1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * This file contains the audit event table used to control the production 28 * of audit records for each system call. 29 */ 30 31 #include <sys/policy.h> 32 #include <sys/cred.h> 33 #include <sys/types.h> 34 #include <sys/systm.h> 35 #include <sys/systeminfo.h> /* for sysinfo auditing */ 36 #include <sys/utsname.h> /* for sysinfo auditing */ 37 #include <sys/proc.h> 38 #include <sys/vnode.h> 39 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 40 #include <sys/fcntl.h> 41 #include <sys/modctl.h> /* for modctl auditing */ 42 #include <sys/vnode.h> 43 #include <sys/user.h> 44 #include <sys/types.h> 45 #include <sys/processor.h> 46 #include <sys/procset.h> 47 #include <sys/acl.h> 48 #include <sys/ipc.h> 49 #include <sys/door.h> 50 #include <sys/sem.h> 51 #include <sys/msg.h> 52 #include <sys/shm.h> 53 #include <sys/kmem.h> 54 #include <sys/file.h> /* for accept */ 55 #include <sys/utssys.h> /* for fuser */ 56 #include <sys/tsol/label.h> 57 #include <sys/tsol/tndb.h> 58 #include <sys/tsol/tsyscall.h> 59 #include <c2/audit.h> 60 #include <c2/audit_kernel.h> 61 #include <c2/audit_kevents.h> 62 #include <c2/audit_record.h> 63 #include <sys/procset.h> 64 #include <nfs/mount.h> 65 #include <sys/param.h> 66 #include <sys/debug.h> 67 #include <sys/sysmacros.h> 68 #include <sys/stream.h> 69 #include <sys/strsubr.h> 70 #include <sys/stropts.h> 71 #include <sys/tihdr.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/vfs_opreg.h> 75 #include <fs/sockfs/sockcommon.h> 76 #include <netinet/in.h> 77 #include <sys/ddi.h> 78 #include <sys/port_impl.h> 79 80 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_fchownat(au_event_t); 84 static au_event_t aui_fchmodat(au_event_t); 85 static au_event_t aui_open(au_event_t); 86 static au_event_t aui_openat(au_event_t); 87 static au_event_t aui_unlinkat(au_event_t); 88 static au_event_t aui_fstatat(au_event_t); 89 static au_event_t aui_msgsys(au_event_t); 90 static au_event_t aui_shmsys(au_event_t); 91 static au_event_t aui_semsys(au_event_t); 92 static au_event_t aui_utssys(au_event_t); 93 static au_event_t aui_fcntl(au_event_t); 94 static au_event_t aui_execve(au_event_t); 95 static au_event_t aui_memcntl(au_event_t); 96 static au_event_t aui_sysinfo(au_event_t); 97 static au_event_t aui_portfs(au_event_t); 98 static au_event_t aui_auditsys(au_event_t); 99 static au_event_t aui_modctl(au_event_t); 100 static au_event_t aui_acl(au_event_t); 101 static au_event_t aui_doorfs(au_event_t); 102 static au_event_t aui_privsys(au_event_t); 103 static au_event_t aui_forksys(au_event_t); 104 static au_event_t aui_labelsys(au_event_t); 105 static au_event_t aui_setpgrp(au_event_t); 106 107 static void aus_exit(struct t_audit_data *); 108 static void aus_open(struct t_audit_data *); 109 static void aus_openat(struct t_audit_data *); 110 static void aus_acl(struct t_audit_data *); 111 static void aus_acct(struct t_audit_data *); 112 static void aus_chown(struct t_audit_data *); 113 static void aus_fchown(struct t_audit_data *); 114 static void aus_lchown(struct t_audit_data *); 115 static void aus_fchownat(struct t_audit_data *); 116 static void aus_chmod(struct t_audit_data *); 117 static void aus_facl(struct t_audit_data *); 118 static void aus_fchmod(struct t_audit_data *); 119 static void aus_fchmodat(struct t_audit_data *); 120 static void aus_fcntl(struct t_audit_data *); 121 static void aus_mkdir(struct t_audit_data *); 122 static void aus_mkdirat(struct t_audit_data *); 123 static void aus_mknod(struct t_audit_data *); 124 static void aus_mknodat(struct t_audit_data *); 125 static void aus_mount(struct t_audit_data *); 126 static void aus_umount2(struct t_audit_data *); 127 static void aus_msgsys(struct t_audit_data *); 128 static void aus_semsys(struct t_audit_data *); 129 static void aus_close(struct t_audit_data *); 130 static void aus_fstatfs(struct t_audit_data *); 131 static void aus_setgid(struct t_audit_data *); 132 static void aus_setpgrp(struct t_audit_data *); 133 static void aus_setuid(struct t_audit_data *); 134 static void aus_shmsys(struct t_audit_data *); 135 static void aus_doorfs(struct t_audit_data *); 136 static void aus_ioctl(struct t_audit_data *); 137 static void aus_memcntl(struct t_audit_data *); 138 static void aus_mmap(struct t_audit_data *); 139 static void aus_munmap(struct t_audit_data *); 140 static void aus_priocntlsys(struct t_audit_data *); 141 static void aus_setegid(struct t_audit_data *); 142 static void aus_setgroups(struct t_audit_data *); 143 static void aus_seteuid(struct t_audit_data *); 144 static void aus_putmsg(struct t_audit_data *); 145 static void aus_putpmsg(struct t_audit_data *); 146 static void aus_getmsg(struct t_audit_data *); 147 static void aus_getpmsg(struct t_audit_data *); 148 static void aus_auditsys(struct t_audit_data *); 149 static void aus_sysinfo(struct t_audit_data *); 150 static void aus_modctl(struct t_audit_data *); 151 static void aus_kill(struct t_audit_data *); 152 static void aus_setregid(struct t_audit_data *); 153 static void aus_setreuid(struct t_audit_data *); 154 static void aus_labelsys(struct t_audit_data *); 155 156 static void auf_mknod(struct t_audit_data *, int, rval_t *); 157 static void auf_mknodat(struct t_audit_data *, int, rval_t *); 158 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 159 static void auf_semsys(struct t_audit_data *, int, rval_t *); 160 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 161 static void auf_read(struct t_audit_data *, int, rval_t *); 162 static void auf_write(struct t_audit_data *, int, rval_t *); 163 164 static void aus_sigqueue(struct t_audit_data *); 165 static void aus_p_online(struct t_audit_data *); 166 static void aus_processor_bind(struct t_audit_data *); 167 static void aus_inst_sync(struct t_audit_data *); 168 static void aus_brandsys(struct t_audit_data *); 169 170 static void auf_accept(struct t_audit_data *, int, rval_t *); 171 172 static void auf_bind(struct t_audit_data *, int, rval_t *); 173 static void auf_connect(struct t_audit_data *, int, rval_t *); 174 static void aus_shutdown(struct t_audit_data *); 175 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 176 static void aus_sockconfig(struct t_audit_data *); 177 static void auf_recv(struct t_audit_data *, int, rval_t *); 178 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 179 static void auf_send(struct t_audit_data *, int, rval_t *); 180 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 181 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 182 static void auf_sendto(struct t_audit_data *, int, rval_t *); 183 static void aus_socket(struct t_audit_data *); 184 /* 185 * This table contains mapping information for converting system call numbers 186 * to audit event IDs. In several cases it is necessary to map a single system 187 * call to several events. 188 */ 189 190 #define aui_null NULL /* NULL initialize function */ 191 #define aus_null NULL /* NULL start function */ 192 #define auf_null NULL /* NULL finish function */ 193 194 struct audit_s2e audit_s2e[] = 195 { 196 /* 197 * ---------- ---------- ---------- ---------- 198 * INITIAL AUDIT START SYSTEM 199 * PROCESSING EVENT PROCESSING CALL 200 * ---------- ---------- ---------- ----------- 201 * FINISH EVENT 202 * PROCESSING CONTROL 203 * ---------------------------------------------------------- 204 */ 205 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 206 auf_null, 0, 207 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 208 auf_null, S2E_NPT, 209 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 210 auf_null, 0, 211 aui_null, AUE_READ, aus_null, /* 3 read */ 212 auf_read, S2E_PUB, 213 aui_null, AUE_WRITE, aus_null, /* 4 write */ 214 auf_write, 0, 215 aui_open, AUE_OPEN, aus_open, /* 5 open */ 216 auf_null, S2E_SP, 217 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 218 auf_null, 0, 219 aui_null, AUE_LINK, aus_null, /* 7 linkat */ 220 auf_null, 0, 221 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 222 auf_null, 0, 223 aui_null, AUE_LINK, aus_null, /* 9 link */ 224 auf_null, 0, 225 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 226 auf_null, 0, 227 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */ 228 auf_null, 0, 229 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 230 auf_null, S2E_SP, 231 aui_null, AUE_NULL, aus_null, /* 13 time */ 232 auf_null, 0, 233 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 234 auf_mknod, S2E_MLD, 235 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 236 auf_null, 0, 237 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 238 auf_null, 0, 239 aui_null, AUE_NULL, aus_null, /* 17 brk */ 240 auf_null, 0, 241 aui_null, AUE_STAT, aus_null, /* 18 stat */ 242 auf_null, S2E_PUB, 243 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 244 auf_null, 0, 245 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 246 auf_null, 0, 247 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 248 auf_null, S2E_MLD, 249 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */ 250 auf_null, S2E_PUB, 251 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 254 auf_null, 0, 255 aui_null, AUE_STIME, aus_null, /* 25 stime */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 29 pause */ 264 auf_null, 0, 265 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 266 auf_null, 0, 267 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 268 auf_null, 0, 269 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 270 auf_null, 0, 271 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 272 auf_null, S2E_PUB, 273 aui_null, AUE_NICE, aus_null, /* 34 nice */ 274 auf_null, 0, 275 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 276 auf_null, S2E_PUB, 277 aui_null, AUE_NULL, aus_null, /* 36 sync */ 278 auf_null, 0, 279 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 280 auf_null, 0, 281 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 282 auf_null, S2E_PUB, 283 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 288 auf_null, 0, 289 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 290 auf_null, 0, 291 aui_null, AUE_NULL, aus_null, /* 43 times */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 44 profil */ 294 auf_null, 0, 295 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 296 auf_null, S2E_PUB, 297 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 298 auf_null, 0, 299 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 300 auf_null, 0, 301 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */ 302 auf_mknodat, S2E_MLD, 303 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 304 auf_msgsys, 0, 305 #if defined(__x86) 306 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 307 auf_null, 0, 308 #else 309 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 310 auf_null, 0, 311 #endif /* __x86 */ 312 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 313 auf_null, 0, 314 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 315 auf_shmsys, 0, 316 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 317 auf_semsys, 0, 318 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 319 auf_null, 0, 320 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 321 auf_null, 0, 322 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 323 auf_null, 0, 324 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 325 auf_null, 0, 326 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 327 auf_null, 0, 328 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 329 auf_null, S2E_MLD, 330 aui_null, AUE_NULL, aus_null, /* 60 umask */ 331 auf_null, 0, 332 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 333 auf_null, S2E_SP, 334 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 337 auf_null, 0, 338 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 339 auf_null, 0, 340 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 341 auf_null, 0, 342 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 343 auf_null, S2E_PUB, 344 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 345 auf_null, S2E_PUB, 346 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 347 auf_null, S2E_SP, 348 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 349 auf_null, S2E_SP, 350 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 363 auf_null, 0, 364 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 365 auf_null, 0, 366 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 367 auf_null, 0, 368 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 369 auf_null, 0, 370 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 373 auf_null, 0, 374 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 379 auf_null, 0, 380 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 381 auf_null, 0, 382 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 383 auf_null, 0, 384 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 385 auf_null, 0, 386 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 387 auf_null, S2E_PUB, 388 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 389 auf_null, 0, 390 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 391 auf_null, S2E_PUB, 392 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 395 auf_null, 0, 396 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 397 auf_null, 0, 398 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 411 auf_null, 0, 412 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */ 413 auf_null, 0, 414 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */ 415 auf_null, 0, 416 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 417 auf_null, S2E_PUB, 418 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 427 auf_null, 0, 428 #if defined(__x86) 429 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 430 auf_null, 0, 431 #else 432 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 433 auf_null, 0, 434 #endif /* __x86 */ 435 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 436 auf_null, 0, 437 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 438 auf_null, 0, 439 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 440 auf_null, 0, 441 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 442 auf_null, S2E_PUB, 443 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 444 auf_null, 0, 445 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 446 auf_null, 0, 447 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 448 auf_null, 0, 449 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 450 auf_null, 0, 451 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 452 auf_null, 0, 453 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 454 auf_null, 0, 455 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 456 auf_null, 0, 457 aui_null, AUE_READ, aus_null, /* 121 readv */ 458 auf_read, S2E_PUB, 459 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 460 auf_write, 0, 461 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 462 auf_null, 0, 463 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 464 auf_null, 0, 465 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 466 auf_null, 0, 467 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 468 auf_null, 0, 469 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 470 auf_null, 0, 471 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 472 auf_null, 0, 473 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 474 auf_null, 0, 475 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 476 auf_null, 0, 477 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 478 auf_null, 0, 479 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 480 auf_null, 0, 481 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 482 auf_null, 0, 483 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 484 auf_null, 0, 485 aui_null, AUE_NULL, aus_null, /* 135 uname */ 486 auf_null, 0, 487 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 490 auf_null, 0, 491 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 492 auf_null, 0, 493 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 496 auf_null, 0, 497 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 498 auf_null, 0, 499 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 146 yield */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 510 /* was lwp_sema_wait */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 517 auf_null, 0, 518 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 519 auf_null, 0, 520 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 521 auf_null, 0, 522 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 555 /* was lwp_mutex_lock */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 562 auf_null, 0, 563 aui_null, AUE_READ, aus_null, /* 173 pread */ 564 auf_read, S2E_PUB, 565 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 566 auf_write, 0, 567 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 568 auf_null, 0, 569 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 570 auf_null, 0, 571 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 580 auf_null, 0, 581 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 582 auf_null, S2E_MLD, 583 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 584 auf_null, 0, 585 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 586 auf_null, 0, 587 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 588 auf_null, 0, 589 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 590 auf_null, 0, 591 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 594 auf_null, 0, 595 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 600 auf_null, 0, 601 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 616 auf_null, 0, 617 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 618 auf_null, 0, 619 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 620 auf_null, 0, 621 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 622 auf_null, 0, 623 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 644 auf_null, 0, 645 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 646 auf_null, 0, 647 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 652 auf_null, 0, 653 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 654 auf_null, S2E_PUB, 655 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 656 auf_null, 0, 657 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 658 auf_null, 0, 659 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 660 auf_null, 0, 661 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 662 auf_read, S2E_PUB, 663 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 664 auf_write, 0, 665 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 666 auf_null, 0, 667 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 668 auf_null, S2E_SP, 669 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 227 zone */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 676 auf_null, 0, 677 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 678 auf_null, 0, 679 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 680 auf_null, 0, 681 aui_null, AUE_BIND, aus_null, /* 232 bind */ 682 auf_bind, 0, 683 aui_null, AUE_NULL, aus_null, /* 233 listen */ 684 auf_null, 0, 685 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 686 auf_accept, 0, 687 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 688 auf_connect, 0, 689 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 690 auf_null, 0, 691 aui_null, AUE_READ, aus_null, /* 237 recv */ 692 auf_recv, 0, 693 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 694 auf_recvfrom, 0, 695 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 696 auf_recvmsg, 0, 697 aui_null, AUE_WRITE, aus_null, /* 240 send */ 698 auf_send, 0, 699 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 700 auf_sendmsg, 0, 701 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 702 auf_sendto, 0, 703 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 704 auf_null, 0, 705 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 708 auf_null, 0, 709 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 710 auf_setsockopt, 0, 711 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 714 auf_null, 0, 715 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 726 auf_null, 0, 727 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 728 auf_null, 0 729 }; 730 731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 732 733 734 /* exit start function */ 735 /*ARGSUSED*/ 736 static void 737 aus_exit(struct t_audit_data *tad) 738 { 739 uint32_t rval; 740 struct a { 741 long rval; 742 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 743 744 rval = (uint32_t)uap->rval; 745 au_uwrite(au_to_arg32(1, "exit status", rval)); 746 } 747 748 /* acct start function */ 749 /*ARGSUSED*/ 750 static void 751 aus_acct(struct t_audit_data *tad) 752 { 753 klwp_t *clwp = ttolwp(curthread); 754 uintptr_t fname; 755 756 struct a { 757 long fname; /* char * */ 758 } *uap = (struct a *)clwp->lwp_ap; 759 760 fname = (uintptr_t)uap->fname; 761 762 if (fname == 0) 763 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 764 } 765 766 /* chown start function */ 767 /*ARGSUSED*/ 768 static void 769 aus_chown(struct t_audit_data *tad) 770 { 771 klwp_t *clwp = ttolwp(curthread); 772 uint32_t uid, gid; 773 774 struct a { 775 long fname; /* char * */ 776 long uid; 777 long gid; 778 } *uap = (struct a *)clwp->lwp_ap; 779 780 uid = (uint32_t)uap->uid; 781 gid = (uint32_t)uap->gid; 782 783 au_uwrite(au_to_arg32(2, "new file uid", uid)); 784 au_uwrite(au_to_arg32(3, "new file gid", gid)); 785 } 786 787 /* fchown start function */ 788 /*ARGSUSED*/ 789 static void 790 aus_fchown(struct t_audit_data *tad) 791 { 792 klwp_t *clwp = ttolwp(curthread); 793 uint32_t uid, gid, fd; 794 struct file *fp; 795 struct vnode *vp; 796 struct f_audit_data *fad; 797 798 struct a { 799 long fd; 800 long uid; 801 long gid; 802 } *uap = (struct a *)clwp->lwp_ap; 803 804 fd = (uint32_t)uap->fd; 805 uid = (uint32_t)uap->uid; 806 gid = (uint32_t)uap->gid; 807 808 au_uwrite(au_to_arg32(2, "new file uid", uid)); 809 au_uwrite(au_to_arg32(3, "new file gid", gid)); 810 811 /* 812 * convert file pointer to file descriptor 813 * Note: fd ref count incremented here. 814 */ 815 if ((fp = getf(fd)) == NULL) 816 return; 817 818 /* get path from file struct here */ 819 fad = F2A(fp); 820 if (fad->fad_aupath != NULL) { 821 au_uwrite(au_to_path(fad->fad_aupath)); 822 } else { 823 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 824 } 825 826 vp = fp->f_vnode; 827 audit_attributes(vp); 828 829 /* decrement file descriptor reference count */ 830 releasef(fd); 831 } 832 833 /*ARGSUSED*/ 834 static void 835 aus_lchown(struct t_audit_data *tad) 836 { 837 klwp_t *clwp = ttolwp(curthread); 838 uint32_t uid, gid; 839 840 841 struct a { 842 long fname; /* char * */ 843 long uid; 844 long gid; 845 } *uap = (struct a *)clwp->lwp_ap; 846 847 uid = (uint32_t)uap->uid; 848 gid = (uint32_t)uap->gid; 849 850 au_uwrite(au_to_arg32(2, "new file uid", uid)); 851 au_uwrite(au_to_arg32(3, "new file gid", gid)); 852 } 853 854 static au_event_t 855 aui_fchownat(au_event_t e) 856 { 857 klwp_t *clwp = ttolwp(curthread); 858 859 struct a { 860 long fd; 861 long fname; /* char * */ 862 long uid; 863 long gid; 864 long flags; 865 } *uap = (struct a *)clwp->lwp_ap; 866 867 if (uap->fname == NULL) 868 e = AUE_FCHOWN; 869 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 870 e = AUE_LCHOWN; 871 else 872 e = AUE_CHOWN; 873 874 return (e); 875 } 876 877 /*ARGSUSED*/ 878 static void 879 aus_fchownat(struct t_audit_data *tad) 880 { 881 klwp_t *clwp = ttolwp(curthread); 882 uint32_t uid, gid; 883 884 struct a { 885 long fd; 886 long fname; /* char * */ 887 long uid; 888 long gid; 889 long flags; 890 } *uap = (struct a *)clwp->lwp_ap; 891 892 uid = (uint32_t)uap->uid; 893 gid = (uint32_t)uap->gid; 894 895 au_uwrite(au_to_arg32(3, "new file uid", uid)); 896 au_uwrite(au_to_arg32(4, "new file gid", gid)); 897 } 898 899 /*ARGSUSED*/ 900 static void 901 aus_chmod(struct t_audit_data *tad) 902 { 903 klwp_t *clwp = ttolwp(curthread); 904 uint32_t fmode; 905 906 struct a { 907 long fname; /* char * */ 908 long fmode; 909 } *uap = (struct a *)clwp->lwp_ap; 910 911 fmode = (uint32_t)uap->fmode; 912 913 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 914 } 915 916 /*ARGSUSED*/ 917 static void 918 aus_fchmod(struct t_audit_data *tad) 919 { 920 klwp_t *clwp = ttolwp(curthread); 921 uint32_t fmode, fd; 922 struct file *fp; 923 struct vnode *vp; 924 struct f_audit_data *fad; 925 926 struct a { 927 long fd; 928 long fmode; 929 } *uap = (struct a *)clwp->lwp_ap; 930 931 fd = (uint32_t)uap->fd; 932 fmode = (uint32_t)uap->fmode; 933 934 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 935 936 /* 937 * convert file pointer to file descriptor 938 * Note: fd ref count incremented here. 939 */ 940 if ((fp = getf(fd)) == NULL) 941 return; 942 943 /* get path from file struct here */ 944 fad = F2A(fp); 945 if (fad->fad_aupath != NULL) { 946 au_uwrite(au_to_path(fad->fad_aupath)); 947 } else { 948 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 949 } 950 951 vp = fp->f_vnode; 952 audit_attributes(vp); 953 954 /* decrement file descriptor reference count */ 955 releasef(fd); 956 } 957 958 static au_event_t 959 aui_fchmodat(au_event_t e) 960 { 961 klwp_t *clwp = ttolwp(curthread); 962 963 struct a { 964 long fd; 965 long fname; /* char * */ 966 long fmode; 967 long flag; 968 } *uap = (struct a *)clwp->lwp_ap; 969 970 if (uap->fname == NULL) 971 e = AUE_FCHMOD; 972 else 973 e = AUE_CHMOD; 974 975 return (e); 976 } 977 978 /*ARGSUSED*/ 979 static void 980 aus_fchmodat(struct t_audit_data *tad) 981 { 982 klwp_t *clwp = ttolwp(curthread); 983 uint32_t fmode; 984 uint32_t fd; 985 struct file *fp; 986 struct vnode *vp; 987 struct f_audit_data *fad; 988 989 struct a { 990 long fd; 991 long fname; /* char * */ 992 long fmode; 993 long flag; 994 } *uap = (struct a *)clwp->lwp_ap; 995 996 fd = (uint32_t)uap->fd; 997 fmode = (uint32_t)uap->fmode; 998 999 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 1000 1001 if (fd == AT_FDCWD || uap->fname != NULL) /* same as chmod() */ 1002 return; 1003 1004 /* 1005 * convert file pointer to file descriptor 1006 * Note: fd ref count incremented here. 1007 */ 1008 if ((fp = getf(fd)) == NULL) 1009 return; 1010 1011 /* get path from file struct here */ 1012 fad = F2A(fp); 1013 if (fad->fad_aupath != NULL) { 1014 au_uwrite(au_to_path(fad->fad_aupath)); 1015 } else { 1016 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1017 } 1018 1019 vp = fp->f_vnode; 1020 audit_attributes(vp); 1021 1022 /* decrement file descriptor reference count */ 1023 releasef(fd); 1024 } 1025 1026 /* 1027 * convert open mode to appropriate open event 1028 */ 1029 au_event_t 1030 open_event(uint_t fm) 1031 { 1032 au_event_t e; 1033 1034 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) { 1035 case O_RDONLY: 1036 e = AUE_OPEN_R; 1037 break; 1038 case O_RDONLY | O_CREAT: 1039 e = AUE_OPEN_RC; 1040 break; 1041 case O_RDONLY | O_TRUNC: 1042 e = AUE_OPEN_RT; 1043 break; 1044 case O_RDONLY | O_TRUNC | O_CREAT: 1045 e = AUE_OPEN_RTC; 1046 break; 1047 case O_WRONLY: 1048 e = AUE_OPEN_W; 1049 break; 1050 case O_WRONLY | O_CREAT: 1051 e = AUE_OPEN_WC; 1052 break; 1053 case O_WRONLY | O_TRUNC: 1054 e = AUE_OPEN_WT; 1055 break; 1056 case O_WRONLY | O_TRUNC | O_CREAT: 1057 e = AUE_OPEN_WTC; 1058 break; 1059 case O_RDWR: 1060 e = AUE_OPEN_RW; 1061 break; 1062 case O_RDWR | O_CREAT: 1063 e = AUE_OPEN_RWC; 1064 break; 1065 case O_RDWR | O_TRUNC: 1066 e = AUE_OPEN_RWT; 1067 break; 1068 case O_RDWR | O_TRUNC | O_CREAT: 1069 e = AUE_OPEN_RWTC; 1070 break; 1071 case O_SEARCH: 1072 e = AUE_OPEN_S; 1073 break; 1074 case O_EXEC: 1075 e = AUE_OPEN_E; 1076 break; 1077 default: 1078 e = AUE_NULL; 1079 break; 1080 } 1081 1082 return (e); 1083 } 1084 1085 /* ARGSUSED */ 1086 static au_event_t 1087 aui_open(au_event_t e) 1088 { 1089 klwp_t *clwp = ttolwp(curthread); 1090 uint_t fm; 1091 1092 struct a { 1093 long fnamep; /* char * */ 1094 long fmode; 1095 long cmode; 1096 } *uap = (struct a *)clwp->lwp_ap; 1097 1098 fm = (uint_t)uap->fmode; 1099 1100 return (open_event(fm)); 1101 } 1102 1103 static void 1104 aus_open(struct t_audit_data *tad) 1105 { 1106 klwp_t *clwp = ttolwp(curthread); 1107 uint_t fm; 1108 1109 struct a { 1110 long fnamep; /* char * */ 1111 long fmode; 1112 long cmode; 1113 } *uap = (struct a *)clwp->lwp_ap; 1114 1115 fm = (uint_t)uap->fmode; 1116 1117 /* If no write, create, or trunc modes, mark as a public op */ 1118 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1119 tad->tad_ctrl |= TAD_PUBLIC_EV; 1120 } 1121 1122 /* ARGSUSED */ 1123 static au_event_t 1124 aui_openat(au_event_t e) 1125 { 1126 t_audit_data_t *tad = T2A(curthread); 1127 klwp_t *clwp = ttolwp(curthread); 1128 uint_t fm; 1129 1130 struct a { 1131 long filedes; 1132 long fnamep; /* char * */ 1133 long fmode; 1134 long cmode; 1135 } *uap = (struct a *)clwp->lwp_ap; 1136 1137 fm = (uint_t)uap->fmode; 1138 1139 /* 1140 * __openattrdirat() does an extra pathname lookup in order to 1141 * enter the extended system attribute namespace of the referenced 1142 * extended attribute filename. 1143 */ 1144 if (fm & FXATTRDIROPEN) 1145 tad->tad_ctrl |= TAD_MLD; 1146 1147 return (open_event(fm)); 1148 } 1149 1150 static void 1151 aus_openat(struct t_audit_data *tad) 1152 { 1153 klwp_t *clwp = ttolwp(curthread); 1154 uint_t fm; 1155 1156 struct a { 1157 long filedes; 1158 long fnamep; /* char * */ 1159 long fmode; 1160 long cmode; 1161 } *uap = (struct a *)clwp->lwp_ap; 1162 1163 fm = (uint_t)uap->fmode; 1164 1165 /* If no write, create, or trunc modes, mark as a public op */ 1166 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1167 tad->tad_ctrl |= TAD_PUBLIC_EV; 1168 } 1169 1170 static au_event_t 1171 aui_unlinkat(au_event_t e) 1172 { 1173 klwp_t *clwp = ttolwp(curthread); 1174 1175 struct a { 1176 long filedes; 1177 long fnamep; /* char * */ 1178 long flags; 1179 } *uap = (struct a *)clwp->lwp_ap; 1180 1181 if (uap->flags & AT_REMOVEDIR) 1182 e = AUE_RMDIR; 1183 else 1184 e = AUE_UNLINK; 1185 1186 return (e); 1187 } 1188 1189 static au_event_t 1190 aui_fstatat(au_event_t e) 1191 { 1192 klwp_t *clwp = ttolwp(curthread); 1193 1194 struct a { 1195 long filedes; 1196 long fnamep; /* char * */ 1197 long statb; 1198 long flags; 1199 } *uap = (struct a *)clwp->lwp_ap; 1200 1201 if (uap->fnamep == NULL) 1202 e = AUE_FSTAT; 1203 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1204 e = AUE_LSTAT; 1205 else 1206 e = AUE_STAT; 1207 1208 return (e); 1209 } 1210 1211 /* msgsys */ 1212 static au_event_t 1213 aui_msgsys(au_event_t e) 1214 { 1215 klwp_t *clwp = ttolwp(curthread); 1216 uint_t fm; 1217 1218 struct a { 1219 long id; /* function code id */ 1220 long ap; /* arg pointer for recvmsg */ 1221 } *uap = (struct a *)clwp->lwp_ap; 1222 1223 struct b { 1224 long msgid; 1225 long cmd; 1226 long buf; /* struct msqid_ds * */ 1227 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1228 1229 fm = (uint_t)uap->id; 1230 1231 switch (fm) { 1232 case 0: /* msgget */ 1233 e = AUE_MSGGET; 1234 break; 1235 case 1: /* msgctl */ 1236 switch ((uint_t)uap1->cmd) { 1237 case IPC_RMID: 1238 e = AUE_MSGCTL_RMID; 1239 break; 1240 case IPC_SET: 1241 e = AUE_MSGCTL_SET; 1242 break; 1243 case IPC_STAT: 1244 e = AUE_MSGCTL_STAT; 1245 break; 1246 default: 1247 e = AUE_MSGCTL; 1248 break; 1249 } 1250 break; 1251 case 2: /* msgrcv */ 1252 e = AUE_MSGRCV; 1253 break; 1254 case 3: /* msgsnd */ 1255 e = AUE_MSGSND; 1256 break; 1257 default: /* illegal system call */ 1258 e = AUE_NULL; 1259 break; 1260 } 1261 1262 return (e); 1263 } 1264 1265 1266 /* shmsys */ 1267 static au_event_t 1268 aui_shmsys(au_event_t e) 1269 { 1270 klwp_t *clwp = ttolwp(curthread); 1271 int fm; 1272 1273 struct a { /* shmsys */ 1274 long id; /* function code id */ 1275 } *uap = (struct a *)clwp->lwp_ap; 1276 1277 struct b { /* ctrl */ 1278 long shmid; 1279 long cmd; 1280 long arg; /* struct shmid_ds * */ 1281 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1282 fm = (uint_t)uap->id; 1283 1284 switch (fm) { 1285 case 0: /* shmat */ 1286 e = AUE_SHMAT; 1287 break; 1288 case 1: /* shmctl */ 1289 switch ((uint_t)uap1->cmd) { 1290 case IPC_RMID: 1291 e = AUE_SHMCTL_RMID; 1292 break; 1293 case IPC_SET: 1294 e = AUE_SHMCTL_SET; 1295 break; 1296 case IPC_STAT: 1297 e = AUE_SHMCTL_STAT; 1298 break; 1299 default: 1300 e = AUE_SHMCTL; 1301 break; 1302 } 1303 break; 1304 case 2: /* shmdt */ 1305 e = AUE_SHMDT; 1306 break; 1307 case 3: /* shmget */ 1308 e = AUE_SHMGET; 1309 break; 1310 default: /* illegal system call */ 1311 e = AUE_NULL; 1312 break; 1313 } 1314 1315 return (e); 1316 } 1317 1318 1319 /* semsys */ 1320 static au_event_t 1321 aui_semsys(au_event_t e) 1322 { 1323 klwp_t *clwp = ttolwp(curthread); 1324 uint_t fm; 1325 1326 struct a { /* semsys */ 1327 long id; 1328 } *uap = (struct a *)clwp->lwp_ap; 1329 1330 struct b { /* ctrl */ 1331 long semid; 1332 long semnum; 1333 long cmd; 1334 long arg; 1335 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1336 1337 fm = (uint_t)uap->id; 1338 1339 switch (fm) { 1340 case 0: /* semctl */ 1341 switch ((uint_t)uap1->cmd) { 1342 case IPC_RMID: 1343 e = AUE_SEMCTL_RMID; 1344 break; 1345 case IPC_SET: 1346 e = AUE_SEMCTL_SET; 1347 break; 1348 case IPC_STAT: 1349 e = AUE_SEMCTL_STAT; 1350 break; 1351 case GETNCNT: 1352 e = AUE_SEMCTL_GETNCNT; 1353 break; 1354 case GETPID: 1355 e = AUE_SEMCTL_GETPID; 1356 break; 1357 case GETVAL: 1358 e = AUE_SEMCTL_GETVAL; 1359 break; 1360 case GETALL: 1361 e = AUE_SEMCTL_GETALL; 1362 break; 1363 case GETZCNT: 1364 e = AUE_SEMCTL_GETZCNT; 1365 break; 1366 case SETVAL: 1367 e = AUE_SEMCTL_SETVAL; 1368 break; 1369 case SETALL: 1370 e = AUE_SEMCTL_SETALL; 1371 break; 1372 default: 1373 e = AUE_SEMCTL; 1374 break; 1375 } 1376 break; 1377 case 1: /* semget */ 1378 e = AUE_SEMGET; 1379 break; 1380 case 2: /* semop */ 1381 e = AUE_SEMOP; 1382 break; 1383 default: /* illegal system call */ 1384 e = AUE_NULL; 1385 break; 1386 } 1387 1388 return (e); 1389 } 1390 1391 /* utssys - uname(2), ustat(2), fusers(2) */ 1392 static au_event_t 1393 aui_utssys(au_event_t e) 1394 { 1395 klwp_t *clwp = ttolwp(curthread); 1396 uint_t type; 1397 1398 struct a { 1399 union { 1400 long cbuf; /* char * */ 1401 long ubuf; /* struct stat * */ 1402 } ub; 1403 union { 1404 long mv; /* for USTAT */ 1405 long flags; /* for FUSERS */ 1406 } un; 1407 long type; 1408 long outbp; /* char * for FUSERS */ 1409 } *uap = (struct a *)clwp->lwp_ap; 1410 1411 type = (uint_t)uap->type; 1412 1413 if (type == UTS_FUSERS) 1414 return (e); 1415 else 1416 return ((au_event_t)AUE_NULL); 1417 } 1418 1419 static au_event_t 1420 aui_fcntl(au_event_t e) 1421 { 1422 klwp_t *clwp = ttolwp(curthread); 1423 uint_t cmd; 1424 1425 struct a { 1426 long fdes; 1427 long cmd; 1428 long arg; 1429 } *uap = (struct a *)clwp->lwp_ap; 1430 1431 cmd = (uint_t)uap->cmd; 1432 1433 switch (cmd) { 1434 case F_GETLK: 1435 case F_SETLK: 1436 case F_SETLKW: 1437 break; 1438 case F_SETFL: 1439 case F_GETFL: 1440 case F_GETFD: 1441 break; 1442 default: 1443 e = (au_event_t)AUE_NULL; 1444 break; 1445 } 1446 return ((au_event_t)e); 1447 } 1448 1449 /* null function for now */ 1450 static au_event_t 1451 aui_execve(au_event_t e) 1452 { 1453 return (e); 1454 } 1455 1456 /*ARGSUSED*/ 1457 static void 1458 aus_fcntl(struct t_audit_data *tad) 1459 { 1460 klwp_t *clwp = ttolwp(curthread); 1461 uint32_t cmd, fd, flags; 1462 struct file *fp; 1463 struct vnode *vp; 1464 struct f_audit_data *fad; 1465 1466 struct a { 1467 long fd; 1468 long cmd; 1469 long arg; 1470 } *uap = (struct a *)clwp->lwp_ap; 1471 1472 cmd = (uint32_t)uap->cmd; 1473 fd = (uint32_t)uap->fd; 1474 flags = (uint32_t)uap->arg; 1475 1476 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1477 1478 if (cmd == F_SETFL) 1479 au_uwrite(au_to_arg32(3, "flags", flags)); 1480 1481 /* 1482 * convert file pointer to file descriptor 1483 * Note: fd ref count incremented here. 1484 */ 1485 if ((fp = getf(fd)) == NULL) 1486 return; 1487 1488 /* get path from file struct here */ 1489 fad = F2A(fp); 1490 if (fad->fad_aupath != NULL) { 1491 au_uwrite(au_to_path(fad->fad_aupath)); 1492 } else { 1493 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1494 } 1495 1496 vp = fp->f_vnode; 1497 audit_attributes(vp); 1498 1499 /* decrement file descriptor reference count */ 1500 releasef(fd); 1501 } 1502 1503 /*ARGSUSED*/ 1504 static void 1505 aus_kill(struct t_audit_data *tad) 1506 { 1507 klwp_t *clwp = ttolwp(curthread); 1508 struct proc *p; 1509 uint32_t signo; 1510 uid_t uid, ruid; 1511 gid_t gid, rgid; 1512 pid_t pid; 1513 const auditinfo_addr_t *ainfo; 1514 cred_t *cr; 1515 1516 struct a { 1517 long pid; 1518 long signo; 1519 } *uap = (struct a *)clwp->lwp_ap; 1520 1521 pid = (pid_t)uap->pid; 1522 signo = (uint32_t)uap->signo; 1523 1524 au_uwrite(au_to_arg32(2, "signal", signo)); 1525 if (pid > 0) { 1526 mutex_enter(&pidlock); 1527 if (((p = prfind(pid)) == (struct proc *)0) || 1528 (p->p_stat == SIDL)) { 1529 mutex_exit(&pidlock); 1530 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1531 return; 1532 } 1533 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1534 mutex_exit(&pidlock); 1535 1536 mutex_enter(&p->p_crlock); 1537 crhold(cr = p->p_cred); 1538 mutex_exit(&p->p_crlock); 1539 mutex_exit(&p->p_lock); 1540 1541 ainfo = crgetauinfo(cr); 1542 if (ainfo == NULL) { 1543 crfree(cr); 1544 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1545 return; 1546 } 1547 1548 uid = crgetuid(cr); 1549 gid = crgetgid(cr); 1550 ruid = crgetruid(cr); 1551 rgid = crgetrgid(cr); 1552 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1553 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1554 1555 if (is_system_labeled()) 1556 au_uwrite(au_to_label(CR_SL(cr))); 1557 1558 crfree(cr); 1559 } 1560 else 1561 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1562 } 1563 1564 /*ARGSUSED*/ 1565 static void 1566 aus_mkdir(struct t_audit_data *tad) 1567 { 1568 klwp_t *clwp = ttolwp(curthread); 1569 uint32_t dmode; 1570 1571 struct a { 1572 long dirnamep; /* char * */ 1573 long dmode; 1574 } *uap = (struct a *)clwp->lwp_ap; 1575 1576 dmode = (uint32_t)uap->dmode; 1577 1578 au_uwrite(au_to_arg32(2, "mode", dmode)); 1579 } 1580 1581 /*ARGSUSED*/ 1582 static void 1583 aus_mkdirat(struct t_audit_data *tad) 1584 { 1585 klwp_t *clwp = ttolwp(curthread); 1586 uint32_t dmode; 1587 1588 struct a { 1589 long fd; 1590 long dirnamep; /* char * */ 1591 long dmode; 1592 } *uap = (struct a *)clwp->lwp_ap; 1593 1594 dmode = (uint32_t)uap->dmode; 1595 1596 au_uwrite(au_to_arg32(2, "mode", dmode)); 1597 } 1598 1599 /*ARGSUSED*/ 1600 static void 1601 aus_mknod(struct t_audit_data *tad) 1602 { 1603 klwp_t *clwp = ttolwp(curthread); 1604 uint32_t fmode; 1605 dev_t dev; 1606 1607 struct a { 1608 long pnamep; /* char * */ 1609 long fmode; 1610 long dev; 1611 } *uap = (struct a *)clwp->lwp_ap; 1612 1613 fmode = (uint32_t)uap->fmode; 1614 dev = (dev_t)uap->dev; 1615 1616 au_uwrite(au_to_arg32(2, "mode", fmode)); 1617 #ifdef _LP64 1618 au_uwrite(au_to_arg64(3, "dev", dev)); 1619 #else 1620 au_uwrite(au_to_arg32(3, "dev", dev)); 1621 #endif 1622 } 1623 1624 /*ARGSUSED*/ 1625 static void 1626 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1627 { 1628 klwp_t *clwp = ttolwp(curthread); 1629 vnode_t *dvp; 1630 caddr_t pnamep; 1631 1632 struct a { 1633 long pnamep; /* char * */ 1634 long fmode; 1635 long dev; 1636 } *uap = (struct a *)clwp->lwp_ap; 1637 1638 /* no error, then already path token in audit record */ 1639 if (error != EPERM && error != EINVAL) 1640 return; 1641 1642 /* do the lookup to force generation of path token */ 1643 pnamep = (caddr_t)uap->pnamep; 1644 tad->tad_ctrl |= TAD_NOATTRB; 1645 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1646 if (error == 0) 1647 VN_RELE(dvp); 1648 } 1649 1650 /*ARGSUSED*/ 1651 static void 1652 aus_mknodat(struct t_audit_data *tad) 1653 { 1654 klwp_t *clwp = ttolwp(curthread); 1655 uint32_t fmode; 1656 dev_t dev; 1657 1658 struct a { 1659 long fd; 1660 long pnamep; /* char * */ 1661 long fmode; 1662 long dev; 1663 } *uap = (struct a *)clwp->lwp_ap; 1664 1665 fmode = (uint32_t)uap->fmode; 1666 dev = (dev_t)uap->dev; 1667 1668 au_uwrite(au_to_arg32(2, "mode", fmode)); 1669 #ifdef _LP64 1670 au_uwrite(au_to_arg64(3, "dev", dev)); 1671 #else 1672 au_uwrite(au_to_arg32(3, "dev", dev)); 1673 #endif 1674 } 1675 1676 /*ARGSUSED*/ 1677 static void 1678 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval) 1679 { 1680 klwp_t *clwp = ttolwp(curthread); 1681 vnode_t *startvp; 1682 vnode_t *dvp; 1683 caddr_t pnamep; 1684 int fd; 1685 1686 struct a { 1687 long fd; 1688 long pnamep; /* char * */ 1689 long fmode; 1690 long dev; 1691 } *uap = (struct a *)clwp->lwp_ap; 1692 1693 /* no error, then already path token in audit record */ 1694 if (error != EPERM && error != EINVAL) 1695 return; 1696 1697 /* do the lookup to force generation of path token */ 1698 fd = (int)uap->fd; 1699 pnamep = (caddr_t)uap->pnamep; 1700 if (pnamep == NULL || 1701 fgetstartvp(fd, pnamep, &startvp) != 0) 1702 return; 1703 tad->tad_ctrl |= TAD_NOATTRB; 1704 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP, 1705 startvp); 1706 if (error == 0) 1707 VN_RELE(dvp); 1708 if (startvp != NULL) 1709 VN_RELE(startvp); 1710 } 1711 1712 /*ARGSUSED*/ 1713 static void 1714 aus_mount(struct t_audit_data *tad) 1715 { /* AUS_START */ 1716 klwp_t *clwp = ttolwp(curthread); 1717 uint32_t flags; 1718 uintptr_t u_fstype, dataptr; 1719 STRUCT_DECL(nfs_args, nfsargs); 1720 size_t len; 1721 char *fstype, *hostname; 1722 1723 struct a { 1724 long spec; /* char * */ 1725 long dir; /* char * */ 1726 long flags; 1727 long fstype; /* char * */ 1728 long dataptr; /* char * */ 1729 long datalen; 1730 } *uap = (struct a *)clwp->lwp_ap; 1731 1732 u_fstype = (uintptr_t)uap->fstype; 1733 flags = (uint32_t)uap->flags; 1734 dataptr = (uintptr_t)uap->dataptr; 1735 1736 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1737 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1738 goto mount_free_fstype; 1739 1740 au_uwrite(au_to_arg32(3, "flags", flags)); 1741 au_uwrite(au_to_text(fstype)); 1742 1743 if (strncmp(fstype, "nfs", 3) == 0) { 1744 1745 STRUCT_INIT(nfsargs, get_udatamodel()); 1746 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1747 1748 if (copyin((caddr_t)dataptr, 1749 STRUCT_BUF(nfsargs), 1750 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1751 /* DEBUG debug_enter((char *)NULL); */ 1752 goto mount_free_fstype; 1753 } 1754 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1755 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1756 (caddr_t)hostname, 1757 MAXNAMELEN, &len)) { 1758 goto mount_free_hostname; 1759 } 1760 au_uwrite(au_to_text(hostname)); 1761 au_uwrite(au_to_arg32(3, "internal flags", 1762 (uint_t)STRUCT_FGET(nfsargs, flags))); 1763 1764 mount_free_hostname: 1765 kmem_free(hostname, MAXNAMELEN); 1766 } 1767 1768 mount_free_fstype: 1769 kmem_free(fstype, MAXNAMELEN); 1770 } /* AUS_MOUNT */ 1771 1772 static void 1773 aus_umount_path(caddr_t umount_dir) 1774 { 1775 char *dir_path; 1776 struct audit_path *path; 1777 size_t path_len, dir_len; 1778 1779 /* length alloc'd for two string pointers */ 1780 path_len = sizeof (struct audit_path) + sizeof (char *); 1781 path = kmem_alloc(path_len, KM_SLEEP); 1782 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1783 1784 if (copyinstr(umount_dir, (caddr_t)dir_path, 1785 MAXPATHLEN, &dir_len)) 1786 goto umount2_free_dir; 1787 1788 /* 1789 * the audit_path struct assumes that the buffer pointed to 1790 * by audp_sect[n] contains string 0 immediatedly followed 1791 * by string 1. 1792 */ 1793 path->audp_sect[0] = dir_path; 1794 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1795 path->audp_size = path_len; 1796 path->audp_ref = 1; /* not used */ 1797 path->audp_cnt = 1; /* one path string */ 1798 1799 au_uwrite(au_to_path(path)); 1800 1801 umount2_free_dir: 1802 kmem_free(dir_path, MAXPATHLEN); 1803 kmem_free(path, path_len); 1804 } 1805 1806 /*ARGSUSED*/ 1807 static void 1808 aus_umount2(struct t_audit_data *tad) 1809 { 1810 klwp_t *clwp = ttolwp(curthread); 1811 struct a { 1812 long dir; /* char * */ 1813 long flags; 1814 } *uap = (struct a *)clwp->lwp_ap; 1815 1816 aus_umount_path((caddr_t)uap->dir); 1817 1818 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1819 } 1820 1821 static void 1822 aus_msgsys(struct t_audit_data *tad) 1823 { 1824 klwp_t *clwp = ttolwp(curthread); 1825 uint32_t msgid; 1826 1827 struct b { 1828 long msgid; 1829 long cmd; 1830 long buf; /* struct msqid_ds * */ 1831 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1832 1833 msgid = (uint32_t)uap1->msgid; 1834 1835 1836 switch (tad->tad_event) { 1837 case AUE_MSGGET: /* msgget */ 1838 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1839 break; 1840 case AUE_MSGCTL: /* msgctl */ 1841 case AUE_MSGCTL_RMID: /* msgctl */ 1842 case AUE_MSGCTL_SET: /* msgctl */ 1843 case AUE_MSGCTL_STAT: /* msgctl */ 1844 case AUE_MSGRCV: /* msgrcv */ 1845 case AUE_MSGSND: /* msgsnd */ 1846 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1847 break; 1848 } 1849 } 1850 1851 /*ARGSUSED*/ 1852 static void 1853 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1854 { 1855 int id; 1856 1857 if (error != 0) 1858 return; 1859 if (tad->tad_event == AUE_MSGGET) { 1860 uint32_t scid; 1861 uint32_t sy_flags; 1862 1863 /* need to determine type of executing binary */ 1864 scid = tad->tad_scid; 1865 #ifdef _SYSCALL32_IMPL 1866 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1867 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1868 else 1869 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1870 #else 1871 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1872 #endif 1873 if (sy_flags == SE_32RVAL1) 1874 id = rval->r_val1; 1875 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1876 id = rval->r_val1; 1877 if (sy_flags == SE_64RVAL) 1878 id = (int)rval->r_vals; 1879 1880 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1881 } 1882 } 1883 1884 static void 1885 aus_semsys(struct t_audit_data *tad) 1886 { 1887 klwp_t *clwp = ttolwp(curthread); 1888 uint32_t semid; 1889 1890 struct b { /* ctrl */ 1891 long semid; 1892 long semnum; 1893 long cmd; 1894 long arg; 1895 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1896 1897 semid = (uint32_t)uap1->semid; 1898 1899 switch (tad->tad_event) { 1900 case AUE_SEMCTL_RMID: 1901 case AUE_SEMCTL_STAT: 1902 case AUE_SEMCTL_GETNCNT: 1903 case AUE_SEMCTL_GETPID: 1904 case AUE_SEMCTL_GETVAL: 1905 case AUE_SEMCTL_GETALL: 1906 case AUE_SEMCTL_GETZCNT: 1907 case AUE_SEMCTL_SET: 1908 case AUE_SEMCTL_SETVAL: 1909 case AUE_SEMCTL_SETALL: 1910 case AUE_SEMCTL: 1911 case AUE_SEMOP: 1912 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1913 break; 1914 case AUE_SEMGET: 1915 au_uwrite(au_to_arg32(1, "sem key", semid)); 1916 break; 1917 } 1918 } 1919 1920 /*ARGSUSED*/ 1921 static void 1922 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1923 { 1924 int id; 1925 1926 if (error != 0) 1927 return; 1928 if (tad->tad_event == AUE_SEMGET) { 1929 uint32_t scid; 1930 uint32_t sy_flags; 1931 1932 /* need to determine type of executing binary */ 1933 scid = tad->tad_scid; 1934 #ifdef _SYSCALL32_IMPL 1935 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1936 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1937 else 1938 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1939 #else 1940 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1941 #endif 1942 if (sy_flags == SE_32RVAL1) 1943 id = rval->r_val1; 1944 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1945 id = rval->r_val1; 1946 if (sy_flags == SE_64RVAL) 1947 id = (int)rval->r_vals; 1948 1949 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1950 } 1951 } 1952 1953 /*ARGSUSED*/ 1954 static void 1955 aus_close(struct t_audit_data *tad) 1956 { 1957 klwp_t *clwp = ttolwp(curthread); 1958 uint32_t fd; 1959 struct file *fp; 1960 struct f_audit_data *fad; 1961 struct vnode *vp; 1962 struct vattr attr; 1963 au_kcontext_t *kctx = GET_KCTX_PZ; 1964 1965 struct a { 1966 long i; 1967 } *uap = (struct a *)clwp->lwp_ap; 1968 1969 fd = (uint32_t)uap->i; 1970 1971 attr.va_mask = 0; 1972 au_uwrite(au_to_arg32(1, "fd", fd)); 1973 1974 /* 1975 * convert file pointer to file descriptor 1976 * Note: fd ref count incremented here. 1977 */ 1978 if ((fp = getf(fd)) == NULL) 1979 return; 1980 1981 fad = F2A(fp); 1982 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1983 if (fad->fad_aupath != NULL) { 1984 au_uwrite(au_to_path(fad->fad_aupath)); 1985 if ((vp = fp->f_vnode) != NULL) { 1986 attr.va_mask = AT_ALL; 1987 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1988 /* 1989 * When write was not used and the file can be 1990 * considered public, skip the audit. 1991 */ 1992 if (((fp->f_flag & FWRITE) == 0) && 1993 object_is_public(&attr)) { 1994 tad->tad_flag = 0; 1995 tad->tad_evmod = 0; 1996 /* free any residual audit data */ 1997 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 1998 releasef(fd); 1999 return; 2000 } 2001 au_uwrite(au_to_attr(&attr)); 2002 audit_sec_attributes(&(u_ad), vp); 2003 } 2004 } 2005 } 2006 2007 /* decrement file descriptor reference count */ 2008 releasef(fd); 2009 } 2010 2011 /*ARGSUSED*/ 2012 static void 2013 aus_fstatfs(struct t_audit_data *tad) 2014 { 2015 klwp_t *clwp = ttolwp(curthread); 2016 uint32_t fd; 2017 struct file *fp; 2018 struct vnode *vp; 2019 struct f_audit_data *fad; 2020 2021 struct a { 2022 long fd; 2023 long buf; /* struct statfs * */ 2024 } *uap = (struct a *)clwp->lwp_ap; 2025 2026 fd = (uint_t)uap->fd; 2027 2028 /* 2029 * convert file pointer to file descriptor 2030 * Note: fd ref count incremented here. 2031 */ 2032 if ((fp = getf(fd)) == NULL) 2033 return; 2034 2035 /* get path from file struct here */ 2036 fad = F2A(fp); 2037 if (fad->fad_aupath != NULL) { 2038 au_uwrite(au_to_path(fad->fad_aupath)); 2039 } else { 2040 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2041 } 2042 2043 vp = fp->f_vnode; 2044 audit_attributes(vp); 2045 2046 /* decrement file descriptor reference count */ 2047 releasef(fd); 2048 } 2049 2050 static au_event_t 2051 aui_setpgrp(au_event_t e) 2052 { 2053 klwp_t *clwp = ttolwp(curthread); 2054 int flag; 2055 2056 struct a { 2057 long flag; 2058 long pid; 2059 long pgid; 2060 } *uap = (struct a *)clwp->lwp_ap; 2061 2062 flag = (int)uap->flag; 2063 2064 2065 switch (flag) { 2066 2067 case 1: /* setpgrp() */ 2068 e = AUE_SETPGRP; 2069 break; 2070 2071 case 3: /* setsid() */ 2072 e = AUE_SETSID; 2073 break; 2074 2075 case 5: /* setpgid() */ 2076 e = AUE_SETPGID; 2077 break; 2078 2079 case 0: /* getpgrp() - not security relevant */ 2080 case 2: /* getsid() - not security relevant */ 2081 case 4: /* getpgid() - not security relevant */ 2082 e = AUE_NULL; 2083 break; 2084 2085 default: 2086 e = AUE_NULL; 2087 break; 2088 } 2089 2090 return (e); 2091 } 2092 2093 /*ARGSUSED*/ 2094 static void 2095 aus_setpgrp(struct t_audit_data *tad) 2096 { 2097 klwp_t *clwp = ttolwp(curthread); 2098 pid_t pgid; 2099 struct proc *p; 2100 uid_t uid, ruid; 2101 gid_t gid, rgid; 2102 pid_t pid; 2103 cred_t *cr; 2104 int flag; 2105 const auditinfo_addr_t *ainfo; 2106 2107 struct a { 2108 long flag; 2109 long pid; 2110 long pgid; 2111 } *uap = (struct a *)clwp->lwp_ap; 2112 2113 flag = (int)uap->flag; 2114 pid = (pid_t)uap->pid; 2115 pgid = (pid_t)uap->pgid; 2116 2117 2118 switch (flag) { 2119 2120 case 0: /* getpgrp() */ 2121 case 1: /* setpgrp() */ 2122 case 2: /* getsid() */ 2123 case 3: /* setsid() */ 2124 case 4: /* getpgid() */ 2125 break; 2126 2127 case 5: /* setpgid() */ 2128 2129 /* current process? */ 2130 if (pid == 0) { 2131 return; 2132 } 2133 2134 mutex_enter(&pidlock); 2135 p = prfind(pid); 2136 if (p == NULL || p->p_as == &kas || 2137 p->p_stat == SIDL || p->p_stat == SZOMB) { 2138 mutex_exit(&pidlock); 2139 return; 2140 } 2141 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2142 mutex_exit(&pidlock); 2143 2144 mutex_enter(&p->p_crlock); 2145 crhold(cr = p->p_cred); 2146 mutex_exit(&p->p_crlock); 2147 mutex_exit(&p->p_lock); 2148 2149 ainfo = crgetauinfo(cr); 2150 if (ainfo == NULL) { 2151 crfree(cr); 2152 return; 2153 } 2154 2155 uid = crgetuid(cr); 2156 gid = crgetgid(cr); 2157 ruid = crgetruid(cr); 2158 rgid = crgetrgid(cr); 2159 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2160 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2161 crfree(cr); 2162 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2163 break; 2164 2165 default: 2166 break; 2167 } 2168 } 2169 2170 2171 /*ARGSUSED*/ 2172 static void 2173 aus_setregid(struct t_audit_data *tad) 2174 { 2175 klwp_t *clwp = ttolwp(curthread); 2176 uint32_t rgid, egid; 2177 2178 struct a { 2179 long rgid; 2180 long egid; 2181 } *uap = (struct a *)clwp->lwp_ap; 2182 2183 rgid = (uint32_t)uap->rgid; 2184 egid = (uint32_t)uap->egid; 2185 2186 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2187 au_uwrite(au_to_arg32(2, "egid", egid)); 2188 } 2189 2190 /*ARGSUSED*/ 2191 static void 2192 aus_setgid(struct t_audit_data *tad) 2193 { 2194 klwp_t *clwp = ttolwp(curthread); 2195 uint32_t gid; 2196 2197 struct a { 2198 long gid; 2199 } *uap = (struct a *)clwp->lwp_ap; 2200 2201 gid = (uint32_t)uap->gid; 2202 2203 au_uwrite(au_to_arg32(1, "gid", gid)); 2204 } 2205 2206 2207 /*ARGSUSED*/ 2208 static void 2209 aus_setreuid(struct t_audit_data *tad) 2210 { 2211 klwp_t *clwp = ttolwp(curthread); 2212 uint32_t ruid, euid; 2213 2214 struct a { 2215 long ruid; 2216 long euid; 2217 } *uap = (struct a *)clwp->lwp_ap; 2218 2219 ruid = (uint32_t)uap->ruid; 2220 euid = (uint32_t)uap->euid; 2221 2222 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2223 au_uwrite(au_to_arg32(2, "euid", euid)); 2224 } 2225 2226 2227 /*ARGSUSED*/ 2228 static void 2229 aus_setuid(struct t_audit_data *tad) 2230 { 2231 klwp_t *clwp = ttolwp(curthread); 2232 uint32_t uid; 2233 2234 struct a { 2235 long uid; 2236 } *uap = (struct a *)clwp->lwp_ap; 2237 2238 uid = (uint32_t)uap->uid; 2239 2240 au_uwrite(au_to_arg32(1, "uid", uid)); 2241 } 2242 2243 /*ARGSUSED*/ 2244 static void 2245 aus_shmsys(struct t_audit_data *tad) 2246 { 2247 klwp_t *clwp = ttolwp(curthread); 2248 uint32_t id, cmd; 2249 2250 struct b { 2251 long id; 2252 long cmd; 2253 long buf; /* struct shmid_ds * */ 2254 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2255 2256 id = (uint32_t)uap1->id; 2257 cmd = (uint32_t)uap1->cmd; 2258 2259 switch (tad->tad_event) { 2260 case AUE_SHMGET: /* shmget */ 2261 au_uwrite(au_to_arg32(1, "shm key", id)); 2262 break; 2263 case AUE_SHMCTL: /* shmctl */ 2264 case AUE_SHMCTL_RMID: /* shmctl */ 2265 case AUE_SHMCTL_STAT: /* shmctl */ 2266 case AUE_SHMCTL_SET: /* shmctl */ 2267 au_uwrite(au_to_arg32(1, "shm ID", id)); 2268 break; 2269 case AUE_SHMDT: /* shmdt */ 2270 au_uwrite(au_to_arg32(1, "shm adr", id)); 2271 break; 2272 case AUE_SHMAT: /* shmat */ 2273 au_uwrite(au_to_arg32(1, "shm ID", id)); 2274 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2275 break; 2276 } 2277 } 2278 2279 /*ARGSUSED*/ 2280 static void 2281 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2282 { 2283 int id; 2284 2285 if (error != 0) 2286 return; 2287 if (tad->tad_event == AUE_SHMGET) { 2288 uint32_t scid; 2289 uint32_t sy_flags; 2290 2291 /* need to determine type of executing binary */ 2292 scid = tad->tad_scid; 2293 #ifdef _SYSCALL32_IMPL 2294 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2295 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2296 else 2297 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2298 #else 2299 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2300 #endif 2301 if (sy_flags == SE_32RVAL1) 2302 id = rval->r_val1; 2303 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2304 id = rval->r_val1; 2305 if (sy_flags == SE_64RVAL) 2306 id = (int)rval->r_vals; 2307 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2308 } 2309 } 2310 2311 2312 /*ARGSUSED*/ 2313 static void 2314 aus_ioctl(struct t_audit_data *tad) 2315 { 2316 klwp_t *clwp = ttolwp(curthread); 2317 struct file *fp; 2318 struct vnode *vp; 2319 struct f_audit_data *fad; 2320 uint32_t fd, cmd; 2321 uintptr_t cmarg; 2322 2323 /* XX64 */ 2324 struct a { 2325 long fd; 2326 long cmd; 2327 long cmarg; /* caddr_t */ 2328 } *uap = (struct a *)clwp->lwp_ap; 2329 2330 fd = (uint32_t)uap->fd; 2331 cmd = (uint32_t)uap->cmd; 2332 cmarg = (uintptr_t)uap->cmarg; 2333 2334 /* 2335 * convert file pointer to file descriptor 2336 * Note: fd ref count incremented here. 2337 */ 2338 if ((fp = getf(fd)) == NULL) { 2339 au_uwrite(au_to_arg32(1, "fd", fd)); 2340 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2341 #ifndef _LP64 2342 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2343 #else 2344 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2345 #endif 2346 return; 2347 } 2348 2349 /* get path from file struct here */ 2350 fad = F2A(fp); 2351 if (fad->fad_aupath != NULL) { 2352 au_uwrite(au_to_path(fad->fad_aupath)); 2353 } else { 2354 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2355 } 2356 2357 vp = fp->f_vnode; 2358 audit_attributes(vp); 2359 2360 /* decrement file descriptor reference count */ 2361 releasef(fd); 2362 2363 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2364 #ifndef _LP64 2365 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2366 #else 2367 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2368 #endif 2369 } 2370 2371 /* 2372 * null function for memcntl for now. We might want to limit memcntl() 2373 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2374 * require privileges. 2375 */ 2376 static au_event_t 2377 aui_memcntl(au_event_t e) 2378 { 2379 return (e); 2380 } 2381 2382 /*ARGSUSED*/ 2383 static au_event_t 2384 aui_privsys(au_event_t e) 2385 { 2386 klwp_t *clwp = ttolwp(curthread); 2387 2388 struct a { 2389 long opcode; 2390 } *uap = (struct a *)clwp->lwp_ap; 2391 2392 switch (uap->opcode) { 2393 case PRIVSYS_SETPPRIV: 2394 return (AUE_SETPPRIV); 2395 default: 2396 return (AUE_NULL); 2397 } 2398 } 2399 2400 /*ARGSUSED*/ 2401 static void 2402 aus_memcntl(struct t_audit_data *tad) 2403 { 2404 klwp_t *clwp = ttolwp(curthread); 2405 2406 struct a { 2407 long addr; 2408 long len; 2409 long cmd; 2410 long arg; 2411 long attr; 2412 long mask; 2413 } *uap = (struct a *)clwp->lwp_ap; 2414 2415 #ifdef _LP64 2416 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2417 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2418 #else 2419 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2420 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2421 #endif 2422 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2423 #ifdef _LP64 2424 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2425 #else 2426 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2427 #endif 2428 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2429 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2430 } 2431 2432 /*ARGSUSED*/ 2433 static void 2434 aus_mmap(struct t_audit_data *tad) 2435 { 2436 klwp_t *clwp = ttolwp(curthread); 2437 struct file *fp; 2438 struct f_audit_data *fad; 2439 struct vnode *vp; 2440 uint32_t fd; 2441 2442 struct a { 2443 long addr; 2444 long len; 2445 long prot; 2446 long flags; 2447 long fd; 2448 long pos; 2449 } *uap = (struct a *)clwp->lwp_ap; 2450 2451 fd = (uint32_t)uap->fd; 2452 2453 #ifdef _LP64 2454 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2455 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2456 #else 2457 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2458 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2459 #endif 2460 2461 if ((fp = getf(fd)) == NULL) { 2462 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2463 return; 2464 } 2465 2466 /* 2467 * Mark in the tad if write access is NOT requested... if 2468 * this is later detected (in audit_attributes) to be a 2469 * public object, the mmap event may be discarded. 2470 */ 2471 if (((uap->prot) & PROT_WRITE) == 0) { 2472 tad->tad_ctrl |= TAD_PUBLIC_EV; 2473 } 2474 2475 fad = F2A(fp); 2476 if (fad->fad_aupath != NULL) { 2477 au_uwrite(au_to_path(fad->fad_aupath)); 2478 } else { 2479 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2480 } 2481 2482 vp = (struct vnode *)fp->f_vnode; 2483 audit_attributes(vp); 2484 2485 /* mark READ/WRITE since we can't predict access */ 2486 if (uap->prot & PROT_READ) 2487 fad->fad_flags |= FAD_READ; 2488 if (uap->prot & PROT_WRITE) 2489 fad->fad_flags |= FAD_WRITE; 2490 2491 /* decrement file descriptor reference count */ 2492 releasef(fd); 2493 2494 } /* AUS_MMAP */ 2495 2496 2497 2498 2499 /*ARGSUSED*/ 2500 static void 2501 aus_munmap(struct t_audit_data *tad) 2502 { 2503 klwp_t *clwp = ttolwp(curthread); 2504 2505 struct a { 2506 long addr; 2507 long len; 2508 } *uap = (struct a *)clwp->lwp_ap; 2509 2510 #ifdef _LP64 2511 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2512 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2513 #else 2514 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2515 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2516 #endif 2517 2518 } /* AUS_MUNMAP */ 2519 2520 2521 2522 2523 2524 2525 2526 /*ARGSUSED*/ 2527 static void 2528 aus_priocntlsys(struct t_audit_data *tad) 2529 { 2530 klwp_t *clwp = ttolwp(curthread); 2531 2532 struct a { 2533 long pc_version; 2534 long psp; /* procset_t */ 2535 long cmd; 2536 long arg; 2537 } *uap = (struct a *)clwp->lwp_ap; 2538 2539 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2540 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2541 2542 } /* AUS_PRIOCNTLSYS */ 2543 2544 2545 /*ARGSUSED*/ 2546 static void 2547 aus_setegid(struct t_audit_data *tad) 2548 { 2549 klwp_t *clwp = ttolwp(curthread); 2550 uint32_t gid; 2551 2552 struct a { 2553 long gid; 2554 } *uap = (struct a *)clwp->lwp_ap; 2555 2556 gid = (uint32_t)uap->gid; 2557 2558 au_uwrite(au_to_arg32(1, "gid", gid)); 2559 } /* AUS_SETEGID */ 2560 2561 2562 2563 2564 /*ARGSUSED*/ 2565 static void 2566 aus_setgroups(struct t_audit_data *tad) 2567 { 2568 klwp_t *clwp = ttolwp(curthread); 2569 int i; 2570 int gidsetsize; 2571 uintptr_t gidset; 2572 gid_t *gidlist; 2573 2574 struct a { 2575 long gidsetsize; 2576 long gidset; 2577 } *uap = (struct a *)clwp->lwp_ap; 2578 2579 gidsetsize = (uint_t)uap->gidsetsize; 2580 gidset = (uintptr_t)uap->gidset; 2581 2582 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2583 return; 2584 if (gidsetsize != 0) { 2585 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2586 KM_SLEEP); 2587 if (copyin((caddr_t)gidset, gidlist, 2588 gidsetsize * sizeof (gid_t)) == 0) 2589 for (i = 0; i < gidsetsize; i++) 2590 au_uwrite(au_to_arg32(1, "setgroups", 2591 (uint32_t)gidlist[i])); 2592 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2593 } else 2594 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2595 2596 } /* AUS_SETGROUPS */ 2597 2598 2599 2600 2601 2602 /*ARGSUSED*/ 2603 static void 2604 aus_seteuid(struct t_audit_data *tad) 2605 { 2606 klwp_t *clwp = ttolwp(curthread); 2607 uint32_t uid; 2608 2609 struct a { 2610 long uid; 2611 } *uap = (struct a *)clwp->lwp_ap; 2612 2613 uid = (uint32_t)uap->uid; 2614 2615 au_uwrite(au_to_arg32(1, "euid", uid)); 2616 2617 } /* AUS_SETEUID */ 2618 2619 /*ARGSUSED*/ 2620 static void 2621 aus_putmsg(struct t_audit_data *tad) 2622 { 2623 klwp_t *clwp = ttolwp(curthread); 2624 uint32_t fd, pri; 2625 struct file *fp; 2626 struct f_audit_data *fad; 2627 2628 struct a { 2629 long fdes; 2630 long ctl; /* struct strbuf * */ 2631 long data; /* struct strbuf * */ 2632 long pri; 2633 } *uap = (struct a *)clwp->lwp_ap; 2634 2635 fd = (uint32_t)uap->fdes; 2636 pri = (uint32_t)uap->pri; 2637 2638 au_uwrite(au_to_arg32(1, "fd", fd)); 2639 2640 if ((fp = getf(fd)) != NULL) { 2641 fad = F2A(fp); 2642 2643 fad->fad_flags |= FAD_WRITE; 2644 2645 /* add path name to audit record */ 2646 if (fad->fad_aupath != NULL) { 2647 au_uwrite(au_to_path(fad->fad_aupath)); 2648 } 2649 audit_attributes(fp->f_vnode); 2650 2651 releasef(fd); 2652 } 2653 2654 au_uwrite(au_to_arg32(4, "pri", pri)); 2655 } 2656 2657 /*ARGSUSED*/ 2658 static void 2659 aus_putpmsg(struct t_audit_data *tad) 2660 { 2661 klwp_t *clwp = ttolwp(curthread); 2662 uint32_t fd, pri, flags; 2663 struct file *fp; 2664 struct f_audit_data *fad; 2665 2666 struct a { 2667 long fdes; 2668 long ctl; /* struct strbuf * */ 2669 long data; /* struct strbuf * */ 2670 long pri; 2671 long flags; 2672 } *uap = (struct a *)clwp->lwp_ap; 2673 2674 fd = (uint32_t)uap->fdes; 2675 pri = (uint32_t)uap->pri; 2676 flags = (uint32_t)uap->flags; 2677 2678 au_uwrite(au_to_arg32(1, "fd", fd)); 2679 2680 if ((fp = getf(fd)) != NULL) { 2681 fad = F2A(fp); 2682 2683 fad->fad_flags |= FAD_WRITE; 2684 2685 /* add path name to audit record */ 2686 if (fad->fad_aupath != NULL) { 2687 au_uwrite(au_to_path(fad->fad_aupath)); 2688 } 2689 audit_attributes(fp->f_vnode); 2690 2691 releasef(fd); 2692 } 2693 2694 2695 au_uwrite(au_to_arg32(4, "pri", pri)); 2696 au_uwrite(au_to_arg32(5, "flags", flags)); 2697 } 2698 2699 /*ARGSUSED*/ 2700 static void 2701 aus_getmsg(struct t_audit_data *tad) 2702 { 2703 klwp_t *clwp = ttolwp(curthread); 2704 uint32_t fd, pri; 2705 struct file *fp; 2706 struct f_audit_data *fad; 2707 2708 struct a { 2709 long fdes; 2710 long ctl; /* struct strbuf * */ 2711 long data; /* struct strbuf * */ 2712 long pri; 2713 } *uap = (struct a *)clwp->lwp_ap; 2714 2715 fd = (uint32_t)uap->fdes; 2716 pri = (uint32_t)uap->pri; 2717 2718 au_uwrite(au_to_arg32(1, "fd", fd)); 2719 2720 if ((fp = getf(fd)) != NULL) { 2721 fad = F2A(fp); 2722 2723 /* 2724 * read operation on this object 2725 */ 2726 fad->fad_flags |= FAD_READ; 2727 2728 /* add path name to audit record */ 2729 if (fad->fad_aupath != NULL) { 2730 au_uwrite(au_to_path(fad->fad_aupath)); 2731 } 2732 audit_attributes(fp->f_vnode); 2733 2734 releasef(fd); 2735 } 2736 2737 au_uwrite(au_to_arg32(4, "pri", pri)); 2738 } 2739 2740 /*ARGSUSED*/ 2741 static void 2742 aus_getpmsg(struct t_audit_data *tad) 2743 { 2744 klwp_t *clwp = ttolwp(curthread); 2745 uint32_t fd; 2746 struct file *fp; 2747 struct f_audit_data *fad; 2748 2749 struct a { 2750 long fdes; 2751 long ctl; /* struct strbuf * */ 2752 long data; /* struct strbuf * */ 2753 long pri; 2754 long flags; 2755 } *uap = (struct a *)clwp->lwp_ap; 2756 2757 fd = (uint32_t)uap->fdes; 2758 2759 au_uwrite(au_to_arg32(1, "fd", fd)); 2760 2761 if ((fp = getf(fd)) != NULL) { 2762 fad = F2A(fp); 2763 2764 /* 2765 * read operation on this object 2766 */ 2767 fad->fad_flags |= FAD_READ; 2768 2769 /* add path name to audit record */ 2770 if (fad->fad_aupath != NULL) { 2771 au_uwrite(au_to_path(fad->fad_aupath)); 2772 } 2773 audit_attributes(fp->f_vnode); 2774 2775 releasef(fd); 2776 } 2777 } 2778 2779 static au_event_t 2780 aui_labelsys(au_event_t e) 2781 { 2782 klwp_t *clwp = ttolwp(curthread); 2783 uint32_t code; 2784 uint32_t cmd; 2785 2786 struct a { 2787 long code; 2788 long cmd; 2789 } *uap = (struct a *)clwp->lwp_ap; 2790 2791 code = (uint32_t)uap->code; 2792 cmd = (uint32_t)uap->cmd; 2793 2794 /* not security relevant if not changing kernel cache */ 2795 if (cmd == TNDB_GET) 2796 return (AUE_NULL); 2797 2798 switch (code) { 2799 case TSOL_TNRH: 2800 e = AUE_LABELSYS_TNRH; 2801 break; 2802 case TSOL_TNRHTP: 2803 e = AUE_LABELSYS_TNRHTP; 2804 break; 2805 case TSOL_TNMLP: 2806 e = AUE_LABELSYS_TNMLP; 2807 break; 2808 default: 2809 e = AUE_NULL; 2810 break; 2811 } 2812 2813 return (e); 2814 2815 } 2816 2817 static void 2818 aus_labelsys(struct t_audit_data *tad) 2819 { 2820 klwp_t *clwp = ttolwp(curthread); 2821 uint32_t cmd; 2822 uintptr_t a2; 2823 2824 struct a { 2825 long code; 2826 long cmd; 2827 long a2; 2828 } *uap = (struct a *)clwp->lwp_ap; 2829 2830 cmd = (uint32_t)uap->cmd; 2831 a2 = (uintptr_t)uap->a2; 2832 2833 switch (tad->tad_event) { 2834 case AUE_LABELSYS_TNRH: 2835 { 2836 tsol_rhent_t *rhent; 2837 tnaddr_t *rh_addr; 2838 2839 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2840 2841 /* Remaining args don't apply for FLUSH, so skip */ 2842 if (cmd == TNDB_FLUSH) 2843 break; 2844 2845 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2846 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2847 kmem_free(rhent, sizeof (tsol_rhent_t)); 2848 return; 2849 } 2850 2851 rh_addr = &rhent->rh_address; 2852 if (rh_addr->ta_family == AF_INET) { 2853 struct in_addr *ipaddr; 2854 2855 ipaddr = &(rh_addr->ta_addr_v4); 2856 au_uwrite(au_to_in_addr(ipaddr)); 2857 } else if (rh_addr->ta_family == AF_INET6) { 2858 int32_t *ipaddr; 2859 2860 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2861 au_uwrite(au_to_in_addr_ex(ipaddr)); 2862 } 2863 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2864 2865 kmem_free(rhent, sizeof (tsol_rhent_t)); 2866 2867 break; 2868 } 2869 case AUE_LABELSYS_TNRHTP: 2870 { 2871 tsol_tpent_t *tpent; 2872 2873 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2874 2875 /* Remaining args don't apply for FLUSH, so skip */ 2876 if (cmd == TNDB_FLUSH) 2877 break; 2878 2879 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2880 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2881 kmem_free(tpent, sizeof (tsol_tpent_t)); 2882 return; 2883 } 2884 2885 /* Make sure that the template name is null-terminated. */ 2886 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2887 2888 au_uwrite(au_to_text(tpent->name)); 2889 kmem_free(tpent, sizeof (tsol_tpent_t)); 2890 2891 break; 2892 } 2893 case AUE_LABELSYS_TNMLP: 2894 { 2895 tsol_mlpent_t *mlpent; 2896 2897 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2898 2899 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2900 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2901 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2902 return; 2903 } 2904 2905 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2906 au_uwrite(au_to_text("shared")); 2907 } else { 2908 zone_t *zone; 2909 2910 zone = zone_find_by_id(mlpent->tsme_zoneid); 2911 if (zone != NULL) { 2912 au_uwrite(au_to_text(zone->zone_name)); 2913 zone_rele(zone); 2914 } 2915 } 2916 2917 /* Remaining args don't apply for FLUSH, so skip */ 2918 if (cmd == TNDB_FLUSH) { 2919 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2920 break; 2921 } 2922 2923 au_uwrite(au_to_arg32(2, "proto num", 2924 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2925 au_uwrite(au_to_arg32(2, "mlp_port", 2926 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2927 2928 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2929 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2930 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2931 2932 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2933 2934 break; 2935 } 2936 default: 2937 break; 2938 } 2939 } 2940 2941 2942 static au_event_t 2943 aui_auditsys(au_event_t e) 2944 { 2945 klwp_t *clwp = ttolwp(curthread); 2946 uint32_t code; 2947 2948 struct a { 2949 long code; 2950 long a1; 2951 long a2; 2952 long a3; 2953 long a4; 2954 long a5; 2955 long a6; 2956 long a7; 2957 } *uap = (struct a *)clwp->lwp_ap; 2958 2959 code = (uint32_t)uap->code; 2960 2961 switch (code) { 2962 2963 case BSM_GETAUID: 2964 e = AUE_GETAUID; 2965 break; 2966 case BSM_SETAUID: 2967 e = AUE_SETAUID; 2968 break; 2969 case BSM_GETAUDIT: 2970 e = AUE_GETAUDIT; 2971 break; 2972 case BSM_GETAUDIT_ADDR: 2973 e = AUE_GETAUDIT_ADDR; 2974 break; 2975 case BSM_SETAUDIT: 2976 e = AUE_SETAUDIT; 2977 break; 2978 case BSM_SETAUDIT_ADDR: 2979 e = AUE_SETAUDIT_ADDR; 2980 break; 2981 case BSM_AUDIT: 2982 e = AUE_AUDIT; 2983 break; 2984 case BSM_AUDITCTL: 2985 switch ((uint_t)uap->a1) { 2986 2987 case A_GETPOLICY: 2988 e = AUE_AUDITON_GPOLICY; 2989 break; 2990 case A_SETPOLICY: 2991 e = AUE_AUDITON_SPOLICY; 2992 break; 2993 case A_GETKMASK: 2994 e = AUE_AUDITON_GETKMASK; 2995 break; 2996 case A_SETKMASK: 2997 e = AUE_AUDITON_SETKMASK; 2998 break; 2999 case A_GETQCTRL: 3000 e = AUE_AUDITON_GQCTRL; 3001 break; 3002 case A_SETQCTRL: 3003 e = AUE_AUDITON_SQCTRL; 3004 break; 3005 case A_GETCWD: 3006 e = AUE_AUDITON_GETCWD; 3007 break; 3008 case A_GETCAR: 3009 e = AUE_AUDITON_GETCAR; 3010 break; 3011 case A_GETSTAT: 3012 e = AUE_AUDITON_GETSTAT; 3013 break; 3014 case A_SETSTAT: 3015 e = AUE_AUDITON_SETSTAT; 3016 break; 3017 case A_SETUMASK: 3018 e = AUE_AUDITON_SETUMASK; 3019 break; 3020 case A_SETSMASK: 3021 e = AUE_AUDITON_SETSMASK; 3022 break; 3023 case A_GETCOND: 3024 e = AUE_AUDITON_GETCOND; 3025 break; 3026 case A_SETCOND: 3027 e = AUE_AUDITON_SETCOND; 3028 break; 3029 case A_GETCLASS: 3030 e = AUE_AUDITON_GETCLASS; 3031 break; 3032 case A_SETCLASS: 3033 e = AUE_AUDITON_SETCLASS; 3034 break; 3035 default: 3036 e = AUE_NULL; 3037 break; 3038 } 3039 break; 3040 default: 3041 e = AUE_NULL; 3042 break; 3043 } 3044 3045 return (e); 3046 3047 } /* AUI_AUDITSYS */ 3048 3049 3050 static void 3051 aus_auditsys(struct t_audit_data *tad) 3052 { 3053 klwp_t *clwp = ttolwp(curthread); 3054 uintptr_t a1, a2; 3055 STRUCT_DECL(auditinfo, ainfo); 3056 STRUCT_DECL(auditinfo_addr, ainfo_addr); 3057 au_evclass_map_t event; 3058 au_mask_t mask; 3059 int auditstate, policy; 3060 au_id_t auid; 3061 3062 3063 struct a { 3064 long code; 3065 long a1; 3066 long a2; 3067 long a3; 3068 long a4; 3069 long a5; 3070 long a6; 3071 long a7; 3072 } *uap = (struct a *)clwp->lwp_ap; 3073 3074 a1 = (uintptr_t)uap->a1; 3075 a2 = (uintptr_t)uap->a2; 3076 3077 switch (tad->tad_event) { 3078 case AUE_SETAUID: 3079 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 3080 return; 3081 au_uwrite(au_to_arg32(2, "setauid", auid)); 3082 break; 3083 case AUE_SETAUDIT: 3084 STRUCT_INIT(ainfo, get_udatamodel()); 3085 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 3086 STRUCT_SIZE(ainfo))) { 3087 return; 3088 } 3089 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 3090 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 3091 #ifdef _LP64 3092 au_uwrite(au_to_arg64((char)1, "setaudit:port", 3093 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 3094 #else 3095 au_uwrite(au_to_arg32((char)1, "setaudit:port", 3096 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 3097 #endif 3098 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 3099 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 3100 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 3101 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3102 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 3103 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3104 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 3105 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 3106 break; 3107 case AUE_SETAUDIT_ADDR: 3108 STRUCT_INIT(ainfo_addr, get_udatamodel()); 3109 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 3110 STRUCT_SIZE(ainfo_addr))) { 3111 return; 3112 } 3113 au_uwrite(au_to_arg32((char)1, "auid", 3114 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 3115 #ifdef _LP64 3116 au_uwrite(au_to_arg64((char)1, "port", 3117 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3118 #else 3119 au_uwrite(au_to_arg32((char)1, "port", 3120 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3121 #endif 3122 au_uwrite(au_to_arg32((char)1, "type", 3123 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 3124 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 3125 AU_IPv4) { 3126 au_uwrite(au_to_in_addr( 3127 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 3128 ai_termid.at_addr))); 3129 } else { 3130 au_uwrite(au_to_in_addr_ex( 3131 (int32_t *)STRUCT_FGETP(ainfo_addr, 3132 ai_termid.at_addr))); 3133 } 3134 au_uwrite(au_to_arg32((char)1, "as_success", 3135 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3136 au_uwrite(au_to_arg32((char)1, "as_failure", 3137 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3138 au_uwrite(au_to_arg32((char)1, "asid", 3139 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3140 break; 3141 case AUE_AUDITON_SETKMASK: 3142 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3143 return; 3144 au_uwrite(au_to_arg32( 3145 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3146 au_uwrite(au_to_arg32( 3147 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3148 break; 3149 case AUE_AUDITON_SPOLICY: 3150 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3151 return; 3152 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3153 break; 3154 case AUE_AUDITON_SQCTRL: { 3155 STRUCT_DECL(au_qctrl, qctrl); 3156 model_t model; 3157 3158 model = get_udatamodel(); 3159 STRUCT_INIT(qctrl, model); 3160 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3161 return; 3162 if (model == DATAMODEL_ILP32) { 3163 au_uwrite(au_to_arg32( 3164 3, "setqctrl:aq_hiwater", 3165 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3166 au_uwrite(au_to_arg32( 3167 3, "setqctrl:aq_lowater", 3168 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3169 au_uwrite(au_to_arg32( 3170 3, "setqctrl:aq_bufsz", 3171 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3172 au_uwrite(au_to_arg32( 3173 3, "setqctrl:aq_delay", 3174 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3175 } else { 3176 au_uwrite(au_to_arg64( 3177 3, "setqctrl:aq_hiwater", 3178 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3179 au_uwrite(au_to_arg64( 3180 3, "setqctrl:aq_lowater", 3181 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3182 au_uwrite(au_to_arg64( 3183 3, "setqctrl:aq_bufsz", 3184 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3185 au_uwrite(au_to_arg64( 3186 3, "setqctrl:aq_delay", 3187 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3188 } 3189 break; 3190 } 3191 case AUE_AUDITON_SETUMASK: 3192 STRUCT_INIT(ainfo, get_udatamodel()); 3193 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3194 STRUCT_SIZE(ainfo))) { 3195 return; 3196 } 3197 au_uwrite(au_to_arg32(3, "setumask:as_success", 3198 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3199 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3200 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3201 break; 3202 case AUE_AUDITON_SETSMASK: 3203 STRUCT_INIT(ainfo, get_udatamodel()); 3204 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3205 STRUCT_SIZE(ainfo))) { 3206 return; 3207 } 3208 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3209 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3210 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3211 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3212 break; 3213 case AUE_AUDITON_SETCOND: 3214 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3215 return; 3216 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3217 break; 3218 case AUE_AUDITON_SETCLASS: 3219 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3220 return; 3221 au_uwrite(au_to_arg32( 3222 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3223 au_uwrite(au_to_arg32( 3224 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3225 break; 3226 case AUE_GETAUID: 3227 case AUE_GETAUDIT: 3228 case AUE_GETAUDIT_ADDR: 3229 case AUE_AUDIT: 3230 case AUE_AUDITON_GPOLICY: 3231 case AUE_AUDITON_GQCTRL: 3232 case AUE_AUDITON_GETKMASK: 3233 case AUE_AUDITON_GETCWD: 3234 case AUE_AUDITON_GETCAR: 3235 case AUE_AUDITON_GETSTAT: 3236 case AUE_AUDITON_SETSTAT: 3237 case AUE_AUDITON_GETCOND: 3238 case AUE_AUDITON_GETCLASS: 3239 break; 3240 default: 3241 break; 3242 } 3243 3244 } /* AUS_AUDITSYS */ 3245 3246 3247 /* only audit privileged operations for systeminfo(2) system call */ 3248 static au_event_t 3249 aui_sysinfo(au_event_t e) 3250 { 3251 klwp_t *clwp = ttolwp(curthread); 3252 uint32_t command; 3253 3254 struct a { 3255 long command; 3256 long buf; /* char * */ 3257 long count; 3258 } *uap = (struct a *)clwp->lwp_ap; 3259 3260 command = (uint32_t)uap->command; 3261 3262 switch (command) { 3263 case SI_SET_HOSTNAME: 3264 case SI_SET_SRPC_DOMAIN: 3265 e = (au_event_t)AUE_SYSINFO; 3266 break; 3267 default: 3268 e = (au_event_t)AUE_NULL; 3269 break; 3270 } 3271 return (e); 3272 } 3273 3274 /*ARGSUSED*/ 3275 static void 3276 aus_sysinfo(struct t_audit_data *tad) 3277 { 3278 klwp_t *clwp = ttolwp(curthread); 3279 uint32_t command; 3280 size_t len, maxlen; 3281 char *name; 3282 uintptr_t buf; 3283 3284 struct a { 3285 long command; 3286 long buf; /* char * */ 3287 long count; 3288 } *uap = (struct a *)clwp->lwp_ap; 3289 3290 command = (uint32_t)uap->command; 3291 buf = (uintptr_t)uap->buf; 3292 3293 au_uwrite(au_to_arg32(1, "cmd", command)); 3294 3295 switch (command) { 3296 case SI_SET_HOSTNAME: 3297 { 3298 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3299 return; 3300 3301 maxlen = SYS_NMLN; 3302 name = kmem_alloc(maxlen, KM_SLEEP); 3303 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3304 break; 3305 3306 /* 3307 * Must be non-NULL string and string 3308 * must be less than SYS_NMLN chars. 3309 */ 3310 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3311 break; 3312 3313 au_uwrite(au_to_text(name)); 3314 break; 3315 } 3316 3317 case SI_SET_SRPC_DOMAIN: 3318 { 3319 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3320 return; 3321 3322 maxlen = SYS_NMLN; 3323 name = kmem_alloc(maxlen, KM_SLEEP); 3324 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3325 break; 3326 3327 /* 3328 * If string passed in is longer than length 3329 * allowed for domain name, fail. 3330 */ 3331 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3332 break; 3333 3334 au_uwrite(au_to_text(name)); 3335 break; 3336 } 3337 3338 default: 3339 return; 3340 } 3341 3342 kmem_free(name, maxlen); 3343 } 3344 3345 static au_event_t 3346 aui_modctl(au_event_t e) 3347 { 3348 klwp_t *clwp = ttolwp(curthread); 3349 uint_t cmd; 3350 3351 struct a { 3352 long cmd; 3353 } *uap = (struct a *)clwp->lwp_ap; 3354 3355 cmd = (uint_t)uap->cmd; 3356 3357 switch (cmd) { 3358 case MODLOAD: 3359 e = AUE_MODLOAD; 3360 break; 3361 case MODUNLOAD: 3362 e = AUE_MODUNLOAD; 3363 break; 3364 case MODADDMAJBIND: 3365 e = AUE_MODADDMAJ; 3366 break; 3367 case MODSETDEVPOLICY: 3368 e = AUE_MODDEVPLCY; 3369 break; 3370 case MODALLOCPRIV: 3371 e = AUE_MODADDPRIV; 3372 break; 3373 default: 3374 e = AUE_NULL; 3375 break; 3376 } 3377 return (e); 3378 } 3379 3380 3381 /*ARGSUSED*/ 3382 static void 3383 aus_modctl(struct t_audit_data *tad) 3384 { 3385 klwp_t *clwp = ttolwp(curthread); 3386 void *a = clwp->lwp_ap; 3387 uint_t use_path; 3388 3389 switch (tad->tad_event) { 3390 case AUE_MODLOAD: { 3391 typedef struct { 3392 long cmd; 3393 long use_path; 3394 long filename; /* char * */ 3395 } modloada_t; 3396 3397 char *filenamep; 3398 uintptr_t fname; 3399 extern char *default_path; 3400 3401 fname = (uintptr_t)((modloada_t *)a)->filename; 3402 use_path = (uint_t)((modloada_t *)a)->use_path; 3403 3404 /* space to hold path */ 3405 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3406 /* get string */ 3407 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3408 /* free allocated path */ 3409 kmem_free(filenamep, MOD_MAXPATH); 3410 return; 3411 } 3412 /* ensure it's null terminated */ 3413 filenamep[MOD_MAXPATH - 1] = 0; 3414 3415 if (use_path) 3416 au_uwrite(au_to_text(default_path)); 3417 au_uwrite(au_to_text(filenamep)); 3418 3419 /* release temporary memory */ 3420 kmem_free(filenamep, MOD_MAXPATH); 3421 break; 3422 } 3423 case AUE_MODUNLOAD: { 3424 typedef struct { 3425 long cmd; 3426 long id; 3427 } modunloada_t; 3428 3429 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3430 3431 au_uwrite(au_to_arg32(1, "id", id)); 3432 break; 3433 } 3434 case AUE_MODADDMAJ: { 3435 STRUCT_DECL(modconfig, mc); 3436 typedef struct { 3437 long cmd; 3438 long subcmd; 3439 long data; /* int * */ 3440 } modconfiga_t; 3441 3442 STRUCT_DECL(aliases, alias); 3443 caddr_t ap; 3444 int i, num_aliases; 3445 char *drvname, *mc_drvname; 3446 char *name; 3447 extern char *ddi_major_to_name(major_t); 3448 model_t model; 3449 3450 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3451 3452 model = get_udatamodel(); 3453 STRUCT_INIT(mc, model); 3454 /* sanitize buffer */ 3455 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3456 /* get user arguments */ 3457 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3458 STRUCT_SIZE(mc)) != 0) 3459 return; 3460 3461 mc_drvname = STRUCT_FGET(mc, drvname); 3462 if ((drvname = ddi_major_to_name( 3463 (major_t)STRUCT_FGET(mc, major))) != NULL && 3464 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3465 /* safety */ 3466 if (mc_drvname[0] != '\0') { 3467 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3468 au_uwrite(au_to_text(mc_drvname)); 3469 } 3470 /* drvname != NULL from test above */ 3471 au_uwrite(au_to_text(drvname)); 3472 return; 3473 } 3474 3475 if (mc_drvname[0] != '\0') { 3476 /* safety */ 3477 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3478 au_uwrite(au_to_text(mc_drvname)); 3479 } else 3480 au_uwrite(au_to_text("no drvname")); 3481 3482 num_aliases = STRUCT_FGET(mc, num_aliases); 3483 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3484 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3485 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3486 STRUCT_INIT(alias, model); 3487 for (i = 0; i < num_aliases; i++) { 3488 bzero((caddr_t)STRUCT_BUF(alias), 3489 STRUCT_SIZE(alias)); 3490 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3491 STRUCT_SIZE(alias)) != 0) 3492 break; 3493 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3494 MAXMODCONFNAME, NULL) != 0) { 3495 break; 3496 } 3497 3498 au_uwrite(au_to_text(name)); 3499 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3500 } 3501 kmem_free(name, MAXMODCONFNAME); 3502 break; 3503 } 3504 default: 3505 break; 3506 } 3507 } 3508 3509 3510 /*ARGSUSED*/ 3511 static void 3512 auf_accept( 3513 struct t_audit_data *tad, 3514 int error, 3515 rval_t *rval) 3516 { 3517 uint32_t scid; 3518 uint32_t sy_flags; 3519 int fd; 3520 struct sonode *so; 3521 char so_laddr[sizeof (struct sockaddr_in6)]; 3522 char so_faddr[sizeof (struct sockaddr_in6)]; 3523 int err; 3524 short so_family, so_type; 3525 int add_sock_token = 0; 3526 3527 /* need to determine type of executing binary */ 3528 scid = tad->tad_scid; 3529 #ifdef _SYSCALL32_IMPL 3530 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3531 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3532 else 3533 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3534 #else 3535 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3536 #endif 3537 if (sy_flags == SE_32RVAL1) 3538 fd = rval->r_val1; 3539 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3540 fd = rval->r_val1; 3541 if (sy_flags == SE_64RVAL) 3542 fd = (int)rval->r_vals; 3543 3544 if (error) { 3545 /* can't trust socket contents. Just return */ 3546 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3547 return; 3548 } 3549 3550 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3551 /* 3552 * not security relevant if doing a accept from non socket 3553 * so no extra tokens. Should probably turn off audit record 3554 * generation here. 3555 */ 3556 return; 3557 } 3558 3559 so_family = so->so_family; 3560 so_type = so->so_type; 3561 3562 switch (so_family) { 3563 case AF_INET: 3564 case AF_INET6: 3565 /* 3566 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3567 */ 3568 if (so->so_type == SOCK_STREAM) { 3569 socklen_t len; 3570 3571 bzero((void *)so_laddr, sizeof (so_laddr)); 3572 bzero((void *)so_faddr, sizeof (so_faddr)); 3573 3574 len = sizeof (so_laddr); 3575 (void) socket_getsockname(so, 3576 (struct sockaddr *)so_laddr, &len, CRED()); 3577 len = sizeof (so_faddr); 3578 (void) socket_getpeername(so, 3579 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3580 3581 add_sock_token = 1; 3582 } 3583 break; 3584 3585 default: 3586 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3587 break; 3588 } 3589 3590 releasef(fd); 3591 3592 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3593 3594 if (add_sock_token == 0) { 3595 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3596 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3597 return; 3598 } 3599 3600 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3601 3602 } 3603 3604 /*ARGSUSED*/ 3605 static void 3606 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3607 { 3608 struct a { 3609 long fd; 3610 long addr; 3611 long len; 3612 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3613 3614 struct sonode *so; 3615 char so_laddr[sizeof (struct sockaddr_in6)]; 3616 char so_faddr[sizeof (struct sockaddr_in6)]; 3617 int err, fd; 3618 socklen_t len; 3619 short so_family, so_type; 3620 int add_sock_token = 0; 3621 3622 fd = (int)uap->fd; 3623 3624 /* 3625 * bind failed, then nothing extra to add to audit record. 3626 */ 3627 if (error) { 3628 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3629 /* XXX may want to add failed address some day */ 3630 return; 3631 } 3632 3633 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3634 /* 3635 * not security relevant if doing a bind from non socket 3636 * so no extra tokens. Should probably turn off audit record 3637 * generation here. 3638 */ 3639 return; 3640 } 3641 3642 so_family = so->so_family; 3643 so_type = so->so_type; 3644 3645 switch (so_family) { 3646 case AF_INET: 3647 case AF_INET6: 3648 3649 bzero(so_faddr, sizeof (so_faddr)); 3650 len = sizeof (so_faddr); 3651 3652 (void) socket_getpeername(so, 3653 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3654 add_sock_token = 1; 3655 3656 break; 3657 3658 case AF_UNIX: 3659 /* token added by lookup */ 3660 break; 3661 default: 3662 /* AF_ROUTE, AF_KEY do not support accept */ 3663 break; 3664 } 3665 3666 releasef(fd); 3667 3668 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3669 3670 if (add_sock_token == 0) { 3671 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3672 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3673 return; 3674 } 3675 3676 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3677 3678 } 3679 3680 /*ARGSUSED*/ 3681 static void 3682 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3683 { 3684 struct a { 3685 long fd; 3686 long addr; 3687 long len; 3688 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3689 3690 struct sonode *so; 3691 char so_laddr[sizeof (struct sockaddr_in6)]; 3692 char so_faddr[sizeof (struct sockaddr_in6)]; 3693 int err, fd; 3694 socklen_t len; 3695 short so_family, so_type; 3696 int add_sock_token = 0; 3697 3698 fd = (int)uap->fd; 3699 3700 3701 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3702 /* 3703 * not security relevant if doing a connect from non socket 3704 * so no extra tokens. Should probably turn off audit record 3705 * generation here. 3706 */ 3707 return; 3708 } 3709 3710 so_family = so->so_family; 3711 so_type = so->so_type; 3712 3713 switch (so_family) { 3714 case AF_INET: 3715 case AF_INET6: 3716 3717 bzero(so_laddr, sizeof (so_laddr)); 3718 bzero(so_faddr, sizeof (so_faddr)); 3719 3720 len = sizeof (so_laddr); 3721 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3722 &len, CRED()); 3723 if (error) { 3724 if (uap->addr == NULL) 3725 break; 3726 if (uap->len <= 0) 3727 break; 3728 len = min(uap->len, sizeof (so_faddr)); 3729 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3730 break; 3731 #ifdef NOTYET 3732 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3733 #endif 3734 } else { 3735 /* sanity check on length */ 3736 len = sizeof (so_faddr); 3737 (void) socket_getpeername(so, 3738 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3739 } 3740 3741 add_sock_token = 1; 3742 3743 break; 3744 3745 case AF_UNIX: 3746 /* does a lookup on name */ 3747 break; 3748 3749 default: 3750 /* AF_ROUTE, AF_KEY do not support accept */ 3751 break; 3752 } 3753 3754 releasef(fd); 3755 3756 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3757 3758 if (add_sock_token == 0) { 3759 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3760 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3761 return; 3762 } 3763 3764 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3765 3766 } 3767 3768 /*ARGSUSED*/ 3769 static void 3770 aus_shutdown(struct t_audit_data *tad) 3771 { 3772 struct a { 3773 long fd; 3774 long how; 3775 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3776 3777 struct sonode *so; 3778 char so_laddr[sizeof (struct sockaddr_in6)]; 3779 char so_faddr[sizeof (struct sockaddr_in6)]; 3780 int err, fd; 3781 socklen_t len; 3782 short so_family, so_type; 3783 int add_sock_token = 0; 3784 file_t *fp; /* unix domain sockets */ 3785 struct f_audit_data *fad; /* unix domain sockets */ 3786 3787 fd = (int)uap->fd; 3788 3789 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3790 /* 3791 * not security relevant if doing a shutdown using non socket 3792 * so no extra tokens. Should probably turn off audit record 3793 * generation here. 3794 */ 3795 return; 3796 } 3797 3798 so_family = so->so_family; 3799 so_type = so->so_type; 3800 3801 switch (so_family) { 3802 case AF_INET: 3803 case AF_INET6: 3804 3805 bzero(so_laddr, sizeof (so_laddr)); 3806 bzero(so_faddr, sizeof (so_faddr)); 3807 3808 len = sizeof (so_laddr); 3809 (void) socket_getsockname(so, 3810 (struct sockaddr *)so_laddr, &len, CRED()); 3811 len = sizeof (so_faddr); 3812 (void) socket_getpeername(so, 3813 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3814 3815 add_sock_token = 1; 3816 3817 break; 3818 3819 case AF_UNIX: 3820 3821 /* get path from file struct here */ 3822 fad = F2A(fp); 3823 ASSERT(fad); 3824 3825 if (fad->fad_aupath != NULL) { 3826 au_uwrite(au_to_path(fad->fad_aupath)); 3827 } else { 3828 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3829 } 3830 3831 audit_attributes(fp->f_vnode); 3832 3833 break; 3834 3835 default: 3836 /* 3837 * AF_KEY and AF_ROUTE support shutdown. No socket token 3838 * added. 3839 */ 3840 break; 3841 } 3842 3843 releasef(fd); 3844 3845 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3846 3847 if (add_sock_token == 0) { 3848 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3849 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3850 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3851 return; 3852 } 3853 3854 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3855 3856 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3857 3858 } 3859 3860 /*ARGSUSED*/ 3861 static void 3862 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3863 { 3864 struct a { 3865 long fd; 3866 long level; 3867 long optname; 3868 long *optval; 3869 long optlen; 3870 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3871 3872 struct sonode *so; 3873 char so_laddr[sizeof (struct sockaddr_in6)]; 3874 char so_faddr[sizeof (struct sockaddr_in6)]; 3875 char val[AU_BUFSIZE]; 3876 int err, fd; 3877 socklen_t len; 3878 short so_family, so_type; 3879 int add_sock_token = 0; 3880 file_t *fp; /* unix domain sockets */ 3881 struct f_audit_data *fad; /* unix domain sockets */ 3882 3883 fd = (int)uap->fd; 3884 3885 if (error) { 3886 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3887 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3888 /* XXX may want to include other arguments */ 3889 return; 3890 } 3891 3892 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3893 /* 3894 * not security relevant if doing a setsockopt from non socket 3895 * so no extra tokens. Should probably turn off audit record 3896 * generation here. 3897 */ 3898 return; 3899 } 3900 3901 so_family = so->so_family; 3902 so_type = so->so_type; 3903 3904 switch (so_family) { 3905 case AF_INET: 3906 case AF_INET6: 3907 bzero((void *)so_laddr, sizeof (so_laddr)); 3908 bzero((void *)so_faddr, sizeof (so_faddr)); 3909 3910 /* get local and foreign addresses */ 3911 len = sizeof (so_laddr); 3912 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3913 &len, CRED()); 3914 len = sizeof (so_faddr); 3915 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3916 &len, B_FALSE, CRED()); 3917 3918 add_sock_token = 1; 3919 3920 break; 3921 3922 case AF_UNIX: 3923 3924 /* get path from file struct here */ 3925 fad = F2A(fp); 3926 ASSERT(fad); 3927 3928 if (fad->fad_aupath != NULL) { 3929 au_uwrite(au_to_path(fad->fad_aupath)); 3930 } else { 3931 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3932 } 3933 3934 audit_attributes(fp->f_vnode); 3935 3936 break; 3937 3938 default: 3939 /* 3940 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3941 * added. 3942 */ 3943 break; 3944 } 3945 3946 releasef(fd); 3947 3948 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3949 3950 if (add_sock_token == 0) { 3951 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3952 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3953 } 3954 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3955 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3956 3957 bzero(val, sizeof (val)); 3958 len = min(uap->optlen, sizeof (val)); 3959 if ((len > 0) && 3960 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3961 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3962 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3963 } 3964 3965 if (add_sock_token == 0) 3966 return; 3967 3968 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3969 3970 } 3971 3972 /*ARGSUSED*/ 3973 static void 3974 aus_sockconfig(tad) 3975 struct t_audit_data *tad; 3976 { 3977 struct a { 3978 long cmd; 3979 long arg1; 3980 long arg2; 3981 long arg3; 3982 long arg4; 3983 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3984 3985 char *buf; 3986 int buflen; 3987 size_t size; 3988 3989 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 3990 switch (uap->cmd) { 3991 case SOCKCONFIG_ADD_SOCK: 3992 case SOCKCONFIG_REMOVE_SOCK: 3993 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1)); 3994 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2)); 3995 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3)); 3996 3997 if (uap->arg4 == 0) { 3998 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0)); 3999 } else { 4000 buflen = MAXPATHLEN + 1; 4001 buf = kmem_alloc(buflen, KM_SLEEP); 4002 if (copyinstr((caddr_t)uap->arg4, buf, buflen, 4003 &size)) { 4004 kmem_free(buf, buflen); 4005 return; 4006 } 4007 4008 if (size > MAXPATHLEN) { 4009 kmem_free(buf, buflen); 4010 return; 4011 } 4012 4013 au_uwrite(au_to_text(buf)); 4014 kmem_free(buf, buflen); 4015 } 4016 break; 4017 case SOCKCONFIG_ADD_FILTER: 4018 case SOCKCONFIG_REMOVE_FILTER: 4019 buflen = FILNAME_MAX; 4020 buf = kmem_alloc(buflen, KM_SLEEP); 4021 4022 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) { 4023 kmem_free(buf, buflen); 4024 return; 4025 } 4026 4027 au_uwrite(au_to_text(buf)); 4028 kmem_free(buf, buflen); 4029 break; 4030 default: 4031 break; 4032 } 4033 } 4034 4035 /* 4036 * only audit recvmsg when the system call represents the creation of a new 4037 * circuit. This effectively occurs for all UDP packets and may occur for 4038 * special TCP situations where the local host has not set a local address 4039 * in the socket structure. 4040 */ 4041 /*ARGSUSED*/ 4042 static void 4043 auf_recvmsg( 4044 struct t_audit_data *tad, 4045 int error, 4046 rval_t *rvp) 4047 { 4048 struct a { 4049 long fd; 4050 long msg; /* struct msghdr */ 4051 long flags; 4052 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4053 4054 struct sonode *so; 4055 STRUCT_DECL(msghdr, msg); 4056 caddr_t msg_name; 4057 socklen_t msg_namelen; 4058 int fd; 4059 int err; 4060 char so_laddr[sizeof (struct sockaddr_in6)]; 4061 char so_faddr[sizeof (struct sockaddr_in6)]; 4062 socklen_t len; 4063 file_t *fp; /* unix domain sockets */ 4064 struct f_audit_data *fad; /* unix domain sockets */ 4065 short so_family, so_type; 4066 int add_sock_token = 0; 4067 au_kcontext_t *kctx = GET_KCTX_PZ; 4068 4069 fd = (int)uap->fd; 4070 4071 /* bail if an error */ 4072 if (error) { 4073 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4074 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4075 return; 4076 } 4077 4078 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4079 /* 4080 * not security relevant if doing a recvmsg from non socket 4081 * so no extra tokens. Should probably turn off audit record 4082 * generation here. 4083 */ 4084 return; 4085 } 4086 4087 so_family = so->so_family; 4088 so_type = so->so_type; 4089 4090 /* 4091 * only putout SOCKET_EX token if INET/INET6 family. 4092 * XXX - what do we do about other families? 4093 */ 4094 4095 switch (so_family) { 4096 case AF_INET: 4097 case AF_INET6: 4098 4099 /* 4100 * if datagram type socket, then just use what is in 4101 * socket structure for local address. 4102 * XXX - what do we do for other types? 4103 */ 4104 if ((so->so_type == SOCK_DGRAM) || 4105 (so->so_type == SOCK_RAW)) { 4106 add_sock_token = 1; 4107 4108 bzero((void *)so_laddr, sizeof (so_laddr)); 4109 bzero((void *)so_faddr, sizeof (so_faddr)); 4110 4111 /* get local address */ 4112 len = sizeof (so_laddr); 4113 (void) socket_getsockname(so, 4114 (struct sockaddr *)so_laddr, &len, CRED()); 4115 4116 /* get peer address */ 4117 STRUCT_INIT(msg, get_udatamodel()); 4118 4119 if (copyin((caddr_t)(uap->msg), 4120 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4121 break; 4122 } 4123 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4124 if (msg_name == NULL) { 4125 break; 4126 } 4127 4128 /* length is value from recvmsg - sanity check */ 4129 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4130 if (msg_namelen == 0) { 4131 break; 4132 } 4133 if (copyin(msg_name, so_faddr, 4134 sizeof (so_faddr)) != 0) { 4135 break; 4136 } 4137 4138 } else if (so->so_type == SOCK_STREAM) { 4139 4140 /* get path from file struct here */ 4141 fad = F2A(fp); 4142 ASSERT(fad); 4143 4144 /* 4145 * already processed this file for read attempt 4146 */ 4147 if (fad->fad_flags & FAD_READ) { 4148 /* don't want to audit every recvmsg attempt */ 4149 tad->tad_flag = 0; 4150 /* free any residual audit data */ 4151 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4152 releasef(fd); 4153 return; 4154 } 4155 /* 4156 * mark things so we know what happened and don't 4157 * repeat things 4158 */ 4159 fad->fad_flags |= FAD_READ; 4160 4161 bzero((void *)so_laddr, sizeof (so_laddr)); 4162 bzero((void *)so_faddr, sizeof (so_faddr)); 4163 4164 /* get local and foreign addresses */ 4165 len = sizeof (so_laddr); 4166 (void) socket_getsockname(so, 4167 (struct sockaddr *)so_laddr, &len, CRED()); 4168 len = sizeof (so_faddr); 4169 (void) socket_getpeername(so, 4170 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4171 4172 add_sock_token = 1; 4173 } 4174 4175 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4176 4177 break; 4178 4179 case AF_UNIX: 4180 /* 4181 * first check if this is first time through. Too much 4182 * duplicate code to put this in an aui_ routine. 4183 */ 4184 4185 /* get path from file struct here */ 4186 fad = F2A(fp); 4187 ASSERT(fad); 4188 4189 /* 4190 * already processed this file for read attempt 4191 */ 4192 if (fad->fad_flags & FAD_READ) { 4193 releasef(fd); 4194 /* don't want to audit every recvmsg attempt */ 4195 tad->tad_flag = 0; 4196 /* free any residual audit data */ 4197 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4198 return; 4199 } 4200 /* 4201 * mark things so we know what happened and don't 4202 * repeat things 4203 */ 4204 fad->fad_flags |= FAD_READ; 4205 4206 if (fad->fad_aupath != NULL) { 4207 au_uwrite(au_to_path(fad->fad_aupath)); 4208 } else { 4209 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4210 } 4211 4212 audit_attributes(fp->f_vnode); 4213 4214 releasef(fd); 4215 4216 return; 4217 4218 default: 4219 break; 4220 4221 } 4222 4223 releasef(fd); 4224 4225 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4226 4227 if (add_sock_token == 0) { 4228 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4229 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4230 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4231 return; 4232 } 4233 4234 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4235 4236 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4237 4238 } 4239 4240 /*ARGSUSED*/ 4241 static void 4242 auf_recvfrom( 4243 struct t_audit_data *tad, 4244 int error, 4245 rval_t *rvp) 4246 { 4247 4248 struct a { 4249 long fd; 4250 long msg; /* char */ 4251 long len; 4252 long flags; 4253 long from; /* struct sockaddr */ 4254 long fromlen; 4255 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4256 4257 socklen_t fromlen; 4258 struct sonode *so; 4259 char so_laddr[sizeof (struct sockaddr_in6)]; 4260 char so_faddr[sizeof (struct sockaddr_in6)]; 4261 int fd; 4262 short so_family, so_type; 4263 int add_sock_token = 0; 4264 socklen_t len; 4265 int err; 4266 struct file *fp; 4267 struct f_audit_data *fad; /* unix domain sockets */ 4268 au_kcontext_t *kctx = GET_KCTX_PZ; 4269 4270 fd = (int)uap->fd; 4271 4272 /* bail if an error */ 4273 if (error) { 4274 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4275 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4276 return; 4277 } 4278 4279 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4280 /* 4281 * not security relevant if doing a recvmsg from non socket 4282 * so no extra tokens. Should probably turn off audit record 4283 * generation here. 4284 */ 4285 return; 4286 } 4287 4288 so_family = so->so_family; 4289 so_type = so->so_type; 4290 4291 /* 4292 * only putout SOCKET_EX token if INET/INET6 family. 4293 * XXX - what do we do about other families? 4294 */ 4295 4296 switch (so_family) { 4297 case AF_INET: 4298 case AF_INET6: 4299 4300 /* 4301 * if datagram type socket, then just use what is in 4302 * socket structure for local address. 4303 * XXX - what do we do for other types? 4304 */ 4305 if ((so->so_type == SOCK_DGRAM) || 4306 (so->so_type == SOCK_RAW)) { 4307 add_sock_token = 1; 4308 4309 /* get local address */ 4310 len = sizeof (so_laddr); 4311 (void) socket_getsockname(so, 4312 (struct sockaddr *)so_laddr, &len, CRED()); 4313 4314 /* get peer address */ 4315 bzero((void *)so_faddr, sizeof (so_faddr)); 4316 4317 /* sanity check */ 4318 if (uap->from == NULL) 4319 break; 4320 4321 /* sanity checks */ 4322 if (uap->fromlen == 0) 4323 break; 4324 4325 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4326 sizeof (fromlen)) != 0) 4327 break; 4328 4329 if (fromlen == 0) 4330 break; 4331 4332 /* enforce maximum size */ 4333 if (fromlen > sizeof (so_faddr)) 4334 fromlen = sizeof (so_faddr); 4335 4336 if (copyin((caddr_t)(uap->from), so_faddr, 4337 fromlen) != 0) 4338 break; 4339 4340 } else if (so->so_type == SOCK_STREAM) { 4341 4342 /* get path from file struct here */ 4343 fad = F2A(fp); 4344 ASSERT(fad); 4345 4346 /* 4347 * already processed this file for read attempt 4348 */ 4349 if (fad->fad_flags & FAD_READ) { 4350 /* don't want to audit every recvfrom attempt */ 4351 tad->tad_flag = 0; 4352 /* free any residual audit data */ 4353 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4354 releasef(fd); 4355 return; 4356 } 4357 /* 4358 * mark things so we know what happened and don't 4359 * repeat things 4360 */ 4361 fad->fad_flags |= FAD_READ; 4362 4363 bzero((void *)so_laddr, sizeof (so_laddr)); 4364 bzero((void *)so_faddr, sizeof (so_faddr)); 4365 4366 /* get local and foreign addresses */ 4367 len = sizeof (so_laddr); 4368 (void) socket_getsockname(so, 4369 (struct sockaddr *)so_laddr, &len, CRED()); 4370 len = sizeof (so_faddr); 4371 (void) socket_getpeername(so, 4372 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4373 4374 add_sock_token = 1; 4375 } 4376 4377 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4378 4379 break; 4380 4381 case AF_UNIX: 4382 /* 4383 * first check if this is first time through. Too much 4384 * duplicate code to put this in an aui_ routine. 4385 */ 4386 4387 /* get path from file struct here */ 4388 fad = F2A(fp); 4389 ASSERT(fad); 4390 4391 /* 4392 * already processed this file for read attempt 4393 */ 4394 if (fad->fad_flags & FAD_READ) { 4395 /* don't want to audit every recvfrom attempt */ 4396 tad->tad_flag = 0; 4397 /* free any residual audit data */ 4398 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4399 releasef(fd); 4400 return; 4401 } 4402 /* 4403 * mark things so we know what happened and don't 4404 * repeat things 4405 */ 4406 fad->fad_flags |= FAD_READ; 4407 4408 if (fad->fad_aupath != NULL) { 4409 au_uwrite(au_to_path(fad->fad_aupath)); 4410 } else { 4411 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4412 } 4413 4414 audit_attributes(fp->f_vnode); 4415 4416 releasef(fd); 4417 4418 return; 4419 4420 default: 4421 break; 4422 4423 } 4424 4425 releasef(fd); 4426 4427 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4428 4429 if (add_sock_token == 0) { 4430 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4431 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4432 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4433 return; 4434 } 4435 4436 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4437 4438 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4439 } 4440 4441 /*ARGSUSED*/ 4442 static void 4443 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4444 { 4445 struct a { 4446 long fd; 4447 long msg; /* struct msghdr */ 4448 long flags; 4449 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4450 4451 struct sonode *so; 4452 char so_laddr[sizeof (struct sockaddr_in6)]; 4453 char so_faddr[sizeof (struct sockaddr_in6)]; 4454 int err; 4455 int fd; 4456 short so_family, so_type; 4457 int add_sock_token = 0; 4458 socklen_t len; 4459 struct file *fp; 4460 struct f_audit_data *fad; 4461 caddr_t msg_name; 4462 socklen_t msg_namelen; 4463 STRUCT_DECL(msghdr, msg); 4464 au_kcontext_t *kctx = GET_KCTX_PZ; 4465 4466 fd = (int)uap->fd; 4467 4468 /* bail if an error */ 4469 if (error) { 4470 /* XXX include destination address from system call arguments */ 4471 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4472 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4473 return; 4474 } 4475 4476 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4477 /* 4478 * not security relevant if doing a sendmsg from non socket 4479 * so no extra tokens. Should probably turn off audit record 4480 * generation here. 4481 */ 4482 return; 4483 } 4484 4485 so_family = so->so_family; 4486 so_type = so->so_type; 4487 4488 switch (so_family) { 4489 case AF_INET: 4490 case AF_INET6: 4491 /* 4492 * if datagram type socket, then just use what is in 4493 * socket structure for local address. 4494 * XXX - what do we do for other types? 4495 */ 4496 if ((so->so_type == SOCK_DGRAM) || 4497 (so->so_type == SOCK_RAW)) { 4498 4499 bzero((void *)so_laddr, sizeof (so_laddr)); 4500 bzero((void *)so_faddr, sizeof (so_faddr)); 4501 4502 /* get local address */ 4503 len = sizeof (so_laddr); 4504 (void) socket_getsockname(so, 4505 (struct sockaddr *)so_laddr, &len, CRED()); 4506 4507 /* get peer address */ 4508 STRUCT_INIT(msg, get_udatamodel()); 4509 4510 if (copyin((caddr_t)(uap->msg), 4511 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4512 break; 4513 } 4514 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4515 if (msg_name == NULL) 4516 break; 4517 4518 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4519 /* length is value from recvmsg - sanity check */ 4520 if (msg_namelen == 0) 4521 break; 4522 4523 if (copyin(msg_name, so_faddr, 4524 sizeof (so_faddr)) != 0) 4525 break; 4526 4527 add_sock_token = 1; 4528 4529 } else if (so->so_type == SOCK_STREAM) { 4530 4531 /* get path from file struct here */ 4532 fad = F2A(fp); 4533 ASSERT(fad); 4534 4535 /* 4536 * already processed this file for write attempt 4537 */ 4538 if (fad->fad_flags & FAD_WRITE) { 4539 releasef(fd); 4540 /* don't want to audit every sendmsg attempt */ 4541 tad->tad_flag = 0; 4542 /* free any residual audit data */ 4543 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4544 return; 4545 } 4546 4547 /* 4548 * mark things so we know what happened and don't 4549 * repeat things 4550 */ 4551 fad->fad_flags |= FAD_WRITE; 4552 4553 bzero((void *)so_laddr, sizeof (so_laddr)); 4554 bzero((void *)so_faddr, sizeof (so_faddr)); 4555 4556 /* get local and foreign addresses */ 4557 len = sizeof (so_laddr); 4558 (void) socket_getsockname(so, 4559 (struct sockaddr *)so_laddr, &len, CRED()); 4560 len = sizeof (so_faddr); 4561 (void) socket_getpeername(so, 4562 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4563 4564 add_sock_token = 1; 4565 } 4566 4567 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4568 4569 break; 4570 4571 case AF_UNIX: 4572 /* 4573 * first check if this is first time through. Too much 4574 * duplicate code to put this in an aui_ routine. 4575 */ 4576 4577 /* get path from file struct here */ 4578 fad = F2A(fp); 4579 ASSERT(fad); 4580 4581 /* 4582 * already processed this file for write attempt 4583 */ 4584 if (fad->fad_flags & FAD_WRITE) { 4585 releasef(fd); 4586 /* don't want to audit every sendmsg attempt */ 4587 tad->tad_flag = 0; 4588 /* free any residual audit data */ 4589 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4590 return; 4591 } 4592 /* 4593 * mark things so we know what happened and don't 4594 * repeat things 4595 */ 4596 fad->fad_flags |= FAD_WRITE; 4597 4598 if (fad->fad_aupath != NULL) { 4599 au_uwrite(au_to_path(fad->fad_aupath)); 4600 } else { 4601 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4602 } 4603 4604 audit_attributes(fp->f_vnode); 4605 4606 releasef(fd); 4607 4608 return; 4609 4610 default: 4611 break; 4612 } 4613 4614 releasef(fd); 4615 4616 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4617 4618 if (add_sock_token == 0) { 4619 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4620 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4621 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4622 return; 4623 } 4624 4625 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4626 4627 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4628 } 4629 4630 /*ARGSUSED*/ 4631 static void 4632 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4633 { 4634 struct a { 4635 long fd; 4636 long msg; /* char */ 4637 long len; 4638 long flags; 4639 long to; /* struct sockaddr */ 4640 long tolen; 4641 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4642 4643 struct sonode *so; 4644 char so_laddr[sizeof (struct sockaddr_in6)]; 4645 char so_faddr[sizeof (struct sockaddr_in6)]; 4646 socklen_t tolen; 4647 int err; 4648 int fd; 4649 socklen_t len; 4650 short so_family, so_type; 4651 int add_sock_token = 0; 4652 struct file *fp; 4653 struct f_audit_data *fad; 4654 au_kcontext_t *kctx = GET_KCTX_PZ; 4655 4656 fd = (int)uap->fd; 4657 4658 /* bail if an error */ 4659 if (error) { 4660 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4661 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4662 /* XXX include destination address from system call arguments */ 4663 return; 4664 } 4665 4666 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4667 /* 4668 * not security relevant if doing a sendto using non socket 4669 * so no extra tokens. Should probably turn off audit record 4670 * generation here. 4671 */ 4672 return; 4673 } 4674 4675 so_family = so->so_family; 4676 so_type = so->so_type; 4677 4678 /* 4679 * only putout SOCKET_EX token if INET/INET6 family. 4680 * XXX - what do we do about other families? 4681 */ 4682 4683 switch (so_family) { 4684 case AF_INET: 4685 case AF_INET6: 4686 4687 /* 4688 * if datagram type socket, then just use what is in 4689 * socket structure for local address. 4690 * XXX - what do we do for other types? 4691 */ 4692 if ((so->so_type == SOCK_DGRAM) || 4693 (so->so_type == SOCK_RAW)) { 4694 4695 bzero((void *)so_laddr, sizeof (so_laddr)); 4696 bzero((void *)so_faddr, sizeof (so_faddr)); 4697 4698 /* get local address */ 4699 len = sizeof (so_laddr); 4700 (void) socket_getsockname(so, 4701 (struct sockaddr *)so_laddr, &len, CRED()); 4702 4703 /* get peer address */ 4704 4705 /* sanity check */ 4706 if (uap->to == NULL) 4707 break; 4708 4709 /* sanity checks */ 4710 if (uap->tolen == 0) 4711 break; 4712 4713 tolen = (socklen_t)uap->tolen; 4714 4715 /* enforce maximum size */ 4716 if (tolen > sizeof (so_faddr)) 4717 tolen = sizeof (so_faddr); 4718 4719 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4720 break; 4721 4722 add_sock_token = 1; 4723 } else { 4724 /* 4725 * check if this is first time through. 4726 */ 4727 4728 /* get path from file struct here */ 4729 fad = F2A(fp); 4730 ASSERT(fad); 4731 4732 /* 4733 * already processed this file for write attempt 4734 */ 4735 if (fad->fad_flags & FAD_WRITE) { 4736 /* don't want to audit every sendto attempt */ 4737 tad->tad_flag = 0; 4738 /* free any residual audit data */ 4739 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4740 releasef(fd); 4741 return; 4742 } 4743 /* 4744 * mark things so we know what happened and don't 4745 * repeat things 4746 */ 4747 fad->fad_flags |= FAD_WRITE; 4748 4749 bzero((void *)so_laddr, sizeof (so_laddr)); 4750 bzero((void *)so_faddr, sizeof (so_faddr)); 4751 4752 /* get local and foreign addresses */ 4753 len = sizeof (so_laddr); 4754 (void) socket_getsockname(so, 4755 (struct sockaddr *)so_laddr, &len, CRED()); 4756 len = sizeof (so_faddr); 4757 (void) socket_getpeername(so, 4758 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4759 4760 add_sock_token = 1; 4761 } 4762 4763 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4764 4765 break; 4766 4767 case AF_UNIX: 4768 /* 4769 * first check if this is first time through. Too much 4770 * duplicate code to put this in an aui_ routine. 4771 */ 4772 4773 /* get path from file struct here */ 4774 fad = F2A(fp); 4775 ASSERT(fad); 4776 4777 /* 4778 * already processed this file for write attempt 4779 */ 4780 if (fad->fad_flags & FAD_WRITE) { 4781 /* don't want to audit every sendto attempt */ 4782 tad->tad_flag = 0; 4783 /* free any residual audit data */ 4784 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4785 releasef(fd); 4786 return; 4787 } 4788 /* 4789 * mark things so we know what happened and don't 4790 * repeat things 4791 */ 4792 fad->fad_flags |= FAD_WRITE; 4793 4794 if (fad->fad_aupath != NULL) { 4795 au_uwrite(au_to_path(fad->fad_aupath)); 4796 } else { 4797 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4798 } 4799 4800 audit_attributes(fp->f_vnode); 4801 4802 releasef(fd); 4803 4804 return; 4805 4806 default: 4807 break; 4808 4809 } 4810 4811 releasef(fd); 4812 4813 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4814 4815 if (add_sock_token == 0) { 4816 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4817 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4818 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4819 return; 4820 } 4821 4822 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4823 4824 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4825 4826 } 4827 4828 /* 4829 * XXX socket(2) may be equivalent to open(2) on a unix domain 4830 * socket. This needs investigation. 4831 */ 4832 4833 /*ARGSUSED*/ 4834 static void 4835 aus_socket(struct t_audit_data *tad) 4836 { 4837 struct a { 4838 long domain; 4839 long type; 4840 long protocol; 4841 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4842 4843 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4844 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4845 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4846 } 4847 4848 /*ARGSUSED*/ 4849 static void 4850 aus_sigqueue(struct t_audit_data *tad) 4851 { 4852 struct a { 4853 long pid; 4854 long signo; 4855 long *val; 4856 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4857 struct proc *p; 4858 uid_t uid, ruid; 4859 gid_t gid, rgid; 4860 pid_t pid; 4861 const auditinfo_addr_t *ainfo; 4862 cred_t *cr; 4863 4864 pid = (pid_t)uap->pid; 4865 4866 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4867 if (pid > 0) { 4868 mutex_enter(&pidlock); 4869 if ((p = prfind(pid)) == (struct proc *)0) { 4870 mutex_exit(&pidlock); 4871 return; 4872 } 4873 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4874 mutex_exit(&pidlock); 4875 4876 mutex_enter(&p->p_crlock); 4877 crhold(cr = p->p_cred); 4878 mutex_exit(&p->p_crlock); 4879 mutex_exit(&p->p_lock); 4880 4881 ainfo = crgetauinfo(cr); 4882 if (ainfo == NULL) { 4883 crfree(cr); 4884 return; 4885 } 4886 4887 uid = crgetuid(cr); 4888 gid = crgetgid(cr); 4889 ruid = crgetruid(cr); 4890 rgid = crgetrgid(cr); 4891 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4892 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4893 crfree(cr); 4894 } 4895 else 4896 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4897 } 4898 4899 /*ARGSUSED*/ 4900 static void 4901 aus_inst_sync(struct t_audit_data *tad) 4902 { 4903 struct a { 4904 long name; /* char */ 4905 long flags; 4906 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4907 4908 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4909 } 4910 4911 /*ARGSUSED*/ 4912 static void 4913 aus_brandsys(struct t_audit_data *tad) 4914 { 4915 klwp_t *clwp = ttolwp(curthread); 4916 4917 struct a { 4918 long cmd; 4919 long arg1; 4920 long arg2; 4921 long arg3; 4922 long arg4; 4923 long arg5; 4924 long arg6; 4925 } *uap = (struct a *)clwp->lwp_ap; 4926 4927 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4928 #ifdef _LP64 4929 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4930 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4931 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4932 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4933 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4934 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4935 #else 4936 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4937 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4938 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4939 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4940 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4941 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4942 #endif 4943 } 4944 4945 /*ARGSUSED*/ 4946 static void 4947 aus_p_online(struct t_audit_data *tad) 4948 { 4949 struct a { 4950 long processor_id; 4951 long flag; 4952 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4953 4954 struct flags { 4955 int flag; 4956 char *cflag; 4957 } aflags[6] = { 4958 { P_ONLINE, "P_ONLINE"}, 4959 { P_OFFLINE, "P_OFFLINE"}, 4960 { P_NOINTR, "P_NOINTR"}, 4961 { P_SPARE, "P_SPARE"}, 4962 { P_FAULTED, "P_FAULTED"}, 4963 { P_STATUS, "P_STATUS"} 4964 }; 4965 int i; 4966 char *cflag; 4967 4968 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4969 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4970 4971 for (i = 0; i < 6; i++) { 4972 if (aflags[i].flag == uap->flag) 4973 break; 4974 } 4975 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4976 4977 au_uwrite(au_to_text(cflag)); 4978 } 4979 4980 /*ARGSUSED*/ 4981 static void 4982 aus_processor_bind(struct t_audit_data *tad) 4983 { 4984 struct a { 4985 long id_type; 4986 long id; 4987 long processor_id; 4988 long obind; 4989 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4990 4991 struct proc *p; 4992 int lwpcnt; 4993 uid_t uid, ruid; 4994 gid_t gid, rgid; 4995 pid_t pid; 4996 const auditinfo_addr_t *ainfo; 4997 cred_t *cr; 4998 4999 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 5000 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 5001 if (uap->processor_id == PBIND_NONE) 5002 au_uwrite(au_to_text("PBIND_NONE")); 5003 else 5004 au_uwrite(au_to_arg32(3, "processor_id", 5005 (uint32_t)uap->processor_id)); 5006 5007 switch (uap->id_type) { 5008 case P_MYID: 5009 case P_LWPID: 5010 mutex_enter(&pidlock); 5011 p = ttoproc(curthread); 5012 if (p == NULL || p->p_as == &kas) { 5013 mutex_exit(&pidlock); 5014 return; 5015 } 5016 mutex_enter(&p->p_lock); 5017 mutex_exit(&pidlock); 5018 lwpcnt = p->p_lwpcnt; 5019 pid = p->p_pid; 5020 5021 mutex_enter(&p->p_crlock); 5022 crhold(cr = p->p_cred); 5023 mutex_exit(&p->p_crlock); 5024 mutex_exit(&p->p_lock); 5025 5026 ainfo = crgetauinfo(cr); 5027 if (ainfo == NULL) { 5028 crfree(cr); 5029 return; 5030 } 5031 5032 uid = crgetuid(cr); 5033 gid = crgetgid(cr); 5034 ruid = crgetruid(cr); 5035 rgid = crgetrgid(cr); 5036 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5037 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5038 crfree(cr); 5039 break; 5040 case P_PID: 5041 mutex_enter(&pidlock); 5042 p = prfind(uap->id); 5043 if (p == NULL || p->p_as == &kas) { 5044 mutex_exit(&pidlock); 5045 return; 5046 } 5047 mutex_enter(&p->p_lock); 5048 mutex_exit(&pidlock); 5049 lwpcnt = p->p_lwpcnt; 5050 pid = p->p_pid; 5051 5052 mutex_enter(&p->p_crlock); 5053 crhold(cr = p->p_cred); 5054 mutex_exit(&p->p_crlock); 5055 mutex_exit(&p->p_lock); 5056 5057 ainfo = crgetauinfo(cr); 5058 if (ainfo == NULL) { 5059 crfree(cr); 5060 return; 5061 } 5062 5063 uid = crgetuid(cr); 5064 gid = crgetgid(cr); 5065 ruid = crgetruid(cr); 5066 rgid = crgetrgid(cr); 5067 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5068 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5069 crfree(cr); 5070 5071 break; 5072 default: 5073 return; 5074 } 5075 5076 if (uap->processor_id == PBIND_NONE && 5077 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 5078 au_uwrite(au_to_text("PBIND_NONE for process")); 5079 else 5080 au_uwrite(au_to_arg32(3, "processor_id", 5081 (uint32_t)uap->processor_id)); 5082 } 5083 5084 /*ARGSUSED*/ 5085 static au_event_t 5086 aui_doorfs(au_event_t e) 5087 { 5088 uint32_t code; 5089 5090 struct a { /* doorfs */ 5091 long a1; 5092 long a2; 5093 long a3; 5094 long a4; 5095 long a5; 5096 long code; 5097 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5098 5099 /* 5100 * audit formats for several of the 5101 * door calls have not yet been determined 5102 */ 5103 code = (uint32_t)uap->code; 5104 switch (code) { 5105 case DOOR_CALL: 5106 e = AUE_DOORFS_DOOR_CALL; 5107 break; 5108 case DOOR_RETURN: 5109 e = AUE_NULL; 5110 break; 5111 case DOOR_CREATE: 5112 e = AUE_DOORFS_DOOR_CREATE; 5113 break; 5114 case DOOR_REVOKE: 5115 e = AUE_DOORFS_DOOR_REVOKE; 5116 break; 5117 case DOOR_INFO: 5118 e = AUE_NULL; 5119 break; 5120 case DOOR_UCRED: 5121 e = AUE_NULL; 5122 break; 5123 case DOOR_BIND: 5124 e = AUE_NULL; 5125 break; 5126 case DOOR_UNBIND: 5127 e = AUE_NULL; 5128 break; 5129 case DOOR_GETPARAM: 5130 e = AUE_NULL; 5131 break; 5132 case DOOR_SETPARAM: 5133 e = AUE_NULL; 5134 break; 5135 default: /* illegal system call */ 5136 e = AUE_NULL; 5137 break; 5138 } 5139 5140 return (e); 5141 } 5142 5143 static door_node_t * 5144 au_door_lookup(int did) 5145 { 5146 vnode_t *vp; 5147 file_t *fp; 5148 5149 if ((fp = getf(did)) == NULL) 5150 return (NULL); 5151 /* 5152 * Use the underlying vnode (we may be namefs mounted) 5153 */ 5154 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5155 vp = fp->f_vnode; 5156 5157 if (vp == NULL || vp->v_type != VDOOR) { 5158 releasef(did); 5159 return (NULL); 5160 } 5161 5162 return (VTOD(vp)); 5163 } 5164 5165 /*ARGSUSED*/ 5166 static void 5167 aus_doorfs(struct t_audit_data *tad) 5168 { 5169 5170 struct a { /* doorfs */ 5171 long a1; 5172 long a2; 5173 long a3; 5174 long a4; 5175 long a5; 5176 long code; 5177 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5178 5179 door_node_t *dp; 5180 struct proc *p; 5181 uint32_t did; 5182 uid_t uid, ruid; 5183 gid_t gid, rgid; 5184 pid_t pid; 5185 const auditinfo_addr_t *ainfo; 5186 cred_t *cr; 5187 5188 did = (uint32_t)uap->a1; 5189 5190 switch (tad->tad_event) { 5191 case AUE_DOORFS_DOOR_CALL: 5192 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5193 if ((dp = au_door_lookup(did)) == NULL) 5194 break; 5195 5196 if (DOOR_INVALID(dp)) { 5197 releasef(did); 5198 break; 5199 } 5200 5201 if ((p = dp->door_target) == NULL) { 5202 releasef(did); 5203 break; 5204 } 5205 mutex_enter(&p->p_lock); 5206 releasef(did); 5207 5208 pid = p->p_pid; 5209 5210 mutex_enter(&p->p_crlock); 5211 crhold(cr = p->p_cred); 5212 mutex_exit(&p->p_crlock); 5213 mutex_exit(&p->p_lock); 5214 5215 ainfo = crgetauinfo(cr); 5216 if (ainfo == NULL) { 5217 crfree(cr); 5218 return; 5219 } 5220 uid = crgetuid(cr); 5221 gid = crgetgid(cr); 5222 ruid = crgetruid(cr); 5223 rgid = crgetrgid(cr); 5224 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5225 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5226 crfree(cr); 5227 break; 5228 case AUE_DOORFS_DOOR_RETURN: 5229 /* 5230 * We may want to write information about 5231 * all doors (if any) which will be copied 5232 * by this call to the user space 5233 */ 5234 break; 5235 case AUE_DOORFS_DOOR_CREATE: 5236 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5237 break; 5238 case AUE_DOORFS_DOOR_REVOKE: 5239 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5240 break; 5241 case AUE_DOORFS_DOOR_INFO: 5242 break; 5243 case AUE_DOORFS_DOOR_CRED: 5244 break; 5245 case AUE_DOORFS_DOOR_BIND: 5246 break; 5247 case AUE_DOORFS_DOOR_UNBIND: { 5248 break; 5249 } 5250 default: /* illegal system call */ 5251 break; 5252 } 5253 } 5254 5255 /*ARGSUSED*/ 5256 static au_event_t 5257 aui_acl(au_event_t e) 5258 { 5259 struct a { 5260 union { 5261 long name; /* char */ 5262 long fd; 5263 } obj; 5264 5265 long cmd; 5266 long nentries; 5267 long arg; /* aclent_t */ 5268 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5269 5270 switch (uap->cmd) { 5271 case SETACL: 5272 case ACE_SETACL: 5273 /* 5274 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5275 * are expected. 5276 */ 5277 break; 5278 case GETACL: 5279 case GETACLCNT: 5280 case ACE_GETACL: 5281 case ACE_GETACLCNT: 5282 /* do nothing for these four values. */ 5283 e = AUE_NULL; 5284 break; 5285 default: 5286 /* illegal system call */ 5287 break; 5288 } 5289 5290 return (e); 5291 } 5292 5293 static void 5294 au_acl(int cmd, int nentries, caddr_t bufp) 5295 { 5296 size_t a_size; 5297 aclent_t *aclbufp; 5298 ace_t *acebufp; 5299 int i; 5300 5301 switch (cmd) { 5302 case GETACL: 5303 case GETACLCNT: 5304 break; 5305 case SETACL: 5306 if (nentries < 3) 5307 break; 5308 5309 a_size = nentries * sizeof (aclent_t); 5310 5311 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5312 break; 5313 if (copyin(bufp, aclbufp, a_size)) { 5314 kmem_free(aclbufp, a_size); 5315 break; 5316 } 5317 for (i = 0; i < nentries; i++) { 5318 au_uwrite(au_to_acl(aclbufp + i)); 5319 } 5320 kmem_free(aclbufp, a_size); 5321 break; 5322 5323 case ACE_SETACL: 5324 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5325 break; 5326 5327 a_size = nentries * sizeof (ace_t); 5328 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5329 break; 5330 if (copyin(bufp, acebufp, a_size)) { 5331 kmem_free(acebufp, a_size); 5332 break; 5333 } 5334 for (i = 0; i < nentries; i++) { 5335 au_uwrite(au_to_ace(acebufp + i)); 5336 } 5337 kmem_free(acebufp, a_size); 5338 break; 5339 default: 5340 break; 5341 } 5342 } 5343 5344 /*ARGSUSED*/ 5345 static void 5346 aus_acl(struct t_audit_data *tad) 5347 { 5348 struct a { 5349 long fname; 5350 long cmd; 5351 long nentries; 5352 long aclbufp; 5353 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5354 5355 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5356 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5357 5358 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5359 } 5360 5361 /*ARGSUSED*/ 5362 static void 5363 aus_facl(struct t_audit_data *tad) 5364 { 5365 struct a { 5366 long fd; 5367 long cmd; 5368 long nentries; 5369 long aclbufp; 5370 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5371 struct file *fp; 5372 struct vnode *vp; 5373 struct f_audit_data *fad; 5374 int fd; 5375 5376 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5377 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5378 5379 fd = (int)uap->fd; 5380 5381 if ((fp = getf(fd)) == NULL) 5382 return; 5383 5384 /* get path from file struct here */ 5385 fad = F2A(fp); 5386 if (fad->fad_aupath != NULL) { 5387 au_uwrite(au_to_path(fad->fad_aupath)); 5388 } else { 5389 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5390 } 5391 5392 vp = fp->f_vnode; 5393 audit_attributes(vp); 5394 5395 /* decrement file descriptor reference count */ 5396 releasef(fd); 5397 5398 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5399 } 5400 5401 /*ARGSUSED*/ 5402 static void 5403 auf_read(tad, error, rval) 5404 struct t_audit_data *tad; 5405 int error; 5406 rval_t *rval; 5407 { 5408 struct file *fp; 5409 struct f_audit_data *fad; 5410 int fd; 5411 register struct a { 5412 long fd; 5413 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5414 au_kcontext_t *kctx = GET_KCTX_PZ; 5415 5416 fd = (int)uap->fd; 5417 5418 /* 5419 * convert file pointer to file descriptor 5420 * Note: fd ref count incremented here. 5421 */ 5422 if ((fp = getf(fd)) == NULL) 5423 return; 5424 5425 /* get path from file struct here */ 5426 fad = F2A(fp); 5427 ASSERT(fad); 5428 5429 /* 5430 * already processed this file for read attempt 5431 * 5432 * XXX might be better to turn off auditing in a aui_read() routine. 5433 */ 5434 if (fad->fad_flags & FAD_READ) { 5435 /* don't really want to audit every read attempt */ 5436 tad->tad_flag = 0; 5437 /* free any residual audit data */ 5438 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5439 releasef(fd); 5440 return; 5441 } 5442 /* mark things so we know what happened and don't repeat things */ 5443 fad->fad_flags |= FAD_READ; 5444 5445 if (fad->fad_aupath != NULL) { 5446 au_uwrite(au_to_path(fad->fad_aupath)); 5447 } else { 5448 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5449 } 5450 5451 /* include attributes */ 5452 audit_attributes(fp->f_vnode); 5453 5454 /* decrement file descriptor reference count */ 5455 releasef(fd); 5456 } 5457 5458 /*ARGSUSED*/ 5459 static void 5460 auf_write(tad, error, rval) 5461 struct t_audit_data *tad; 5462 int error; 5463 rval_t *rval; 5464 { 5465 struct file *fp; 5466 struct f_audit_data *fad; 5467 int fd; 5468 register struct a { 5469 long fd; 5470 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5471 au_kcontext_t *kctx = GET_KCTX_PZ; 5472 5473 fd = (int)uap->fd; 5474 5475 /* 5476 * convert file pointer to file descriptor 5477 * Note: fd ref count incremented here. 5478 */ 5479 if ((fp = getf(fd)) == NULL) 5480 return; 5481 5482 /* get path from file struct here */ 5483 fad = F2A(fp); 5484 ASSERT(fad); 5485 5486 /* 5487 * already processed this file for write attempt 5488 * 5489 * XXX might be better to turn off auditing in a aus_write() routine. 5490 */ 5491 if (fad->fad_flags & FAD_WRITE) { 5492 /* don't really want to audit every write attempt */ 5493 tad->tad_flag = 0; 5494 /* free any residual audit data */ 5495 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5496 releasef(fd); 5497 return; 5498 } 5499 /* mark things so we know what happened and don't repeat things */ 5500 fad->fad_flags |= FAD_WRITE; 5501 5502 if (fad->fad_aupath != NULL) { 5503 au_uwrite(au_to_path(fad->fad_aupath)); 5504 } else { 5505 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5506 } 5507 5508 /* include attributes */ 5509 audit_attributes(fp->f_vnode); 5510 5511 /* decrement file descriptor reference count */ 5512 releasef(fd); 5513 } 5514 5515 /*ARGSUSED*/ 5516 static void 5517 auf_recv(tad, error, rval) 5518 struct t_audit_data *tad; 5519 int error; 5520 rval_t *rval; 5521 { 5522 struct sonode *so; 5523 char so_laddr[sizeof (struct sockaddr_in6)]; 5524 char so_faddr[sizeof (struct sockaddr_in6)]; 5525 struct file *fp; 5526 struct f_audit_data *fad; 5527 int fd; 5528 int err; 5529 socklen_t len; 5530 short so_family, so_type; 5531 register struct a { 5532 long fd; 5533 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5534 au_kcontext_t *kctx = GET_KCTX_PZ; 5535 5536 /* 5537 * If there was an error, then nothing to do. Only generate 5538 * audit record on first successful recv. 5539 */ 5540 if (error) { 5541 /* Turn off audit record generation here. */ 5542 tad->tad_flag = 0; 5543 /* free any residual audit data */ 5544 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5545 return; 5546 } 5547 5548 fd = (int)uap->fd; 5549 5550 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5551 /* Turn off audit record generation here. */ 5552 tad->tad_flag = 0; 5553 /* free any residual audit data */ 5554 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5555 return; 5556 } 5557 5558 /* get path from file struct here */ 5559 fad = F2A(fp); 5560 ASSERT(fad); 5561 5562 /* 5563 * already processed this file for read attempt 5564 */ 5565 if (fad->fad_flags & FAD_READ) { 5566 releasef(fd); 5567 /* don't really want to audit every recv call */ 5568 tad->tad_flag = 0; 5569 /* free any residual audit data */ 5570 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5571 return; 5572 } 5573 5574 /* mark things so we know what happened and don't repeat things */ 5575 fad->fad_flags |= FAD_READ; 5576 5577 so_family = so->so_family; 5578 so_type = so->so_type; 5579 5580 switch (so_family) { 5581 case AF_INET: 5582 case AF_INET6: 5583 /* 5584 * Only for connections. 5585 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5586 */ 5587 if (so->so_state & SS_ISBOUND) { 5588 5589 bzero((void *)so_laddr, sizeof (so_laddr)); 5590 bzero((void *)so_faddr, sizeof (so_faddr)); 5591 5592 /* get local and foreign addresses */ 5593 len = sizeof (so_laddr); 5594 (void) socket_getsockname(so, 5595 (struct sockaddr *)so_laddr, &len, CRED()); 5596 len = sizeof (so_faddr); 5597 (void) socket_getpeername(so, 5598 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5599 5600 /* 5601 * only way to drop out of switch. Note that we 5602 * we release fd below. 5603 */ 5604 5605 break; 5606 } 5607 5608 releasef(fd); 5609 5610 /* don't really want to audit every recv call */ 5611 tad->tad_flag = 0; 5612 /* free any residual audit data */ 5613 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5614 5615 return; 5616 5617 case AF_UNIX: 5618 5619 if (fad->fad_aupath != NULL) { 5620 au_uwrite(au_to_path(fad->fad_aupath)); 5621 } else { 5622 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5623 } 5624 5625 audit_attributes(fp->f_vnode); 5626 5627 releasef(fd); 5628 5629 return; 5630 5631 default: 5632 releasef(fd); 5633 5634 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5635 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5636 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5637 5638 return; 5639 } 5640 5641 releasef(fd); 5642 5643 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5644 5645 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5646 5647 } 5648 5649 /*ARGSUSED*/ 5650 static void 5651 auf_send(tad, error, rval) 5652 struct t_audit_data *tad; 5653 int error; 5654 rval_t *rval; 5655 { 5656 struct sonode *so; 5657 char so_laddr[sizeof (struct sockaddr_in6)]; 5658 char so_faddr[sizeof (struct sockaddr_in6)]; 5659 struct file *fp; 5660 struct f_audit_data *fad; 5661 int fd; 5662 int err; 5663 socklen_t len; 5664 short so_family, so_type; 5665 register struct a { 5666 long fd; 5667 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5668 au_kcontext_t *kctx = GET_KCTX_PZ; 5669 5670 fd = (int)uap->fd; 5671 5672 /* 5673 * If there was an error, then nothing to do. Only generate 5674 * audit record on first successful send. 5675 */ 5676 if (error != 0) { 5677 /* Turn off audit record generation here. */ 5678 tad->tad_flag = 0; 5679 /* free any residual audit data */ 5680 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5681 return; 5682 } 5683 5684 fd = (int)uap->fd; 5685 5686 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5687 /* Turn off audit record generation here. */ 5688 tad->tad_flag = 0; 5689 /* free any residual audit data */ 5690 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5691 return; 5692 } 5693 5694 /* get path from file struct here */ 5695 fad = F2A(fp); 5696 ASSERT(fad); 5697 5698 /* 5699 * already processed this file for write attempt 5700 */ 5701 if (fad->fad_flags & FAD_WRITE) { 5702 releasef(fd); 5703 /* don't really want to audit every send call */ 5704 tad->tad_flag = 0; 5705 /* free any residual audit data */ 5706 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5707 return; 5708 } 5709 5710 /* mark things so we know what happened and don't repeat things */ 5711 fad->fad_flags |= FAD_WRITE; 5712 5713 so_family = so->so_family; 5714 so_type = so->so_type; 5715 5716 switch (so_family) { 5717 case AF_INET: 5718 case AF_INET6: 5719 /* 5720 * Only for connections. 5721 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5722 */ 5723 if (so->so_state & SS_ISBOUND) { 5724 5725 bzero((void *)so_laddr, sizeof (so_laddr)); 5726 bzero((void *)so_faddr, sizeof (so_faddr)); 5727 5728 /* get local and foreign addresses */ 5729 len = sizeof (so_laddr); 5730 (void) socket_getsockname(so, 5731 (struct sockaddr *)so_laddr, &len, CRED()); 5732 len = sizeof (so_faddr); 5733 (void) socket_getpeername(so, 5734 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5735 5736 /* 5737 * only way to drop out of switch. Note that we 5738 * we release fd below. 5739 */ 5740 5741 break; 5742 } 5743 5744 releasef(fd); 5745 /* don't really want to audit every send call */ 5746 tad->tad_flag = 0; 5747 /* free any residual audit data */ 5748 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5749 5750 return; 5751 5752 case AF_UNIX: 5753 5754 if (fad->fad_aupath != NULL) { 5755 au_uwrite(au_to_path(fad->fad_aupath)); 5756 } else { 5757 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5758 } 5759 5760 audit_attributes(fp->f_vnode); 5761 5762 releasef(fd); 5763 5764 return; 5765 5766 default: 5767 releasef(fd); 5768 5769 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5770 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5771 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5772 5773 return; 5774 } 5775 5776 releasef(fd); 5777 5778 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5779 5780 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5781 } 5782 5783 static au_event_t 5784 aui_forksys(au_event_t e) 5785 { 5786 struct a { 5787 long subcode; 5788 long flags; 5789 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5790 5791 switch ((uint_t)uap->subcode) { 5792 case 0: 5793 e = AUE_FORK1; 5794 break; 5795 case 1: 5796 e = AUE_FORKALL; 5797 break; 5798 case 2: 5799 e = AUE_VFORK; 5800 break; 5801 default: 5802 e = AUE_NULL; 5803 break; 5804 } 5805 5806 return (e); 5807 } 5808 5809 /*ARGSUSED*/ 5810 static au_event_t 5811 aui_portfs(au_event_t e) 5812 { 5813 struct a { /* portfs */ 5814 long a1; 5815 long a2; 5816 long a3; 5817 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5818 5819 /* 5820 * check opcode 5821 */ 5822 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5823 case PORT_ASSOCIATE: 5824 /* check source */ 5825 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5826 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5827 e = AUE_PORTFS_ASSOCIATE; 5828 } else { 5829 e = AUE_NULL; 5830 } 5831 break; 5832 case PORT_DISSOCIATE: 5833 /* check source */ 5834 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5835 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5836 e = AUE_PORTFS_DISSOCIATE; 5837 } else { 5838 e = AUE_NULL; 5839 } 5840 break; 5841 default: 5842 e = AUE_NULL; 5843 } 5844 return (e); 5845 } 5846