1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * This file contains the audit event table used to control the production 30 * of audit records for each system call. 31 */ 32 33 #include <sys/policy.h> 34 #include <sys/cred.h> 35 #include <sys/types.h> 36 #include <sys/systm.h> 37 #include <sys/systeminfo.h> /* for sysinfo auditing */ 38 #include <sys/utsname.h> /* for sysinfo auditing */ 39 #include <sys/proc.h> 40 #include <sys/vnode.h> 41 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 42 #include <sys/fcntl.h> 43 #include <sys/modctl.h> /* for modctl auditing */ 44 #include <sys/vnode.h> 45 #include <sys/user.h> 46 #include <sys/types.h> 47 #include <sys/processor.h> 48 #include <sys/procset.h> 49 #include <sys/acl.h> 50 #include <sys/ipc.h> 51 #include <sys/door.h> 52 #include <sys/sem.h> 53 #include <sys/msg.h> 54 #include <sys/shm.h> 55 #include <sys/kmem.h> 56 #include <sys/file.h> /* for accept */ 57 #include <sys/utssys.h> /* for fuser */ 58 #include <sys/tsol/label.h> 59 #include <c2/audit.h> 60 #include <c2/audit_kernel.h> 61 #include <c2/audit_kevents.h> 62 #include <c2/audit_record.h> 63 #include <sys/procset.h> 64 #include <nfs/mount.h> 65 #include <sys/param.h> 66 #include <sys/debug.h> 67 #include <sys/sysmacros.h> 68 #include <sys/stream.h> 69 #include <sys/strsubr.h> 70 #include <sys/stropts.h> 71 #include <sys/tihdr.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <netinet/in.h> 75 #include <sys/ddi.h> 76 77 extern token_t *au_to_sock_inet(struct sockaddr_in *); 78 79 int au_naevent; 80 char _depends_on[] = "fs/sockfs"; 81 82 static au_event_t aui_null(au_event_t); 83 static au_event_t aui_open(au_event_t); 84 static au_event_t aui_fsat(au_event_t); 85 static au_event_t aui_msgsys(au_event_t); 86 static au_event_t aui_shmsys(au_event_t); 87 static au_event_t aui_semsys(au_event_t); 88 static au_event_t aui_utssys(au_event_t); 89 static au_event_t aui_fcntl(au_event_t); 90 static au_event_t aui_execv(au_event_t); 91 static au_event_t aui_execve(au_event_t); 92 static au_event_t aui_memcntl(au_event_t); 93 static au_event_t aui_sysinfo(au_event_t); 94 static au_event_t aui_auditsys(au_event_t); 95 static au_event_t aui_modctl(au_event_t); 96 static au_event_t aui_acl(au_event_t); 97 static au_event_t aui_doorfs(au_event_t); 98 static au_event_t aui_privsys(au_event_t); 99 100 static void aus_null(struct t_audit_data *); 101 static void aus_open(struct t_audit_data *); 102 static void aus_acl(struct t_audit_data *); 103 static void aus_acct(struct t_audit_data *); 104 static void aus_chown(struct t_audit_data *); 105 static void aus_fchown(struct t_audit_data *); 106 static void aus_lchown(struct t_audit_data *); 107 static void aus_chmod(struct t_audit_data *); 108 static void aus_facl(struct t_audit_data *); 109 static void aus_fchmod(struct t_audit_data *); 110 static void aus_fcntl(struct t_audit_data *); 111 static void aus_fsat(struct t_audit_data *); 112 static void aus_mkdir(struct t_audit_data *); 113 static void aus_mknod(struct t_audit_data *); 114 static void aus_mount(struct t_audit_data *); 115 static void aus_umount(struct t_audit_data *); 116 static void aus_umount2(struct t_audit_data *); 117 static void aus_msgsys(struct t_audit_data *); 118 static void aus_semsys(struct t_audit_data *); 119 static void aus_close(struct t_audit_data *); 120 static void aus_fstatfs(struct t_audit_data *); 121 static void aus_setgid(struct t_audit_data *); 122 static void aus_setuid(struct t_audit_data *); 123 static void aus_shmsys(struct t_audit_data *); 124 static void aus_doorfs(struct t_audit_data *); 125 static void aus_ioctl(struct t_audit_data *); 126 static void aus_memcntl(struct t_audit_data *); 127 static void aus_mmap(struct t_audit_data *); 128 static void aus_munmap(struct t_audit_data *); 129 static void aus_priocntlsys(struct t_audit_data *); 130 static void aus_setegid(struct t_audit_data *); 131 static void aus_setgroups(struct t_audit_data *); 132 static void aus_seteuid(struct t_audit_data *); 133 static void aus_putmsg(struct t_audit_data *); 134 static void aus_putpmsg(struct t_audit_data *); 135 static void aus_getmsg(struct t_audit_data *); 136 static void aus_getpmsg(struct t_audit_data *); 137 static void aus_auditsys(struct t_audit_data *); 138 static void aus_sysinfo(struct t_audit_data *); 139 static void aus_modctl(struct t_audit_data *); 140 static void aus_kill(struct t_audit_data *); 141 static void aus_xmknod(struct t_audit_data *); 142 static void aus_setregid(struct t_audit_data *); 143 static void aus_setreuid(struct t_audit_data *); 144 145 static void auf_null(struct t_audit_data *, int, rval_t *); 146 static void auf_mknod(struct t_audit_data *, int, rval_t *); 147 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 148 static void auf_semsys(struct t_audit_data *, int, rval_t *); 149 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 150 #if 0 151 static void auf_open(struct t_audit_data *, int, rval_t *); 152 #endif 153 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 154 static void auf_read(struct t_audit_data *, int, rval_t *); 155 static void auf_write(struct t_audit_data *, int, rval_t *); 156 157 static void aus_sigqueue(struct t_audit_data *); 158 static void aus_p_online(struct t_audit_data *); 159 static void aus_processor_bind(struct t_audit_data *); 160 static void aus_inst_sync(struct t_audit_data *); 161 static void aus_brandsys(struct t_audit_data *); 162 163 static void auf_accept(struct t_audit_data *, int, rval_t *); 164 165 static void auf_bind(struct t_audit_data *, int, rval_t *); 166 static void auf_connect(struct t_audit_data *, int, rval_t *); 167 static void aus_shutdown(struct t_audit_data *); 168 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 169 static void aus_sockconfig(struct t_audit_data *); 170 static void auf_recv(struct t_audit_data *, int, rval_t *); 171 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 172 static void auf_send(struct t_audit_data *, int, rval_t *); 173 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 175 static void auf_sendto(struct t_audit_data *, int, rval_t *); 176 static void aus_socket(struct t_audit_data *); 177 /* 178 * This table contains mapping information for converting system call numbers 179 * to audit event IDs. In several cases it is necessary to map a single system 180 * call to several events. 181 */ 182 183 struct audit_s2e audit_s2e[] = 184 { 185 /* 186 * ---------- ---------- ---------- ---------- 187 * INITIAL AUDIT START SYSTEM 188 * PROCESSING EVENT PROCESSING CALL 189 * ---------- ---------- ---------- ----------- 190 * FINISH EVENT 191 * PROCESSING CONTROL 192 * ---------------------------------------------------------- 193 */ 194 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 195 auf_null, 0, 196 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 197 auf_null, S2E_NPT, 198 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 199 auf_null, 0, 200 aui_null, AUE_READ, aus_null, /* 3 read */ 201 auf_read, S2E_PUB, 202 aui_null, AUE_WRITE, aus_null, /* 4 write */ 203 auf_write, 0, 204 aui_open, AUE_OPEN, aus_open, /* 5 open */ 205 auf_null, S2E_SP, 206 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 207 auf_null, 0, 208 aui_null, AUE_NULL, aus_null, /* 7 wait */ 209 auf_null, 0, 210 aui_null, AUE_CREAT, aus_null, /* 8 create */ 211 auf_null, S2E_SP, 212 aui_null, AUE_LINK, aus_null, /* 9 link */ 213 auf_null, 0, 214 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 215 auf_null, 0, 216 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 217 auf_null, S2E_MLD, 218 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 219 auf_null, S2E_SP, 220 aui_null, AUE_NULL, aus_null, /* 13 time */ 221 auf_null, 0, 222 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 223 auf_mknod, 0, 224 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 225 auf_null, 0, 226 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 227 auf_null, 0, 228 aui_null, AUE_NULL, aus_null, /* 17 brk */ 229 auf_null, 0, 230 aui_null, AUE_STAT, aus_null, /* 18 stat */ 231 auf_null, S2E_PUB, 232 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 233 auf_null, 0, 234 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 235 auf_null, 0, 236 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 237 auf_null, S2E_MLD, 238 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 239 auf_null, 0, 240 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 241 auf_null, 0, 242 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 243 auf_null, 0, 244 aui_null, AUE_STIME, aus_null, /* 25 stime */ 245 auf_null, 0, 246 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 247 auf_null, 0, 248 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 249 auf_null, 0, 250 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 29 pause */ 253 auf_null, 0, 254 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 255 auf_null, 0, 256 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 259 auf_null, 0, 260 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 261 auf_null, S2E_PUB, 262 aui_null, AUE_NICE, aus_null, /* 34 nice */ 263 auf_null, 0, 264 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 265 auf_null, S2E_PUB, 266 aui_null, AUE_NULL, aus_null, /* 36 sync */ 267 auf_null, 0, 268 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 269 auf_null, 0, 270 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 271 auf_null, S2E_PUB, 272 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 273 auf_null, 0, 274 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 275 auf_null, 0, 276 aui_null, AUE_NULL, aus_null, /* 41 dup */ 277 auf_null, 0, 278 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 279 auf_null, 0, 280 aui_null, AUE_NULL, aus_null, /* 43 times */ 281 auf_null, 0, 282 aui_null, AUE_NULL, aus_null, /* 44 profil */ 283 auf_null, 0, 284 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 285 /* was proc lock */ 286 auf_null, 0, 287 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 288 auf_null, 0, 289 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 290 auf_null, 0, 291 aui_null, AUE_NULL, aus_null, /* 48 sig */ 292 auf_null, 0, 293 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 294 auf_msgsys, 0, 295 #if defined(__x86) 296 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 297 auf_null, 0, 298 #else 299 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 300 auf_null, 0, 301 #endif /* __x86 */ 302 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 303 auf_null, 0, 304 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 305 auf_shmsys, 0, 306 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 307 auf_semsys, 0, 308 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 309 auf_null, 0, 310 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 311 auf_null, 0, 312 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 313 auf_null, 0, 314 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 317 auf_null, 0, 318 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 319 auf_null, S2E_MLD, 320 aui_null, AUE_NULL, aus_null, /* 60 umask */ 321 auf_null, 0, 322 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 323 auf_null, S2E_SP, 324 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 325 auf_null, 0, 326 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 327 auf_null, 0, 328 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 335 /* file locking call */ 336 auf_null, 0, 337 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 338 /* local system calls */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 341 auf_null, 0, 342 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 343 auf_null, 0, 344 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 75 issetugid */ 353 /* was sigret (SunOS) */ 354 auf_null, 0, 355 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 356 auf_null, 0, 357 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 358 auf_null, 0, 359 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 360 auf_null, 0, 361 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 362 auf_null, 0, 363 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 364 auf_null, 0, 365 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 366 auf_null, 0, 367 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 368 /* was libattach */ 369 auf_null, 0, 370 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 371 /* was libdetach */ 372 auf_null, 0, 373 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 374 auf_null, 0, 375 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 376 auf_null, 0, 377 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 378 auf_null, 0, 379 aui_null, AUE_NULL, aus_null, /* 87 poll */ 380 auf_null, 0, 381 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 382 auf_null, S2E_PUB, 383 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 384 auf_null, 0, 385 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 386 auf_null, S2E_PUB, 387 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 388 auf_null, 0, 389 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 390 auf_null, 0, 391 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 392 auf_null, 0, 393 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 394 auf_null, 0, 395 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 396 auf_null, 0, 397 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 398 auf_null, 0, 399 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 410 /* was evtrapret */ 411 auf_null, 0, 412 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 413 auf_null, S2E_PUB, 414 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 415 auf_null, 0, 416 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 423 auf_null, 0, 424 #if defined(__x86) 425 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 426 auf_null, 0, 427 #else 428 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 429 auf_null, 0, 430 #endif /* __x86 */ 431 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 432 auf_null, 0, 433 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 434 auf_null, 0, 435 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 436 auf_null, 0, /* 112 priocntlsys */ 437 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 438 auf_null, S2E_PUB, 439 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 440 auf_null, 0, 441 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 442 auf_null, 0, 443 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 444 auf_null, 0, 445 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 446 auf_null, 0, 447 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 448 auf_null, 0, 449 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 450 auf_null, 0, 451 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 452 auf_null, 0, 453 aui_null, AUE_READ, aus_null, /* 121 readv */ 454 auf_read, S2E_PUB, 455 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 456 auf_write, 0, 457 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 458 auf_null, S2E_PUB, 459 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 460 auf_null, S2E_PUB, 461 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 462 auf_null, 0, 463 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 464 auf_xmknod, 0, 465 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 466 auf_null, 0, 467 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 468 auf_null, 0, 469 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 470 auf_null, 0, 471 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 472 auf_null, 0, 473 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 474 auf_null, 0, 475 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 476 auf_null, 0, 477 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 478 auf_null, 0, 479 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 480 auf_null, 0, 481 aui_null, AUE_NULL, aus_null, /* 135 uname */ 482 auf_null, 0, 483 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 484 auf_null, 0, 485 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 486 auf_null, 0, 487 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 488 auf_null, 0, 489 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 490 auf_null, 0, 491 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 492 auf_null, 0, 493 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 142 (loadable reserved) */ 496 auf_null, 0, 497 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 498 auf_null, 0, 499 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 146 yield */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 514 auf_null, 0, 515 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 516 auf_null, 0, 517 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 518 auf_null, 0, 519 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 520 auf_null, 0, 521 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 522 auf_null, 0, 523 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 524 auf_null, 0, 525 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 542 /* was lwp_setprivate */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 545 /* was lwp_getprivate */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 548 auf_null, 0, 549 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_unlock */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 558 auf_null, 0, 559 aui_null, AUE_READ, aus_null, /* 173 pread */ 560 auf_read, S2E_PUB, 561 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 562 auf_write, 0, 563 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 564 auf_null, 0, 565 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 566 /* aus_inst_sync */ 567 auf_null, 0, 568 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 569 auf_null, 0, 570 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 571 auf_null, 0, 572 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 573 auf_null, 0, 574 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 182 (loadable) */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 581 auf_null, 0, 582 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 583 auf_null, 0, 584 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 585 auf_null, 0, 586 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 587 auf_null, 0, 588 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 589 auf_null, 0, /* 187 processor_bind */ 590 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 591 auf_null, 0, 592 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 593 auf_null, 0, 594 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 595 auf_null, 0, 596 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 597 auf_null, 0, 598 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 601 auf_null, 0, 602 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 603 auf_null, 0, 604 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 613 auf_null, 0, 614 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 615 auf_null, 0, 616 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 617 auf_null, 0, 618 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 619 auf_null, 0, 620 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 621 auf_null, 0, 622 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 623 auf_null, 0, 624 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 625 auf_null, 0, 626 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 641 auf_null, 0, 642 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 643 auf_null, 0, 644 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 645 auf_null, S2E_PUB, 646 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 647 auf_null, S2E_PUB, 648 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 649 auf_null, 0, 650 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 651 auf_null, S2E_PUB, 652 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 653 auf_null, 0, 654 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 655 auf_null, 0, 656 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 657 auf_null, 0, 658 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 659 auf_read, S2E_PUB, 660 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 661 auf_write, 0, 662 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 663 auf_null, S2E_SP, 664 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 665 auf_null, S2E_SP, 666 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 667 auf_null, 0, 668 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 669 auf_null, 0, 670 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 671 auf_null, 0, 672 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 673 auf_null, 0, 674 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 675 auf_null, 0, 676 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 677 auf_null, 0, 678 aui_null, AUE_BIND, aus_null, /* 232 bind */ 679 auf_bind, 0, 680 aui_null, AUE_NULL, aus_null, /* 233 listen */ 681 auf_null, 0, 682 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 683 auf_accept, 0, 684 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 685 auf_connect, 0, 686 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 687 auf_null, 0, 688 aui_null, AUE_READ, aus_null, /* 237 recv */ 689 auf_recv, 0, 690 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 691 auf_recvfrom, 0, 692 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 693 auf_recvmsg, 0, 694 aui_null, AUE_WRITE, aus_null, /* 240 send */ 695 auf_send, 0, 696 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 697 auf_sendmsg, 0, 698 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 699 auf_sendto, 0, 700 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 701 auf_null, 0, 702 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 703 auf_null, 0, 704 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 705 auf_null, 0, 706 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 707 auf_setsockopt, 0, 708 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 709 auf_null, 0, 710 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 711 auf_null, 0, 712 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 713 auf_null, 0, 714 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 715 auf_null, 0, 716 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 717 auf_null, 0, 718 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_init */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 723 auf_null, 0, 724 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 725 auf_null, 0 726 }; 727 728 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 729 730 char *so_not_bound = "socket not bound"; 731 char *so_not_conn = "socket not connected"; 732 char *so_bad_addr = "bad socket address"; 733 char *so_bad_peer_addr = "bad peer address"; 734 735 /* null start function */ 736 /*ARGSUSED*/ 737 static void 738 aus_null(struct t_audit_data *tad) 739 { 740 } 741 742 /* acct start function */ 743 /*ARGSUSED*/ 744 static void 745 aus_acct(struct t_audit_data *tad) 746 { 747 klwp_t *clwp = ttolwp(curthread); 748 uintptr_t fname; 749 750 struct a { 751 long fname; /* char * */ 752 } *uap = (struct a *)clwp->lwp_ap; 753 754 fname = (uintptr_t)uap->fname; 755 756 if (fname == 0) 757 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 758 } 759 760 /* chown start function */ 761 /*ARGSUSED*/ 762 static void 763 aus_chown(struct t_audit_data *tad) 764 { 765 klwp_t *clwp = ttolwp(curthread); 766 uint32_t uid, gid; 767 768 struct a { 769 long fname; /* char * */ 770 long uid; 771 long gid; 772 } *uap = (struct a *)clwp->lwp_ap; 773 774 uid = (uint32_t)uap->uid; 775 gid = (uint32_t)uap->gid; 776 777 au_uwrite(au_to_arg32(2, "new file uid", uid)); 778 au_uwrite(au_to_arg32(3, "new file gid", gid)); 779 } 780 781 /* fchown start function */ 782 /*ARGSUSED*/ 783 static void 784 aus_fchown(struct t_audit_data *tad) 785 { 786 klwp_t *clwp = ttolwp(curthread); 787 uint32_t uid, gid, fd; 788 struct file *fp; 789 struct vnode *vp; 790 struct f_audit_data *fad; 791 792 struct a { 793 long fd; 794 long uid; 795 long gid; 796 } *uap = (struct a *)clwp->lwp_ap; 797 798 fd = (uint32_t)uap->fd; 799 uid = (uint32_t)uap->uid; 800 gid = (uint32_t)uap->gid; 801 802 au_uwrite(au_to_arg32(2, "new file uid", uid)); 803 au_uwrite(au_to_arg32(3, "new file gid", gid)); 804 805 /* 806 * convert file pointer to file descriptor 807 * Note: fd ref count incremented here. 808 */ 809 if ((fp = getf(fd)) == NULL) 810 return; 811 812 /* get path from file struct here */ 813 fad = F2A(fp); 814 if (fad->fad_aupath != NULL) { 815 au_uwrite(au_to_path(fad->fad_aupath)); 816 } else { 817 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 818 } 819 820 vp = fp->f_vnode; 821 audit_attributes(vp); 822 823 /* decrement file descriptor reference count */ 824 releasef(fd); 825 } 826 827 /*ARGSUSED*/ 828 static void 829 aus_lchown(struct t_audit_data *tad) 830 { 831 klwp_t *clwp = ttolwp(curthread); 832 uint32_t uid, gid; 833 834 835 struct a { 836 long fname; /* char * */ 837 long uid; 838 long gid; 839 } *uap = (struct a *)clwp->lwp_ap; 840 841 uid = (uint32_t)uap->uid; 842 gid = (uint32_t)uap->gid; 843 844 au_uwrite(au_to_arg32(2, "new file uid", uid)); 845 au_uwrite(au_to_arg32(3, "new file gid", gid)); 846 } 847 848 /* chmod start function */ 849 /*ARGSUSED*/ 850 static void 851 aus_chmod(struct t_audit_data *tad) 852 { 853 klwp_t *clwp = ttolwp(curthread); 854 uint32_t fmode; 855 856 struct a { 857 long fname; /* char * */ 858 long fmode; 859 } *uap = (struct a *)clwp->lwp_ap; 860 861 fmode = (uint32_t)uap->fmode; 862 863 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 864 } 865 866 /* chmod start function */ 867 /*ARGSUSED*/ 868 static void 869 aus_fchmod(struct t_audit_data *tad) 870 { 871 klwp_t *clwp = ttolwp(curthread); 872 uint32_t fmode, fd; 873 struct file *fp; 874 struct vnode *vp; 875 struct f_audit_data *fad; 876 877 struct a { 878 long fd; 879 long fmode; 880 } *uap = (struct a *)clwp->lwp_ap; 881 882 fd = (uint32_t)uap->fd; 883 fmode = (uint32_t)uap->fmode; 884 885 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 886 887 /* 888 * convert file pointer to file descriptor 889 * Note: fd ref count incremented here. 890 */ 891 if ((fp = getf(fd)) == NULL) 892 return; 893 894 /* get path from file struct here */ 895 fad = F2A(fp); 896 if (fad->fad_aupath != NULL) { 897 au_uwrite(au_to_path(fad->fad_aupath)); 898 } else { 899 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 900 } 901 902 vp = fp->f_vnode; 903 audit_attributes(vp); 904 905 /* decrement file descriptor reference count */ 906 releasef(fd); 907 } 908 909 /* null function */ 910 /*ARGSUSED*/ 911 static void 912 auf_null(struct t_audit_data *tad, int error, rval_t *rval) 913 { 914 } 915 916 /* null function */ 917 static au_event_t 918 aui_null(au_event_t e) 919 { 920 return (e); 921 } 922 923 /* convert open to appropriate event */ 924 static au_event_t 925 aui_open(au_event_t e) 926 { 927 klwp_t *clwp = ttolwp(curthread); 928 uint_t fm; 929 930 struct a { 931 long fnamep; /* char * */ 932 long fmode; 933 long cmode; 934 } *uap = (struct a *)clwp->lwp_ap; 935 936 fm = (uint_t)uap->fmode; 937 938 if (fm & O_WRONLY) 939 e = AUE_OPEN_W; 940 else if (fm & O_RDWR) 941 e = AUE_OPEN_RW; 942 else 943 e = AUE_OPEN_R; 944 945 if (fm & O_CREAT) 946 e += 1; 947 if (fm & O_TRUNC) 948 e += 2; 949 950 return (e); 951 } 952 953 /*ARGSUSED*/ 954 static void 955 aus_open(struct t_audit_data *tad) 956 { 957 klwp_t *clwp = ttolwp(curthread); 958 uint_t fm; 959 960 struct a { 961 long fnamep; /* char * */ 962 long fmode; 963 long cmode; 964 } *uap = (struct a *)clwp->lwp_ap; 965 966 fm = (uint_t)uap->fmode; 967 968 /* If no write, create, or trunc modes, mark as a public op */ 969 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 970 tad->tad_ctrl |= PAD_PUBLIC_EV; 971 } 972 973 /* convert openat(2) to appropriate event */ 974 static au_event_t 975 aui_fsat(au_event_t e) 976 { 977 t_audit_data_t *tad = U2A(u); 978 klwp_t *clwp = ttolwp(curthread); 979 uint_t fmcode, fm; 980 struct a { 981 long id; 982 long arg1; 983 long arg2; 984 long arg3; 985 long arg4; 986 long arg5; 987 } *uap = (struct a *)clwp->lwp_ap; 988 989 fmcode = (uint_t)uap->id; 990 991 switch (fmcode) { 992 993 case 0: /* openat */ 994 case 1: /* openat64 */ 995 fm = (uint_t)uap->arg3; 996 if (fm & O_WRONLY) 997 e = AUE_OPENAT_W; 998 else if (fm & O_RDWR) 999 e = AUE_OPENAT_RW; 1000 else 1001 e = AUE_OPENAT_R; 1002 1003 /* 1004 * openat modes are defined in the following order: 1005 * Read only 1006 * Read|Create 1007 * Read|Trunc 1008 * Read|Create|Trunc 1009 * Write Only 1010 * Write|Create 1011 * Write|Trunc 1012 * Write|Create|Trunc * RW Only 1013 * RW|Create 1014 * RW|Trunc 1015 * RW|Create|Trunc 1016 */ 1017 if (fm & O_CREAT) 1018 e += 1; /* increment to include CREAT in mode */ 1019 if (fm & O_TRUNC) 1020 e += 2; /* increment to include TRUNC in mode */ 1021 1022 /* convert to appropriate au_ctrl */ 1023 tad->tad_ctrl |= PAD_SAVPATH; 1024 if (fm & FXATTR) 1025 tad->tad_ctrl |= PAD_ATPATH; 1026 1027 1028 break; 1029 case 2: /* fstatat64 */ 1030 case 3: /* fstatat */ 1031 e = AUE_FSTATAT; 1032 break; 1033 case 4: /* fchownat */ 1034 e = AUE_FCHOWNAT; 1035 break; 1036 case 5: /* unlinkat */ 1037 e = AUE_UNLINKAT; 1038 break; 1039 case 6: /* futimesat */ 1040 e = AUE_FUTIMESAT; 1041 break; 1042 case 7: /* renameat */ 1043 e = AUE_RENAMEAT; 1044 break; 1045 default: 1046 e = AUE_NULL; 1047 break; 1048 } 1049 1050 return (e); 1051 } 1052 1053 /*ARGSUSED*/ 1054 static void 1055 aus_fsat(struct t_audit_data *tad) 1056 { 1057 klwp_t *clwp = ttolwp(curthread); 1058 uint_t fmcode, fm; 1059 struct a { 1060 long id; 1061 long arg1; 1062 long arg2; 1063 long arg3; 1064 long arg4; 1065 long arg5; 1066 } *uap = (struct a *)clwp->lwp_ap; 1067 1068 fmcode = (uint_t)uap->id; 1069 1070 switch (fmcode) { 1071 1072 case 0: /* openat */ 1073 case 1: /* openat64 */ 1074 fm = (uint_t)uap->arg3; 1075 /* If no write, create, or trunc modes, mark as a public op */ 1076 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1077 tad->tad_ctrl |= PAD_PUBLIC_EV; 1078 1079 break; 1080 case 2: /* fstatat64 */ 1081 case 3: /* fstatat */ 1082 tad->tad_ctrl |= PAD_PUBLIC_EV; 1083 break; 1084 default: 1085 break; 1086 } 1087 } 1088 1089 /* msgsys */ 1090 static au_event_t 1091 aui_msgsys(au_event_t e) 1092 { 1093 klwp_t *clwp = ttolwp(curthread); 1094 uint_t fm; 1095 1096 struct a { 1097 long id; /* function code id */ 1098 long ap; /* arg pointer for recvmsg */ 1099 } *uap = (struct a *)clwp->lwp_ap; 1100 1101 struct b { 1102 long msgid; 1103 long cmd; 1104 long buf; /* struct msqid_ds * */ 1105 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1106 1107 fm = (uint_t)uap->id; 1108 1109 switch (fm) { 1110 case 0: /* msgget */ 1111 e = AUE_MSGGET; 1112 break; 1113 case 1: /* msgctl */ 1114 switch ((uint_t)uap1->cmd) { 1115 case IPC_RMID: 1116 e = AUE_MSGCTL_RMID; 1117 break; 1118 case IPC_SET: 1119 e = AUE_MSGCTL_SET; 1120 break; 1121 case IPC_STAT: 1122 e = AUE_MSGCTL_STAT; 1123 break; 1124 default: 1125 e = AUE_MSGCTL; 1126 break; 1127 } 1128 break; 1129 case 2: /* msgrcv */ 1130 e = AUE_MSGRCV; 1131 break; 1132 case 3: /* msgsnd */ 1133 e = AUE_MSGSND; 1134 break; 1135 default: /* illegal system call */ 1136 e = AUE_NULL; 1137 break; 1138 } 1139 1140 return (e); 1141 } 1142 1143 1144 /* shmsys */ 1145 static au_event_t 1146 aui_shmsys(au_event_t e) 1147 { 1148 klwp_t *clwp = ttolwp(curthread); 1149 int fm; 1150 1151 struct a { /* shmsys */ 1152 long id; /* function code id */ 1153 } *uap = (struct a *)clwp->lwp_ap; 1154 1155 struct b { /* ctrl */ 1156 long shmid; 1157 long cmd; 1158 long arg; /* struct shmid_ds * */ 1159 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1160 fm = (uint_t)uap->id; 1161 1162 switch (fm) { 1163 case 0: /* shmat */ 1164 e = AUE_SHMAT; 1165 break; 1166 case 1: /* shmctl */ 1167 switch ((uint_t)uap1->cmd) { 1168 case IPC_RMID: 1169 e = AUE_SHMCTL_RMID; 1170 break; 1171 case IPC_SET: 1172 e = AUE_SHMCTL_SET; 1173 break; 1174 case IPC_STAT: 1175 e = AUE_SHMCTL_STAT; 1176 break; 1177 default: 1178 e = AUE_SHMCTL; 1179 break; 1180 } 1181 break; 1182 case 2: /* shmdt */ 1183 e = AUE_SHMDT; 1184 break; 1185 case 3: /* shmget */ 1186 e = AUE_SHMGET; 1187 break; 1188 default: /* illegal system call */ 1189 e = AUE_NULL; 1190 break; 1191 } 1192 1193 return (e); 1194 } 1195 1196 1197 /* semsys */ 1198 static au_event_t 1199 aui_semsys(au_event_t e) 1200 { 1201 klwp_t *clwp = ttolwp(curthread); 1202 uint_t fm; 1203 1204 struct a { /* semsys */ 1205 long id; 1206 } *uap = (struct a *)clwp->lwp_ap; 1207 1208 struct b { /* ctrl */ 1209 long semid; 1210 long semnum; 1211 long cmd; 1212 long arg; 1213 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1214 1215 fm = (uint_t)uap->id; 1216 1217 switch (fm) { 1218 case 0: /* semctl */ 1219 switch ((uint_t)uap1->cmd) { 1220 case IPC_RMID: 1221 e = AUE_SEMCTL_RMID; 1222 break; 1223 case IPC_SET: 1224 e = AUE_SEMCTL_SET; 1225 break; 1226 case IPC_STAT: 1227 e = AUE_SEMCTL_STAT; 1228 break; 1229 case GETNCNT: 1230 e = AUE_SEMCTL_GETNCNT; 1231 break; 1232 case GETPID: 1233 e = AUE_SEMCTL_GETPID; 1234 break; 1235 case GETVAL: 1236 e = AUE_SEMCTL_GETVAL; 1237 break; 1238 case GETALL: 1239 e = AUE_SEMCTL_GETALL; 1240 break; 1241 case GETZCNT: 1242 e = AUE_SEMCTL_GETZCNT; 1243 break; 1244 case SETVAL: 1245 e = AUE_SEMCTL_SETVAL; 1246 break; 1247 case SETALL: 1248 e = AUE_SEMCTL_SETALL; 1249 break; 1250 default: 1251 e = AUE_SEMCTL; 1252 break; 1253 } 1254 break; 1255 case 1: /* semget */ 1256 e = AUE_SEMGET; 1257 break; 1258 case 2: /* semop */ 1259 e = AUE_SEMOP; 1260 break; 1261 default: /* illegal system call */ 1262 e = AUE_NULL; 1263 break; 1264 } 1265 1266 return (e); 1267 } 1268 1269 /* utssys - uname(2), ustat(2), fusers(2) */ 1270 static au_event_t 1271 aui_utssys(au_event_t e) 1272 { 1273 klwp_t *clwp = ttolwp(curthread); 1274 uint_t type; 1275 1276 struct a { 1277 union { 1278 long cbuf; /* char * */ 1279 long ubuf; /* struct stat * */ 1280 } ub; 1281 union { 1282 long mv; /* for USTAT */ 1283 long flags; /* for FUSERS */ 1284 } un; 1285 long type; 1286 long outbp; /* char * for FUSERS */ 1287 } *uap = (struct a *)clwp->lwp_ap; 1288 1289 type = (uint_t)uap->type; 1290 1291 if (type == UTS_FUSERS) 1292 return (e); 1293 else 1294 return ((au_event_t)AUE_NULL); 1295 } 1296 1297 static au_event_t 1298 aui_fcntl(au_event_t e) 1299 { 1300 klwp_t *clwp = ttolwp(curthread); 1301 uint_t cmd; 1302 1303 struct a { 1304 long fdes; 1305 long cmd; 1306 long arg; 1307 } *uap = (struct a *)clwp->lwp_ap; 1308 1309 cmd = (uint_t)uap->cmd; 1310 1311 switch (cmd) { 1312 case F_GETLK: 1313 case F_SETLK: 1314 case F_SETLKW: 1315 break; 1316 case F_SETFL: 1317 case F_GETFL: 1318 case F_GETFD: 1319 break; 1320 default: 1321 e = (au_event_t)AUE_NULL; 1322 break; 1323 } 1324 return ((au_event_t)e); 1325 } 1326 1327 /* null function for now */ 1328 static au_event_t 1329 aui_execv(au_event_t e) 1330 { 1331 return (e); 1332 } 1333 1334 /* null function for now */ 1335 static au_event_t 1336 aui_execve(au_event_t e) 1337 { 1338 return (e); 1339 } 1340 1341 /*ARGSUSED*/ 1342 static void 1343 aus_fcntl(struct t_audit_data *tad) 1344 { 1345 klwp_t *clwp = ttolwp(curthread); 1346 uint32_t cmd, fd; 1347 struct file *fp; 1348 struct vnode *vp; 1349 struct f_audit_data *fad; 1350 1351 struct a { 1352 long fd; 1353 long cmd; 1354 long arg; 1355 } *uap = (struct a *)clwp->lwp_ap; 1356 1357 cmd = (uint32_t)uap->cmd; 1358 fd = (uint32_t)uap->fd; 1359 1360 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1361 1362 /* 1363 * convert file pointer to file descriptor 1364 * Note: fd ref count incremented here. 1365 */ 1366 if ((fp = getf(fd)) == NULL) 1367 return; 1368 1369 /* get path from file struct here */ 1370 fad = F2A(fp); 1371 if (fad->fad_aupath != NULL) { 1372 au_uwrite(au_to_path(fad->fad_aupath)); 1373 } else { 1374 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1375 } 1376 1377 vp = fp->f_vnode; 1378 audit_attributes(vp); 1379 1380 /* decrement file descriptor reference count */ 1381 releasef(fd); 1382 } 1383 1384 /*ARGSUSED*/ 1385 static void 1386 aus_kill(struct t_audit_data *tad) 1387 { 1388 klwp_t *clwp = ttolwp(curthread); 1389 struct proc *p; 1390 uint32_t signo; 1391 uid_t uid, ruid; 1392 gid_t gid, rgid; 1393 pid_t pid; 1394 const auditinfo_addr_t *ainfo; 1395 cred_t *cr; 1396 1397 struct a { 1398 long pid; 1399 long signo; 1400 } *uap = (struct a *)clwp->lwp_ap; 1401 1402 pid = (pid_t)uap->pid; 1403 signo = (uint32_t)uap->signo; 1404 1405 au_uwrite(au_to_arg32(2, "signal", signo)); 1406 if (pid > 0) { 1407 mutex_enter(&pidlock); 1408 if (((p = prfind(pid)) == (struct proc *)0) || 1409 (p->p_stat == SIDL)) { 1410 mutex_exit(&pidlock); 1411 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1412 return; 1413 } 1414 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1415 mutex_exit(&pidlock); 1416 1417 mutex_enter(&p->p_crlock); 1418 crhold(cr = p->p_cred); 1419 mutex_exit(&p->p_crlock); 1420 mutex_exit(&p->p_lock); 1421 1422 ainfo = crgetauinfo(cr); 1423 if (ainfo == NULL) { 1424 crfree(cr); 1425 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1426 return; 1427 } 1428 1429 uid = crgetuid(cr); 1430 gid = crgetgid(cr); 1431 ruid = crgetruid(cr); 1432 rgid = crgetrgid(cr); 1433 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1434 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1435 1436 if (is_system_labeled()) 1437 au_uwrite(au_to_label(CR_SL(cr))); 1438 1439 crfree(cr); 1440 } 1441 else 1442 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1443 } 1444 1445 /*ARGSUSED*/ 1446 static void 1447 aus_mkdir(struct t_audit_data *tad) 1448 { 1449 klwp_t *clwp = ttolwp(curthread); 1450 uint32_t dmode; 1451 1452 struct a { 1453 long dirnamep; /* char * */ 1454 long dmode; 1455 } *uap = (struct a *)clwp->lwp_ap; 1456 1457 dmode = (uint32_t)uap->dmode; 1458 1459 au_uwrite(au_to_arg32(2, "mode", dmode)); 1460 } 1461 1462 /*ARGSUSED*/ 1463 static void 1464 aus_mknod(struct t_audit_data *tad) 1465 { 1466 klwp_t *clwp = ttolwp(curthread); 1467 uint32_t fmode; 1468 dev_t dev; 1469 1470 struct a { 1471 long pnamep; /* char * */ 1472 long fmode; 1473 long dev; 1474 } *uap = (struct a *)clwp->lwp_ap; 1475 1476 fmode = (uint32_t)uap->fmode; 1477 dev = (dev_t)uap->dev; 1478 1479 au_uwrite(au_to_arg32(2, "mode", fmode)); 1480 #ifdef _LP64 1481 au_uwrite(au_to_arg64(3, "dev", dev)); 1482 #else 1483 au_uwrite(au_to_arg32(3, "dev", dev)); 1484 #endif 1485 } 1486 1487 /*ARGSUSED*/ 1488 static void 1489 aus_xmknod(struct t_audit_data *tad) 1490 { 1491 klwp_t *clwp = ttolwp(curthread); 1492 uint32_t fmode; 1493 dev_t dev; 1494 1495 struct a { 1496 long version; /* version */ 1497 long pnamep; /* char * */ 1498 long fmode; 1499 long dev; 1500 } *uap = (struct a *)clwp->lwp_ap; 1501 1502 fmode = (uint32_t)uap->fmode; 1503 dev = (dev_t)uap->dev; 1504 1505 au_uwrite(au_to_arg32(2, "mode", fmode)); 1506 #ifdef _LP64 1507 au_uwrite(au_to_arg64(3, "dev", dev)); 1508 #else 1509 au_uwrite(au_to_arg32(3, "dev", dev)); 1510 #endif 1511 } 1512 1513 /*ARGSUSED*/ 1514 static void 1515 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1516 { 1517 klwp_t *clwp = ttolwp(curthread); 1518 vnode_t *dvp; 1519 caddr_t pnamep; 1520 1521 struct a { 1522 long pnamep; /* char * */ 1523 long fmode; 1524 long dev; 1525 } *uap = (struct a *)clwp->lwp_ap; 1526 1527 /* no error, then already path token in audit record */ 1528 if (error != EPERM) 1529 return; 1530 1531 /* not auditing this event, nothing then to do */ 1532 if (tad->tad_flag == 0) 1533 return; 1534 1535 /* do the lookup to force generation of path token */ 1536 pnamep = (caddr_t)uap->pnamep; 1537 tad->tad_ctrl |= PAD_NOATTRB; 1538 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1539 if (error == 0) 1540 VN_RELE(dvp); 1541 } 1542 1543 /*ARGSUSED*/ 1544 static void 1545 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1546 { 1547 klwp_t *clwp = ttolwp(curthread); 1548 vnode_t *dvp; 1549 caddr_t pnamep; 1550 1551 struct a { 1552 long version; /* version */ 1553 long pnamep; /* char * */ 1554 long fmode; 1555 long dev; 1556 } *uap = (struct a *)clwp->lwp_arg; 1557 1558 1559 /* no error, then already path token in audit record */ 1560 if (error != EPERM) 1561 return; 1562 1563 /* not auditing this event, nothing then to do */ 1564 if (tad->tad_flag == 0) 1565 return; 1566 1567 /* do the lookup to force generation of path token */ 1568 pnamep = (caddr_t)uap->pnamep; 1569 tad->tad_ctrl |= PAD_NOATTRB; 1570 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1571 if (error == 0) 1572 VN_RELE(dvp); 1573 } 1574 1575 /*ARGSUSED*/ 1576 static void 1577 aus_mount(struct t_audit_data *tad) 1578 { /* AUS_START */ 1579 klwp_t *clwp = ttolwp(curthread); 1580 uint32_t flags; 1581 uintptr_t u_fstype, dataptr; 1582 STRUCT_DECL(nfs_args, nfsargs); 1583 size_t len; 1584 char *fstype, *hostname; 1585 1586 struct a { 1587 long spec; /* char * */ 1588 long dir; /* char * */ 1589 long flags; 1590 long fstype; /* char * */ 1591 long dataptr; /* char * */ 1592 long datalen; 1593 } *uap = (struct a *)clwp->lwp_ap; 1594 1595 u_fstype = (uintptr_t)uap->fstype; 1596 flags = (uint32_t)uap->flags; 1597 dataptr = (uintptr_t)uap->dataptr; 1598 1599 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1600 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1601 goto mount_free_fstype; 1602 1603 au_uwrite(au_to_arg32(3, "flags", flags)); 1604 au_uwrite(au_to_text(fstype)); 1605 1606 if (strncmp(fstype, "nfs", 3) == 0) { 1607 1608 STRUCT_INIT(nfsargs, get_udatamodel()); 1609 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1610 1611 if (copyin((caddr_t)dataptr, 1612 STRUCT_BUF(nfsargs), 1613 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1614 /* DEBUG debug_enter((char *)NULL); */ 1615 goto mount_free_fstype; 1616 } 1617 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1618 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1619 (caddr_t)hostname, 1620 MAXNAMELEN, &len)) { 1621 goto mount_free_hostname; 1622 } 1623 au_uwrite(au_to_text(hostname)); 1624 au_uwrite(au_to_arg32(3, "internal flags", 1625 (uint_t)STRUCT_FGET(nfsargs, flags))); 1626 1627 mount_free_hostname: 1628 kmem_free(hostname, MAXNAMELEN); 1629 } 1630 1631 mount_free_fstype: 1632 kmem_free(fstype, MAXNAMELEN); 1633 } /* AUS_MOUNT */ 1634 1635 static void 1636 aus_umount_path(caddr_t umount_dir) 1637 { 1638 char *dir_path; 1639 struct audit_path *path; 1640 size_t path_len, dir_len; 1641 1642 /* length alloc'd for two string pointers */ 1643 path_len = sizeof (struct audit_path) + sizeof (char *); 1644 path = kmem_alloc(path_len, KM_SLEEP); 1645 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1646 1647 if (copyinstr(umount_dir, (caddr_t)dir_path, 1648 MAXPATHLEN, &dir_len)) 1649 goto umount2_free_dir; 1650 1651 /* 1652 * the audit_path struct assumes that the buffer pointed to 1653 * by audp_sect[n] contains string 0 immediatedly followed 1654 * by string 1. 1655 */ 1656 path->audp_sect[0] = dir_path; 1657 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1658 path->audp_size = path_len; 1659 path->audp_ref = 1; /* not used */ 1660 path->audp_cnt = 1; /* one path string */ 1661 1662 au_uwrite(au_to_path(path)); 1663 1664 umount2_free_dir: 1665 kmem_free(dir_path, MAXPATHLEN); 1666 kmem_free(path, path_len); 1667 } 1668 1669 /* 1670 * the umount syscall is implemented as a call to umount2, but the args 1671 * are different... 1672 */ 1673 1674 /*ARGSUSED*/ 1675 static void 1676 aus_umount(struct t_audit_data *tad) 1677 { 1678 klwp_t *clwp = ttolwp(curthread); 1679 struct a { 1680 long dir; /* char * */ 1681 } *uap = (struct a *)clwp->lwp_ap; 1682 1683 aus_umount_path((caddr_t)uap->dir); 1684 } 1685 1686 /*ARGSUSED*/ 1687 static void 1688 aus_umount2(struct t_audit_data *tad) 1689 { 1690 klwp_t *clwp = ttolwp(curthread); 1691 struct a { 1692 long dir; /* char * */ 1693 long flags; 1694 } *uap = (struct a *)clwp->lwp_ap; 1695 1696 aus_umount_path((caddr_t)uap->dir); 1697 1698 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1699 } 1700 1701 static void 1702 aus_msgsys(struct t_audit_data *tad) 1703 { 1704 klwp_t *clwp = ttolwp(curthread); 1705 uint32_t msgid; 1706 1707 struct b { 1708 long msgid; 1709 long cmd; 1710 long buf; /* struct msqid_ds * */ 1711 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1712 1713 msgid = (uint32_t)uap1->msgid; 1714 1715 1716 switch (tad->tad_event) { 1717 case AUE_MSGGET: /* msgget */ 1718 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1719 break; 1720 case AUE_MSGCTL: /* msgctl */ 1721 case AUE_MSGCTL_RMID: /* msgctl */ 1722 case AUE_MSGCTL_STAT: /* msgctl */ 1723 case AUE_MSGRCV: /* msgrcv */ 1724 case AUE_MSGSND: /* msgsnd */ 1725 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1726 break; 1727 case AUE_MSGCTL_SET: /* msgctl */ 1728 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1729 break; 1730 } 1731 } 1732 1733 /*ARGSUSED*/ 1734 static void 1735 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1736 { 1737 int id; 1738 1739 if (error != 0) 1740 return; 1741 if (tad->tad_event == AUE_MSGGET) { 1742 uint32_t scid; 1743 uint32_t sy_flags; 1744 1745 /* need to determine type of executing binary */ 1746 scid = tad->tad_scid; 1747 #ifdef _SYSCALL32_IMPL 1748 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1749 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1750 else 1751 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1752 #else 1753 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1754 #endif 1755 if (sy_flags == SE_32RVAL1) 1756 id = rval->r_val1; 1757 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1758 id = rval->r_val1; 1759 if (sy_flags == SE_64RVAL) 1760 id = (int)rval->r_vals; 1761 1762 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1763 } 1764 } 1765 1766 static void 1767 aus_semsys(struct t_audit_data *tad) 1768 { 1769 klwp_t *clwp = ttolwp(curthread); 1770 uint32_t semid; 1771 1772 struct b { /* ctrl */ 1773 long semid; 1774 long semnum; 1775 long cmd; 1776 long arg; 1777 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1778 1779 semid = (uint32_t)uap1->semid; 1780 1781 switch (tad->tad_event) { 1782 case AUE_SEMCTL_RMID: 1783 case AUE_SEMCTL_STAT: 1784 case AUE_SEMCTL_GETNCNT: 1785 case AUE_SEMCTL_GETPID: 1786 case AUE_SEMCTL_GETVAL: 1787 case AUE_SEMCTL_GETALL: 1788 case AUE_SEMCTL_GETZCNT: 1789 case AUE_SEMCTL_SETVAL: 1790 case AUE_SEMCTL_SETALL: 1791 case AUE_SEMCTL: 1792 case AUE_SEMOP: 1793 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1794 break; 1795 case AUE_SEMCTL_SET: 1796 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1797 break; 1798 case AUE_SEMGET: 1799 au_uwrite(au_to_arg32(1, "sem key", semid)); 1800 break; 1801 } 1802 } 1803 1804 /*ARGSUSED*/ 1805 static void 1806 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1807 { 1808 int id; 1809 1810 if (error != 0) 1811 return; 1812 if (tad->tad_event == AUE_SEMGET) { 1813 uint32_t scid; 1814 uint32_t sy_flags; 1815 1816 /* need to determine type of executing binary */ 1817 scid = tad->tad_scid; 1818 #ifdef _SYSCALL32_IMPL 1819 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1820 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1821 else 1822 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1823 #else 1824 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1825 #endif 1826 if (sy_flags == SE_32RVAL1) 1827 id = rval->r_val1; 1828 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1829 id = rval->r_val1; 1830 if (sy_flags == SE_64RVAL) 1831 id = (int)rval->r_vals; 1832 1833 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1834 } 1835 } 1836 1837 /*ARGSUSED*/ 1838 static void 1839 aus_close(struct t_audit_data *tad) 1840 { 1841 klwp_t *clwp = ttolwp(curthread); 1842 uint32_t fd; 1843 struct file *fp; 1844 struct f_audit_data *fad; 1845 struct vnode *vp; 1846 struct vattr attr; 1847 au_kcontext_t *kctx = SET_KCTX_PZ; 1848 1849 struct a { 1850 long i; 1851 } *uap = (struct a *)clwp->lwp_ap; 1852 1853 fd = (uint32_t)uap->i; 1854 1855 attr.va_mask = 0; 1856 au_uwrite(au_to_arg32(1, "fd", fd)); 1857 1858 /* 1859 * convert file pointer to file descriptor 1860 * Note: fd ref count incremented here. 1861 */ 1862 if ((fp = getf(fd)) == NULL) 1863 return; 1864 1865 fad = F2A(fp); 1866 tad->tad_evmod = (short)fad->fad_flags; 1867 if (fad->fad_aupath != NULL) { 1868 au_uwrite(au_to_path(fad->fad_aupath)); 1869 if ((vp = fp->f_vnode) != NULL) { 1870 attr.va_mask = AT_ALL; 1871 if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) { 1872 /* 1873 * When write was not used and the file can be 1874 * considered public, skip the audit. 1875 */ 1876 if (((fp->f_flag & FWRITE) == 0) && 1877 file_is_public(&attr)) { 1878 tad->tad_flag = 0; 1879 tad->tad_evmod = 0; 1880 /* free any residual audit data */ 1881 au_close(kctx, &(u_ad), 0, 0, 0); 1882 releasef(fd); 1883 return; 1884 } 1885 au_uwrite(au_to_attr(&attr)); 1886 audit_sec_attributes(&(u_ad), vp); 1887 } 1888 } 1889 } 1890 1891 /* decrement file descriptor reference count */ 1892 releasef(fd); 1893 } 1894 1895 /*ARGSUSED*/ 1896 static void 1897 aus_fstatfs(struct t_audit_data *tad) 1898 { 1899 klwp_t *clwp = ttolwp(curthread); 1900 uint32_t fd; 1901 struct file *fp; 1902 struct vnode *vp; 1903 struct f_audit_data *fad; 1904 1905 struct a { 1906 long fd; 1907 long buf; /* struct statfs * */ 1908 } *uap = (struct a *)clwp->lwp_ap; 1909 1910 fd = (uint_t)uap->fd; 1911 1912 /* 1913 * convert file pointer to file descriptor 1914 * Note: fd ref count incremented here. 1915 */ 1916 if ((fp = getf(fd)) == NULL) 1917 return; 1918 1919 /* get path from file struct here */ 1920 fad = F2A(fp); 1921 if (fad->fad_aupath != NULL) { 1922 au_uwrite(au_to_path(fad->fad_aupath)); 1923 } else { 1924 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1925 } 1926 1927 vp = fp->f_vnode; 1928 audit_attributes(vp); 1929 1930 /* decrement file descriptor reference count */ 1931 releasef(fd); 1932 } 1933 1934 #ifdef NOTYET 1935 /*ARGSUSED*/ 1936 static void 1937 aus_setpgrp(struct t_audit_data *tad) 1938 { 1939 klwp_t *clwp = ttolwp(curthread); 1940 uint32_t pgrp; 1941 struct proc *p; 1942 uid_t uid, ruid; 1943 gid_t gid, rgid; 1944 pid_t pid; 1945 const auditinfo_addr_t *ainfo; 1946 cred_t *cr; 1947 1948 struct a { 1949 long pid; 1950 long pgrp; 1951 } *uap = (struct a *)clwp->lwp_ap; 1952 1953 pid = (pid_t)uap->pid; 1954 pgrp = (uint32_t)uap->pgrp; 1955 1956 /* current process? */ 1957 if (pid == 0) 1958 (return); 1959 1960 mutex_enter(&pidlock); 1961 p = prfind(pid); 1962 if (p == NULL || p->p_as == &kas) { 1963 mutex_exit(&pidlock); 1964 return; 1965 } 1966 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1967 mutex_exit(&pidlock); 1968 1969 mutex_enter(&p->p_crlock); 1970 crhold(cr = p->p_cred); 1971 mutex_exit(&p->p_crlock); 1972 mutex_exit(&p->p_lock); 1973 1974 ainfo = crgetauinfo(cr); 1975 if (ainfo == NULL) { 1976 crfree(cr); 1977 return; 1978 } 1979 1980 uid = crgetuid(cr); 1981 gid = crgetgid(cr); 1982 ruid = crgetruid(cr); 1983 rgid = crgetrgid(cr); 1984 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1985 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1986 crfree(cr); 1987 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1988 } 1989 #endif 1990 1991 /*ARGSUSED*/ 1992 static void 1993 aus_setregid(struct t_audit_data *tad) 1994 { 1995 klwp_t *clwp = ttolwp(curthread); 1996 uint32_t rgid, egid; 1997 1998 struct a { 1999 long rgid; 2000 long egid; 2001 } *uap = (struct a *)clwp->lwp_ap; 2002 2003 rgid = (uint32_t)uap->rgid; 2004 egid = (uint32_t)uap->egid; 2005 2006 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2007 au_uwrite(au_to_arg32(2, "egid", egid)); 2008 } 2009 2010 /*ARGSUSED*/ 2011 static void 2012 aus_setgid(struct t_audit_data *tad) 2013 { 2014 klwp_t *clwp = ttolwp(curthread); 2015 uint32_t gid; 2016 2017 struct a { 2018 long gid; 2019 } *uap = (struct a *)clwp->lwp_ap; 2020 2021 gid = (uint32_t)uap->gid; 2022 2023 au_uwrite(au_to_arg32(1, "gid", gid)); 2024 } 2025 2026 2027 /*ARGSUSED*/ 2028 static void 2029 aus_setreuid(struct t_audit_data *tad) 2030 { 2031 klwp_t *clwp = ttolwp(curthread); 2032 uint32_t ruid, euid; 2033 2034 struct a { 2035 long ruid; 2036 long euid; 2037 } *uap = (struct a *)clwp->lwp_ap; 2038 2039 ruid = (uint32_t)uap->ruid; 2040 euid = (uint32_t)uap->euid; 2041 2042 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2043 au_uwrite(au_to_arg32(2, "euid", euid)); 2044 } 2045 2046 2047 /*ARGSUSED*/ 2048 static void 2049 aus_setuid(struct t_audit_data *tad) 2050 { 2051 klwp_t *clwp = ttolwp(curthread); 2052 uint32_t uid; 2053 2054 struct a { 2055 long uid; 2056 } *uap = (struct a *)clwp->lwp_ap; 2057 2058 uid = (uint32_t)uap->uid; 2059 2060 au_uwrite(au_to_arg32(1, "uid", uid)); 2061 } 2062 2063 /*ARGSUSED*/ 2064 static void 2065 aus_shmsys(struct t_audit_data *tad) 2066 { 2067 klwp_t *clwp = ttolwp(curthread); 2068 uint32_t id, cmd; 2069 2070 struct b { 2071 long id; 2072 long cmd; 2073 long buf; /* struct shmid_ds * */ 2074 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2075 2076 id = (uint32_t)uap1->id; 2077 cmd = (uint32_t)uap1->cmd; 2078 2079 switch (tad->tad_event) { 2080 case AUE_SHMGET: /* shmget */ 2081 au_uwrite(au_to_arg32(1, "shm key", id)); 2082 break; 2083 case AUE_SHMCTL: /* shmctl */ 2084 case AUE_SHMCTL_RMID: /* shmctl */ 2085 case AUE_SHMCTL_STAT: /* shmctl */ 2086 case AUE_SHMCTL_SET: /* shmctl */ 2087 au_uwrite(au_to_arg32(1, "shm ID", id)); 2088 break; 2089 case AUE_SHMDT: /* shmdt */ 2090 au_uwrite(au_to_arg32(1, "shm adr", id)); 2091 break; 2092 case AUE_SHMAT: /* shmat */ 2093 au_uwrite(au_to_arg32(1, "shm ID", id)); 2094 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2095 break; 2096 } 2097 } 2098 2099 /*ARGSUSED*/ 2100 static void 2101 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2102 { 2103 int id; 2104 2105 if (error != 0) 2106 return; 2107 if (tad->tad_event == AUE_SHMGET) { 2108 uint32_t scid; 2109 uint32_t sy_flags; 2110 2111 /* need to determine type of executing binary */ 2112 scid = tad->tad_scid; 2113 #ifdef _SYSCALL32_IMPL 2114 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2115 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2116 else 2117 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2118 #else 2119 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2120 #endif 2121 if (sy_flags == SE_32RVAL1) 2122 id = rval->r_val1; 2123 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2124 id = rval->r_val1; 2125 if (sy_flags == SE_64RVAL) 2126 id = (int)rval->r_vals; 2127 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2128 } 2129 } 2130 2131 2132 /*ARGSUSED*/ 2133 static void 2134 aus_ioctl(struct t_audit_data *tad) 2135 { 2136 klwp_t *clwp = ttolwp(curthread); 2137 struct file *fp; 2138 struct vnode *vp; 2139 struct f_audit_data *fad; 2140 uint32_t fd, cmd; 2141 uintptr_t cmarg; 2142 2143 /* XX64 */ 2144 struct a { 2145 long fd; 2146 long cmd; 2147 long cmarg; /* caddr_t */ 2148 } *uap = (struct a *)clwp->lwp_ap; 2149 2150 fd = (uint32_t)uap->fd; 2151 cmd = (uint32_t)uap->cmd; 2152 cmarg = (uintptr_t)uap->cmarg; 2153 2154 /* 2155 * convert file pointer to file descriptor 2156 * Note: fd ref count incremented here. 2157 */ 2158 if ((fp = getf(fd)) == NULL) { 2159 au_uwrite(au_to_arg32(1, "fd", fd)); 2160 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2161 #ifndef _LP64 2162 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2163 #else 2164 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2165 #endif 2166 return; 2167 } 2168 2169 /* get path from file struct here */ 2170 fad = F2A(fp); 2171 if (fad->fad_aupath != NULL) { 2172 au_uwrite(au_to_path(fad->fad_aupath)); 2173 } else { 2174 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2175 } 2176 2177 vp = fp->f_vnode; 2178 audit_attributes(vp); 2179 2180 /* decrement file descriptor reference count */ 2181 releasef(fd); 2182 2183 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2184 #ifndef _LP64 2185 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2186 #else 2187 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2188 #endif 2189 } 2190 2191 /* 2192 * null function for memcntl for now. We might want to limit memcntl() 2193 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2194 * require privileges. 2195 */ 2196 static au_event_t 2197 aui_memcntl(au_event_t e) 2198 { 2199 return (e); 2200 } 2201 2202 /*ARGSUSED*/ 2203 static au_event_t 2204 aui_privsys(au_event_t e) 2205 { 2206 klwp_t *clwp = ttolwp(curthread); 2207 2208 struct a { 2209 long opcode; 2210 } *uap = (struct a *)clwp->lwp_ap; 2211 2212 switch (uap->opcode) { 2213 case PRIVSYS_SETPPRIV: 2214 return (AUE_SETPPRIV); 2215 default: 2216 return (AUE_NULL); 2217 } 2218 } 2219 2220 /*ARGSUSED*/ 2221 static void 2222 aus_memcntl(struct t_audit_data *tad) 2223 { 2224 klwp_t *clwp = ttolwp(curthread); 2225 2226 struct a { 2227 long addr; 2228 long len; 2229 long cmd; 2230 long arg; 2231 long attr; 2232 long mask; 2233 } *uap = (struct a *)clwp->lwp_ap; 2234 2235 #ifdef _LP64 2236 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2237 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2238 #else 2239 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2240 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2241 #endif 2242 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2243 #ifdef _LP64 2244 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2245 #else 2246 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2247 #endif 2248 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2249 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2250 } 2251 2252 /*ARGSUSED*/ 2253 static void 2254 aus_mmap(struct t_audit_data *tad) 2255 { 2256 klwp_t *clwp = ttolwp(curthread); 2257 struct file *fp; 2258 struct f_audit_data *fad; 2259 struct vnode *vp; 2260 uint32_t fd; 2261 2262 struct a { 2263 long addr; 2264 long len; 2265 long prot; 2266 long flags; 2267 long fd; 2268 long pos; 2269 } *uap = (struct a *)clwp->lwp_ap; 2270 2271 fd = (uint32_t)uap->fd; 2272 2273 #ifdef _LP64 2274 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2275 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2276 #else 2277 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2278 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2279 #endif 2280 2281 if ((fp = getf(fd)) == NULL) { 2282 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2283 return; 2284 } 2285 2286 /* 2287 * Mark in the tad if write access is NOT requested... if 2288 * this is later detected (in audit_attributes) to be a 2289 * public object, the mmap event may be discarded. 2290 */ 2291 if (((uap->prot) & PROT_WRITE) == 0) { 2292 tad->tad_ctrl |= PAD_PUBLIC_EV; 2293 } 2294 2295 fad = F2A(fp); 2296 if (fad->fad_aupath != NULL) { 2297 au_uwrite(au_to_path(fad->fad_aupath)); 2298 } else { 2299 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2300 } 2301 2302 vp = (struct vnode *)fp->f_vnode; 2303 audit_attributes(vp); 2304 2305 /* mark READ/WRITE since we can't predict access */ 2306 if (uap->prot & PROT_READ) 2307 fad->fad_flags |= FAD_READ; 2308 if (uap->prot & PROT_WRITE) 2309 fad->fad_flags |= FAD_WRITE; 2310 2311 /* decrement file descriptor reference count */ 2312 releasef(fd); 2313 2314 } /* AUS_MMAP */ 2315 2316 2317 2318 2319 /*ARGSUSED*/ 2320 static void 2321 aus_munmap(struct t_audit_data *tad) 2322 { 2323 klwp_t *clwp = ttolwp(curthread); 2324 2325 struct a { 2326 long addr; 2327 long len; 2328 } *uap = (struct a *)clwp->lwp_ap; 2329 2330 #ifdef _LP64 2331 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2332 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2333 #else 2334 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2335 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2336 #endif 2337 2338 } /* AUS_MUNMAP */ 2339 2340 2341 2342 2343 2344 2345 2346 /*ARGSUSED*/ 2347 static void 2348 aus_priocntlsys(struct t_audit_data *tad) 2349 { 2350 klwp_t *clwp = ttolwp(curthread); 2351 2352 struct a { 2353 long pc_version; 2354 long psp; /* procset_t */ 2355 long cmd; 2356 long arg; 2357 } *uap = (struct a *)clwp->lwp_ap; 2358 2359 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2360 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2361 2362 } /* AUS_PRIOCNTLSYS */ 2363 2364 2365 /*ARGSUSED*/ 2366 static void 2367 aus_setegid(struct t_audit_data *tad) 2368 { 2369 klwp_t *clwp = ttolwp(curthread); 2370 uint32_t gid; 2371 2372 struct a { 2373 long gid; 2374 } *uap = (struct a *)clwp->lwp_ap; 2375 2376 gid = (uint32_t)uap->gid; 2377 2378 au_uwrite(au_to_arg32(1, "gid", gid)); 2379 } /* AUS_SETEGID */ 2380 2381 2382 2383 2384 /*ARGSUSED*/ 2385 static void 2386 aus_setgroups(struct t_audit_data *tad) 2387 { 2388 klwp_t *clwp = ttolwp(curthread); 2389 int i; 2390 int gidsetsize; 2391 uintptr_t gidset; 2392 gid_t *gidlist; 2393 2394 struct a { 2395 long gidsetsize; 2396 long gidset; 2397 } *uap = (struct a *)clwp->lwp_ap; 2398 2399 gidsetsize = (uint_t)uap->gidsetsize; 2400 gidset = (uintptr_t)uap->gidset; 2401 2402 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2403 return; 2404 if (gidsetsize != 0) { 2405 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2406 KM_SLEEP); 2407 if (copyin((caddr_t)gidset, gidlist, 2408 gidsetsize * sizeof (gid_t)) == 0) 2409 for (i = 0; i < gidsetsize; i++) 2410 au_uwrite(au_to_arg32(1, "setgroups", 2411 (uint32_t)gidlist[i])); 2412 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2413 } else 2414 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2415 2416 } /* AUS_SETGROUPS */ 2417 2418 2419 2420 2421 2422 /*ARGSUSED*/ 2423 static void 2424 aus_seteuid(struct t_audit_data *tad) 2425 { 2426 klwp_t *clwp = ttolwp(curthread); 2427 uint32_t uid; 2428 2429 struct a { 2430 long uid; 2431 } *uap = (struct a *)clwp->lwp_ap; 2432 2433 uid = (uint32_t)uap->uid; 2434 2435 au_uwrite(au_to_arg32(1, "euid", uid)); 2436 2437 } /* AUS_SETEUID */ 2438 2439 /*ARGSUSED*/ 2440 static void 2441 aus_putmsg(struct t_audit_data *tad) 2442 { 2443 klwp_t *clwp = ttolwp(curthread); 2444 uint32_t fd, pri; 2445 struct file *fp; 2446 struct f_audit_data *fad; 2447 2448 struct a { 2449 long fdes; 2450 long ctl; /* struct strbuf * */ 2451 long data; /* struct strbuf * */ 2452 long pri; 2453 } *uap = (struct a *)clwp->lwp_ap; 2454 2455 fd = (uint32_t)uap->fdes; 2456 pri = (uint32_t)uap->pri; 2457 2458 au_uwrite(au_to_arg32(1, "fd", fd)); 2459 2460 if ((fp = getf(fd)) != NULL) { 2461 fad = F2A(fp); 2462 2463 fad->fad_flags |= FAD_WRITE; 2464 2465 /* add path name to audit record */ 2466 if (fad->fad_aupath != NULL) { 2467 au_uwrite(au_to_path(fad->fad_aupath)); 2468 } 2469 audit_attributes(fp->f_vnode); 2470 2471 releasef(fd); 2472 } 2473 2474 au_uwrite(au_to_arg32(4, "pri", pri)); 2475 } 2476 2477 /*ARGSUSED*/ 2478 static void 2479 aus_putpmsg(struct t_audit_data *tad) 2480 { 2481 klwp_t *clwp = ttolwp(curthread); 2482 uint32_t fd, pri, flags; 2483 struct file *fp; 2484 struct f_audit_data *fad; 2485 2486 struct a { 2487 long fdes; 2488 long ctl; /* struct strbuf * */ 2489 long data; /* struct strbuf * */ 2490 long pri; 2491 long flags; 2492 } *uap = (struct a *)clwp->lwp_ap; 2493 2494 fd = (uint32_t)uap->fdes; 2495 pri = (uint32_t)uap->pri; 2496 flags = (uint32_t)uap->flags; 2497 2498 au_uwrite(au_to_arg32(1, "fd", fd)); 2499 2500 if ((fp = getf(fd)) != NULL) { 2501 fad = F2A(fp); 2502 2503 fad->fad_flags |= FAD_WRITE; 2504 2505 /* add path name to audit record */ 2506 if (fad->fad_aupath != NULL) { 2507 au_uwrite(au_to_path(fad->fad_aupath)); 2508 } 2509 audit_attributes(fp->f_vnode); 2510 2511 releasef(fd); 2512 } 2513 2514 2515 au_uwrite(au_to_arg32(4, "pri", pri)); 2516 au_uwrite(au_to_arg32(5, "flags", flags)); 2517 } 2518 2519 /*ARGSUSED*/ 2520 static void 2521 aus_getmsg(struct t_audit_data *tad) 2522 { 2523 klwp_t *clwp = ttolwp(curthread); 2524 uint32_t fd, pri; 2525 struct file *fp; 2526 struct f_audit_data *fad; 2527 2528 struct a { 2529 long fdes; 2530 long ctl; /* struct strbuf * */ 2531 long data; /* struct strbuf * */ 2532 long pri; 2533 } *uap = (struct a *)clwp->lwp_ap; 2534 2535 fd = (uint32_t)uap->fdes; 2536 pri = (uint32_t)uap->pri; 2537 2538 au_uwrite(au_to_arg32(1, "fd", fd)); 2539 2540 if ((fp = getf(fd)) != NULL) { 2541 fad = F2A(fp); 2542 2543 /* 2544 * read operation on this object 2545 */ 2546 fad->fad_flags |= FAD_READ; 2547 2548 /* add path name to audit record */ 2549 if (fad->fad_aupath != NULL) { 2550 au_uwrite(au_to_path(fad->fad_aupath)); 2551 } 2552 audit_attributes(fp->f_vnode); 2553 2554 releasef(fd); 2555 } 2556 2557 au_uwrite(au_to_arg32(4, "pri", pri)); 2558 } 2559 2560 /*ARGSUSED*/ 2561 static void 2562 aus_getpmsg(struct t_audit_data *tad) 2563 { 2564 klwp_t *clwp = ttolwp(curthread); 2565 uint32_t fd; 2566 struct file *fp; 2567 struct f_audit_data *fad; 2568 2569 struct a { 2570 long fdes; 2571 long ctl; /* struct strbuf * */ 2572 long data; /* struct strbuf * */ 2573 long pri; 2574 long flags; 2575 } *uap = (struct a *)clwp->lwp_ap; 2576 2577 fd = (uint32_t)uap->fdes; 2578 2579 au_uwrite(au_to_arg32(1, "fd", fd)); 2580 2581 if ((fp = getf(fd)) != NULL) { 2582 fad = F2A(fp); 2583 2584 /* 2585 * read operation on this object 2586 */ 2587 fad->fad_flags |= FAD_READ; 2588 2589 /* add path name to audit record */ 2590 if (fad->fad_aupath != NULL) { 2591 au_uwrite(au_to_path(fad->fad_aupath)); 2592 } 2593 audit_attributes(fp->f_vnode); 2594 2595 releasef(fd); 2596 } 2597 } 2598 2599 static au_event_t 2600 aui_auditsys(au_event_t e) 2601 { 2602 klwp_t *clwp = ttolwp(curthread); 2603 uint32_t code; 2604 2605 struct a { 2606 long code; 2607 long a1; 2608 long a2; 2609 long a3; 2610 long a4; 2611 long a5; 2612 long a6; 2613 long a7; 2614 } *uap = (struct a *)clwp->lwp_ap; 2615 2616 code = (uint32_t)uap->code; 2617 2618 switch (code) { 2619 2620 case BSM_GETAUID: 2621 e = AUE_GETAUID; 2622 break; 2623 case BSM_SETAUID: 2624 e = AUE_SETAUID; 2625 break; 2626 case BSM_GETAUDIT: 2627 e = AUE_GETAUDIT; 2628 break; 2629 case BSM_GETAUDIT_ADDR: 2630 e = AUE_GETAUDIT_ADDR; 2631 break; 2632 case BSM_SETAUDIT: 2633 e = AUE_SETAUDIT; 2634 break; 2635 case BSM_SETAUDIT_ADDR: 2636 e = AUE_SETAUDIT_ADDR; 2637 break; 2638 case BSM_AUDIT: 2639 e = AUE_AUDIT; 2640 break; 2641 case BSM_AUDITSVC: 2642 e = AUE_AUDITSVC; 2643 break; 2644 case BSM_GETPORTAUDIT: 2645 e = AUE_GETPORTAUDIT; 2646 break; 2647 case BSM_AUDITON: 2648 case BSM_AUDITCTL: 2649 2650 switch ((uint_t)uap->a1) { 2651 2652 case A_GETPOLICY: 2653 e = AUE_AUDITON_GPOLICY; 2654 break; 2655 case A_SETPOLICY: 2656 e = AUE_AUDITON_SPOLICY; 2657 break; 2658 case A_GETKMASK: 2659 e = AUE_AUDITON_GETKMASK; 2660 break; 2661 case A_SETKMASK: 2662 e = AUE_AUDITON_SETKMASK; 2663 break; 2664 case A_GETQCTRL: 2665 e = AUE_AUDITON_GQCTRL; 2666 break; 2667 case A_SETQCTRL: 2668 e = AUE_AUDITON_SQCTRL; 2669 break; 2670 case A_GETCWD: 2671 e = AUE_AUDITON_GETCWD; 2672 break; 2673 case A_GETCAR: 2674 e = AUE_AUDITON_GETCAR; 2675 break; 2676 case A_GETSTAT: 2677 e = AUE_AUDITON_GETSTAT; 2678 break; 2679 case A_SETSTAT: 2680 e = AUE_AUDITON_SETSTAT; 2681 break; 2682 case A_SETUMASK: 2683 e = AUE_AUDITON_SETUMASK; 2684 break; 2685 case A_SETSMASK: 2686 e = AUE_AUDITON_SETSMASK; 2687 break; 2688 case A_GETCOND: 2689 e = AUE_AUDITON_GETCOND; 2690 break; 2691 case A_SETCOND: 2692 e = AUE_AUDITON_SETCOND; 2693 break; 2694 case A_GETCLASS: 2695 e = AUE_AUDITON_GETCLASS; 2696 break; 2697 case A_SETCLASS: 2698 e = AUE_AUDITON_SETCLASS; 2699 break; 2700 default: 2701 e = AUE_NULL; 2702 break; 2703 } 2704 break; 2705 default: 2706 e = AUE_NULL; 2707 break; 2708 } 2709 2710 return (e); 2711 2712 2713 2714 2715 } /* AUI_AUDITSYS */ 2716 2717 2718 2719 2720 2721 2722 2723 static void 2724 aus_auditsys(struct t_audit_data *tad) 2725 { 2726 klwp_t *clwp = ttolwp(curthread); 2727 uintptr_t a1, a2; 2728 struct file *fp; 2729 struct f_audit_data *fad; 2730 struct vnode *vp; 2731 STRUCT_DECL(auditinfo, ainfo); 2732 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2733 au_evclass_map_t event; 2734 au_mask_t mask; 2735 int auditstate, policy; 2736 2737 2738 struct a { 2739 long code; 2740 long a1; 2741 long a2; 2742 long a3; 2743 long a4; 2744 long a5; 2745 long a6; 2746 long a7; 2747 } *uap = (struct a *)clwp->lwp_ap; 2748 2749 a1 = (uintptr_t)uap->a1; 2750 a2 = (uintptr_t)uap->a2; 2751 2752 switch (tad->tad_event) { 2753 case AUE_SETAUID: 2754 au_uwrite(au_to_arg32(2, "setauid", (uint32_t)a1)); 2755 break; 2756 case AUE_SETAUDIT: 2757 STRUCT_INIT(ainfo, get_udatamodel()); 2758 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2759 STRUCT_SIZE(ainfo))) { 2760 return; 2761 } 2762 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2763 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2764 #ifdef _LP64 2765 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2766 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2767 #else 2768 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2769 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2770 #endif 2771 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2772 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2773 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2774 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2775 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2776 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2777 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2778 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2779 break; 2780 case AUE_SETAUDIT_ADDR: 2781 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2782 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2783 STRUCT_SIZE(ainfo_addr))) { 2784 return; 2785 } 2786 au_uwrite(au_to_arg32((char)1, "auid", 2787 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2788 #ifdef _LP64 2789 au_uwrite(au_to_arg64((char)1, "port", 2790 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2791 #else 2792 au_uwrite(au_to_arg32((char)1, "port", 2793 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2794 #endif 2795 au_uwrite(au_to_arg32((char)1, "type", 2796 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2797 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2798 AU_IPv4) { 2799 au_uwrite(au_to_in_addr( 2800 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2801 ai_termid.at_addr))); 2802 } else { 2803 au_uwrite(au_to_in_addr_ex( 2804 (int32_t *)STRUCT_FGETP(ainfo_addr, 2805 ai_termid.at_addr))); 2806 } 2807 au_uwrite(au_to_arg32((char)1, "as_success", 2808 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2809 au_uwrite(au_to_arg32((char)1, "as_failure", 2810 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2811 au_uwrite(au_to_arg32((char)1, "asid", 2812 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2813 break; 2814 case AUE_AUDITSVC: 2815 /* 2816 * convert file pointer to file descriptor 2817 * Note: fd ref count incremented here 2818 */ 2819 if ((fp = getf((uint_t)a1)) == NULL) 2820 return; 2821 fad = F2A(fp); 2822 if (fad->fad_aupath != NULL) { 2823 au_uwrite(au_to_path(fad->fad_aupath)); 2824 } else { 2825 au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1)); 2826 } 2827 2828 vp = fp->f_vnode; /* include vnode attributes */ 2829 audit_attributes(vp); 2830 2831 /* decrement file descriptor ref count */ 2832 releasef((uint_t)a1); 2833 2834 au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2)); 2835 break; 2836 case AUE_AUDITON_SETKMASK: 2837 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2838 return; 2839 au_uwrite(au_to_arg32( 2840 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2841 au_uwrite(au_to_arg32( 2842 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2843 break; 2844 case AUE_AUDITON_SPOLICY: 2845 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2846 return; 2847 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2848 break; 2849 case AUE_AUDITON_SQCTRL: { 2850 STRUCT_DECL(au_qctrl, qctrl); 2851 model_t model; 2852 2853 model = get_udatamodel(); 2854 STRUCT_INIT(qctrl, model); 2855 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2856 return; 2857 if (model == DATAMODEL_ILP32) { 2858 au_uwrite(au_to_arg32( 2859 3, "setqctrl:aq_hiwater", 2860 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2861 au_uwrite(au_to_arg32( 2862 3, "setqctrl:aq_lowater", 2863 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2864 au_uwrite(au_to_arg32( 2865 3, "setqctrl:aq_bufsz", 2866 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2867 au_uwrite(au_to_arg32( 2868 3, "setqctrl:aq_delay", 2869 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2870 } else { 2871 au_uwrite(au_to_arg64( 2872 3, "setqctrl:aq_hiwater", 2873 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2874 au_uwrite(au_to_arg64( 2875 3, "setqctrl:aq_lowater", 2876 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2877 au_uwrite(au_to_arg64( 2878 3, "setqctrl:aq_bufsz", 2879 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2880 au_uwrite(au_to_arg64( 2881 3, "setqctrl:aq_delay", 2882 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2883 } 2884 break; 2885 } 2886 case AUE_AUDITON_SETUMASK: 2887 STRUCT_INIT(ainfo, get_udatamodel()); 2888 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2889 STRUCT_SIZE(ainfo))) { 2890 return; 2891 } 2892 au_uwrite(au_to_arg32(3, "setumask:as_success", 2893 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2894 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2895 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2896 break; 2897 case AUE_AUDITON_SETSMASK: 2898 STRUCT_INIT(ainfo, get_udatamodel()); 2899 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2900 STRUCT_SIZE(ainfo))) { 2901 return; 2902 } 2903 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2904 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2905 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2906 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2907 break; 2908 case AUE_AUDITON_SETCOND: 2909 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2910 return; 2911 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2912 break; 2913 case AUE_AUDITON_SETCLASS: 2914 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2915 return; 2916 au_uwrite(au_to_arg32( 2917 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2918 au_uwrite(au_to_arg32( 2919 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2920 break; 2921 case AUE_GETAUID: 2922 case AUE_GETAUDIT: 2923 case AUE_GETAUDIT_ADDR: 2924 case AUE_AUDIT: 2925 case AUE_GETPORTAUDIT: 2926 case AUE_AUDITON_GPOLICY: 2927 case AUE_AUDITON_GQCTRL: 2928 case AUE_AUDITON_GETKMASK: 2929 case AUE_AUDITON_GETCWD: 2930 case AUE_AUDITON_GETCAR: 2931 case AUE_AUDITON_GETSTAT: 2932 case AUE_AUDITON_SETSTAT: 2933 case AUE_AUDITON_GETCOND: 2934 case AUE_AUDITON_GETCLASS: 2935 break; 2936 default: 2937 break; 2938 } 2939 2940 } /* AUS_AUDITSYS */ 2941 2942 2943 /* only audit privileged operations for systeminfo(2) system call */ 2944 static au_event_t 2945 aui_sysinfo(au_event_t e) 2946 { 2947 klwp_t *clwp = ttolwp(curthread); 2948 uint32_t command; 2949 2950 struct a { 2951 long command; 2952 long buf; /* char * */ 2953 long count; 2954 } *uap = (struct a *)clwp->lwp_ap; 2955 2956 command = (uint32_t)uap->command; 2957 2958 switch (command) { 2959 case SI_SET_HOSTNAME: 2960 case SI_SET_SRPC_DOMAIN: 2961 e = (au_event_t)AUE_SYSINFO; 2962 break; 2963 default: 2964 e = (au_event_t)AUE_NULL; 2965 break; 2966 } 2967 return (e); 2968 } 2969 2970 /*ARGSUSED*/ 2971 static void 2972 aus_sysinfo(struct t_audit_data *tad) 2973 { 2974 klwp_t *clwp = ttolwp(curthread); 2975 uint32_t command; 2976 size_t len, maxlen; 2977 char *name; 2978 uintptr_t buf; 2979 2980 struct a { 2981 long command; 2982 long buf; /* char * */ 2983 long count; 2984 } *uap = (struct a *)clwp->lwp_ap; 2985 2986 command = (uint32_t)uap->command; 2987 buf = (uintptr_t)uap->buf; 2988 2989 au_uwrite(au_to_arg32(1, "cmd", command)); 2990 2991 switch (command) { 2992 case SI_SET_HOSTNAME: 2993 { 2994 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2995 return; 2996 2997 maxlen = SYS_NMLN; 2998 name = kmem_alloc(maxlen, KM_SLEEP); 2999 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3000 break; 3001 3002 /* 3003 * Must be non-NULL string and string 3004 * must be less than SYS_NMLN chars. 3005 */ 3006 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3007 break; 3008 3009 au_uwrite(au_to_text(name)); 3010 break; 3011 } 3012 3013 case SI_SET_SRPC_DOMAIN: 3014 { 3015 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3016 return; 3017 3018 maxlen = SYS_NMLN; 3019 name = kmem_alloc(maxlen, KM_SLEEP); 3020 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3021 break; 3022 3023 /* 3024 * If string passed in is longer than length 3025 * allowed for domain name, fail. 3026 */ 3027 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3028 break; 3029 3030 au_uwrite(au_to_text(name)); 3031 break; 3032 } 3033 3034 default: 3035 return; 3036 } 3037 3038 kmem_free(name, maxlen); 3039 } 3040 3041 static au_event_t 3042 aui_modctl(au_event_t e) 3043 { 3044 klwp_t *clwp = ttolwp(curthread); 3045 uint_t cmd; 3046 3047 struct a { 3048 long cmd; 3049 } *uap = (struct a *)clwp->lwp_ap; 3050 3051 cmd = (uint_t)uap->cmd; 3052 3053 switch (cmd) { 3054 case MODLOAD: 3055 e = AUE_MODLOAD; 3056 break; 3057 case MODUNLOAD: 3058 e = AUE_MODUNLOAD; 3059 break; 3060 case MODADDMAJBIND: 3061 e = AUE_MODADDMAJ; 3062 break; 3063 case MODSETDEVPOLICY: 3064 e = AUE_MODDEVPLCY; 3065 break; 3066 case MODALLOCPRIV: 3067 e = AUE_MODADDPRIV; 3068 break; 3069 default: 3070 e = AUE_NULL; 3071 break; 3072 } 3073 return (e); 3074 } 3075 3076 3077 /*ARGSUSED*/ 3078 static void 3079 aus_modctl(struct t_audit_data *tad) 3080 { 3081 klwp_t *clwp = ttolwp(curthread); 3082 void *a = clwp->lwp_ap; 3083 uint_t use_path; 3084 3085 switch (tad->tad_event) { 3086 case AUE_MODLOAD: { 3087 typedef struct { 3088 long cmd; 3089 long use_path; 3090 long filename; /* char * */ 3091 } modloada_t; 3092 3093 char *filenamep; 3094 uintptr_t fname; 3095 extern char *default_path; 3096 3097 fname = (uintptr_t)((modloada_t *)a)->filename; 3098 use_path = (uint_t)((modloada_t *)a)->use_path; 3099 3100 /* space to hold path */ 3101 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3102 /* get string */ 3103 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3104 /* free allocated path */ 3105 kmem_free(filenamep, MOD_MAXPATH); 3106 return; 3107 } 3108 /* ensure it's null terminated */ 3109 filenamep[MOD_MAXPATH - 1] = 0; 3110 3111 if (use_path) 3112 au_uwrite(au_to_text(default_path)); 3113 au_uwrite(au_to_text(filenamep)); 3114 3115 /* release temporary memory */ 3116 kmem_free(filenamep, MOD_MAXPATH); 3117 break; 3118 } 3119 case AUE_MODUNLOAD: { 3120 typedef struct { 3121 long cmd; 3122 long id; 3123 } modunloada_t; 3124 3125 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3126 3127 au_uwrite(au_to_arg32(1, "id", id)); 3128 break; 3129 } 3130 case AUE_MODADDMAJ: { 3131 STRUCT_DECL(modconfig, mc); 3132 typedef struct { 3133 long cmd; 3134 long subcmd; 3135 long data; /* int * */ 3136 } modconfiga_t; 3137 3138 STRUCT_DECL(aliases, alias); 3139 caddr_t ap; 3140 int i, num_aliases; 3141 char *drvname, *mc_drvname; 3142 char *name; 3143 extern char *ddi_major_to_name(major_t); 3144 model_t model; 3145 3146 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3147 3148 model = get_udatamodel(); 3149 STRUCT_INIT(mc, model); 3150 /* sanitize buffer */ 3151 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3152 /* get user arguments */ 3153 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3154 STRUCT_SIZE(mc)) != 0) 3155 return; 3156 3157 mc_drvname = STRUCT_FGET(mc, drvname); 3158 if ((drvname = ddi_major_to_name( 3159 (major_t)STRUCT_FGET(mc, major))) != NULL && 3160 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3161 /* safety */ 3162 if (mc_drvname[0] != '\0') { 3163 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3164 au_uwrite(au_to_text(mc_drvname)); 3165 } 3166 /* drvname != NULL from test above */ 3167 au_uwrite(au_to_text(drvname)); 3168 return; 3169 } 3170 3171 if (mc_drvname[0] != '\0') { 3172 /* safety */ 3173 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3174 au_uwrite(au_to_text(mc_drvname)); 3175 } else 3176 au_uwrite(au_to_text("no drvname")); 3177 3178 num_aliases = STRUCT_FGET(mc, num_aliases); 3179 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3180 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3181 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3182 STRUCT_INIT(alias, model); 3183 for (i = 0; i < num_aliases; i++) { 3184 bzero((caddr_t)STRUCT_BUF(alias), 3185 STRUCT_SIZE(alias)); 3186 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3187 STRUCT_SIZE(alias)) != 0) 3188 break; 3189 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3190 MAXMODCONFNAME, NULL) != 0) { 3191 break; 3192 } 3193 3194 au_uwrite(au_to_text(name)); 3195 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3196 } 3197 kmem_free(name, MAXMODCONFNAME); 3198 break; 3199 } 3200 default: 3201 break; 3202 } 3203 } 3204 3205 /* 3206 * private version of getsonode that does not do eprintsoline() 3207 */ 3208 static struct sonode * 3209 au_getsonode(int sock, int *errorp, file_t **fpp) 3210 { 3211 file_t *fp; 3212 register vnode_t *vp; 3213 struct sonode *so; 3214 3215 if ((fp = getf(sock)) == NULL) { 3216 *errorp = EBADF; 3217 return (NULL); 3218 } 3219 vp = fp->f_vnode; 3220 /* Check if it is a socket */ 3221 if (vp->v_type != VSOCK) { 3222 releasef(sock); 3223 *errorp = ENOTSOCK; 3224 return (NULL); 3225 } 3226 /* 3227 * Use the stream head to find the real socket vnode. 3228 * This is needed when namefs sits above sockfs. 3229 */ 3230 ASSERT(vp->v_stream); 3231 ASSERT(vp->v_stream->sd_vnode); 3232 vp = vp->v_stream->sd_vnode; 3233 so = VTOSO(vp); 3234 if (so->so_version == SOV_STREAM) { 3235 releasef(sock); 3236 *errorp = ENOTSOCK; 3237 return (NULL); 3238 } 3239 if (fpp) 3240 *fpp = fp; 3241 return (so); 3242 } 3243 3244 /*ARGSUSED*/ 3245 static void 3246 auf_accept( 3247 struct t_audit_data *tad, 3248 int error, 3249 rval_t *rval) 3250 { 3251 uint32_t scid; 3252 uint32_t sy_flags; 3253 int fd; 3254 struct sonode *so; 3255 char so_laddr[sizeof (struct sockaddr_in6)]; 3256 char so_faddr[sizeof (struct sockaddr_in6)]; 3257 int err; 3258 int len; 3259 short so_family, so_type; 3260 int add_sock_token = 0; 3261 3262 /* need to determine type of executing binary */ 3263 scid = tad->tad_scid; 3264 #ifdef _SYSCALL32_IMPL 3265 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3266 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3267 else 3268 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3269 #else 3270 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3271 #endif 3272 if (sy_flags == SE_32RVAL1) 3273 fd = rval->r_val1; 3274 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3275 fd = rval->r_val1; 3276 if (sy_flags == SE_64RVAL) 3277 fd = (int)rval->r_vals; 3278 3279 if (error) { 3280 /* can't trust socket contents. Just return */ 3281 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3282 return; 3283 } 3284 3285 if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) { 3286 /* 3287 * not security relevant if doing a accept from non socket 3288 * so no extra tokens. Should probably turn off audit record 3289 * generation here. 3290 */ 3291 return; 3292 } 3293 3294 so_family = so->so_family; 3295 so_type = so->so_type; 3296 3297 switch (so_family) { 3298 case AF_INET: 3299 case AF_INET6: 3300 /* 3301 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3302 */ 3303 if (so->so_type == SOCK_STREAM) { 3304 3305 bzero((void *)so_laddr, sizeof (so_laddr)); 3306 bzero((void *)so_faddr, sizeof (so_faddr)); 3307 3308 /* 3309 * no local address then need to get it from lower 3310 * levels. only put out record on first read ala 3311 * AUE_WRITE. 3312 */ 3313 if (so->so_state & SS_ISBOUND) { 3314 /* only done once on a connection */ 3315 (void) SOP_GETSOCKNAME(so); 3316 (void) SOP_GETPEERNAME(so); 3317 3318 /* get local and foreign addresses */ 3319 mutex_enter(&so->so_lock); 3320 len = min(so->so_laddr_len, sizeof (so_laddr)); 3321 bcopy(so->so_laddr_sa, so_laddr, len); 3322 len = min(so->so_faddr_len, sizeof (so_faddr)); 3323 bcopy(so->so_faddr_sa, so_faddr, len); 3324 mutex_exit(&so->so_lock); 3325 } 3326 3327 add_sock_token = 1; 3328 } 3329 break; 3330 3331 default: 3332 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3333 break; 3334 } 3335 3336 releasef(fd); 3337 3338 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3339 3340 if (add_sock_token == 0) { 3341 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3342 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3343 return; 3344 } 3345 3346 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3347 3348 } 3349 3350 /*ARGSUSED*/ 3351 static void 3352 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3353 { 3354 struct a { 3355 long fd; 3356 long addr; 3357 long len; 3358 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3359 3360 struct sonode *so; 3361 char so_laddr[sizeof (struct sockaddr_in6)]; 3362 char so_faddr[sizeof (struct sockaddr_in6)]; 3363 int err, fd; 3364 int len; 3365 short so_family, so_type; 3366 int add_sock_token = 0; 3367 3368 fd = (int)uap->fd; 3369 3370 /* 3371 * bind failed, then nothing extra to add to audit record. 3372 */ 3373 if (error) { 3374 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3375 /* XXX may want to add failed address some day */ 3376 return; 3377 } 3378 3379 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3380 /* 3381 * not security relevant if doing a bind from non socket 3382 * so no extra tokens. Should probably turn off audit record 3383 * generation here. 3384 */ 3385 return; 3386 } 3387 3388 so_family = so->so_family; 3389 so_type = so->so_type; 3390 3391 switch (so_family) { 3392 case AF_INET: 3393 case AF_INET6: 3394 3395 bzero(so_faddr, sizeof (so_faddr)); 3396 3397 if (so->so_state & SS_ISBOUND) { 3398 /* only done once on a connection */ 3399 (void) SOP_GETSOCKNAME(so); 3400 } 3401 3402 mutex_enter(&so->so_lock); 3403 len = min(so->so_laddr_len, sizeof (so_laddr)); 3404 bcopy(so->so_laddr_sa, so_laddr, len); 3405 mutex_exit(&so->so_lock); 3406 3407 add_sock_token = 1; 3408 3409 break; 3410 3411 case AF_UNIX: 3412 /* token added by lookup */ 3413 break; 3414 default: 3415 /* AF_ROUTE, AF_KEY do not support accept */ 3416 break; 3417 } 3418 3419 releasef(fd); 3420 3421 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3422 3423 if (add_sock_token == 0) { 3424 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3425 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3426 return; 3427 } 3428 3429 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3430 3431 } 3432 3433 /*ARGSUSED*/ 3434 static void 3435 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3436 { 3437 struct a { 3438 long fd; 3439 long addr; 3440 long len; 3441 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3442 3443 struct sonode *so; 3444 char so_laddr[sizeof (struct sockaddr_in6)]; 3445 char so_faddr[sizeof (struct sockaddr_in6)]; 3446 int err, fd; 3447 int len; 3448 short so_family, so_type; 3449 int add_sock_token = 0; 3450 3451 fd = (int)uap->fd; 3452 3453 3454 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3455 /* 3456 * not security relevant if doing a connect from non socket 3457 * so no extra tokens. Should probably turn off audit record 3458 * generation here. 3459 */ 3460 return; 3461 } 3462 3463 so_family = so->so_family; 3464 so_type = so->so_type; 3465 3466 switch (so_family) { 3467 case AF_INET: 3468 case AF_INET6: 3469 /* 3470 * no local address then need to get it from lower 3471 * levels. 3472 */ 3473 if (so->so_state & SS_ISBOUND) { 3474 /* only done once on a connection */ 3475 (void) SOP_GETSOCKNAME(so); 3476 (void) SOP_GETPEERNAME(so); 3477 } 3478 3479 bzero(so_laddr, sizeof (so_laddr)); 3480 bzero(so_faddr, sizeof (so_faddr)); 3481 3482 mutex_enter(&so->so_lock); 3483 len = min(so->so_laddr_len, sizeof (so_laddr)); 3484 bcopy(so->so_laddr_sa, so_laddr, len); 3485 if (error) { 3486 mutex_exit(&so->so_lock); 3487 if (uap->addr == NULL) 3488 break; 3489 if (uap->len <= 0) 3490 break; 3491 len = min(uap->len, sizeof (so_faddr)); 3492 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3493 break; 3494 #ifdef NOTYET 3495 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3496 #endif 3497 } else { 3498 /* sanity check on length */ 3499 len = min(so->so_faddr_len, sizeof (so_faddr)); 3500 bcopy(so->so_faddr_sa, so_faddr, len); 3501 mutex_exit(&so->so_lock); 3502 } 3503 3504 add_sock_token = 1; 3505 3506 break; 3507 3508 case AF_UNIX: 3509 /* does a lookup on name */ 3510 break; 3511 3512 default: 3513 /* AF_ROUTE, AF_KEY do not support accept */ 3514 break; 3515 } 3516 3517 releasef(fd); 3518 3519 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3520 3521 if (add_sock_token == 0) { 3522 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3523 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3524 return; 3525 } 3526 3527 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3528 3529 } 3530 3531 /*ARGSUSED*/ 3532 static void 3533 aus_shutdown(struct t_audit_data *tad) 3534 { 3535 struct a { 3536 long fd; 3537 long how; 3538 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3539 3540 struct sonode *so; 3541 char so_laddr[sizeof (struct sockaddr_in6)]; 3542 char so_faddr[sizeof (struct sockaddr_in6)]; 3543 int err, fd; 3544 int len; 3545 short so_family, so_type; 3546 int add_sock_token = 0; 3547 file_t *fp; /* unix domain sockets */ 3548 struct f_audit_data *fad; /* unix domain sockets */ 3549 3550 fd = (int)uap->fd; 3551 3552 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3553 /* 3554 * not security relevant if doing a shutdown using non socket 3555 * so no extra tokens. Should probably turn off audit record 3556 * generation here. 3557 */ 3558 return; 3559 } 3560 3561 so_family = so->so_family; 3562 so_type = so->so_type; 3563 3564 switch (so_family) { 3565 case AF_INET: 3566 case AF_INET6: 3567 3568 bzero(so_laddr, sizeof (so_laddr)); 3569 bzero(so_faddr, sizeof (so_faddr)); 3570 3571 if (so->so_state & SS_ISBOUND) { 3572 /* 3573 * no local address then need to get it from lower 3574 * levels. 3575 */ 3576 if (so->so_laddr_len == 0) 3577 (void) SOP_GETSOCKNAME(so); 3578 if (so->so_faddr_len == 0) 3579 (void) SOP_GETPEERNAME(so); 3580 } 3581 3582 mutex_enter(&so->so_lock); 3583 len = min(so->so_laddr_len, sizeof (so_laddr)); 3584 bcopy(so->so_laddr_sa, so_laddr, len); 3585 len = min(so->so_faddr_len, sizeof (so_faddr)); 3586 bcopy(so->so_faddr_sa, so_faddr, len); 3587 mutex_exit(&so->so_lock); 3588 3589 add_sock_token = 1; 3590 3591 break; 3592 3593 case AF_UNIX: 3594 3595 /* get path from file struct here */ 3596 fad = F2A(fp); 3597 ASSERT(fad); 3598 3599 if (fad->fad_aupath != NULL) { 3600 au_uwrite(au_to_path(fad->fad_aupath)); 3601 } else { 3602 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3603 } 3604 3605 audit_attributes(fp->f_vnode); 3606 3607 break; 3608 3609 default: 3610 /* 3611 * AF_KEY and AF_ROUTE support shutdown. No socket token 3612 * added. 3613 */ 3614 break; 3615 } 3616 3617 releasef(fd); 3618 3619 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3620 3621 if (add_sock_token == 0) { 3622 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3623 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3624 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3625 return; 3626 } 3627 3628 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3629 3630 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3631 3632 } 3633 3634 /*ARGSUSED*/ 3635 static void 3636 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3637 { 3638 struct a { 3639 long fd; 3640 long level; 3641 long optname; 3642 long *optval; 3643 long optlen; 3644 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3645 3646 struct sonode *so; 3647 char so_laddr[sizeof (struct sockaddr_in6)]; 3648 char so_faddr[sizeof (struct sockaddr_in6)]; 3649 char val[AU_BUFSIZE]; 3650 int err, fd; 3651 int len; 3652 short so_family, so_type; 3653 int add_sock_token = 0; 3654 file_t *fp; /* unix domain sockets */ 3655 struct f_audit_data *fad; /* unix domain sockets */ 3656 3657 fd = (int)uap->fd; 3658 3659 if (error) { 3660 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3661 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3662 /* XXX may want to include other arguments */ 3663 return; 3664 } 3665 3666 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3667 /* 3668 * not security relevant if doing a setsockopt from non socket 3669 * so no extra tokens. Should probably turn off audit record 3670 * generation here. 3671 */ 3672 return; 3673 } 3674 3675 so_family = so->so_family; 3676 so_type = so->so_type; 3677 3678 switch (so_family) { 3679 case AF_INET: 3680 case AF_INET6: 3681 3682 bzero((void *)so_laddr, sizeof (so_laddr)); 3683 bzero((void *)so_faddr, sizeof (so_faddr)); 3684 3685 if (so->so_state & SS_ISBOUND) { 3686 if (so->so_laddr_len == 0) 3687 (void) SOP_GETSOCKNAME(so); 3688 if (so->so_faddr_len == 0) 3689 (void) SOP_GETPEERNAME(so); 3690 } 3691 3692 /* get local and foreign addresses */ 3693 mutex_enter(&so->so_lock); 3694 len = min(so->so_laddr_len, sizeof (so_laddr)); 3695 bcopy(so->so_laddr_sa, so_laddr, len); 3696 len = min(so->so_faddr_len, sizeof (so_faddr)); 3697 bcopy(so->so_faddr_sa, so_faddr, len); 3698 mutex_exit(&so->so_lock); 3699 3700 add_sock_token = 1; 3701 3702 break; 3703 3704 case AF_UNIX: 3705 3706 /* get path from file struct here */ 3707 fad = F2A(fp); 3708 ASSERT(fad); 3709 3710 if (fad->fad_aupath != NULL) { 3711 au_uwrite(au_to_path(fad->fad_aupath)); 3712 } else { 3713 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3714 } 3715 3716 audit_attributes(fp->f_vnode); 3717 3718 break; 3719 3720 default: 3721 /* 3722 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3723 * added. 3724 */ 3725 break; 3726 } 3727 3728 releasef(fd); 3729 3730 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3731 3732 if (add_sock_token == 0) { 3733 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3734 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3735 } 3736 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3737 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3738 3739 bzero(val, sizeof (val)); 3740 len = min(uap->optlen, sizeof (val)); 3741 if ((len > 0) && 3742 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3743 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3744 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3745 } 3746 3747 if (add_sock_token == 0) 3748 return; 3749 3750 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3751 3752 } 3753 3754 /*ARGSUSED*/ 3755 static void 3756 aus_sockconfig(tad) 3757 struct t_audit_data *tad; 3758 { 3759 struct a { 3760 long domain; 3761 long type; 3762 long protocol; 3763 long devpath; 3764 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3765 3766 char *kdevpath; 3767 int kdevpathlen = MAXPATHLEN + 1; 3768 size_t size; 3769 3770 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3771 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3772 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3773 3774 if (uap->devpath == 0) { 3775 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3776 } else { 3777 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3778 3779 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3780 &size)) { 3781 kmem_free(kdevpath, kdevpathlen); 3782 return; 3783 } 3784 3785 if (size > MAXPATHLEN) { 3786 kmem_free(kdevpath, kdevpathlen); 3787 return; 3788 } 3789 3790 au_uwrite(au_to_text(kdevpath)); 3791 kmem_free(kdevpath, kdevpathlen); 3792 } 3793 } 3794 3795 /* 3796 * only audit recvmsg when the system call represents the creation of a new 3797 * circuit. This effectively occurs for all UDP packets and may occur for 3798 * special TCP situations where the local host has not set a local address 3799 * in the socket structure. 3800 */ 3801 /*ARGSUSED*/ 3802 static void 3803 auf_recvmsg( 3804 struct t_audit_data *tad, 3805 int error, 3806 rval_t *rvp) 3807 { 3808 struct a { 3809 long fd; 3810 long msg; /* struct msghdr */ 3811 long flags; 3812 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3813 3814 struct sonode *so; 3815 STRUCT_DECL(msghdr, msg); 3816 caddr_t msg_name; 3817 socklen_t msg_namelen; 3818 int fd; 3819 int err; 3820 char so_laddr[sizeof (struct sockaddr_in6)]; 3821 char so_faddr[sizeof (struct sockaddr_in6)]; 3822 int len; 3823 file_t *fp; /* unix domain sockets */ 3824 struct f_audit_data *fad; /* unix domain sockets */ 3825 short so_family, so_type; 3826 int add_sock_token = 0; 3827 au_kcontext_t *kctx = SET_KCTX_PZ; 3828 3829 fd = (int)uap->fd; 3830 3831 /* bail if an error */ 3832 if (error) { 3833 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3834 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3835 return; 3836 } 3837 3838 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3839 /* 3840 * not security relevant if doing a recvmsg from non socket 3841 * so no extra tokens. Should probably turn off audit record 3842 * generation here. 3843 */ 3844 return; 3845 } 3846 3847 so_family = so->so_family; 3848 so_type = so->so_type; 3849 3850 /* 3851 * only putout SOCKET_EX token if INET/INET6 family. 3852 * XXX - what do we do about other families? 3853 */ 3854 3855 switch (so_family) { 3856 case AF_INET: 3857 case AF_INET6: 3858 3859 /* 3860 * if datagram type socket, then just use what is in 3861 * socket structure for local address. 3862 * XXX - what do we do for other types? 3863 */ 3864 if ((so->so_type == SOCK_DGRAM) || 3865 (so->so_type == SOCK_RAW)) { 3866 add_sock_token = 1; 3867 3868 bzero((void *)so_laddr, sizeof (so_laddr)); 3869 bzero((void *)so_faddr, sizeof (so_faddr)); 3870 3871 /* get local address */ 3872 mutex_enter(&so->so_lock); 3873 len = min(so->so_laddr_len, sizeof (so_laddr)); 3874 bcopy(so->so_laddr_sa, so_laddr, len); 3875 mutex_exit(&so->so_lock); 3876 3877 /* get peer address */ 3878 STRUCT_INIT(msg, get_udatamodel()); 3879 3880 if (copyin((caddr_t)(uap->msg), 3881 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3882 break; 3883 } 3884 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3885 if (msg_name == NULL) { 3886 break; 3887 } 3888 3889 /* length is value from recvmsg - sanity check */ 3890 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3891 if (msg_namelen == 0) { 3892 break; 3893 } 3894 if (copyin(msg_name, so_faddr, 3895 sizeof (so_faddr)) != 0) { 3896 break; 3897 } 3898 3899 } else if (so->so_type == SOCK_STREAM) { 3900 3901 /* get path from file struct here */ 3902 fad = F2A(fp); 3903 ASSERT(fad); 3904 3905 /* 3906 * already processed this file for read attempt 3907 */ 3908 if (fad->fad_flags & FAD_READ) { 3909 /* don't want to audit every recvmsg attempt */ 3910 tad->tad_flag = 0; 3911 /* free any residual audit data */ 3912 au_close(kctx, &(u_ad), 0, 0, 0); 3913 releasef(fd); 3914 return; 3915 } 3916 /* 3917 * mark things so we know what happened and don't 3918 * repeat things 3919 */ 3920 fad->fad_flags |= FAD_READ; 3921 3922 bzero((void *)so_laddr, sizeof (so_laddr)); 3923 bzero((void *)so_faddr, sizeof (so_faddr)); 3924 3925 if (so->so_state & SS_ISBOUND) { 3926 3927 if (so->so_laddr_len == 0) 3928 (void) SOP_GETSOCKNAME(so); 3929 if (so->so_faddr_len == 0) 3930 (void) SOP_GETPEERNAME(so); 3931 3932 /* get local and foreign addresses */ 3933 mutex_enter(&so->so_lock); 3934 len = min(so->so_laddr_len, sizeof (so_laddr)); 3935 bcopy(so->so_laddr_sa, so_laddr, len); 3936 len = min(so->so_faddr_len, sizeof (so_faddr)); 3937 bcopy(so->so_faddr_sa, so_faddr, len); 3938 mutex_exit(&so->so_lock); 3939 } 3940 3941 add_sock_token = 1; 3942 } 3943 3944 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3945 3946 break; 3947 3948 case AF_UNIX: 3949 /* 3950 * first check if this is first time through. Too much 3951 * duplicate code to put this in an aui_ routine. 3952 */ 3953 3954 /* get path from file struct here */ 3955 fad = F2A(fp); 3956 ASSERT(fad); 3957 3958 /* 3959 * already processed this file for read attempt 3960 */ 3961 if (fad->fad_flags & FAD_READ) { 3962 releasef(fd); 3963 /* don't want to audit every recvmsg attempt */ 3964 tad->tad_flag = 0; 3965 /* free any residual audit data */ 3966 au_close(kctx, &(u_ad), 0, 0, 0); 3967 return; 3968 } 3969 /* 3970 * mark things so we know what happened and don't 3971 * repeat things 3972 */ 3973 fad->fad_flags |= FAD_READ; 3974 3975 if (fad->fad_aupath != NULL) { 3976 au_uwrite(au_to_path(fad->fad_aupath)); 3977 } else { 3978 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3979 } 3980 3981 audit_attributes(fp->f_vnode); 3982 3983 releasef(fd); 3984 3985 return; 3986 3987 default: 3988 break; 3989 3990 } 3991 3992 releasef(fd); 3993 3994 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3995 3996 if (add_sock_token == 0) { 3997 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 3998 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 3999 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4000 return; 4001 } 4002 4003 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4004 4005 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4006 4007 } 4008 4009 /*ARGSUSED*/ 4010 static void 4011 auf_recvfrom( 4012 struct t_audit_data *tad, 4013 int error, 4014 rval_t *rvp) 4015 { 4016 4017 struct a { 4018 long fd; 4019 long msg; /* char */ 4020 long len; 4021 long flags; 4022 long from; /* struct sockaddr */ 4023 long fromlen; 4024 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4025 4026 socklen_t fromlen; 4027 struct sonode *so; 4028 char so_laddr[sizeof (struct sockaddr_in6)]; 4029 char so_faddr[sizeof (struct sockaddr_in6)]; 4030 int fd; 4031 short so_family, so_type; 4032 int add_sock_token = 0; 4033 int len; 4034 int err; 4035 struct file *fp; 4036 struct f_audit_data *fad; /* unix domain sockets */ 4037 au_kcontext_t *kctx = SET_KCTX_PZ; 4038 4039 fd = (int)uap->fd; 4040 4041 /* bail if an error */ 4042 if (error) { 4043 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4044 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4045 return; 4046 } 4047 4048 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4049 /* 4050 * not security relevant if doing a recvmsg from non socket 4051 * so no extra tokens. Should probably turn off audit record 4052 * generation here. 4053 */ 4054 return; 4055 } 4056 4057 so_family = so->so_family; 4058 so_type = so->so_type; 4059 4060 /* 4061 * only putout SOCKET_EX token if INET/INET6 family. 4062 * XXX - what do we do about other families? 4063 */ 4064 4065 switch (so_family) { 4066 case AF_INET: 4067 case AF_INET6: 4068 4069 /* 4070 * if datagram type socket, then just use what is in 4071 * socket structure for local address. 4072 * XXX - what do we do for other types? 4073 */ 4074 if ((so->so_type == SOCK_DGRAM) || 4075 (so->so_type == SOCK_RAW)) { 4076 add_sock_token = 1; 4077 4078 /* get local address */ 4079 mutex_enter(&so->so_lock); 4080 len = min(so->so_laddr_len, sizeof (so_laddr)); 4081 bcopy(so->so_laddr_sa, so_laddr, len); 4082 mutex_exit(&so->so_lock); 4083 4084 /* get peer address */ 4085 bzero((void *)so_faddr, sizeof (so_faddr)); 4086 4087 /* sanity check */ 4088 if (uap->from == NULL) 4089 break; 4090 4091 /* sanity checks */ 4092 if (uap->fromlen == 0) 4093 break; 4094 4095 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4096 sizeof (fromlen)) != 0) 4097 break; 4098 4099 if (fromlen == 0) 4100 break; 4101 4102 /* enforce maximum size */ 4103 if (fromlen > sizeof (so_faddr)) 4104 fromlen = sizeof (so_faddr); 4105 4106 if (copyin((caddr_t)(uap->from), so_faddr, 4107 fromlen) != 0) 4108 break; 4109 4110 } else if (so->so_type == SOCK_STREAM) { 4111 4112 /* get path from file struct here */ 4113 fad = F2A(fp); 4114 ASSERT(fad); 4115 4116 /* 4117 * already processed this file for read attempt 4118 */ 4119 if (fad->fad_flags & FAD_READ) { 4120 /* don't want to audit every recvfrom attempt */ 4121 tad->tad_flag = 0; 4122 /* free any residual audit data */ 4123 au_close(kctx, &(u_ad), 0, 0, 0); 4124 releasef(fd); 4125 return; 4126 } 4127 /* 4128 * mark things so we know what happened and don't 4129 * repeat things 4130 */ 4131 fad->fad_flags |= FAD_READ; 4132 4133 bzero((void *)so_laddr, sizeof (so_laddr)); 4134 bzero((void *)so_faddr, sizeof (so_faddr)); 4135 4136 if (so->so_state & SS_ISBOUND) { 4137 4138 if (so->so_laddr_len == 0) 4139 (void) SOP_GETSOCKNAME(so); 4140 if (so->so_faddr_len == 0) 4141 (void) SOP_GETPEERNAME(so); 4142 4143 /* get local and foreign addresses */ 4144 mutex_enter(&so->so_lock); 4145 len = min(so->so_laddr_len, sizeof (so_laddr)); 4146 bcopy(so->so_laddr_sa, so_laddr, len); 4147 len = min(so->so_faddr_len, sizeof (so_faddr)); 4148 bcopy(so->so_faddr_sa, so_faddr, len); 4149 mutex_exit(&so->so_lock); 4150 } 4151 4152 add_sock_token = 1; 4153 } 4154 4155 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4156 4157 break; 4158 4159 case AF_UNIX: 4160 /* 4161 * first check if this is first time through. Too much 4162 * duplicate code to put this in an aui_ routine. 4163 */ 4164 4165 /* get path from file struct here */ 4166 fad = F2A(fp); 4167 ASSERT(fad); 4168 4169 /* 4170 * already processed this file for read attempt 4171 */ 4172 if (fad->fad_flags & FAD_READ) { 4173 /* don't want to audit every recvfrom attempt */ 4174 tad->tad_flag = 0; 4175 /* free any residual audit data */ 4176 au_close(kctx, &(u_ad), 0, 0, 0); 4177 releasef(fd); 4178 return; 4179 } 4180 /* 4181 * mark things so we know what happened and don't 4182 * repeat things 4183 */ 4184 fad->fad_flags |= FAD_READ; 4185 4186 if (fad->fad_aupath != NULL) { 4187 au_uwrite(au_to_path(fad->fad_aupath)); 4188 } else { 4189 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4190 } 4191 4192 audit_attributes(fp->f_vnode); 4193 4194 releasef(fd); 4195 4196 return; 4197 4198 default: 4199 break; 4200 4201 } 4202 4203 releasef(fd); 4204 4205 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4206 4207 if (add_sock_token == 0) { 4208 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4209 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4210 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4211 return; 4212 } 4213 4214 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4215 4216 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4217 } 4218 4219 /*ARGSUSED*/ 4220 static void 4221 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4222 { 4223 struct a { 4224 long fd; 4225 long msg; /* struct msghdr */ 4226 long flags; 4227 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4228 4229 struct sonode *so; 4230 char so_laddr[sizeof (struct sockaddr_in6)]; 4231 char so_faddr[sizeof (struct sockaddr_in6)]; 4232 int err; 4233 int fd; 4234 short so_family, so_type; 4235 int add_sock_token = 0; 4236 int len; 4237 struct file *fp; 4238 struct f_audit_data *fad; 4239 caddr_t msg_name; 4240 socklen_t msg_namelen; 4241 STRUCT_DECL(msghdr, msg); 4242 au_kcontext_t *kctx = SET_KCTX_PZ; 4243 4244 fd = (int)uap->fd; 4245 4246 /* bail if an error */ 4247 if (error) { 4248 /* XXX include destination address from system call arguments */ 4249 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4250 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4251 return; 4252 } 4253 4254 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4255 /* 4256 * not security relevant if doing a sendmsg from non socket 4257 * so no extra tokens. Should probably turn off audit record 4258 * generation here. 4259 */ 4260 return; 4261 } 4262 4263 so_family = so->so_family; 4264 so_type = so->so_type; 4265 4266 switch (so_family) { 4267 case AF_INET: 4268 case AF_INET6: 4269 /* 4270 * if datagram type socket, then just use what is in 4271 * socket structure for local address. 4272 * XXX - what do we do for other types? 4273 */ 4274 if ((so->so_type == SOCK_DGRAM) || 4275 (so->so_type == SOCK_RAW)) { 4276 4277 bzero((void *)so_laddr, sizeof (so_laddr)); 4278 bzero((void *)so_faddr, sizeof (so_faddr)); 4279 4280 /* get local address */ 4281 mutex_enter(&so->so_lock); 4282 len = min(so->so_laddr_len, sizeof (so_laddr)); 4283 bcopy(so->so_laddr_sa, so_laddr, len); 4284 mutex_exit(&so->so_lock); 4285 4286 /* get peer address */ 4287 STRUCT_INIT(msg, get_udatamodel()); 4288 4289 if (copyin((caddr_t)(uap->msg), 4290 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4291 break; 4292 } 4293 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4294 if (msg_name == NULL) 4295 break; 4296 4297 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4298 /* length is value from recvmsg - sanity check */ 4299 if (msg_namelen == 0) 4300 break; 4301 4302 if (copyin(msg_name, so_faddr, 4303 sizeof (so_faddr)) != 0) 4304 break; 4305 4306 add_sock_token = 1; 4307 4308 } else if (so->so_type == SOCK_STREAM) { 4309 4310 /* get path from file struct here */ 4311 fad = F2A(fp); 4312 ASSERT(fad); 4313 4314 /* 4315 * already processed this file for write attempt 4316 */ 4317 if (fad->fad_flags & FAD_WRITE) { 4318 releasef(fd); 4319 /* don't want to audit every sendmsg attempt */ 4320 tad->tad_flag = 0; 4321 /* free any residual audit data */ 4322 au_close(kctx, &(u_ad), 0, 0, 0); 4323 return; 4324 } 4325 4326 /* 4327 * mark things so we know what happened and don't 4328 * repeat things 4329 */ 4330 fad->fad_flags |= FAD_WRITE; 4331 4332 bzero((void *)so_laddr, sizeof (so_laddr)); 4333 bzero((void *)so_faddr, sizeof (so_faddr)); 4334 4335 if (so->so_state & SS_ISBOUND) { 4336 4337 if (so->so_laddr_len == 0) 4338 (void) SOP_GETSOCKNAME(so); 4339 if (so->so_faddr_len == 0) 4340 (void) SOP_GETPEERNAME(so); 4341 4342 /* get local and foreign addresses */ 4343 mutex_enter(&so->so_lock); 4344 len = min(so->so_laddr_len, sizeof (so_laddr)); 4345 bcopy(so->so_laddr_sa, so_laddr, len); 4346 len = min(so->so_faddr_len, sizeof (so_faddr)); 4347 bcopy(so->so_faddr_sa, so_faddr, len); 4348 mutex_exit(&so->so_lock); 4349 } 4350 4351 add_sock_token = 1; 4352 } 4353 4354 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4355 4356 break; 4357 4358 case AF_UNIX: 4359 /* 4360 * first check if this is first time through. Too much 4361 * duplicate code to put this in an aui_ routine. 4362 */ 4363 4364 /* get path from file struct here */ 4365 fad = F2A(fp); 4366 ASSERT(fad); 4367 4368 /* 4369 * already processed this file for write attempt 4370 */ 4371 if (fad->fad_flags & FAD_WRITE) { 4372 releasef(fd); 4373 /* don't want to audit every sendmsg attempt */ 4374 tad->tad_flag = 0; 4375 /* free any residual audit data */ 4376 au_close(kctx, &(u_ad), 0, 0, 0); 4377 return; 4378 } 4379 /* 4380 * mark things so we know what happened and don't 4381 * repeat things 4382 */ 4383 fad->fad_flags |= FAD_WRITE; 4384 4385 if (fad->fad_aupath != NULL) { 4386 au_uwrite(au_to_path(fad->fad_aupath)); 4387 } else { 4388 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4389 } 4390 4391 audit_attributes(fp->f_vnode); 4392 4393 releasef(fd); 4394 4395 return; 4396 4397 default: 4398 break; 4399 } 4400 4401 releasef(fd); 4402 4403 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4404 4405 if (add_sock_token == 0) { 4406 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4407 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4408 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4409 return; 4410 } 4411 4412 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4413 4414 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4415 } 4416 4417 /*ARGSUSED*/ 4418 static void 4419 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4420 { 4421 struct a { 4422 long fd; 4423 long msg; /* char */ 4424 long len; 4425 long flags; 4426 long to; /* struct sockaddr */ 4427 long tolen; 4428 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4429 4430 struct sonode *so; 4431 char so_laddr[sizeof (struct sockaddr_in6)]; 4432 char so_faddr[sizeof (struct sockaddr_in6)]; 4433 socklen_t tolen; 4434 int err; 4435 int fd; 4436 int len; 4437 short so_family, so_type; 4438 int add_sock_token = 0; 4439 struct file *fp; 4440 struct f_audit_data *fad; 4441 au_kcontext_t *kctx = SET_KCTX_PZ; 4442 4443 fd = (int)uap->fd; 4444 4445 /* bail if an error */ 4446 if (error) { 4447 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4448 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4449 /* XXX include destination address from system call arguments */ 4450 return; 4451 } 4452 4453 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4454 /* 4455 * not security relevant if doing a sendto using non socket 4456 * so no extra tokens. Should probably turn off audit record 4457 * generation here. 4458 */ 4459 return; 4460 } 4461 4462 so_family = so->so_family; 4463 so_type = so->so_type; 4464 4465 /* 4466 * only putout SOCKET_EX token if INET/INET6 family. 4467 * XXX - what do we do about other families? 4468 */ 4469 4470 switch (so_family) { 4471 case AF_INET: 4472 case AF_INET6: 4473 4474 /* 4475 * if datagram type socket, then just use what is in 4476 * socket structure for local address. 4477 * XXX - what do we do for other types? 4478 */ 4479 if ((so->so_type == SOCK_DGRAM) || 4480 (so->so_type == SOCK_RAW)) { 4481 4482 bzero((void *)so_laddr, sizeof (so_laddr)); 4483 bzero((void *)so_faddr, sizeof (so_faddr)); 4484 4485 /* get local address */ 4486 mutex_enter(&so->so_lock); 4487 len = min(so->so_laddr_len, sizeof (so_laddr)); 4488 bcopy(so->so_laddr_sa, so_laddr, len); 4489 mutex_exit(&so->so_lock); 4490 4491 /* get peer address */ 4492 4493 /* sanity check */ 4494 if (uap->to == NULL) 4495 break; 4496 4497 /* sanity checks */ 4498 if (uap->tolen == 0) 4499 break; 4500 4501 tolen = (socklen_t)uap->tolen; 4502 4503 /* enforce maximum size */ 4504 if (tolen > sizeof (so_faddr)) 4505 tolen = sizeof (so_faddr); 4506 4507 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4508 break; 4509 4510 add_sock_token = 1; 4511 } else { 4512 /* 4513 * check if this is first time through. 4514 */ 4515 4516 /* get path from file struct here */ 4517 fad = F2A(fp); 4518 ASSERT(fad); 4519 4520 /* 4521 * already processed this file for write attempt 4522 */ 4523 if (fad->fad_flags & FAD_WRITE) { 4524 /* don't want to audit every sendto attempt */ 4525 tad->tad_flag = 0; 4526 /* free any residual audit data */ 4527 au_close(kctx, &(u_ad), 0, 0, 0); 4528 releasef(fd); 4529 return; 4530 } 4531 /* 4532 * mark things so we know what happened and don't 4533 * repeat things 4534 */ 4535 fad->fad_flags |= FAD_WRITE; 4536 4537 bzero((void *)so_laddr, sizeof (so_laddr)); 4538 bzero((void *)so_faddr, sizeof (so_faddr)); 4539 4540 if (so->so_state & SS_ISBOUND) { 4541 4542 if (so->so_laddr_len == 0) 4543 (void) SOP_GETSOCKNAME(so); 4544 if (so->so_faddr_len == 0) 4545 (void) SOP_GETPEERNAME(so); 4546 4547 /* get local and foreign addresses */ 4548 mutex_enter(&so->so_lock); 4549 len = min(so->so_laddr_len, sizeof (so_laddr)); 4550 bcopy(so->so_laddr_sa, so_laddr, len); 4551 len = min(so->so_faddr_len, sizeof (so_faddr)); 4552 bcopy(so->so_faddr_sa, so_faddr, len); 4553 mutex_exit(&so->so_lock); 4554 } 4555 4556 add_sock_token = 1; 4557 } 4558 4559 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4560 4561 break; 4562 4563 case AF_UNIX: 4564 /* 4565 * first check if this is first time through. Too much 4566 * duplicate code to put this in an aui_ routine. 4567 */ 4568 4569 /* get path from file struct here */ 4570 fad = F2A(fp); 4571 ASSERT(fad); 4572 4573 /* 4574 * already processed this file for write attempt 4575 */ 4576 if (fad->fad_flags & FAD_WRITE) { 4577 /* don't want to audit every sendto attempt */ 4578 tad->tad_flag = 0; 4579 /* free any residual audit data */ 4580 au_close(kctx, &(u_ad), 0, 0, 0); 4581 releasef(fd); 4582 return; 4583 } 4584 /* 4585 * mark things so we know what happened and don't 4586 * repeat things 4587 */ 4588 fad->fad_flags |= FAD_WRITE; 4589 4590 if (fad->fad_aupath != NULL) { 4591 au_uwrite(au_to_path(fad->fad_aupath)); 4592 } else { 4593 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4594 } 4595 4596 audit_attributes(fp->f_vnode); 4597 4598 releasef(fd); 4599 4600 return; 4601 4602 default: 4603 break; 4604 4605 } 4606 4607 releasef(fd); 4608 4609 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4610 4611 if (add_sock_token == 0) { 4612 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4613 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4614 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4615 return; 4616 } 4617 4618 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4619 4620 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4621 4622 } 4623 4624 /* 4625 * XXX socket(2) may be equivilent to open(2) on a unix domain 4626 * socket. This needs investigation. 4627 */ 4628 4629 /*ARGSUSED*/ 4630 static void 4631 aus_socket(struct t_audit_data *tad) 4632 { 4633 struct a { 4634 long domain; 4635 long type; 4636 long protocol; 4637 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4638 4639 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4640 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4641 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4642 } 4643 4644 /*ARGSUSED*/ 4645 static void 4646 aus_sigqueue(struct t_audit_data *tad) 4647 { 4648 struct a { 4649 long pid; 4650 long signo; 4651 long *val; 4652 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4653 struct proc *p; 4654 uid_t uid, ruid; 4655 gid_t gid, rgid; 4656 pid_t pid; 4657 const auditinfo_addr_t *ainfo; 4658 cred_t *cr; 4659 4660 pid = (pid_t)uap->pid; 4661 4662 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4663 if (pid > 0) { 4664 mutex_enter(&pidlock); 4665 if ((p = prfind(pid)) == (struct proc *)0) { 4666 mutex_exit(&pidlock); 4667 return; 4668 } 4669 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4670 mutex_exit(&pidlock); 4671 4672 mutex_enter(&p->p_crlock); 4673 crhold(cr = p->p_cred); 4674 mutex_exit(&p->p_crlock); 4675 mutex_exit(&p->p_lock); 4676 4677 ainfo = crgetauinfo(cr); 4678 if (ainfo == NULL) { 4679 crfree(cr); 4680 return; 4681 } 4682 4683 uid = crgetuid(cr); 4684 gid = crgetgid(cr); 4685 ruid = crgetruid(cr); 4686 rgid = crgetrgid(cr); 4687 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4688 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4689 crfree(cr); 4690 } 4691 else 4692 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4693 } 4694 4695 /*ARGSUSED*/ 4696 static void 4697 aus_inst_sync(struct t_audit_data *tad) 4698 { 4699 struct a { 4700 long name; /* char */ 4701 long flags; 4702 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4703 4704 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4705 } 4706 4707 /*ARGSUSED*/ 4708 static void 4709 aus_brandsys(struct t_audit_data *tad) 4710 { 4711 klwp_t *clwp = ttolwp(curthread); 4712 4713 struct a { 4714 long cmd; 4715 long arg1; 4716 long arg2; 4717 long arg3; 4718 long arg4; 4719 long arg5; 4720 long arg6; 4721 } *uap = (struct a *)clwp->lwp_ap; 4722 4723 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4724 #ifdef _LP64 4725 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4726 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4727 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4728 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4729 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4730 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4731 #else 4732 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4733 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4734 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4735 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4736 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4737 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4738 #endif 4739 } 4740 4741 /*ARGSUSED*/ 4742 static void 4743 aus_p_online(struct t_audit_data *tad) 4744 { 4745 struct a { 4746 long processor_id; 4747 long flag; 4748 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4749 4750 struct flags { 4751 int flag; 4752 char *cflag; 4753 } aflags[6] = { 4754 { P_ONLINE, "P_ONLINE"}, 4755 { P_OFFLINE, "P_OFFLINE"}, 4756 { P_NOINTR, "P_NOINTR"}, 4757 { P_SPARE, "P_SPARE"}, 4758 { P_FAULTED, "P_FAULTED"}, 4759 { P_STATUS, "P_STATUS"} 4760 }; 4761 int i; 4762 char *cflag; 4763 4764 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4765 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4766 4767 for (i = 0; i < 6; i++) { 4768 if (aflags[i].flag == uap->flag) 4769 break; 4770 } 4771 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4772 4773 au_uwrite(au_to_text(cflag)); 4774 } 4775 4776 /*ARGSUSED*/ 4777 static void 4778 aus_processor_bind(struct t_audit_data *tad) 4779 { 4780 struct a { 4781 long id_type; 4782 long id; 4783 long processor_id; 4784 long obind; 4785 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4786 4787 struct proc *p; 4788 int lwpcnt; 4789 uid_t uid, ruid; 4790 gid_t gid, rgid; 4791 pid_t pid; 4792 const auditinfo_addr_t *ainfo; 4793 cred_t *cr; 4794 4795 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4796 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4797 if (uap->processor_id == PBIND_NONE) 4798 au_uwrite(au_to_text("PBIND_NONE")); 4799 else 4800 au_uwrite(au_to_arg32(3, "processor_id", 4801 (uint32_t)uap->processor_id)); 4802 4803 switch (uap->id_type) { 4804 case P_MYID: 4805 case P_LWPID: 4806 mutex_enter(&pidlock); 4807 p = ttoproc(curthread); 4808 if (p == NULL || p->p_as == &kas) { 4809 mutex_exit(&pidlock); 4810 return; 4811 } 4812 mutex_enter(&p->p_lock); 4813 mutex_exit(&pidlock); 4814 lwpcnt = p->p_lwpcnt; 4815 pid = p->p_pid; 4816 4817 mutex_enter(&p->p_crlock); 4818 crhold(cr = p->p_cred); 4819 mutex_exit(&p->p_crlock); 4820 mutex_exit(&p->p_lock); 4821 4822 ainfo = crgetauinfo(cr); 4823 if (ainfo == NULL) { 4824 crfree(cr); 4825 return; 4826 } 4827 4828 uid = crgetuid(cr); 4829 gid = crgetgid(cr); 4830 ruid = crgetruid(cr); 4831 rgid = crgetrgid(cr); 4832 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4833 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4834 crfree(cr); 4835 break; 4836 case P_PID: 4837 mutex_enter(&pidlock); 4838 p = prfind(uap->id); 4839 if (p == NULL || p->p_as == &kas) { 4840 mutex_exit(&pidlock); 4841 return; 4842 } 4843 mutex_enter(&p->p_lock); 4844 mutex_exit(&pidlock); 4845 lwpcnt = p->p_lwpcnt; 4846 pid = p->p_pid; 4847 4848 mutex_enter(&p->p_crlock); 4849 crhold(cr = p->p_cred); 4850 mutex_exit(&p->p_crlock); 4851 mutex_exit(&p->p_lock); 4852 4853 ainfo = crgetauinfo(cr); 4854 if (ainfo == NULL) { 4855 crfree(cr); 4856 return; 4857 } 4858 4859 uid = crgetuid(cr); 4860 gid = crgetgid(cr); 4861 ruid = crgetruid(cr); 4862 rgid = crgetrgid(cr); 4863 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4864 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4865 crfree(cr); 4866 4867 break; 4868 default: 4869 return; 4870 } 4871 4872 if (uap->processor_id == PBIND_NONE && 4873 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4874 au_uwrite(au_to_text("PBIND_NONE for process")); 4875 else 4876 au_uwrite(au_to_arg32(3, "processor_id", 4877 (uint32_t)uap->processor_id)); 4878 } 4879 4880 /*ARGSUSED*/ 4881 static au_event_t 4882 aui_doorfs(au_event_t e) 4883 { 4884 uint32_t code; 4885 4886 struct a { /* doorfs */ 4887 long a1; 4888 long a2; 4889 long a3; 4890 long a4; 4891 long a5; 4892 long code; 4893 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4894 4895 /* 4896 * audit formats for several of the 4897 * door calls have not yet been determined 4898 */ 4899 code = (uint32_t)uap->code; 4900 switch (code) { 4901 case DOOR_CALL: 4902 e = AUE_DOORFS_DOOR_CALL; 4903 break; 4904 case DOOR_RETURN: 4905 e = AUE_NULL; 4906 break; 4907 case DOOR_CREATE: 4908 e = AUE_DOORFS_DOOR_CREATE; 4909 break; 4910 case DOOR_REVOKE: 4911 e = AUE_DOORFS_DOOR_REVOKE; 4912 break; 4913 case DOOR_INFO: 4914 e = AUE_NULL; 4915 break; 4916 case DOOR_UCRED: 4917 e = AUE_NULL; 4918 break; 4919 case DOOR_BIND: 4920 e = AUE_NULL; 4921 break; 4922 case DOOR_UNBIND: 4923 e = AUE_NULL; 4924 break; 4925 case DOOR_GETPARAM: 4926 e = AUE_NULL; 4927 break; 4928 case DOOR_SETPARAM: 4929 e = AUE_NULL; 4930 break; 4931 default: /* illegal system call */ 4932 e = AUE_NULL; 4933 break; 4934 } 4935 4936 return (e); 4937 } 4938 4939 static door_node_t * 4940 au_door_lookup(int did) 4941 { 4942 vnode_t *vp; 4943 file_t *fp; 4944 4945 if ((fp = getf(did)) == NULL) 4946 return (NULL); 4947 /* 4948 * Use the underlying vnode (we may be namefs mounted) 4949 */ 4950 if (VOP_REALVP(fp->f_vnode, &vp)) 4951 vp = fp->f_vnode; 4952 4953 if (vp == NULL || vp->v_type != VDOOR) { 4954 releasef(did); 4955 return (NULL); 4956 } 4957 4958 return (VTOD(vp)); 4959 } 4960 4961 /*ARGSUSED*/ 4962 static void 4963 aus_doorfs(struct t_audit_data *tad) 4964 { 4965 4966 struct a { /* doorfs */ 4967 long a1; 4968 long a2; 4969 long a3; 4970 long a4; 4971 long a5; 4972 long code; 4973 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4974 4975 door_node_t *dp; 4976 struct proc *p; 4977 uint32_t did; 4978 uid_t uid, ruid; 4979 gid_t gid, rgid; 4980 pid_t pid; 4981 const auditinfo_addr_t *ainfo; 4982 cred_t *cr; 4983 4984 did = (uint32_t)uap->a1; 4985 4986 switch (tad->tad_event) { 4987 case AUE_DOORFS_DOOR_CALL: 4988 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4989 if ((dp = au_door_lookup(did)) == NULL) 4990 break; 4991 4992 if (DOOR_INVALID(dp)) { 4993 releasef(did); 4994 break; 4995 } 4996 4997 if ((p = dp->door_target) == NULL) { 4998 releasef(did); 4999 break; 5000 } 5001 mutex_enter(&p->p_lock); 5002 releasef(did); 5003 5004 pid = p->p_pid; 5005 5006 mutex_enter(&p->p_crlock); 5007 crhold(cr = p->p_cred); 5008 mutex_exit(&p->p_crlock); 5009 mutex_exit(&p->p_lock); 5010 5011 ainfo = crgetauinfo(cr); 5012 if (ainfo == NULL) { 5013 crfree(cr); 5014 return; 5015 } 5016 uid = crgetuid(cr); 5017 gid = crgetgid(cr); 5018 ruid = crgetruid(cr); 5019 rgid = crgetrgid(cr); 5020 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5021 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5022 crfree(cr); 5023 break; 5024 case AUE_DOORFS_DOOR_RETURN: 5025 /* 5026 * We may want to write information about 5027 * all doors (if any) which will be copied 5028 * by this call to the user space 5029 */ 5030 break; 5031 case AUE_DOORFS_DOOR_CREATE: 5032 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5033 break; 5034 case AUE_DOORFS_DOOR_REVOKE: 5035 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5036 break; 5037 case AUE_DOORFS_DOOR_INFO: 5038 break; 5039 case AUE_DOORFS_DOOR_CRED: 5040 break; 5041 case AUE_DOORFS_DOOR_BIND: 5042 break; 5043 case AUE_DOORFS_DOOR_UNBIND: { 5044 break; 5045 } 5046 default: /* illegal system call */ 5047 break; 5048 } 5049 } 5050 5051 /*ARGSUSED*/ 5052 static au_event_t 5053 aui_acl(au_event_t e) 5054 { 5055 struct a { 5056 union { 5057 long name; /* char */ 5058 long fd; 5059 } obj; 5060 5061 long cmd; 5062 long nentries; 5063 long arg; /* aclent_t */ 5064 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5065 5066 switch (uap->cmd) { 5067 case SETACL: 5068 /* ok, acl(SETACL, ...) and facl(SETACL, ...) are expected. */ 5069 break; 5070 case GETACL: 5071 case GETACLCNT: 5072 /* do nothing for these two values. */ 5073 e = AUE_NULL; 5074 break; 5075 default: 5076 /* illegal system call */ 5077 break; 5078 } 5079 5080 return (e); 5081 } 5082 5083 5084 /*ARGSUSED*/ 5085 static void 5086 aus_acl(struct t_audit_data *tad) 5087 { 5088 struct a { 5089 long fname; 5090 long cmd; 5091 long nentries; 5092 long aclbufp; 5093 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5094 struct acl *aclbufp; 5095 5096 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5097 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5098 5099 switch (uap->cmd) { 5100 case GETACL: 5101 case GETACLCNT: 5102 break; 5103 case SETACL: 5104 if (uap->nentries < 3) 5105 break; 5106 else { 5107 size_t a_size = uap->nentries * sizeof (struct acl); 5108 int i; 5109 5110 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5111 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5112 kmem_free(aclbufp, a_size); 5113 break; 5114 } 5115 for (i = 0; i < uap->nentries; i++) { 5116 au_uwrite(au_to_acl(aclbufp + i)); 5117 } 5118 kmem_free(aclbufp, a_size); 5119 break; 5120 } 5121 default: 5122 break; 5123 } 5124 } 5125 5126 /*ARGSUSED*/ 5127 static void 5128 aus_facl(struct t_audit_data *tad) 5129 { 5130 struct a { 5131 long fd; 5132 long cmd; 5133 long nentries; 5134 long aclbufp; 5135 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5136 struct file *fp; 5137 struct vnode *vp; 5138 struct f_audit_data *fad; 5139 struct acl *aclbufp; 5140 int fd; 5141 5142 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5143 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5144 5145 fd = (int)uap->fd; 5146 5147 if ((fp = getf(fd)) == NULL) 5148 return; 5149 5150 /* get path from file struct here */ 5151 fad = F2A(fp); 5152 if (fad->fad_aupath != NULL) { 5153 au_uwrite(au_to_path(fad->fad_aupath)); 5154 } else { 5155 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5156 } 5157 5158 vp = fp->f_vnode; 5159 audit_attributes(vp); 5160 5161 /* decrement file descriptor reference count */ 5162 releasef(fd); 5163 5164 switch (uap->cmd) { 5165 case GETACL: 5166 case GETACLCNT: 5167 break; 5168 case SETACL: 5169 if (uap->nentries < 3) 5170 break; 5171 else { 5172 size_t a_size = uap->nentries * sizeof (struct acl); 5173 int i; 5174 5175 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5176 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5177 kmem_free(aclbufp, a_size); 5178 break; 5179 } 5180 for (i = 0; i < uap->nentries; i++) { 5181 au_uwrite(au_to_acl(aclbufp + i)); 5182 } 5183 kmem_free(aclbufp, a_size); 5184 break; 5185 } 5186 default: 5187 break; 5188 } 5189 } 5190 5191 /*ARGSUSED*/ 5192 static void 5193 auf_read(tad, error, rval) 5194 struct t_audit_data *tad; 5195 int error; 5196 rval_t *rval; 5197 { 5198 struct file *fp; 5199 struct f_audit_data *fad; 5200 int fd; 5201 register struct a { 5202 long fd; 5203 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5204 au_kcontext_t *kctx = SET_KCTX_PZ; 5205 5206 fd = (int)uap->fd; 5207 5208 /* 5209 * convert file pointer to file descriptor 5210 * Note: fd ref count incremented here. 5211 */ 5212 if ((fp = getf(fd)) == NULL) 5213 return; 5214 5215 /* get path from file struct here */ 5216 fad = F2A(fp); 5217 ASSERT(fad); 5218 5219 /* 5220 * already processed this file for read attempt 5221 * 5222 * XXX might be better to turn off auditing in a aui_read() routine. 5223 */ 5224 if (fad->fad_flags & FAD_READ) { 5225 /* don't really want to audit every read attempt */ 5226 tad->tad_flag = 0; 5227 /* free any residual audit data */ 5228 au_close(kctx, &(u_ad), 0, 0, 0); 5229 releasef(fd); 5230 return; 5231 } 5232 /* mark things so we know what happened and don't repeat things */ 5233 fad->fad_flags |= FAD_READ; 5234 5235 if (fad->fad_aupath != NULL) { 5236 au_uwrite(au_to_path(fad->fad_aupath)); 5237 } else { 5238 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5239 } 5240 5241 /* include attributes */ 5242 audit_attributes(fp->f_vnode); 5243 5244 /* decrement file descriptor reference count */ 5245 releasef(fd); 5246 } 5247 5248 /*ARGSUSED*/ 5249 static void 5250 auf_write(tad, error, rval) 5251 struct t_audit_data *tad; 5252 int error; 5253 rval_t *rval; 5254 { 5255 struct file *fp; 5256 struct f_audit_data *fad; 5257 int fd; 5258 register struct a { 5259 long fd; 5260 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5261 au_kcontext_t *kctx = SET_KCTX_PZ; 5262 5263 fd = (int)uap->fd; 5264 5265 /* 5266 * convert file pointer to file descriptor 5267 * Note: fd ref count incremented here. 5268 */ 5269 if ((fp = getf(fd)) == NULL) 5270 return; 5271 5272 /* get path from file struct here */ 5273 fad = F2A(fp); 5274 ASSERT(fad); 5275 5276 /* 5277 * already processed this file for write attempt 5278 * 5279 * XXX might be better to turn off auditing in a aus_write() routine. 5280 */ 5281 if (fad->fad_flags & FAD_WRITE) { 5282 /* don't really want to audit every write attempt */ 5283 tad->tad_flag = 0; 5284 /* free any residual audit data */ 5285 au_close(kctx, &(u_ad), 0, 0, 0); 5286 releasef(fd); 5287 return; 5288 } 5289 /* mark things so we know what happened and don't repeat things */ 5290 fad->fad_flags |= FAD_WRITE; 5291 5292 if (fad->fad_aupath != NULL) { 5293 au_uwrite(au_to_path(fad->fad_aupath)); 5294 } else { 5295 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5296 } 5297 5298 /* include attributes */ 5299 audit_attributes(fp->f_vnode); 5300 5301 /* decrement file descriptor reference count */ 5302 releasef(fd); 5303 } 5304 5305 /*ARGSUSED*/ 5306 static void 5307 auf_recv(tad, error, rval) 5308 struct t_audit_data *tad; 5309 int error; 5310 rval_t *rval; 5311 { 5312 struct sonode *so; 5313 char so_laddr[sizeof (struct sockaddr_in6)]; 5314 char so_faddr[sizeof (struct sockaddr_in6)]; 5315 struct file *fp; 5316 struct f_audit_data *fad; 5317 int fd; 5318 int err; 5319 int len; 5320 short so_family, so_type; 5321 register struct a { 5322 long fd; 5323 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5324 au_kcontext_t *kctx = SET_KCTX_PZ; 5325 5326 /* 5327 * If there was an error, then nothing to do. Only generate 5328 * audit record on first successful recv. 5329 */ 5330 if (error) { 5331 /* Turn off audit record generation here. */ 5332 tad->tad_flag = 0; 5333 /* free any residual audit data */ 5334 au_close(kctx, &(u_ad), 0, 0, 0); 5335 return; 5336 } 5337 5338 fd = (int)uap->fd; 5339 5340 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5341 /* Turn off audit record generation here. */ 5342 tad->tad_flag = 0; 5343 /* free any residual audit data */ 5344 au_close(kctx, &(u_ad), 0, 0, 0); 5345 return; 5346 } 5347 5348 /* get path from file struct here */ 5349 fad = F2A(fp); 5350 ASSERT(fad); 5351 5352 /* 5353 * already processed this file for read attempt 5354 */ 5355 if (fad->fad_flags & FAD_READ) { 5356 releasef(fd); 5357 /* don't really want to audit every recv call */ 5358 tad->tad_flag = 0; 5359 /* free any residual audit data */ 5360 au_close(kctx, &(u_ad), 0, 0, 0); 5361 return; 5362 } 5363 5364 /* mark things so we know what happened and don't repeat things */ 5365 fad->fad_flags |= FAD_READ; 5366 5367 so_family = so->so_family; 5368 so_type = so->so_type; 5369 5370 switch (so_family) { 5371 case AF_INET: 5372 case AF_INET6: 5373 /* 5374 * Only for connections. 5375 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5376 */ 5377 if (so->so_state & SS_ISBOUND) { 5378 5379 bzero((void *)so_laddr, sizeof (so_laddr)); 5380 bzero((void *)so_faddr, sizeof (so_faddr)); 5381 5382 /* only done once on a connection */ 5383 (void) SOP_GETSOCKNAME(so); 5384 (void) SOP_GETPEERNAME(so); 5385 5386 /* get local and foreign addresses */ 5387 mutex_enter(&so->so_lock); 5388 len = min(so->so_laddr_len, sizeof (so_laddr)); 5389 bcopy(so->so_laddr_sa, so_laddr, len); 5390 len = min(so->so_faddr_len, sizeof (so_faddr)); 5391 bcopy(so->so_faddr_sa, so_faddr, len); 5392 mutex_exit(&so->so_lock); 5393 5394 /* 5395 * only way to drop out of switch. Note that we 5396 * we release fd below. 5397 */ 5398 5399 break; 5400 } 5401 5402 releasef(fd); 5403 5404 /* don't really want to audit every recv call */ 5405 tad->tad_flag = 0; 5406 /* free any residual audit data */ 5407 au_close(kctx, &(u_ad), 0, 0, 0); 5408 5409 return; 5410 5411 case AF_UNIX: 5412 5413 if (fad->fad_aupath != NULL) { 5414 au_uwrite(au_to_path(fad->fad_aupath)); 5415 } else { 5416 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5417 } 5418 5419 audit_attributes(fp->f_vnode); 5420 5421 releasef(fd); 5422 5423 return; 5424 5425 default: 5426 releasef(fd); 5427 5428 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5429 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5430 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5431 5432 return; 5433 } 5434 5435 releasef(fd); 5436 5437 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5438 5439 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5440 5441 } 5442 5443 /*ARGSUSED*/ 5444 static void 5445 auf_send(tad, error, rval) 5446 struct t_audit_data *tad; 5447 int error; 5448 rval_t *rval; 5449 { 5450 struct sonode *so; 5451 char so_laddr[sizeof (struct sockaddr_in6)]; 5452 char so_faddr[sizeof (struct sockaddr_in6)]; 5453 struct file *fp; 5454 struct f_audit_data *fad; 5455 int fd; 5456 int err; 5457 int len; 5458 short so_family, so_type; 5459 register struct a { 5460 long fd; 5461 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5462 au_kcontext_t *kctx = SET_KCTX_PZ; 5463 5464 fd = (int)uap->fd; 5465 5466 /* 5467 * If there was an error, then nothing to do. Only generate 5468 * audit record on first successful send. 5469 */ 5470 if (error != 0) { 5471 /* Turn off audit record generation here. */ 5472 tad->tad_flag = 0; 5473 /* free any residual audit data */ 5474 au_close(kctx, &(u_ad), 0, 0, 0); 5475 return; 5476 } 5477 5478 fd = (int)uap->fd; 5479 5480 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5481 /* Turn off audit record generation here. */ 5482 tad->tad_flag = 0; 5483 /* free any residual audit data */ 5484 au_close(kctx, &(u_ad), 0, 0, 0); 5485 return; 5486 } 5487 5488 /* get path from file struct here */ 5489 fad = F2A(fp); 5490 ASSERT(fad); 5491 5492 /* 5493 * already processed this file for write attempt 5494 */ 5495 if (fad->fad_flags & FAD_WRITE) { 5496 releasef(fd); 5497 /* don't really want to audit every send call */ 5498 tad->tad_flag = 0; 5499 /* free any residual audit data */ 5500 au_close(kctx, &(u_ad), 0, 0, 0); 5501 return; 5502 } 5503 5504 /* mark things so we know what happened and don't repeat things */ 5505 fad->fad_flags |= FAD_WRITE; 5506 5507 so_family = so->so_family; 5508 so_type = so->so_type; 5509 5510 switch (so_family) { 5511 case AF_INET: 5512 case AF_INET6: 5513 /* 5514 * Only for connections. 5515 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5516 */ 5517 if (so->so_state & SS_ISBOUND) { 5518 5519 bzero((void *)so_laddr, sizeof (so_laddr)); 5520 bzero((void *)so_faddr, sizeof (so_faddr)); 5521 5522 /* only done once on a connection */ 5523 (void) SOP_GETSOCKNAME(so); 5524 (void) SOP_GETPEERNAME(so); 5525 5526 /* get local and foreign addresses */ 5527 mutex_enter(&so->so_lock); 5528 len = min(so->so_laddr_len, sizeof (so_laddr)); 5529 bcopy(so->so_laddr_sa, so_laddr, len); 5530 len = min(so->so_faddr_len, sizeof (so_faddr)); 5531 bcopy(so->so_faddr_sa, so_faddr, len); 5532 mutex_exit(&so->so_lock); 5533 5534 /* 5535 * only way to drop out of switch. Note that we 5536 * we release fd below. 5537 */ 5538 5539 break; 5540 } 5541 5542 releasef(fd); 5543 /* don't really want to audit every send call */ 5544 tad->tad_flag = 0; 5545 /* free any residual audit data */ 5546 au_close(kctx, &(u_ad), 0, 0, 0); 5547 5548 return; 5549 5550 case AF_UNIX: 5551 5552 if (fad->fad_aupath != NULL) { 5553 au_uwrite(au_to_path(fad->fad_aupath)); 5554 } else { 5555 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5556 } 5557 5558 audit_attributes(fp->f_vnode); 5559 5560 releasef(fd); 5561 5562 return; 5563 5564 default: 5565 releasef(fd); 5566 5567 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5568 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5569 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5570 5571 return; 5572 } 5573 5574 releasef(fd); 5575 5576 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5577 5578 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5579 } 5580