1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * This file contains the audit event table used to control the production 27 * of audit records for each system call. 28 */ 29 30 #include <sys/policy.h> 31 #include <sys/cred.h> 32 #include <sys/types.h> 33 #include <sys/systm.h> 34 #include <sys/systeminfo.h> /* for sysinfo auditing */ 35 #include <sys/utsname.h> /* for sysinfo auditing */ 36 #include <sys/proc.h> 37 #include <sys/vnode.h> 38 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 39 #include <sys/fcntl.h> 40 #include <sys/modctl.h> /* for modctl auditing */ 41 #include <sys/vnode.h> 42 #include <sys/user.h> 43 #include <sys/types.h> 44 #include <sys/processor.h> 45 #include <sys/procset.h> 46 #include <sys/acl.h> 47 #include <sys/ipc.h> 48 #include <sys/door.h> 49 #include <sys/sem.h> 50 #include <sys/msg.h> 51 #include <sys/shm.h> 52 #include <sys/kmem.h> 53 #include <sys/file.h> /* for accept */ 54 #include <sys/utssys.h> /* for fuser */ 55 #include <sys/tsol/label.h> 56 #include <sys/tsol/tndb.h> 57 #include <sys/tsol/tsyscall.h> 58 #include <c2/audit.h> 59 #include <c2/audit_kernel.h> 60 #include <c2/audit_kevents.h> 61 #include <c2/audit_record.h> 62 #include <sys/procset.h> 63 #include <nfs/mount.h> 64 #include <sys/param.h> 65 #include <sys/debug.h> 66 #include <sys/sysmacros.h> 67 #include <sys/stream.h> 68 #include <sys/strsubr.h> 69 #include <sys/stropts.h> 70 #include <sys/tihdr.h> 71 #include <sys/socket.h> 72 #include <sys/socketvar.h> 73 #include <sys/vfs_opreg.h> 74 #include <fs/sockfs/sockcommon.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 char _depends_on[] = "fs/sockfs"; 81 82 static au_event_t aui_fchownat(au_event_t); 83 static au_event_t aui_open(au_event_t); 84 static au_event_t aui_openat(au_event_t); 85 static au_event_t aui_unlinkat(au_event_t); 86 static au_event_t aui_fstatat(au_event_t); 87 static au_event_t aui_msgsys(au_event_t); 88 static au_event_t aui_shmsys(au_event_t); 89 static au_event_t aui_semsys(au_event_t); 90 static au_event_t aui_utssys(au_event_t); 91 static au_event_t aui_fcntl(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 static au_event_t aui_setpgrp(au_event_t); 104 105 static void aus_exit(struct t_audit_data *); 106 static void aus_open(struct t_audit_data *); 107 static void aus_openat(struct t_audit_data *); 108 static void aus_acl(struct t_audit_data *); 109 static void aus_acct(struct t_audit_data *); 110 static void aus_chown(struct t_audit_data *); 111 static void aus_fchown(struct t_audit_data *); 112 static void aus_lchown(struct t_audit_data *); 113 static void aus_fchownat(struct t_audit_data *); 114 static void aus_chmod(struct t_audit_data *); 115 static void aus_facl(struct t_audit_data *); 116 static void aus_fchmod(struct t_audit_data *); 117 static void aus_fcntl(struct t_audit_data *); 118 static void aus_mkdir(struct t_audit_data *); 119 static void aus_mknod(struct t_audit_data *); 120 static void aus_mount(struct t_audit_data *); 121 static void aus_umount2(struct t_audit_data *); 122 static void aus_msgsys(struct t_audit_data *); 123 static void aus_semsys(struct t_audit_data *); 124 static void aus_close(struct t_audit_data *); 125 static void aus_fstatfs(struct t_audit_data *); 126 static void aus_setgid(struct t_audit_data *); 127 static void aus_setpgrp(struct t_audit_data *); 128 static void aus_setuid(struct t_audit_data *); 129 static void aus_shmsys(struct t_audit_data *); 130 static void aus_doorfs(struct t_audit_data *); 131 static void aus_ioctl(struct t_audit_data *); 132 static void aus_memcntl(struct t_audit_data *); 133 static void aus_mmap(struct t_audit_data *); 134 static void aus_munmap(struct t_audit_data *); 135 static void aus_priocntlsys(struct t_audit_data *); 136 static void aus_setegid(struct t_audit_data *); 137 static void aus_setgroups(struct t_audit_data *); 138 static void aus_seteuid(struct t_audit_data *); 139 static void aus_putmsg(struct t_audit_data *); 140 static void aus_putpmsg(struct t_audit_data *); 141 static void aus_getmsg(struct t_audit_data *); 142 static void aus_getpmsg(struct t_audit_data *); 143 static void aus_auditsys(struct t_audit_data *); 144 static void aus_sysinfo(struct t_audit_data *); 145 static void aus_modctl(struct t_audit_data *); 146 static void aus_kill(struct t_audit_data *); 147 static void aus_setregid(struct t_audit_data *); 148 static void aus_setreuid(struct t_audit_data *); 149 static void aus_labelsys(struct t_audit_data *); 150 151 static void auf_mknod(struct t_audit_data *, int, rval_t *); 152 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 153 static void auf_semsys(struct t_audit_data *, int, rval_t *); 154 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 155 static void auf_read(struct t_audit_data *, int, rval_t *); 156 static void auf_write(struct t_audit_data *, int, rval_t *); 157 158 static void aus_sigqueue(struct t_audit_data *); 159 static void aus_p_online(struct t_audit_data *); 160 static void aus_processor_bind(struct t_audit_data *); 161 static void aus_inst_sync(struct t_audit_data *); 162 static void aus_brandsys(struct t_audit_data *); 163 164 static void auf_accept(struct t_audit_data *, int, rval_t *); 165 166 static void auf_bind(struct t_audit_data *, int, rval_t *); 167 static void auf_connect(struct t_audit_data *, int, rval_t *); 168 static void aus_shutdown(struct t_audit_data *); 169 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 170 static void aus_sockconfig(struct t_audit_data *); 171 static void auf_recv(struct t_audit_data *, int, rval_t *); 172 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 173 static void auf_send(struct t_audit_data *, int, rval_t *); 174 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 175 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 176 static void auf_sendto(struct t_audit_data *, int, rval_t *); 177 static void aus_socket(struct t_audit_data *); 178 /* 179 * This table contains mapping information for converting system call numbers 180 * to audit event IDs. In several cases it is necessary to map a single system 181 * call to several events. 182 */ 183 184 #define aui_null NULL /* NULL initialize function */ 185 #define aus_null NULL /* NULL start function */ 186 #define auf_null NULL /* NULL finish function */ 187 188 struct audit_s2e audit_s2e[] = 189 { 190 /* 191 * ---------- ---------- ---------- ---------- 192 * INITIAL AUDIT START SYSTEM 193 * PROCESSING EVENT PROCESSING CALL 194 * ---------- ---------- ---------- ----------- 195 * FINISH EVENT 196 * PROCESSING CONTROL 197 * ---------------------------------------------------------- 198 */ 199 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 200 auf_null, 0, 201 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 202 auf_null, S2E_NPT, 203 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 204 auf_null, 0, 205 aui_null, AUE_READ, aus_null, /* 3 read */ 206 auf_read, S2E_PUB, 207 aui_null, AUE_WRITE, aus_null, /* 4 write */ 208 auf_write, 0, 209 aui_open, AUE_OPEN, aus_open, /* 5 open */ 210 auf_null, S2E_SP, 211 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 212 auf_null, 0, 213 aui_null, AUE_NULL, aus_null, /* 7 (loadable) was wait */ 214 auf_null, 0, 215 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 216 auf_null, 0, 217 aui_null, AUE_LINK, aus_null, /* 9 link */ 218 auf_null, 0, 219 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 220 auf_null, 0, 221 aui_null, AUE_NULL, aus_null, /* 11 (loadable) was exec */ 222 auf_null, 0, 223 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 224 auf_null, S2E_SP, 225 aui_null, AUE_NULL, aus_null, /* 13 time */ 226 auf_null, 0, 227 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 228 auf_mknod, 0, 229 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 230 auf_null, 0, 231 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 232 auf_null, 0, 233 aui_null, AUE_NULL, aus_null, /* 17 brk */ 234 auf_null, 0, 235 aui_null, AUE_STAT, aus_null, /* 18 stat */ 236 auf_null, S2E_PUB, 237 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 238 auf_null, 0, 239 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 240 auf_null, 0, 241 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 242 auf_null, S2E_MLD, 243 aui_null, AUE_NULL, aus_null, /* 22 (loadable) was umount */ 244 auf_null, 0, 245 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 246 auf_null, 0, 247 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 248 auf_null, 0, 249 aui_null, AUE_STIME, aus_null, /* 25 stime */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 29 pause */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 264 auf_null, 0, 265 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 266 auf_null, S2E_PUB, 267 aui_null, AUE_NICE, aus_null, /* 34 nice */ 268 auf_null, 0, 269 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 270 auf_null, S2E_PUB, 271 aui_null, AUE_NULL, aus_null, /* 36 sync */ 272 auf_null, 0, 273 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 274 auf_null, 0, 275 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 276 auf_null, S2E_PUB, 277 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 282 auf_null, 0, 283 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 43 times */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 44 profil */ 288 auf_null, 0, 289 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 290 auf_null, S2E_PUB, 291 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 48 (loadable) was ssig */ 296 auf_null, 0, 297 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 298 auf_msgsys, 0, 299 #if defined(__x86) 300 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 301 auf_null, 0, 302 #else 303 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 304 auf_null, 0, 305 #endif /* __x86 */ 306 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 307 auf_null, 0, 308 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 309 auf_shmsys, 0, 310 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 311 auf_semsys, 0, 312 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 313 auf_null, 0, 314 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 315 auf_null, 0, 316 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 317 auf_null, 0, 318 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 319 auf_null, 0, 320 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 321 auf_null, 0, 322 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 323 auf_null, S2E_MLD, 324 aui_null, AUE_NULL, aus_null, /* 60 umask */ 325 auf_null, 0, 326 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 327 auf_null, S2E_SP, 328 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 331 auf_null, 0, 332 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 333 auf_null, 0, 334 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 335 auf_null, 0, 336 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 337 auf_null, S2E_PUB, 338 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 339 auf_null, S2E_PUB, 340 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 341 auf_null, S2E_SP, 342 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 343 auf_null, S2E_SP, 344 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 361 auf_null, 0, 362 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 363 auf_null, 0, 364 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 365 auf_null, 0, 366 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 367 auf_null, 0, 368 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 369 auf_null, 0, 370 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 373 auf_null, 0, 374 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 375 auf_null, 0, 376 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 379 auf_null, 0, 380 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 381 auf_null, S2E_PUB, 382 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 383 auf_null, 0, 384 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 387 auf_null, 0, 388 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 389 auf_null, 0, 390 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 391 auf_null, 0, 392 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 395 auf_null, 0, 396 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 101 (loadable) */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 409 auf_null, 0, 410 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 411 auf_null, S2E_PUB, 412 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 413 auf_null, 0, 414 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 415 auf_null, 0, 416 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 421 auf_null, 0, 422 #if defined(__x86) 423 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 424 auf_null, 0, 425 #else 426 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 427 auf_null, 0, 428 #endif /* __x86 */ 429 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 430 auf_null, 0, 431 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 432 auf_null, 0, 433 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 434 auf_null, 0, 435 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 436 auf_null, S2E_PUB, 437 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 438 auf_null, 0, 439 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 440 auf_null, 0, 441 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 442 auf_null, 0, 443 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 444 auf_null, 0, 445 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 446 auf_null, 0, 447 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 448 auf_null, 0, 449 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 450 auf_null, 0, 451 aui_null, AUE_READ, aus_null, /* 121 readv */ 452 auf_read, S2E_PUB, 453 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 454 auf_write, 0, 455 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 456 auf_null, 0, 457 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 458 auf_null, 0, 459 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 460 auf_null, 0, 461 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 462 auf_null, 0, 463 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 464 auf_null, 0, 465 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 466 auf_null, 0, 467 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 468 auf_null, 0, 469 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 470 auf_null, 0, 471 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 472 auf_null, 0, 473 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 474 auf_null, 0, 475 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 476 auf_null, 0, 477 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 478 auf_null, 0, 479 aui_null, AUE_NULL, aus_null, /* 135 uname */ 480 auf_null, 0, 481 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 482 auf_null, 0, 483 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 484 auf_null, 0, 485 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 486 auf_null, 0, 487 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 490 auf_null, 0, 491 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 492 auf_null, 0, 493 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 496 auf_null, 0, 497 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 498 auf_null, 0, 499 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 146 yield */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 504 /* was lwp_sema_wait */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 513 auf_null, 0, 514 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 515 auf_null, 0, 516 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 517 auf_null, 0, 518 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 519 auf_null, 0, 520 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 549 /* was lwp_mutex_lock */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 556 auf_null, 0, 557 aui_null, AUE_READ, aus_null, /* 173 pread */ 558 auf_read, S2E_PUB, 559 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 560 auf_write, 0, 561 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 562 auf_null, 0, 563 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 564 auf_null, 0, 565 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 566 auf_null, 0, 567 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 568 auf_null, 0, 569 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 570 auf_null, 0, 571 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 574 auf_null, 0, 575 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 576 auf_null, S2E_MLD, 577 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 578 auf_null, 0, 579 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 580 auf_null, 0, 581 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 582 auf_null, 0, 583 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 584 auf_null, 0, 585 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 586 auf_null, 0, 587 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 588 auf_null, 0, 589 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 590 auf_null, 0, 591 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 594 auf_null, 0, 595 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 610 auf_null, 0, 611 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 612 auf_null, 0, 613 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 614 auf_null, 0, 615 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 616 auf_null, 0, 617 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 618 auf_null, 0, 619 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 620 auf_null, 0, 621 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 622 auf_null, 0, 623 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 638 auf_null, 0, 639 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 640 auf_null, 0, 641 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 642 auf_null, S2E_PUB, 643 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 644 auf_null, S2E_PUB, 645 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 646 auf_null, 0, 647 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 650 auf_null, 0, 651 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 652 auf_null, 0, 653 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 654 auf_null, 0, 655 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 656 auf_read, S2E_PUB, 657 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 658 auf_write, 0, 659 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 660 auf_null, 0, 661 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 662 auf_null, S2E_SP, 663 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 664 auf_null, 0, 665 aui_null, AUE_NULL, aus_null, /* 227 zone */ 666 auf_null, 0, 667 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 668 auf_null, 0, 669 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 670 auf_null, 0, 671 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 674 auf_null, 0, 675 aui_null, AUE_BIND, aus_null, /* 232 bind */ 676 auf_bind, 0, 677 aui_null, AUE_NULL, aus_null, /* 233 listen */ 678 auf_null, 0, 679 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 680 auf_accept, 0, 681 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 682 auf_connect, 0, 683 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 684 auf_null, 0, 685 aui_null, AUE_READ, aus_null, /* 237 recv */ 686 auf_recv, 0, 687 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 688 auf_recvfrom, 0, 689 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 690 auf_recvmsg, 0, 691 aui_null, AUE_WRITE, aus_null, /* 240 send */ 692 auf_send, 0, 693 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 694 auf_sendmsg, 0, 695 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 696 auf_sendto, 0, 697 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 698 auf_null, 0, 699 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 700 auf_null, 0, 701 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 702 auf_null, 0, 703 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 704 auf_setsockopt, 0, 705 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 708 auf_null, 0, 709 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 710 auf_null, 0, 711 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 720 auf_null, 0, 721 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 722 auf_null, 0 723 }; 724 725 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 726 727 728 /* exit start function */ 729 /*ARGSUSED*/ 730 static void 731 aus_exit(struct t_audit_data *tad) 732 { 733 uint32_t rval; 734 struct a { 735 long rval; 736 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 737 738 rval = (uint32_t)uap->rval; 739 au_uwrite(au_to_arg32(1, "exit status", rval)); 740 } 741 742 /* acct start function */ 743 /*ARGSUSED*/ 744 static void 745 aus_acct(struct t_audit_data *tad) 746 { 747 klwp_t *clwp = ttolwp(curthread); 748 uintptr_t fname; 749 750 struct a { 751 long fname; /* char * */ 752 } *uap = (struct a *)clwp->lwp_ap; 753 754 fname = (uintptr_t)uap->fname; 755 756 if (fname == 0) 757 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 758 } 759 760 /* chown start function */ 761 /*ARGSUSED*/ 762 static void 763 aus_chown(struct t_audit_data *tad) 764 { 765 klwp_t *clwp = ttolwp(curthread); 766 uint32_t uid, gid; 767 768 struct a { 769 long fname; /* char * */ 770 long uid; 771 long gid; 772 } *uap = (struct a *)clwp->lwp_ap; 773 774 uid = (uint32_t)uap->uid; 775 gid = (uint32_t)uap->gid; 776 777 au_uwrite(au_to_arg32(2, "new file uid", uid)); 778 au_uwrite(au_to_arg32(3, "new file gid", gid)); 779 } 780 781 /* fchown start function */ 782 /*ARGSUSED*/ 783 static void 784 aus_fchown(struct t_audit_data *tad) 785 { 786 klwp_t *clwp = ttolwp(curthread); 787 uint32_t uid, gid, fd; 788 struct file *fp; 789 struct vnode *vp; 790 struct f_audit_data *fad; 791 792 struct a { 793 long fd; 794 long uid; 795 long gid; 796 } *uap = (struct a *)clwp->lwp_ap; 797 798 fd = (uint32_t)uap->fd; 799 uid = (uint32_t)uap->uid; 800 gid = (uint32_t)uap->gid; 801 802 au_uwrite(au_to_arg32(2, "new file uid", uid)); 803 au_uwrite(au_to_arg32(3, "new file gid", gid)); 804 805 /* 806 * convert file pointer to file descriptor 807 * Note: fd ref count incremented here. 808 */ 809 if ((fp = getf(fd)) == NULL) 810 return; 811 812 /* get path from file struct here */ 813 fad = F2A(fp); 814 if (fad->fad_aupath != NULL) { 815 au_uwrite(au_to_path(fad->fad_aupath)); 816 } else { 817 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 818 } 819 820 vp = fp->f_vnode; 821 audit_attributes(vp); 822 823 /* decrement file descriptor reference count */ 824 releasef(fd); 825 } 826 827 /*ARGSUSED*/ 828 static void 829 aus_lchown(struct t_audit_data *tad) 830 { 831 klwp_t *clwp = ttolwp(curthread); 832 uint32_t uid, gid; 833 834 835 struct a { 836 long fname; /* char * */ 837 long uid; 838 long gid; 839 } *uap = (struct a *)clwp->lwp_ap; 840 841 uid = (uint32_t)uap->uid; 842 gid = (uint32_t)uap->gid; 843 844 au_uwrite(au_to_arg32(2, "new file uid", uid)); 845 au_uwrite(au_to_arg32(3, "new file gid", gid)); 846 } 847 848 static au_event_t 849 aui_fchownat(au_event_t e) 850 { 851 klwp_t *clwp = ttolwp(curthread); 852 853 struct a { 854 long fd; 855 long fname; /* char * */ 856 long uid; 857 long gid; 858 long flags; 859 } *uap = (struct a *)clwp->lwp_ap; 860 861 if (uap->fname == NULL) 862 e = AUE_FCHOWN; 863 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 864 e = AUE_LCHOWN; 865 else 866 e = AUE_CHOWN; 867 868 return (e); 869 } 870 871 /*ARGSUSED*/ 872 static void 873 aus_fchownat(struct t_audit_data *tad) 874 { 875 klwp_t *clwp = ttolwp(curthread); 876 uint32_t uid, gid; 877 878 struct a { 879 long fd; 880 long fname; /* char * */ 881 long uid; 882 long gid; 883 long flags; 884 } *uap = (struct a *)clwp->lwp_ap; 885 886 uid = (uint32_t)uap->uid; 887 gid = (uint32_t)uap->gid; 888 889 au_uwrite(au_to_arg32(3, "new file uid", uid)); 890 au_uwrite(au_to_arg32(4, "new file gid", gid)); 891 } 892 893 /* chmod start function */ 894 /*ARGSUSED*/ 895 static void 896 aus_chmod(struct t_audit_data *tad) 897 { 898 klwp_t *clwp = ttolwp(curthread); 899 uint32_t fmode; 900 901 struct a { 902 long fname; /* char * */ 903 long fmode; 904 } *uap = (struct a *)clwp->lwp_ap; 905 906 fmode = (uint32_t)uap->fmode; 907 908 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 909 } 910 911 /* chmod start function */ 912 /*ARGSUSED*/ 913 static void 914 aus_fchmod(struct t_audit_data *tad) 915 { 916 klwp_t *clwp = ttolwp(curthread); 917 uint32_t fmode, fd; 918 struct file *fp; 919 struct vnode *vp; 920 struct f_audit_data *fad; 921 922 struct a { 923 long fd; 924 long fmode; 925 } *uap = (struct a *)clwp->lwp_ap; 926 927 fd = (uint32_t)uap->fd; 928 fmode = (uint32_t)uap->fmode; 929 930 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 931 932 /* 933 * convert file pointer to file descriptor 934 * Note: fd ref count incremented here. 935 */ 936 if ((fp = getf(fd)) == NULL) 937 return; 938 939 /* get path from file struct here */ 940 fad = F2A(fp); 941 if (fad->fad_aupath != NULL) { 942 au_uwrite(au_to_path(fad->fad_aupath)); 943 } else { 944 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 945 } 946 947 vp = fp->f_vnode; 948 audit_attributes(vp); 949 950 /* decrement file descriptor reference count */ 951 releasef(fd); 952 } 953 954 /* 955 * convert open mode to appropriate open event 956 */ 957 au_event_t 958 open_event(uint_t fm) 959 { 960 au_event_t e; 961 962 switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) { 963 case O_RDONLY: 964 e = AUE_OPEN_R; 965 break; 966 case O_RDONLY | O_CREAT: 967 e = AUE_OPEN_RC; 968 break; 969 case O_RDONLY | O_TRUNC: 970 e = AUE_OPEN_RT; 971 break; 972 case O_RDONLY | O_TRUNC | O_CREAT: 973 e = AUE_OPEN_RTC; 974 break; 975 case O_WRONLY: 976 e = AUE_OPEN_W; 977 break; 978 case O_WRONLY | O_CREAT: 979 e = AUE_OPEN_WC; 980 break; 981 case O_WRONLY | O_TRUNC: 982 e = AUE_OPEN_WT; 983 break; 984 case O_WRONLY | O_TRUNC | O_CREAT: 985 e = AUE_OPEN_WTC; 986 break; 987 case O_RDWR: 988 e = AUE_OPEN_RW; 989 break; 990 case O_RDWR | O_CREAT: 991 e = AUE_OPEN_RWC; 992 break; 993 case O_RDWR | O_TRUNC: 994 e = AUE_OPEN_RWT; 995 break; 996 case O_RDWR | O_TRUNC | O_CREAT: 997 e = AUE_OPEN_RWTC; 998 break; 999 default: 1000 e = AUE_NULL; 1001 break; 1002 } 1003 1004 return (e); 1005 } 1006 1007 /* ARGSUSED */ 1008 static au_event_t 1009 aui_open(au_event_t e) 1010 { 1011 klwp_t *clwp = ttolwp(curthread); 1012 uint_t fm; 1013 1014 struct a { 1015 long fnamep; /* char * */ 1016 long fmode; 1017 long cmode; 1018 } *uap = (struct a *)clwp->lwp_ap; 1019 1020 fm = (uint_t)uap->fmode; 1021 1022 return (open_event(fm)); 1023 } 1024 1025 static void 1026 aus_open(struct t_audit_data *tad) 1027 { 1028 klwp_t *clwp = ttolwp(curthread); 1029 uint_t fm; 1030 1031 struct a { 1032 long fnamep; /* char * */ 1033 long fmode; 1034 long cmode; 1035 } *uap = (struct a *)clwp->lwp_ap; 1036 1037 fm = (uint_t)uap->fmode; 1038 1039 /* If no write, create, or trunc modes, mark as a public op */ 1040 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1041 tad->tad_ctrl |= TAD_PUBLIC_EV; 1042 } 1043 1044 /* ARGSUSED */ 1045 static au_event_t 1046 aui_openat(au_event_t e) 1047 { 1048 t_audit_data_t *tad = T2A(curthread); 1049 klwp_t *clwp = ttolwp(curthread); 1050 uint_t fm; 1051 1052 struct a { 1053 long filedes; 1054 long fnamep; /* char * */ 1055 long fmode; 1056 long cmode; 1057 } *uap = (struct a *)clwp->lwp_ap; 1058 1059 fm = (uint_t)uap->fmode; 1060 1061 /* 1062 * __openattrdirat() does an extra pathname lookup in order to 1063 * enter the extended system attribute namespace of the referenced 1064 * extended attribute filename. 1065 */ 1066 if (fm & FXATTRDIROPEN) 1067 tad->tad_ctrl |= TAD_MLD; 1068 1069 return (open_event(fm)); 1070 } 1071 1072 static void 1073 aus_openat(struct t_audit_data *tad) 1074 { 1075 klwp_t *clwp = ttolwp(curthread); 1076 uint_t fm; 1077 1078 struct a { 1079 long filedes; 1080 long fnamep; /* char * */ 1081 long fmode; 1082 long cmode; 1083 } *uap = (struct a *)clwp->lwp_ap; 1084 1085 fm = (uint_t)uap->fmode; 1086 1087 /* If no write, create, or trunc modes, mark as a public op */ 1088 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1089 tad->tad_ctrl |= TAD_PUBLIC_EV; 1090 } 1091 1092 static au_event_t 1093 aui_unlinkat(au_event_t e) 1094 { 1095 klwp_t *clwp = ttolwp(curthread); 1096 1097 struct a { 1098 long filedes; 1099 long fnamep; /* char * */ 1100 long flags; 1101 } *uap = (struct a *)clwp->lwp_ap; 1102 1103 if (uap->flags & AT_REMOVEDIR) 1104 e = AUE_RMDIR; 1105 else 1106 e = AUE_UNLINK; 1107 1108 return (e); 1109 } 1110 1111 static au_event_t 1112 aui_fstatat(au_event_t e) 1113 { 1114 klwp_t *clwp = ttolwp(curthread); 1115 1116 struct a { 1117 long filedes; 1118 long fnamep; /* char * */ 1119 long statb; 1120 long flags; 1121 } *uap = (struct a *)clwp->lwp_ap; 1122 1123 if (uap->fnamep == NULL) 1124 e = AUE_FSTAT; 1125 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1126 e = AUE_LSTAT; 1127 else 1128 e = AUE_STAT; 1129 1130 return (e); 1131 } 1132 1133 /* msgsys */ 1134 static au_event_t 1135 aui_msgsys(au_event_t e) 1136 { 1137 klwp_t *clwp = ttolwp(curthread); 1138 uint_t fm; 1139 1140 struct a { 1141 long id; /* function code id */ 1142 long ap; /* arg pointer for recvmsg */ 1143 } *uap = (struct a *)clwp->lwp_ap; 1144 1145 struct b { 1146 long msgid; 1147 long cmd; 1148 long buf; /* struct msqid_ds * */ 1149 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1150 1151 fm = (uint_t)uap->id; 1152 1153 switch (fm) { 1154 case 0: /* msgget */ 1155 e = AUE_MSGGET; 1156 break; 1157 case 1: /* msgctl */ 1158 switch ((uint_t)uap1->cmd) { 1159 case IPC_RMID: 1160 e = AUE_MSGCTL_RMID; 1161 break; 1162 case IPC_SET: 1163 e = AUE_MSGCTL_SET; 1164 break; 1165 case IPC_STAT: 1166 e = AUE_MSGCTL_STAT; 1167 break; 1168 default: 1169 e = AUE_MSGCTL; 1170 break; 1171 } 1172 break; 1173 case 2: /* msgrcv */ 1174 e = AUE_MSGRCV; 1175 break; 1176 case 3: /* msgsnd */ 1177 e = AUE_MSGSND; 1178 break; 1179 default: /* illegal system call */ 1180 e = AUE_NULL; 1181 break; 1182 } 1183 1184 return (e); 1185 } 1186 1187 1188 /* shmsys */ 1189 static au_event_t 1190 aui_shmsys(au_event_t e) 1191 { 1192 klwp_t *clwp = ttolwp(curthread); 1193 int fm; 1194 1195 struct a { /* shmsys */ 1196 long id; /* function code id */ 1197 } *uap = (struct a *)clwp->lwp_ap; 1198 1199 struct b { /* ctrl */ 1200 long shmid; 1201 long cmd; 1202 long arg; /* struct shmid_ds * */ 1203 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1204 fm = (uint_t)uap->id; 1205 1206 switch (fm) { 1207 case 0: /* shmat */ 1208 e = AUE_SHMAT; 1209 break; 1210 case 1: /* shmctl */ 1211 switch ((uint_t)uap1->cmd) { 1212 case IPC_RMID: 1213 e = AUE_SHMCTL_RMID; 1214 break; 1215 case IPC_SET: 1216 e = AUE_SHMCTL_SET; 1217 break; 1218 case IPC_STAT: 1219 e = AUE_SHMCTL_STAT; 1220 break; 1221 default: 1222 e = AUE_SHMCTL; 1223 break; 1224 } 1225 break; 1226 case 2: /* shmdt */ 1227 e = AUE_SHMDT; 1228 break; 1229 case 3: /* shmget */ 1230 e = AUE_SHMGET; 1231 break; 1232 default: /* illegal system call */ 1233 e = AUE_NULL; 1234 break; 1235 } 1236 1237 return (e); 1238 } 1239 1240 1241 /* semsys */ 1242 static au_event_t 1243 aui_semsys(au_event_t e) 1244 { 1245 klwp_t *clwp = ttolwp(curthread); 1246 uint_t fm; 1247 1248 struct a { /* semsys */ 1249 long id; 1250 } *uap = (struct a *)clwp->lwp_ap; 1251 1252 struct b { /* ctrl */ 1253 long semid; 1254 long semnum; 1255 long cmd; 1256 long arg; 1257 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1258 1259 fm = (uint_t)uap->id; 1260 1261 switch (fm) { 1262 case 0: /* semctl */ 1263 switch ((uint_t)uap1->cmd) { 1264 case IPC_RMID: 1265 e = AUE_SEMCTL_RMID; 1266 break; 1267 case IPC_SET: 1268 e = AUE_SEMCTL_SET; 1269 break; 1270 case IPC_STAT: 1271 e = AUE_SEMCTL_STAT; 1272 break; 1273 case GETNCNT: 1274 e = AUE_SEMCTL_GETNCNT; 1275 break; 1276 case GETPID: 1277 e = AUE_SEMCTL_GETPID; 1278 break; 1279 case GETVAL: 1280 e = AUE_SEMCTL_GETVAL; 1281 break; 1282 case GETALL: 1283 e = AUE_SEMCTL_GETALL; 1284 break; 1285 case GETZCNT: 1286 e = AUE_SEMCTL_GETZCNT; 1287 break; 1288 case SETVAL: 1289 e = AUE_SEMCTL_SETVAL; 1290 break; 1291 case SETALL: 1292 e = AUE_SEMCTL_SETALL; 1293 break; 1294 default: 1295 e = AUE_SEMCTL; 1296 break; 1297 } 1298 break; 1299 case 1: /* semget */ 1300 e = AUE_SEMGET; 1301 break; 1302 case 2: /* semop */ 1303 e = AUE_SEMOP; 1304 break; 1305 default: /* illegal system call */ 1306 e = AUE_NULL; 1307 break; 1308 } 1309 1310 return (e); 1311 } 1312 1313 /* utssys - uname(2), ustat(2), fusers(2) */ 1314 static au_event_t 1315 aui_utssys(au_event_t e) 1316 { 1317 klwp_t *clwp = ttolwp(curthread); 1318 uint_t type; 1319 1320 struct a { 1321 union { 1322 long cbuf; /* char * */ 1323 long ubuf; /* struct stat * */ 1324 } ub; 1325 union { 1326 long mv; /* for USTAT */ 1327 long flags; /* for FUSERS */ 1328 } un; 1329 long type; 1330 long outbp; /* char * for FUSERS */ 1331 } *uap = (struct a *)clwp->lwp_ap; 1332 1333 type = (uint_t)uap->type; 1334 1335 if (type == UTS_FUSERS) 1336 return (e); 1337 else 1338 return ((au_event_t)AUE_NULL); 1339 } 1340 1341 static au_event_t 1342 aui_fcntl(au_event_t e) 1343 { 1344 klwp_t *clwp = ttolwp(curthread); 1345 uint_t cmd; 1346 1347 struct a { 1348 long fdes; 1349 long cmd; 1350 long arg; 1351 } *uap = (struct a *)clwp->lwp_ap; 1352 1353 cmd = (uint_t)uap->cmd; 1354 1355 switch (cmd) { 1356 case F_GETLK: 1357 case F_SETLK: 1358 case F_SETLKW: 1359 break; 1360 case F_SETFL: 1361 case F_GETFL: 1362 case F_GETFD: 1363 break; 1364 default: 1365 e = (au_event_t)AUE_NULL; 1366 break; 1367 } 1368 return ((au_event_t)e); 1369 } 1370 1371 /* null function for now */ 1372 static au_event_t 1373 aui_execve(au_event_t e) 1374 { 1375 return (e); 1376 } 1377 1378 /*ARGSUSED*/ 1379 static void 1380 aus_fcntl(struct t_audit_data *tad) 1381 { 1382 klwp_t *clwp = ttolwp(curthread); 1383 uint32_t cmd, fd, flags; 1384 struct file *fp; 1385 struct vnode *vp; 1386 struct f_audit_data *fad; 1387 1388 struct a { 1389 long fd; 1390 long cmd; 1391 long arg; 1392 } *uap = (struct a *)clwp->lwp_ap; 1393 1394 cmd = (uint32_t)uap->cmd; 1395 fd = (uint32_t)uap->fd; 1396 flags = (uint32_t)uap->arg; 1397 1398 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1399 1400 if (cmd == F_SETFL) 1401 au_uwrite(au_to_arg32(3, "flags", flags)); 1402 1403 /* 1404 * convert file pointer to file descriptor 1405 * Note: fd ref count incremented here. 1406 */ 1407 if ((fp = getf(fd)) == NULL) 1408 return; 1409 1410 /* get path from file struct here */ 1411 fad = F2A(fp); 1412 if (fad->fad_aupath != NULL) { 1413 au_uwrite(au_to_path(fad->fad_aupath)); 1414 } else { 1415 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1416 } 1417 1418 vp = fp->f_vnode; 1419 audit_attributes(vp); 1420 1421 /* decrement file descriptor reference count */ 1422 releasef(fd); 1423 } 1424 1425 /*ARGSUSED*/ 1426 static void 1427 aus_kill(struct t_audit_data *tad) 1428 { 1429 klwp_t *clwp = ttolwp(curthread); 1430 struct proc *p; 1431 uint32_t signo; 1432 uid_t uid, ruid; 1433 gid_t gid, rgid; 1434 pid_t pid; 1435 const auditinfo_addr_t *ainfo; 1436 cred_t *cr; 1437 1438 struct a { 1439 long pid; 1440 long signo; 1441 } *uap = (struct a *)clwp->lwp_ap; 1442 1443 pid = (pid_t)uap->pid; 1444 signo = (uint32_t)uap->signo; 1445 1446 au_uwrite(au_to_arg32(2, "signal", signo)); 1447 if (pid > 0) { 1448 mutex_enter(&pidlock); 1449 if (((p = prfind(pid)) == (struct proc *)0) || 1450 (p->p_stat == SIDL)) { 1451 mutex_exit(&pidlock); 1452 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1453 return; 1454 } 1455 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1456 mutex_exit(&pidlock); 1457 1458 mutex_enter(&p->p_crlock); 1459 crhold(cr = p->p_cred); 1460 mutex_exit(&p->p_crlock); 1461 mutex_exit(&p->p_lock); 1462 1463 ainfo = crgetauinfo(cr); 1464 if (ainfo == NULL) { 1465 crfree(cr); 1466 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1467 return; 1468 } 1469 1470 uid = crgetuid(cr); 1471 gid = crgetgid(cr); 1472 ruid = crgetruid(cr); 1473 rgid = crgetrgid(cr); 1474 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1475 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1476 1477 if (is_system_labeled()) 1478 au_uwrite(au_to_label(CR_SL(cr))); 1479 1480 crfree(cr); 1481 } 1482 else 1483 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1484 } 1485 1486 /*ARGSUSED*/ 1487 static void 1488 aus_mkdir(struct t_audit_data *tad) 1489 { 1490 klwp_t *clwp = ttolwp(curthread); 1491 uint32_t dmode; 1492 1493 struct a { 1494 long dirnamep; /* char * */ 1495 long dmode; 1496 } *uap = (struct a *)clwp->lwp_ap; 1497 1498 dmode = (uint32_t)uap->dmode; 1499 1500 au_uwrite(au_to_arg32(2, "mode", dmode)); 1501 } 1502 1503 /*ARGSUSED*/ 1504 static void 1505 aus_mknod(struct t_audit_data *tad) 1506 { 1507 klwp_t *clwp = ttolwp(curthread); 1508 uint32_t fmode; 1509 dev_t dev; 1510 1511 struct a { 1512 long pnamep; /* char * */ 1513 long fmode; 1514 long dev; 1515 } *uap = (struct a *)clwp->lwp_ap; 1516 1517 fmode = (uint32_t)uap->fmode; 1518 dev = (dev_t)uap->dev; 1519 1520 au_uwrite(au_to_arg32(2, "mode", fmode)); 1521 #ifdef _LP64 1522 au_uwrite(au_to_arg64(3, "dev", dev)); 1523 #else 1524 au_uwrite(au_to_arg32(3, "dev", dev)); 1525 #endif 1526 } 1527 1528 /*ARGSUSED*/ 1529 static void 1530 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1531 { 1532 klwp_t *clwp = ttolwp(curthread); 1533 vnode_t *dvp; 1534 caddr_t pnamep; 1535 1536 struct a { 1537 long pnamep; /* char * */ 1538 long fmode; 1539 long dev; 1540 } *uap = (struct a *)clwp->lwp_ap; 1541 1542 /* no error, then already path token in audit record */ 1543 if (error != EPERM) 1544 return; 1545 1546 /* not auditing this event, nothing then to do */ 1547 if (tad->tad_flag == 0) 1548 return; 1549 1550 /* do the lookup to force generation of path token */ 1551 pnamep = (caddr_t)uap->pnamep; 1552 tad->tad_ctrl |= TAD_NOATTRB; 1553 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1554 if (error == 0) 1555 VN_RELE(dvp); 1556 } 1557 1558 /*ARGSUSED*/ 1559 static void 1560 aus_mount(struct t_audit_data *tad) 1561 { /* AUS_START */ 1562 klwp_t *clwp = ttolwp(curthread); 1563 uint32_t flags; 1564 uintptr_t u_fstype, dataptr; 1565 STRUCT_DECL(nfs_args, nfsargs); 1566 size_t len; 1567 char *fstype, *hostname; 1568 1569 struct a { 1570 long spec; /* char * */ 1571 long dir; /* char * */ 1572 long flags; 1573 long fstype; /* char * */ 1574 long dataptr; /* char * */ 1575 long datalen; 1576 } *uap = (struct a *)clwp->lwp_ap; 1577 1578 u_fstype = (uintptr_t)uap->fstype; 1579 flags = (uint32_t)uap->flags; 1580 dataptr = (uintptr_t)uap->dataptr; 1581 1582 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1583 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1584 goto mount_free_fstype; 1585 1586 au_uwrite(au_to_arg32(3, "flags", flags)); 1587 au_uwrite(au_to_text(fstype)); 1588 1589 if (strncmp(fstype, "nfs", 3) == 0) { 1590 1591 STRUCT_INIT(nfsargs, get_udatamodel()); 1592 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1593 1594 if (copyin((caddr_t)dataptr, 1595 STRUCT_BUF(nfsargs), 1596 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1597 /* DEBUG debug_enter((char *)NULL); */ 1598 goto mount_free_fstype; 1599 } 1600 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1601 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1602 (caddr_t)hostname, 1603 MAXNAMELEN, &len)) { 1604 goto mount_free_hostname; 1605 } 1606 au_uwrite(au_to_text(hostname)); 1607 au_uwrite(au_to_arg32(3, "internal flags", 1608 (uint_t)STRUCT_FGET(nfsargs, flags))); 1609 1610 mount_free_hostname: 1611 kmem_free(hostname, MAXNAMELEN); 1612 } 1613 1614 mount_free_fstype: 1615 kmem_free(fstype, MAXNAMELEN); 1616 } /* AUS_MOUNT */ 1617 1618 static void 1619 aus_umount_path(caddr_t umount_dir) 1620 { 1621 char *dir_path; 1622 struct audit_path *path; 1623 size_t path_len, dir_len; 1624 1625 /* length alloc'd for two string pointers */ 1626 path_len = sizeof (struct audit_path) + sizeof (char *); 1627 path = kmem_alloc(path_len, KM_SLEEP); 1628 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1629 1630 if (copyinstr(umount_dir, (caddr_t)dir_path, 1631 MAXPATHLEN, &dir_len)) 1632 goto umount2_free_dir; 1633 1634 /* 1635 * the audit_path struct assumes that the buffer pointed to 1636 * by audp_sect[n] contains string 0 immediatedly followed 1637 * by string 1. 1638 */ 1639 path->audp_sect[0] = dir_path; 1640 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1641 path->audp_size = path_len; 1642 path->audp_ref = 1; /* not used */ 1643 path->audp_cnt = 1; /* one path string */ 1644 1645 au_uwrite(au_to_path(path)); 1646 1647 umount2_free_dir: 1648 kmem_free(dir_path, MAXPATHLEN); 1649 kmem_free(path, path_len); 1650 } 1651 1652 /*ARGSUSED*/ 1653 static void 1654 aus_umount2(struct t_audit_data *tad) 1655 { 1656 klwp_t *clwp = ttolwp(curthread); 1657 struct a { 1658 long dir; /* char * */ 1659 long flags; 1660 } *uap = (struct a *)clwp->lwp_ap; 1661 1662 aus_umount_path((caddr_t)uap->dir); 1663 1664 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1665 } 1666 1667 static void 1668 aus_msgsys(struct t_audit_data *tad) 1669 { 1670 klwp_t *clwp = ttolwp(curthread); 1671 uint32_t msgid; 1672 1673 struct b { 1674 long msgid; 1675 long cmd; 1676 long buf; /* struct msqid_ds * */ 1677 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1678 1679 msgid = (uint32_t)uap1->msgid; 1680 1681 1682 switch (tad->tad_event) { 1683 case AUE_MSGGET: /* msgget */ 1684 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1685 break; 1686 case AUE_MSGCTL: /* msgctl */ 1687 case AUE_MSGCTL_RMID: /* msgctl */ 1688 case AUE_MSGCTL_SET: /* msgctl */ 1689 case AUE_MSGCTL_STAT: /* msgctl */ 1690 case AUE_MSGRCV: /* msgrcv */ 1691 case AUE_MSGSND: /* msgsnd */ 1692 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1693 break; 1694 } 1695 } 1696 1697 /*ARGSUSED*/ 1698 static void 1699 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1700 { 1701 int id; 1702 1703 if (error != 0) 1704 return; 1705 if (tad->tad_event == AUE_MSGGET) { 1706 uint32_t scid; 1707 uint32_t sy_flags; 1708 1709 /* need to determine type of executing binary */ 1710 scid = tad->tad_scid; 1711 #ifdef _SYSCALL32_IMPL 1712 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1713 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1714 else 1715 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1716 #else 1717 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1718 #endif 1719 if (sy_flags == SE_32RVAL1) 1720 id = rval->r_val1; 1721 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1722 id = rval->r_val1; 1723 if (sy_flags == SE_64RVAL) 1724 id = (int)rval->r_vals; 1725 1726 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1727 } 1728 } 1729 1730 static void 1731 aus_semsys(struct t_audit_data *tad) 1732 { 1733 klwp_t *clwp = ttolwp(curthread); 1734 uint32_t semid; 1735 1736 struct b { /* ctrl */ 1737 long semid; 1738 long semnum; 1739 long cmd; 1740 long arg; 1741 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1742 1743 semid = (uint32_t)uap1->semid; 1744 1745 switch (tad->tad_event) { 1746 case AUE_SEMCTL_RMID: 1747 case AUE_SEMCTL_STAT: 1748 case AUE_SEMCTL_GETNCNT: 1749 case AUE_SEMCTL_GETPID: 1750 case AUE_SEMCTL_GETVAL: 1751 case AUE_SEMCTL_GETALL: 1752 case AUE_SEMCTL_GETZCNT: 1753 case AUE_SEMCTL_SET: 1754 case AUE_SEMCTL_SETVAL: 1755 case AUE_SEMCTL_SETALL: 1756 case AUE_SEMCTL: 1757 case AUE_SEMOP: 1758 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1759 break; 1760 case AUE_SEMGET: 1761 au_uwrite(au_to_arg32(1, "sem key", semid)); 1762 break; 1763 } 1764 } 1765 1766 /*ARGSUSED*/ 1767 static void 1768 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1769 { 1770 int id; 1771 1772 if (error != 0) 1773 return; 1774 if (tad->tad_event == AUE_SEMGET) { 1775 uint32_t scid; 1776 uint32_t sy_flags; 1777 1778 /* need to determine type of executing binary */ 1779 scid = tad->tad_scid; 1780 #ifdef _SYSCALL32_IMPL 1781 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1782 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1783 else 1784 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1785 #else 1786 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1787 #endif 1788 if (sy_flags == SE_32RVAL1) 1789 id = rval->r_val1; 1790 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1791 id = rval->r_val1; 1792 if (sy_flags == SE_64RVAL) 1793 id = (int)rval->r_vals; 1794 1795 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1796 } 1797 } 1798 1799 /*ARGSUSED*/ 1800 static void 1801 aus_close(struct t_audit_data *tad) 1802 { 1803 klwp_t *clwp = ttolwp(curthread); 1804 uint32_t fd; 1805 struct file *fp; 1806 struct f_audit_data *fad; 1807 struct vnode *vp; 1808 struct vattr attr; 1809 au_kcontext_t *kctx = GET_KCTX_PZ; 1810 1811 struct a { 1812 long i; 1813 } *uap = (struct a *)clwp->lwp_ap; 1814 1815 fd = (uint32_t)uap->i; 1816 1817 attr.va_mask = 0; 1818 au_uwrite(au_to_arg32(1, "fd", fd)); 1819 1820 /* 1821 * convert file pointer to file descriptor 1822 * Note: fd ref count incremented here. 1823 */ 1824 if ((fp = getf(fd)) == NULL) 1825 return; 1826 1827 fad = F2A(fp); 1828 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1829 if (fad->fad_aupath != NULL) { 1830 au_uwrite(au_to_path(fad->fad_aupath)); 1831 if ((vp = fp->f_vnode) != NULL) { 1832 attr.va_mask = AT_ALL; 1833 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1834 /* 1835 * When write was not used and the file can be 1836 * considered public, skip the audit. 1837 */ 1838 if (((fp->f_flag & FWRITE) == 0) && 1839 object_is_public(&attr)) { 1840 tad->tad_flag = 0; 1841 tad->tad_evmod = 0; 1842 /* free any residual audit data */ 1843 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 1844 releasef(fd); 1845 return; 1846 } 1847 au_uwrite(au_to_attr(&attr)); 1848 audit_sec_attributes(&(u_ad), vp); 1849 } 1850 } 1851 } 1852 1853 /* decrement file descriptor reference count */ 1854 releasef(fd); 1855 } 1856 1857 /*ARGSUSED*/ 1858 static void 1859 aus_fstatfs(struct t_audit_data *tad) 1860 { 1861 klwp_t *clwp = ttolwp(curthread); 1862 uint32_t fd; 1863 struct file *fp; 1864 struct vnode *vp; 1865 struct f_audit_data *fad; 1866 1867 struct a { 1868 long fd; 1869 long buf; /* struct statfs * */ 1870 } *uap = (struct a *)clwp->lwp_ap; 1871 1872 fd = (uint_t)uap->fd; 1873 1874 /* 1875 * convert file pointer to file descriptor 1876 * Note: fd ref count incremented here. 1877 */ 1878 if ((fp = getf(fd)) == NULL) 1879 return; 1880 1881 /* get path from file struct here */ 1882 fad = F2A(fp); 1883 if (fad->fad_aupath != NULL) { 1884 au_uwrite(au_to_path(fad->fad_aupath)); 1885 } else { 1886 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1887 } 1888 1889 vp = fp->f_vnode; 1890 audit_attributes(vp); 1891 1892 /* decrement file descriptor reference count */ 1893 releasef(fd); 1894 } 1895 1896 static au_event_t 1897 aui_setpgrp(au_event_t e) 1898 { 1899 klwp_t *clwp = ttolwp(curthread); 1900 int flag; 1901 1902 struct a { 1903 long flag; 1904 long pid; 1905 long pgid; 1906 } *uap = (struct a *)clwp->lwp_ap; 1907 1908 flag = (int)uap->flag; 1909 1910 1911 switch (flag) { 1912 1913 case 1: /* setpgrp() */ 1914 e = AUE_SETPGRP; 1915 break; 1916 1917 case 3: /* setsid() */ 1918 e = AUE_SETSID; 1919 break; 1920 1921 case 5: /* setpgid() */ 1922 e = AUE_SETPGID; 1923 break; 1924 1925 case 0: /* getpgrp() - not security relevant */ 1926 case 2: /* getsid() - not security relevant */ 1927 case 4: /* getpgid() - not security relevant */ 1928 e = AUE_NULL; 1929 break; 1930 1931 default: 1932 e = AUE_NULL; 1933 break; 1934 } 1935 1936 return (e); 1937 } 1938 1939 /*ARGSUSED*/ 1940 static void 1941 aus_setpgrp(struct t_audit_data *tad) 1942 { 1943 klwp_t *clwp = ttolwp(curthread); 1944 pid_t pgid; 1945 struct proc *p; 1946 uid_t uid, ruid; 1947 gid_t gid, rgid; 1948 pid_t pid; 1949 cred_t *cr; 1950 int flag; 1951 const auditinfo_addr_t *ainfo; 1952 1953 struct a { 1954 long flag; 1955 long pid; 1956 long pgid; 1957 } *uap = (struct a *)clwp->lwp_ap; 1958 1959 flag = (int)uap->flag; 1960 pid = (pid_t)uap->pid; 1961 pgid = (pid_t)uap->pgid; 1962 1963 1964 switch (flag) { 1965 1966 case 0: /* getpgrp() */ 1967 case 1: /* setpgrp() */ 1968 case 2: /* getsid() */ 1969 case 3: /* setsid() */ 1970 case 4: /* getpgid() */ 1971 break; 1972 1973 case 5: /* setpgid() */ 1974 1975 /* current process? */ 1976 if (pid == 0) { 1977 return; 1978 } 1979 1980 mutex_enter(&pidlock); 1981 p = prfind(pid); 1982 if (p == NULL || p->p_as == &kas || 1983 p->p_stat == SIDL || p->p_stat == SZOMB) { 1984 mutex_exit(&pidlock); 1985 return; 1986 } 1987 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1988 mutex_exit(&pidlock); 1989 1990 mutex_enter(&p->p_crlock); 1991 crhold(cr = p->p_cred); 1992 mutex_exit(&p->p_crlock); 1993 mutex_exit(&p->p_lock); 1994 1995 ainfo = crgetauinfo(cr); 1996 if (ainfo == NULL) { 1997 crfree(cr); 1998 return; 1999 } 2000 2001 uid = crgetuid(cr); 2002 gid = crgetgid(cr); 2003 ruid = crgetruid(cr); 2004 rgid = crgetrgid(cr); 2005 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2006 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2007 crfree(cr); 2008 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2009 break; 2010 2011 default: 2012 break; 2013 } 2014 } 2015 2016 2017 /*ARGSUSED*/ 2018 static void 2019 aus_setregid(struct t_audit_data *tad) 2020 { 2021 klwp_t *clwp = ttolwp(curthread); 2022 uint32_t rgid, egid; 2023 2024 struct a { 2025 long rgid; 2026 long egid; 2027 } *uap = (struct a *)clwp->lwp_ap; 2028 2029 rgid = (uint32_t)uap->rgid; 2030 egid = (uint32_t)uap->egid; 2031 2032 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2033 au_uwrite(au_to_arg32(2, "egid", egid)); 2034 } 2035 2036 /*ARGSUSED*/ 2037 static void 2038 aus_setgid(struct t_audit_data *tad) 2039 { 2040 klwp_t *clwp = ttolwp(curthread); 2041 uint32_t gid; 2042 2043 struct a { 2044 long gid; 2045 } *uap = (struct a *)clwp->lwp_ap; 2046 2047 gid = (uint32_t)uap->gid; 2048 2049 au_uwrite(au_to_arg32(1, "gid", gid)); 2050 } 2051 2052 2053 /*ARGSUSED*/ 2054 static void 2055 aus_setreuid(struct t_audit_data *tad) 2056 { 2057 klwp_t *clwp = ttolwp(curthread); 2058 uint32_t ruid, euid; 2059 2060 struct a { 2061 long ruid; 2062 long euid; 2063 } *uap = (struct a *)clwp->lwp_ap; 2064 2065 ruid = (uint32_t)uap->ruid; 2066 euid = (uint32_t)uap->euid; 2067 2068 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2069 au_uwrite(au_to_arg32(2, "euid", euid)); 2070 } 2071 2072 2073 /*ARGSUSED*/ 2074 static void 2075 aus_setuid(struct t_audit_data *tad) 2076 { 2077 klwp_t *clwp = ttolwp(curthread); 2078 uint32_t uid; 2079 2080 struct a { 2081 long uid; 2082 } *uap = (struct a *)clwp->lwp_ap; 2083 2084 uid = (uint32_t)uap->uid; 2085 2086 au_uwrite(au_to_arg32(1, "uid", uid)); 2087 } 2088 2089 /*ARGSUSED*/ 2090 static void 2091 aus_shmsys(struct t_audit_data *tad) 2092 { 2093 klwp_t *clwp = ttolwp(curthread); 2094 uint32_t id, cmd; 2095 2096 struct b { 2097 long id; 2098 long cmd; 2099 long buf; /* struct shmid_ds * */ 2100 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2101 2102 id = (uint32_t)uap1->id; 2103 cmd = (uint32_t)uap1->cmd; 2104 2105 switch (tad->tad_event) { 2106 case AUE_SHMGET: /* shmget */ 2107 au_uwrite(au_to_arg32(1, "shm key", id)); 2108 break; 2109 case AUE_SHMCTL: /* shmctl */ 2110 case AUE_SHMCTL_RMID: /* shmctl */ 2111 case AUE_SHMCTL_STAT: /* shmctl */ 2112 case AUE_SHMCTL_SET: /* shmctl */ 2113 au_uwrite(au_to_arg32(1, "shm ID", id)); 2114 break; 2115 case AUE_SHMDT: /* shmdt */ 2116 au_uwrite(au_to_arg32(1, "shm adr", id)); 2117 break; 2118 case AUE_SHMAT: /* shmat */ 2119 au_uwrite(au_to_arg32(1, "shm ID", id)); 2120 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2121 break; 2122 } 2123 } 2124 2125 /*ARGSUSED*/ 2126 static void 2127 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2128 { 2129 int id; 2130 2131 if (error != 0) 2132 return; 2133 if (tad->tad_event == AUE_SHMGET) { 2134 uint32_t scid; 2135 uint32_t sy_flags; 2136 2137 /* need to determine type of executing binary */ 2138 scid = tad->tad_scid; 2139 #ifdef _SYSCALL32_IMPL 2140 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2141 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2142 else 2143 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2144 #else 2145 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2146 #endif 2147 if (sy_flags == SE_32RVAL1) 2148 id = rval->r_val1; 2149 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2150 id = rval->r_val1; 2151 if (sy_flags == SE_64RVAL) 2152 id = (int)rval->r_vals; 2153 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2154 } 2155 } 2156 2157 2158 /*ARGSUSED*/ 2159 static void 2160 aus_ioctl(struct t_audit_data *tad) 2161 { 2162 klwp_t *clwp = ttolwp(curthread); 2163 struct file *fp; 2164 struct vnode *vp; 2165 struct f_audit_data *fad; 2166 uint32_t fd, cmd; 2167 uintptr_t cmarg; 2168 2169 /* XX64 */ 2170 struct a { 2171 long fd; 2172 long cmd; 2173 long cmarg; /* caddr_t */ 2174 } *uap = (struct a *)clwp->lwp_ap; 2175 2176 fd = (uint32_t)uap->fd; 2177 cmd = (uint32_t)uap->cmd; 2178 cmarg = (uintptr_t)uap->cmarg; 2179 2180 /* 2181 * convert file pointer to file descriptor 2182 * Note: fd ref count incremented here. 2183 */ 2184 if ((fp = getf(fd)) == NULL) { 2185 au_uwrite(au_to_arg32(1, "fd", fd)); 2186 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2187 #ifndef _LP64 2188 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2189 #else 2190 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2191 #endif 2192 return; 2193 } 2194 2195 /* get path from file struct here */ 2196 fad = F2A(fp); 2197 if (fad->fad_aupath != NULL) { 2198 au_uwrite(au_to_path(fad->fad_aupath)); 2199 } else { 2200 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2201 } 2202 2203 vp = fp->f_vnode; 2204 audit_attributes(vp); 2205 2206 /* decrement file descriptor reference count */ 2207 releasef(fd); 2208 2209 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2210 #ifndef _LP64 2211 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2212 #else 2213 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2214 #endif 2215 } 2216 2217 /* 2218 * null function for memcntl for now. We might want to limit memcntl() 2219 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2220 * require privileges. 2221 */ 2222 static au_event_t 2223 aui_memcntl(au_event_t e) 2224 { 2225 return (e); 2226 } 2227 2228 /*ARGSUSED*/ 2229 static au_event_t 2230 aui_privsys(au_event_t e) 2231 { 2232 klwp_t *clwp = ttolwp(curthread); 2233 2234 struct a { 2235 long opcode; 2236 } *uap = (struct a *)clwp->lwp_ap; 2237 2238 switch (uap->opcode) { 2239 case PRIVSYS_SETPPRIV: 2240 return (AUE_SETPPRIV); 2241 default: 2242 return (AUE_NULL); 2243 } 2244 } 2245 2246 /*ARGSUSED*/ 2247 static void 2248 aus_memcntl(struct t_audit_data *tad) 2249 { 2250 klwp_t *clwp = ttolwp(curthread); 2251 2252 struct a { 2253 long addr; 2254 long len; 2255 long cmd; 2256 long arg; 2257 long attr; 2258 long mask; 2259 } *uap = (struct a *)clwp->lwp_ap; 2260 2261 #ifdef _LP64 2262 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2263 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2264 #else 2265 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2266 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2267 #endif 2268 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2269 #ifdef _LP64 2270 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2271 #else 2272 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2273 #endif 2274 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2275 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2276 } 2277 2278 /*ARGSUSED*/ 2279 static void 2280 aus_mmap(struct t_audit_data *tad) 2281 { 2282 klwp_t *clwp = ttolwp(curthread); 2283 struct file *fp; 2284 struct f_audit_data *fad; 2285 struct vnode *vp; 2286 uint32_t fd; 2287 2288 struct a { 2289 long addr; 2290 long len; 2291 long prot; 2292 long flags; 2293 long fd; 2294 long pos; 2295 } *uap = (struct a *)clwp->lwp_ap; 2296 2297 fd = (uint32_t)uap->fd; 2298 2299 #ifdef _LP64 2300 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2301 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2302 #else 2303 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2304 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2305 #endif 2306 2307 if ((fp = getf(fd)) == NULL) { 2308 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2309 return; 2310 } 2311 2312 /* 2313 * Mark in the tad if write access is NOT requested... if 2314 * this is later detected (in audit_attributes) to be a 2315 * public object, the mmap event may be discarded. 2316 */ 2317 if (((uap->prot) & PROT_WRITE) == 0) { 2318 tad->tad_ctrl |= TAD_PUBLIC_EV; 2319 } 2320 2321 fad = F2A(fp); 2322 if (fad->fad_aupath != NULL) { 2323 au_uwrite(au_to_path(fad->fad_aupath)); 2324 } else { 2325 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2326 } 2327 2328 vp = (struct vnode *)fp->f_vnode; 2329 audit_attributes(vp); 2330 2331 /* mark READ/WRITE since we can't predict access */ 2332 if (uap->prot & PROT_READ) 2333 fad->fad_flags |= FAD_READ; 2334 if (uap->prot & PROT_WRITE) 2335 fad->fad_flags |= FAD_WRITE; 2336 2337 /* decrement file descriptor reference count */ 2338 releasef(fd); 2339 2340 } /* AUS_MMAP */ 2341 2342 2343 2344 2345 /*ARGSUSED*/ 2346 static void 2347 aus_munmap(struct t_audit_data *tad) 2348 { 2349 klwp_t *clwp = ttolwp(curthread); 2350 2351 struct a { 2352 long addr; 2353 long len; 2354 } *uap = (struct a *)clwp->lwp_ap; 2355 2356 #ifdef _LP64 2357 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2358 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2359 #else 2360 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2361 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2362 #endif 2363 2364 } /* AUS_MUNMAP */ 2365 2366 2367 2368 2369 2370 2371 2372 /*ARGSUSED*/ 2373 static void 2374 aus_priocntlsys(struct t_audit_data *tad) 2375 { 2376 klwp_t *clwp = ttolwp(curthread); 2377 2378 struct a { 2379 long pc_version; 2380 long psp; /* procset_t */ 2381 long cmd; 2382 long arg; 2383 } *uap = (struct a *)clwp->lwp_ap; 2384 2385 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2386 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2387 2388 } /* AUS_PRIOCNTLSYS */ 2389 2390 2391 /*ARGSUSED*/ 2392 static void 2393 aus_setegid(struct t_audit_data *tad) 2394 { 2395 klwp_t *clwp = ttolwp(curthread); 2396 uint32_t gid; 2397 2398 struct a { 2399 long gid; 2400 } *uap = (struct a *)clwp->lwp_ap; 2401 2402 gid = (uint32_t)uap->gid; 2403 2404 au_uwrite(au_to_arg32(1, "gid", gid)); 2405 } /* AUS_SETEGID */ 2406 2407 2408 2409 2410 /*ARGSUSED*/ 2411 static void 2412 aus_setgroups(struct t_audit_data *tad) 2413 { 2414 klwp_t *clwp = ttolwp(curthread); 2415 int i; 2416 int gidsetsize; 2417 uintptr_t gidset; 2418 gid_t *gidlist; 2419 2420 struct a { 2421 long gidsetsize; 2422 long gidset; 2423 } *uap = (struct a *)clwp->lwp_ap; 2424 2425 gidsetsize = (uint_t)uap->gidsetsize; 2426 gidset = (uintptr_t)uap->gidset; 2427 2428 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2429 return; 2430 if (gidsetsize != 0) { 2431 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2432 KM_SLEEP); 2433 if (copyin((caddr_t)gidset, gidlist, 2434 gidsetsize * sizeof (gid_t)) == 0) 2435 for (i = 0; i < gidsetsize; i++) 2436 au_uwrite(au_to_arg32(1, "setgroups", 2437 (uint32_t)gidlist[i])); 2438 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2439 } else 2440 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2441 2442 } /* AUS_SETGROUPS */ 2443 2444 2445 2446 2447 2448 /*ARGSUSED*/ 2449 static void 2450 aus_seteuid(struct t_audit_data *tad) 2451 { 2452 klwp_t *clwp = ttolwp(curthread); 2453 uint32_t uid; 2454 2455 struct a { 2456 long uid; 2457 } *uap = (struct a *)clwp->lwp_ap; 2458 2459 uid = (uint32_t)uap->uid; 2460 2461 au_uwrite(au_to_arg32(1, "euid", uid)); 2462 2463 } /* AUS_SETEUID */ 2464 2465 /*ARGSUSED*/ 2466 static void 2467 aus_putmsg(struct t_audit_data *tad) 2468 { 2469 klwp_t *clwp = ttolwp(curthread); 2470 uint32_t fd, pri; 2471 struct file *fp; 2472 struct f_audit_data *fad; 2473 2474 struct a { 2475 long fdes; 2476 long ctl; /* struct strbuf * */ 2477 long data; /* struct strbuf * */ 2478 long pri; 2479 } *uap = (struct a *)clwp->lwp_ap; 2480 2481 fd = (uint32_t)uap->fdes; 2482 pri = (uint32_t)uap->pri; 2483 2484 au_uwrite(au_to_arg32(1, "fd", fd)); 2485 2486 if ((fp = getf(fd)) != NULL) { 2487 fad = F2A(fp); 2488 2489 fad->fad_flags |= FAD_WRITE; 2490 2491 /* add path name to audit record */ 2492 if (fad->fad_aupath != NULL) { 2493 au_uwrite(au_to_path(fad->fad_aupath)); 2494 } 2495 audit_attributes(fp->f_vnode); 2496 2497 releasef(fd); 2498 } 2499 2500 au_uwrite(au_to_arg32(4, "pri", pri)); 2501 } 2502 2503 /*ARGSUSED*/ 2504 static void 2505 aus_putpmsg(struct t_audit_data *tad) 2506 { 2507 klwp_t *clwp = ttolwp(curthread); 2508 uint32_t fd, pri, flags; 2509 struct file *fp; 2510 struct f_audit_data *fad; 2511 2512 struct a { 2513 long fdes; 2514 long ctl; /* struct strbuf * */ 2515 long data; /* struct strbuf * */ 2516 long pri; 2517 long flags; 2518 } *uap = (struct a *)clwp->lwp_ap; 2519 2520 fd = (uint32_t)uap->fdes; 2521 pri = (uint32_t)uap->pri; 2522 flags = (uint32_t)uap->flags; 2523 2524 au_uwrite(au_to_arg32(1, "fd", fd)); 2525 2526 if ((fp = getf(fd)) != NULL) { 2527 fad = F2A(fp); 2528 2529 fad->fad_flags |= FAD_WRITE; 2530 2531 /* add path name to audit record */ 2532 if (fad->fad_aupath != NULL) { 2533 au_uwrite(au_to_path(fad->fad_aupath)); 2534 } 2535 audit_attributes(fp->f_vnode); 2536 2537 releasef(fd); 2538 } 2539 2540 2541 au_uwrite(au_to_arg32(4, "pri", pri)); 2542 au_uwrite(au_to_arg32(5, "flags", flags)); 2543 } 2544 2545 /*ARGSUSED*/ 2546 static void 2547 aus_getmsg(struct t_audit_data *tad) 2548 { 2549 klwp_t *clwp = ttolwp(curthread); 2550 uint32_t fd, pri; 2551 struct file *fp; 2552 struct f_audit_data *fad; 2553 2554 struct a { 2555 long fdes; 2556 long ctl; /* struct strbuf * */ 2557 long data; /* struct strbuf * */ 2558 long pri; 2559 } *uap = (struct a *)clwp->lwp_ap; 2560 2561 fd = (uint32_t)uap->fdes; 2562 pri = (uint32_t)uap->pri; 2563 2564 au_uwrite(au_to_arg32(1, "fd", fd)); 2565 2566 if ((fp = getf(fd)) != NULL) { 2567 fad = F2A(fp); 2568 2569 /* 2570 * read operation on this object 2571 */ 2572 fad->fad_flags |= FAD_READ; 2573 2574 /* add path name to audit record */ 2575 if (fad->fad_aupath != NULL) { 2576 au_uwrite(au_to_path(fad->fad_aupath)); 2577 } 2578 audit_attributes(fp->f_vnode); 2579 2580 releasef(fd); 2581 } 2582 2583 au_uwrite(au_to_arg32(4, "pri", pri)); 2584 } 2585 2586 /*ARGSUSED*/ 2587 static void 2588 aus_getpmsg(struct t_audit_data *tad) 2589 { 2590 klwp_t *clwp = ttolwp(curthread); 2591 uint32_t fd; 2592 struct file *fp; 2593 struct f_audit_data *fad; 2594 2595 struct a { 2596 long fdes; 2597 long ctl; /* struct strbuf * */ 2598 long data; /* struct strbuf * */ 2599 long pri; 2600 long flags; 2601 } *uap = (struct a *)clwp->lwp_ap; 2602 2603 fd = (uint32_t)uap->fdes; 2604 2605 au_uwrite(au_to_arg32(1, "fd", fd)); 2606 2607 if ((fp = getf(fd)) != NULL) { 2608 fad = F2A(fp); 2609 2610 /* 2611 * read operation on this object 2612 */ 2613 fad->fad_flags |= FAD_READ; 2614 2615 /* add path name to audit record */ 2616 if (fad->fad_aupath != NULL) { 2617 au_uwrite(au_to_path(fad->fad_aupath)); 2618 } 2619 audit_attributes(fp->f_vnode); 2620 2621 releasef(fd); 2622 } 2623 } 2624 2625 static au_event_t 2626 aui_labelsys(au_event_t e) 2627 { 2628 klwp_t *clwp = ttolwp(curthread); 2629 uint32_t code; 2630 uint32_t cmd; 2631 2632 struct a { 2633 long code; 2634 long cmd; 2635 } *uap = (struct a *)clwp->lwp_ap; 2636 2637 code = (uint32_t)uap->code; 2638 cmd = (uint32_t)uap->cmd; 2639 2640 /* not security relevant if not changing kernel cache */ 2641 if (cmd == TNDB_GET) 2642 return (AUE_NULL); 2643 2644 switch (code) { 2645 case TSOL_TNRH: 2646 e = AUE_LABELSYS_TNRH; 2647 break; 2648 case TSOL_TNRHTP: 2649 e = AUE_LABELSYS_TNRHTP; 2650 break; 2651 case TSOL_TNMLP: 2652 e = AUE_LABELSYS_TNMLP; 2653 break; 2654 default: 2655 e = AUE_NULL; 2656 break; 2657 } 2658 2659 return (e); 2660 2661 } 2662 2663 static void 2664 aus_labelsys(struct t_audit_data *tad) 2665 { 2666 klwp_t *clwp = ttolwp(curthread); 2667 uint32_t cmd; 2668 uintptr_t a2; 2669 2670 struct a { 2671 long code; 2672 long cmd; 2673 long a2; 2674 } *uap = (struct a *)clwp->lwp_ap; 2675 2676 cmd = (uint32_t)uap->cmd; 2677 a2 = (uintptr_t)uap->a2; 2678 2679 switch (tad->tad_event) { 2680 case AUE_LABELSYS_TNRH: 2681 { 2682 tsol_rhent_t *rhent; 2683 tnaddr_t *rh_addr; 2684 2685 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2686 2687 /* Remaining args don't apply for FLUSH, so skip */ 2688 if (cmd == TNDB_FLUSH) 2689 break; 2690 2691 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2692 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2693 kmem_free(rhent, sizeof (tsol_rhent_t)); 2694 return; 2695 } 2696 2697 rh_addr = &rhent->rh_address; 2698 if (rh_addr->ta_family == AF_INET) { 2699 struct in_addr *ipaddr; 2700 2701 ipaddr = &(rh_addr->ta_addr_v4); 2702 au_uwrite(au_to_in_addr(ipaddr)); 2703 } else if (rh_addr->ta_family == AF_INET6) { 2704 int32_t *ipaddr; 2705 2706 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2707 au_uwrite(au_to_in_addr_ex(ipaddr)); 2708 } 2709 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2710 2711 kmem_free(rhent, sizeof (tsol_rhent_t)); 2712 2713 break; 2714 } 2715 case AUE_LABELSYS_TNRHTP: 2716 { 2717 tsol_tpent_t *tpent; 2718 2719 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2720 2721 /* Remaining args don't apply for FLUSH, so skip */ 2722 if (cmd == TNDB_FLUSH) 2723 break; 2724 2725 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2726 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2727 kmem_free(tpent, sizeof (tsol_tpent_t)); 2728 return; 2729 } 2730 2731 /* Make sure that the template name is null-terminated. */ 2732 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2733 2734 au_uwrite(au_to_text(tpent->name)); 2735 kmem_free(tpent, sizeof (tsol_tpent_t)); 2736 2737 break; 2738 } 2739 case AUE_LABELSYS_TNMLP: 2740 { 2741 tsol_mlpent_t *mlpent; 2742 2743 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2744 2745 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2746 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2747 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2748 return; 2749 } 2750 2751 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2752 au_uwrite(au_to_text("shared")); 2753 } else { 2754 zone_t *zone; 2755 2756 zone = zone_find_by_id(mlpent->tsme_zoneid); 2757 if (zone != NULL) { 2758 au_uwrite(au_to_text(zone->zone_name)); 2759 zone_rele(zone); 2760 } 2761 } 2762 2763 /* Remaining args don't apply for FLUSH, so skip */ 2764 if (cmd == TNDB_FLUSH) { 2765 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2766 break; 2767 } 2768 2769 au_uwrite(au_to_arg32(2, "proto num", 2770 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2771 au_uwrite(au_to_arg32(2, "mlp_port", 2772 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2773 2774 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2775 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2776 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2777 2778 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2779 2780 break; 2781 } 2782 default: 2783 break; 2784 } 2785 } 2786 2787 2788 static au_event_t 2789 aui_auditsys(au_event_t e) 2790 { 2791 klwp_t *clwp = ttolwp(curthread); 2792 uint32_t code; 2793 2794 struct a { 2795 long code; 2796 long a1; 2797 long a2; 2798 long a3; 2799 long a4; 2800 long a5; 2801 long a6; 2802 long a7; 2803 } *uap = (struct a *)clwp->lwp_ap; 2804 2805 code = (uint32_t)uap->code; 2806 2807 switch (code) { 2808 2809 case BSM_GETAUID: 2810 e = AUE_GETAUID; 2811 break; 2812 case BSM_SETAUID: 2813 e = AUE_SETAUID; 2814 break; 2815 case BSM_GETAUDIT: 2816 e = AUE_GETAUDIT; 2817 break; 2818 case BSM_GETAUDIT_ADDR: 2819 e = AUE_GETAUDIT_ADDR; 2820 break; 2821 case BSM_SETAUDIT: 2822 e = AUE_SETAUDIT; 2823 break; 2824 case BSM_SETAUDIT_ADDR: 2825 e = AUE_SETAUDIT_ADDR; 2826 break; 2827 case BSM_AUDIT: 2828 e = AUE_AUDIT; 2829 break; 2830 case BSM_AUDITCTL: 2831 switch ((uint_t)uap->a1) { 2832 2833 case A_GETPOLICY: 2834 e = AUE_AUDITON_GPOLICY; 2835 break; 2836 case A_SETPOLICY: 2837 e = AUE_AUDITON_SPOLICY; 2838 break; 2839 case A_GETKMASK: 2840 e = AUE_AUDITON_GETKMASK; 2841 break; 2842 case A_SETKMASK: 2843 e = AUE_AUDITON_SETKMASK; 2844 break; 2845 case A_GETQCTRL: 2846 e = AUE_AUDITON_GQCTRL; 2847 break; 2848 case A_SETQCTRL: 2849 e = AUE_AUDITON_SQCTRL; 2850 break; 2851 case A_GETCWD: 2852 e = AUE_AUDITON_GETCWD; 2853 break; 2854 case A_GETCAR: 2855 e = AUE_AUDITON_GETCAR; 2856 break; 2857 case A_GETSTAT: 2858 e = AUE_AUDITON_GETSTAT; 2859 break; 2860 case A_SETSTAT: 2861 e = AUE_AUDITON_SETSTAT; 2862 break; 2863 case A_SETUMASK: 2864 e = AUE_AUDITON_SETUMASK; 2865 break; 2866 case A_SETSMASK: 2867 e = AUE_AUDITON_SETSMASK; 2868 break; 2869 case A_GETCOND: 2870 e = AUE_AUDITON_GETCOND; 2871 break; 2872 case A_SETCOND: 2873 e = AUE_AUDITON_SETCOND; 2874 break; 2875 case A_GETCLASS: 2876 e = AUE_AUDITON_GETCLASS; 2877 break; 2878 case A_SETCLASS: 2879 e = AUE_AUDITON_SETCLASS; 2880 break; 2881 default: 2882 e = AUE_NULL; 2883 break; 2884 } 2885 break; 2886 default: 2887 e = AUE_NULL; 2888 break; 2889 } 2890 2891 return (e); 2892 2893 } /* AUI_AUDITSYS */ 2894 2895 2896 static void 2897 aus_auditsys(struct t_audit_data *tad) 2898 { 2899 klwp_t *clwp = ttolwp(curthread); 2900 uintptr_t a1, a2; 2901 STRUCT_DECL(auditinfo, ainfo); 2902 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2903 au_evclass_map_t event; 2904 au_mask_t mask; 2905 int auditstate, policy; 2906 au_id_t auid; 2907 2908 2909 struct a { 2910 long code; 2911 long a1; 2912 long a2; 2913 long a3; 2914 long a4; 2915 long a5; 2916 long a6; 2917 long a7; 2918 } *uap = (struct a *)clwp->lwp_ap; 2919 2920 a1 = (uintptr_t)uap->a1; 2921 a2 = (uintptr_t)uap->a2; 2922 2923 switch (tad->tad_event) { 2924 case AUE_SETAUID: 2925 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2926 return; 2927 au_uwrite(au_to_arg32(2, "setauid", auid)); 2928 break; 2929 case AUE_SETAUDIT: 2930 STRUCT_INIT(ainfo, get_udatamodel()); 2931 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2932 STRUCT_SIZE(ainfo))) { 2933 return; 2934 } 2935 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2936 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2937 #ifdef _LP64 2938 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2939 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2940 #else 2941 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2942 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2943 #endif 2944 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2945 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2946 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2947 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2948 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2949 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2950 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2951 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2952 break; 2953 case AUE_SETAUDIT_ADDR: 2954 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2955 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2956 STRUCT_SIZE(ainfo_addr))) { 2957 return; 2958 } 2959 au_uwrite(au_to_arg32((char)1, "auid", 2960 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2961 #ifdef _LP64 2962 au_uwrite(au_to_arg64((char)1, "port", 2963 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2964 #else 2965 au_uwrite(au_to_arg32((char)1, "port", 2966 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2967 #endif 2968 au_uwrite(au_to_arg32((char)1, "type", 2969 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2970 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2971 AU_IPv4) { 2972 au_uwrite(au_to_in_addr( 2973 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2974 ai_termid.at_addr))); 2975 } else { 2976 au_uwrite(au_to_in_addr_ex( 2977 (int32_t *)STRUCT_FGETP(ainfo_addr, 2978 ai_termid.at_addr))); 2979 } 2980 au_uwrite(au_to_arg32((char)1, "as_success", 2981 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2982 au_uwrite(au_to_arg32((char)1, "as_failure", 2983 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2984 au_uwrite(au_to_arg32((char)1, "asid", 2985 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2986 break; 2987 case AUE_AUDITON_SETKMASK: 2988 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2989 return; 2990 au_uwrite(au_to_arg32( 2991 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2992 au_uwrite(au_to_arg32( 2993 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2994 break; 2995 case AUE_AUDITON_SPOLICY: 2996 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2997 return; 2998 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2999 break; 3000 case AUE_AUDITON_SQCTRL: { 3001 STRUCT_DECL(au_qctrl, qctrl); 3002 model_t model; 3003 3004 model = get_udatamodel(); 3005 STRUCT_INIT(qctrl, model); 3006 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3007 return; 3008 if (model == DATAMODEL_ILP32) { 3009 au_uwrite(au_to_arg32( 3010 3, "setqctrl:aq_hiwater", 3011 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3012 au_uwrite(au_to_arg32( 3013 3, "setqctrl:aq_lowater", 3014 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3015 au_uwrite(au_to_arg32( 3016 3, "setqctrl:aq_bufsz", 3017 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3018 au_uwrite(au_to_arg32( 3019 3, "setqctrl:aq_delay", 3020 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3021 } else { 3022 au_uwrite(au_to_arg64( 3023 3, "setqctrl:aq_hiwater", 3024 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3025 au_uwrite(au_to_arg64( 3026 3, "setqctrl:aq_lowater", 3027 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3028 au_uwrite(au_to_arg64( 3029 3, "setqctrl:aq_bufsz", 3030 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3031 au_uwrite(au_to_arg64( 3032 3, "setqctrl:aq_delay", 3033 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3034 } 3035 break; 3036 } 3037 case AUE_AUDITON_SETUMASK: 3038 STRUCT_INIT(ainfo, get_udatamodel()); 3039 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3040 STRUCT_SIZE(ainfo))) { 3041 return; 3042 } 3043 au_uwrite(au_to_arg32(3, "setumask:as_success", 3044 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3045 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3046 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3047 break; 3048 case AUE_AUDITON_SETSMASK: 3049 STRUCT_INIT(ainfo, get_udatamodel()); 3050 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3051 STRUCT_SIZE(ainfo))) { 3052 return; 3053 } 3054 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3055 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3056 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3057 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3058 break; 3059 case AUE_AUDITON_SETCOND: 3060 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3061 return; 3062 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3063 break; 3064 case AUE_AUDITON_SETCLASS: 3065 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3066 return; 3067 au_uwrite(au_to_arg32( 3068 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3069 au_uwrite(au_to_arg32( 3070 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3071 break; 3072 case AUE_GETAUID: 3073 case AUE_GETAUDIT: 3074 case AUE_GETAUDIT_ADDR: 3075 case AUE_AUDIT: 3076 case AUE_AUDITON_GPOLICY: 3077 case AUE_AUDITON_GQCTRL: 3078 case AUE_AUDITON_GETKMASK: 3079 case AUE_AUDITON_GETCWD: 3080 case AUE_AUDITON_GETCAR: 3081 case AUE_AUDITON_GETSTAT: 3082 case AUE_AUDITON_SETSTAT: 3083 case AUE_AUDITON_GETCOND: 3084 case AUE_AUDITON_GETCLASS: 3085 break; 3086 default: 3087 break; 3088 } 3089 3090 } /* AUS_AUDITSYS */ 3091 3092 3093 /* only audit privileged operations for systeminfo(2) system call */ 3094 static au_event_t 3095 aui_sysinfo(au_event_t e) 3096 { 3097 klwp_t *clwp = ttolwp(curthread); 3098 uint32_t command; 3099 3100 struct a { 3101 long command; 3102 long buf; /* char * */ 3103 long count; 3104 } *uap = (struct a *)clwp->lwp_ap; 3105 3106 command = (uint32_t)uap->command; 3107 3108 switch (command) { 3109 case SI_SET_HOSTNAME: 3110 case SI_SET_SRPC_DOMAIN: 3111 e = (au_event_t)AUE_SYSINFO; 3112 break; 3113 default: 3114 e = (au_event_t)AUE_NULL; 3115 break; 3116 } 3117 return (e); 3118 } 3119 3120 /*ARGSUSED*/ 3121 static void 3122 aus_sysinfo(struct t_audit_data *tad) 3123 { 3124 klwp_t *clwp = ttolwp(curthread); 3125 uint32_t command; 3126 size_t len, maxlen; 3127 char *name; 3128 uintptr_t buf; 3129 3130 struct a { 3131 long command; 3132 long buf; /* char * */ 3133 long count; 3134 } *uap = (struct a *)clwp->lwp_ap; 3135 3136 command = (uint32_t)uap->command; 3137 buf = (uintptr_t)uap->buf; 3138 3139 au_uwrite(au_to_arg32(1, "cmd", command)); 3140 3141 switch (command) { 3142 case SI_SET_HOSTNAME: 3143 { 3144 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3145 return; 3146 3147 maxlen = SYS_NMLN; 3148 name = kmem_alloc(maxlen, KM_SLEEP); 3149 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3150 break; 3151 3152 /* 3153 * Must be non-NULL string and string 3154 * must be less than SYS_NMLN chars. 3155 */ 3156 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3157 break; 3158 3159 au_uwrite(au_to_text(name)); 3160 break; 3161 } 3162 3163 case SI_SET_SRPC_DOMAIN: 3164 { 3165 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3166 return; 3167 3168 maxlen = SYS_NMLN; 3169 name = kmem_alloc(maxlen, KM_SLEEP); 3170 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3171 break; 3172 3173 /* 3174 * If string passed in is longer than length 3175 * allowed for domain name, fail. 3176 */ 3177 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3178 break; 3179 3180 au_uwrite(au_to_text(name)); 3181 break; 3182 } 3183 3184 default: 3185 return; 3186 } 3187 3188 kmem_free(name, maxlen); 3189 } 3190 3191 static au_event_t 3192 aui_modctl(au_event_t e) 3193 { 3194 klwp_t *clwp = ttolwp(curthread); 3195 uint_t cmd; 3196 3197 struct a { 3198 long cmd; 3199 } *uap = (struct a *)clwp->lwp_ap; 3200 3201 cmd = (uint_t)uap->cmd; 3202 3203 switch (cmd) { 3204 case MODLOAD: 3205 e = AUE_MODLOAD; 3206 break; 3207 case MODUNLOAD: 3208 e = AUE_MODUNLOAD; 3209 break; 3210 case MODADDMAJBIND: 3211 e = AUE_MODADDMAJ; 3212 break; 3213 case MODSETDEVPOLICY: 3214 e = AUE_MODDEVPLCY; 3215 break; 3216 case MODALLOCPRIV: 3217 e = AUE_MODADDPRIV; 3218 break; 3219 default: 3220 e = AUE_NULL; 3221 break; 3222 } 3223 return (e); 3224 } 3225 3226 3227 /*ARGSUSED*/ 3228 static void 3229 aus_modctl(struct t_audit_data *tad) 3230 { 3231 klwp_t *clwp = ttolwp(curthread); 3232 void *a = clwp->lwp_ap; 3233 uint_t use_path; 3234 3235 switch (tad->tad_event) { 3236 case AUE_MODLOAD: { 3237 typedef struct { 3238 long cmd; 3239 long use_path; 3240 long filename; /* char * */ 3241 } modloada_t; 3242 3243 char *filenamep; 3244 uintptr_t fname; 3245 extern char *default_path; 3246 3247 fname = (uintptr_t)((modloada_t *)a)->filename; 3248 use_path = (uint_t)((modloada_t *)a)->use_path; 3249 3250 /* space to hold path */ 3251 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3252 /* get string */ 3253 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3254 /* free allocated path */ 3255 kmem_free(filenamep, MOD_MAXPATH); 3256 return; 3257 } 3258 /* ensure it's null terminated */ 3259 filenamep[MOD_MAXPATH - 1] = 0; 3260 3261 if (use_path) 3262 au_uwrite(au_to_text(default_path)); 3263 au_uwrite(au_to_text(filenamep)); 3264 3265 /* release temporary memory */ 3266 kmem_free(filenamep, MOD_MAXPATH); 3267 break; 3268 } 3269 case AUE_MODUNLOAD: { 3270 typedef struct { 3271 long cmd; 3272 long id; 3273 } modunloada_t; 3274 3275 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3276 3277 au_uwrite(au_to_arg32(1, "id", id)); 3278 break; 3279 } 3280 case AUE_MODADDMAJ: { 3281 STRUCT_DECL(modconfig, mc); 3282 typedef struct { 3283 long cmd; 3284 long subcmd; 3285 long data; /* int * */ 3286 } modconfiga_t; 3287 3288 STRUCT_DECL(aliases, alias); 3289 caddr_t ap; 3290 int i, num_aliases; 3291 char *drvname, *mc_drvname; 3292 char *name; 3293 extern char *ddi_major_to_name(major_t); 3294 model_t model; 3295 3296 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3297 3298 model = get_udatamodel(); 3299 STRUCT_INIT(mc, model); 3300 /* sanitize buffer */ 3301 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3302 /* get user arguments */ 3303 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3304 STRUCT_SIZE(mc)) != 0) 3305 return; 3306 3307 mc_drvname = STRUCT_FGET(mc, drvname); 3308 if ((drvname = ddi_major_to_name( 3309 (major_t)STRUCT_FGET(mc, major))) != NULL && 3310 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3311 /* safety */ 3312 if (mc_drvname[0] != '\0') { 3313 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3314 au_uwrite(au_to_text(mc_drvname)); 3315 } 3316 /* drvname != NULL from test above */ 3317 au_uwrite(au_to_text(drvname)); 3318 return; 3319 } 3320 3321 if (mc_drvname[0] != '\0') { 3322 /* safety */ 3323 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3324 au_uwrite(au_to_text(mc_drvname)); 3325 } else 3326 au_uwrite(au_to_text("no drvname")); 3327 3328 num_aliases = STRUCT_FGET(mc, num_aliases); 3329 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3330 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3331 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3332 STRUCT_INIT(alias, model); 3333 for (i = 0; i < num_aliases; i++) { 3334 bzero((caddr_t)STRUCT_BUF(alias), 3335 STRUCT_SIZE(alias)); 3336 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3337 STRUCT_SIZE(alias)) != 0) 3338 break; 3339 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3340 MAXMODCONFNAME, NULL) != 0) { 3341 break; 3342 } 3343 3344 au_uwrite(au_to_text(name)); 3345 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3346 } 3347 kmem_free(name, MAXMODCONFNAME); 3348 break; 3349 } 3350 default: 3351 break; 3352 } 3353 } 3354 3355 3356 /*ARGSUSED*/ 3357 static void 3358 auf_accept( 3359 struct t_audit_data *tad, 3360 int error, 3361 rval_t *rval) 3362 { 3363 uint32_t scid; 3364 uint32_t sy_flags; 3365 int fd; 3366 struct sonode *so; 3367 char so_laddr[sizeof (struct sockaddr_in6)]; 3368 char so_faddr[sizeof (struct sockaddr_in6)]; 3369 int err; 3370 short so_family, so_type; 3371 int add_sock_token = 0; 3372 3373 /* need to determine type of executing binary */ 3374 scid = tad->tad_scid; 3375 #ifdef _SYSCALL32_IMPL 3376 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3377 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3378 else 3379 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3380 #else 3381 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3382 #endif 3383 if (sy_flags == SE_32RVAL1) 3384 fd = rval->r_val1; 3385 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3386 fd = rval->r_val1; 3387 if (sy_flags == SE_64RVAL) 3388 fd = (int)rval->r_vals; 3389 3390 if (error) { 3391 /* can't trust socket contents. Just return */ 3392 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3393 return; 3394 } 3395 3396 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3397 /* 3398 * not security relevant if doing a accept from non socket 3399 * so no extra tokens. Should probably turn off audit record 3400 * generation here. 3401 */ 3402 return; 3403 } 3404 3405 so_family = so->so_family; 3406 so_type = so->so_type; 3407 3408 switch (so_family) { 3409 case AF_INET: 3410 case AF_INET6: 3411 /* 3412 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3413 */ 3414 if (so->so_type == SOCK_STREAM) { 3415 socklen_t len; 3416 3417 bzero((void *)so_laddr, sizeof (so_laddr)); 3418 bzero((void *)so_faddr, sizeof (so_faddr)); 3419 3420 len = sizeof (so_laddr); 3421 (void) socket_getsockname(so, 3422 (struct sockaddr *)so_laddr, &len, CRED()); 3423 len = sizeof (so_faddr); 3424 (void) socket_getpeername(so, 3425 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3426 3427 add_sock_token = 1; 3428 } 3429 break; 3430 3431 default: 3432 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3433 break; 3434 } 3435 3436 releasef(fd); 3437 3438 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3439 3440 if (add_sock_token == 0) { 3441 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3442 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3443 return; 3444 } 3445 3446 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3447 3448 } 3449 3450 /*ARGSUSED*/ 3451 static void 3452 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3453 { 3454 struct a { 3455 long fd; 3456 long addr; 3457 long len; 3458 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3459 3460 struct sonode *so; 3461 char so_laddr[sizeof (struct sockaddr_in6)]; 3462 char so_faddr[sizeof (struct sockaddr_in6)]; 3463 int err, fd; 3464 socklen_t len; 3465 short so_family, so_type; 3466 int add_sock_token = 0; 3467 3468 fd = (int)uap->fd; 3469 3470 /* 3471 * bind failed, then nothing extra to add to audit record. 3472 */ 3473 if (error) { 3474 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3475 /* XXX may want to add failed address some day */ 3476 return; 3477 } 3478 3479 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3480 /* 3481 * not security relevant if doing a bind from non socket 3482 * so no extra tokens. Should probably turn off audit record 3483 * generation here. 3484 */ 3485 return; 3486 } 3487 3488 so_family = so->so_family; 3489 so_type = so->so_type; 3490 3491 switch (so_family) { 3492 case AF_INET: 3493 case AF_INET6: 3494 3495 bzero(so_faddr, sizeof (so_faddr)); 3496 len = sizeof (so_faddr); 3497 3498 (void) socket_getpeername(so, 3499 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3500 add_sock_token = 1; 3501 3502 break; 3503 3504 case AF_UNIX: 3505 /* token added by lookup */ 3506 break; 3507 default: 3508 /* AF_ROUTE, AF_KEY do not support accept */ 3509 break; 3510 } 3511 3512 releasef(fd); 3513 3514 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3515 3516 if (add_sock_token == 0) { 3517 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3518 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3519 return; 3520 } 3521 3522 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3523 3524 } 3525 3526 /*ARGSUSED*/ 3527 static void 3528 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3529 { 3530 struct a { 3531 long fd; 3532 long addr; 3533 long len; 3534 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3535 3536 struct sonode *so; 3537 char so_laddr[sizeof (struct sockaddr_in6)]; 3538 char so_faddr[sizeof (struct sockaddr_in6)]; 3539 int err, fd; 3540 socklen_t len; 3541 short so_family, so_type; 3542 int add_sock_token = 0; 3543 3544 fd = (int)uap->fd; 3545 3546 3547 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3548 /* 3549 * not security relevant if doing a connect from non socket 3550 * so no extra tokens. Should probably turn off audit record 3551 * generation here. 3552 */ 3553 return; 3554 } 3555 3556 so_family = so->so_family; 3557 so_type = so->so_type; 3558 3559 switch (so_family) { 3560 case AF_INET: 3561 case AF_INET6: 3562 3563 bzero(so_laddr, sizeof (so_laddr)); 3564 bzero(so_faddr, sizeof (so_faddr)); 3565 3566 len = sizeof (so_laddr); 3567 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3568 &len, CRED()); 3569 if (error) { 3570 if (uap->addr == NULL) 3571 break; 3572 if (uap->len <= 0) 3573 break; 3574 len = min(uap->len, sizeof (so_faddr)); 3575 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3576 break; 3577 #ifdef NOTYET 3578 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3579 #endif 3580 } else { 3581 /* sanity check on length */ 3582 len = sizeof (so_faddr); 3583 (void) socket_getpeername(so, 3584 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3585 } 3586 3587 add_sock_token = 1; 3588 3589 break; 3590 3591 case AF_UNIX: 3592 /* does a lookup on name */ 3593 break; 3594 3595 default: 3596 /* AF_ROUTE, AF_KEY do not support accept */ 3597 break; 3598 } 3599 3600 releasef(fd); 3601 3602 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3603 3604 if (add_sock_token == 0) { 3605 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3606 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3607 return; 3608 } 3609 3610 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3611 3612 } 3613 3614 /*ARGSUSED*/ 3615 static void 3616 aus_shutdown(struct t_audit_data *tad) 3617 { 3618 struct a { 3619 long fd; 3620 long how; 3621 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3622 3623 struct sonode *so; 3624 char so_laddr[sizeof (struct sockaddr_in6)]; 3625 char so_faddr[sizeof (struct sockaddr_in6)]; 3626 int err, fd; 3627 socklen_t len; 3628 short so_family, so_type; 3629 int add_sock_token = 0; 3630 file_t *fp; /* unix domain sockets */ 3631 struct f_audit_data *fad; /* unix domain sockets */ 3632 3633 fd = (int)uap->fd; 3634 3635 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3636 /* 3637 * not security relevant if doing a shutdown using non socket 3638 * so no extra tokens. Should probably turn off audit record 3639 * generation here. 3640 */ 3641 return; 3642 } 3643 3644 so_family = so->so_family; 3645 so_type = so->so_type; 3646 3647 switch (so_family) { 3648 case AF_INET: 3649 case AF_INET6: 3650 3651 bzero(so_laddr, sizeof (so_laddr)); 3652 bzero(so_faddr, sizeof (so_faddr)); 3653 3654 len = sizeof (so_laddr); 3655 (void) socket_getsockname(so, 3656 (struct sockaddr *)so_laddr, &len, CRED()); 3657 len = sizeof (so_faddr); 3658 (void) socket_getpeername(so, 3659 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3660 3661 add_sock_token = 1; 3662 3663 break; 3664 3665 case AF_UNIX: 3666 3667 /* get path from file struct here */ 3668 fad = F2A(fp); 3669 ASSERT(fad); 3670 3671 if (fad->fad_aupath != NULL) { 3672 au_uwrite(au_to_path(fad->fad_aupath)); 3673 } else { 3674 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3675 } 3676 3677 audit_attributes(fp->f_vnode); 3678 3679 break; 3680 3681 default: 3682 /* 3683 * AF_KEY and AF_ROUTE support shutdown. No socket token 3684 * added. 3685 */ 3686 break; 3687 } 3688 3689 releasef(fd); 3690 3691 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3692 3693 if (add_sock_token == 0) { 3694 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3695 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3696 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3697 return; 3698 } 3699 3700 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3701 3702 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3703 3704 } 3705 3706 /*ARGSUSED*/ 3707 static void 3708 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3709 { 3710 struct a { 3711 long fd; 3712 long level; 3713 long optname; 3714 long *optval; 3715 long optlen; 3716 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3717 3718 struct sonode *so; 3719 char so_laddr[sizeof (struct sockaddr_in6)]; 3720 char so_faddr[sizeof (struct sockaddr_in6)]; 3721 char val[AU_BUFSIZE]; 3722 int err, fd; 3723 socklen_t len; 3724 short so_family, so_type; 3725 int add_sock_token = 0; 3726 file_t *fp; /* unix domain sockets */ 3727 struct f_audit_data *fad; /* unix domain sockets */ 3728 3729 fd = (int)uap->fd; 3730 3731 if (error) { 3732 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3733 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3734 /* XXX may want to include other arguments */ 3735 return; 3736 } 3737 3738 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3739 /* 3740 * not security relevant if doing a setsockopt from non socket 3741 * so no extra tokens. Should probably turn off audit record 3742 * generation here. 3743 */ 3744 return; 3745 } 3746 3747 so_family = so->so_family; 3748 so_type = so->so_type; 3749 3750 switch (so_family) { 3751 case AF_INET: 3752 case AF_INET6: 3753 bzero((void *)so_laddr, sizeof (so_laddr)); 3754 bzero((void *)so_faddr, sizeof (so_faddr)); 3755 3756 /* get local and foreign addresses */ 3757 len = sizeof (so_laddr); 3758 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3759 &len, CRED()); 3760 len = sizeof (so_faddr); 3761 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3762 &len, B_FALSE, CRED()); 3763 3764 add_sock_token = 1; 3765 3766 break; 3767 3768 case AF_UNIX: 3769 3770 /* get path from file struct here */ 3771 fad = F2A(fp); 3772 ASSERT(fad); 3773 3774 if (fad->fad_aupath != NULL) { 3775 au_uwrite(au_to_path(fad->fad_aupath)); 3776 } else { 3777 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3778 } 3779 3780 audit_attributes(fp->f_vnode); 3781 3782 break; 3783 3784 default: 3785 /* 3786 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3787 * added. 3788 */ 3789 break; 3790 } 3791 3792 releasef(fd); 3793 3794 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3795 3796 if (add_sock_token == 0) { 3797 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3798 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3799 } 3800 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3801 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3802 3803 bzero(val, sizeof (val)); 3804 len = min(uap->optlen, sizeof (val)); 3805 if ((len > 0) && 3806 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3807 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3808 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3809 } 3810 3811 if (add_sock_token == 0) 3812 return; 3813 3814 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3815 3816 } 3817 3818 /*ARGSUSED*/ 3819 static void 3820 aus_sockconfig(tad) 3821 struct t_audit_data *tad; 3822 { 3823 struct a { 3824 long cmd; 3825 long arg1; 3826 long arg2; 3827 long arg3; 3828 long arg4; 3829 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3830 3831 char *buf; 3832 int buflen; 3833 size_t size; 3834 3835 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 3836 switch (uap->cmd) { 3837 case SOCKCONFIG_ADD_SOCK: 3838 case SOCKCONFIG_REMOVE_SOCK: 3839 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1)); 3840 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2)); 3841 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3)); 3842 3843 if (uap->arg4 == 0) { 3844 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0)); 3845 } else { 3846 buflen = MAXPATHLEN + 1; 3847 buf = kmem_alloc(buflen, KM_SLEEP); 3848 if (copyinstr((caddr_t)uap->arg4, buf, buflen, 3849 &size)) { 3850 kmem_free(buf, buflen); 3851 return; 3852 } 3853 3854 if (size > MAXPATHLEN) { 3855 kmem_free(buf, buflen); 3856 return; 3857 } 3858 3859 au_uwrite(au_to_text(buf)); 3860 kmem_free(buf, buflen); 3861 } 3862 break; 3863 case SOCKCONFIG_ADD_FILTER: 3864 case SOCKCONFIG_REMOVE_FILTER: 3865 buflen = FILNAME_MAX; 3866 buf = kmem_alloc(buflen, KM_SLEEP); 3867 3868 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) { 3869 kmem_free(buf, buflen); 3870 return; 3871 } 3872 3873 au_uwrite(au_to_text(buf)); 3874 kmem_free(buf, buflen); 3875 break; 3876 default: 3877 break; 3878 } 3879 } 3880 3881 /* 3882 * only audit recvmsg when the system call represents the creation of a new 3883 * circuit. This effectively occurs for all UDP packets and may occur for 3884 * special TCP situations where the local host has not set a local address 3885 * in the socket structure. 3886 */ 3887 /*ARGSUSED*/ 3888 static void 3889 auf_recvmsg( 3890 struct t_audit_data *tad, 3891 int error, 3892 rval_t *rvp) 3893 { 3894 struct a { 3895 long fd; 3896 long msg; /* struct msghdr */ 3897 long flags; 3898 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3899 3900 struct sonode *so; 3901 STRUCT_DECL(msghdr, msg); 3902 caddr_t msg_name; 3903 socklen_t msg_namelen; 3904 int fd; 3905 int err; 3906 char so_laddr[sizeof (struct sockaddr_in6)]; 3907 char so_faddr[sizeof (struct sockaddr_in6)]; 3908 socklen_t len; 3909 file_t *fp; /* unix domain sockets */ 3910 struct f_audit_data *fad; /* unix domain sockets */ 3911 short so_family, so_type; 3912 int add_sock_token = 0; 3913 au_kcontext_t *kctx = GET_KCTX_PZ; 3914 3915 fd = (int)uap->fd; 3916 3917 /* bail if an error */ 3918 if (error) { 3919 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3920 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3921 return; 3922 } 3923 3924 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3925 /* 3926 * not security relevant if doing a recvmsg from non socket 3927 * so no extra tokens. Should probably turn off audit record 3928 * generation here. 3929 */ 3930 return; 3931 } 3932 3933 so_family = so->so_family; 3934 so_type = so->so_type; 3935 3936 /* 3937 * only putout SOCKET_EX token if INET/INET6 family. 3938 * XXX - what do we do about other families? 3939 */ 3940 3941 switch (so_family) { 3942 case AF_INET: 3943 case AF_INET6: 3944 3945 /* 3946 * if datagram type socket, then just use what is in 3947 * socket structure for local address. 3948 * XXX - what do we do for other types? 3949 */ 3950 if ((so->so_type == SOCK_DGRAM) || 3951 (so->so_type == SOCK_RAW)) { 3952 add_sock_token = 1; 3953 3954 bzero((void *)so_laddr, sizeof (so_laddr)); 3955 bzero((void *)so_faddr, sizeof (so_faddr)); 3956 3957 /* get local address */ 3958 len = sizeof (so_laddr); 3959 (void) socket_getsockname(so, 3960 (struct sockaddr *)so_laddr, &len, CRED()); 3961 3962 /* get peer address */ 3963 STRUCT_INIT(msg, get_udatamodel()); 3964 3965 if (copyin((caddr_t)(uap->msg), 3966 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3967 break; 3968 } 3969 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3970 if (msg_name == NULL) { 3971 break; 3972 } 3973 3974 /* length is value from recvmsg - sanity check */ 3975 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3976 if (msg_namelen == 0) { 3977 break; 3978 } 3979 if (copyin(msg_name, so_faddr, 3980 sizeof (so_faddr)) != 0) { 3981 break; 3982 } 3983 3984 } else if (so->so_type == SOCK_STREAM) { 3985 3986 /* get path from file struct here */ 3987 fad = F2A(fp); 3988 ASSERT(fad); 3989 3990 /* 3991 * already processed this file for read attempt 3992 */ 3993 if (fad->fad_flags & FAD_READ) { 3994 /* don't want to audit every recvmsg attempt */ 3995 tad->tad_flag = 0; 3996 /* free any residual audit data */ 3997 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 3998 releasef(fd); 3999 return; 4000 } 4001 /* 4002 * mark things so we know what happened and don't 4003 * repeat things 4004 */ 4005 fad->fad_flags |= FAD_READ; 4006 4007 bzero((void *)so_laddr, sizeof (so_laddr)); 4008 bzero((void *)so_faddr, sizeof (so_faddr)); 4009 4010 /* get local and foreign addresses */ 4011 len = sizeof (so_laddr); 4012 (void) socket_getsockname(so, 4013 (struct sockaddr *)so_laddr, &len, CRED()); 4014 len = sizeof (so_faddr); 4015 (void) socket_getpeername(so, 4016 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4017 4018 add_sock_token = 1; 4019 } 4020 4021 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4022 4023 break; 4024 4025 case AF_UNIX: 4026 /* 4027 * first check if this is first time through. Too much 4028 * duplicate code to put this in an aui_ routine. 4029 */ 4030 4031 /* get path from file struct here */ 4032 fad = F2A(fp); 4033 ASSERT(fad); 4034 4035 /* 4036 * already processed this file for read attempt 4037 */ 4038 if (fad->fad_flags & FAD_READ) { 4039 releasef(fd); 4040 /* don't want to audit every recvmsg attempt */ 4041 tad->tad_flag = 0; 4042 /* free any residual audit data */ 4043 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4044 return; 4045 } 4046 /* 4047 * mark things so we know what happened and don't 4048 * repeat things 4049 */ 4050 fad->fad_flags |= FAD_READ; 4051 4052 if (fad->fad_aupath != NULL) { 4053 au_uwrite(au_to_path(fad->fad_aupath)); 4054 } else { 4055 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4056 } 4057 4058 audit_attributes(fp->f_vnode); 4059 4060 releasef(fd); 4061 4062 return; 4063 4064 default: 4065 break; 4066 4067 } 4068 4069 releasef(fd); 4070 4071 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4072 4073 if (add_sock_token == 0) { 4074 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4075 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4076 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4077 return; 4078 } 4079 4080 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4081 4082 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4083 4084 } 4085 4086 /*ARGSUSED*/ 4087 static void 4088 auf_recvfrom( 4089 struct t_audit_data *tad, 4090 int error, 4091 rval_t *rvp) 4092 { 4093 4094 struct a { 4095 long fd; 4096 long msg; /* char */ 4097 long len; 4098 long flags; 4099 long from; /* struct sockaddr */ 4100 long fromlen; 4101 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4102 4103 socklen_t fromlen; 4104 struct sonode *so; 4105 char so_laddr[sizeof (struct sockaddr_in6)]; 4106 char so_faddr[sizeof (struct sockaddr_in6)]; 4107 int fd; 4108 short so_family, so_type; 4109 int add_sock_token = 0; 4110 socklen_t len; 4111 int err; 4112 struct file *fp; 4113 struct f_audit_data *fad; /* unix domain sockets */ 4114 au_kcontext_t *kctx = GET_KCTX_PZ; 4115 4116 fd = (int)uap->fd; 4117 4118 /* bail if an error */ 4119 if (error) { 4120 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4121 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4122 return; 4123 } 4124 4125 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4126 /* 4127 * not security relevant if doing a recvmsg from non socket 4128 * so no extra tokens. Should probably turn off audit record 4129 * generation here. 4130 */ 4131 return; 4132 } 4133 4134 so_family = so->so_family; 4135 so_type = so->so_type; 4136 4137 /* 4138 * only putout SOCKET_EX token if INET/INET6 family. 4139 * XXX - what do we do about other families? 4140 */ 4141 4142 switch (so_family) { 4143 case AF_INET: 4144 case AF_INET6: 4145 4146 /* 4147 * if datagram type socket, then just use what is in 4148 * socket structure for local address. 4149 * XXX - what do we do for other types? 4150 */ 4151 if ((so->so_type == SOCK_DGRAM) || 4152 (so->so_type == SOCK_RAW)) { 4153 add_sock_token = 1; 4154 4155 /* get local address */ 4156 len = sizeof (so_laddr); 4157 (void) socket_getsockname(so, 4158 (struct sockaddr *)so_laddr, &len, CRED()); 4159 4160 /* get peer address */ 4161 bzero((void *)so_faddr, sizeof (so_faddr)); 4162 4163 /* sanity check */ 4164 if (uap->from == NULL) 4165 break; 4166 4167 /* sanity checks */ 4168 if (uap->fromlen == 0) 4169 break; 4170 4171 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4172 sizeof (fromlen)) != 0) 4173 break; 4174 4175 if (fromlen == 0) 4176 break; 4177 4178 /* enforce maximum size */ 4179 if (fromlen > sizeof (so_faddr)) 4180 fromlen = sizeof (so_faddr); 4181 4182 if (copyin((caddr_t)(uap->from), so_faddr, 4183 fromlen) != 0) 4184 break; 4185 4186 } else if (so->so_type == SOCK_STREAM) { 4187 4188 /* get path from file struct here */ 4189 fad = F2A(fp); 4190 ASSERT(fad); 4191 4192 /* 4193 * already processed this file for read attempt 4194 */ 4195 if (fad->fad_flags & FAD_READ) { 4196 /* don't want to audit every recvfrom attempt */ 4197 tad->tad_flag = 0; 4198 /* free any residual audit data */ 4199 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4200 releasef(fd); 4201 return; 4202 } 4203 /* 4204 * mark things so we know what happened and don't 4205 * repeat things 4206 */ 4207 fad->fad_flags |= FAD_READ; 4208 4209 bzero((void *)so_laddr, sizeof (so_laddr)); 4210 bzero((void *)so_faddr, sizeof (so_faddr)); 4211 4212 /* get local and foreign addresses */ 4213 len = sizeof (so_laddr); 4214 (void) socket_getsockname(so, 4215 (struct sockaddr *)so_laddr, &len, CRED()); 4216 len = sizeof (so_faddr); 4217 (void) socket_getpeername(so, 4218 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4219 4220 add_sock_token = 1; 4221 } 4222 4223 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4224 4225 break; 4226 4227 case AF_UNIX: 4228 /* 4229 * first check if this is first time through. Too much 4230 * duplicate code to put this in an aui_ routine. 4231 */ 4232 4233 /* get path from file struct here */ 4234 fad = F2A(fp); 4235 ASSERT(fad); 4236 4237 /* 4238 * already processed this file for read attempt 4239 */ 4240 if (fad->fad_flags & FAD_READ) { 4241 /* don't want to audit every recvfrom attempt */ 4242 tad->tad_flag = 0; 4243 /* free any residual audit data */ 4244 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4245 releasef(fd); 4246 return; 4247 } 4248 /* 4249 * mark things so we know what happened and don't 4250 * repeat things 4251 */ 4252 fad->fad_flags |= FAD_READ; 4253 4254 if (fad->fad_aupath != NULL) { 4255 au_uwrite(au_to_path(fad->fad_aupath)); 4256 } else { 4257 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4258 } 4259 4260 audit_attributes(fp->f_vnode); 4261 4262 releasef(fd); 4263 4264 return; 4265 4266 default: 4267 break; 4268 4269 } 4270 4271 releasef(fd); 4272 4273 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4274 4275 if (add_sock_token == 0) { 4276 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4277 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4278 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4279 return; 4280 } 4281 4282 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4283 4284 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4285 } 4286 4287 /*ARGSUSED*/ 4288 static void 4289 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4290 { 4291 struct a { 4292 long fd; 4293 long msg; /* struct msghdr */ 4294 long flags; 4295 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4296 4297 struct sonode *so; 4298 char so_laddr[sizeof (struct sockaddr_in6)]; 4299 char so_faddr[sizeof (struct sockaddr_in6)]; 4300 int err; 4301 int fd; 4302 short so_family, so_type; 4303 int add_sock_token = 0; 4304 socklen_t len; 4305 struct file *fp; 4306 struct f_audit_data *fad; 4307 caddr_t msg_name; 4308 socklen_t msg_namelen; 4309 STRUCT_DECL(msghdr, msg); 4310 au_kcontext_t *kctx = GET_KCTX_PZ; 4311 4312 fd = (int)uap->fd; 4313 4314 /* bail if an error */ 4315 if (error) { 4316 /* XXX include destination address from system call arguments */ 4317 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4318 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4319 return; 4320 } 4321 4322 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4323 /* 4324 * not security relevant if doing a sendmsg from non socket 4325 * so no extra tokens. Should probably turn off audit record 4326 * generation here. 4327 */ 4328 return; 4329 } 4330 4331 so_family = so->so_family; 4332 so_type = so->so_type; 4333 4334 switch (so_family) { 4335 case AF_INET: 4336 case AF_INET6: 4337 /* 4338 * if datagram type socket, then just use what is in 4339 * socket structure for local address. 4340 * XXX - what do we do for other types? 4341 */ 4342 if ((so->so_type == SOCK_DGRAM) || 4343 (so->so_type == SOCK_RAW)) { 4344 4345 bzero((void *)so_laddr, sizeof (so_laddr)); 4346 bzero((void *)so_faddr, sizeof (so_faddr)); 4347 4348 /* get local address */ 4349 len = sizeof (so_laddr); 4350 (void) socket_getsockname(so, 4351 (struct sockaddr *)so_laddr, &len, CRED()); 4352 4353 /* get peer address */ 4354 STRUCT_INIT(msg, get_udatamodel()); 4355 4356 if (copyin((caddr_t)(uap->msg), 4357 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4358 break; 4359 } 4360 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4361 if (msg_name == NULL) 4362 break; 4363 4364 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4365 /* length is value from recvmsg - sanity check */ 4366 if (msg_namelen == 0) 4367 break; 4368 4369 if (copyin(msg_name, so_faddr, 4370 sizeof (so_faddr)) != 0) 4371 break; 4372 4373 add_sock_token = 1; 4374 4375 } else if (so->so_type == SOCK_STREAM) { 4376 4377 /* get path from file struct here */ 4378 fad = F2A(fp); 4379 ASSERT(fad); 4380 4381 /* 4382 * already processed this file for write attempt 4383 */ 4384 if (fad->fad_flags & FAD_WRITE) { 4385 releasef(fd); 4386 /* don't want to audit every sendmsg attempt */ 4387 tad->tad_flag = 0; 4388 /* free any residual audit data */ 4389 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4390 return; 4391 } 4392 4393 /* 4394 * mark things so we know what happened and don't 4395 * repeat things 4396 */ 4397 fad->fad_flags |= FAD_WRITE; 4398 4399 bzero((void *)so_laddr, sizeof (so_laddr)); 4400 bzero((void *)so_faddr, sizeof (so_faddr)); 4401 4402 /* get local and foreign addresses */ 4403 len = sizeof (so_laddr); 4404 (void) socket_getsockname(so, 4405 (struct sockaddr *)so_laddr, &len, CRED()); 4406 len = sizeof (so_faddr); 4407 (void) socket_getpeername(so, 4408 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4409 4410 add_sock_token = 1; 4411 } 4412 4413 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4414 4415 break; 4416 4417 case AF_UNIX: 4418 /* 4419 * first check if this is first time through. Too much 4420 * duplicate code to put this in an aui_ routine. 4421 */ 4422 4423 /* get path from file struct here */ 4424 fad = F2A(fp); 4425 ASSERT(fad); 4426 4427 /* 4428 * already processed this file for write attempt 4429 */ 4430 if (fad->fad_flags & FAD_WRITE) { 4431 releasef(fd); 4432 /* don't want to audit every sendmsg attempt */ 4433 tad->tad_flag = 0; 4434 /* free any residual audit data */ 4435 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4436 return; 4437 } 4438 /* 4439 * mark things so we know what happened and don't 4440 * repeat things 4441 */ 4442 fad->fad_flags |= FAD_WRITE; 4443 4444 if (fad->fad_aupath != NULL) { 4445 au_uwrite(au_to_path(fad->fad_aupath)); 4446 } else { 4447 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4448 } 4449 4450 audit_attributes(fp->f_vnode); 4451 4452 releasef(fd); 4453 4454 return; 4455 4456 default: 4457 break; 4458 } 4459 4460 releasef(fd); 4461 4462 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4463 4464 if (add_sock_token == 0) { 4465 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4466 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4467 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4468 return; 4469 } 4470 4471 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4472 4473 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4474 } 4475 4476 /*ARGSUSED*/ 4477 static void 4478 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4479 { 4480 struct a { 4481 long fd; 4482 long msg; /* char */ 4483 long len; 4484 long flags; 4485 long to; /* struct sockaddr */ 4486 long tolen; 4487 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4488 4489 struct sonode *so; 4490 char so_laddr[sizeof (struct sockaddr_in6)]; 4491 char so_faddr[sizeof (struct sockaddr_in6)]; 4492 socklen_t tolen; 4493 int err; 4494 int fd; 4495 socklen_t len; 4496 short so_family, so_type; 4497 int add_sock_token = 0; 4498 struct file *fp; 4499 struct f_audit_data *fad; 4500 au_kcontext_t *kctx = GET_KCTX_PZ; 4501 4502 fd = (int)uap->fd; 4503 4504 /* bail if an error */ 4505 if (error) { 4506 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4507 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4508 /* XXX include destination address from system call arguments */ 4509 return; 4510 } 4511 4512 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4513 /* 4514 * not security relevant if doing a sendto using non socket 4515 * so no extra tokens. Should probably turn off audit record 4516 * generation here. 4517 */ 4518 return; 4519 } 4520 4521 so_family = so->so_family; 4522 so_type = so->so_type; 4523 4524 /* 4525 * only putout SOCKET_EX token if INET/INET6 family. 4526 * XXX - what do we do about other families? 4527 */ 4528 4529 switch (so_family) { 4530 case AF_INET: 4531 case AF_INET6: 4532 4533 /* 4534 * if datagram type socket, then just use what is in 4535 * socket structure for local address. 4536 * XXX - what do we do for other types? 4537 */ 4538 if ((so->so_type == SOCK_DGRAM) || 4539 (so->so_type == SOCK_RAW)) { 4540 4541 bzero((void *)so_laddr, sizeof (so_laddr)); 4542 bzero((void *)so_faddr, sizeof (so_faddr)); 4543 4544 /* get local address */ 4545 len = sizeof (so_laddr); 4546 (void) socket_getsockname(so, 4547 (struct sockaddr *)so_laddr, &len, CRED()); 4548 4549 /* get peer address */ 4550 4551 /* sanity check */ 4552 if (uap->to == NULL) 4553 break; 4554 4555 /* sanity checks */ 4556 if (uap->tolen == 0) 4557 break; 4558 4559 tolen = (socklen_t)uap->tolen; 4560 4561 /* enforce maximum size */ 4562 if (tolen > sizeof (so_faddr)) 4563 tolen = sizeof (so_faddr); 4564 4565 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4566 break; 4567 4568 add_sock_token = 1; 4569 } else { 4570 /* 4571 * check if this is first time through. 4572 */ 4573 4574 /* get path from file struct here */ 4575 fad = F2A(fp); 4576 ASSERT(fad); 4577 4578 /* 4579 * already processed this file for write attempt 4580 */ 4581 if (fad->fad_flags & FAD_WRITE) { 4582 /* don't want to audit every sendto attempt */ 4583 tad->tad_flag = 0; 4584 /* free any residual audit data */ 4585 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4586 releasef(fd); 4587 return; 4588 } 4589 /* 4590 * mark things so we know what happened and don't 4591 * repeat things 4592 */ 4593 fad->fad_flags |= FAD_WRITE; 4594 4595 bzero((void *)so_laddr, sizeof (so_laddr)); 4596 bzero((void *)so_faddr, sizeof (so_faddr)); 4597 4598 /* get local and foreign addresses */ 4599 len = sizeof (so_laddr); 4600 (void) socket_getsockname(so, 4601 (struct sockaddr *)so_laddr, &len, CRED()); 4602 len = sizeof (so_faddr); 4603 (void) socket_getpeername(so, 4604 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4605 4606 add_sock_token = 1; 4607 } 4608 4609 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4610 4611 break; 4612 4613 case AF_UNIX: 4614 /* 4615 * first check if this is first time through. Too much 4616 * duplicate code to put this in an aui_ routine. 4617 */ 4618 4619 /* get path from file struct here */ 4620 fad = F2A(fp); 4621 ASSERT(fad); 4622 4623 /* 4624 * already processed this file for write attempt 4625 */ 4626 if (fad->fad_flags & FAD_WRITE) { 4627 /* don't want to audit every sendto attempt */ 4628 tad->tad_flag = 0; 4629 /* free any residual audit data */ 4630 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4631 releasef(fd); 4632 return; 4633 } 4634 /* 4635 * mark things so we know what happened and don't 4636 * repeat things 4637 */ 4638 fad->fad_flags |= FAD_WRITE; 4639 4640 if (fad->fad_aupath != NULL) { 4641 au_uwrite(au_to_path(fad->fad_aupath)); 4642 } else { 4643 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4644 } 4645 4646 audit_attributes(fp->f_vnode); 4647 4648 releasef(fd); 4649 4650 return; 4651 4652 default: 4653 break; 4654 4655 } 4656 4657 releasef(fd); 4658 4659 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4660 4661 if (add_sock_token == 0) { 4662 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4663 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4664 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4665 return; 4666 } 4667 4668 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4669 4670 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4671 4672 } 4673 4674 /* 4675 * XXX socket(2) may be equivalent to open(2) on a unix domain 4676 * socket. This needs investigation. 4677 */ 4678 4679 /*ARGSUSED*/ 4680 static void 4681 aus_socket(struct t_audit_data *tad) 4682 { 4683 struct a { 4684 long domain; 4685 long type; 4686 long protocol; 4687 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4688 4689 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4690 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4691 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4692 } 4693 4694 /*ARGSUSED*/ 4695 static void 4696 aus_sigqueue(struct t_audit_data *tad) 4697 { 4698 struct a { 4699 long pid; 4700 long signo; 4701 long *val; 4702 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4703 struct proc *p; 4704 uid_t uid, ruid; 4705 gid_t gid, rgid; 4706 pid_t pid; 4707 const auditinfo_addr_t *ainfo; 4708 cred_t *cr; 4709 4710 pid = (pid_t)uap->pid; 4711 4712 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4713 if (pid > 0) { 4714 mutex_enter(&pidlock); 4715 if ((p = prfind(pid)) == (struct proc *)0) { 4716 mutex_exit(&pidlock); 4717 return; 4718 } 4719 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4720 mutex_exit(&pidlock); 4721 4722 mutex_enter(&p->p_crlock); 4723 crhold(cr = p->p_cred); 4724 mutex_exit(&p->p_crlock); 4725 mutex_exit(&p->p_lock); 4726 4727 ainfo = crgetauinfo(cr); 4728 if (ainfo == NULL) { 4729 crfree(cr); 4730 return; 4731 } 4732 4733 uid = crgetuid(cr); 4734 gid = crgetgid(cr); 4735 ruid = crgetruid(cr); 4736 rgid = crgetrgid(cr); 4737 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4738 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4739 crfree(cr); 4740 } 4741 else 4742 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4743 } 4744 4745 /*ARGSUSED*/ 4746 static void 4747 aus_inst_sync(struct t_audit_data *tad) 4748 { 4749 struct a { 4750 long name; /* char */ 4751 long flags; 4752 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4753 4754 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4755 } 4756 4757 /*ARGSUSED*/ 4758 static void 4759 aus_brandsys(struct t_audit_data *tad) 4760 { 4761 klwp_t *clwp = ttolwp(curthread); 4762 4763 struct a { 4764 long cmd; 4765 long arg1; 4766 long arg2; 4767 long arg3; 4768 long arg4; 4769 long arg5; 4770 long arg6; 4771 } *uap = (struct a *)clwp->lwp_ap; 4772 4773 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4774 #ifdef _LP64 4775 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4776 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4777 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4778 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4779 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4780 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4781 #else 4782 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4783 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4784 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4785 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4786 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4787 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4788 #endif 4789 } 4790 4791 /*ARGSUSED*/ 4792 static void 4793 aus_p_online(struct t_audit_data *tad) 4794 { 4795 struct a { 4796 long processor_id; 4797 long flag; 4798 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4799 4800 struct flags { 4801 int flag; 4802 char *cflag; 4803 } aflags[6] = { 4804 { P_ONLINE, "P_ONLINE"}, 4805 { P_OFFLINE, "P_OFFLINE"}, 4806 { P_NOINTR, "P_NOINTR"}, 4807 { P_SPARE, "P_SPARE"}, 4808 { P_FAULTED, "P_FAULTED"}, 4809 { P_STATUS, "P_STATUS"} 4810 }; 4811 int i; 4812 char *cflag; 4813 4814 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4815 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4816 4817 for (i = 0; i < 6; i++) { 4818 if (aflags[i].flag == uap->flag) 4819 break; 4820 } 4821 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4822 4823 au_uwrite(au_to_text(cflag)); 4824 } 4825 4826 /*ARGSUSED*/ 4827 static void 4828 aus_processor_bind(struct t_audit_data *tad) 4829 { 4830 struct a { 4831 long id_type; 4832 long id; 4833 long processor_id; 4834 long obind; 4835 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4836 4837 struct proc *p; 4838 int lwpcnt; 4839 uid_t uid, ruid; 4840 gid_t gid, rgid; 4841 pid_t pid; 4842 const auditinfo_addr_t *ainfo; 4843 cred_t *cr; 4844 4845 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4846 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4847 if (uap->processor_id == PBIND_NONE) 4848 au_uwrite(au_to_text("PBIND_NONE")); 4849 else 4850 au_uwrite(au_to_arg32(3, "processor_id", 4851 (uint32_t)uap->processor_id)); 4852 4853 switch (uap->id_type) { 4854 case P_MYID: 4855 case P_LWPID: 4856 mutex_enter(&pidlock); 4857 p = ttoproc(curthread); 4858 if (p == NULL || p->p_as == &kas) { 4859 mutex_exit(&pidlock); 4860 return; 4861 } 4862 mutex_enter(&p->p_lock); 4863 mutex_exit(&pidlock); 4864 lwpcnt = p->p_lwpcnt; 4865 pid = p->p_pid; 4866 4867 mutex_enter(&p->p_crlock); 4868 crhold(cr = p->p_cred); 4869 mutex_exit(&p->p_crlock); 4870 mutex_exit(&p->p_lock); 4871 4872 ainfo = crgetauinfo(cr); 4873 if (ainfo == NULL) { 4874 crfree(cr); 4875 return; 4876 } 4877 4878 uid = crgetuid(cr); 4879 gid = crgetgid(cr); 4880 ruid = crgetruid(cr); 4881 rgid = crgetrgid(cr); 4882 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4883 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4884 crfree(cr); 4885 break; 4886 case P_PID: 4887 mutex_enter(&pidlock); 4888 p = prfind(uap->id); 4889 if (p == NULL || p->p_as == &kas) { 4890 mutex_exit(&pidlock); 4891 return; 4892 } 4893 mutex_enter(&p->p_lock); 4894 mutex_exit(&pidlock); 4895 lwpcnt = p->p_lwpcnt; 4896 pid = p->p_pid; 4897 4898 mutex_enter(&p->p_crlock); 4899 crhold(cr = p->p_cred); 4900 mutex_exit(&p->p_crlock); 4901 mutex_exit(&p->p_lock); 4902 4903 ainfo = crgetauinfo(cr); 4904 if (ainfo == NULL) { 4905 crfree(cr); 4906 return; 4907 } 4908 4909 uid = crgetuid(cr); 4910 gid = crgetgid(cr); 4911 ruid = crgetruid(cr); 4912 rgid = crgetrgid(cr); 4913 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4914 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4915 crfree(cr); 4916 4917 break; 4918 default: 4919 return; 4920 } 4921 4922 if (uap->processor_id == PBIND_NONE && 4923 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4924 au_uwrite(au_to_text("PBIND_NONE for process")); 4925 else 4926 au_uwrite(au_to_arg32(3, "processor_id", 4927 (uint32_t)uap->processor_id)); 4928 } 4929 4930 /*ARGSUSED*/ 4931 static au_event_t 4932 aui_doorfs(au_event_t e) 4933 { 4934 uint32_t code; 4935 4936 struct a { /* doorfs */ 4937 long a1; 4938 long a2; 4939 long a3; 4940 long a4; 4941 long a5; 4942 long code; 4943 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4944 4945 /* 4946 * audit formats for several of the 4947 * door calls have not yet been determined 4948 */ 4949 code = (uint32_t)uap->code; 4950 switch (code) { 4951 case DOOR_CALL: 4952 e = AUE_DOORFS_DOOR_CALL; 4953 break; 4954 case DOOR_RETURN: 4955 e = AUE_NULL; 4956 break; 4957 case DOOR_CREATE: 4958 e = AUE_DOORFS_DOOR_CREATE; 4959 break; 4960 case DOOR_REVOKE: 4961 e = AUE_DOORFS_DOOR_REVOKE; 4962 break; 4963 case DOOR_INFO: 4964 e = AUE_NULL; 4965 break; 4966 case DOOR_UCRED: 4967 e = AUE_NULL; 4968 break; 4969 case DOOR_BIND: 4970 e = AUE_NULL; 4971 break; 4972 case DOOR_UNBIND: 4973 e = AUE_NULL; 4974 break; 4975 case DOOR_GETPARAM: 4976 e = AUE_NULL; 4977 break; 4978 case DOOR_SETPARAM: 4979 e = AUE_NULL; 4980 break; 4981 default: /* illegal system call */ 4982 e = AUE_NULL; 4983 break; 4984 } 4985 4986 return (e); 4987 } 4988 4989 static door_node_t * 4990 au_door_lookup(int did) 4991 { 4992 vnode_t *vp; 4993 file_t *fp; 4994 4995 if ((fp = getf(did)) == NULL) 4996 return (NULL); 4997 /* 4998 * Use the underlying vnode (we may be namefs mounted) 4999 */ 5000 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5001 vp = fp->f_vnode; 5002 5003 if (vp == NULL || vp->v_type != VDOOR) { 5004 releasef(did); 5005 return (NULL); 5006 } 5007 5008 return (VTOD(vp)); 5009 } 5010 5011 /*ARGSUSED*/ 5012 static void 5013 aus_doorfs(struct t_audit_data *tad) 5014 { 5015 5016 struct a { /* doorfs */ 5017 long a1; 5018 long a2; 5019 long a3; 5020 long a4; 5021 long a5; 5022 long code; 5023 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5024 5025 door_node_t *dp; 5026 struct proc *p; 5027 uint32_t did; 5028 uid_t uid, ruid; 5029 gid_t gid, rgid; 5030 pid_t pid; 5031 const auditinfo_addr_t *ainfo; 5032 cred_t *cr; 5033 5034 did = (uint32_t)uap->a1; 5035 5036 switch (tad->tad_event) { 5037 case AUE_DOORFS_DOOR_CALL: 5038 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5039 if ((dp = au_door_lookup(did)) == NULL) 5040 break; 5041 5042 if (DOOR_INVALID(dp)) { 5043 releasef(did); 5044 break; 5045 } 5046 5047 if ((p = dp->door_target) == NULL) { 5048 releasef(did); 5049 break; 5050 } 5051 mutex_enter(&p->p_lock); 5052 releasef(did); 5053 5054 pid = p->p_pid; 5055 5056 mutex_enter(&p->p_crlock); 5057 crhold(cr = p->p_cred); 5058 mutex_exit(&p->p_crlock); 5059 mutex_exit(&p->p_lock); 5060 5061 ainfo = crgetauinfo(cr); 5062 if (ainfo == NULL) { 5063 crfree(cr); 5064 return; 5065 } 5066 uid = crgetuid(cr); 5067 gid = crgetgid(cr); 5068 ruid = crgetruid(cr); 5069 rgid = crgetrgid(cr); 5070 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5071 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5072 crfree(cr); 5073 break; 5074 case AUE_DOORFS_DOOR_RETURN: 5075 /* 5076 * We may want to write information about 5077 * all doors (if any) which will be copied 5078 * by this call to the user space 5079 */ 5080 break; 5081 case AUE_DOORFS_DOOR_CREATE: 5082 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5083 break; 5084 case AUE_DOORFS_DOOR_REVOKE: 5085 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5086 break; 5087 case AUE_DOORFS_DOOR_INFO: 5088 break; 5089 case AUE_DOORFS_DOOR_CRED: 5090 break; 5091 case AUE_DOORFS_DOOR_BIND: 5092 break; 5093 case AUE_DOORFS_DOOR_UNBIND: { 5094 break; 5095 } 5096 default: /* illegal system call */ 5097 break; 5098 } 5099 } 5100 5101 /*ARGSUSED*/ 5102 static au_event_t 5103 aui_acl(au_event_t e) 5104 { 5105 struct a { 5106 union { 5107 long name; /* char */ 5108 long fd; 5109 } obj; 5110 5111 long cmd; 5112 long nentries; 5113 long arg; /* aclent_t */ 5114 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5115 5116 switch (uap->cmd) { 5117 case SETACL: 5118 case ACE_SETACL: 5119 /* 5120 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5121 * are expected. 5122 */ 5123 break; 5124 case GETACL: 5125 case GETACLCNT: 5126 case ACE_GETACL: 5127 case ACE_GETACLCNT: 5128 /* do nothing for these four values. */ 5129 e = AUE_NULL; 5130 break; 5131 default: 5132 /* illegal system call */ 5133 break; 5134 } 5135 5136 return (e); 5137 } 5138 5139 static void 5140 au_acl(int cmd, int nentries, caddr_t bufp) 5141 { 5142 size_t a_size; 5143 aclent_t *aclbufp; 5144 ace_t *acebufp; 5145 int i; 5146 5147 switch (cmd) { 5148 case GETACL: 5149 case GETACLCNT: 5150 break; 5151 case SETACL: 5152 if (nentries < 3) 5153 break; 5154 5155 a_size = nentries * sizeof (aclent_t); 5156 5157 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5158 break; 5159 if (copyin(bufp, aclbufp, a_size)) { 5160 kmem_free(aclbufp, a_size); 5161 break; 5162 } 5163 for (i = 0; i < nentries; i++) { 5164 au_uwrite(au_to_acl(aclbufp + i)); 5165 } 5166 kmem_free(aclbufp, a_size); 5167 break; 5168 5169 case ACE_SETACL: 5170 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5171 break; 5172 5173 a_size = nentries * sizeof (ace_t); 5174 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5175 break; 5176 if (copyin(bufp, acebufp, a_size)) { 5177 kmem_free(acebufp, a_size); 5178 break; 5179 } 5180 for (i = 0; i < nentries; i++) { 5181 au_uwrite(au_to_ace(acebufp + i)); 5182 } 5183 kmem_free(acebufp, a_size); 5184 break; 5185 default: 5186 break; 5187 } 5188 } 5189 5190 /*ARGSUSED*/ 5191 static void 5192 aus_acl(struct t_audit_data *tad) 5193 { 5194 struct a { 5195 long fname; 5196 long cmd; 5197 long nentries; 5198 long aclbufp; 5199 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5200 5201 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5202 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5203 5204 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5205 } 5206 5207 /*ARGSUSED*/ 5208 static void 5209 aus_facl(struct t_audit_data *tad) 5210 { 5211 struct a { 5212 long fd; 5213 long cmd; 5214 long nentries; 5215 long aclbufp; 5216 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5217 struct file *fp; 5218 struct vnode *vp; 5219 struct f_audit_data *fad; 5220 int fd; 5221 5222 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5223 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5224 5225 fd = (int)uap->fd; 5226 5227 if ((fp = getf(fd)) == NULL) 5228 return; 5229 5230 /* get path from file struct here */ 5231 fad = F2A(fp); 5232 if (fad->fad_aupath != NULL) { 5233 au_uwrite(au_to_path(fad->fad_aupath)); 5234 } else { 5235 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5236 } 5237 5238 vp = fp->f_vnode; 5239 audit_attributes(vp); 5240 5241 /* decrement file descriptor reference count */ 5242 releasef(fd); 5243 5244 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5245 } 5246 5247 /*ARGSUSED*/ 5248 static void 5249 auf_read(tad, error, rval) 5250 struct t_audit_data *tad; 5251 int error; 5252 rval_t *rval; 5253 { 5254 struct file *fp; 5255 struct f_audit_data *fad; 5256 int fd; 5257 register struct a { 5258 long fd; 5259 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5260 au_kcontext_t *kctx = GET_KCTX_PZ; 5261 5262 fd = (int)uap->fd; 5263 5264 /* 5265 * convert file pointer to file descriptor 5266 * Note: fd ref count incremented here. 5267 */ 5268 if ((fp = getf(fd)) == NULL) 5269 return; 5270 5271 /* get path from file struct here */ 5272 fad = F2A(fp); 5273 ASSERT(fad); 5274 5275 /* 5276 * already processed this file for read attempt 5277 * 5278 * XXX might be better to turn off auditing in a aui_read() routine. 5279 */ 5280 if (fad->fad_flags & FAD_READ) { 5281 /* don't really want to audit every read attempt */ 5282 tad->tad_flag = 0; 5283 /* free any residual audit data */ 5284 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5285 releasef(fd); 5286 return; 5287 } 5288 /* mark things so we know what happened and don't repeat things */ 5289 fad->fad_flags |= FAD_READ; 5290 5291 if (fad->fad_aupath != NULL) { 5292 au_uwrite(au_to_path(fad->fad_aupath)); 5293 } else { 5294 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5295 } 5296 5297 /* include attributes */ 5298 audit_attributes(fp->f_vnode); 5299 5300 /* decrement file descriptor reference count */ 5301 releasef(fd); 5302 } 5303 5304 /*ARGSUSED*/ 5305 static void 5306 auf_write(tad, error, rval) 5307 struct t_audit_data *tad; 5308 int error; 5309 rval_t *rval; 5310 { 5311 struct file *fp; 5312 struct f_audit_data *fad; 5313 int fd; 5314 register struct a { 5315 long fd; 5316 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5317 au_kcontext_t *kctx = GET_KCTX_PZ; 5318 5319 fd = (int)uap->fd; 5320 5321 /* 5322 * convert file pointer to file descriptor 5323 * Note: fd ref count incremented here. 5324 */ 5325 if ((fp = getf(fd)) == NULL) 5326 return; 5327 5328 /* get path from file struct here */ 5329 fad = F2A(fp); 5330 ASSERT(fad); 5331 5332 /* 5333 * already processed this file for write attempt 5334 * 5335 * XXX might be better to turn off auditing in a aus_write() routine. 5336 */ 5337 if (fad->fad_flags & FAD_WRITE) { 5338 /* don't really want to audit every write attempt */ 5339 tad->tad_flag = 0; 5340 /* free any residual audit data */ 5341 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5342 releasef(fd); 5343 return; 5344 } 5345 /* mark things so we know what happened and don't repeat things */ 5346 fad->fad_flags |= FAD_WRITE; 5347 5348 if (fad->fad_aupath != NULL) { 5349 au_uwrite(au_to_path(fad->fad_aupath)); 5350 } else { 5351 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5352 } 5353 5354 /* include attributes */ 5355 audit_attributes(fp->f_vnode); 5356 5357 /* decrement file descriptor reference count */ 5358 releasef(fd); 5359 } 5360 5361 /*ARGSUSED*/ 5362 static void 5363 auf_recv(tad, error, rval) 5364 struct t_audit_data *tad; 5365 int error; 5366 rval_t *rval; 5367 { 5368 struct sonode *so; 5369 char so_laddr[sizeof (struct sockaddr_in6)]; 5370 char so_faddr[sizeof (struct sockaddr_in6)]; 5371 struct file *fp; 5372 struct f_audit_data *fad; 5373 int fd; 5374 int err; 5375 socklen_t len; 5376 short so_family, so_type; 5377 register struct a { 5378 long fd; 5379 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5380 au_kcontext_t *kctx = GET_KCTX_PZ; 5381 5382 /* 5383 * If there was an error, then nothing to do. Only generate 5384 * audit record on first successful recv. 5385 */ 5386 if (error) { 5387 /* Turn off audit record generation here. */ 5388 tad->tad_flag = 0; 5389 /* free any residual audit data */ 5390 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5391 return; 5392 } 5393 5394 fd = (int)uap->fd; 5395 5396 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5397 /* Turn off audit record generation here. */ 5398 tad->tad_flag = 0; 5399 /* free any residual audit data */ 5400 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5401 return; 5402 } 5403 5404 /* get path from file struct here */ 5405 fad = F2A(fp); 5406 ASSERT(fad); 5407 5408 /* 5409 * already processed this file for read attempt 5410 */ 5411 if (fad->fad_flags & FAD_READ) { 5412 releasef(fd); 5413 /* don't really want to audit every recv call */ 5414 tad->tad_flag = 0; 5415 /* free any residual audit data */ 5416 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5417 return; 5418 } 5419 5420 /* mark things so we know what happened and don't repeat things */ 5421 fad->fad_flags |= FAD_READ; 5422 5423 so_family = so->so_family; 5424 so_type = so->so_type; 5425 5426 switch (so_family) { 5427 case AF_INET: 5428 case AF_INET6: 5429 /* 5430 * Only for connections. 5431 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5432 */ 5433 if (so->so_state & SS_ISBOUND) { 5434 5435 bzero((void *)so_laddr, sizeof (so_laddr)); 5436 bzero((void *)so_faddr, sizeof (so_faddr)); 5437 5438 /* get local and foreign addresses */ 5439 len = sizeof (so_laddr); 5440 (void) socket_getsockname(so, 5441 (struct sockaddr *)so_laddr, &len, CRED()); 5442 len = sizeof (so_faddr); 5443 (void) socket_getpeername(so, 5444 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5445 5446 /* 5447 * only way to drop out of switch. Note that we 5448 * we release fd below. 5449 */ 5450 5451 break; 5452 } 5453 5454 releasef(fd); 5455 5456 /* don't really want to audit every recv call */ 5457 tad->tad_flag = 0; 5458 /* free any residual audit data */ 5459 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5460 5461 return; 5462 5463 case AF_UNIX: 5464 5465 if (fad->fad_aupath != NULL) { 5466 au_uwrite(au_to_path(fad->fad_aupath)); 5467 } else { 5468 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5469 } 5470 5471 audit_attributes(fp->f_vnode); 5472 5473 releasef(fd); 5474 5475 return; 5476 5477 default: 5478 releasef(fd); 5479 5480 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5481 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5482 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5483 5484 return; 5485 } 5486 5487 releasef(fd); 5488 5489 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5490 5491 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5492 5493 } 5494 5495 /*ARGSUSED*/ 5496 static void 5497 auf_send(tad, error, rval) 5498 struct t_audit_data *tad; 5499 int error; 5500 rval_t *rval; 5501 { 5502 struct sonode *so; 5503 char so_laddr[sizeof (struct sockaddr_in6)]; 5504 char so_faddr[sizeof (struct sockaddr_in6)]; 5505 struct file *fp; 5506 struct f_audit_data *fad; 5507 int fd; 5508 int err; 5509 socklen_t len; 5510 short so_family, so_type; 5511 register struct a { 5512 long fd; 5513 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5514 au_kcontext_t *kctx = GET_KCTX_PZ; 5515 5516 fd = (int)uap->fd; 5517 5518 /* 5519 * If there was an error, then nothing to do. Only generate 5520 * audit record on first successful send. 5521 */ 5522 if (error != 0) { 5523 /* Turn off audit record generation here. */ 5524 tad->tad_flag = 0; 5525 /* free any residual audit data */ 5526 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5527 return; 5528 } 5529 5530 fd = (int)uap->fd; 5531 5532 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5533 /* Turn off audit record generation here. */ 5534 tad->tad_flag = 0; 5535 /* free any residual audit data */ 5536 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5537 return; 5538 } 5539 5540 /* get path from file struct here */ 5541 fad = F2A(fp); 5542 ASSERT(fad); 5543 5544 /* 5545 * already processed this file for write attempt 5546 */ 5547 if (fad->fad_flags & FAD_WRITE) { 5548 releasef(fd); 5549 /* don't really want to audit every send call */ 5550 tad->tad_flag = 0; 5551 /* free any residual audit data */ 5552 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5553 return; 5554 } 5555 5556 /* mark things so we know what happened and don't repeat things */ 5557 fad->fad_flags |= FAD_WRITE; 5558 5559 so_family = so->so_family; 5560 so_type = so->so_type; 5561 5562 switch (so_family) { 5563 case AF_INET: 5564 case AF_INET6: 5565 /* 5566 * Only for connections. 5567 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5568 */ 5569 if (so->so_state & SS_ISBOUND) { 5570 5571 bzero((void *)so_laddr, sizeof (so_laddr)); 5572 bzero((void *)so_faddr, sizeof (so_faddr)); 5573 5574 /* get local and foreign addresses */ 5575 len = sizeof (so_laddr); 5576 (void) socket_getsockname(so, 5577 (struct sockaddr *)so_laddr, &len, CRED()); 5578 len = sizeof (so_faddr); 5579 (void) socket_getpeername(so, 5580 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5581 5582 /* 5583 * only way to drop out of switch. Note that we 5584 * we release fd below. 5585 */ 5586 5587 break; 5588 } 5589 5590 releasef(fd); 5591 /* don't really want to audit every send call */ 5592 tad->tad_flag = 0; 5593 /* free any residual audit data */ 5594 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5595 5596 return; 5597 5598 case AF_UNIX: 5599 5600 if (fad->fad_aupath != NULL) { 5601 au_uwrite(au_to_path(fad->fad_aupath)); 5602 } else { 5603 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5604 } 5605 5606 audit_attributes(fp->f_vnode); 5607 5608 releasef(fd); 5609 5610 return; 5611 5612 default: 5613 releasef(fd); 5614 5615 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5616 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5617 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5618 5619 return; 5620 } 5621 5622 releasef(fd); 5623 5624 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5625 5626 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5627 } 5628 5629 static au_event_t 5630 aui_forksys(au_event_t e) 5631 { 5632 struct a { 5633 long subcode; 5634 long flags; 5635 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5636 5637 switch ((uint_t)uap->subcode) { 5638 case 0: 5639 e = AUE_FORK1; 5640 break; 5641 case 1: 5642 e = AUE_FORKALL; 5643 break; 5644 case 2: 5645 e = AUE_VFORK; 5646 break; 5647 default: 5648 e = AUE_NULL; 5649 break; 5650 } 5651 5652 return (e); 5653 } 5654 5655 /*ARGSUSED*/ 5656 static au_event_t 5657 aui_portfs(au_event_t e) 5658 { 5659 struct a { /* portfs */ 5660 long a1; 5661 long a2; 5662 long a3; 5663 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5664 5665 /* 5666 * check opcode 5667 */ 5668 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5669 case PORT_ASSOCIATE: 5670 /* check source */ 5671 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5672 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5673 e = AUE_PORTFS_ASSOCIATE; 5674 } else { 5675 e = AUE_NULL; 5676 } 5677 break; 5678 case PORT_DISSOCIATE: 5679 /* check source */ 5680 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5681 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5682 e = AUE_PORTFS_DISSOCIATE; 5683 } else { 5684 e = AUE_NULL; 5685 } 5686 break; 5687 default: 5688 e = AUE_NULL; 5689 } 5690 return (e); 5691 } 5692