_arg32(2, "mode", dmode));
1597 }
1598 
1599 /*ARGSUSED*/
1600 static void
1601 aus_mknod(struct t_audit_data *tad)
1602 {
1603 	klwp_t *clwp = ttolwp(curthread);
1604 	uint32_t fmode;
1605 	dev_t dev;
1606 
1607 	struct a {
1608 		long	pnamep;		/* char * */
1609 		long	fmode;
1610 		long	dev;
1611 	} *uap = (struct a *)clwp->lwp_ap;
1612 
1613 	fmode = (uint32_t)uap->fmode;
1614 	dev   = (dev_t)uap->dev;
1615 
1616 	au_uwrite(au_to_arg32(2, "mode", fmode));
1617 #ifdef _LP64
1618 	au_uwrite(au_to_arg64(3, "dev", dev));
1619 #else
1620 	au_uwrite(au_to_arg32(3, "dev", dev));
1621 #endif
1622 }
1623 
1624 /*ARGSUSED*/
1625 static void
1626 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1627 {
1628 	klwp_t *clwp = ttolwp(curthread);
1629 	vnode_t	*dvp;
1630 	caddr_t pnamep;
1631 
1632 	struct a {
1633 		long	pnamep;		/* char * */
1634 		long	fmode;
1635 		long	dev;
1636 	} *uap = (struct a *)clwp->lwp_ap;
1637 
1638 	/* no error, then already path token in audit record */
1639 	if (error != EPERM && error != EINVAL)
1640 		return;
1641 
1642 	/* do the lookup to force generation of path token */
1643 	pnamep = (caddr_t)uap->pnamep;
1644 	tad->tad_ctrl |= TAD_NOATTRB;
1645 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1646 	if (error == 0)
1647 		VN_RELE(dvp);
1648 }
1649 
1650 /*ARGSUSED*/
1651 static void
1652 aus_mknodat(struct t_audit_data *tad)
1653 {
1654 	klwp_t *clwp = ttolwp(curthread);
1655 	uint32_t fmode;
1656 	dev_t dev;
1657 
1658 	struct a {
1659 		long	fd;
1660 		long	pnamep;		/* char * */
1661 		long	fmode;
1662 		long	dev;
1663 	} *uap = (struct a *)clwp->lwp_ap;
1664 
1665 	fmode = (uint32_t)uap->fmode;
1666 	dev   = (dev_t)uap->dev;
1667 
1668 	au_uwrite(au_to_arg32(2, "mode", fmode));
1669 #ifdef _LP64
1670 	au_uwrite(au_to_arg64(3, "dev", dev));
1671 #else
1672 	au_uwrite(au_to_arg32(3, "dev", dev));
1673 #endif
1674 }
1675 
1676 /*ARGSUSED*/
1677 static void
1678 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1679 {
1680 	klwp_t *clwp = ttolwp(curthread);
1681 	vnode_t	*startvp;
1682 	vnode_t	*dvp;
1683 	caddr_t pnamep;
1684 	int fd;
1685 
1686 	struct a {
1687 		long	fd;
1688 		long	pnamep;		/* char * */
1689 		long	fmode;
1690 		long	dev;
1691 	} *uap = (struct a *)clwp->lwp_ap;
1692 
1693 	/* no error, then already path token in audit record */
1694 	if (error != EPERM && error != EINVAL)
1695 		return;
1696 
1697 	/* do the lookup to force generation of path token */
1698 	fd = (int)uap->fd;
1699 	pnamep = (caddr_t)uap->pnamep;
1700 	if (pnamep == NULL ||
1701 	    fgetstartvp(fd, pnamep, &startvp) != 0)
1702 		return;
1703 	tad->tad_ctrl |= TAD_NOATTRB;
1704 	error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1705 	    startvp);
1706 	if (error == 0)
1707 		VN_RELE(dvp);
1708 	if (startvp != NULL)
1709 		VN_RELE(startvp);
1710 }
1711 
1712 /*ARGSUSED*/
1713 static void
1714 aus_mount(struct t_audit_data *tad)
1715 {	/* AUS_START */
1716 	klwp_t *clwp = ttolwp(curthread);
1717 	uint32_t flags;
1718 	uintptr_t u_fstype, dataptr;
1719 	STRUCT_DECL(nfs_args, nfsargs);
1720 	size_t len;
1721 	char *fstype, *hostname;
1722 
1723 	struct a {
1724 		long	spec;		/* char    * */
1725 		long	dir;		/* char    * */
1726 		long	flags;
1727 		long	fstype;		/* char    * */
1728 		long	dataptr;	/* char    * */
1729 		long	datalen;
1730 	} *uap = (struct a *)clwp->lwp_ap;
1731 
1732 	u_fstype = (uintptr_t)uap->fstype;
1733 	flags    = (uint32_t)uap->flags;
1734 	dataptr  = (uintptr_t)uap->dataptr;
1735 
1736 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1737 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1738 		goto mount_free_fstype;
1739 
1740 	au_uwrite(au_to_arg32(3, "flags", flags));
1741 	au_uwrite(au_to_text(fstype));
1742 
1743 	if (strncmp(fstype, "nfs", 3) == 0) {
1744 
1745 		STRUCT_INIT(nfsargs, get_udatamodel());
1746 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1747 
1748 		if (copyin((caddr_t)dataptr,
1749 				STRUCT_BUF(nfsargs),
1750 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1751 			/* DEBUG debug_enter((char *)NULL); */
1752 			goto mount_free_fstype;
1753 		}
1754 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1755 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1756 				(caddr_t)hostname,
1757 				MAXNAMELEN, &len)) {
1758 			goto mount_free_hostname;
1759 		}
1760 		au_uwrite(au_to_text(hostname));
1761 		au_uwrite(au_to_arg32(3, "internal flags",
1762 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1763 
1764 mount_free_hostname:
1765 		kmem_free(hostname, MAXNAMELEN);
1766 	}
1767 
1768 mount_free_fstype:
1769 	kmem_free(fstype, MAXNAMELEN);
1770 }	/* AUS_MOUNT */
1771 
1772 static void
1773 aus_umount_path(caddr_t umount_dir)
1774 {
1775 	char			*dir_path;
1776 	struct audit_path	*path;
1777 	size_t			path_len, dir_len;
1778 
1779 	/* length alloc'd for two string pointers */
1780 	path_len = sizeof (struct audit_path) + sizeof (char *);
1781 	path = kmem_alloc(path_len, KM_SLEEP);
1782 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1783 
1784 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1785 	    MAXPATHLEN, &dir_len))
1786 		goto umount2_free_dir;
1787 
1788 	/*
1789 	 * the audit_path struct assumes that the buffer pointed to
1790 	 * by audp_sect[n] contains string 0 immediatedly followed
1791 	 * by string 1.
1792 	 */
1793 	path->audp_sect[0] = dir_path;
1794 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1795 	path->audp_size = path_len;
1796 	path->audp_ref = 1;		/* not used */
1797 	path->audp_cnt = 1;		/* one path string */
1798 
1799 	au_uwrite(au_to_path(path));
1800 
1801 umount2_free_dir:
1802 	kmem_free(dir_path, MAXPATHLEN);
1803 	kmem_free(path, path_len);
1804 }
1805 
1806 /*ARGSUSED*/
1807 static void
1808 aus_umount2(struct t_audit_data *tad)
1809 {
1810 	klwp_t			*clwp = ttolwp(curthread);
1811 	struct a {
1812 		long	dir;		/* char    * */
1813 		long	flags;
1814 	} *uap = (struct a *)clwp->lwp_ap;
1815 
1816 	aus_umount_path((caddr_t)uap->dir);
1817 
1818 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1819 }
1820 
1821 static void
1822 aus_msgsys(struct t_audit_data *tad)
1823 {
1824 	klwp_t *clwp = ttolwp(curthread);
1825 	uint32_t msgid;
1826 
1827 	struct b {
1828 		long	msgid;
1829 		long	cmd;
1830 		long	buf;		/* struct msqid_ds * */
1831 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1832 
1833 	msgid = (uint32_t)uap1->msgid;
1834 
1835 
1836 	switch (tad->tad_event) {
1837 	case AUE_MSGGET:		/* msgget */
1838 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1839 		break;
1840 	case AUE_MSGCTL:		/* msgctl */
1841 	case AUE_MSGCTL_RMID:		/* msgctl */
1842 	case AUE_MSGCTL_SET:		/* msgctl */
1843 	case AUE_MSGCTL_STAT:		/* msgctl */
1844 	case AUE_MSGRCV:		/* msgrcv */
1845 	case AUE_MSGSND:		/* msgsnd */
1846 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1847 		break;
1848 	}
1849 }
1850 
1851 /*ARGSUSED*/
1852 static void
1853 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1854 {
1855 	int id;
1856 
1857 	if (error != 0)
1858 		return;
1859 	if (tad->tad_event == AUE_MSGGET) {
1860 		uint32_t scid;
1861 		uint32_t sy_flags;
1862 
1863 		/* need to determine type of executing binary */
1864 		scid = tad->tad_scid;
1865 #ifdef _SYSCALL32_IMPL
1866 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1867 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1868 		else
1869 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1870 #else
1871 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1872 #endif
1873 		if (sy_flags == SE_32RVAL1)
1874 			id = rval->r_val1;
1875 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1876 			id = rval->r_val1;
1877 		if (sy_flags == SE_64RVAL)
1878 			id = (int)rval->r_vals;
1879 
1880 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1881 	}
1882 }
1883 
1884 static void
1885 aus_semsys(struct t_audit_data *tad)
1886 {
1887 	klwp_t *clwp = ttolwp(curthread);
1888 	uint32_t semid;
1889 
1890 	struct b {		/* ctrl */
1891 		long	semid;
1892 		long	semnum;
1893 		long	cmd;
1894 		long	arg;
1895 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1896 
1897 	semid = (uint32_t)uap1->semid;
1898 
1899 	switch (tad->tad_event) {
1900 	case AUE_SEMCTL_RMID:
1901 	case AUE_SEMCTL_STAT:
1902 	case AUE_SEMCTL_GETNCNT:
1903 	case AUE_SEMCTL_GETPID:
1904 	case AUE_SEMCTL_GETVAL:
1905 	case AUE_SEMCTL_GETALL:
1906 	case AUE_SEMCTL_GETZCNT:
1907 	case AUE_SEMCTL_SET:
1908 	case AUE_SEMCTL_SETVAL:
1909 	case AUE_SEMCTL_SETALL:
1910 	case AUE_SEMCTL:
1911 	case AUE_SEMOP:
1912 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1913 		break;
1914 	case AUE_SEMGET:
1915 		au_uwrite(au_to_arg32(1, "sem key", semid));
1916 		break;
1917 	}
1918 }
1919 
1920 /*ARGSUSED*/
1921 static void
1922 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1923 {
1924 	int id;
1925 
1926 	if (error != 0)
1927 		return;
1928 	if (tad->tad_event == AUE_SEMGET) {
1929 		uint32_t scid;
1930 		uint32_t sy_flags;
1931 
1932 		/* need to determine type of executing binary */
1933 		scid = tad->tad_scid;
1934 #ifdef _SYSCALL32_IMPL
1935 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1936 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1937 		else
1938 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1939 #else
1940 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1941 #endif
1942 		if (sy_flags == SE_32RVAL1)
1943 			id = rval->r_val1;
1944 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1945 			id = rval->r_val1;
1946 		if (sy_flags == SE_64RVAL)
1947 			id = (int)rval->r_vals;
1948 
1949 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1950 	}
1951 }
1952 
1953 /*ARGSUSED*/
1954 static void
1955 aus_close(struct t_audit_data *tad)
1956 {
1957 	klwp_t *clwp = ttolwp(curthread);
1958 	uint32_t fd;
1959 	struct file *fp;
1960 	struct f_audit_data *fad;
1961 	struct vnode *vp;
1962 	struct vattr attr;
1963 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1964 
1965 	struct a {
1966 		long	i;
1967 	} *uap = (struct a *)clwp->lwp_ap;
1968 
1969 	fd = (uint32_t)uap->i;
1970 
1971 	attr.va_mask = 0;
1972 	au_uwrite(au_to_arg32(1, "fd", fd));
1973 
1974 		/*
1975 		 * convert file pointer to file descriptor
1976 		 *   Note: fd ref count incremented here.
1977 		 */
1978 	if ((fp = getf(fd)) == NULL)
1979 		return;
1980 
1981 	fad = F2A(fp);
1982 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1983 	if (fad->fad_aupath != NULL) {
1984 		au_uwrite(au_to_path(fad->fad_aupath));
1985 		if ((vp = fp->f_vnode) != NULL) {
1986 			attr.va_mask = AT_ALL;
1987 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1988 				/*
1989 				 * When write was not used and the file can be
1990 				 * considered public, skip the audit.
1991 				 */
1992 				if (((fp->f_flag & FWRITE) == 0) &&
1993 				    object_is_public(&attr)) {
1994 					tad->tad_flag = 0;
1995 					tad->tad_evmod = 0;
1996 					/* free any residual audit data */
1997 					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1998 					releasef(fd);
1999 					return;
2000 				}
2001 				au_uwrite(au_to_attr(&attr));
2002 				audit_sec_attributes(&(u_ad), vp);
2003 			}
2004 		}
2005 	}
2006 
2007 	/* decrement file descriptor reference count */
2008 	releasef(fd);
2009 }
2010 
2011 /*ARGSUSED*/
2012 static void
2013 aus_fstatfs(struct t_audit_data *tad)
2014 {
2015 	klwp_t *clwp = ttolwp(curthread);
2016 	uint32_t fd;
2017 	struct file  *fp;
2018 	struct vnode *vp;
2019 	struct f_audit_data *fad;
2020 
2021 	struct a {
2022 		long	fd;
2023 		long	buf;		/* struct statfs * */
2024 	} *uap = (struct a *)clwp->lwp_ap;
2025 
2026 	fd = (uint_t)uap->fd;
2027 
2028 		/*
2029 		 * convert file pointer to file descriptor
2030 		 *   Note: fd ref count incremented here.
2031 		 */
2032 	if ((fp = getf(fd)) == NULL)
2033 		return;
2034 
2035 		/* get path from file struct here */
2036 	fad = F2A(fp);
2037 	if (fad->fad_aupath != NULL) {
2038 		au_uwrite(au_to_path(fad->fad_aupath));
2039 	} else {
2040 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2041 	}
2042 
2043 	vp = fp->f_vnode;
2044 	audit_attributes(vp);
2045 
2046 	/* decrement file descriptor reference count */
2047 	releasef(fd);
2048 }
2049 
2050 static au_event_t
2051 aui_setpgrp(au_event_t e)
2052 {
2053 	klwp_t *clwp = ttolwp(curthread);
2054 	int flag;
2055 
2056 	struct a {
2057 		long	flag;
2058 		long	pid;
2059 		long	pgid;
2060 	} *uap = (struct a *)clwp->lwp_ap;
2061 
2062 	flag = (int)uap->flag;
2063 
2064 
2065 	switch (flag) {
2066 
2067 	case 1:	/* setpgrp() */
2068 		e = AUE_SETPGRP;
2069 		break;
2070 
2071 	case 3: /* setsid() */
2072 		e = AUE_SETSID;
2073 		break;
2074 
2075 	case 5: /* setpgid() */
2076 		e = AUE_SETPGID;
2077 		break;
2078 
2079 	case 0: /* getpgrp()	- not security relevant */
2080 	case 2: /* getsid()	- not security relevant */
2081 	case 4: /* getpgid() 	- not security relevant */
2082 		e = AUE_NULL;
2083 		break;
2084 
2085 	default:
2086 		e = AUE_NULL;
2087 		break;
2088 	}
2089 
2090 	return (e);
2091 }
2092 
2093 /*ARGSUSED*/
2094 static void
2095 aus_setpgrp(struct t_audit_data *tad)
2096 {
2097 	klwp_t		*clwp = ttolwp(curthread);
2098 	pid_t		pgid;
2099 	struct proc	*p;
2100 	uid_t		uid, ruid;
2101 	gid_t		gid, rgid;
2102 	pid_t		pid;
2103 	cred_t		*cr;
2104 	int		flag;
2105 	const auditinfo_addr_t	*ainfo;
2106 
2107 	struct a {
2108 		long	flag;
2109 		long	pid;
2110 		long	pgid;
2111 	} *uap = (struct a *)clwp->lwp_ap;
2112 
2113 	flag = (int)uap->flag;
2114 	pid  = (pid_t)uap->pid;
2115 	pgid = (pid_t)uap->pgid;
2116 
2117 
2118 	switch (flag) {
2119 
2120 	case 0: /* getpgrp() */
2121 	case 1: /* setpgrp() */
2122 	case 2: /* getsid() */
2123 	case 3: /* setsid() */
2124 	case 4: /* getpgid() */
2125 		break;
2126 
2127 	case 5: /* setpgid() */
2128 
2129 		/* current process? */
2130 		if (pid == 0) {
2131 			return;
2132 		}
2133 
2134 		mutex_enter(&pidlock);
2135 		p = prfind(pid);
2136 		if (p == NULL || p->p_as == &kas ||
2137 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
2138 			mutex_exit(&pidlock);
2139 			return;
2140 		}
2141 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
2142 		mutex_exit(&pidlock);
2143 
2144 		mutex_enter(&p->p_crlock);
2145 		crhold(cr = p->p_cred);
2146 		mutex_exit(&p->p_crlock);
2147 		mutex_exit(&p->p_lock);
2148 
2149 		ainfo = crgetauinfo(cr);
2150 		if (ainfo == NULL) {
2151 			crfree(cr);
2152 			return;
2153 		}
2154 
2155 		uid  = crgetuid(cr);
2156 		gid  = crgetgid(cr);
2157 		ruid = crgetruid(cr);
2158 		rgid = crgetrgid(cr);
2159 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2160 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2161 		crfree(cr);
2162 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2163 		break;
2164 
2165 	default:
2166 		break;
2167 	}
2168 }
2169 
2170 
2171 /*ARGSUSED*/
2172 static void
2173 aus_setregid(struct t_audit_data *tad)
2174 {
2175 	klwp_t *clwp = ttolwp(curthread);
2176 	uint32_t rgid, egid;
2177 
2178 	struct a {
2179 		long	 rgid;
2180 		long	 egid;
2181 	} *uap = (struct a *)clwp->lwp_ap;
2182 
2183 	rgid  = (uint32_t)uap->rgid;
2184 	egid  = (uint32_t)uap->egid;
2185 
2186 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2187 	au_uwrite(au_to_arg32(2, "egid", egid));
2188 }
2189 
2190 /*ARGSUSED*/
2191 static void
2192 aus_setgid(struct t_audit_data *tad)
2193 {
2194 	klwp_t *clwp = ttolwp(curthread);
2195 	uint32_t gid;
2196 
2197 	struct a {
2198 		long	gid;
2199 	} *uap = (struct a *)clwp->lwp_ap;
2200 
2201 	gid = (uint32_t)uap->gid;
2202 
2203 	au_uwrite(au_to_arg32(1, "gid", gid));
2204 }
2205 
2206 
2207 /*ARGSUSED*/
2208 static void
2209 aus_setreuid(struct t_audit_data *tad)
2210 {
2211 	klwp_t *clwp = ttolwp(curthread);
2212 	uint32_t ruid, euid;
2213 
2214 	struct a {
2215 		long	ruid;
2216 		long	euid;
2217 	} *uap = (struct a *)clwp->lwp_ap;
2218 
2219 	ruid = (uint32_t)uap->ruid;
2220 	euid  = (uint32_t)uap->euid;
2221 
2222 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2223 	au_uwrite(au_to_arg32(2, "euid", euid));
2224 }
2225 
2226 
2227 /*ARGSUSED*/
2228 static void
2229 aus_setuid(struct t_audit_data *tad)
2230 {
2231 	klwp_t *clwp = ttolwp(curthread);
2232 	uint32_t uid;
2233 
2234 	struct a {
2235 		long	uid;
2236 	} *uap = (struct a *)clwp->lwp_ap;
2237 
2238 	uid = (uint32_t)uap->uid;
2239 
2240 	au_uwrite(au_to_arg32(1, "uid", uid));
2241 }
2242 
2243 /*ARGSUSED*/
2244 static void
2245 aus_shmsys(struct t_audit_data *tad)
2246 {
2247 	klwp_t *clwp = ttolwp(curthread);
2248 	uint32_t id, cmd;
2249 
2250 	struct b {
2251 		long	id;
2252 		long	cmd;
2253 		long	buf;		/* struct shmid_ds * */
2254 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2255 
2256 	id  = (uint32_t)uap1->id;
2257 	cmd = (uint32_t)uap1->cmd;
2258 
2259 	switch (tad->tad_event) {
2260 	case AUE_SHMGET:			/* shmget */
2261 		au_uwrite(au_to_arg32(1, "shm key", id));
2262 		break;
2263 	case AUE_SHMCTL:			/* shmctl */
2264 	case AUE_SHMCTL_RMID:			/* shmctl */
2265 	case AUE_SHMCTL_STAT:			/* shmctl */
2266 	case AUE_SHMCTL_SET:			/* shmctl */
2267 		au_uwrite(au_to_arg32(1, "shm ID", id));
2268 		break;
2269 	case AUE_SHMDT:				/* shmdt */
2270 		au_uwrite(au_to_arg32(1, "shm adr", id));
2271 		break;
2272 	case AUE_SHMAT:				/* shmat */
2273 		au_uwrite(au_to_arg32(1, "shm ID", id));
2274 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2275 		break;
2276 	}
2277 }
2278 
2279 /*ARGSUSED*/
2280 static void
2281 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2282 {
2283 	int id;
2284 
2285 	if (error != 0)
2286 		return;
2287 	if (tad->tad_event == AUE_SHMGET) {
2288 		uint32_t scid;
2289 		uint32_t sy_flags;
2290 
2291 		/* need to determine type of executing binary */
2292 		scid = tad->tad_scid;
2293 #ifdef _SYSCALL32_IMPL
2294 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2295 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2296 		else
2297 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2298 #else
2299 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2300 #endif
2301 		if (sy_flags == SE_32RVAL1)
2302 			id = rval->r_val1;
2303 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2304 			id = rval->r_val1;
2305 		if (sy_flags == SE_64RVAL)
2306 			id = (int)rval->r_vals;
2307 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2308 	}
2309 }
2310 
2311 
2312 /*ARGSUSED*/
2313 static void
2314 aus_ioctl(struct t_audit_data *tad)
2315 {
2316 	klwp_t *clwp = ttolwp(curthread);
2317 	struct file *fp;
2318 	struct vnode *vp;
2319 	struct f_audit_data *fad;
2320 	uint32_t fd, cmd;
2321 	uintptr_t cmarg;
2322 
2323 	/* XX64 */
2324 	struct a {
2325 		long	fd;
2326 		long	cmd;
2327 		long	cmarg;		/* caddr_t */
2328 	} *uap = (struct a *)clwp->lwp_ap;
2329 
2330 	fd    = (uint32_t)uap->fd;
2331 	cmd   = (uint32_t)uap->cmd;
2332 	cmarg = (uintptr_t)uap->cmarg;
2333 
2334 		/*
2335 		 * convert file pointer to file descriptor
2336 		 *   Note: fd ref count incremented here.
2337 		 */
2338 	if ((fp = getf(fd)) == NULL) {
2339 		au_uwrite(au_to_arg32(1, "fd", fd));
2340 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2341 #ifndef _LP64
2342 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2343 #else
2344 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2345 #endif
2346 		return;
2347 	}
2348 
2349 	/* get path from file struct here */
2350 	fad = F2A(fp);
2351 	if (fad->fad_aupath != NULL) {
2352 		au_uwrite(au_to_path(fad->fad_aupath));
2353 	} else {
2354 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2355 	}
2356 
2357 	vp = fp->f_vnode;
2358 	audit_attributes(vp);
2359 
2360 	/* decrement file descriptor reference count */
2361 	releasef(fd);
2362 
2363 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2364 #ifndef _LP64
2365 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2366 #else
2367 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2368 #endif
2369 }
2370 
2371 /*
2372  * null function for memcntl for now. We might want to limit memcntl()
2373  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2374  * require privileges.
2375  */
2376 static au_event_t
2377 aui_memcntl(au_event_t e)
2378 {
2379 	return (e);
2380 }
2381 
2382 /*ARGSUSED*/
2383 static au_event_t
2384 aui_privsys(au_event_t e)
2385 {
2386 	klwp_t *clwp = ttolwp(curthread);
2387 
2388 	struct a {
2389 		long	opcode;
2390 	} *uap = (struct a *)clwp->lwp_ap;
2391 
2392 	switch (uap->opcode) {
2393 	case PRIVSYS_SETPPRIV:
2394 		return (AUE_SETPPRIV);
2395 	default:
2396 		return (AUE_NULL);
2397 	}
2398 }
2399 
2400 /*ARGSUSED*/
2401 static void
2402 aus_memcntl(struct t_audit_data *tad)
2403 {
2404 	klwp_t *clwp = ttolwp(curthread);
2405 
2406 	struct a {
2407 		long	addr;
2408 		long	len;
2409 		long	cmd;
2410 		long	arg;
2411 		long	attr;
2412 		long	mask;
2413 	} *uap = (struct a *)clwp->lwp_ap;
2414 
2415 #ifdef _LP64
2416 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2417 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2418 #else
2419 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2420 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2421 #endif
2422 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2423 #ifdef _LP64
2424 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2425 #else
2426 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2427 #endif
2428 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2429 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2430 }
2431 
2432 /*ARGSUSED*/
2433 static void
2434 aus_mmap(struct t_audit_data *tad)
2435 {
2436 	klwp_t *clwp = ttolwp(curthread);
2437 	struct file *fp;
2438 	struct f_audit_data *fad;
2439 	struct vnode *vp;
2440 	uint32_t fd;
2441 
2442 	struct a {
2443 		long	addr;
2444 		long	len;
2445 		long	prot;
2446 		long	flags;
2447 		long	fd;
2448 		long	pos;
2449 	} *uap = (struct a *)clwp->lwp_ap;
2450 
2451 	fd = (uint32_t)uap->fd;
2452 
2453 #ifdef _LP64
2454 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2455 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2456 #else
2457 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2458 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2459 #endif
2460 
2461 	if ((fp = getf(fd)) == NULL) {
2462 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2463 		return;
2464 	}
2465 
2466 	/*
2467 	 * Mark in the tad if write access is NOT requested... if
2468 	 * this is later detected (in audit_attributes) to be a
2469 	 * public object, the mmap event may be discarded.
2470 	 */
2471 	if (((uap->prot) & PROT_WRITE) == 0) {
2472 		tad->tad_ctrl |= TAD_PUBLIC_EV;
2473 	}
2474 
2475 	fad = F2A(fp);
2476 	if (fad->fad_aupath != NULL) {
2477 		au_uwrite(au_to_path(fad->fad_aupath));
2478 	} else {
2479 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2480 	}
2481 
2482 	vp = (struct vnode *)fp->f_vnode;
2483 	audit_attributes(vp);
2484 
2485 	/* mark READ/WRITE since we can't predict access */
2486 	if (uap->prot & PROT_READ)
2487 		fad->fad_flags |= FAD_READ;
2488 	if (uap->prot & PROT_WRITE)
2489 		fad->fad_flags |= FAD_WRITE;
2490 
2491 	/* decrement file descriptor reference count */
2492 	releasef(fd);
2493 
2494 }	/* AUS_MMAP */
2495 
2496 
2497 
2498 
2499 /*ARGSUSED*/
2500 static void
2501 aus_munmap(struct t_audit_data *tad)
2502 {
2503 	klwp_t *clwp = ttolwp(curthread);
2504 
2505 	struct a {
2506 		long	addr;
2507 		long	len;
2508 	} *uap = (struct a *)clwp->lwp_ap;
2509 
2510 #ifdef _LP64
2511 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2512 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2513 #else
2514 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2515 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2516 #endif
2517 
2518 }	/* AUS_MUNMAP */
2519 
2520 
2521 
2522 
2523 
2524 
2525 
2526 /*ARGSUSED*/
2527 static void
2528 aus_priocntlsys(struct t_audit_data *tad)
2529 {
2530 	klwp_t *clwp = ttolwp(curthread);
2531 
2532 	struct a {
2533 		long	pc_version;
2534 		long	psp;		/* procset_t */
2535 		long	cmd;
2536 		long	arg;
2537 	} *uap = (struct a *)clwp->lwp_ap;
2538 
2539 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2540 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2541 
2542 }	/* AUS_PRIOCNTLSYS */
2543 
2544 
2545 /*ARGSUSED*/
2546 static void
2547 aus_setegid(struct t_audit_data *tad)
2548 {
2549 	klwp_t *clwp = ttolwp(curthread);
2550 	uint32_t gid;
2551 
2552 	struct a {
2553 		long	gid;
2554 	} *uap = (struct a *)clwp->lwp_ap;
2555 
2556 	gid = (uint32_t)uap->gid;
2557 
2558 	au_uwrite(au_to_arg32(1, "gid", gid));
2559 }	/* AUS_SETEGID */
2560 
2561 
2562 
2563 
2564 /*ARGSUSED*/
2565 static void
2566 aus_setgroups(struct t_audit_data *tad)
2567 {
2568 	klwp_t *clwp = ttolwp(curthread);
2569 	int i;
2570 	int gidsetsize;
2571 	uintptr_t gidset;
2572 	gid_t *gidlist;
2573 
2574 	struct a {
2575 		long	gidsetsize;
2576 		long	gidset;
2577 	} *uap = (struct a *)clwp->lwp_ap;
2578 
2579 	gidsetsize = (uint_t)uap->gidsetsize;
2580 	gidset = (uintptr_t)uap->gidset;
2581 
2582 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2583 		return;
2584 	if (gidsetsize != 0) {
2585 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2586 		    KM_SLEEP);
2587 		if (copyin((caddr_t)gidset, gidlist,
2588 		    gidsetsize * sizeof (gid_t)) == 0)
2589 			for (i = 0; i < gidsetsize; i++)
2590 				au_uwrite(au_to_arg32(1, "setgroups",
2591 				    (uint32_t)gidlist[i]));
2592 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2593 	} else
2594 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2595 
2596 }	/* AUS_SETGROUPS */
2597 
2598 
2599 
2600 
2601 
2602 /*ARGSUSED*/
2603 static void
2604 aus_seteuid(struct t_audit_data *tad)
2605 {
2606 	klwp_t *clwp = ttolwp(curthread);
2607 	uint32_t uid;
2608 
2609 	struct a {
2610 		long	uid;
2611 	} *uap = (struct a *)clwp->lwp_ap;
2612 
2613 	uid = (uint32_t)uap->uid;
2614 
2615 	au_uwrite(au_to_arg32(1, "euid", uid));
2616 
2617 }	/* AUS_SETEUID */
2618 
2619 /*ARGSUSED*/
2620 static void
2621 aus_putmsg(struct t_audit_data *tad)
2622 {
2623 	klwp_t *clwp = ttolwp(curthread);
2624 	uint32_t fd, pri;
2625 	struct file *fp;
2626 	struct f_audit_data *fad;
2627 
2628 	struct a {
2629 		long	fdes;
2630 		long	ctl;		/* struct strbuf * */
2631 		long	data;		/* struct strbuf * */
2632 		long	pri;
2633 	} *uap = (struct a *)clwp->lwp_ap;
2634 
2635 	fd  = (uint32_t)uap->fdes;
2636 	pri = (uint32_t)uap->pri;
2637 
2638 	au_uwrite(au_to_arg32(1, "fd", fd));
2639 
2640 	if ((fp = getf(fd)) != NULL) {
2641 		fad = F2A(fp);
2642 
2643 		fad->fad_flags |= FAD_WRITE;
2644 
2645 		/* add path name to audit record */
2646 		if (fad->fad_aupath != NULL) {
2647 			au_uwrite(au_to_path(fad->fad_aupath));
2648 		}
2649 		audit_attributes(fp->f_vnode);
2650 
2651 		releasef(fd);
2652 	}
2653 
2654 	au_uwrite(au_to_arg32(4, "pri", pri));
2655 }
2656 
2657 /*ARGSUSED*/
2658 static void
2659 aus_putpmsg(struct t_audit_data *tad)
2660 {
2661 	klwp_t *clwp = ttolwp(curthread);
2662 	uint32_t fd, pri, flags;
2663 	struct file *fp;
2664 	struct f_audit_data *fad;
2665 
2666 	struct a {
2667 		long	fdes;
2668 		long	ctl;		/* struct strbuf * */
2669 		long	data;		/* struct strbuf * */
2670 		long	pri;
2671 		long	flags;
2672 	} *uap = (struct a *)clwp->lwp_ap;
2673 
2674 	fd = (uint32_t)uap->fdes;
2675 	pri  = (uint32_t)uap->pri;
2676 	flags  = (uint32_t)uap->flags;
2677 
2678 	au_uwrite(au_to_arg32(1, "fd", fd));
2679 
2680 	if ((fp = getf(fd)) != NULL) {
2681 		fad = F2A(fp);
2682 
2683 		fad->fad_flags |= FAD_WRITE;
2684 
2685 		/* add path name to audit record */
2686 		if (fad->fad_aupath != NULL) {
2687 			au_uwrite(au_to_path(fad->fad_aupath));
2688 		}
2689 		audit_attributes(fp->f_vnode);
2690 
2691 		releasef(fd);
2692 	}
2693 
2694 
2695 	au_uwrite(au_to_arg32(4, "pri", pri));
2696 	au_uwrite(au_to_arg32(5, "flags", flags));
2697 }
2698 
2699 /*ARGSUSED*/
2700 static void
2701 aus_getmsg(struct t_audit_data *tad)
2702 {
2703 	klwp_t *clwp = ttolwp(curthread);
2704 	uint32_t fd, pri;
2705 	struct file *fp;
2706 	struct f_audit_data *fad;
2707 
2708 	struct a {
2709 		long	fdes;
2710 		long	ctl;		/* struct strbuf * */
2711 		long	data;		/* struct strbuf * */
2712 		long	pri;
2713 	} *uap = (struct a *)clwp->lwp_ap;
2714 
2715 	fd  = (uint32_t)uap->fdes;
2716 	pri = (uint32_t)uap->pri;
2717 
2718 	au_uwrite(au_to_arg32(1, "fd", fd));
2719 
2720 	if ((fp = getf(fd)) != NULL) {
2721 		fad = F2A(fp);
2722 
2723 		/*
2724 		 * read operation on this object
2725 		 */
2726 		fad->fad_flags |= FAD_READ;
2727 
2728 		/* add path name to audit record */
2729 		if (fad->fad_aupath != NULL) {
2730 			au_uwrite(au_to_path(fad->fad_aupath));
2731 		}
2732 		audit_attributes(fp->f_vnode);
2733 
2734 		releasef(fd);
2735 	}
2736 
2737 	au_uwrite(au_to_arg32(4, "pri", pri));
2738 }
2739 
2740 /*ARGSUSED*/
2741 static void
2742 aus_getpmsg(struct t_audit_data *tad)
2743 {
2744 	klwp_t *clwp = ttolwp(curthread);
2745 	uint32_t fd;
2746 	struct file *fp;
2747 	struct f_audit_data *fad;
2748 
2749 	struct a {
2750 		long	fdes;
2751 		long	ctl;		/* struct strbuf * */
2752 		long	data;		/* struct strbuf * */
2753 		long	pri;
2754 		long	flags;
2755 	} *uap = (struct a *)clwp->lwp_ap;
2756 
2757 	fd = (uint32_t)uap->fdes;
2758 
2759 	au_uwrite(au_to_arg32(1, "fd", fd));
2760 
2761 	if ((fp = getf(fd)) != NULL) {
2762 		fad = F2A(fp);
2763 
2764 		/*
2765 		 * read operation on this object
2766 		 */
2767 		fad->fad_flags |= FAD_READ;
2768 
2769 		/* add path name to audit record */
2770 		if (fad->fad_aupath != NULL) {
2771 			au_uwrite(au_to_path(fad->fad_aupath));
2772 		}
2773 		audit_attributes(fp->f_vnode);
2774 
2775 		releasef(fd);
2776 	}
2777 }
2778 
2779 static au_event_t
2780 aui_labelsys(au_event_t e)
2781 {
2782 	klwp_t *clwp = ttolwp(curthread);
2783 	uint32_t code;
2784 	uint32_t cmd;
2785 
2786 	struct a {
2787 		long	code;
2788 		long	cmd;
2789 	} *uap = (struct a *)clwp->lwp_ap;
2790 
2791 	code = (uint32_t)uap->code;
2792 	cmd = (uint32_t)uap->cmd;
2793 
2794 	/* not security relevant if not changing kernel cache */
2795 	if (cmd == TNDB_GET)
2796 		return (AUE_NULL);
2797 
2798 	switch (code) {
2799 	case TSOL_TNRH:
2800 		e = AUE_LABELSYS_TNRH;
2801 		break;
2802 	case TSOL_TNRHTP:
2803 		e = AUE_LABELSYS_TNRHTP;
2804 		break;
2805 	case TSOL_TNMLP:
2806 		e = AUE_LABELSYS_TNMLP;
2807 		break;
2808 	default:
2809 		e = AUE_NULL;
2810 		break;
2811 	}
2812 
2813 	return (e);
2814 
2815 }
2816 
2817 static void
2818 aus_labelsys(struct t_audit_data *tad)
2819 {
2820 	klwp_t *clwp = ttolwp(curthread);
2821 	uint32_t cmd;
2822 	uintptr_t a2;
2823 
2824 	struct a {
2825 		long	code;
2826 		long	cmd;
2827 		long	a2;
2828 	} *uap = (struct a *)clwp->lwp_ap;
2829 
2830 	cmd = (uint32_t)uap->cmd;
2831 	a2 = (uintptr_t)uap->a2;
2832 
2833 	switch (tad->tad_event) {
2834 	case AUE_LABELSYS_TNRH:
2835 	{
2836 		tsol_rhent_t	*rhent;
2837 		tnaddr_t	*rh_addr;
2838 
2839 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2840 
2841 		/* Remaining args don't apply for FLUSH, so skip */
2842 		if (cmd == TNDB_FLUSH)
2843 			break;
2844 
2845 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2846 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2847 			kmem_free(rhent, sizeof (tsol_rhent_t));
2848 			return;
2849 		}
2850 
2851 		rh_addr = &rhent->rh_address;
2852 		if (rh_addr->ta_family == AF_INET) {
2853 			struct in_addr	*ipaddr;
2854 
2855 			ipaddr = &(rh_addr->ta_addr_v4);
2856 			au_uwrite(au_to_in_addr(ipaddr));
2857 		} else if (rh_addr->ta_family == AF_INET6) {
2858 			int32_t		*ipaddr;
2859 
2860 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2861 			au_uwrite(au_to_in_addr_ex(ipaddr));
2862 		}
2863 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2864 
2865 		kmem_free(rhent, sizeof (tsol_rhent_t));
2866 
2867 		break;
2868 	}
2869 	case AUE_LABELSYS_TNRHTP:
2870 	{
2871 		tsol_tpent_t	*tpent;
2872 
2873 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2874 
2875 		/* Remaining args don't apply for FLUSH, so skip */
2876 		if (cmd == TNDB_FLUSH)
2877 			break;
2878 
2879 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2880 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2881 			kmem_free(tpent, sizeof (tsol_tpent_t));
2882 			return;
2883 		}
2884 
2885 		/* Make sure that the template name is null-terminated. */
2886 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2887 
2888 		au_uwrite(au_to_text(tpent->name));
2889 		kmem_free(tpent, sizeof (tsol_tpent_t));
2890 
2891 		break;
2892 	}
2893 	case AUE_LABELSYS_TNMLP:
2894 	{
2895 		tsol_mlpent_t	*mlpent;
2896 
2897 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2898 
2899 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2900 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2901 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2902 			return;
2903 		}
2904 
2905 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2906 			au_uwrite(au_to_text("shared"));
2907 		} else {
2908 			zone_t	*zone;
2909 
2910 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2911 			if (zone != NULL) {
2912 				au_uwrite(au_to_text(zone->zone_name));
2913 				zone_rele(zone);
2914 			}
2915 		}
2916 
2917 		/* Remaining args don't apply for FLUSH, so skip */
2918 		if (cmd == TNDB_FLUSH) {
2919 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2920 			break;
2921 		}
2922 
2923 		au_uwrite(au_to_arg32(2, "proto num",
2924 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2925 		au_uwrite(au_to_arg32(2, "mlp_port",
2926 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2927 
2928 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2929 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2930 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2931 
2932 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2933 
2934 		break;
2935 	}
2936 	default:
2937 		break;
2938 	}
2939 }
2940 
2941 
2942 static au_event_t
2943 aui_auditsys(au_event_t e)
2944 {
2945 	klwp_t *clwp = ttolwp(curthread);
2946 	uint32_t code;
2947 
2948 	struct a {
2949 		long	code;
2950 		long	a1;
2951 		long	a2;
2952 		long	a3;
2953 		long	a4;
2954 		long	a5;
2955 		long	a6;
2956 		long	a7;
2957 	} *uap = (struct a *)clwp->lwp_ap;
2958 
2959 	code = (uint32_t)uap->code;
2960 
2961 	switch (code) {
2962 
2963 	case BSM_GETAUID:
2964 		e = AUE_GETAUID;
2965 		break;
2966 	case BSM_SETAUID:
2967 		e = AUE_SETAUID;
2968 		break;
2969 	case BSM_GETAUDIT:
2970 		e = AUE_GETAUDIT;
2971 		break;
2972 	case BSM_GETAUDIT_ADDR:
2973 		e = AUE_GETAUDIT_ADDR;
2974 		break;
2975 	case BSM_SETAUDIT:
2976 		e = AUE_SETAUDIT;
2977 		break;
2978 	case BSM_SETAUDIT_ADDR:
2979 		e = AUE_SETAUDIT_ADDR;
2980 		break;
2981 	case BSM_AUDIT:
2982 		e = AUE_AUDIT;
2983 		break;
2984 	case BSM_AUDITCTL:
2985 		switch ((uint_t)uap->a1) {
2986 
2987 		case A_GETPOLICY:
2988 			e = AUE_AUDITON_GPOLICY;
2989 			break;
2990 		case A_SETPOLICY:
2991 			e = AUE_AUDITON_SPOLICY;
2992 			break;
2993 		case A_GETKMASK:
2994 			e = AUE_AUDITON_GETKMASK;
2995 			break;
2996 		case A_SETKMASK:
2997 			e = AUE_AUDITON_SETKMASK;
2998 			break;
2999 		case A_GETQCTRL:
3000 			e = AUE_AUDITON_GQCTRL;
3001 			break;
3002 		case A_SETQCTRL:
3003 			e = AUE_AUDITON_SQCTRL;
3004 			break;
3005 		case A_GETCWD:
3006 			e = AUE_AUDITON_GETCWD;
3007 			break;
3008 		case A_GETCAR:
3009 			e = AUE_AUDITON_GETCAR;
3010 			break;
3011 		case A_GETSTAT:
3012 			e = AUE_AUDITON_GETSTAT;
3013 			break;
3014 		case A_SETSTAT:
3015 			e = AUE_AUDITON_SETSTAT;
3016 			break;
3017 		case A_SETUMASK:
3018 			e = AUE_AUDITON_SETUMASK;
3019 			break;
3020 		case A_SETSMASK:
3021 			e = AUE_AUDITON_SETSMASK;
3022 			break;
3023 		case A_GETCOND:
3024 			e = AUE_AUDITON_GETCOND;
3025 			break;
3026 		case A_SETCOND:
3027 			e = AUE_AUDITON_SETCOND;
3028 			break;
3029 		case A_GETCLASS:
3030 			e = AUE_AUDITON_GETCLASS;
3031 			break;
3032 		case A_SETCLASS:
3033 			e = AUE_AUDITON_SETCLASS;
3034 			break;
3035 		default:
3036 			e = AUE_NULL;
3037 			break;
3038 		}
3039 		break;
3040 	default:
3041 		e = AUE_NULL;
3042 		break;
3043 	}
3044 
3045 	return (e);
3046 
3047 }	/* AUI_AUDITSYS */
3048 
3049 
3050 static void
3051 aus_auditsys(struct t_audit_data *tad)
3052 {
3053 	klwp_t *clwp = ttolwp(curthread);
3054 	uintptr_t a1, a2;
3055 	STRUCT_DECL(auditinfo, ainfo);
3056 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
3057 	au_evclass_map_t event;
3058 	au_mask_t mask;
3059 	int auditstate, policy;
3060 	au_id_t auid;
3061 
3062 
3063 	struct a {
3064 		long	code;
3065 		long	a1;
3066 		long	a2;
3067 		long	a3;
3068 		long	a4;
3069 		long	a5;
3070 		long	a6;
3071 		long	a7;
3072 	} *uap = (struct a *)clwp->lwp_ap;
3073 
3074 	a1   = (uintptr_t)uap->a1;
3075 	a2   = (uintptr_t)uap->a2;
3076 
3077 	switch (tad->tad_event) {
3078 	case AUE_SETAUID:
3079 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3080 				return;
3081 		au_uwrite(au_to_arg32(2, "setauid", auid));
3082 		break;
3083 	case AUE_SETAUDIT:
3084 		STRUCT_INIT(ainfo, get_udatamodel());
3085 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3086 		    STRUCT_SIZE(ainfo))) {
3087 				return;
3088 		}
3089 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3090 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3091 #ifdef _LP64
3092 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
3093 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3094 #else
3095 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
3096 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3097 #endif
3098 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3099 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3100 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3101 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3102 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3103 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3104 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3105 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3106 		break;
3107 	case AUE_SETAUDIT_ADDR:
3108 		STRUCT_INIT(ainfo_addr, get_udatamodel());
3109 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3110 		    STRUCT_SIZE(ainfo_addr))) {
3111 				return;
3112 		}
3113 		au_uwrite(au_to_arg32((char)1, "auid",
3114 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3115 #ifdef _LP64
3116 		au_uwrite(au_to_arg64((char)1, "port",
3117 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3118 #else
3119 		au_uwrite(au_to_arg32((char)1, "port",
3120 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3121 #endif
3122 		au_uwrite(au_to_arg32((char)1, "type",
3123 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3124 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3125 		    AU_IPv4) {
3126 			au_uwrite(au_to_in_addr(
3127 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3128 			    ai_termid.at_addr)));
3129 		} else {
3130 			au_uwrite(au_to_in_addr_ex(
3131 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
3132 			    ai_termid.at_addr)));
3133 		}
3134 		au_uwrite(au_to_arg32((char)1, "as_success",
3135 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3136 		au_uwrite(au_to_arg32((char)1, "as_failure",
3137 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3138 		au_uwrite(au_to_arg32((char)1, "asid",
3139 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3140 		break;
3141 	case AUE_AUDITON_SETKMASK:
3142 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3143 				return;
3144 		au_uwrite(au_to_arg32(
3145 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
3146 		au_uwrite(au_to_arg32(
3147 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3148 		break;
3149 	case AUE_AUDITON_SPOLICY:
3150 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
3151 			return;
3152 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3153 		break;
3154 	case AUE_AUDITON_SQCTRL: {
3155 		STRUCT_DECL(au_qctrl, qctrl);
3156 		model_t model;
3157 
3158 		model = get_udatamodel();
3159 		STRUCT_INIT(qctrl, model);
3160 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3161 				return;
3162 		if (model == DATAMODEL_ILP32) {
3163 			au_uwrite(au_to_arg32(
3164 			    3, "setqctrl:aq_hiwater",
3165 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3166 			au_uwrite(au_to_arg32(
3167 			    3, "setqctrl:aq_lowater",
3168 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3169 			au_uwrite(au_to_arg32(
3170 			    3, "setqctrl:aq_bufsz",
3171 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3172 			au_uwrite(au_to_arg32(
3173 			    3, "setqctrl:aq_delay",
3174 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3175 		} else {
3176 			au_uwrite(au_to_arg64(
3177 			    3, "setqctrl:aq_hiwater",
3178 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3179 			au_uwrite(au_to_arg64(
3180 			    3, "setqctrl:aq_lowater",
3181 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3182 			au_uwrite(au_to_arg64(
3183 			    3, "setqctrl:aq_bufsz",
3184 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3185 			au_uwrite(au_to_arg64(
3186 			    3, "setqctrl:aq_delay",
3187 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3188 		}
3189 		break;
3190 	}
3191 	case AUE_AUDITON_SETUMASK:
3192 		STRUCT_INIT(ainfo, get_udatamodel());
3193 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3194 		    STRUCT_SIZE(ainfo))) {
3195 			return;
3196 		}
3197 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3198 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3199 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3200 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3201 		break;
3202 	case AUE_AUDITON_SETSMASK:
3203 		STRUCT_INIT(ainfo, get_udatamodel());
3204 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3205 		    STRUCT_SIZE(ainfo))) {
3206 			return;
3207 		}
3208 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3209 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3210 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3211 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3212 		break;
3213 	case AUE_AUDITON_SETCOND:
3214 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3215 			return;
3216 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3217 		break;
3218 	case AUE_AUDITON_SETCLASS:
3219 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3220 			return;
3221 		au_uwrite(au_to_arg32(
3222 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3223 		au_uwrite(au_to_arg32(
3224 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3225 		break;
3226 	case AUE_GETAUID:
3227 	case AUE_GETAUDIT:
3228 	case AUE_GETAUDIT_ADDR:
3229 	case AUE_AUDIT:
3230 	case AUE_AUDITON_GPOLICY:
3231 	case AUE_AUDITON_GQCTRL:
3232 	case AUE_AUDITON_GETKMASK:
3233 	case AUE_AUDITON_GETCWD:
3234 	case AUE_AUDITON_GETCAR:
3235 	case AUE_AUDITON_GETSTAT:
3236 	case AUE_AUDITON_SETSTAT:
3237 	case AUE_AUDITON_GETCOND:
3238 	case AUE_AUDITON_GETCLASS:
3239 		break;
3240 	default:
3241 		break;
3242 	}
3243 
3244 }	/* AUS_AUDITSYS */
3245 
3246 
3247 /* only audit privileged operations for systeminfo(2) system call */
3248 static au_event_t
3249 aui_sysinfo(au_event_t e)
3250 {
3251 	klwp_t *clwp = ttolwp(curthread);
3252 	uint32_t command;
3253 
3254 	struct a {
3255 		long	command;
3256 		long	buf;		/* char * */
3257 		long	count;
3258 	} *uap = (struct a *)clwp->lwp_ap;
3259 
3260 	command = (uint32_t)uap->command;
3261 
3262 	switch (command) {
3263 	case SI_SET_HOSTNAME:
3264 	case SI_SET_SRPC_DOMAIN:
3265 		e = (au_event_t)AUE_SYSINFO;
3266 		break;
3267 	default:
3268 		e = (au_event_t)AUE_NULL;
3269 		break;
3270 	}
3271 	return (e);
3272 }
3273 
3274 /*ARGSUSED*/
3275 static void
3276 aus_sysinfo(struct t_audit_data *tad)
3277 {
3278 	klwp_t *clwp = ttolwp(curthread);
3279 	uint32_t command;
3280 	size_t len, maxlen;
3281 	char *name;
3282 	uintptr_t buf;
3283 
3284 	struct a {
3285 		long	command;
3286 		long	buf;		/* char * */
3287 		long	count;
3288 	} *uap = (struct a *)clwp->lwp_ap;
3289 
3290 	command = (uint32_t)uap->command;
3291 	buf = (uintptr_t)uap->buf;
3292 
3293 	au_uwrite(au_to_arg32(1, "cmd", command));
3294 
3295 	switch (command) {
3296 	case SI_SET_HOSTNAME:
3297 	{
3298 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3299 			return;
3300 
3301 		maxlen = SYS_NMLN;
3302 		name = kmem_alloc(maxlen, KM_SLEEP);
3303 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3304 			break;
3305 
3306 		/*
3307 		 * Must be non-NULL string and string
3308 		 * must be less than SYS_NMLN chars.
3309 		 */
3310 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3311 			break;
3312 
3313 		au_uwrite(au_to_text(name));
3314 		break;
3315 	}
3316 
3317 	case SI_SET_SRPC_DOMAIN:
3318 	{
3319 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3320 			return;
3321 
3322 		maxlen = SYS_NMLN;
3323 		name = kmem_alloc(maxlen, KM_SLEEP);
3324 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3325 			break;
3326 
3327 		/*
3328 		 * If string passed in is longer than length
3329 		 * allowed for domain name, fail.
3330 		 */
3331 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3332 			break;
3333 
3334 		au_uwrite(au_to_text(name));
3335 		break;
3336 	}
3337 
3338 	default:
3339 		return;
3340 	}
3341 
3342 	kmem_free(name, maxlen);
3343 }
3344 
3345 static au_event_t
3346 aui_modctl(au_event_t e)
3347 {
3348 	klwp_t *clwp = ttolwp(curthread);
3349 	uint_t cmd;
3350 
3351 	struct a {
3352 		long	cmd;
3353 	} *uap = (struct a *)clwp->lwp_ap;
3354 
3355 	cmd = (uint_t)uap->cmd;
3356 
3357 	switch (cmd) {
3358 	case MODLOAD:
3359 		e = AUE_MODLOAD;
3360 		break;
3361 	case MODUNLOAD:
3362 		e = AUE_MODUNLOAD;
3363 		break;
3364 	case MODADDMAJBIND:
3365 		e = AUE_MODADDMAJ;
3366 		break;
3367 	case MODSETDEVPOLICY:
3368 		e = AUE_MODDEVPLCY;
3369 		break;
3370 	case MODALLOCPRIV:
3371 		e = AUE_MODADDPRIV;
3372 		break;
3373 	default:
3374 		e = AUE_NULL;
3375 		break;
3376 	}
3377 	return (e);
3378 }
3379 
3380 
3381 /*ARGSUSED*/
3382 static void
3383 aus_modctl(struct t_audit_data *tad)
3384 {
3385 	klwp_t *clwp = ttolwp(curthread);
3386 	void *a	= clwp->lwp_ap;
3387 	uint_t use_path;
3388 
3389 	switch (tad->tad_event) {
3390 	case AUE_MODLOAD: {
3391 		typedef struct {
3392 			long	cmd;
3393 			long	use_path;
3394 			long	filename;		/* char * */
3395 		} modloada_t;
3396 
3397 		char *filenamep;
3398 		uintptr_t fname;
3399 		extern char *default_path;
3400 
3401 		fname = (uintptr_t)((modloada_t *)a)->filename;
3402 		use_path = (uint_t)((modloada_t *)a)->use_path;
3403 
3404 			/* space to hold path */
3405 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3406 			/* get string */
3407 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3408 				/* free allocated path */
3409 			kmem_free(filenamep, MOD_MAXPATH);
3410 			return;
3411 		}
3412 			/* ensure it's null terminated */
3413 		filenamep[MOD_MAXPATH - 1] = 0;
3414 
3415 		if (use_path)
3416 			au_uwrite(au_to_text(default_path));
3417 		au_uwrite(au_to_text(filenamep));
3418 
3419 			/* release temporary memory */
3420 		kmem_free(filenamep, MOD_MAXPATH);
3421 		break;
3422 	}
3423 	case AUE_MODUNLOAD: {
3424 		typedef struct {
3425 			long	cmd;
3426 			long	id;
3427 		} modunloada_t;
3428 
3429 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3430 
3431 		au_uwrite(au_to_arg32(1, "id", id));
3432 		break;
3433 	}
3434 	case AUE_MODADDMAJ: {
3435 		STRUCT_DECL(modconfig, mc);
3436 		typedef struct {
3437 			long	cmd;
3438 			long	subcmd;
3439 			long	data;		/* int * */
3440 		} modconfiga_t;
3441 
3442 		STRUCT_DECL(aliases, alias);
3443 		caddr_t ap;
3444 		int i, num_aliases;
3445 		char *drvname, *mc_drvname;
3446 		char *name;
3447 		extern char *ddi_major_to_name(major_t);
3448 		model_t model;
3449 
3450 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3451 
3452 		model = get_udatamodel();
3453 		STRUCT_INIT(mc, model);
3454 			/* sanitize buffer */
3455 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3456 			/* get user arguments */
3457 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3458 		    STRUCT_SIZE(mc)) != 0)
3459 			return;
3460 
3461 		mc_drvname = STRUCT_FGET(mc, drvname);
3462 		if ((drvname = ddi_major_to_name(
3463 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3464 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3465 				/* safety */
3466 			if (mc_drvname[0] != '\0') {
3467 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3468 				au_uwrite(au_to_text(mc_drvname));
3469 			}
3470 				/* drvname != NULL from test above */
3471 			au_uwrite(au_to_text(drvname));
3472 			return;
3473 		}
3474 
3475 		if (mc_drvname[0] != '\0') {
3476 				/* safety */
3477 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3478 			au_uwrite(au_to_text(mc_drvname));
3479 		} else
3480 			au_uwrite(au_to_text("no drvname"));
3481 
3482 		num_aliases = STRUCT_FGET(mc, num_aliases);
3483 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3484 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3485 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3486 		STRUCT_INIT(alias, model);
3487 		for (i = 0; i < num_aliases; i++) {
3488 			bzero((caddr_t)STRUCT_BUF(alias),
3489 			    STRUCT_SIZE(alias));
3490 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3491 			    STRUCT_SIZE(alias)) != 0)
3492 				break;
3493 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3494 			    MAXMODCONFNAME, NULL) != 0) {
3495 				break;
3496 			}
3497 
3498 			au_uwrite(au_to_text(name));
3499 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3500 		}
3501 		kmem_free(name, MAXMODCONFNAME);
3502 		break;
3503 	}
3504 	default:
3505 		break;
3506 	}
3507 }
3508 
3509 
3510 /*ARGSUSED*/
3511 static void
3512 auf_accept(
3513 	struct t_audit_data *tad,
3514 	int	error,
3515 	rval_t	*rval)
3516 {
3517 	uint32_t scid;
3518 	uint32_t sy_flags;
3519 	int fd;
3520 	struct sonode *so;
3521 	char so_laddr[sizeof (struct sockaddr_in6)];
3522 	char so_faddr[sizeof (struct sockaddr_in6)];
3523 	int err;
3524 	short so_family, so_type;
3525 	int add_sock_token = 0;
3526 
3527 	/* need to determine type of executing binary */
3528 	scid = tad->tad_scid;
3529 #ifdef _SYSCALL32_IMPL
3530 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3531 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3532 	else
3533 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3534 #else
3535 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3536 #endif
3537 	if (sy_flags == SE_32RVAL1)
3538 		fd = rval->r_val1;
3539 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3540 		fd = rval->r_val1;
3541 	if (sy_flags == SE_64RVAL)
3542 		fd = (int)rval->r_vals;
3543 
3544 	if (error) {
3545 		/* can't trust socket contents. Just return */
3546 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3547 		return;
3548 	}
3549 
3550 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3551 		/*
3552 		 * not security relevant if doing a accept from non socket
3553 		 * so no extra tokens. Should probably turn off audit record
3554 		 * generation here.
3555 		 */
3556 		return;
3557 	}
3558 
3559 	so_family = so->so_family;
3560 	so_type   = so->so_type;
3561 
3562 	switch (so_family) {
3563 	case AF_INET:
3564 	case AF_INET6:
3565 		/*
3566 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3567 		 */
3568 		if (so->so_type == SOCK_STREAM) {
3569 			socklen_t len;
3570 
3571 			bzero((void *)so_laddr, sizeof (so_laddr));
3572 			bzero((void *)so_faddr, sizeof (so_faddr));
3573 
3574 			len = sizeof (so_laddr);
3575 			(void) socket_getsockname(so,
3576 			    (struct sockaddr *)so_laddr, &len, CRED());
3577 			len = sizeof (so_faddr);
3578 			(void) socket_getpeername(so,
3579 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3580 
3581 			add_sock_token = 1;
3582 		}
3583 		break;
3584 
3585 	default:
3586 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3587 		break;
3588 	}
3589 
3590 	releasef(fd);
3591 
3592 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3593 
3594 	if (add_sock_token == 0) {
3595 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3596 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3597 		return;
3598 	}
3599 
3600 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3601 
3602 }
3603 
3604 /*ARGSUSED*/
3605 static void
3606 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3607 {
3608 	struct a {
3609 		long	fd;
3610 		long	addr;
3611 		long	len;
3612 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3613 
3614 	struct sonode *so;
3615 	char so_laddr[sizeof (struct sockaddr_in6)];
3616 	char so_faddr[sizeof (struct sockaddr_in6)];
3617 	int err, fd;
3618 	socklen_t len;
3619 	short so_family, so_type;
3620 	int add_sock_token = 0;
3621 
3622 	fd = (int)uap->fd;
3623 
3624 	/*
3625 	 * bind failed, then nothing extra to add to audit record.
3626 	 */
3627 	if (error) {
3628 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3629 		/* XXX may want to add failed address some day */
3630 		return;
3631 	}
3632 
3633 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3634 		/*
3635 		 * not security relevant if doing a bind from non socket
3636 		 * so no extra tokens. Should probably turn off audit record
3637 		 * generation here.
3638 		 */
3639 		return;
3640 	}
3641 
3642 	so_family = so->so_family;
3643 	so_type   = so->so_type;
3644 
3645 	switch (so_family) {
3646 	case AF_INET:
3647 	case AF_INET6:
3648 
3649 		bzero(so_faddr, sizeof (so_faddr));
3650 		len = sizeof (so_faddr);
3651 
3652 		(void) socket_getpeername(so,
3653 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3654 		add_sock_token = 1;
3655 
3656 		break;
3657 
3658 	case AF_UNIX:
3659 		/* token added by lookup */
3660 		break;
3661 	default:
3662 		/* AF_ROUTE, AF_KEY do not support accept */
3663 		break;
3664 	}
3665 
3666 	releasef(fd);
3667 
3668 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3669 
3670 	if (add_sock_token == 0) {
3671 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3672 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3673 		return;
3674 	}
3675 
3676 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3677 
3678 }
3679 
3680 /*ARGSUSED*/
3681 static void
3682 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3683 {
3684 	struct a {
3685 		long	fd;
3686 		long	addr;
3687 		long	len;
3688 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3689 
3690 	struct sonode *so;
3691 	char so_laddr[sizeof (struct sockaddr_in6)];
3692 	char so_faddr[sizeof (struct sockaddr_in6)];
3693 	int err, fd;
3694 	socklen_t len;
3695 	short so_family, so_type;
3696 	int add_sock_token = 0;
3697 
3698 	fd = (int)uap->fd;
3699 
3700 
3701 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3702 		/*
3703 		 * not security relevant if doing a connect from non socket
3704 		 * so no extra tokens. Should probably turn off audit record
3705 		 * generation here.
3706 		 */
3707 		return;
3708 	}
3709 
3710 	so_family = so->so_family;
3711 	so_type   = so->so_type;
3712 
3713 	switch (so_family) {
3714 	case AF_INET:
3715 	case AF_INET6:
3716 
3717 		bzero(so_laddr, sizeof (so_laddr));
3718 		bzero(so_faddr, sizeof (so_faddr));
3719 
3720 		len = sizeof (so_laddr);
3721 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3722 		    &len, CRED());
3723 		if (error) {
3724 			if (uap->addr == NULL)
3725 				break;
3726 			if (uap->len <= 0)
3727 				break;
3728 			len = min(uap->len, sizeof (so_faddr));
3729 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3730 				break;
3731 #ifdef NOTYET
3732 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3733 #endif
3734 		} else {
3735 			/* sanity check on length */
3736 			len = sizeof (so_faddr);
3737 			(void) socket_getpeername(so,
3738 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3739 		}
3740 
3741 		add_sock_token = 1;
3742 
3743 		break;
3744 
3745 	case AF_UNIX:
3746 		/* does a lookup on name */
3747 		break;
3748 
3749 	default:
3750 		/* AF_ROUTE, AF_KEY do not support accept */
3751 		break;
3752 	}
3753 
3754 	releasef(fd);
3755 
3756 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3757 
3758 	if (add_sock_token == 0) {
3759 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3760 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3761 		return;
3762 	}
3763 
3764 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3765 
3766 }
3767 
3768 /*ARGSUSED*/
3769 static void
3770 aus_shutdown(struct t_audit_data *tad)
3771 {
3772 	struct a {
3773 		long	fd;
3774 		long	how;
3775 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3776 
3777 	struct sonode *so;
3778 	char so_laddr[sizeof (struct sockaddr_in6)];
3779 	char so_faddr[sizeof (struct sockaddr_in6)];
3780 	int err, fd;
3781 	socklen_t len;
3782 	short so_family, so_type;
3783 	int add_sock_token = 0;
3784 	file_t *fp;				/* unix domain sockets */
3785 	struct f_audit_data *fad;		/* unix domain sockets */
3786 
3787 	fd = (int)uap->fd;
3788 
3789 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3790 		/*
3791 		 * not security relevant if doing a shutdown using non socket
3792 		 * so no extra tokens. Should probably turn off audit record
3793 		 * generation here.
3794 		 */
3795 		return;
3796 	}
3797 
3798 	so_family = so->so_family;
3799 	so_type   = so->so_type;
3800 
3801 	switch (so_family) {
3802 	case AF_INET:
3803 	case AF_INET6:
3804 
3805 		bzero(so_laddr, sizeof (so_laddr));
3806 		bzero(so_faddr, sizeof (so_faddr));
3807 
3808 		len = sizeof (so_laddr);
3809 		(void) socket_getsockname(so,
3810 		    (struct sockaddr *)so_laddr, &len, CRED());
3811 		len = sizeof (so_faddr);
3812 		(void) socket_getpeername(so,
3813 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3814 
3815 		add_sock_token = 1;
3816 
3817 		break;
3818 
3819 	case AF_UNIX:
3820 
3821 		/* get path from file struct here */
3822 		fad = F2A(fp);
3823 		ASSERT(fad);
3824 
3825 		if (fad->fad_aupath != NULL) {
3826 			au_uwrite(au_to_path(fad->fad_aupath));
3827 		} else {
3828 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3829 		}
3830 
3831 		audit_attributes(fp->f_vnode);
3832 
3833 		break;
3834 
3835 	default:
3836 		/*
3837 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3838 		 * added.
3839 		 */
3840 		break;
3841 	}
3842 
3843 	releasef(fd);
3844 
3845 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3846 
3847 	if (add_sock_token == 0) {
3848 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3849 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3850 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3851 		return;
3852 	}
3853 
3854 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3855 
3856 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3857 
3858 }
3859 
3860 /*ARGSUSED*/
3861 static void
3862 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3863 {
3864 	struct a {
3865 		long	fd;
3866 		long	level;
3867 		long	optname;
3868 		long	*optval;
3869 		long	optlen;
3870 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3871 
3872 	struct sonode	*so;
3873 	char so_laddr[sizeof (struct sockaddr_in6)];
3874 	char so_faddr[sizeof (struct sockaddr_in6)];
3875 	char		val[AU_BUFSIZE];
3876 	int		err, fd;
3877 	socklen_t	len;
3878 	short so_family, so_type;
3879 	int		add_sock_token = 0;
3880 	file_t *fp;				/* unix domain sockets */
3881 	struct f_audit_data *fad;		/* unix domain sockets */
3882 
3883 	fd = (int)uap->fd;
3884 
3885 	if (error) {
3886 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3887 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3888 		/* XXX may want to include other arguments */
3889 		return;
3890 	}
3891 
3892 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3893 		/*
3894 		 * not security relevant if doing a setsockopt from non socket
3895 		 * so no extra tokens. Should probably turn off audit record
3896 		 * generation here.
3897 		 */
3898 		return;
3899 	}
3900 
3901 	so_family = so->so_family;
3902 	so_type   = so->so_type;
3903 
3904 	switch (so_family) {
3905 	case AF_INET:
3906 	case AF_INET6:
3907 		bzero((void *)so_laddr, sizeof (so_laddr));
3908 		bzero((void *)so_faddr, sizeof (so_faddr));
3909 
3910 		/* get local and foreign addresses */
3911 		len = sizeof (so_laddr);
3912 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3913 		    &len, CRED());
3914 		len = sizeof (so_faddr);
3915 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3916 		    &len, B_FALSE, CRED());
3917 
3918 		add_sock_token = 1;
3919 
3920 		break;
3921 
3922 	case AF_UNIX:
3923 
3924 		/* get path from file struct here */
3925 		fad = F2A(fp);
3926 		ASSERT(fad);
3927 
3928 		if (fad->fad_aupath != NULL) {
3929 			au_uwrite(au_to_path(fad->fad_aupath));
3930 		} else {
3931 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3932 		}
3933 
3934 		audit_attributes(fp->f_vnode);
3935 
3936 		break;
3937 
3938 	default:
3939 		/*
3940 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3941 		 * added.
3942 		 */
3943 		break;
3944 	}
3945 
3946 	releasef(fd);
3947 
3948 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3949 
3950 	if (add_sock_token == 0) {
3951 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3952 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3953 	}
3954 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3955 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3956 
3957 	bzero(val, sizeof (val));
3958 	len = min(uap->optlen, sizeof (val));
3959 	if ((len > 0) &&
3960 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3961 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3962 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3963 	}
3964 
3965 	if (add_sock_token == 0)
3966 		return;
3967 
3968 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3969 
3970 }
3971 
3972 /*ARGSUSED*/
3973 static void
3974 aus_sockconfig(tad)
3975 	struct t_audit_data *tad;
3976 {
3977 	struct a {
3978 		long	cmd;
3979 		long	arg1;
3980 		long	arg2;
3981 		long	arg3;
3982 		long	arg4;
3983 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3984 
3985 	char	*buf;
3986 	int	buflen;
3987 	size_t	size;
3988 
3989 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
3990 	switch (uap->cmd) {
3991 	case SOCKCONFIG_ADD_SOCK:
3992 	case SOCKCONFIG_REMOVE_SOCK:
3993 		au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
3994 		au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
3995 		au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
3996 
3997 		if (uap->arg4 == 0) {
3998 			au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
3999 		} else {
4000 			buflen = MAXPATHLEN + 1;
4001 			buf = kmem_alloc(buflen, KM_SLEEP);
4002 			if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4003 			    &size)) {
4004 				kmem_free(buf, buflen);
4005 				return;
4006 			}
4007 
4008 			if (size > MAXPATHLEN) {
4009 				kmem_free(buf, buflen);
4010 				return;
4011 			}
4012 
4013 			au_uwrite(au_to_text(buf));
4014 			kmem_free(buf, buflen);
4015 		}
4016 		break;
4017 	case SOCKCONFIG_ADD_FILTER:
4018 	case SOCKCONFIG_REMOVE_FILTER:
4019 		buflen = FILNAME_MAX;
4020 		buf = kmem_alloc(buflen, KM_SLEEP);
4021 
4022 		if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4023 			kmem_free(buf, buflen);
4024 			return;
4025 		}
4026 
4027 		au_uwrite(au_to_text(buf));
4028 		kmem_free(buf, buflen);
4029 		break;
4030 	default:
4031 		break;
4032 	}
4033 }
4034 
4035 /*
4036  * only audit recvmsg when the system call represents the creation of a new
4037  * circuit. This effectively occurs for all UDP packets and may occur for
4038  * special TCP situations where the local host has not set a local address
4039  * in the socket structure.
4040  */
4041 /*ARGSUSED*/
4042 static void
4043 auf_recvmsg(
4044 	struct t_audit_data *tad,
4045 	int error,
4046 	rval_t *rvp)
4047 {
4048 	struct a {
4049 		long	fd;
4050 		long	msg;	/* struct msghdr */
4051 		long	flags;
4052 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4053 
4054 	struct sonode	*so;
4055 	STRUCT_DECL(msghdr, msg);
4056 	caddr_t msg_name;
4057 	socklen_t msg_namelen;
4058 	int fd;
4059 	int err;
4060 	char so_laddr[sizeof (struct sockaddr_in6)];
4061 	char so_faddr[sizeof (struct sockaddr_in6)];
4062 	socklen_t len;
4063 	file_t *fp;				/* unix domain sockets */
4064 	struct f_audit_data *fad;		/* unix domain sockets */
4065 	short so_family, so_type;
4066 	int add_sock_token = 0;
4067 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4068 
4069 	fd = (int)uap->fd;
4070 
4071 	/* bail if an error */
4072 	if (error) {
4073 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4074 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4075 		return;
4076 	}
4077 
4078 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4079 		/*
4080 		 * not security relevant if doing a recvmsg from non socket
4081 		 * so no extra tokens. Should probably turn off audit record
4082 		 * generation here.
4083 		 */
4084 		return;
4085 	}
4086 
4087 	so_family = so->so_family;
4088 	so_type   = so->so_type;
4089 
4090 	/*
4091 	 * only putout SOCKET_EX token if INET/INET6 family.
4092 	 * XXX - what do we do about other families?
4093 	 */
4094 
4095 	switch (so_family) {
4096 	case AF_INET:
4097 	case AF_INET6:
4098 
4099 		/*
4100 		 * if datagram type socket, then just use what is in
4101 		 * socket structure for local address.
4102 		 * XXX - what do we do for other types?
4103 		 */
4104 		if ((so->so_type == SOCK_DGRAM) ||
4105 		    (so->so_type == SOCK_RAW)) {
4106 			add_sock_token = 1;
4107 
4108 			bzero((void *)so_laddr, sizeof (so_laddr));
4109 			bzero((void *)so_faddr, sizeof (so_faddr));
4110 
4111 			/* get local address */
4112 			len = sizeof (so_laddr);
4113 			(void) socket_getsockname(so,
4114 			    (struct sockaddr *)so_laddr, &len, CRED());
4115 
4116 			/* get peer address */
4117 			STRUCT_INIT(msg, get_udatamodel());
4118 
4119 			if (copyin((caddr_t)(uap->msg),
4120 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4121 				break;
4122 			}
4123 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4124 			if (msg_name == NULL) {
4125 				break;
4126 			}
4127 
4128 			/* length is value from recvmsg - sanity check */
4129 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4130 			if (msg_namelen == 0) {
4131 				break;
4132 			}
4133 			if (copyin(msg_name, so_faddr,
4134 			    sizeof (so_faddr)) != 0) {
4135 				break;
4136 			}
4137 
4138 		} else if (so->so_type == SOCK_STREAM) {
4139 
4140 			/* get path from file struct here */
4141 			fad = F2A(fp);
4142 			ASSERT(fad);
4143 
4144 			/*
4145 			 * already processed this file for read attempt
4146 			 */
4147 			if (fad->fad_flags & FAD_READ) {
4148 				/* don't want to audit every recvmsg attempt */
4149 				tad->tad_flag = 0;
4150 				/* free any residual audit data */
4151 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4152 				releasef(fd);
4153 				return;
4154 			}
4155 			/*
4156 			 * mark things so we know what happened and don't
4157 			 * repeat things
4158 			 */
4159 			fad->fad_flags |= FAD_READ;
4160 
4161 			bzero((void *)so_laddr, sizeof (so_laddr));
4162 			bzero((void *)so_faddr, sizeof (so_faddr));
4163 
4164 			/* get local and foreign addresses */
4165 			len = sizeof (so_laddr);
4166 			(void) socket_getsockname(so,
4167 			    (struct sockaddr *)so_laddr, &len, CRED());
4168 			len = sizeof (so_faddr);
4169 			(void) socket_getpeername(so,
4170 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4171 
4172 			add_sock_token = 1;
4173 		}
4174 
4175 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4176 
4177 		break;
4178 
4179 	case AF_UNIX:
4180 		/*
4181 		 * first check if this is first time through. Too much
4182 		 * duplicate code to put this in an aui_ routine.
4183 		 */
4184 
4185 		/* get path from file struct here */
4186 		fad = F2A(fp);
4187 		ASSERT(fad);
4188 
4189 		/*
4190 		 * already processed this file for read attempt
4191 		 */
4192 		if (fad->fad_flags & FAD_READ) {
4193 			releasef(fd);
4194 			/* don't want to audit every recvmsg attempt */
4195 			tad->tad_flag = 0;
4196 			/* free any residual audit data */
4197 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4198 			return;
4199 		}
4200 		/*
4201 		 * mark things so we know what happened and don't
4202 		 * repeat things
4203 		 */
4204 		fad->fad_flags |= FAD_READ;
4205 
4206 		if (fad->fad_aupath != NULL) {
4207 			au_uwrite(au_to_path(fad->fad_aupath));
4208 		} else {
4209 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4210 		}
4211 
4212 		audit_attributes(fp->f_vnode);
4213 
4214 		releasef(fd);
4215 
4216 		return;
4217 
4218 	default:
4219 		break;
4220 
4221 	}
4222 
4223 	releasef(fd);
4224 
4225 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4226 
4227 	if (add_sock_token == 0) {
4228 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4229 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4230 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4231 		return;
4232 	}
4233 
4234 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4235 
4236 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4237 
4238 }
4239 
4240 /*ARGSUSED*/
4241 static void
4242 auf_recvfrom(
4243 	struct t_audit_data *tad,
4244 	int error,
4245 	rval_t *rvp)
4246 {
4247 
4248 	struct a {
4249 		long	fd;
4250 		long	msg;	/* char */
4251 		long	len;
4252 		long	flags;
4253 		long	from;	/* struct sockaddr */
4254 		long	fromlen;
4255 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4256 
4257 	socklen_t	fromlen;
4258 	struct sonode	*so;
4259 	char so_laddr[sizeof (struct sockaddr_in6)];
4260 	char so_faddr[sizeof (struct sockaddr_in6)];
4261 	int		fd;
4262 	short so_family, so_type;
4263 	int add_sock_token = 0;
4264 	socklen_t len;
4265 	int err;
4266 	struct file *fp;
4267 	struct f_audit_data *fad;		/* unix domain sockets */
4268 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4269 
4270 	fd = (int)uap->fd;
4271 
4272 	/* bail if an error */
4273 	if (error) {
4274 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4275 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4276 		return;
4277 	}
4278 
4279 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4280 		/*
4281 		 * not security relevant if doing a recvmsg from non socket
4282 		 * so no extra tokens. Should probably turn off audit record
4283 		 * generation here.
4284 		 */
4285 		return;
4286 	}
4287 
4288 	so_family = so->so_family;
4289 	so_type   = so->so_type;
4290 
4291 	/*
4292 	 * only putout SOCKET_EX token if INET/INET6 family.
4293 	 * XXX - what do we do about other families?
4294 	 */
4295 
4296 	switch (so_family) {
4297 	case AF_INET:
4298 	case AF_INET6:
4299 
4300 		/*
4301 		 * if datagram type socket, then just use what is in
4302 		 * socket structure for local address.
4303 		 * XXX - what do we do for other types?
4304 		 */
4305 		if ((so->so_type == SOCK_DGRAM) ||
4306 		    (so->so_type == SOCK_RAW)) {
4307 			add_sock_token = 1;
4308 
4309 			/* get local address */
4310 			len = sizeof (so_laddr);
4311 			(void) socket_getsockname(so,
4312 			    (struct sockaddr *)so_laddr, &len, CRED());
4313 
4314 			/* get peer address */
4315 			bzero((void *)so_faddr, sizeof (so_faddr));
4316 
4317 			/* sanity check */
4318 			if (uap->from == NULL)
4319 				break;
4320 
4321 			/* sanity checks */
4322 			if (uap->fromlen == 0)
4323 				break;
4324 
4325 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4326 			    sizeof (fromlen)) != 0)
4327 				break;
4328 
4329 			if (fromlen == 0)
4330 				break;
4331 
4332 			/* enforce maximum size */
4333 			if (fromlen > sizeof (so_faddr))
4334 				fromlen = sizeof (so_faddr);
4335 
4336 			if (copyin((caddr_t)(uap->from), so_faddr,
4337 			    fromlen) != 0)
4338 				break;
4339 
4340 		} else if (so->so_type == SOCK_STREAM) {
4341 
4342 			/* get path from file struct here */
4343 			fad = F2A(fp);
4344 			ASSERT(fad);
4345 
4346 			/*
4347 			 * already processed this file for read attempt
4348 			 */
4349 			if (fad->fad_flags & FAD_READ) {
4350 				/* don't want to audit every recvfrom attempt */
4351 				tad->tad_flag = 0;
4352 				/* free any residual audit data */
4353 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4354 				releasef(fd);
4355 				return;
4356 			}
4357 			/*
4358 			 * mark things so we know what happened and don't
4359 			 * repeat things
4360 			 */
4361 			fad->fad_flags |= FAD_READ;
4362 
4363 			bzero((void *)so_laddr, sizeof (so_laddr));
4364 			bzero((void *)so_faddr, sizeof (so_faddr));
4365 
4366 			/* get local and foreign addresses */
4367 			len = sizeof (so_laddr);
4368 			(void) socket_getsockname(so,
4369 			    (struct sockaddr *)so_laddr, &len, CRED());
4370 			len = sizeof (so_faddr);
4371 			(void) socket_getpeername(so,
4372 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4373 
4374 			add_sock_token = 1;
4375 		}
4376 
4377 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4378 
4379 		break;
4380 
4381 	case AF_UNIX:
4382 		/*
4383 		 * first check if this is first time through. Too much
4384 		 * duplicate code to put this in an aui_ routine.
4385 		 */
4386 
4387 		/* get path from file struct here */
4388 		fad = F2A(fp);
4389 		ASSERT(fad);
4390 
4391 		/*
4392 		 * already processed this file for read attempt
4393 		 */
4394 		if (fad->fad_flags & FAD_READ) {
4395 			/* don't want to audit every recvfrom attempt */
4396 			tad->tad_flag = 0;
4397 			/* free any residual audit data */
4398 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4399 			releasef(fd);
4400 			return;
4401 		}
4402 		/*
4403 		 * mark things so we know what happened and don't
4404 		 * repeat things
4405 		 */
4406 		fad->fad_flags |= FAD_READ;
4407 
4408 		if (fad->fad_aupath != NULL) {
4409 			au_uwrite(au_to_path(fad->fad_aupath));
4410 		} else {
4411 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4412 		}
4413 
4414 		audit_attributes(fp->f_vnode);
4415 
4416 		releasef(fd);
4417 
4418 		return;
4419 
4420 	default:
4421 		break;
4422 
4423 	}
4424 
4425 	releasef(fd);
4426 
4427 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4428 
4429 	if (add_sock_token == 0) {
4430 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4431 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4432 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4433 		return;
4434 	}
4435 
4436 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4437 
4438 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4439 }
4440 
4441 /*ARGSUSED*/
4442 static void
4443 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4444 {
4445 	struct a {
4446 		long	fd;
4447 		long	msg;	/* struct msghdr */
4448 		long	flags;
4449 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4450 
4451 	struct sonode	*so;
4452 	char so_laddr[sizeof (struct sockaddr_in6)];
4453 	char so_faddr[sizeof (struct sockaddr_in6)];
4454 	int		err;
4455 	int		fd;
4456 	short so_family, so_type;
4457 	int		add_sock_token = 0;
4458 	socklen_t	len;
4459 	struct file	*fp;
4460 	struct f_audit_data *fad;
4461 	caddr_t		msg_name;
4462 	socklen_t	msg_namelen;
4463 	STRUCT_DECL(msghdr, msg);
4464 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4465 
4466 	fd = (int)uap->fd;
4467 
4468 	/* bail if an error */
4469 	if (error) {
4470 		/* XXX include destination address from system call arguments */
4471 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4472 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4473 		return;
4474 	}
4475 
4476 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4477 		/*
4478 		 * not security relevant if doing a sendmsg from non socket
4479 		 * so no extra tokens. Should probably turn off audit record
4480 		 * generation here.
4481 		 */
4482 		return;
4483 	}
4484 
4485 	so_family = so->so_family;
4486 	so_type   = so->so_type;
4487 
4488 	switch (so_family) {
4489 	case AF_INET:
4490 	case AF_INET6:
4491 		/*
4492 		 * if datagram type socket, then just use what is in
4493 		 * socket structure for local address.
4494 		 * XXX - what do we do for other types?
4495 		 */
4496 		if ((so->so_type == SOCK_DGRAM) ||
4497 		    (so->so_type == SOCK_RAW)) {
4498 
4499 			bzero((void *)so_laddr, sizeof (so_laddr));
4500 			bzero((void *)so_faddr, sizeof (so_faddr));
4501 
4502 			/* get local address */
4503 			len = sizeof (so_laddr);
4504 			(void) socket_getsockname(so,
4505 			    (struct sockaddr *)so_laddr, &len, CRED());
4506 
4507 			/* get peer address */
4508 			STRUCT_INIT(msg, get_udatamodel());
4509 
4510 			if (copyin((caddr_t)(uap->msg),
4511 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4512 				break;
4513 			}
4514 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4515 			if (msg_name == NULL)
4516 				break;
4517 
4518 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4519 			/* length is value from recvmsg - sanity check */
4520 			if (msg_namelen == 0)
4521 				break;
4522 
4523 			if (copyin(msg_name, so_faddr,
4524 			    sizeof (so_faddr)) != 0)
4525 				break;
4526 
4527 			add_sock_token = 1;
4528 
4529 		} else if (so->so_type == SOCK_STREAM) {
4530 
4531 			/* get path from file struct here */
4532 			fad = F2A(fp);
4533 			ASSERT(fad);
4534 
4535 			/*
4536 			 * already processed this file for write attempt
4537 			 */
4538 			if (fad->fad_flags & FAD_WRITE) {
4539 				releasef(fd);
4540 				/* don't want to audit every sendmsg attempt */
4541 				tad->tad_flag = 0;
4542 				/* free any residual audit data */
4543 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4544 				return;
4545 			}
4546 
4547 			/*
4548 			 * mark things so we know what happened and don't
4549 			 * repeat things
4550 			 */
4551 			fad->fad_flags |= FAD_WRITE;
4552 
4553 			bzero((void *)so_laddr, sizeof (so_laddr));
4554 			bzero((void *)so_faddr, sizeof (so_faddr));
4555 
4556 			/* get local and foreign addresses */
4557 			len = sizeof (so_laddr);
4558 			(void) socket_getsockname(so,
4559 			    (struct sockaddr *)so_laddr, &len, CRED());
4560 			len = sizeof (so_faddr);
4561 			(void) socket_getpeername(so,
4562 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4563 
4564 			add_sock_token = 1;
4565 		}
4566 
4567 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4568 
4569 		break;
4570 
4571 	case AF_UNIX:
4572 		/*
4573 		 * first check if this is first time through. Too much
4574 		 * duplicate code to put this in an aui_ routine.
4575 		 */
4576 
4577 		/* get path from file struct here */
4578 		fad = F2A(fp);
4579 		ASSERT(fad);
4580 
4581 		/*
4582 		 * already processed this file for write attempt
4583 		 */
4584 		if (fad->fad_flags & FAD_WRITE) {
4585 			releasef(fd);
4586 			/* don't want to audit every sendmsg attempt */
4587 			tad->tad_flag = 0;
4588 			/* free any residual audit data */
4589 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4590 			return;
4591 		}
4592 		/*
4593 		 * mark things so we know what happened and don't
4594 		 * repeat things
4595 		 */
4596 		fad->fad_flags |= FAD_WRITE;
4597 
4598 		if (fad->fad_aupath != NULL) {
4599 			au_uwrite(au_to_path(fad->fad_aupath));
4600 		} else {
4601 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4602 		}
4603 
4604 		audit_attributes(fp->f_vnode);
4605 
4606 		releasef(fd);
4607 
4608 		return;
4609 
4610 	default:
4611 		break;
4612 	}
4613 
4614 	releasef(fd);
4615 
4616 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4617 
4618 	if (add_sock_token == 0) {
4619 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4620 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4621 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4622 		return;
4623 	}
4624 
4625 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4626 
4627 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4628 }
4629 
4630 /*ARGSUSED*/
4631 static void
4632 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4633 {
4634 	struct a {
4635 		long	fd;
4636 		long	msg;	/* char */
4637 		long	len;
4638 		long	flags;
4639 		long	to;	/* struct sockaddr */
4640 		long	tolen;
4641 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4642 
4643 	struct sonode	*so;
4644 	char so_laddr[sizeof (struct sockaddr_in6)];
4645 	char so_faddr[sizeof (struct sockaddr_in6)];
4646 	socklen_t	tolen;
4647 	int		err;
4648 	int		fd;
4649 	socklen_t	len;
4650 	short so_family, so_type;
4651 	int		add_sock_token = 0;
4652 	struct file	*fp;
4653 	struct f_audit_data *fad;
4654 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4655 
4656 	fd = (int)uap->fd;
4657 
4658 	/* bail if an error */
4659 	if (error) {
4660 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4661 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4662 		/* XXX include destination address from system call arguments */
4663 		return;
4664 	}
4665 
4666 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4667 		/*
4668 		 * not security relevant if doing a sendto using non socket
4669 		 * so no extra tokens. Should probably turn off audit record
4670 		 * generation here.
4671 		 */
4672 		return;
4673 	}
4674 
4675 	so_family = so->so_family;
4676 	so_type   = so->so_type;
4677 
4678 	/*
4679 	 * only putout SOCKET_EX token if INET/INET6 family.
4680 	 * XXX - what do we do about other families?
4681 	 */
4682 
4683 	switch (so_family) {
4684 	case AF_INET:
4685 	case AF_INET6:
4686 
4687 		/*
4688 		 * if datagram type socket, then just use what is in
4689 		 * socket structure for local address.
4690 		 * XXX - what do we do for other types?
4691 		 */
4692 		if ((so->so_type == SOCK_DGRAM) ||
4693 		    (so->so_type == SOCK_RAW)) {
4694 
4695 			bzero((void *)so_laddr, sizeof (so_laddr));
4696 			bzero((void *)so_faddr, sizeof (so_faddr));
4697 
4698 			/* get local address */
4699 			len = sizeof (so_laddr);
4700 			(void) socket_getsockname(so,
4701 			    (struct sockaddr *)so_laddr, &len, CRED());
4702 
4703 			/* get peer address */
4704 
4705 			/* sanity check */
4706 			if (uap->to == NULL)
4707 				break;
4708 
4709 			/* sanity checks */
4710 			if (uap->tolen == 0)
4711 				break;
4712 
4713 			tolen = (socklen_t)uap->tolen;
4714 
4715 			/* enforce maximum size */
4716 			if (tolen > sizeof (so_faddr))
4717 				tolen = sizeof (so_faddr);
4718 
4719 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4720 				break;
4721 
4722 			add_sock_token = 1;
4723 		} else {
4724 			/*
4725 			 * check if this is first time through.
4726 			 */
4727 
4728 			/* get path from file struct here */
4729 			fad = F2A(fp);
4730 			ASSERT(fad);
4731 
4732 			/*
4733 			 * already processed this file for write attempt
4734 			 */
4735 			if (fad->fad_flags & FAD_WRITE) {
4736 				/* don't want to audit every sendto attempt */
4737 				tad->tad_flag = 0;
4738 				/* free any residual audit data */
4739 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4740 				releasef(fd);
4741 				return;
4742 			}
4743 			/*
4744 			 * mark things so we know what happened and don't
4745 			 * repeat things
4746 			 */
4747 			fad->fad_flags |= FAD_WRITE;
4748 
4749 			bzero((void *)so_laddr, sizeof (so_laddr));
4750 			bzero((void *)so_faddr, sizeof (so_faddr));
4751 
4752 			/* get local and foreign addresses */
4753 			len = sizeof (so_laddr);
4754 			(void) socket_getsockname(so,
4755 			    (struct sockaddr *)so_laddr, &len, CRED());
4756 			len = sizeof (so_faddr);
4757 			(void) socket_getpeername(so,
4758 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4759 
4760 			add_sock_token = 1;
4761 		}
4762 
4763 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4764 
4765 		break;
4766 
4767 	case AF_UNIX:
4768 		/*
4769 		 * first check if this is first time through. Too much
4770 		 * duplicate code to put this in an aui_ routine.
4771 		 */
4772 
4773 		/* get path from file struct here */
4774 		fad = F2A(fp);
4775 		ASSERT(fad);
4776 
4777 		/*
4778 		 * already processed this file for write attempt
4779 		 */
4780 		if (fad->fad_flags & FAD_WRITE) {
4781 			/* don't want to audit every sendto attempt */
4782 			tad->tad_flag = 0;
4783 			/* free any residual audit data */
4784 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4785 			releasef(fd);
4786 			return;
4787 		}
4788 		/*
4789 		 * mark things so we know what happened and don't
4790 		 * repeat things
4791 		 */
4792 		fad->fad_flags |= FAD_WRITE;
4793 
4794 		if (fad->fad_aupath != NULL) {
4795 			au_uwrite(au_to_path(fad->fad_aupath));
4796 		} else {
4797 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4798 		}
4799 
4800 		audit_attributes(fp->f_vnode);
4801 
4802 		releasef(fd);
4803 
4804 		return;
4805 
4806 	default:
4807 		break;
4808 
4809 	}
4810 
4811 	releasef(fd);
4812 
4813 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4814 
4815 	if (add_sock_token == 0) {
4816 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4817 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4818 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4819 		return;
4820 	}
4821 
4822 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4823 
4824 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4825 
4826 }
4827 
4828 /*
4829  * XXX socket(2) may be equivalent to open(2) on a unix domain
4830  * socket. This needs investigation.
4831  */
4832 
4833 /*ARGSUSED*/
4834 static void
4835 aus_socket(struct t_audit_data *tad)
4836 {
4837 	struct a {
4838 		long	domain;
4839 		long	type;
4840 		long	protocol;
4841 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4842 
4843 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4844 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4845 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4846 }
4847 
4848 /*ARGSUSED*/
4849 static void
4850 aus_sigqueue(struct t_audit_data *tad)
4851 {
4852 	struct a {
4853 		long	pid;
4854 		long	signo;
4855 		long	*val;
4856 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4857 	struct proc *p;
4858 	uid_t uid, ruid;
4859 	gid_t gid, rgid;
4860 	pid_t pid;
4861 	const auditinfo_addr_t *ainfo;
4862 	cred_t *cr;
4863 
4864 	pid = (pid_t)uap->pid;
4865 
4866 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4867 	if (pid > 0) {
4868 		mutex_enter(&pidlock);
4869 		if ((p = prfind(pid)) == (struct proc *)0) {
4870 			mutex_exit(&pidlock);
4871 			return;
4872 		}
4873 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4874 		mutex_exit(&pidlock);
4875 
4876 		mutex_enter(&p->p_crlock);
4877 		crhold(cr = p->p_cred);
4878 		mutex_exit(&p->p_crlock);
4879 		mutex_exit(&p->p_lock);
4880 
4881 		ainfo = crgetauinfo(cr);
4882 		if (ainfo == NULL) {
4883 			crfree(cr);
4884 			return;
4885 		}
4886 
4887 		uid  = crgetuid(cr);
4888 		gid  = crgetgid(cr);
4889 		ruid = crgetruid(cr);
4890 		rgid = crgetrgid(cr);
4891 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4892 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4893 		crfree(cr);
4894 	}
4895 	else
4896 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4897 }
4898 
4899 /*ARGSUSED*/
4900 static void
4901 aus_inst_sync(struct t_audit_data *tad)
4902 {
4903 	struct a {
4904 		long	name;	/* char */
4905 		long	flags;
4906 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4907 
4908 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4909 }
4910 
4911 /*ARGSUSED*/
4912 static void
4913 aus_brandsys(struct t_audit_data *tad)
4914 {
4915 	klwp_t *clwp = ttolwp(curthread);
4916 
4917 	struct a {
4918 		long	cmd;
4919 		long	arg1;
4920 		long	arg2;
4921 		long	arg3;
4922 		long	arg4;
4923 		long	arg5;
4924 		long	arg6;
4925 	} *uap = (struct a *)clwp->lwp_ap;
4926 
4927 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4928 #ifdef _LP64
4929 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4930 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4931 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4932 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4933 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4934 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4935 #else
4936 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4937 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4938 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4939 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4940 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4941 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4942 #endif
4943 }
4944 
4945 /*ARGSUSED*/
4946 static void
4947 aus_p_online(struct t_audit_data *tad)
4948 {
4949 	struct a {
4950 		long	processor_id;
4951 		long	flag;
4952 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4953 
4954 	struct flags {
4955 			int	flag;
4956 			char	*cflag;
4957 	} aflags[6] = {
4958 			{ P_ONLINE, "P_ONLINE"},
4959 			{ P_OFFLINE, "P_OFFLINE"},
4960 			{ P_NOINTR, "P_NOINTR"},
4961 			{ P_SPARE, "P_SPARE"},
4962 			{ P_FAULTED, "P_FAULTED"},
4963 			{ P_STATUS, "P_STATUS"}
4964 	};
4965 	int i;
4966 	char *cflag;
4967 
4968 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4969 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4970 
4971 	for (i = 0; i < 6; i++) {
4972 		if (aflags[i].flag == uap->flag)
4973 			break;
4974 	}
4975 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4976 
4977 	au_uwrite(au_to_text(cflag));
4978 }
4979 
4980 /*ARGSUSED*/
4981 static void
4982 aus_processor_bind(struct t_audit_data *tad)
4983 {
4984 	struct a {
4985 		long	id_type;
4986 		long	id;
4987 		long	processor_id;
4988 		long	obind;
4989 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4990 
4991 	struct proc *p;
4992 	int lwpcnt;
4993 	uid_t uid, ruid;
4994 	gid_t gid, rgid;
4995 	pid_t pid;
4996 	const auditinfo_addr_t *ainfo;
4997 	cred_t *cr;
4998 
4999 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5000 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5001 	if (uap->processor_id == PBIND_NONE)
5002 		au_uwrite(au_to_text("PBIND_NONE"));
5003 	else
5004 		au_uwrite(au_to_arg32(3, "processor_id",
5005 		    (uint32_t)uap->processor_id));
5006 
5007 	switch (uap->id_type) {
5008 	case P_MYID:
5009 	case P_LWPID:
5010 		mutex_enter(&pidlock);
5011 		p = ttoproc(curthread);
5012 		if (p == NULL || p->p_as == &kas) {
5013 			mutex_exit(&pidlock);
5014 			return;
5015 		}
5016 		mutex_enter(&p->p_lock);
5017 		mutex_exit(&pidlock);
5018 		lwpcnt = p->p_lwpcnt;
5019 		pid  = p->p_pid;
5020 
5021 		mutex_enter(&p->p_crlock);
5022 		crhold(cr = p->p_cred);
5023 		mutex_exit(&p->p_crlock);
5024 		mutex_exit(&p->p_lock);
5025 
5026 		ainfo = crgetauinfo(cr);
5027 		if (ainfo == NULL) {
5028 			crfree(cr);
5029 			return;
5030 		}
5031 
5032 		uid  = crgetuid(cr);
5033 		gid  = crgetgid(cr);
5034 		ruid = crgetruid(cr);
5035 		rgid = crgetrgid(cr);
5036 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5037 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5038 		crfree(cr);
5039 		break;
5040 	case P_PID:
5041 		mutex_enter(&pidlock);
5042 		p = prfind(uap->id);
5043 		if (p == NULL || p->p_as == &kas) {
5044 			mutex_exit(&pidlock);
5045 			return;
5046 		}
5047 		mutex_enter(&p->p_lock);
5048 		mutex_exit(&pidlock);
5049 		lwpcnt = p->p_lwpcnt;
5050 		pid  = p->p_pid;
5051 
5052 		mutex_enter(&p->p_crlock);
5053 		crhold(cr = p->p_cred);
5054 		mutex_exit(&p->p_crlock);
5055 		mutex_exit(&p->p_lock);
5056 
5057 		ainfo = crgetauinfo(cr);
5058 		if (ainfo == NULL) {
5059 			crfree(cr);
5060 			return;
5061 		}
5062 
5063 		uid  = crgetuid(cr);
5064 		gid  = crgetgid(cr);
5065 		ruid = crgetruid(cr);
5066 		rgid = crgetrgid(cr);
5067 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5068 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5069 		crfree(cr);
5070 
5071 		break;
5072 	default:
5073 		return;
5074 	}
5075 
5076 	if (uap->processor_id == PBIND_NONE &&
5077 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5078 		au_uwrite(au_to_text("PBIND_NONE for process"));
5079 	else
5080 		au_uwrite(au_to_arg32(3, "processor_id",
5081 		    (uint32_t)uap->processor_id));
5082 }
5083 
5084 /*ARGSUSED*/
5085 static au_event_t
5086 aui_doorfs(au_event_t e)
5087 {
5088 	uint32_t code;
5089 
5090 	struct a {		/* doorfs */
5091 		long	a1;
5092 		long	a2;
5093 		long	a3;
5094 		long	a4;
5095 		long	a5;
5096 		long	code;
5097 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5098 
5099 	/*
5100 	 *	audit formats for several of the
5101 	 *	door calls have not yet been determined
5102 	 */
5103 	code = (uint32_t)uap->code;
5104 	switch (code) {
5105 	case DOOR_CALL:
5106 		e = AUE_DOORFS_DOOR_CALL;
5107 		break;
5108 	case DOOR_RETURN:
5109 		e = AUE_NULL;
5110 		break;
5111 	case DOOR_CREATE:
5112 		e = AUE_DOORFS_DOOR_CREATE;
5113 		break;
5114 	case DOOR_REVOKE:
5115 		e = AUE_DOORFS_DOOR_REVOKE;
5116 		break;
5117 	case DOOR_INFO:
5118 		e = AUE_NULL;
5119 		break;
5120 	case DOOR_UCRED:
5121 		e = AUE_NULL;
5122 		break;
5123 	case DOOR_BIND:
5124 		e = AUE_NULL;
5125 		break;
5126 	case DOOR_UNBIND:
5127 		e = AUE_NULL;
5128 		break;
5129 	case DOOR_GETPARAM:
5130 		e = AUE_NULL;
5131 		break;
5132 	case DOOR_SETPARAM:
5133 		e = AUE_NULL;
5134 		break;
5135 	default:	/* illegal system call */
5136 		e = AUE_NULL;
5137 		break;
5138 	}
5139 
5140 	return (e);
5141 }
5142 
5143 static door_node_t *
5144 au_door_lookup(int did)
5145 {
5146 	vnode_t	*vp;
5147 	file_t *fp;
5148 
5149 	if ((fp = getf(did)) == NULL)
5150 		return (NULL);
5151 	/*
5152 	 * Use the underlying vnode (we may be namefs mounted)
5153 	 */
5154 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5155 		vp = fp->f_vnode;
5156 
5157 	if (vp == NULL || vp->v_type != VDOOR) {
5158 		releasef(did);
5159 		return (NULL);
5160 	}
5161 
5162 	return (VTOD(vp));
5163 }
5164 
5165 /*ARGSUSED*/
5166 static void
5167 aus_doorfs(struct t_audit_data *tad)
5168 {
5169 
5170 	struct a {		/* doorfs */
5171 		long	a1;
5172 		long	a2;
5173 		long	a3;
5174 		long	a4;
5175 		long	a5;
5176 		long	code;
5177 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5178 
5179 	door_node_t	*dp;
5180 	struct proc	*p;
5181 	uint32_t	did;
5182 	uid_t uid, ruid;
5183 	gid_t gid, rgid;
5184 	pid_t pid;
5185 	const auditinfo_addr_t *ainfo;
5186 	cred_t *cr;
5187 
5188 	did = (uint32_t)uap->a1;
5189 
5190 	switch (tad->tad_event) {
5191 	case AUE_DOORFS_DOOR_CALL:
5192 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5193 		if ((dp = au_door_lookup(did)) == NULL)
5194 			break;
5195 
5196 		if (DOOR_INVALID(dp)) {
5197 			releasef(did);
5198 			break;
5199 		}
5200 
5201 		if ((p = dp->door_target) == NULL) {
5202 			releasef(did);
5203 			break;
5204 		}
5205 		mutex_enter(&p->p_lock);
5206 		releasef(did);
5207 
5208 		pid  = p->p_pid;
5209 
5210 		mutex_enter(&p->p_crlock);
5211 		crhold(cr = p->p_cred);
5212 		mutex_exit(&p->p_crlock);
5213 		mutex_exit(&p->p_lock);
5214 
5215 		ainfo = crgetauinfo(cr);
5216 		if (ainfo == NULL) {
5217 			crfree(cr);
5218 			return;
5219 		}
5220 		uid  = crgetuid(cr);
5221 		gid  = crgetgid(cr);
5222 		ruid = crgetruid(cr);
5223 		rgid = crgetrgid(cr);
5224 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5225 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5226 		crfree(cr);
5227 		break;
5228 	case AUE_DOORFS_DOOR_RETURN:
5229 		/*
5230 		 * We may want to write information about
5231 		 * all doors (if any) which will be copied
5232 		 * by this call to the user space
5233 		 */
5234 		break;
5235 	case AUE_DOORFS_DOOR_CREATE:
5236 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5237 		break;
5238 	case AUE_DOORFS_DOOR_REVOKE:
5239 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5240 		break;
5241 	case AUE_DOORFS_DOOR_INFO:
5242 		break;
5243 	case AUE_DOORFS_DOOR_CRED:
5244 		break;
5245 	case AUE_DOORFS_DOOR_BIND:
5246 		break;
5247 	case AUE_DOORFS_DOOR_UNBIND: {
5248 		break;
5249 	}
5250 	default:	/* illegal system call */
5251 		break;
5252 	}
5253 }
5254 
5255 /*ARGSUSED*/
5256 static au_event_t
5257 aui_acl(au_event_t e)
5258 {
5259 	struct a {
5260 		union {
5261 			long	name;	/* char */
5262 			long	fd;
5263 		}		obj;
5264 
5265 		long		cmd;
5266 		long		nentries;
5267 		long		arg;	/* aclent_t */
5268 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5269 
5270 	switch (uap->cmd) {
5271 	case SETACL:
5272 	case ACE_SETACL:
5273 		/*
5274 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5275 		 * are expected.
5276 		 */
5277 		break;
5278 	case GETACL:
5279 	case GETACLCNT:
5280 	case ACE_GETACL:
5281 	case ACE_GETACLCNT:
5282 		/* do nothing for these four values. */
5283 		e = AUE_NULL;
5284 		break;
5285 	default:
5286 		/* illegal system call */
5287 		break;
5288 	}
5289 
5290 	return (e);
5291 }
5292 
5293 static void
5294 au_acl(int cmd, int nentries, caddr_t bufp)
5295 {
5296 	size_t		a_size;
5297 	aclent_t	*aclbufp;
5298 	ace_t		*acebufp;
5299 	int		i;
5300 
5301 	switch (cmd) {
5302 	case GETACL:
5303 	case GETACLCNT:
5304 		break;
5305 	case SETACL:
5306 		if (nentries < 3)
5307 			break;
5308 
5309 		a_size = nentries * sizeof (aclent_t);
5310 
5311 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5312 			break;
5313 		if (copyin(bufp, aclbufp, a_size)) {
5314 			kmem_free(aclbufp, a_size);
5315 			break;
5316 		}
5317 		for (i = 0; i < nentries; i++) {
5318 			au_uwrite(au_to_acl(aclbufp + i));
5319 		}
5320 		kmem_free(aclbufp, a_size);
5321 		break;
5322 
5323 	case ACE_SETACL:
5324 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5325 			break;
5326 
5327 		a_size = nentries * sizeof (ace_t);
5328 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5329 			break;
5330 		if (copyin(bufp, acebufp, a_size)) {
5331 			kmem_free(acebufp, a_size);
5332 			break;
5333 		}
5334 		for (i = 0; i < nentries; i++) {
5335 			au_uwrite(au_to_ace(acebufp + i));
5336 		}
5337 		kmem_free(acebufp, a_size);
5338 		break;
5339 	default:
5340 		break;
5341 	}
5342 }
5343 
5344 /*ARGSUSED*/
5345 static void
5346 aus_acl(struct t_audit_data *tad)
5347 {
5348 	struct a {
5349 		long	fname;
5350 		long	cmd;
5351 		long	nentries;
5352 		long	aclbufp;
5353 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5354 
5355 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5356 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5357 
5358 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5359 }
5360 
5361 /*ARGSUSED*/
5362 static void
5363 aus_facl(struct t_audit_data *tad)
5364 {
5365 	struct a {
5366 		long	fd;
5367 		long	cmd;
5368 		long	nentries;
5369 		long	aclbufp;
5370 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5371 	struct file  *fp;
5372 	struct vnode *vp;
5373 	struct f_audit_data *fad;
5374 	int fd;
5375 
5376 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5377 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5378 
5379 	fd = (int)uap->fd;
5380 
5381 	if ((fp = getf(fd)) == NULL)
5382 		return;
5383 
5384 	/* get path from file struct here */
5385 	fad = F2A(fp);
5386 	if (fad->fad_aupath != NULL) {
5387 		au_uwrite(au_to_path(fad->fad_aupath));
5388 	} else {
5389 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5390 	}
5391 
5392 	vp = fp->f_vnode;
5393 	audit_attributes(vp);
5394 
5395 	/* decrement file descriptor reference count */
5396 	releasef(fd);
5397 
5398 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5399 }
5400 
5401 /*ARGSUSED*/
5402 static void
5403 auf_read(tad, error, rval)
5404 	struct t_audit_data *tad;
5405 	int error;
5406 	rval_t *rval;
5407 {
5408 	struct file *fp;
5409 	struct f_audit_data *fad;
5410 	int fd;
5411 	register struct a {
5412 		long	fd;
5413 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5414 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5415 
5416 	fd = (int)uap->fd;
5417 
5418 	/*
5419 	 * convert file pointer to file descriptor
5420 	 *   Note: fd ref count incremented here.
5421 	 */
5422 	if ((fp = getf(fd)) == NULL)
5423 		return;
5424 
5425 	/* get path from file struct here */
5426 	fad = F2A(fp);
5427 	ASSERT(fad);
5428 
5429 	/*
5430 	 * already processed this file for read attempt
5431 	 *
5432 	 * XXX might be better to turn off auditing in a aui_read() routine.
5433 	 */
5434 	if (fad->fad_flags & FAD_READ) {
5435 		/* don't really want to audit every read attempt */
5436 		tad->tad_flag = 0;
5437 		/* free any residual audit data */
5438 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5439 		releasef(fd);
5440 		return;
5441 	}
5442 	/* mark things so we know what happened and don't repeat things */
5443 	fad->fad_flags |= FAD_READ;
5444 
5445 	if (fad->fad_aupath != NULL) {
5446 		au_uwrite(au_to_path(fad->fad_aupath));
5447 	} else {
5448 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5449 	}
5450 
5451 	/* include attributes */
5452 	audit_attributes(fp->f_vnode);
5453 
5454 	/* decrement file descriptor reference count */
5455 	releasef(fd);
5456 }
5457 
5458 /*ARGSUSED*/
5459 static void
5460 auf_write(tad, error, rval)
5461 	struct t_audit_data *tad;
5462 	int error;
5463 	rval_t *rval;
5464 {
5465 	struct file *fp;
5466 	struct f_audit_data *fad;
5467 	int fd;
5468 	register struct a {
5469 		long	fd;
5470 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5471 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5472 
5473 	fd = (int)uap->fd;
5474 
5475 	/*
5476 	 * convert file pointer to file descriptor
5477 	 *   Note: fd ref count incremented here.
5478 	 */
5479 	if ((fp = getf(fd)) == NULL)
5480 		return;
5481 
5482 	/* get path from file struct here */
5483 	fad = F2A(fp);
5484 	ASSERT(fad);
5485 
5486 	/*
5487 	 * already processed this file for write attempt
5488 	 *
5489 	 * XXX might be better to turn off auditing in a aus_write() routine.
5490 	 */
5491 	if (fad->fad_flags & FAD_WRITE) {
5492 		/* don't really want to audit every write attempt */
5493 		tad->tad_flag = 0;
5494 		/* free any residual audit data */
5495 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5496 		releasef(fd);
5497 		return;
5498 	}
5499 	/* mark things so we know what happened and don't repeat things */
5500 	fad->fad_flags |= FAD_WRITE;
5501 
5502 	if (fad->fad_aupath != NULL) {
5503 		au_uwrite(au_to_path(fad->fad_aupath));
5504 	} else {
5505 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5506 	}
5507 
5508 	/* include attributes */
5509 	audit_attributes(fp->f_vnode);
5510 
5511 	/* decrement file descriptor reference count */
5512 	releasef(fd);
5513 }
5514 
5515 /*ARGSUSED*/
5516 static void
5517 auf_recv(tad, error, rval)
5518 	struct t_audit_data *tad;
5519 	int error;
5520 	rval_t *rval;
5521 {
5522 	struct sonode *so;
5523 	char so_laddr[sizeof (struct sockaddr_in6)];
5524 	char so_faddr[sizeof (struct sockaddr_in6)];
5525 	struct file *fp;
5526 	struct f_audit_data *fad;
5527 	int fd;
5528 	int err;
5529 	socklen_t len;
5530 	short so_family, so_type;
5531 	register struct a {
5532 		long	fd;
5533 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5534 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5535 
5536 	/*
5537 	 * If there was an error, then nothing to do. Only generate
5538 	 * audit record on first successful recv.
5539 	 */
5540 	if (error) {
5541 		/* Turn off audit record generation here. */
5542 		tad->tad_flag = 0;
5543 		/* free any residual audit data */
5544 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5545 		return;
5546 	}
5547 
5548 	fd = (int)uap->fd;
5549 
5550 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5551 		/* Turn off audit record generation here. */
5552 		tad->tad_flag = 0;
5553 		/* free any residual audit data */
5554 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5555 		return;
5556 	}
5557 
5558 	/* get path from file struct here */
5559 	fad = F2A(fp);
5560 	ASSERT(fad);
5561 
5562 	/*
5563 	 * already processed this file for read attempt
5564 	 */
5565 	if (fad->fad_flags & FAD_READ) {
5566 		releasef(fd);
5567 		/* don't really want to audit every recv call */
5568 		tad->tad_flag = 0;
5569 		/* free any residual audit data */
5570 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5571 		return;
5572 	}
5573 
5574 	/* mark things so we know what happened and don't repeat things */
5575 	fad->fad_flags |= FAD_READ;
5576 
5577 	so_family = so->so_family;
5578 	so_type   = so->so_type;
5579 
5580 	switch (so_family) {
5581 	case AF_INET:
5582 	case AF_INET6:
5583 		/*
5584 		 * Only for connections.
5585 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5586 		 */
5587 		if (so->so_state & SS_ISBOUND) {
5588 
5589 			bzero((void *)so_laddr, sizeof (so_laddr));
5590 			bzero((void *)so_faddr, sizeof (so_faddr));
5591 
5592 			/* get local and foreign addresses */
5593 			len = sizeof (so_laddr);
5594 			(void) socket_getsockname(so,
5595 			    (struct sockaddr *)so_laddr, &len, CRED());
5596 			len = sizeof (so_faddr);
5597 			(void) socket_getpeername(so,
5598 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5599 
5600 			/*
5601 			 * only way to drop out of switch. Note that we
5602 			 * we release fd below.
5603 			 */
5604 
5605 			break;
5606 		}
5607 
5608 		releasef(fd);
5609 
5610 		/* don't really want to audit every recv call */
5611 		tad->tad_flag = 0;
5612 		/* free any residual audit data */
5613 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5614 
5615 		return;
5616 
5617 	case AF_UNIX:
5618 
5619 		if (fad->fad_aupath != NULL) {
5620 			au_uwrite(au_to_path(fad->fad_aupath));
5621 		} else {
5622 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5623 		}
5624 
5625 		audit_attributes(fp->f_vnode);
5626 
5627 		releasef(fd);
5628 
5629 		return;
5630 
5631 	default:
5632 		releasef(fd);
5633 
5634 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5635 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5636 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5637 
5638 		return;
5639 	}
5640 
5641 	releasef(fd);
5642 
5643 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5644 
5645 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5646 
5647 }
5648 
5649 /*ARGSUSED*/
5650 static void
5651 auf_send(tad, error, rval)
5652 	struct t_audit_data *tad;
5653 	int error;
5654 	rval_t *rval;
5655 {
5656 	struct sonode *so;
5657 	char so_laddr[sizeof (struct sockaddr_in6)];
5658 	char so_faddr[sizeof (struct sockaddr_in6)];
5659 	struct file *fp;
5660 	struct f_audit_data *fad;
5661 	int fd;
5662 	int err;
5663 	socklen_t len;
5664 	short so_family, so_type;
5665 	register struct a {
5666 		long	fd;
5667 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5668 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5669 
5670 	fd = (int)uap->fd;
5671 
5672 	/*
5673 	 * If there was an error, then nothing to do. Only generate
5674 	 * audit record on first successful send.
5675 	 */
5676 	if (error != 0) {
5677 		/* Turn off audit record generation here. */
5678 		tad->tad_flag = 0;
5679 		/* free any residual audit data */
5680 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5681 		return;
5682 	}
5683 
5684 	fd = (int)uap->fd;
5685 
5686 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5687 		/* Turn off audit record generation here. */
5688 		tad->tad_flag = 0;
5689 		/* free any residual audit data */
5690 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5691 		return;
5692 	}
5693 
5694 	/* get path from file struct here */
5695 	fad = F2A(fp);
5696 	ASSERT(fad);
5697 
5698 	/*
5699 	 * already processed this file for write attempt
5700 	 */
5701 	if (fad->fad_flags & FAD_WRITE) {
5702 		releasef(fd);
5703 		/* don't really want to audit every send call */
5704 		tad->tad_flag = 0;
5705 		/* free any residual audit data */
5706 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5707 		return;
5708 	}
5709 
5710 	/* mark things so we know what happened and don't repeat things */
5711 	fad->fad_flags |= FAD_WRITE;
5712 
5713 	so_family = so->so_family;
5714 	so_type   = so->so_type;
5715 
5716 	switch (so_family) {
5717 	case AF_INET:
5718 	case AF_INET6:
5719 		/*
5720 		 * Only for connections.
5721 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5722 		 */
5723 		if (so->so_state & SS_ISBOUND) {
5724 
5725 			bzero((void *)so_laddr, sizeof (so_laddr));
5726 			bzero((void *)so_faddr, sizeof (so_faddr));
5727 
5728 			/* get local and foreign addresses */
5729 			len = sizeof (so_laddr);
5730 			(void) socket_getsockname(so,
5731 			    (struct sockaddr *)so_laddr, &len, CRED());
5732 			len = sizeof (so_faddr);
5733 			(void) socket_getpeername(so,
5734 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5735 
5736 			/*
5737 			 * only way to drop out of switch. Note that we
5738 			 * we release fd below.
5739 			 */
5740 
5741 			break;
5742 		}
5743 
5744 		releasef(fd);
5745 		/* don't really want to audit every send call */
5746 		tad->tad_flag = 0;
5747 		/* free any residual audit data */
5748 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5749 
5750 		return;
5751 
5752 	case AF_UNIX:
5753 
5754 		if (fad->fad_aupath != NULL) {
5755 			au_uwrite(au_to_path(fad->fad_aupath));
5756 		} else {
5757 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5758 		}
5759 
5760 		audit_attributes(fp->f_vnode);
5761 
5762 		releasef(fd);
5763 
5764 		return;
5765 
5766 	default:
5767 		releasef(fd);
5768 
5769 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5770 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5771 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5772 
5773 		return;
5774 	}
5775 
5776 	releasef(fd);
5777 
5778 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5779 
5780 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5781 }
5782 
5783 static au_event_t
5784 aui_forksys(au_event_t e)
5785 {
5786 	struct a {
5787 		long	subcode;
5788 		long	flags;
5789 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5790 
5791 	switch ((uint_t)uap->subcode) {
5792 	case 0:
5793 		e = AUE_FORK1;
5794 		break;
5795 	case 1:
5796 		e = AUE_FORKALL;
5797 		break;
5798 	case 2:
5799 		e = AUE_VFORK;
5800 		break;
5801 	default:
5802 		e = AUE_NULL;
5803 		break;
5804 	}
5805 
5806 	return (e);
5807 }
5808 
5809 /*ARGSUSED*/
5810 static au_event_t
5811 aui_portfs(au_event_t e)
5812 {
5813 	struct a {		/* portfs */
5814 		long	a1;
5815 		long	a2;
5816 		long	a3;
5817 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5818 
5819 	/*
5820 	 * check opcode
5821 	 */
5822 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5823 	case PORT_ASSOCIATE:
5824 		/* check source */
5825 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5826 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5827 			e = AUE_PORTFS_ASSOCIATE;
5828 		} else {
5829 			e = AUE_NULL;
5830 		}
5831 		break;
5832 	case PORT_DISSOCIATE:
5833 		/* check source */
5834 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5835 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5836 			e = AUE_PORTFS_DISSOCIATE;
5837 		} else {
5838 			e = AUE_NULL;
5839 		}
5840 		break;
5841 	default:
5842 		e = AUE_NULL;
5843 	}
5844 	return (e);
5845 }
5846