1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <c2/audit.h> 60 #include <c2/audit_kernel.h> 61 #include <c2/audit_kevents.h> 62 #include <c2/audit_record.h> 63 #include <sys/procset.h> 64 #include <nfs/mount.h> 65 #include <sys/param.h> 66 #include <sys/debug.h> 67 #include <sys/sysmacros.h> 68 #include <sys/stream.h> 69 #include <sys/strsubr.h> 70 #include <sys/stropts.h> 71 #include <sys/tihdr.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <netinet/in.h> 75 #include <sys/ddi.h> 76 77 extern token_t *au_to_sock_inet(struct sockaddr_in *); 78 79 int au_naevent; 80 char _depends_on[] = "fs/sockfs"; 81 82 static au_event_t aui_null(au_event_t); 83 static au_event_t aui_open(au_event_t); 84 static au_event_t aui_fsat(au_event_t); 85 static au_event_t aui_msgsys(au_event_t); 86 static au_event_t aui_shmsys(au_event_t); 87 static au_event_t aui_semsys(au_event_t); 88 static au_event_t aui_utssys(au_event_t); 89 static au_event_t aui_fcntl(au_event_t); 90 static au_event_t aui_execv(au_event_t); 91 static au_event_t aui_execve(au_event_t); 92 static au_event_t aui_memcntl(au_event_t); 93 static au_event_t aui_sysinfo(au_event_t); 94 static au_event_t aui_auditsys(au_event_t); 95 static au_event_t aui_modctl(au_event_t); 96 static au_event_t aui_acl(au_event_t); 97 static au_event_t aui_doorfs(au_event_t); 98 static au_event_t aui_privsys(au_event_t); 99 100 static void aus_null(struct t_audit_data *); 101 static void aus_open(struct t_audit_data *); 102 static void aus_acl(struct t_audit_data *); 103 static void aus_acct(struct t_audit_data *); 104 static void aus_chown(struct t_audit_data *); 105 static void aus_fchown(struct t_audit_data *); 106 static void aus_lchown(struct t_audit_data *); 107 static void aus_chmod(struct t_audit_data *); 108 static void aus_facl(struct t_audit_data *); 109 static void aus_fchmod(struct t_audit_data *); 110 static void aus_fcntl(struct t_audit_data *); 111 static void aus_fsat(struct t_audit_data *); 112 static void aus_mkdir(struct t_audit_data *); 113 static void aus_mknod(struct t_audit_data *); 114 static void aus_mount(struct t_audit_data *); 115 static void aus_umount(struct t_audit_data *); 116 static void aus_umount2(struct t_audit_data *); 117 static void aus_msgsys(struct t_audit_data *); 118 static void aus_semsys(struct t_audit_data *); 119 static void aus_close(struct t_audit_data *); 120 static void aus_fstatfs(struct t_audit_data *); 121 static void aus_setgid(struct t_audit_data *); 122 static void aus_setuid(struct t_audit_data *); 123 static void aus_shmsys(struct t_audit_data *); 124 static void aus_doorfs(struct t_audit_data *); 125 static void aus_ioctl(struct t_audit_data *); 126 static void aus_memcntl(struct t_audit_data *); 127 static void aus_mmap(struct t_audit_data *); 128 static void aus_munmap(struct t_audit_data *); 129 static void aus_priocntlsys(struct t_audit_data *); 130 static void aus_setegid(struct t_audit_data *); 131 static void aus_setgroups(struct t_audit_data *); 132 static void aus_seteuid(struct t_audit_data *); 133 static void aus_putmsg(struct t_audit_data *); 134 static void aus_putpmsg(struct t_audit_data *); 135 static void aus_getmsg(struct t_audit_data *); 136 static void aus_getpmsg(struct t_audit_data *); 137 static void aus_auditsys(struct t_audit_data *); 138 static void aus_sysinfo(struct t_audit_data *); 139 static void aus_modctl(struct t_audit_data *); 140 static void aus_kill(struct t_audit_data *); 141 static void aus_xmknod(struct t_audit_data *); 142 static void aus_setregid(struct t_audit_data *); 143 static void aus_setreuid(struct t_audit_data *); 144 145 static void auf_null(struct t_audit_data *, int, rval_t *); 146 static void auf_mknod(struct t_audit_data *, int, rval_t *); 147 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 148 static void auf_semsys(struct t_audit_data *, int, rval_t *); 149 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 150 #if 0 151 static void auf_open(struct t_audit_data *, int, rval_t *); 152 #endif 153 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 154 static void auf_read(struct t_audit_data *, int, rval_t *); 155 static void auf_write(struct t_audit_data *, int, rval_t *); 156 157 static void aus_sigqueue(struct t_audit_data *); 158 static void aus_p_online(struct t_audit_data *); 159 static void aus_processor_bind(struct t_audit_data *); 160 static void aus_inst_sync(struct t_audit_data *); 161 162 static void auf_accept(struct t_audit_data *, int, rval_t *); 163 164 static void auf_bind(struct t_audit_data *, int, rval_t *); 165 static void auf_connect(struct t_audit_data *, int, rval_t *); 166 static void aus_shutdown(struct t_audit_data *); 167 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 168 static void aus_sockconfig(struct t_audit_data *); 169 static void auf_recv(struct t_audit_data *, int, rval_t *); 170 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 171 static void auf_send(struct t_audit_data *, int, rval_t *); 172 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 173 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 174 static void auf_sendto(struct t_audit_data *, int, rval_t *); 175 static void aus_socket(struct t_audit_data *); 176 /* 177 * This table contains mapping information for converting system call numbers 178 * to audit event IDs. In several cases it is necessary to map a single system 179 * call to several events. 180 */ 181 182 struct audit_s2e audit_s2e[] = 183 { 184 /* 185 * ---------- ---------- ---------- ---------- 186 * INITIAL AUDIT START SYSTEM 187 * PROCESSING EVENT PROCESSING CALL 188 * ---------- ---------- ---------- ----------- 189 * FINISH EVENT 190 * PROCESSING CONTROL 191 * ---------------------------------------------------------- 192 */ 193 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 194 auf_null, 0, 195 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 196 auf_null, S2E_NPT, 197 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 198 auf_null, 0, 199 aui_null, AUE_READ, aus_null, /* 3 read */ 200 auf_read, S2E_PUB, 201 aui_null, AUE_WRITE, aus_null, /* 4 write */ 202 auf_write, 0, 203 aui_open, AUE_OPEN, aus_open, /* 5 open */ 204 auf_null, S2E_SP, 205 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 206 auf_null, 0, 207 aui_null, AUE_NULL, aus_null, /* 7 wait */ 208 auf_null, 0, 209 aui_null, AUE_CREAT, aus_null, /* 8 create */ 210 auf_null, S2E_SP, 211 aui_null, AUE_LINK, aus_null, /* 9 link */ 212 auf_null, 0, 213 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 214 auf_null, 0, 215 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 216 auf_null, S2E_MLD, 217 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 218 auf_null, S2E_SP, 219 aui_null, AUE_NULL, aus_null, /* 13 time */ 220 auf_null, 0, 221 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 222 auf_mknod, 0, 223 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 224 auf_null, 0, 225 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 226 auf_null, 0, 227 aui_null, AUE_NULL, aus_null, /* 17 brk */ 228 auf_null, 0, 229 aui_null, AUE_STAT, aus_null, /* 18 stat */ 230 auf_null, S2E_PUB, 231 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 232 auf_null, 0, 233 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 234 auf_null, 0, 235 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 236 auf_null, S2E_MLD, 237 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 238 auf_null, 0, 239 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 240 auf_null, 0, 241 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 242 auf_null, 0, 243 aui_null, AUE_STIME, aus_null, /* 25 stime */ 244 auf_null, 0, 245 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 246 auf_null, 0, 247 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 29 pause */ 252 auf_null, 0, 253 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 258 auf_null, 0, 259 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 260 auf_null, S2E_PUB, 261 aui_null, AUE_NICE, aus_null, /* 34 nice */ 262 auf_null, 0, 263 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 264 auf_null, S2E_PUB, 265 aui_null, AUE_NULL, aus_null, /* 36 sync */ 266 auf_null, 0, 267 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 268 auf_null, 0, 269 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 270 auf_null, S2E_PUB, 271 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 272 auf_null, 0, 273 aui_null, AUE_NULL, aus_null, /* 40 (loadable) was cxenix */ 274 auf_null, 0, 275 aui_null, AUE_NULL, aus_null, /* 41 dup */ 276 auf_null, 0, 277 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 43 times */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 44 profil */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 284 /* was proc lock */ 285 auf_null, 0, 286 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 289 auf_null, 0, 290 aui_null, AUE_NULL, aus_null, /* 48 sig */ 291 auf_null, 0, 292 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 293 auf_msgsys, 0, 294 #if defined(__x86) 295 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 296 auf_null, 0, 297 #else 298 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 299 auf_null, 0, 300 #endif /* __x86 */ 301 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 302 auf_null, 0, 303 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 304 auf_shmsys, 0, 305 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 306 auf_semsys, 0, 307 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 308 auf_null, 0, 309 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 310 auf_null, 0, 311 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 312 auf_null, 0, 313 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 314 auf_null, 0, 315 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 316 auf_null, 0, 317 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 318 auf_null, S2E_MLD, 319 aui_null, AUE_NULL, aus_null, /* 60 umask */ 320 auf_null, 0, 321 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 322 auf_null, S2E_SP, 323 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 324 auf_null, 0, 325 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 326 auf_null, 0, 327 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 328 auf_null, 0, 329 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 332 auf_null, 0, 333 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 334 /* file locking call */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 337 /* local system calls */ 338 auf_null, 0, 339 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 340 auf_null, 0, 341 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 344 auf_null, 0, 345 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 75 issetugid */ 352 /* was sigret (SunOS) */ 353 auf_null, 0, 354 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 359 auf_null, 0, 360 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 361 auf_null, 0, 362 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 363 auf_null, 0, 364 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 365 auf_null, 0, 366 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 367 /* was libattach */ 368 auf_null, 0, 369 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 370 /* was libdetach */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 373 auf_null, 0, 374 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 375 auf_null, 0, 376 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 87 poll */ 379 auf_null, 0, 380 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 381 auf_null, S2E_PUB, 382 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 383 auf_null, 0, 384 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 387 auf_null, 0, 388 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 389 auf_null, 0, 390 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 391 auf_null, 0, 392 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 395 auf_null, 0, 396 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 409 /* was evtrapret */ 410 auf_null, 0, 411 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 412 auf_null, S2E_PUB, 413 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 414 auf_null, 0, 415 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 416 auf_null, 0, 417 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 418 auf_null, 0, 419 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 422 auf_null, 0, 423 #if defined(__x86) 424 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 425 auf_null, 0, 426 #else 427 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 428 auf_null, 0, 429 #endif /* __x86 */ 430 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 431 auf_null, 0, 432 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 433 auf_null, 0, 434 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 435 auf_null, 0, /* 112 priocntlsys */ 436 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 437 auf_null, S2E_PUB, 438 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 439 auf_null, 0, 440 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 441 auf_null, 0, 442 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 443 auf_null, 0, 444 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 445 auf_null, 0, 446 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 447 auf_null, 0, 448 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 449 auf_null, 0, 450 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 451 auf_null, 0, 452 aui_null, AUE_READ, aus_null, /* 121 readv */ 453 auf_read, S2E_PUB, 454 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 455 auf_write, 0, 456 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 457 auf_null, S2E_PUB, 458 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 459 auf_null, S2E_PUB, 460 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 461 auf_null, 0, 462 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 463 auf_xmknod, 0, 464 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 465 auf_null, 0, 466 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 467 auf_null, 0, 468 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 469 auf_null, 0, 470 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 471 auf_null, 0, 472 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 473 auf_null, 0, 474 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 475 auf_null, 0, 476 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 477 auf_null, 0, 478 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 479 auf_null, 0, 480 aui_null, AUE_NULL, aus_null, /* 135 uname */ 481 auf_null, 0, 482 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 483 auf_null, 0, 484 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 485 auf_null, 0, 486 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 487 auf_null, 0, 488 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 489 auf_null, 0, 490 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 491 auf_null, 0, 492 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 493 auf_null, 0, 494 aui_null, AUE_NULL, aus_null, /* 142 (loadable reserved) */ 495 auf_null, 0, 496 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 497 auf_null, 0, 498 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 499 auf_null, 0, 500 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 501 auf_null, 0, 502 aui_null, AUE_NULL, aus_null, /* 146 yield */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 513 auf_null, 0, 514 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 515 auf_null, 0, 516 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 517 auf_null, 0, 518 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 519 auf_null, 0, 520 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 541 /* was lwp_setprivate */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 544 /* was lwp_getprivate */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_unlock */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 557 auf_null, 0, 558 aui_null, AUE_READ, aus_null, /* 173 pread */ 559 auf_read, S2E_PUB, 560 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 561 auf_write, 0, 562 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 563 auf_null, 0, 564 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 565 /* aus_inst_sync */ 566 auf_null, 0, 567 aui_null, AUE_NULL, aus_null, /* 177 (loadable) */ 568 auf_null, 0, 569 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 570 auf_null, 0, 571 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 182 (loadable) */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 580 auf_null, 0, 581 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 582 auf_null, 0, 583 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 584 auf_null, 0, 585 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 586 auf_null, 0, 587 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 588 auf_null, 0, /* 187 processor_bind */ 589 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 590 auf_null, 0, 591 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 594 auf_null, 0, 595 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 596 auf_null, 0, 597 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 612 auf_null, 0, 613 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 614 auf_null, 0, 615 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 616 auf_null, 0, 617 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 618 auf_null, 0, 619 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 620 auf_null, 0, 621 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 622 auf_null, 0, 623 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 640 auf_null, 0, 641 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 642 auf_null, 0, 643 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 644 auf_null, S2E_PUB, 645 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 646 auf_null, S2E_PUB, 647 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 648 auf_null, 0, 649 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 652 auf_null, 0, 653 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 654 auf_null, 0, 655 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 656 auf_null, 0, 657 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 658 auf_read, S2E_PUB, 659 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 660 auf_write, 0, 661 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 662 auf_null, S2E_SP, 663 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 664 auf_null, S2E_SP, 665 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 666 auf_null, 0, 667 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 668 auf_null, 0, 669 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 672 auf_null, 0, 673 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 676 auf_null, 0, 677 aui_null, AUE_BIND, aus_null, /* 232 bind */ 678 auf_bind, 0, 679 aui_null, AUE_NULL, aus_null, /* 233 listen */ 680 auf_null, 0, 681 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 682 auf_accept, 0, 683 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 684 auf_connect, 0, 685 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 686 auf_null, 0, 687 aui_null, AUE_READ, aus_null, /* 237 recv */ 688 auf_recv, 0, 689 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 690 auf_recvfrom, 0, 691 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 692 auf_recvmsg, 0, 693 aui_null, AUE_WRITE, aus_null, /* 240 send */ 694 auf_send, 0, 695 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 696 auf_sendmsg, 0, 697 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 698 auf_sendto, 0, 699 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 700 auf_null, 0, 701 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 702 auf_null, 0, 703 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 704 auf_null, 0, 705 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 706 auf_setsockopt, 0, 707 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 708 auf_null, 0, 709 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 710 auf_null, 0, 711 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_init */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 254 (loadable) */ 722 /* was lwp_sigtimedwait */ 723 auf_null, 0, 724 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 725 auf_null, 0 726 }; 727 728 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 729 730 char *so_not_bound = "socket not bound"; 731 char *so_not_conn = "socket not connected"; 732 char *so_bad_addr = "bad socket address"; 733 char *so_bad_peer_addr = "bad peer address"; 734 735 /* null start function */ 736 /*ARGSUSED*/ 737 static void 738 aus_null(struct t_audit_data *tad) 739 { 740 } 741 742 /* acct start function */ 743 /*ARGSUSED*/ 744 static void 745 aus_acct(struct t_audit_data *tad) 746 { 747 klwp_t *clwp = ttolwp(curthread); 748 uintptr_t fname; 749 750 struct a { 751 long fname; /* char * */ 752 } *uap = (struct a *)clwp->lwp_ap; 753 754 fname = (uintptr_t)uap->fname; 755 756 if (fname == 0) 757 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 758 } 759 760 /* chown start function */ 761 /*ARGSUSED*/ 762 static void 763 aus_chown(struct t_audit_data *tad) 764 { 765 klwp_t *clwp = ttolwp(curthread); 766 uint32_t uid, gid; 767 768 struct a { 769 long fname; /* char * */ 770 long uid; 771 long gid; 772 } *uap = (struct a *)clwp->lwp_ap; 773 774 uid = (uint32_t)uap->uid; 775 gid = (uint32_t)uap->gid; 776 777 au_uwrite(au_to_arg32(2, "new file uid", uid)); 778 au_uwrite(au_to_arg32(3, "new file gid", gid)); 779 } 780 781 /* fchown start function */ 782 /*ARGSUSED*/ 783 static void 784 aus_fchown(struct t_audit_data *tad) 785 { 786 klwp_t *clwp = ttolwp(curthread); 787 uint32_t uid, gid, fd; 788 struct file *fp; 789 struct vnode *vp; 790 struct f_audit_data *fad; 791 792 struct a { 793 long fd; 794 long uid; 795 long gid; 796 } *uap = (struct a *)clwp->lwp_ap; 797 798 fd = (uint32_t)uap->fd; 799 uid = (uint32_t)uap->uid; 800 gid = (uint32_t)uap->gid; 801 802 au_uwrite(au_to_arg32(2, "new file uid", uid)); 803 au_uwrite(au_to_arg32(3, "new file gid", gid)); 804 805 /* 806 * convert file pointer to file descriptor 807 * Note: fd ref count incremented here. 808 */ 809 if ((fp = getf(fd)) == NULL) 810 return; 811 812 /* get path from file struct here */ 813 fad = F2A(fp); 814 if (fad->fad_aupath != NULL) { 815 au_uwrite(au_to_path(fad->fad_aupath)); 816 } else { 817 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 818 } 819 820 vp = fp->f_vnode; 821 audit_attributes(vp); 822 823 /* decrement file descriptor reference count */ 824 releasef(fd); 825 } 826 827 /*ARGSUSED*/ 828 static void 829 aus_lchown(struct t_audit_data *tad) 830 { 831 klwp_t *clwp = ttolwp(curthread); 832 uint32_t uid, gid; 833 834 835 struct a { 836 long fname; /* char * */ 837 long uid; 838 long gid; 839 } *uap = (struct a *)clwp->lwp_ap; 840 841 uid = (uint32_t)uap->uid; 842 gid = (uint32_t)uap->gid; 843 844 au_uwrite(au_to_arg32(2, "new file uid", uid)); 845 au_uwrite(au_to_arg32(3, "new file gid", gid)); 846 } 847 848 /* chmod start function */ 849 /*ARGSUSED*/ 850 static void 851 aus_chmod(struct t_audit_data *tad) 852 { 853 klwp_t *clwp = ttolwp(curthread); 854 uint32_t fmode; 855 856 struct a { 857 long fname; /* char * */ 858 long fmode; 859 } *uap = (struct a *)clwp->lwp_ap; 860 861 fmode = (uint32_t)uap->fmode; 862 863 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 864 } 865 866 /* chmod start function */ 867 /*ARGSUSED*/ 868 static void 869 aus_fchmod(struct t_audit_data *tad) 870 { 871 klwp_t *clwp = ttolwp(curthread); 872 uint32_t fmode, fd; 873 struct file *fp; 874 struct vnode *vp; 875 struct f_audit_data *fad; 876 877 struct a { 878 long fd; 879 long fmode; 880 } *uap = (struct a *)clwp->lwp_ap; 881 882 fd = (uint32_t)uap->fd; 883 fmode = (uint32_t)uap->fmode; 884 885 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 886 887 /* 888 * convert file pointer to file descriptor 889 * Note: fd ref count incremented here. 890 */ 891 if ((fp = getf(fd)) == NULL) 892 return; 893 894 /* get path from file struct here */ 895 fad = F2A(fp); 896 if (fad->fad_aupath != NULL) { 897 au_uwrite(au_to_path(fad->fad_aupath)); 898 } else { 899 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 900 } 901 902 vp = fp->f_vnode; 903 audit_attributes(vp); 904 905 /* decrement file descriptor reference count */ 906 releasef(fd); 907 } 908 909 /* null function */ 910 /*ARGSUSED*/ 911 static void 912 auf_null(struct t_audit_data *tad, int error, rval_t *rval) 913 { 914 } 915 916 /* null function */ 917 static au_event_t 918 aui_null(au_event_t e) 919 { 920 return (e); 921 } 922 923 /* convert open to appropriate event */ 924 static au_event_t 925 aui_open(au_event_t e) 926 { 927 klwp_t *clwp = ttolwp(curthread); 928 uint_t fm; 929 930 struct a { 931 long fnamep; /* char * */ 932 long fmode; 933 long cmode; 934 } *uap = (struct a *)clwp->lwp_ap; 935 936 fm = (uint_t)uap->fmode; 937 938 if (fm & O_WRONLY) 939 e = AUE_OPEN_W; 940 else if (fm & O_RDWR) 941 e = AUE_OPEN_RW; 942 else 943 e = AUE_OPEN_R; 944 945 if (fm & O_CREAT) 946 e += 1; 947 if (fm & O_TRUNC) 948 e += 2; 949 950 return (e); 951 } 952 953 /*ARGSUSED*/ 954 static void 955 aus_open(struct t_audit_data *tad) 956 { 957 klwp_t *clwp = ttolwp(curthread); 958 uint_t fm; 959 960 struct a { 961 long fnamep; /* char * */ 962 long fmode; 963 long cmode; 964 } *uap = (struct a *)clwp->lwp_ap; 965 966 fm = (uint_t)uap->fmode; 967 968 /* If no write, create, or trunc modes, mark as a public op */ 969 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 970 tad->tad_ctrl |= PAD_PUBLIC_EV; 971 } 972 973 /* convert openat(2) to appropriate event */ 974 static au_event_t 975 aui_fsat(au_event_t e) 976 { 977 t_audit_data_t *tad = U2A(u); 978 klwp_t *clwp = ttolwp(curthread); 979 uint_t fmcode, fm; 980 struct a { 981 long id; 982 long arg1; 983 long arg2; 984 long arg3; 985 long arg4; 986 long arg5; 987 } *uap = (struct a *)clwp->lwp_ap; 988 989 fmcode = (uint_t)uap->id; 990 991 switch (fmcode) { 992 993 case 0: /* openat */ 994 case 1: /* openat64 */ 995 fm = (uint_t)uap->arg3; 996 if (fm & O_WRONLY) 997 e = AUE_OPENAT_W; 998 else if (fm & O_RDWR) 999 e = AUE_OPENAT_RW; 1000 else 1001 e = AUE_OPENAT_R; 1002 1003 /* 1004 * openat modes are defined in the following order: 1005 * Read only 1006 * Read|Create 1007 * Read|Trunc 1008 * Read|Create|Trunc 1009 * Write Only 1010 * Write|Create 1011 * Write|Trunc 1012 * Write|Create|Trunc * RW Only 1013 * RW|Create 1014 * RW|Trunc 1015 * RW|Create|Trunc 1016 */ 1017 if (fm & O_CREAT) 1018 e += 1; /* increment to include CREAT in mode */ 1019 if (fm & O_TRUNC) 1020 e += 2; /* increment to include TRUNC in mode */ 1021 1022 /* convert to appropriate au_ctrl */ 1023 tad->tad_ctrl |= PAD_SAVPATH; 1024 if (fm & FXATTR) 1025 tad->tad_ctrl |= PAD_ATPATH; 1026 1027 1028 break; 1029 case 2: /* fstatat64 */ 1030 case 3: /* fstatat */ 1031 e = AUE_FSTATAT; 1032 break; 1033 case 4: /* fchownat */ 1034 e = AUE_FCHOWNAT; 1035 break; 1036 case 5: /* unlinkat */ 1037 e = AUE_UNLINKAT; 1038 break; 1039 case 6: /* futimesat */ 1040 e = AUE_FUTIMESAT; 1041 break; 1042 case 7: /* renameat */ 1043 e = AUE_RENAMEAT; 1044 break; 1045 default: 1046 e = AUE_NULL; 1047 break; 1048 } 1049 1050 return (e); 1051 } 1052 1053 /*ARGSUSED*/ 1054 static void 1055 aus_fsat(struct t_audit_data *tad) 1056 { 1057 klwp_t *clwp = ttolwp(curthread); 1058 uint_t fmcode, fm; 1059 struct a { 1060 long id; 1061 long arg1; 1062 long arg2; 1063 long arg3; 1064 long arg4; 1065 long arg5; 1066 } *uap = (struct a *)clwp->lwp_ap; 1067 1068 fmcode = (uint_t)uap->id; 1069 1070 switch (fmcode) { 1071 1072 case 0: /* openat */ 1073 case 1: /* openat64 */ 1074 fm = (uint_t)uap->arg3; 1075 /* If no write, create, or trunc modes, mark as a public op */ 1076 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1077 tad->tad_ctrl |= PAD_PUBLIC_EV; 1078 1079 break; 1080 case 2: /* fstatat64 */ 1081 case 3: /* fstatat */ 1082 tad->tad_ctrl |= PAD_PUBLIC_EV; 1083 break; 1084 default: 1085 break; 1086 } 1087 } 1088 1089 /* msgsys */ 1090 static au_event_t 1091 aui_msgsys(au_event_t e) 1092 { 1093 klwp_t *clwp = ttolwp(curthread); 1094 uint_t fm; 1095 1096 struct a { 1097 long id; /* function code id */ 1098 long ap; /* arg pointer for recvmsg */ 1099 } *uap = (struct a *)clwp->lwp_ap; 1100 1101 struct b { 1102 long msgid; 1103 long cmd; 1104 long buf; /* struct msqid_ds * */ 1105 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1106 1107 fm = (uint_t)uap->id; 1108 1109 switch (fm) { 1110 case 0: /* msgget */ 1111 e = AUE_MSGGET; 1112 break; 1113 case 1: /* msgctl */ 1114 switch ((uint_t)uap1->cmd) { 1115 case IPC_RMID: 1116 e = AUE_MSGCTL_RMID; 1117 break; 1118 case IPC_SET: 1119 e = AUE_MSGCTL_SET; 1120 break; 1121 case IPC_STAT: 1122 e = AUE_MSGCTL_STAT; 1123 break; 1124 default: 1125 e = AUE_MSGCTL; 1126 break; 1127 } 1128 break; 1129 case 2: /* msgrcv */ 1130 e = AUE_MSGRCV; 1131 break; 1132 case 3: /* msgsnd */ 1133 e = AUE_MSGSND; 1134 break; 1135 default: /* illegal system call */ 1136 e = AUE_NULL; 1137 break; 1138 } 1139 1140 return (e); 1141 } 1142 1143 1144 /* shmsys */ 1145 static au_event_t 1146 aui_shmsys(au_event_t e) 1147 { 1148 klwp_t *clwp = ttolwp(curthread); 1149 int fm; 1150 1151 struct a { /* shmsys */ 1152 long id; /* function code id */ 1153 } *uap = (struct a *)clwp->lwp_ap; 1154 1155 struct b { /* ctrl */ 1156 long shmid; 1157 long cmd; 1158 long arg; /* struct shmid_ds * */ 1159 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1160 fm = (uint_t)uap->id; 1161 1162 switch (fm) { 1163 case 0: /* shmat */ 1164 e = AUE_SHMAT; 1165 break; 1166 case 1: /* shmctl */ 1167 switch ((uint_t)uap1->cmd) { 1168 case IPC_RMID: 1169 e = AUE_SHMCTL_RMID; 1170 break; 1171 case IPC_SET: 1172 e = AUE_SHMCTL_SET; 1173 break; 1174 case IPC_STAT: 1175 e = AUE_SHMCTL_STAT; 1176 break; 1177 default: 1178 e = AUE_SHMCTL; 1179 break; 1180 } 1181 break; 1182 case 2: /* shmdt */ 1183 e = AUE_SHMDT; 1184 break; 1185 case 3: /* shmget */ 1186 e = AUE_SHMGET; 1187 break; 1188 default: /* illegal system call */ 1189 e = AUE_NULL; 1190 break; 1191 } 1192 1193 return (e); 1194 } 1195 1196 1197 /* semsys */ 1198 static au_event_t 1199 aui_semsys(au_event_t e) 1200 { 1201 klwp_t *clwp = ttolwp(curthread); 1202 uint_t fm; 1203 1204 struct a { /* semsys */ 1205 long id; 1206 } *uap = (struct a *)clwp->lwp_ap; 1207 1208 struct b { /* ctrl */ 1209 long semid; 1210 long semnum; 1211 long cmd; 1212 long arg; 1213 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1214 1215 fm = (uint_t)uap->id; 1216 1217 switch (fm) { 1218 case 0: /* semctl */ 1219 switch ((uint_t)uap1->cmd) { 1220 case IPC_RMID: 1221 e = AUE_SEMCTL_RMID; 1222 break; 1223 case IPC_SET: 1224 e = AUE_SEMCTL_SET; 1225 break; 1226 case IPC_STAT: 1227 e = AUE_SEMCTL_STAT; 1228 break; 1229 case GETNCNT: 1230 e = AUE_SEMCTL_GETNCNT; 1231 break; 1232 case GETPID: 1233 e = AUE_SEMCTL_GETPID; 1234 break; 1235 case GETVAL: 1236 e = AUE_SEMCTL_GETVAL; 1237 break; 1238 case GETALL: 1239 e = AUE_SEMCTL_GETALL; 1240 break; 1241 case GETZCNT: 1242 e = AUE_SEMCTL_GETZCNT; 1243 break; 1244 case SETVAL: 1245 e = AUE_SEMCTL_SETVAL; 1246 break; 1247 case SETALL: 1248 e = AUE_SEMCTL_SETALL; 1249 break; 1250 default: 1251 e = AUE_SEMCTL; 1252 break; 1253 } 1254 break; 1255 case 1: /* semget */ 1256 e = AUE_SEMGET; 1257 break; 1258 case 2: /* semop */ 1259 e = AUE_SEMOP; 1260 break; 1261 default: /* illegal system call */ 1262 e = AUE_NULL; 1263 break; 1264 } 1265 1266 return (e); 1267 } 1268 1269 /* utssys - uname(2), ustat(2), fusers(2) */ 1270 static au_event_t 1271 aui_utssys(au_event_t e) 1272 { 1273 klwp_t *clwp = ttolwp(curthread); 1274 uint_t type; 1275 1276 struct a { 1277 union { 1278 long cbuf; /* char * */ 1279 long ubuf; /* struct stat * */ 1280 } ub; 1281 union { 1282 long mv; /* for USTAT */ 1283 long flags; /* for FUSERS */ 1284 } un; 1285 long type; 1286 long outbp; /* char * for FUSERS */ 1287 } *uap = (struct a *)clwp->lwp_ap; 1288 1289 type = (uint_t)uap->type; 1290 1291 if (type == UTS_FUSERS) 1292 return (e); 1293 else 1294 return ((au_event_t)AUE_NULL); 1295 } 1296 1297 static au_event_t 1298 aui_fcntl(au_event_t e) 1299 { 1300 klwp_t *clwp = ttolwp(curthread); 1301 uint_t cmd; 1302 1303 struct a { 1304 long fdes; 1305 long cmd; 1306 long arg; 1307 } *uap = (struct a *)clwp->lwp_ap; 1308 1309 cmd = (uint_t)uap->cmd; 1310 1311 switch (cmd) { 1312 case F_GETLK: 1313 case F_SETLK: 1314 case F_SETLKW: 1315 break; 1316 case F_SETFL: 1317 case F_GETFL: 1318 case F_GETFD: 1319 break; 1320 default: 1321 e = (au_event_t)AUE_NULL; 1322 break; 1323 } 1324 return ((au_event_t)e); 1325 } 1326 1327 /* null function for now */ 1328 static au_event_t 1329 aui_execv(au_event_t e) 1330 { 1331 return (e); 1332 } 1333 1334 /* null function for now */ 1335 static au_event_t 1336 aui_execve(au_event_t e) 1337 { 1338 return (e); 1339 } 1340 1341 /*ARGSUSED*/ 1342 static void 1343 aus_fcntl(struct t_audit_data *tad) 1344 { 1345 klwp_t *clwp = ttolwp(curthread); 1346 uint32_t cmd, fd; 1347 struct file *fp; 1348 struct vnode *vp; 1349 struct f_audit_data *fad; 1350 1351 struct a { 1352 long fd; 1353 long cmd; 1354 long arg; 1355 } *uap = (struct a *)clwp->lwp_ap; 1356 1357 cmd = (uint32_t)uap->cmd; 1358 fd = (uint32_t)uap->fd; 1359 1360 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1361 1362 /* 1363 * convert file pointer to file descriptor 1364 * Note: fd ref count incremented here. 1365 */ 1366 if ((fp = getf(fd)) == NULL) 1367 return; 1368 1369 /* get path from file struct here */ 1370 fad = F2A(fp); 1371 if (fad->fad_aupath != NULL) { 1372 au_uwrite(au_to_path(fad->fad_aupath)); 1373 } else { 1374 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1375 } 1376 1377 vp = fp->f_vnode; 1378 audit_attributes(vp); 1379 1380 /* decrement file descriptor reference count */ 1381 releasef(fd); 1382 } 1383 1384 /*ARGSUSED*/ 1385 static void 1386 aus_kill(struct t_audit_data *tad) 1387 { 1388 klwp_t *clwp = ttolwp(curthread); 1389 struct proc *p; 1390 uint32_t signo; 1391 uid_t uid, ruid; 1392 gid_t gid, rgid; 1393 pid_t pid; 1394 const auditinfo_addr_t *ainfo; 1395 cred_t *cr; 1396 1397 struct a { 1398 long pid; 1399 long signo; 1400 } *uap = (struct a *)clwp->lwp_ap; 1401 1402 pid = (pid_t)uap->pid; 1403 signo = (uint32_t)uap->signo; 1404 1405 au_uwrite(au_to_arg32(2, "signal", signo)); 1406 if (pid > 0) { 1407 mutex_enter(&pidlock); 1408 if (((p = prfind(pid)) == (struct proc *)0) || 1409 (p->p_stat == SIDL)) { 1410 mutex_exit(&pidlock); 1411 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1412 return; 1413 } 1414 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1415 mutex_exit(&pidlock); 1416 1417 mutex_enter(&p->p_crlock); 1418 crhold(cr = p->p_cred); 1419 mutex_exit(&p->p_crlock); 1420 mutex_exit(&p->p_lock); 1421 1422 ainfo = crgetauinfo(cr); 1423 if (ainfo == NULL) { 1424 crfree(cr); 1425 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1426 return; 1427 } 1428 1429 uid = crgetuid(cr); 1430 gid = crgetgid(cr); 1431 ruid = crgetruid(cr); 1432 rgid = crgetrgid(cr); 1433 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1434 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1435 crfree(cr); 1436 } 1437 else 1438 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1439 } 1440 1441 /*ARGSUSED*/ 1442 static void 1443 aus_mkdir(struct t_audit_data *tad) 1444 { 1445 klwp_t *clwp = ttolwp(curthread); 1446 uint32_t dmode; 1447 1448 struct a { 1449 long dirnamep; /* char * */ 1450 long dmode; 1451 } *uap = (struct a *)clwp->lwp_ap; 1452 1453 dmode = (uint32_t)uap->dmode; 1454 1455 au_uwrite(au_to_arg32(2, "mode", dmode)); 1456 } 1457 1458 /*ARGSUSED*/ 1459 static void 1460 aus_mknod(struct t_audit_data *tad) 1461 { 1462 klwp_t *clwp = ttolwp(curthread); 1463 uint32_t fmode; 1464 dev_t dev; 1465 1466 struct a { 1467 long pnamep; /* char * */ 1468 long fmode; 1469 long dev; 1470 } *uap = (struct a *)clwp->lwp_ap; 1471 1472 fmode = (uint32_t)uap->fmode; 1473 dev = (dev_t)uap->dev; 1474 1475 au_uwrite(au_to_arg32(2, "mode", fmode)); 1476 #ifdef _LP64 1477 au_uwrite(au_to_arg64(3, "dev", dev)); 1478 #else 1479 au_uwrite(au_to_arg32(3, "dev", dev)); 1480 #endif 1481 } 1482 1483 /*ARGSUSED*/ 1484 static void 1485 aus_xmknod(struct t_audit_data *tad) 1486 { 1487 klwp_t *clwp = ttolwp(curthread); 1488 uint32_t fmode; 1489 dev_t dev; 1490 1491 struct a { 1492 long version; /* version */ 1493 long pnamep; /* char * */ 1494 long fmode; 1495 long dev; 1496 } *uap = (struct a *)clwp->lwp_ap; 1497 1498 fmode = (uint32_t)uap->fmode; 1499 dev = (dev_t)uap->dev; 1500 1501 au_uwrite(au_to_arg32(2, "mode", fmode)); 1502 #ifdef _LP64 1503 au_uwrite(au_to_arg64(3, "dev", dev)); 1504 #else 1505 au_uwrite(au_to_arg32(3, "dev", dev)); 1506 #endif 1507 } 1508 1509 /*ARGSUSED*/ 1510 static void 1511 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1512 { 1513 klwp_t *clwp = ttolwp(curthread); 1514 vnode_t *dvp; 1515 caddr_t pnamep; 1516 1517 struct a { 1518 long pnamep; /* char * */ 1519 long fmode; 1520 long dev; 1521 } *uap = (struct a *)clwp->lwp_ap; 1522 1523 /* no error, then already path token in audit record */ 1524 if (error != EPERM) 1525 return; 1526 1527 /* not auditing this event, nothing then to do */ 1528 if (tad->tad_flag == 0) 1529 return; 1530 1531 /* do the lookup to force generation of path token */ 1532 pnamep = (caddr_t)uap->pnamep; 1533 tad->tad_ctrl |= PAD_NOATTRB; 1534 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1535 if (error == 0) 1536 VN_RELE(dvp); 1537 } 1538 1539 /*ARGSUSED*/ 1540 static void 1541 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1542 { 1543 klwp_t *clwp = ttolwp(curthread); 1544 vnode_t *dvp; 1545 caddr_t pnamep; 1546 1547 struct a { 1548 long version; /* version */ 1549 long pnamep; /* char * */ 1550 long fmode; 1551 long dev; 1552 } *uap = (struct a *)clwp->lwp_arg; 1553 1554 1555 /* no error, then already path token in audit record */ 1556 if (error != EPERM) 1557 return; 1558 1559 /* not auditing this event, nothing then to do */ 1560 if (tad->tad_flag == 0) 1561 return; 1562 1563 /* do the lookup to force generation of path token */ 1564 pnamep = (caddr_t)uap->pnamep; 1565 tad->tad_ctrl |= PAD_NOATTRB; 1566 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1567 if (error == 0) 1568 VN_RELE(dvp); 1569 } 1570 1571 /*ARGSUSED*/ 1572 static void 1573 aus_mount(struct t_audit_data *tad) 1574 { /* AUS_START */ 1575 klwp_t *clwp = ttolwp(curthread); 1576 uint32_t flags; 1577 uintptr_t u_fstype, dataptr; 1578 STRUCT_DECL(nfs_args, nfsargs); 1579 size_t len; 1580 char *fstype, *hostname; 1581 1582 struct a { 1583 long spec; /* char * */ 1584 long dir; /* char * */ 1585 long flags; 1586 long fstype; /* char * */ 1587 long dataptr; /* char * */ 1588 long datalen; 1589 } *uap = (struct a *)clwp->lwp_ap; 1590 1591 u_fstype = (uintptr_t)uap->fstype; 1592 flags = (uint32_t)uap->flags; 1593 dataptr = (uintptr_t)uap->dataptr; 1594 1595 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1596 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1597 goto mount_free_fstype; 1598 1599 au_uwrite(au_to_arg32(3, "flags", flags)); 1600 au_uwrite(au_to_text(fstype)); 1601 1602 if (strncmp(fstype, "nfs", 3) == 0) { 1603 1604 STRUCT_INIT(nfsargs, get_udatamodel()); 1605 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1606 1607 if (copyin((caddr_t)dataptr, 1608 STRUCT_BUF(nfsargs), 1609 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1610 /* DEBUG debug_enter((char *)NULL); */ 1611 goto mount_free_fstype; 1612 } 1613 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1614 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1615 (caddr_t)hostname, 1616 MAXNAMELEN, &len)) { 1617 goto mount_free_hostname; 1618 } 1619 au_uwrite(au_to_text(hostname)); 1620 au_uwrite(au_to_arg32(3, "internal flags", 1621 (uint_t)STRUCT_FGET(nfsargs, flags))); 1622 1623 mount_free_hostname: 1624 kmem_free(hostname, MAXNAMELEN); 1625 } 1626 1627 mount_free_fstype: 1628 kmem_free(fstype, MAXNAMELEN); 1629 } /* AUS_MOUNT */ 1630 1631 static void 1632 aus_umount_path(caddr_t umount_dir) 1633 { 1634 char *dir_path; 1635 struct audit_path *path; 1636 size_t path_len, dir_len; 1637 1638 /* length alloc'd for two string pointers */ 1639 path_len = sizeof (struct audit_path) + sizeof (char *); 1640 path = kmem_alloc(path_len, KM_SLEEP); 1641 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1642 1643 if (copyinstr(umount_dir, (caddr_t)dir_path, 1644 MAXPATHLEN, &dir_len)) 1645 goto umount2_free_dir; 1646 1647 /* 1648 * the audit_path struct assumes that the buffer pointed to 1649 * by audp_sect[n] contains string 0 immediatedly followed 1650 * by string 1. 1651 */ 1652 path->audp_sect[0] = dir_path; 1653 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1654 path->audp_size = path_len; 1655 path->audp_ref = 1; /* not used */ 1656 path->audp_cnt = 1; /* one path string */ 1657 1658 au_uwrite(au_to_path(path)); 1659 1660 umount2_free_dir: 1661 kmem_free(dir_path, MAXPATHLEN); 1662 kmem_free(path, path_len); 1663 } 1664 1665 /* 1666 * the umount syscall is implemented as a call to umount2, but the args 1667 * are different... 1668 */ 1669 1670 /*ARGSUSED*/ 1671 static void 1672 aus_umount(struct t_audit_data *tad) 1673 { 1674 klwp_t *clwp = ttolwp(curthread); 1675 struct a { 1676 long dir; /* char * */ 1677 } *uap = (struct a *)clwp->lwp_ap; 1678 1679 aus_umount_path((caddr_t)uap->dir); 1680 } 1681 1682 /*ARGSUSED*/ 1683 static void 1684 aus_umount2(struct t_audit_data *tad) 1685 { 1686 klwp_t *clwp = ttolwp(curthread); 1687 struct a { 1688 long dir; /* char * */ 1689 long flags; 1690 } *uap = (struct a *)clwp->lwp_ap; 1691 1692 aus_umount_path((caddr_t)uap->dir); 1693 1694 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1695 } 1696 1697 static void 1698 aus_msgsys(struct t_audit_data *tad) 1699 { 1700 klwp_t *clwp = ttolwp(curthread); 1701 uint32_t msgid; 1702 1703 struct b { 1704 long msgid; 1705 long cmd; 1706 long buf; /* struct msqid_ds * */ 1707 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1708 1709 msgid = (uint32_t)uap1->msgid; 1710 1711 1712 switch (tad->tad_event) { 1713 case AUE_MSGGET: /* msgget */ 1714 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1715 break; 1716 case AUE_MSGCTL: /* msgctl */ 1717 case AUE_MSGCTL_RMID: /* msgctl */ 1718 case AUE_MSGCTL_STAT: /* msgctl */ 1719 case AUE_MSGRCV: /* msgrcv */ 1720 case AUE_MSGSND: /* msgsnd */ 1721 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1722 break; 1723 case AUE_MSGCTL_SET: /* msgctl */ 1724 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1725 break; 1726 } 1727 } 1728 1729 /*ARGSUSED*/ 1730 static void 1731 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1732 { 1733 int id; 1734 1735 if (error != 0) 1736 return; 1737 if (tad->tad_event == AUE_MSGGET) { 1738 uint32_t scid; 1739 uint32_t sy_flags; 1740 1741 /* need to determine type of executing binary */ 1742 scid = tad->tad_scid; 1743 #ifdef _SYSCALL32_IMPL 1744 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1745 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1746 else 1747 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1748 #else 1749 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1750 #endif 1751 if (sy_flags == SE_32RVAL1) 1752 id = rval->r_val1; 1753 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1754 id = rval->r_val1; 1755 if (sy_flags == SE_64RVAL) 1756 id = (int)rval->r_vals; 1757 1758 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1759 } 1760 } 1761 1762 static void 1763 aus_semsys(struct t_audit_data *tad) 1764 { 1765 klwp_t *clwp = ttolwp(curthread); 1766 uint32_t semid; 1767 1768 struct b { /* ctrl */ 1769 long semid; 1770 long semnum; 1771 long cmd; 1772 long arg; 1773 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1774 1775 semid = (uint32_t)uap1->semid; 1776 1777 switch (tad->tad_event) { 1778 case AUE_SEMCTL_RMID: 1779 case AUE_SEMCTL_STAT: 1780 case AUE_SEMCTL_GETNCNT: 1781 case AUE_SEMCTL_GETPID: 1782 case AUE_SEMCTL_GETVAL: 1783 case AUE_SEMCTL_GETALL: 1784 case AUE_SEMCTL_GETZCNT: 1785 case AUE_SEMCTL_SETVAL: 1786 case AUE_SEMCTL_SETALL: 1787 case AUE_SEMCTL: 1788 case AUE_SEMOP: 1789 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1790 break; 1791 case AUE_SEMCTL_SET: 1792 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1793 break; 1794 case AUE_SEMGET: 1795 au_uwrite(au_to_arg32(1, "sem key", semid)); 1796 break; 1797 } 1798 } 1799 1800 /*ARGSUSED*/ 1801 static void 1802 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1803 { 1804 int id; 1805 1806 if (error != 0) 1807 return; 1808 if (tad->tad_event == AUE_SEMGET) { 1809 uint32_t scid; 1810 uint32_t sy_flags; 1811 1812 /* need to determine type of executing binary */ 1813 scid = tad->tad_scid; 1814 #ifdef _SYSCALL32_IMPL 1815 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1816 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1817 else 1818 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1819 #else 1820 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1821 #endif 1822 if (sy_flags == SE_32RVAL1) 1823 id = rval->r_val1; 1824 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1825 id = rval->r_val1; 1826 if (sy_flags == SE_64RVAL) 1827 id = (int)rval->r_vals; 1828 1829 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1830 } 1831 } 1832 1833 /*ARGSUSED*/ 1834 static void 1835 aus_close(struct t_audit_data *tad) 1836 { 1837 klwp_t *clwp = ttolwp(curthread); 1838 uint32_t fd; 1839 struct file *fp; 1840 struct f_audit_data *fad; 1841 struct vnode *vp; 1842 struct vattr attr; 1843 au_kcontext_t *kctx = SET_KCTX_PZ; 1844 1845 struct a { 1846 long i; 1847 } *uap = (struct a *)clwp->lwp_ap; 1848 1849 fd = (uint32_t)uap->i; 1850 1851 attr.va_mask = 0; 1852 au_uwrite(au_to_arg32(1, "fd", fd)); 1853 1854 /* 1855 * convert file pointer to file descriptor 1856 * Note: fd ref count incremented here. 1857 */ 1858 if ((fp = getf(fd)) == NULL) 1859 return; 1860 1861 fad = F2A(fp); 1862 tad->tad_evmod = (short)fad->fad_flags; 1863 if (fad->fad_aupath != NULL) { 1864 au_uwrite(au_to_path(fad->fad_aupath)); 1865 if ((vp = fp->f_vnode) != NULL) { 1866 attr.va_mask = AT_ALL; 1867 if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) { 1868 au_uwrite(au_to_attr(&attr)); 1869 /* 1870 * When write was not used and the file can be 1871 * considered public, skip the audit. 1872 */ 1873 if (((fp->f_flag & FWRITE) == 0) && 1874 file_is_public(&attr)) { 1875 tad->tad_flag = 0; 1876 tad->tad_evmod = 0; 1877 /* free any residual audit data */ 1878 au_close(kctx, &(u_ad), 0, 0, 0); 1879 releasef(fd); 1880 return; 1881 } 1882 } 1883 } 1884 } 1885 1886 /* decrement file descriptor reference count */ 1887 releasef(fd); 1888 } 1889 1890 /*ARGSUSED*/ 1891 static void 1892 aus_fstatfs(struct t_audit_data *tad) 1893 { 1894 klwp_t *clwp = ttolwp(curthread); 1895 uint32_t fd; 1896 struct file *fp; 1897 struct vnode *vp; 1898 struct f_audit_data *fad; 1899 1900 struct a { 1901 long fd; 1902 long buf; /* struct statfs * */ 1903 } *uap = (struct a *)clwp->lwp_ap; 1904 1905 fd = (uint_t)uap->fd; 1906 1907 /* 1908 * convert file pointer to file descriptor 1909 * Note: fd ref count incremented here. 1910 */ 1911 if ((fp = getf(fd)) == NULL) 1912 return; 1913 1914 /* get path from file struct here */ 1915 fad = F2A(fp); 1916 if (fad->fad_aupath != NULL) { 1917 au_uwrite(au_to_path(fad->fad_aupath)); 1918 } else { 1919 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1920 } 1921 1922 vp = fp->f_vnode; 1923 audit_attributes(vp); 1924 1925 /* decrement file descriptor reference count */ 1926 releasef(fd); 1927 } 1928 1929 #ifdef NOTYET 1930 /*ARGSUSED*/ 1931 static void 1932 aus_setpgrp(struct t_audit_data *tad) 1933 { 1934 klwp_t *clwp = ttolwp(curthread); 1935 uint32_t pgrp; 1936 struct proc *p; 1937 uid_t uid, ruid; 1938 gid_t gid, rgid; 1939 pid_t pid; 1940 const auditinfo_addr_t *ainfo; 1941 cred_t *cr; 1942 1943 struct a { 1944 long pid; 1945 long pgrp; 1946 } *uap = (struct a *)clwp->lwp_ap; 1947 1948 pid = (pid_t)uap->pid; 1949 pgrp = (uint32_t)uap->pgrp; 1950 1951 /* current process? */ 1952 if (pid == 0) 1953 (return); 1954 1955 mutex_enter(&pidlock); 1956 p = prfind(pid); 1957 if (p == NULL || p->p_as == &kas) { 1958 mutex_exit(&pidlock); 1959 return; 1960 } 1961 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1962 mutex_exit(&pidlock); 1963 1964 mutex_enter(&p->p_crlock); 1965 crhold(cr = p->p_cred); 1966 mutex_exit(&p->p_crlock); 1967 mutex_exit(&p->p_lock); 1968 1969 ainfo = crgetauinfo(cr); 1970 if (ainfo == NULL) { 1971 crfree(cr); 1972 return; 1973 } 1974 1975 uid = crgetuid(cr); 1976 gid = crgetgid(cr); 1977 ruid = crgetruid(cr); 1978 rgid = crgetrgid(cr); 1979 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1980 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1981 crfree(cr); 1982 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1983 } 1984 #endif 1985 1986 /*ARGSUSED*/ 1987 static void 1988 aus_setregid(struct t_audit_data *tad) 1989 { 1990 klwp_t *clwp = ttolwp(curthread); 1991 uint32_t rgid, egid; 1992 1993 struct a { 1994 long rgid; 1995 long egid; 1996 } *uap = (struct a *)clwp->lwp_ap; 1997 1998 rgid = (uint32_t)uap->rgid; 1999 egid = (uint32_t)uap->egid; 2000 2001 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2002 au_uwrite(au_to_arg32(2, "egid", egid)); 2003 } 2004 2005 /*ARGSUSED*/ 2006 static void 2007 aus_setgid(struct t_audit_data *tad) 2008 { 2009 klwp_t *clwp = ttolwp(curthread); 2010 uint32_t gid; 2011 2012 struct a { 2013 long gid; 2014 } *uap = (struct a *)clwp->lwp_ap; 2015 2016 gid = (uint32_t)uap->gid; 2017 2018 au_uwrite(au_to_arg32(1, "gid", gid)); 2019 } 2020 2021 2022 /*ARGSUSED*/ 2023 static void 2024 aus_setreuid(struct t_audit_data *tad) 2025 { 2026 klwp_t *clwp = ttolwp(curthread); 2027 uint32_t ruid, euid; 2028 2029 struct a { 2030 long ruid; 2031 long euid; 2032 } *uap = (struct a *)clwp->lwp_ap; 2033 2034 ruid = (uint32_t)uap->ruid; 2035 euid = (uint32_t)uap->euid; 2036 2037 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2038 au_uwrite(au_to_arg32(2, "euid", euid)); 2039 } 2040 2041 2042 /*ARGSUSED*/ 2043 static void 2044 aus_setuid(struct t_audit_data *tad) 2045 { 2046 klwp_t *clwp = ttolwp(curthread); 2047 uint32_t uid; 2048 2049 struct a { 2050 long uid; 2051 } *uap = (struct a *)clwp->lwp_ap; 2052 2053 uid = (uint32_t)uap->uid; 2054 2055 au_uwrite(au_to_arg32(1, "uid", uid)); 2056 } 2057 2058 /*ARGSUSED*/ 2059 static void 2060 aus_shmsys(struct t_audit_data *tad) 2061 { 2062 klwp_t *clwp = ttolwp(curthread); 2063 uint32_t id, cmd; 2064 2065 struct b { 2066 long id; 2067 long cmd; 2068 long buf; /* struct shmid_ds * */ 2069 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2070 2071 id = (uint32_t)uap1->id; 2072 cmd = (uint32_t)uap1->cmd; 2073 2074 switch (tad->tad_event) { 2075 case AUE_SHMGET: /* shmget */ 2076 au_uwrite(au_to_arg32(1, "shm key", id)); 2077 break; 2078 case AUE_SHMCTL: /* shmctl */ 2079 case AUE_SHMCTL_RMID: /* shmctl */ 2080 case AUE_SHMCTL_STAT: /* shmctl */ 2081 case AUE_SHMCTL_SET: /* shmctl */ 2082 au_uwrite(au_to_arg32(1, "shm ID", id)); 2083 break; 2084 case AUE_SHMDT: /* shmdt */ 2085 au_uwrite(au_to_arg32(1, "shm adr", id)); 2086 break; 2087 case AUE_SHMAT: /* shmat */ 2088 au_uwrite(au_to_arg32(1, "shm ID", id)); 2089 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2090 break; 2091 } 2092 } 2093 2094 /*ARGSUSED*/ 2095 static void 2096 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2097 { 2098 int id; 2099 2100 if (error != 0) 2101 return; 2102 if (tad->tad_event == AUE_SHMGET) { 2103 uint32_t scid; 2104 uint32_t sy_flags; 2105 2106 /* need to determine type of executing binary */ 2107 scid = tad->tad_scid; 2108 #ifdef _SYSCALL32_IMPL 2109 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2110 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2111 else 2112 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2113 #else 2114 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2115 #endif 2116 if (sy_flags == SE_32RVAL1) 2117 id = rval->r_val1; 2118 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2119 id = rval->r_val1; 2120 if (sy_flags == SE_64RVAL) 2121 id = (int)rval->r_vals; 2122 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2123 } 2124 } 2125 2126 2127 /*ARGSUSED*/ 2128 static void 2129 aus_ioctl(struct t_audit_data *tad) 2130 { 2131 klwp_t *clwp = ttolwp(curthread); 2132 struct file *fp; 2133 struct vnode *vp; 2134 struct f_audit_data *fad; 2135 uint32_t fd, cmd; 2136 uintptr_t cmarg; 2137 2138 /* XX64 */ 2139 struct a { 2140 long fd; 2141 long cmd; 2142 long cmarg; /* caddr_t */ 2143 } *uap = (struct a *)clwp->lwp_ap; 2144 2145 fd = (uint32_t)uap->fd; 2146 cmd = (uint32_t)uap->cmd; 2147 cmarg = (uintptr_t)uap->cmarg; 2148 2149 /* 2150 * convert file pointer to file descriptor 2151 * Note: fd ref count incremented here. 2152 */ 2153 if ((fp = getf(fd)) == NULL) { 2154 au_uwrite(au_to_arg32(1, "fd", fd)); 2155 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2156 #ifndef _LP64 2157 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2158 #else 2159 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2160 #endif 2161 return; 2162 } 2163 2164 /* get path from file struct here */ 2165 fad = F2A(fp); 2166 if (fad->fad_aupath != NULL) { 2167 au_uwrite(au_to_path(fad->fad_aupath)); 2168 } else { 2169 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2170 } 2171 2172 vp = fp->f_vnode; 2173 audit_attributes(vp); 2174 2175 /* decrement file descriptor reference count */ 2176 releasef(fd); 2177 2178 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2179 #ifndef _LP64 2180 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2181 #else 2182 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2183 #endif 2184 } 2185 2186 /* 2187 * null function for memcntl for now. We might want to limit memcntl() 2188 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2189 * require privileges. 2190 */ 2191 static au_event_t 2192 aui_memcntl(au_event_t e) 2193 { 2194 return (e); 2195 } 2196 2197 /*ARGSUSED*/ 2198 static au_event_t 2199 aui_privsys(au_event_t e) 2200 { 2201 klwp_t *clwp = ttolwp(curthread); 2202 2203 struct a { 2204 long opcode; 2205 } *uap = (struct a *)clwp->lwp_ap; 2206 2207 switch (uap->opcode) { 2208 case PRIVSYS_SETPPRIV: 2209 return (AUE_SETPPRIV); 2210 default: 2211 return (AUE_NULL); 2212 } 2213 } 2214 2215 /*ARGSUSED*/ 2216 static void 2217 aus_memcntl(struct t_audit_data *tad) 2218 { 2219 klwp_t *clwp = ttolwp(curthread); 2220 2221 struct a { 2222 long addr; 2223 long len; 2224 long cmd; 2225 long arg; 2226 long attr; 2227 long mask; 2228 } *uap = (struct a *)clwp->lwp_ap; 2229 2230 #ifdef _LP64 2231 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2232 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2233 #else 2234 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2235 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2236 #endif 2237 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2238 #ifdef _LP64 2239 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2240 #else 2241 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2242 #endif 2243 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2244 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2245 } 2246 2247 /*ARGSUSED*/ 2248 static void 2249 aus_mmap(struct t_audit_data *tad) 2250 { 2251 klwp_t *clwp = ttolwp(curthread); 2252 struct file *fp; 2253 struct f_audit_data *fad; 2254 struct vnode *vp; 2255 uint32_t fd; 2256 2257 struct a { 2258 long addr; 2259 long len; 2260 long prot; 2261 long flags; 2262 long fd; 2263 long pos; 2264 } *uap = (struct a *)clwp->lwp_ap; 2265 2266 fd = (uint32_t)uap->fd; 2267 2268 #ifdef _LP64 2269 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2270 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2271 #else 2272 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2273 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2274 #endif 2275 2276 if ((fp = getf(fd)) == NULL) { 2277 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2278 return; 2279 } 2280 2281 /* 2282 * Mark in the tad if write access is NOT requested... if 2283 * this is later detected (in audit_attributes) to be a 2284 * public object, the mmap event may be discarded. 2285 */ 2286 if (((uap->prot) & PROT_WRITE) == 0) { 2287 tad->tad_ctrl |= PAD_PUBLIC_EV; 2288 } 2289 2290 fad = F2A(fp); 2291 if (fad->fad_aupath != NULL) { 2292 au_uwrite(au_to_path(fad->fad_aupath)); 2293 } else { 2294 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2295 } 2296 2297 vp = (struct vnode *)fp->f_vnode; 2298 audit_attributes(vp); 2299 2300 /* mark READ/WRITE since we can't predict access */ 2301 if (uap->prot & PROT_READ) 2302 fad->fad_flags |= FAD_READ; 2303 if (uap->prot & PROT_WRITE) 2304 fad->fad_flags |= FAD_WRITE; 2305 2306 /* decrement file descriptor reference count */ 2307 releasef(fd); 2308 2309 } /* AUS_MMAP */ 2310 2311 2312 2313 2314 /*ARGSUSED*/ 2315 static void 2316 aus_munmap(struct t_audit_data *tad) 2317 { 2318 klwp_t *clwp = ttolwp(curthread); 2319 2320 struct a { 2321 long addr; 2322 long len; 2323 } *uap = (struct a *)clwp->lwp_ap; 2324 2325 #ifdef _LP64 2326 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2327 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2328 #else 2329 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2330 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2331 #endif 2332 2333 } /* AUS_MUNMAP */ 2334 2335 2336 2337 2338 2339 2340 2341 /*ARGSUSED*/ 2342 static void 2343 aus_priocntlsys(struct t_audit_data *tad) 2344 { 2345 klwp_t *clwp = ttolwp(curthread); 2346 2347 struct a { 2348 long pc_version; 2349 long psp; /* procset_t */ 2350 long cmd; 2351 long arg; 2352 } *uap = (struct a *)clwp->lwp_ap; 2353 2354 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2355 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2356 2357 } /* AUS_PRIOCNTLSYS */ 2358 2359 2360 /*ARGSUSED*/ 2361 static void 2362 aus_setegid(struct t_audit_data *tad) 2363 { 2364 klwp_t *clwp = ttolwp(curthread); 2365 uint32_t gid; 2366 2367 struct a { 2368 long gid; 2369 } *uap = (struct a *)clwp->lwp_ap; 2370 2371 gid = (uint32_t)uap->gid; 2372 2373 au_uwrite(au_to_arg32(1, "gid", gid)); 2374 } /* AUS_SETEGID */ 2375 2376 2377 2378 2379 /*ARGSUSED*/ 2380 static void 2381 aus_setgroups(struct t_audit_data *tad) 2382 { 2383 klwp_t *clwp = ttolwp(curthread); 2384 int i; 2385 int gidsetsize; 2386 uintptr_t gidset; 2387 gid_t *gidlist; 2388 2389 struct a { 2390 long gidsetsize; 2391 long gidset; 2392 } *uap = (struct a *)clwp->lwp_ap; 2393 2394 gidsetsize = (uint_t)uap->gidsetsize; 2395 gidset = (uintptr_t)uap->gidset; 2396 2397 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2398 return; 2399 if (gidsetsize != 0) { 2400 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2401 KM_SLEEP); 2402 if (copyin((caddr_t)gidset, gidlist, 2403 gidsetsize * sizeof (gid_t)) == 0) 2404 for (i = 0; i < gidsetsize; i++) 2405 au_uwrite(au_to_arg32(1, "setgroups", 2406 (uint32_t)gidlist[i])); 2407 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2408 } else 2409 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2410 2411 } /* AUS_SETGROUPS */ 2412 2413 2414 2415 2416 2417 /*ARGSUSED*/ 2418 static void 2419 aus_seteuid(struct t_audit_data *tad) 2420 { 2421 klwp_t *clwp = ttolwp(curthread); 2422 uint32_t uid; 2423 2424 struct a { 2425 long uid; 2426 } *uap = (struct a *)clwp->lwp_ap; 2427 2428 uid = (uint32_t)uap->uid; 2429 2430 au_uwrite(au_to_arg32(1, "euid", uid)); 2431 2432 } /* AUS_SETEUID */ 2433 2434 /*ARGSUSED*/ 2435 static void 2436 aus_putmsg(struct t_audit_data *tad) 2437 { 2438 klwp_t *clwp = ttolwp(curthread); 2439 uint32_t fd, pri; 2440 struct file *fp; 2441 struct f_audit_data *fad; 2442 2443 struct a { 2444 long fdes; 2445 long ctl; /* struct strbuf * */ 2446 long data; /* struct strbuf * */ 2447 long pri; 2448 } *uap = (struct a *)clwp->lwp_ap; 2449 2450 fd = (uint32_t)uap->fdes; 2451 pri = (uint32_t)uap->pri; 2452 2453 au_uwrite(au_to_arg32(1, "fd", fd)); 2454 2455 if ((fp = getf(fd)) != NULL) { 2456 fad = F2A(fp); 2457 2458 fad->fad_flags |= FAD_WRITE; 2459 2460 /* add path name to audit record */ 2461 if (fad->fad_aupath != NULL) { 2462 au_uwrite(au_to_path(fad->fad_aupath)); 2463 } 2464 audit_attributes(fp->f_vnode); 2465 2466 releasef(fd); 2467 } 2468 2469 au_uwrite(au_to_arg32(4, "pri", pri)); 2470 } 2471 2472 /*ARGSUSED*/ 2473 static void 2474 aus_putpmsg(struct t_audit_data *tad) 2475 { 2476 klwp_t *clwp = ttolwp(curthread); 2477 uint32_t fd, pri, flags; 2478 struct file *fp; 2479 struct f_audit_data *fad; 2480 2481 struct a { 2482 long fdes; 2483 long ctl; /* struct strbuf * */ 2484 long data; /* struct strbuf * */ 2485 long pri; 2486 long flags; 2487 } *uap = (struct a *)clwp->lwp_ap; 2488 2489 fd = (uint32_t)uap->fdes; 2490 pri = (uint32_t)uap->pri; 2491 flags = (uint32_t)uap->flags; 2492 2493 au_uwrite(au_to_arg32(1, "fd", fd)); 2494 2495 if ((fp = getf(fd)) != NULL) { 2496 fad = F2A(fp); 2497 2498 fad->fad_flags |= FAD_WRITE; 2499 2500 /* add path name to audit record */ 2501 if (fad->fad_aupath != NULL) { 2502 au_uwrite(au_to_path(fad->fad_aupath)); 2503 } 2504 audit_attributes(fp->f_vnode); 2505 2506 releasef(fd); 2507 } 2508 2509 2510 au_uwrite(au_to_arg32(4, "pri", pri)); 2511 au_uwrite(au_to_arg32(5, "flags", flags)); 2512 } 2513 2514 /*ARGSUSED*/ 2515 static void 2516 aus_getmsg(struct t_audit_data *tad) 2517 { 2518 klwp_t *clwp = ttolwp(curthread); 2519 uint32_t fd, pri; 2520 struct file *fp; 2521 struct f_audit_data *fad; 2522 2523 struct a { 2524 long fdes; 2525 long ctl; /* struct strbuf * */ 2526 long data; /* struct strbuf * */ 2527 long pri; 2528 } *uap = (struct a *)clwp->lwp_ap; 2529 2530 fd = (uint32_t)uap->fdes; 2531 pri = (uint32_t)uap->pri; 2532 2533 au_uwrite(au_to_arg32(1, "fd", fd)); 2534 2535 if ((fp = getf(fd)) != NULL) { 2536 fad = F2A(fp); 2537 2538 /* 2539 * read operation on this object 2540 */ 2541 fad->fad_flags |= FAD_READ; 2542 2543 /* add path name to audit record */ 2544 if (fad->fad_aupath != NULL) { 2545 au_uwrite(au_to_path(fad->fad_aupath)); 2546 } 2547 audit_attributes(fp->f_vnode); 2548 2549 releasef(fd); 2550 } 2551 2552 au_uwrite(au_to_arg32(4, "pri", pri)); 2553 } 2554 2555 /*ARGSUSED*/ 2556 static void 2557 aus_getpmsg(struct t_audit_data *tad) 2558 { 2559 klwp_t *clwp = ttolwp(curthread); 2560 uint32_t fd; 2561 struct file *fp; 2562 struct f_audit_data *fad; 2563 2564 struct a { 2565 long fdes; 2566 long ctl; /* struct strbuf * */ 2567 long data; /* struct strbuf * */ 2568 long pri; 2569 long flags; 2570 } *uap = (struct a *)clwp->lwp_ap; 2571 2572 fd = (uint32_t)uap->fdes; 2573 2574 au_uwrite(au_to_arg32(1, "fd", fd)); 2575 2576 if ((fp = getf(fd)) != NULL) { 2577 fad = F2A(fp); 2578 2579 /* 2580 * read operation on this object 2581 */ 2582 fad->fad_flags |= FAD_READ; 2583 2584 /* add path name to audit record */ 2585 if (fad->fad_aupath != NULL) { 2586 au_uwrite(au_to_path(fad->fad_aupath)); 2587 } 2588 audit_attributes(fp->f_vnode); 2589 2590 releasef(fd); 2591 } 2592 } 2593 2594 static au_event_t 2595 aui_auditsys(au_event_t e) 2596 { 2597 klwp_t *clwp = ttolwp(curthread); 2598 uint32_t code; 2599 2600 struct a { 2601 long code; 2602 long a1; 2603 long a2; 2604 long a3; 2605 long a4; 2606 long a5; 2607 long a6; 2608 long a7; 2609 } *uap = (struct a *)clwp->lwp_ap; 2610 2611 code = (uint32_t)uap->code; 2612 2613 switch (code) { 2614 2615 case BSM_GETAUID: 2616 e = AUE_GETAUID; 2617 break; 2618 case BSM_SETAUID: 2619 e = AUE_SETAUID; 2620 break; 2621 case BSM_GETAUDIT: 2622 e = AUE_GETAUDIT; 2623 break; 2624 case BSM_GETAUDIT_ADDR: 2625 e = AUE_GETAUDIT_ADDR; 2626 break; 2627 case BSM_SETAUDIT: 2628 e = AUE_SETAUDIT; 2629 break; 2630 case BSM_SETAUDIT_ADDR: 2631 e = AUE_SETAUDIT_ADDR; 2632 break; 2633 case BSM_AUDIT: 2634 e = AUE_AUDIT; 2635 break; 2636 case BSM_AUDITSVC: 2637 e = AUE_AUDITSVC; 2638 break; 2639 case BSM_GETPORTAUDIT: 2640 e = AUE_GETPORTAUDIT; 2641 break; 2642 case BSM_AUDITON: 2643 case BSM_AUDITCTL: 2644 2645 switch ((uint_t)uap->a1) { 2646 2647 case A_GETPOLICY: 2648 e = AUE_AUDITON_GPOLICY; 2649 break; 2650 case A_SETPOLICY: 2651 e = AUE_AUDITON_SPOLICY; 2652 break; 2653 case A_GETKMASK: 2654 e = AUE_AUDITON_GETKMASK; 2655 break; 2656 case A_SETKMASK: 2657 e = AUE_AUDITON_SETKMASK; 2658 break; 2659 case A_GETQCTRL: 2660 e = AUE_AUDITON_GQCTRL; 2661 break; 2662 case A_SETQCTRL: 2663 e = AUE_AUDITON_SQCTRL; 2664 break; 2665 case A_GETCWD: 2666 e = AUE_AUDITON_GETCWD; 2667 break; 2668 case A_GETCAR: 2669 e = AUE_AUDITON_GETCAR; 2670 break; 2671 case A_GETSTAT: 2672 e = AUE_AUDITON_GETSTAT; 2673 break; 2674 case A_SETSTAT: 2675 e = AUE_AUDITON_SETSTAT; 2676 break; 2677 case A_SETUMASK: 2678 e = AUE_AUDITON_SETUMASK; 2679 break; 2680 case A_SETSMASK: 2681 e = AUE_AUDITON_SETSMASK; 2682 break; 2683 case A_GETCOND: 2684 e = AUE_AUDITON_GETCOND; 2685 break; 2686 case A_SETCOND: 2687 e = AUE_AUDITON_SETCOND; 2688 break; 2689 case A_GETCLASS: 2690 e = AUE_AUDITON_GETCLASS; 2691 break; 2692 case A_SETCLASS: 2693 e = AUE_AUDITON_SETCLASS; 2694 break; 2695 default: 2696 e = AUE_NULL; 2697 break; 2698 } 2699 break; 2700 default: 2701 e = AUE_NULL; 2702 break; 2703 } 2704 2705 return (e); 2706 2707 2708 2709 2710 } /* AUI_AUDITSYS */ 2711 2712 2713 2714 2715 2716 2717 2718 static void 2719 aus_auditsys(struct t_audit_data *tad) 2720 { 2721 klwp_t *clwp = ttolwp(curthread); 2722 uintptr_t a1, a2; 2723 struct file *fp; 2724 struct f_audit_data *fad; 2725 struct vnode *vp; 2726 STRUCT_DECL(auditinfo, ainfo); 2727 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2728 au_evclass_map_t event; 2729 au_mask_t mask; 2730 int auditstate, policy; 2731 2732 2733 struct a { 2734 long code; 2735 long a1; 2736 long a2; 2737 long a3; 2738 long a4; 2739 long a5; 2740 long a6; 2741 long a7; 2742 } *uap = (struct a *)clwp->lwp_ap; 2743 2744 a1 = (uintptr_t)uap->a1; 2745 a2 = (uintptr_t)uap->a2; 2746 2747 switch (tad->tad_event) { 2748 case AUE_SETAUID: 2749 au_uwrite(au_to_arg32(2, "setauid", (uint32_t)a1)); 2750 break; 2751 case AUE_SETAUDIT: 2752 STRUCT_INIT(ainfo, get_udatamodel()); 2753 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2754 STRUCT_SIZE(ainfo))) { 2755 return; 2756 } 2757 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2758 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2759 #ifdef _LP64 2760 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2761 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2762 #else 2763 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2764 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2765 #endif 2766 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2767 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2768 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2769 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2770 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2771 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2772 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2773 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2774 break; 2775 case AUE_SETAUDIT_ADDR: 2776 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2777 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2778 STRUCT_SIZE(ainfo_addr))) { 2779 return; 2780 } 2781 au_uwrite(au_to_arg32((char)1, "auid", 2782 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2783 #ifdef _LP64 2784 au_uwrite(au_to_arg64((char)1, "port", 2785 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2786 #else 2787 au_uwrite(au_to_arg32((char)1, "port", 2788 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2789 #endif 2790 au_uwrite(au_to_arg32((char)1, "type", 2791 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2792 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2793 AU_IPv4) { 2794 au_uwrite(au_to_in_addr( 2795 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2796 ai_termid.at_addr))); 2797 } else { 2798 au_uwrite(au_to_in_addr_ex( 2799 (int32_t *)STRUCT_FGETP(ainfo_addr, 2800 ai_termid.at_addr))); 2801 } 2802 au_uwrite(au_to_arg32((char)1, "as_success", 2803 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2804 au_uwrite(au_to_arg32((char)1, "as_failure", 2805 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2806 au_uwrite(au_to_arg32((char)1, "asid", 2807 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2808 break; 2809 case AUE_AUDITSVC: 2810 /* 2811 * convert file pointer to file descriptor 2812 * Note: fd ref count incremented here 2813 */ 2814 if ((fp = getf((uint_t)a1)) == NULL) 2815 return; 2816 fad = F2A(fp); 2817 if (fad->fad_aupath != NULL) { 2818 au_uwrite(au_to_path(fad->fad_aupath)); 2819 } else { 2820 au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1)); 2821 } 2822 2823 vp = fp->f_vnode; /* include vnode attributes */ 2824 audit_attributes(vp); 2825 2826 /* decrement file descriptor ref count */ 2827 releasef((uint_t)a1); 2828 2829 au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2)); 2830 break; 2831 case AUE_AUDITON_SETKMASK: 2832 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2833 return; 2834 au_uwrite(au_to_arg32( 2835 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2836 au_uwrite(au_to_arg32( 2837 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2838 break; 2839 case AUE_AUDITON_SPOLICY: 2840 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2841 return; 2842 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2843 break; 2844 case AUE_AUDITON_SQCTRL: { 2845 STRUCT_DECL(au_qctrl, qctrl); 2846 model_t model; 2847 2848 model = get_udatamodel(); 2849 STRUCT_INIT(qctrl, model); 2850 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2851 return; 2852 if (model == DATAMODEL_ILP32) { 2853 au_uwrite(au_to_arg32( 2854 3, "setqctrl:aq_hiwater", 2855 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2856 au_uwrite(au_to_arg32( 2857 3, "setqctrl:aq_lowater", 2858 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2859 au_uwrite(au_to_arg32( 2860 3, "setqctrl:aq_bufsz", 2861 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2862 au_uwrite(au_to_arg32( 2863 3, "setqctrl:aq_delay", 2864 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2865 } else { 2866 au_uwrite(au_to_arg64( 2867 3, "setqctrl:aq_hiwater", 2868 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2869 au_uwrite(au_to_arg64( 2870 3, "setqctrl:aq_lowater", 2871 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2872 au_uwrite(au_to_arg64( 2873 3, "setqctrl:aq_bufsz", 2874 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2875 au_uwrite(au_to_arg64( 2876 3, "setqctrl:aq_delay", 2877 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2878 } 2879 break; 2880 } 2881 case AUE_AUDITON_SETUMASK: 2882 STRUCT_INIT(ainfo, get_udatamodel()); 2883 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2884 STRUCT_SIZE(ainfo))) { 2885 return; 2886 } 2887 au_uwrite(au_to_arg32(3, "setumask:as_success", 2888 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2889 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2890 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2891 break; 2892 case AUE_AUDITON_SETSMASK: 2893 STRUCT_INIT(ainfo, get_udatamodel()); 2894 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2895 STRUCT_SIZE(ainfo))) { 2896 return; 2897 } 2898 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2899 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2900 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2901 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2902 break; 2903 case AUE_AUDITON_SETCOND: 2904 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2905 return; 2906 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2907 break; 2908 case AUE_AUDITON_SETCLASS: 2909 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2910 return; 2911 au_uwrite(au_to_arg32( 2912 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2913 au_uwrite(au_to_arg32( 2914 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2915 break; 2916 case AUE_GETAUID: 2917 case AUE_GETAUDIT: 2918 case AUE_GETAUDIT_ADDR: 2919 case AUE_AUDIT: 2920 case AUE_GETPORTAUDIT: 2921 case AUE_AUDITON_GPOLICY: 2922 case AUE_AUDITON_GQCTRL: 2923 case AUE_AUDITON_GETKMASK: 2924 case AUE_AUDITON_GETCWD: 2925 case AUE_AUDITON_GETCAR: 2926 case AUE_AUDITON_GETSTAT: 2927 case AUE_AUDITON_SETSTAT: 2928 case AUE_AUDITON_GETCOND: 2929 case AUE_AUDITON_GETCLASS: 2930 break; 2931 default: 2932 break; 2933 } 2934 2935 } /* AUS_AUDITSYS */ 2936 2937 2938 /* only audit privileged operations for systeminfo(2) system call */ 2939 static au_event_t 2940 aui_sysinfo(au_event_t e) 2941 { 2942 klwp_t *clwp = ttolwp(curthread); 2943 uint32_t command; 2944 2945 struct a { 2946 long command; 2947 long buf; /* char * */ 2948 long count; 2949 } *uap = (struct a *)clwp->lwp_ap; 2950 2951 command = (uint32_t)uap->command; 2952 2953 switch (command) { 2954 case SI_SET_HOSTNAME: 2955 case SI_SET_SRPC_DOMAIN: 2956 e = (au_event_t)AUE_SYSINFO; 2957 break; 2958 default: 2959 e = (au_event_t)AUE_NULL; 2960 break; 2961 } 2962 return (e); 2963 } 2964 2965 /*ARGSUSED*/ 2966 static void 2967 aus_sysinfo(struct t_audit_data *tad) 2968 { 2969 klwp_t *clwp = ttolwp(curthread); 2970 uint32_t command; 2971 size_t len, maxlen; 2972 char *name; 2973 uintptr_t buf; 2974 2975 struct a { 2976 long command; 2977 long buf; /* char * */ 2978 long count; 2979 } *uap = (struct a *)clwp->lwp_ap; 2980 2981 command = (uint32_t)uap->command; 2982 buf = (uintptr_t)uap->buf; 2983 2984 au_uwrite(au_to_arg32(1, "cmd", command)); 2985 2986 switch (command) { 2987 case SI_SET_HOSTNAME: 2988 { 2989 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2990 return; 2991 2992 maxlen = SYS_NMLN; 2993 name = kmem_alloc(maxlen, KM_SLEEP); 2994 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 2995 break; 2996 2997 /* 2998 * Must be non-NULL string and string 2999 * must be less than SYS_NMLN chars. 3000 */ 3001 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3002 break; 3003 3004 au_uwrite(au_to_text(name)); 3005 break; 3006 } 3007 3008 case SI_SET_SRPC_DOMAIN: 3009 { 3010 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3011 return; 3012 3013 maxlen = SYS_NMLN; 3014 name = kmem_alloc(maxlen, KM_SLEEP); 3015 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3016 break; 3017 3018 /* 3019 * If string passed in is longer than length 3020 * allowed for domain name, fail. 3021 */ 3022 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3023 break; 3024 3025 au_uwrite(au_to_text(name)); 3026 break; 3027 } 3028 3029 default: 3030 return; 3031 } 3032 3033 kmem_free(name, maxlen); 3034 } 3035 3036 static au_event_t 3037 aui_modctl(au_event_t e) 3038 { 3039 klwp_t *clwp = ttolwp(curthread); 3040 uint_t cmd; 3041 3042 struct a { 3043 long cmd; 3044 } *uap = (struct a *)clwp->lwp_ap; 3045 3046 cmd = (uint_t)uap->cmd; 3047 3048 switch (cmd) { 3049 case MODLOAD: 3050 e = AUE_MODLOAD; 3051 break; 3052 case MODUNLOAD: 3053 e = AUE_MODUNLOAD; 3054 break; 3055 case MODADDMAJBIND: 3056 e = AUE_MODADDMAJ; 3057 break; 3058 case MODSETDEVPOLICY: 3059 e = AUE_MODDEVPLCY; 3060 break; 3061 case MODALLOCPRIV: 3062 e = AUE_MODADDPRIV; 3063 break; 3064 default: 3065 e = AUE_NULL; 3066 break; 3067 } 3068 return (e); 3069 } 3070 3071 3072 /*ARGSUSED*/ 3073 static void 3074 aus_modctl(struct t_audit_data *tad) 3075 { 3076 klwp_t *clwp = ttolwp(curthread); 3077 void *a = clwp->lwp_ap; 3078 uint_t use_path; 3079 3080 switch (tad->tad_event) { 3081 case AUE_MODLOAD: { 3082 typedef struct { 3083 long cmd; 3084 long use_path; 3085 long filename; /* char * */ 3086 } modloada_t; 3087 3088 char *filenamep; 3089 uintptr_t fname; 3090 extern char *default_path; 3091 3092 fname = (uintptr_t)((modloada_t *)a)->filename; 3093 use_path = (uint_t)((modloada_t *)a)->use_path; 3094 3095 /* space to hold path */ 3096 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3097 /* get string */ 3098 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3099 /* free allocated path */ 3100 kmem_free(filenamep, MOD_MAXPATH); 3101 return; 3102 } 3103 /* ensure it's null terminated */ 3104 filenamep[MOD_MAXPATH - 1] = 0; 3105 3106 if (use_path) 3107 au_uwrite(au_to_text(default_path)); 3108 au_uwrite(au_to_text(filenamep)); 3109 3110 /* release temporary memory */ 3111 kmem_free(filenamep, MOD_MAXPATH); 3112 break; 3113 } 3114 case AUE_MODUNLOAD: { 3115 typedef struct { 3116 long cmd; 3117 long id; 3118 } modunloada_t; 3119 3120 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3121 3122 au_uwrite(au_to_arg32(1, "id", id)); 3123 break; 3124 } 3125 case AUE_MODADDMAJ: { 3126 STRUCT_DECL(modconfig, mc); 3127 typedef struct { 3128 long cmd; 3129 long subcmd; 3130 long data; /* int * */ 3131 } modconfiga_t; 3132 3133 STRUCT_DECL(aliases, alias); 3134 caddr_t ap; 3135 int i, num_aliases; 3136 char *drvname, *mc_drvname; 3137 char *name; 3138 extern char *ddi_major_to_name(major_t); 3139 model_t model; 3140 3141 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3142 3143 model = get_udatamodel(); 3144 STRUCT_INIT(mc, model); 3145 /* sanitize buffer */ 3146 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3147 /* get user arguments */ 3148 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3149 STRUCT_SIZE(mc)) != 0) 3150 return; 3151 3152 mc_drvname = STRUCT_FGET(mc, drvname); 3153 if ((drvname = ddi_major_to_name( 3154 (major_t)STRUCT_FGET(mc, major))) != NULL && 3155 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3156 /* safety */ 3157 if (mc_drvname[0] != '\0') { 3158 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3159 au_uwrite(au_to_text(mc_drvname)); 3160 } 3161 /* drvname != NULL from test above */ 3162 au_uwrite(au_to_text(drvname)); 3163 return; 3164 } 3165 3166 if (mc_drvname[0] != '\0') { 3167 /* safety */ 3168 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3169 au_uwrite(au_to_text(mc_drvname)); 3170 } else 3171 au_uwrite(au_to_text("no drvname")); 3172 3173 num_aliases = STRUCT_FGET(mc, num_aliases); 3174 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3175 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3176 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3177 STRUCT_INIT(alias, model); 3178 for (i = 0; i < num_aliases; i++) { 3179 bzero((caddr_t)STRUCT_BUF(alias), 3180 STRUCT_SIZE(alias)); 3181 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3182 STRUCT_SIZE(alias)) != 0) 3183 break; 3184 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3185 MAXMODCONFNAME, NULL) != 0) { 3186 break; 3187 } 3188 3189 au_uwrite(au_to_text(name)); 3190 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3191 } 3192 kmem_free(name, MAXMODCONFNAME); 3193 break; 3194 } 3195 default: 3196 break; 3197 } 3198 } 3199 3200 /* 3201 * private version of getsonode that does not do eprintsoline() 3202 */ 3203 static struct sonode * 3204 au_getsonode(int sock, int *errorp, file_t **fpp) 3205 { 3206 file_t *fp; 3207 register vnode_t *vp; 3208 struct sonode *so; 3209 3210 if ((fp = getf(sock)) == NULL) { 3211 *errorp = EBADF; 3212 return (NULL); 3213 } 3214 vp = fp->f_vnode; 3215 /* Check if it is a socket */ 3216 if (vp->v_type != VSOCK) { 3217 releasef(sock); 3218 *errorp = ENOTSOCK; 3219 return (NULL); 3220 } 3221 /* 3222 * Use the stream head to find the real socket vnode. 3223 * This is needed when namefs sits above sockfs. 3224 */ 3225 ASSERT(vp->v_stream); 3226 ASSERT(vp->v_stream->sd_vnode); 3227 vp = vp->v_stream->sd_vnode; 3228 so = VTOSO(vp); 3229 if (so->so_version == SOV_STREAM) { 3230 releasef(sock); 3231 *errorp = ENOTSOCK; 3232 return (NULL); 3233 } 3234 if (fpp) 3235 *fpp = fp; 3236 return (so); 3237 } 3238 3239 /*ARGSUSED*/ 3240 static void 3241 auf_accept( 3242 struct t_audit_data *tad, 3243 int error, 3244 rval_t *rval) 3245 { 3246 uint32_t scid; 3247 uint32_t sy_flags; 3248 int fd; 3249 struct sonode *so; 3250 char so_laddr[sizeof (struct sockaddr_in6)]; 3251 char so_faddr[sizeof (struct sockaddr_in6)]; 3252 int err; 3253 int len; 3254 short so_family, so_type; 3255 int add_sock_token = 0; 3256 3257 /* need to determine type of executing binary */ 3258 scid = tad->tad_scid; 3259 #ifdef _SYSCALL32_IMPL 3260 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3261 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3262 else 3263 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3264 #else 3265 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3266 #endif 3267 if (sy_flags == SE_32RVAL1) 3268 fd = rval->r_val1; 3269 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3270 fd = rval->r_val1; 3271 if (sy_flags == SE_64RVAL) 3272 fd = (int)rval->r_vals; 3273 3274 if (error) { 3275 /* can't trust socket contents. Just return */ 3276 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3277 return; 3278 } 3279 3280 if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) { 3281 /* 3282 * not security relevant if doing a accept from non socket 3283 * so no extra tokens. Should probably turn off audit record 3284 * generation here. 3285 */ 3286 return; 3287 } 3288 3289 so_family = so->so_family; 3290 so_type = so->so_type; 3291 3292 switch (so_family) { 3293 case AF_INET: 3294 case AF_INET6: 3295 /* 3296 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3297 */ 3298 if (so->so_type == SOCK_STREAM) { 3299 3300 bzero((void *)so_laddr, sizeof (so_laddr)); 3301 bzero((void *)so_faddr, sizeof (so_faddr)); 3302 3303 /* 3304 * no local address then need to get it from lower 3305 * levels. only put out record on first read ala 3306 * AUE_WRITE. 3307 */ 3308 if (so->so_state & SS_ISBOUND) { 3309 /* only done once on a connection */ 3310 (void) SOP_GETSOCKNAME(so); 3311 (void) SOP_GETPEERNAME(so); 3312 3313 /* get local and foreign addresses */ 3314 mutex_enter(&so->so_lock); 3315 len = min(so->so_laddr_len, sizeof (so_laddr)); 3316 bcopy(so->so_laddr_sa, so_laddr, len); 3317 len = min(so->so_faddr_len, sizeof (so_faddr)); 3318 bcopy(so->so_faddr_sa, so_faddr, len); 3319 mutex_exit(&so->so_lock); 3320 } 3321 3322 add_sock_token = 1; 3323 } 3324 break; 3325 3326 default: 3327 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3328 break; 3329 } 3330 3331 releasef(fd); 3332 3333 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3334 3335 if (add_sock_token == 0) { 3336 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3337 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3338 return; 3339 } 3340 3341 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3342 3343 } 3344 3345 /*ARGSUSED*/ 3346 static void 3347 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3348 { 3349 struct a { 3350 long fd; 3351 long addr; 3352 long len; 3353 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3354 3355 struct sonode *so; 3356 char so_laddr[sizeof (struct sockaddr_in6)]; 3357 char so_faddr[sizeof (struct sockaddr_in6)]; 3358 int err, fd; 3359 int len; 3360 short so_family, so_type; 3361 int add_sock_token = 0; 3362 3363 fd = (int)uap->fd; 3364 3365 /* 3366 * bind failed, then nothing extra to add to audit record. 3367 */ 3368 if (error) { 3369 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3370 /* XXX may want to add failed address some day */ 3371 return; 3372 } 3373 3374 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3375 /* 3376 * not security relevant if doing a bind from non socket 3377 * so no extra tokens. Should probably turn off audit record 3378 * generation here. 3379 */ 3380 return; 3381 } 3382 3383 so_family = so->so_family; 3384 so_type = so->so_type; 3385 3386 switch (so_family) { 3387 case AF_INET: 3388 case AF_INET6: 3389 3390 bzero(so_faddr, sizeof (so_faddr)); 3391 3392 if (so->so_state & SS_ISBOUND) { 3393 /* only done once on a connection */ 3394 (void) SOP_GETSOCKNAME(so); 3395 } 3396 3397 mutex_enter(&so->so_lock); 3398 len = min(so->so_laddr_len, sizeof (so_laddr)); 3399 bcopy(so->so_laddr_sa, so_laddr, len); 3400 mutex_exit(&so->so_lock); 3401 3402 add_sock_token = 1; 3403 3404 break; 3405 3406 case AF_UNIX: 3407 /* token added by lookup */ 3408 break; 3409 default: 3410 /* AF_ROUTE, AF_KEY do not support accept */ 3411 break; 3412 } 3413 3414 releasef(fd); 3415 3416 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3417 3418 if (add_sock_token == 0) { 3419 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3420 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3421 return; 3422 } 3423 3424 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3425 3426 } 3427 3428 /*ARGSUSED*/ 3429 static void 3430 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3431 { 3432 struct a { 3433 long fd; 3434 long addr; 3435 long len; 3436 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3437 3438 struct sonode *so; 3439 char so_laddr[sizeof (struct sockaddr_in6)]; 3440 char so_faddr[sizeof (struct sockaddr_in6)]; 3441 int err, fd; 3442 int len; 3443 short so_family, so_type; 3444 int add_sock_token = 0; 3445 3446 fd = (int)uap->fd; 3447 3448 3449 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3450 /* 3451 * not security relevant if doing a connect from non socket 3452 * so no extra tokens. Should probably turn off audit record 3453 * generation here. 3454 */ 3455 return; 3456 } 3457 3458 so_family = so->so_family; 3459 so_type = so->so_type; 3460 3461 switch (so_family) { 3462 case AF_INET: 3463 case AF_INET6: 3464 /* 3465 * no local address then need to get it from lower 3466 * levels. 3467 */ 3468 if (so->so_state & SS_ISBOUND) { 3469 /* only done once on a connection */ 3470 (void) SOP_GETSOCKNAME(so); 3471 (void) SOP_GETPEERNAME(so); 3472 } 3473 3474 bzero(so_laddr, sizeof (so_laddr)); 3475 bzero(so_faddr, sizeof (so_faddr)); 3476 3477 mutex_enter(&so->so_lock); 3478 len = min(so->so_laddr_len, sizeof (so_laddr)); 3479 bcopy(so->so_laddr_sa, so_laddr, len); 3480 if (error) { 3481 mutex_exit(&so->so_lock); 3482 if (uap->addr == NULL) 3483 break; 3484 if (uap->len <= 0) 3485 break; 3486 len = min(uap->len, sizeof (so_faddr)); 3487 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3488 break; 3489 #ifdef NOTYET 3490 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3491 #endif 3492 } else { 3493 /* sanity check on length */ 3494 len = min(so->so_faddr_len, sizeof (so_faddr)); 3495 bcopy(so->so_faddr_sa, so_faddr, len); 3496 mutex_exit(&so->so_lock); 3497 } 3498 3499 add_sock_token = 1; 3500 3501 break; 3502 3503 case AF_UNIX: 3504 /* does a lookup on name */ 3505 break; 3506 3507 default: 3508 /* AF_ROUTE, AF_KEY do not support accept */ 3509 break; 3510 } 3511 3512 releasef(fd); 3513 3514 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3515 3516 if (add_sock_token == 0) { 3517 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3518 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3519 return; 3520 } 3521 3522 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3523 3524 } 3525 3526 /*ARGSUSED*/ 3527 static void 3528 aus_shutdown(struct t_audit_data *tad) 3529 { 3530 struct a { 3531 long fd; 3532 long how; 3533 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3534 3535 struct sonode *so; 3536 char so_laddr[sizeof (struct sockaddr_in6)]; 3537 char so_faddr[sizeof (struct sockaddr_in6)]; 3538 int err, fd; 3539 int len; 3540 short so_family, so_type; 3541 int add_sock_token = 0; 3542 file_t *fp; /* unix domain sockets */ 3543 struct f_audit_data *fad; /* unix domain sockets */ 3544 3545 fd = (int)uap->fd; 3546 3547 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3548 /* 3549 * not security relevant if doing a shutdown using non socket 3550 * so no extra tokens. Should probably turn off audit record 3551 * generation here. 3552 */ 3553 return; 3554 } 3555 3556 so_family = so->so_family; 3557 so_type = so->so_type; 3558 3559 switch (so_family) { 3560 case AF_INET: 3561 case AF_INET6: 3562 3563 bzero(so_laddr, sizeof (so_laddr)); 3564 bzero(so_faddr, sizeof (so_faddr)); 3565 3566 if (so->so_state & SS_ISBOUND) { 3567 /* 3568 * no local address then need to get it from lower 3569 * levels. 3570 */ 3571 if (so->so_laddr_len == 0) 3572 (void) SOP_GETSOCKNAME(so); 3573 if (so->so_faddr_len == 0) 3574 (void) SOP_GETPEERNAME(so); 3575 } 3576 3577 mutex_enter(&so->so_lock); 3578 len = min(so->so_laddr_len, sizeof (so_laddr)); 3579 bcopy(so->so_laddr_sa, so_laddr, len); 3580 len = min(so->so_faddr_len, sizeof (so_faddr)); 3581 bcopy(so->so_faddr_sa, so_faddr, len); 3582 mutex_exit(&so->so_lock); 3583 3584 add_sock_token = 1; 3585 3586 break; 3587 3588 case AF_UNIX: 3589 3590 /* get path from file struct here */ 3591 fad = F2A(fp); 3592 ASSERT(fad); 3593 3594 if (fad->fad_aupath != NULL) { 3595 au_uwrite(au_to_path(fad->fad_aupath)); 3596 } else { 3597 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3598 } 3599 3600 audit_attributes(fp->f_vnode); 3601 3602 break; 3603 3604 default: 3605 /* 3606 * AF_KEY and AF_ROUTE support shutdown. No socket token 3607 * added. 3608 */ 3609 break; 3610 } 3611 3612 releasef(fd); 3613 3614 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3615 3616 if (add_sock_token == 0) { 3617 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3618 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3619 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3620 return; 3621 } 3622 3623 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3624 3625 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3626 3627 } 3628 3629 /*ARGSUSED*/ 3630 static void 3631 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3632 { 3633 struct a { 3634 long fd; 3635 long level; 3636 long optname; 3637 long *optval; 3638 long optlen; 3639 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3640 3641 struct sonode *so; 3642 char so_laddr[sizeof (struct sockaddr_in6)]; 3643 char so_faddr[sizeof (struct sockaddr_in6)]; 3644 char val[AU_BUFSIZE]; 3645 int err, fd; 3646 int len; 3647 short so_family, so_type; 3648 int add_sock_token = 0; 3649 file_t *fp; /* unix domain sockets */ 3650 struct f_audit_data *fad; /* unix domain sockets */ 3651 3652 fd = (int)uap->fd; 3653 3654 if (error) { 3655 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3656 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3657 /* XXX may want to include other arguments */ 3658 return; 3659 } 3660 3661 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3662 /* 3663 * not security relevant if doing a setsockopt from non socket 3664 * so no extra tokens. Should probably turn off audit record 3665 * generation here. 3666 */ 3667 return; 3668 } 3669 3670 so_family = so->so_family; 3671 so_type = so->so_type; 3672 3673 switch (so_family) { 3674 case AF_INET: 3675 case AF_INET6: 3676 3677 bzero((void *)so_laddr, sizeof (so_laddr)); 3678 bzero((void *)so_faddr, sizeof (so_faddr)); 3679 3680 if (so->so_state & SS_ISBOUND) { 3681 if (so->so_laddr_len == 0) 3682 (void) SOP_GETSOCKNAME(so); 3683 if (so->so_faddr_len == 0) 3684 (void) SOP_GETPEERNAME(so); 3685 } 3686 3687 /* get local and foreign addresses */ 3688 mutex_enter(&so->so_lock); 3689 len = min(so->so_laddr_len, sizeof (so_laddr)); 3690 bcopy(so->so_laddr_sa, so_laddr, len); 3691 len = min(so->so_faddr_len, sizeof (so_faddr)); 3692 bcopy(so->so_faddr_sa, so_faddr, len); 3693 mutex_exit(&so->so_lock); 3694 3695 add_sock_token = 1; 3696 3697 break; 3698 3699 case AF_UNIX: 3700 3701 /* get path from file struct here */ 3702 fad = F2A(fp); 3703 ASSERT(fad); 3704 3705 if (fad->fad_aupath != NULL) { 3706 au_uwrite(au_to_path(fad->fad_aupath)); 3707 } else { 3708 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3709 } 3710 3711 audit_attributes(fp->f_vnode); 3712 3713 break; 3714 3715 default: 3716 /* 3717 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3718 * added. 3719 */ 3720 break; 3721 } 3722 3723 releasef(fd); 3724 3725 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3726 3727 if (add_sock_token == 0) { 3728 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3729 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3730 } 3731 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3732 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3733 3734 bzero(val, sizeof (val)); 3735 len = min(uap->optlen, sizeof (val)); 3736 if ((len > 0) && 3737 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3738 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3739 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3740 } 3741 3742 if (add_sock_token == 0) 3743 return; 3744 3745 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3746 3747 } 3748 3749 /*ARGSUSED*/ 3750 static void 3751 aus_sockconfig(tad) 3752 struct t_audit_data *tad; 3753 { 3754 struct a { 3755 long domain; 3756 long type; 3757 long protocol; 3758 long devpath; 3759 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3760 3761 char *kdevpath; 3762 int kdevpathlen = MAXPATHLEN + 1; 3763 size_t size; 3764 3765 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3766 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3767 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3768 3769 if (uap->devpath == 0) { 3770 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3771 } else { 3772 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3773 3774 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3775 &size)) { 3776 kmem_free(kdevpath, kdevpathlen); 3777 return; 3778 } 3779 3780 if (size > MAXPATHLEN) { 3781 kmem_free(kdevpath, kdevpathlen); 3782 return; 3783 } 3784 3785 au_uwrite(au_to_text(kdevpath)); 3786 kmem_free(kdevpath, kdevpathlen); 3787 } 3788 } 3789 3790 /* 3791 * only audit recvmsg when the system call represents the creation of a new 3792 * circuit. This effectively occurs for all UDP packets and may occur for 3793 * special TCP situations where the local host has not set a local address 3794 * in the socket structure. 3795 */ 3796 /*ARGSUSED*/ 3797 static void 3798 auf_recvmsg( 3799 struct t_audit_data *tad, 3800 int error, 3801 rval_t *rvp) 3802 { 3803 struct a { 3804 long fd; 3805 long msg; /* struct msghdr */ 3806 long flags; 3807 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3808 3809 struct sonode *so; 3810 STRUCT_DECL(msghdr, msg); 3811 caddr_t msg_name; 3812 socklen_t msg_namelen; 3813 int fd; 3814 int err; 3815 char so_laddr[sizeof (struct sockaddr_in6)]; 3816 char so_faddr[sizeof (struct sockaddr_in6)]; 3817 int len; 3818 file_t *fp; /* unix domain sockets */ 3819 struct f_audit_data *fad; /* unix domain sockets */ 3820 short so_family, so_type; 3821 int add_sock_token = 0; 3822 au_kcontext_t *kctx = SET_KCTX_PZ; 3823 3824 fd = (int)uap->fd; 3825 3826 /* bail if an error */ 3827 if (error) { 3828 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3829 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3830 return; 3831 } 3832 3833 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3834 /* 3835 * not security relevant if doing a recvmsg from non socket 3836 * so no extra tokens. Should probably turn off audit record 3837 * generation here. 3838 */ 3839 return; 3840 } 3841 3842 so_family = so->so_family; 3843 so_type = so->so_type; 3844 3845 /* 3846 * only putout SOCKET_EX token if INET/INET6 family. 3847 * XXX - what do we do about other families? 3848 */ 3849 3850 switch (so_family) { 3851 case AF_INET: 3852 case AF_INET6: 3853 3854 /* 3855 * if datagram type socket, then just use what is in 3856 * socket structure for local address. 3857 * XXX - what do we do for other types? 3858 */ 3859 if ((so->so_type == SOCK_DGRAM) || 3860 (so->so_type == SOCK_RAW)) { 3861 add_sock_token = 1; 3862 3863 bzero((void *)so_laddr, sizeof (so_laddr)); 3864 bzero((void *)so_faddr, sizeof (so_faddr)); 3865 3866 /* get local address */ 3867 mutex_enter(&so->so_lock); 3868 len = min(so->so_laddr_len, sizeof (so_laddr)); 3869 bcopy(so->so_laddr_sa, so_laddr, len); 3870 mutex_exit(&so->so_lock); 3871 3872 /* get peer address */ 3873 STRUCT_INIT(msg, get_udatamodel()); 3874 3875 if (copyin((caddr_t)(uap->msg), 3876 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3877 break; 3878 } 3879 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3880 if (msg_name == NULL) { 3881 break; 3882 } 3883 3884 /* length is value from recvmsg - sanity check */ 3885 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3886 if (msg_namelen == 0) { 3887 break; 3888 } 3889 if (copyin(msg_name, so_faddr, 3890 sizeof (so_faddr)) != 0) { 3891 break; 3892 } 3893 3894 } else if (so->so_type == SOCK_STREAM) { 3895 3896 /* get path from file struct here */ 3897 fad = F2A(fp); 3898 ASSERT(fad); 3899 3900 /* 3901 * already processed this file for read attempt 3902 */ 3903 if (fad->fad_flags & FAD_READ) { 3904 /* don't want to audit every recvmsg attempt */ 3905 tad->tad_flag = 0; 3906 /* free any residual audit data */ 3907 au_close(kctx, &(u_ad), 0, 0, 0); 3908 releasef(fd); 3909 return; 3910 } 3911 /* 3912 * mark things so we know what happened and don't 3913 * repeat things 3914 */ 3915 fad->fad_flags |= FAD_READ; 3916 3917 bzero((void *)so_laddr, sizeof (so_laddr)); 3918 bzero((void *)so_faddr, sizeof (so_faddr)); 3919 3920 if (so->so_state & SS_ISBOUND) { 3921 3922 if (so->so_laddr_len == 0) 3923 (void) SOP_GETSOCKNAME(so); 3924 if (so->so_faddr_len == 0) 3925 (void) SOP_GETPEERNAME(so); 3926 3927 /* get local and foreign addresses */ 3928 mutex_enter(&so->so_lock); 3929 len = min(so->so_laddr_len, sizeof (so_laddr)); 3930 bcopy(so->so_laddr_sa, so_laddr, len); 3931 len = min(so->so_faddr_len, sizeof (so_faddr)); 3932 bcopy(so->so_faddr_sa, so_faddr, len); 3933 mutex_exit(&so->so_lock); 3934 } 3935 3936 add_sock_token = 1; 3937 } 3938 3939 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3940 3941 break; 3942 3943 case AF_UNIX: 3944 /* 3945 * first check if this is first time through. Too much 3946 * duplicate code to put this in an aui_ routine. 3947 */ 3948 3949 /* get path from file struct here */ 3950 fad = F2A(fp); 3951 ASSERT(fad); 3952 3953 /* 3954 * already processed this file for read attempt 3955 */ 3956 if (fad->fad_flags & FAD_READ) { 3957 releasef(fd); 3958 /* don't want to audit every recvmsg attempt */ 3959 tad->tad_flag = 0; 3960 /* free any residual audit data */ 3961 au_close(kctx, &(u_ad), 0, 0, 0); 3962 return; 3963 } 3964 /* 3965 * mark things so we know what happened and don't 3966 * repeat things 3967 */ 3968 fad->fad_flags |= FAD_READ; 3969 3970 if (fad->fad_aupath != NULL) { 3971 au_uwrite(au_to_path(fad->fad_aupath)); 3972 } else { 3973 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3974 } 3975 3976 audit_attributes(fp->f_vnode); 3977 3978 releasef(fd); 3979 3980 return; 3981 3982 default: 3983 break; 3984 3985 } 3986 3987 releasef(fd); 3988 3989 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3990 3991 if (add_sock_token == 0) { 3992 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 3993 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 3994 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3995 return; 3996 } 3997 3998 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3999 4000 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4001 4002 } 4003 4004 /*ARGSUSED*/ 4005 static void 4006 auf_recvfrom( 4007 struct t_audit_data *tad, 4008 int error, 4009 rval_t *rvp) 4010 { 4011 4012 struct a { 4013 long fd; 4014 long msg; /* char */ 4015 long len; 4016 long flags; 4017 long from; /* struct sockaddr */ 4018 long fromlen; 4019 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4020 4021 socklen_t fromlen; 4022 struct sonode *so; 4023 char so_laddr[sizeof (struct sockaddr_in6)]; 4024 char so_faddr[sizeof (struct sockaddr_in6)]; 4025 int fd; 4026 short so_family, so_type; 4027 int add_sock_token = 0; 4028 int len; 4029 int err; 4030 struct file *fp; 4031 struct f_audit_data *fad; /* unix domain sockets */ 4032 au_kcontext_t *kctx = SET_KCTX_PZ; 4033 4034 fd = (int)uap->fd; 4035 4036 /* bail if an error */ 4037 if (error) { 4038 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4039 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4040 return; 4041 } 4042 4043 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4044 /* 4045 * not security relevant if doing a recvmsg from non socket 4046 * so no extra tokens. Should probably turn off audit record 4047 * generation here. 4048 */ 4049 return; 4050 } 4051 4052 so_family = so->so_family; 4053 so_type = so->so_type; 4054 4055 /* 4056 * only putout SOCKET_EX token if INET/INET6 family. 4057 * XXX - what do we do about other families? 4058 */ 4059 4060 switch (so_family) { 4061 case AF_INET: 4062 case AF_INET6: 4063 4064 /* 4065 * if datagram type socket, then just use what is in 4066 * socket structure for local address. 4067 * XXX - what do we do for other types? 4068 */ 4069 if ((so->so_type == SOCK_DGRAM) || 4070 (so->so_type == SOCK_RAW)) { 4071 add_sock_token = 1; 4072 4073 /* get local address */ 4074 mutex_enter(&so->so_lock); 4075 len = min(so->so_laddr_len, sizeof (so_laddr)); 4076 bcopy(so->so_laddr_sa, so_laddr, len); 4077 mutex_exit(&so->so_lock); 4078 4079 /* get peer address */ 4080 bzero((void *)so_faddr, sizeof (so_faddr)); 4081 4082 /* sanity check */ 4083 if (uap->from == NULL) 4084 break; 4085 4086 /* sanity checks */ 4087 if (uap->fromlen == 0) 4088 break; 4089 4090 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4091 sizeof (fromlen)) != 0) 4092 break; 4093 4094 if (fromlen == 0) 4095 break; 4096 4097 /* enforce maximum size */ 4098 if (fromlen > sizeof (so_faddr)) 4099 fromlen = sizeof (so_faddr); 4100 4101 if (copyin((caddr_t)(uap->from), so_faddr, 4102 fromlen) != 0) 4103 break; 4104 4105 } else if (so->so_type == SOCK_STREAM) { 4106 4107 /* get path from file struct here */ 4108 fad = F2A(fp); 4109 ASSERT(fad); 4110 4111 /* 4112 * already processed this file for read attempt 4113 */ 4114 if (fad->fad_flags & FAD_READ) { 4115 /* don't want to audit every recvfrom attempt */ 4116 tad->tad_flag = 0; 4117 /* free any residual audit data */ 4118 au_close(kctx, &(u_ad), 0, 0, 0); 4119 releasef(fd); 4120 return; 4121 } 4122 /* 4123 * mark things so we know what happened and don't 4124 * repeat things 4125 */ 4126 fad->fad_flags |= FAD_READ; 4127 4128 bzero((void *)so_laddr, sizeof (so_laddr)); 4129 bzero((void *)so_faddr, sizeof (so_faddr)); 4130 4131 if (so->so_state & SS_ISBOUND) { 4132 4133 if (so->so_laddr_len == 0) 4134 (void) SOP_GETSOCKNAME(so); 4135 if (so->so_faddr_len == 0) 4136 (void) SOP_GETPEERNAME(so); 4137 4138 /* get local and foreign addresses */ 4139 mutex_enter(&so->so_lock); 4140 len = min(so->so_laddr_len, sizeof (so_laddr)); 4141 bcopy(so->so_laddr_sa, so_laddr, len); 4142 len = min(so->so_faddr_len, sizeof (so_faddr)); 4143 bcopy(so->so_faddr_sa, so_faddr, len); 4144 mutex_exit(&so->so_lock); 4145 } 4146 4147 add_sock_token = 1; 4148 } 4149 4150 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4151 4152 break; 4153 4154 case AF_UNIX: 4155 /* 4156 * first check if this is first time through. Too much 4157 * duplicate code to put this in an aui_ routine. 4158 */ 4159 4160 /* get path from file struct here */ 4161 fad = F2A(fp); 4162 ASSERT(fad); 4163 4164 /* 4165 * already processed this file for read attempt 4166 */ 4167 if (fad->fad_flags & FAD_READ) { 4168 /* don't want to audit every recvfrom attempt */ 4169 tad->tad_flag = 0; 4170 /* free any residual audit data */ 4171 au_close(kctx, &(u_ad), 0, 0, 0); 4172 releasef(fd); 4173 return; 4174 } 4175 /* 4176 * mark things so we know what happened and don't 4177 * repeat things 4178 */ 4179 fad->fad_flags |= FAD_READ; 4180 4181 if (fad->fad_aupath != NULL) { 4182 au_uwrite(au_to_path(fad->fad_aupath)); 4183 } else { 4184 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4185 } 4186 4187 audit_attributes(fp->f_vnode); 4188 4189 releasef(fd); 4190 4191 return; 4192 4193 default: 4194 break; 4195 4196 } 4197 4198 releasef(fd); 4199 4200 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4201 4202 if (add_sock_token == 0) { 4203 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4204 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4205 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4206 return; 4207 } 4208 4209 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4210 4211 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4212 } 4213 4214 /*ARGSUSED*/ 4215 static void 4216 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4217 { 4218 struct a { 4219 long fd; 4220 long msg; /* struct msghdr */ 4221 long flags; 4222 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4223 4224 struct sonode *so; 4225 char so_laddr[sizeof (struct sockaddr_in6)]; 4226 char so_faddr[sizeof (struct sockaddr_in6)]; 4227 int err; 4228 int fd; 4229 short so_family, so_type; 4230 int add_sock_token = 0; 4231 int len; 4232 struct file *fp; 4233 struct f_audit_data *fad; 4234 caddr_t msg_name; 4235 socklen_t msg_namelen; 4236 STRUCT_DECL(msghdr, msg); 4237 au_kcontext_t *kctx = SET_KCTX_PZ; 4238 4239 fd = (int)uap->fd; 4240 4241 /* bail if an error */ 4242 if (error) { 4243 /* XXX include destination address from system call arguments */ 4244 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4245 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4246 return; 4247 } 4248 4249 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4250 /* 4251 * not security relevant if doing a sendmsg from non socket 4252 * so no extra tokens. Should probably turn off audit record 4253 * generation here. 4254 */ 4255 return; 4256 } 4257 4258 so_family = so->so_family; 4259 so_type = so->so_type; 4260 4261 switch (so_family) { 4262 case AF_INET: 4263 case AF_INET6: 4264 /* 4265 * if datagram type socket, then just use what is in 4266 * socket structure for local address. 4267 * XXX - what do we do for other types? 4268 */ 4269 if ((so->so_type == SOCK_DGRAM) || 4270 (so->so_type == SOCK_RAW)) { 4271 4272 bzero((void *)so_laddr, sizeof (so_laddr)); 4273 bzero((void *)so_faddr, sizeof (so_faddr)); 4274 4275 /* get local address */ 4276 mutex_enter(&so->so_lock); 4277 len = min(so->so_laddr_len, sizeof (so_laddr)); 4278 bcopy(so->so_laddr_sa, so_laddr, len); 4279 mutex_exit(&so->so_lock); 4280 4281 /* get peer address */ 4282 STRUCT_INIT(msg, get_udatamodel()); 4283 4284 if (copyin((caddr_t)(uap->msg), 4285 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4286 break; 4287 } 4288 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4289 if (msg_name == NULL) 4290 break; 4291 4292 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4293 /* length is value from recvmsg - sanity check */ 4294 if (msg_namelen == 0) 4295 break; 4296 4297 if (copyin(msg_name, so_faddr, 4298 sizeof (so_faddr)) != 0) 4299 break; 4300 4301 add_sock_token = 1; 4302 4303 } else if (so->so_type == SOCK_STREAM) { 4304 4305 /* get path from file struct here */ 4306 fad = F2A(fp); 4307 ASSERT(fad); 4308 4309 /* 4310 * already processed this file for write attempt 4311 */ 4312 if (fad->fad_flags & FAD_WRITE) { 4313 releasef(fd); 4314 /* don't want to audit every sendmsg attempt */ 4315 tad->tad_flag = 0; 4316 /* free any residual audit data */ 4317 au_close(kctx, &(u_ad), 0, 0, 0); 4318 return; 4319 } 4320 4321 /* 4322 * mark things so we know what happened and don't 4323 * repeat things 4324 */ 4325 fad->fad_flags |= FAD_WRITE; 4326 4327 bzero((void *)so_laddr, sizeof (so_laddr)); 4328 bzero((void *)so_faddr, sizeof (so_faddr)); 4329 4330 if (so->so_state & SS_ISBOUND) { 4331 4332 if (so->so_laddr_len == 0) 4333 (void) SOP_GETSOCKNAME(so); 4334 if (so->so_faddr_len == 0) 4335 (void) SOP_GETPEERNAME(so); 4336 4337 /* get local and foreign addresses */ 4338 mutex_enter(&so->so_lock); 4339 len = min(so->so_laddr_len, sizeof (so_laddr)); 4340 bcopy(so->so_laddr_sa, so_laddr, len); 4341 len = min(so->so_faddr_len, sizeof (so_faddr)); 4342 bcopy(so->so_faddr_sa, so_faddr, len); 4343 mutex_exit(&so->so_lock); 4344 } 4345 4346 add_sock_token = 1; 4347 } 4348 4349 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4350 4351 break; 4352 4353 case AF_UNIX: 4354 /* 4355 * first check if this is first time through. Too much 4356 * duplicate code to put this in an aui_ routine. 4357 */ 4358 4359 /* get path from file struct here */ 4360 fad = F2A(fp); 4361 ASSERT(fad); 4362 4363 /* 4364 * already processed this file for write attempt 4365 */ 4366 if (fad->fad_flags & FAD_WRITE) { 4367 releasef(fd); 4368 /* don't want to audit every sendmsg attempt */ 4369 tad->tad_flag = 0; 4370 /* free any residual audit data */ 4371 au_close(kctx, &(u_ad), 0, 0, 0); 4372 return; 4373 } 4374 /* 4375 * mark things so we know what happened and don't 4376 * repeat things 4377 */ 4378 fad->fad_flags |= FAD_WRITE; 4379 4380 if (fad->fad_aupath != NULL) { 4381 au_uwrite(au_to_path(fad->fad_aupath)); 4382 } else { 4383 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4384 } 4385 4386 audit_attributes(fp->f_vnode); 4387 4388 releasef(fd); 4389 4390 return; 4391 4392 default: 4393 break; 4394 } 4395 4396 releasef(fd); 4397 4398 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4399 4400 if (add_sock_token == 0) { 4401 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4402 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4403 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4404 return; 4405 } 4406 4407 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4408 4409 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4410 } 4411 4412 /*ARGSUSED*/ 4413 static void 4414 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4415 { 4416 struct a { 4417 long fd; 4418 long msg; /* char */ 4419 long len; 4420 long flags; 4421 long to; /* struct sockaddr */ 4422 long tolen; 4423 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4424 4425 struct sonode *so; 4426 char so_laddr[sizeof (struct sockaddr_in6)]; 4427 char so_faddr[sizeof (struct sockaddr_in6)]; 4428 socklen_t tolen; 4429 int err; 4430 int fd; 4431 int len; 4432 short so_family, so_type; 4433 int add_sock_token = 0; 4434 struct file *fp; 4435 struct f_audit_data *fad; 4436 au_kcontext_t *kctx = SET_KCTX_PZ; 4437 4438 fd = (int)uap->fd; 4439 4440 /* bail if an error */ 4441 if (error) { 4442 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4443 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4444 /* XXX include destination address from system call arguments */ 4445 return; 4446 } 4447 4448 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4449 /* 4450 * not security relevant if doing a sendto using non socket 4451 * so no extra tokens. Should probably turn off audit record 4452 * generation here. 4453 */ 4454 return; 4455 } 4456 4457 so_family = so->so_family; 4458 so_type = so->so_type; 4459 4460 /* 4461 * only putout SOCKET_EX token if INET/INET6 family. 4462 * XXX - what do we do about other families? 4463 */ 4464 4465 switch (so_family) { 4466 case AF_INET: 4467 case AF_INET6: 4468 4469 /* 4470 * if datagram type socket, then just use what is in 4471 * socket structure for local address. 4472 * XXX - what do we do for other types? 4473 */ 4474 if ((so->so_type == SOCK_DGRAM) || 4475 (so->so_type == SOCK_RAW)) { 4476 4477 bzero((void *)so_laddr, sizeof (so_laddr)); 4478 bzero((void *)so_faddr, sizeof (so_faddr)); 4479 4480 /* get local address */ 4481 mutex_enter(&so->so_lock); 4482 len = min(so->so_laddr_len, sizeof (so_laddr)); 4483 bcopy(so->so_laddr_sa, so_laddr, len); 4484 mutex_exit(&so->so_lock); 4485 4486 /* get peer address */ 4487 4488 /* sanity check */ 4489 if (uap->to == NULL) 4490 break; 4491 4492 /* sanity checks */ 4493 if (uap->tolen == 0) 4494 break; 4495 4496 tolen = (socklen_t)uap->tolen; 4497 4498 /* enforce maximum size */ 4499 if (tolen > sizeof (so_faddr)) 4500 tolen = sizeof (so_faddr); 4501 4502 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4503 break; 4504 4505 add_sock_token = 1; 4506 } else { 4507 /* 4508 * check if this is first time through. 4509 */ 4510 4511 /* get path from file struct here */ 4512 fad = F2A(fp); 4513 ASSERT(fad); 4514 4515 /* 4516 * already processed this file for write attempt 4517 */ 4518 if (fad->fad_flags & FAD_WRITE) { 4519 /* don't want to audit every sendto attempt */ 4520 tad->tad_flag = 0; 4521 /* free any residual audit data */ 4522 au_close(kctx, &(u_ad), 0, 0, 0); 4523 releasef(fd); 4524 return; 4525 } 4526 /* 4527 * mark things so we know what happened and don't 4528 * repeat things 4529 */ 4530 fad->fad_flags |= FAD_WRITE; 4531 4532 bzero((void *)so_laddr, sizeof (so_laddr)); 4533 bzero((void *)so_faddr, sizeof (so_faddr)); 4534 4535 if (so->so_state & SS_ISBOUND) { 4536 4537 if (so->so_laddr_len == 0) 4538 (void) SOP_GETSOCKNAME(so); 4539 if (so->so_faddr_len == 0) 4540 (void) SOP_GETPEERNAME(so); 4541 4542 /* get local and foreign addresses */ 4543 mutex_enter(&so->so_lock); 4544 len = min(so->so_laddr_len, sizeof (so_laddr)); 4545 bcopy(so->so_laddr_sa, so_laddr, len); 4546 len = min(so->so_faddr_len, sizeof (so_faddr)); 4547 bcopy(so->so_faddr_sa, so_faddr, len); 4548 mutex_exit(&so->so_lock); 4549 } 4550 4551 add_sock_token = 1; 4552 } 4553 4554 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4555 4556 break; 4557 4558 case AF_UNIX: 4559 /* 4560 * first check if this is first time through. Too much 4561 * duplicate code to put this in an aui_ routine. 4562 */ 4563 4564 /* get path from file struct here */ 4565 fad = F2A(fp); 4566 ASSERT(fad); 4567 4568 /* 4569 * already processed this file for write attempt 4570 */ 4571 if (fad->fad_flags & FAD_WRITE) { 4572 /* don't want to audit every sendto attempt */ 4573 tad->tad_flag = 0; 4574 /* free any residual audit data */ 4575 au_close(kctx, &(u_ad), 0, 0, 0); 4576 releasef(fd); 4577 return; 4578 } 4579 /* 4580 * mark things so we know what happened and don't 4581 * repeat things 4582 */ 4583 fad->fad_flags |= FAD_WRITE; 4584 4585 if (fad->fad_aupath != NULL) { 4586 au_uwrite(au_to_path(fad->fad_aupath)); 4587 } else { 4588 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4589 } 4590 4591 audit_attributes(fp->f_vnode); 4592 4593 releasef(fd); 4594 4595 return; 4596 4597 default: 4598 break; 4599 4600 } 4601 4602 releasef(fd); 4603 4604 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4605 4606 if (add_sock_token == 0) { 4607 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4608 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4609 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4610 return; 4611 } 4612 4613 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4614 4615 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4616 4617 } 4618 4619 /* 4620 * XXX socket(2) may be equivilent to open(2) on a unix domain 4621 * socket. This needs investigation. 4622 */ 4623 4624 /*ARGSUSED*/ 4625 static void 4626 aus_socket(struct t_audit_data *tad) 4627 { 4628 struct a { 4629 long domain; 4630 long type; 4631 long protocol; 4632 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4633 4634 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4635 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4636 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4637 } 4638 4639 /*ARGSUSED*/ 4640 static void 4641 aus_sigqueue(struct t_audit_data *tad) 4642 { 4643 struct a { 4644 long pid; 4645 long signo; 4646 long *val; 4647 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4648 struct proc *p; 4649 uid_t uid, ruid; 4650 gid_t gid, rgid; 4651 pid_t pid; 4652 const auditinfo_addr_t *ainfo; 4653 cred_t *cr; 4654 4655 pid = (pid_t)uap->pid; 4656 4657 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4658 if (pid > 0) { 4659 mutex_enter(&pidlock); 4660 if ((p = prfind(pid)) == (struct proc *)0) { 4661 mutex_exit(&pidlock); 4662 return; 4663 } 4664 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4665 mutex_exit(&pidlock); 4666 4667 mutex_enter(&p->p_crlock); 4668 crhold(cr = p->p_cred); 4669 mutex_exit(&p->p_crlock); 4670 mutex_exit(&p->p_lock); 4671 4672 ainfo = crgetauinfo(cr); 4673 if (ainfo == NULL) { 4674 crfree(cr); 4675 return; 4676 } 4677 4678 uid = crgetuid(cr); 4679 gid = crgetgid(cr); 4680 ruid = crgetruid(cr); 4681 rgid = crgetrgid(cr); 4682 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4683 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4684 crfree(cr); 4685 } 4686 else 4687 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4688 } 4689 4690 /*ARGSUSED*/ 4691 static void 4692 aus_inst_sync(struct t_audit_data *tad) 4693 { 4694 struct a { 4695 long name; /* char */ 4696 long flags; 4697 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4698 4699 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4700 } 4701 4702 /*ARGSUSED*/ 4703 static void 4704 aus_p_online(struct t_audit_data *tad) 4705 { 4706 struct a { 4707 long processor_id; 4708 long flag; 4709 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4710 4711 struct flags { 4712 int flag; 4713 char *cflag; 4714 } aflags[6] = { 4715 { P_ONLINE, "P_ONLINE"}, 4716 { P_OFFLINE, "P_OFFLINE"}, 4717 { P_NOINTR, "P_NOINTR"}, 4718 { P_SPARE, "P_SPARE"}, 4719 { P_FAULTED, "P_FAULTED"}, 4720 { P_STATUS, "P_STATUS"} 4721 }; 4722 int i; 4723 char *cflag; 4724 4725 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4726 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4727 4728 for (i = 0; i < 6; i++) { 4729 if (aflags[i].flag == uap->flag) 4730 break; 4731 } 4732 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4733 4734 au_uwrite(au_to_text(cflag)); 4735 } 4736 4737 /*ARGSUSED*/ 4738 static void 4739 aus_processor_bind(struct t_audit_data *tad) 4740 { 4741 struct a { 4742 long id_type; 4743 long id; 4744 long processor_id; 4745 long obind; 4746 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4747 4748 struct proc *p; 4749 int lwpcnt; 4750 uid_t uid, ruid; 4751 gid_t gid, rgid; 4752 pid_t pid; 4753 const auditinfo_addr_t *ainfo; 4754 cred_t *cr; 4755 4756 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4757 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4758 if (uap->processor_id == PBIND_NONE) 4759 au_uwrite(au_to_text("PBIND_NONE")); 4760 else 4761 au_uwrite(au_to_arg32(3, "processor_id", 4762 (uint32_t)uap->processor_id)); 4763 4764 switch (uap->id_type) { 4765 case P_MYID: 4766 case P_LWPID: 4767 mutex_enter(&pidlock); 4768 p = ttoproc(curthread); 4769 if (p == NULL || p->p_as == &kas) { 4770 mutex_exit(&pidlock); 4771 return; 4772 } 4773 mutex_enter(&p->p_lock); 4774 mutex_exit(&pidlock); 4775 lwpcnt = p->p_lwpcnt; 4776 pid = p->p_pid; 4777 4778 mutex_enter(&p->p_crlock); 4779 crhold(cr = p->p_cred); 4780 mutex_exit(&p->p_crlock); 4781 mutex_exit(&p->p_lock); 4782 4783 ainfo = crgetauinfo(cr); 4784 if (ainfo == NULL) { 4785 crfree(cr); 4786 return; 4787 } 4788 4789 uid = crgetuid(cr); 4790 gid = crgetgid(cr); 4791 ruid = crgetruid(cr); 4792 rgid = crgetrgid(cr); 4793 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4794 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4795 crfree(cr); 4796 break; 4797 case P_PID: 4798 mutex_enter(&pidlock); 4799 p = prfind(uap->id); 4800 if (p == NULL || p->p_as == &kas) { 4801 mutex_exit(&pidlock); 4802 return; 4803 } 4804 mutex_enter(&p->p_lock); 4805 mutex_exit(&pidlock); 4806 lwpcnt = p->p_lwpcnt; 4807 pid = p->p_pid; 4808 4809 mutex_enter(&p->p_crlock); 4810 crhold(cr = p->p_cred); 4811 mutex_exit(&p->p_crlock); 4812 mutex_exit(&p->p_lock); 4813 4814 ainfo = crgetauinfo(cr); 4815 if (ainfo == NULL) { 4816 crfree(cr); 4817 return; 4818 } 4819 4820 uid = crgetuid(cr); 4821 gid = crgetgid(cr); 4822 ruid = crgetruid(cr); 4823 rgid = crgetrgid(cr); 4824 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4825 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4826 crfree(cr); 4827 4828 break; 4829 default: 4830 return; 4831 } 4832 4833 if (uap->processor_id == PBIND_NONE && 4834 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4835 au_uwrite(au_to_text("PBIND_NONE for process")); 4836 else 4837 au_uwrite(au_to_arg32(3, "processor_id", 4838 (uint32_t)uap->processor_id)); 4839 } 4840 4841 /*ARGSUSED*/ 4842 static au_event_t 4843 aui_doorfs(au_event_t e) 4844 { 4845 uint32_t code; 4846 4847 struct a { /* doorfs */ 4848 long a1; 4849 long a2; 4850 long a3; 4851 long a4; 4852 long a5; 4853 long code; 4854 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4855 4856 /* 4857 * audit formats for several of the 4858 * door calls have not yet been determined 4859 */ 4860 code = (uint32_t)uap->code; 4861 switch (code) { 4862 case DOOR_CALL: 4863 e = AUE_DOORFS_DOOR_CALL; 4864 break; 4865 case DOOR_RETURN: 4866 e = AUE_NULL; 4867 break; 4868 case DOOR_CREATE: 4869 e = AUE_DOORFS_DOOR_CREATE; 4870 break; 4871 case DOOR_REVOKE: 4872 e = AUE_DOORFS_DOOR_REVOKE; 4873 break; 4874 case DOOR_INFO: 4875 e = AUE_NULL; 4876 break; 4877 case DOOR_UCRED: 4878 e = AUE_NULL; 4879 break; 4880 case DOOR_BIND: 4881 e = AUE_NULL; 4882 break; 4883 case DOOR_UNBIND: 4884 e = AUE_NULL; 4885 break; 4886 case DOOR_GETPARAM: 4887 e = AUE_NULL; 4888 break; 4889 case DOOR_SETPARAM: 4890 e = AUE_NULL; 4891 break; 4892 default: /* illegal system call */ 4893 e = AUE_NULL; 4894 break; 4895 } 4896 4897 return (e); 4898 } 4899 4900 static door_node_t * 4901 au_door_lookup(int did) 4902 { 4903 vnode_t *vp; 4904 file_t *fp; 4905 4906 if ((fp = getf(did)) == NULL) 4907 return (NULL); 4908 /* 4909 * Use the underlying vnode (we may be namefs mounted) 4910 */ 4911 if (VOP_REALVP(fp->f_vnode, &vp)) 4912 vp = fp->f_vnode; 4913 4914 if (vp == NULL || vp->v_type != VDOOR) { 4915 releasef(did); 4916 return (NULL); 4917 } 4918 4919 return (VTOD(vp)); 4920 } 4921 4922 /*ARGSUSED*/ 4923 static void 4924 aus_doorfs(struct t_audit_data *tad) 4925 { 4926 4927 struct a { /* doorfs */ 4928 long a1; 4929 long a2; 4930 long a3; 4931 long a4; 4932 long a5; 4933 long code; 4934 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4935 4936 door_node_t *dp; 4937 struct proc *p; 4938 uint32_t did; 4939 uid_t uid, ruid; 4940 gid_t gid, rgid; 4941 pid_t pid; 4942 const auditinfo_addr_t *ainfo; 4943 cred_t *cr; 4944 4945 did = (uint32_t)uap->a1; 4946 4947 switch (tad->tad_event) { 4948 case AUE_DOORFS_DOOR_CALL: 4949 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4950 if ((dp = au_door_lookup(did)) == NULL) 4951 break; 4952 4953 if (DOOR_INVALID(dp)) { 4954 releasef(did); 4955 break; 4956 } 4957 4958 if ((p = dp->door_target) == NULL) { 4959 releasef(did); 4960 break; 4961 } 4962 mutex_enter(&p->p_lock); 4963 releasef(did); 4964 4965 pid = p->p_pid; 4966 4967 mutex_enter(&p->p_crlock); 4968 crhold(cr = p->p_cred); 4969 mutex_exit(&p->p_crlock); 4970 mutex_exit(&p->p_lock); 4971 4972 ainfo = crgetauinfo(cr); 4973 if (ainfo == NULL) { 4974 crfree(cr); 4975 return; 4976 } 4977 uid = crgetuid(cr); 4978 gid = crgetgid(cr); 4979 ruid = crgetruid(cr); 4980 rgid = crgetrgid(cr); 4981 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4982 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4983 crfree(cr); 4984 break; 4985 case AUE_DOORFS_DOOR_RETURN: 4986 /* 4987 * We may want to write information about 4988 * all doors (if any) which will be copied 4989 * by this call to the user space 4990 */ 4991 break; 4992 case AUE_DOORFS_DOOR_CREATE: 4993 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 4994 break; 4995 case AUE_DOORFS_DOOR_REVOKE: 4996 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4997 break; 4998 case AUE_DOORFS_DOOR_INFO: 4999 break; 5000 case AUE_DOORFS_DOOR_CRED: 5001 break; 5002 case AUE_DOORFS_DOOR_BIND: 5003 break; 5004 case AUE_DOORFS_DOOR_UNBIND: { 5005 break; 5006 } 5007 default: /* illegal system call */ 5008 break; 5009 } 5010 } 5011 5012 /*ARGSUSED*/ 5013 static au_event_t 5014 aui_acl(au_event_t e) 5015 { 5016 struct a { 5017 union { 5018 long name; /* char */ 5019 long fd; 5020 } obj; 5021 5022 long cmd; 5023 long nentries; 5024 long arg; /* aclent_t */ 5025 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5026 5027 switch (uap->cmd) { 5028 case SETACL: 5029 /* ok, acl(SETACL, ...) and facl(SETACL, ...) are expected. */ 5030 break; 5031 case GETACL: 5032 case GETACLCNT: 5033 /* do nothing for these two values. */ 5034 e = AUE_NULL; 5035 break; 5036 default: 5037 /* illegal system call */ 5038 break; 5039 } 5040 5041 return (e); 5042 } 5043 5044 5045 /*ARGSUSED*/ 5046 static void 5047 aus_acl(struct t_audit_data *tad) 5048 { 5049 struct a { 5050 long fname; 5051 long cmd; 5052 long nentries; 5053 long aclbufp; 5054 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5055 struct acl *aclbufp; 5056 5057 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5058 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5059 5060 switch (uap->cmd) { 5061 case GETACL: 5062 case GETACLCNT: 5063 break; 5064 case SETACL: 5065 if (uap->nentries < 3) 5066 break; 5067 else { 5068 size_t a_size = uap->nentries * sizeof (struct acl); 5069 int i; 5070 5071 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5072 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5073 kmem_free(aclbufp, a_size); 5074 break; 5075 } 5076 for (i = 0; i < uap->nentries; i++) { 5077 au_uwrite(au_to_acl(aclbufp + i)); 5078 } 5079 kmem_free(aclbufp, a_size); 5080 break; 5081 } 5082 default: 5083 break; 5084 } 5085 } 5086 5087 /*ARGSUSED*/ 5088 static void 5089 aus_facl(struct t_audit_data *tad) 5090 { 5091 struct a { 5092 long fd; 5093 long cmd; 5094 long nentries; 5095 long aclbufp; 5096 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5097 struct file *fp; 5098 struct vnode *vp; 5099 struct f_audit_data *fad; 5100 struct acl *aclbufp; 5101 int fd; 5102 5103 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5104 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5105 5106 fd = (int)uap->fd; 5107 5108 if ((fp = getf(fd)) == NULL) 5109 return; 5110 5111 /* get path from file struct here */ 5112 fad = F2A(fp); 5113 if (fad->fad_aupath != NULL) { 5114 au_uwrite(au_to_path(fad->fad_aupath)); 5115 } else { 5116 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5117 } 5118 5119 vp = fp->f_vnode; 5120 audit_attributes(vp); 5121 5122 /* decrement file descriptor reference count */ 5123 releasef(fd); 5124 5125 switch (uap->cmd) { 5126 case GETACL: 5127 case GETACLCNT: 5128 break; 5129 case SETACL: 5130 if (uap->nentries < 3) 5131 break; 5132 else { 5133 size_t a_size = uap->nentries * sizeof (struct acl); 5134 int i; 5135 5136 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5137 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5138 kmem_free(aclbufp, a_size); 5139 break; 5140 } 5141 for (i = 0; i < uap->nentries; i++) { 5142 au_uwrite(au_to_acl(aclbufp + i)); 5143 } 5144 kmem_free(aclbufp, a_size); 5145 break; 5146 } 5147 default: 5148 break; 5149 } 5150 } 5151 5152 /*ARGSUSED*/ 5153 static void 5154 auf_read(tad, error, rval) 5155 struct t_audit_data *tad; 5156 int error; 5157 rval_t *rval; 5158 { 5159 struct file *fp; 5160 struct f_audit_data *fad; 5161 int fd; 5162 register struct a { 5163 long fd; 5164 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5165 au_kcontext_t *kctx = SET_KCTX_PZ; 5166 5167 fd = (int)uap->fd; 5168 5169 /* 5170 * convert file pointer to file descriptor 5171 * Note: fd ref count incremented here. 5172 */ 5173 if ((fp = getf(fd)) == NULL) 5174 return; 5175 5176 /* get path from file struct here */ 5177 fad = F2A(fp); 5178 ASSERT(fad); 5179 5180 /* 5181 * already processed this file for read attempt 5182 * 5183 * XXX might be better to turn off auditing in a aui_read() routine. 5184 */ 5185 if (fad->fad_flags & FAD_READ) { 5186 /* don't really want to audit every read attempt */ 5187 tad->tad_flag = 0; 5188 /* free any residual audit data */ 5189 au_close(kctx, &(u_ad), 0, 0, 0); 5190 releasef(fd); 5191 return; 5192 } 5193 /* mark things so we know what happened and don't repeat things */ 5194 fad->fad_flags |= FAD_READ; 5195 5196 if (fad->fad_aupath != NULL) { 5197 au_uwrite(au_to_path(fad->fad_aupath)); 5198 } else { 5199 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5200 } 5201 5202 /* include attributes */ 5203 audit_attributes(fp->f_vnode); 5204 5205 /* decrement file descriptor reference count */ 5206 releasef(fd); 5207 } 5208 5209 /*ARGSUSED*/ 5210 static void 5211 auf_write(tad, error, rval) 5212 struct t_audit_data *tad; 5213 int error; 5214 rval_t *rval; 5215 { 5216 struct file *fp; 5217 struct f_audit_data *fad; 5218 int fd; 5219 register struct a { 5220 long fd; 5221 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5222 au_kcontext_t *kctx = SET_KCTX_PZ; 5223 5224 fd = (int)uap->fd; 5225 5226 /* 5227 * convert file pointer to file descriptor 5228 * Note: fd ref count incremented here. 5229 */ 5230 if ((fp = getf(fd)) == NULL) 5231 return; 5232 5233 /* get path from file struct here */ 5234 fad = F2A(fp); 5235 ASSERT(fad); 5236 5237 /* 5238 * already processed this file for write attempt 5239 * 5240 * XXX might be better to turn off auditing in a aus_write() routine. 5241 */ 5242 if (fad->fad_flags & FAD_WRITE) { 5243 /* don't really want to audit every write attempt */ 5244 tad->tad_flag = 0; 5245 /* free any residual audit data */ 5246 au_close(kctx, &(u_ad), 0, 0, 0); 5247 releasef(fd); 5248 return; 5249 } 5250 /* mark things so we know what happened and don't repeat things */ 5251 fad->fad_flags |= FAD_WRITE; 5252 5253 if (fad->fad_aupath != NULL) { 5254 au_uwrite(au_to_path(fad->fad_aupath)); 5255 } else { 5256 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5257 } 5258 5259 /* include attributes */ 5260 audit_attributes(fp->f_vnode); 5261 5262 /* decrement file descriptor reference count */ 5263 releasef(fd); 5264 } 5265 5266 /*ARGSUSED*/ 5267 static void 5268 auf_recv(tad, error, rval) 5269 struct t_audit_data *tad; 5270 int error; 5271 rval_t *rval; 5272 { 5273 struct sonode *so; 5274 char so_laddr[sizeof (struct sockaddr_in6)]; 5275 char so_faddr[sizeof (struct sockaddr_in6)]; 5276 struct file *fp; 5277 struct f_audit_data *fad; 5278 int fd; 5279 int err; 5280 int len; 5281 short so_family, so_type; 5282 register struct a { 5283 long fd; 5284 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5285 au_kcontext_t *kctx = SET_KCTX_PZ; 5286 5287 /* 5288 * If there was an error, then nothing to do. Only generate 5289 * audit record on first successful recv. 5290 */ 5291 if (error) { 5292 /* Turn off audit record generation here. */ 5293 tad->tad_flag = 0; 5294 /* free any residual audit data */ 5295 au_close(kctx, &(u_ad), 0, 0, 0); 5296 return; 5297 } 5298 5299 fd = (int)uap->fd; 5300 5301 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5302 /* Turn off audit record generation here. */ 5303 tad->tad_flag = 0; 5304 /* free any residual audit data */ 5305 au_close(kctx, &(u_ad), 0, 0, 0); 5306 return; 5307 } 5308 5309 /* get path from file struct here */ 5310 fad = F2A(fp); 5311 ASSERT(fad); 5312 5313 /* 5314 * already processed this file for read attempt 5315 */ 5316 if (fad->fad_flags & FAD_READ) { 5317 releasef(fd); 5318 /* don't really want to audit every recv call */ 5319 tad->tad_flag = 0; 5320 /* free any residual audit data */ 5321 au_close(kctx, &(u_ad), 0, 0, 0); 5322 return; 5323 } 5324 5325 /* mark things so we know what happened and don't repeat things */ 5326 fad->fad_flags |= FAD_READ; 5327 5328 so_family = so->so_family; 5329 so_type = so->so_type; 5330 5331 switch (so_family) { 5332 case AF_INET: 5333 case AF_INET6: 5334 /* 5335 * Only for connections. 5336 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5337 */ 5338 if (so->so_state & SS_ISBOUND) { 5339 5340 bzero((void *)so_laddr, sizeof (so_laddr)); 5341 bzero((void *)so_faddr, sizeof (so_faddr)); 5342 5343 /* only done once on a connection */ 5344 (void) SOP_GETSOCKNAME(so); 5345 (void) SOP_GETPEERNAME(so); 5346 5347 /* get local and foreign addresses */ 5348 mutex_enter(&so->so_lock); 5349 len = min(so->so_laddr_len, sizeof (so_laddr)); 5350 bcopy(so->so_laddr_sa, so_laddr, len); 5351 len = min(so->so_faddr_len, sizeof (so_faddr)); 5352 bcopy(so->so_faddr_sa, so_faddr, len); 5353 mutex_exit(&so->so_lock); 5354 5355 /* 5356 * only way to drop out of switch. Note that we 5357 * we release fd below. 5358 */ 5359 5360 break; 5361 } 5362 5363 releasef(fd); 5364 5365 /* don't really want to audit every recv call */ 5366 tad->tad_flag = 0; 5367 /* free any residual audit data */ 5368 au_close(kctx, &(u_ad), 0, 0, 0); 5369 5370 return; 5371 5372 case AF_UNIX: 5373 5374 if (fad->fad_aupath != NULL) { 5375 au_uwrite(au_to_path(fad->fad_aupath)); 5376 } else { 5377 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5378 } 5379 5380 audit_attributes(fp->f_vnode); 5381 5382 releasef(fd); 5383 5384 return; 5385 5386 default: 5387 releasef(fd); 5388 5389 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5390 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5391 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5392 5393 return; 5394 } 5395 5396 releasef(fd); 5397 5398 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5399 5400 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5401 5402 } 5403 5404 /*ARGSUSED*/ 5405 static void 5406 auf_send(tad, error, rval) 5407 struct t_audit_data *tad; 5408 int error; 5409 rval_t *rval; 5410 { 5411 struct sonode *so; 5412 char so_laddr[sizeof (struct sockaddr_in6)]; 5413 char so_faddr[sizeof (struct sockaddr_in6)]; 5414 struct file *fp; 5415 struct f_audit_data *fad; 5416 int fd; 5417 int err; 5418 int len; 5419 short so_family, so_type; 5420 register struct a { 5421 long fd; 5422 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5423 au_kcontext_t *kctx = SET_KCTX_PZ; 5424 5425 fd = (int)uap->fd; 5426 5427 /* 5428 * If there was an error, then nothing to do. Only generate 5429 * audit record on first successful send. 5430 */ 5431 if (error != 0) { 5432 /* Turn off audit record generation here. */ 5433 tad->tad_flag = 0; 5434 /* free any residual audit data */ 5435 au_close(kctx, &(u_ad), 0, 0, 0); 5436 return; 5437 } 5438 5439 fd = (int)uap->fd; 5440 5441 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5442 /* Turn off audit record generation here. */ 5443 tad->tad_flag = 0; 5444 /* free any residual audit data */ 5445 au_close(kctx, &(u_ad), 0, 0, 0); 5446 return; 5447 } 5448 5449 /* get path from file struct here */ 5450 fad = F2A(fp); 5451 ASSERT(fad); 5452 5453 /* 5454 * already processed this file for write attempt 5455 */ 5456 if (fad->fad_flags & FAD_WRITE) { 5457 releasef(fd); 5458 /* don't really want to audit every send call */ 5459 tad->tad_flag = 0; 5460 /* free any residual audit data */ 5461 au_close(kctx, &(u_ad), 0, 0, 0); 5462 return; 5463 } 5464 5465 /* mark things so we know what happened and don't repeat things */ 5466 fad->fad_flags |= FAD_WRITE; 5467 5468 so_family = so->so_family; 5469 so_type = so->so_type; 5470 5471 switch (so_family) { 5472 case AF_INET: 5473 case AF_INET6: 5474 /* 5475 * Only for connections. 5476 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5477 */ 5478 if (so->so_state & SS_ISBOUND) { 5479 5480 bzero((void *)so_laddr, sizeof (so_laddr)); 5481 bzero((void *)so_faddr, sizeof (so_faddr)); 5482 5483 /* only done once on a connection */ 5484 (void) SOP_GETSOCKNAME(so); 5485 (void) SOP_GETPEERNAME(so); 5486 5487 /* get local and foreign addresses */ 5488 mutex_enter(&so->so_lock); 5489 len = min(so->so_laddr_len, sizeof (so_laddr)); 5490 bcopy(so->so_laddr_sa, so_laddr, len); 5491 len = min(so->so_faddr_len, sizeof (so_faddr)); 5492 bcopy(so->so_faddr_sa, so_faddr, len); 5493 mutex_exit(&so->so_lock); 5494 5495 /* 5496 * only way to drop out of switch. Note that we 5497 * we release fd below. 5498 */ 5499 5500 break; 5501 } 5502 5503 releasef(fd); 5504 /* don't really want to audit every send call */ 5505 tad->tad_flag = 0; 5506 /* free any residual audit data */ 5507 au_close(kctx, &(u_ad), 0, 0, 0); 5508 5509 return; 5510 5511 case AF_UNIX: 5512 5513 if (fad->fad_aupath != NULL) { 5514 au_uwrite(au_to_path(fad->fad_aupath)); 5515 } else { 5516 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5517 } 5518 5519 audit_attributes(fp->f_vnode); 5520 5521 releasef(fd); 5522 5523 return; 5524 5525 default: 5526 releasef(fd); 5527 5528 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5529 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5530 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5531 5532 return; 5533 } 5534 5535 releasef(fd); 5536 5537 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5538 5539 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5540 } 5541