1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <sys/tsol/label.h> 60 #include <sys/tsol/tndb.h> 61 #include <sys/tsol/tsyscall.h> 62 #include <c2/audit.h> 63 #include <c2/audit_kernel.h> 64 #include <c2/audit_kevents.h> 65 #include <c2/audit_record.h> 66 #include <sys/procset.h> 67 #include <nfs/mount.h> 68 #include <sys/param.h> 69 #include <sys/debug.h> 70 #include <sys/sysmacros.h> 71 #include <sys/stream.h> 72 #include <sys/strsubr.h> 73 #include <sys/stropts.h> 74 #include <sys/tihdr.h> 75 #include <sys/socket.h> 76 #include <sys/socketvar.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 int au_naevent; 83 char _depends_on[] = "fs/sockfs"; 84 85 static au_event_t aui_open(au_event_t); 86 static au_event_t aui_fsat(au_event_t); 87 static au_event_t aui_msgsys(au_event_t); 88 static au_event_t aui_shmsys(au_event_t); 89 static au_event_t aui_semsys(au_event_t); 90 static au_event_t aui_utssys(au_event_t); 91 static au_event_t aui_fcntl(au_event_t); 92 static au_event_t aui_execv(au_event_t); 93 static au_event_t aui_execve(au_event_t); 94 static au_event_t aui_memcntl(au_event_t); 95 static au_event_t aui_sysinfo(au_event_t); 96 static au_event_t aui_portfs(au_event_t); 97 static au_event_t aui_auditsys(au_event_t); 98 static au_event_t aui_modctl(au_event_t); 99 static au_event_t aui_acl(au_event_t); 100 static au_event_t aui_doorfs(au_event_t); 101 static au_event_t aui_privsys(au_event_t); 102 static au_event_t aui_forksys(au_event_t); 103 static au_event_t aui_labelsys(au_event_t); 104 105 static void aus_open(struct t_audit_data *); 106 static void aus_acl(struct t_audit_data *); 107 static void aus_acct(struct t_audit_data *); 108 static void aus_chown(struct t_audit_data *); 109 static void aus_fchown(struct t_audit_data *); 110 static void aus_lchown(struct t_audit_data *); 111 static void aus_chmod(struct t_audit_data *); 112 static void aus_facl(struct t_audit_data *); 113 static void aus_fchmod(struct t_audit_data *); 114 static void aus_fcntl(struct t_audit_data *); 115 static void aus_fsat(struct t_audit_data *); 116 static void aus_mkdir(struct t_audit_data *); 117 static void aus_mknod(struct t_audit_data *); 118 static void aus_mount(struct t_audit_data *); 119 static void aus_umount(struct t_audit_data *); 120 static void aus_umount2(struct t_audit_data *); 121 static void aus_msgsys(struct t_audit_data *); 122 static void aus_semsys(struct t_audit_data *); 123 static void aus_close(struct t_audit_data *); 124 static void aus_fstatfs(struct t_audit_data *); 125 static void aus_setgid(struct t_audit_data *); 126 static void aus_setuid(struct t_audit_data *); 127 static void aus_shmsys(struct t_audit_data *); 128 static void aus_doorfs(struct t_audit_data *); 129 static void aus_ioctl(struct t_audit_data *); 130 static void aus_memcntl(struct t_audit_data *); 131 static void aus_mmap(struct t_audit_data *); 132 static void aus_munmap(struct t_audit_data *); 133 static void aus_priocntlsys(struct t_audit_data *); 134 static void aus_setegid(struct t_audit_data *); 135 static void aus_setgroups(struct t_audit_data *); 136 static void aus_seteuid(struct t_audit_data *); 137 static void aus_putmsg(struct t_audit_data *); 138 static void aus_putpmsg(struct t_audit_data *); 139 static void aus_getmsg(struct t_audit_data *); 140 static void aus_getpmsg(struct t_audit_data *); 141 static void aus_auditsys(struct t_audit_data *); 142 static void aus_sysinfo(struct t_audit_data *); 143 static void aus_modctl(struct t_audit_data *); 144 static void aus_kill(struct t_audit_data *); 145 static void aus_xmknod(struct t_audit_data *); 146 static void aus_setregid(struct t_audit_data *); 147 static void aus_setreuid(struct t_audit_data *); 148 static void aus_labelsys(struct t_audit_data *); 149 150 static void auf_mknod(struct t_audit_data *, int, rval_t *); 151 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 152 static void auf_semsys(struct t_audit_data *, int, rval_t *); 153 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 154 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 155 static void auf_read(struct t_audit_data *, int, rval_t *); 156 static void auf_write(struct t_audit_data *, int, rval_t *); 157 158 static void aus_sigqueue(struct t_audit_data *); 159 static void aus_p_online(struct t_audit_data *); 160 static void aus_processor_bind(struct t_audit_data *); 161 static void aus_inst_sync(struct t_audit_data *); 162 static void aus_brandsys(struct t_audit_data *); 163 164 static void auf_accept(struct t_audit_data *, int, rval_t *); 165 166 static void auf_bind(struct t_audit_data *, int, rval_t *); 167 static void auf_connect(struct t_audit_data *, int, rval_t *); 168 static void aus_shutdown(struct t_audit_data *); 169 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 170 static void aus_sockconfig(struct t_audit_data *); 171 static void auf_recv(struct t_audit_data *, int, rval_t *); 172 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 173 static void auf_send(struct t_audit_data *, int, rval_t *); 174 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 175 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 176 static void auf_sendto(struct t_audit_data *, int, rval_t *); 177 static void aus_socket(struct t_audit_data *); 178 /* 179 * This table contains mapping information for converting system call numbers 180 * to audit event IDs. In several cases it is necessary to map a single system 181 * call to several events. 182 */ 183 184 #define aui_null NULL /* NULL initialize function */ 185 #define aus_null NULL /* NULL start function */ 186 #define auf_null NULL /* NULL finish function */ 187 188 struct audit_s2e audit_s2e[] = 189 { 190 /* 191 * ---------- ---------- ---------- ---------- 192 * INITIAL AUDIT START SYSTEM 193 * PROCESSING EVENT PROCESSING CALL 194 * ---------- ---------- ---------- ----------- 195 * FINISH EVENT 196 * PROCESSING CONTROL 197 * ---------------------------------------------------------- 198 */ 199 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 200 auf_null, 0, 201 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 202 auf_null, S2E_NPT, 203 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 204 auf_null, 0, 205 aui_null, AUE_READ, aus_null, /* 3 read */ 206 auf_read, S2E_PUB, 207 aui_null, AUE_WRITE, aus_null, /* 4 write */ 208 auf_write, 0, 209 aui_open, AUE_OPEN, aus_open, /* 5 open */ 210 auf_null, S2E_SP, 211 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 212 auf_null, 0, 213 aui_null, AUE_NULL, aus_null, /* 7 wait */ 214 auf_null, 0, 215 aui_null, AUE_CREAT, aus_null, /* 8 create */ 216 auf_null, S2E_SP, 217 aui_null, AUE_LINK, aus_null, /* 9 link */ 218 auf_null, 0, 219 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 220 auf_null, 0, 221 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 222 auf_null, S2E_MLD, 223 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 224 auf_null, S2E_SP, 225 aui_null, AUE_NULL, aus_null, /* 13 time */ 226 auf_null, 0, 227 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 228 auf_mknod, 0, 229 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 230 auf_null, 0, 231 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 232 auf_null, 0, 233 aui_null, AUE_NULL, aus_null, /* 17 brk */ 234 auf_null, 0, 235 aui_null, AUE_STAT, aus_null, /* 18 stat */ 236 auf_null, S2E_PUB, 237 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 238 auf_null, 0, 239 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 240 auf_null, 0, 241 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 242 auf_null, S2E_MLD, 243 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 244 auf_null, 0, 245 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 246 auf_null, 0, 247 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 248 auf_null, 0, 249 aui_null, AUE_STIME, aus_null, /* 25 stime */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 29 pause */ 258 auf_null, 0, 259 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 264 auf_null, 0, 265 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 266 auf_null, S2E_PUB, 267 aui_null, AUE_NICE, aus_null, /* 34 nice */ 268 auf_null, 0, 269 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 270 auf_null, S2E_PUB, 271 aui_null, AUE_NULL, aus_null, /* 36 sync */ 272 auf_null, 0, 273 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 274 auf_null, 0, 275 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 276 auf_null, S2E_PUB, 277 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 41 dup */ 282 auf_null, 0, 283 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 43 times */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 44 profil */ 288 auf_null, 0, 289 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 290 /* was proc lock */ 291 auf_null, 0, 292 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 293 auf_null, 0, 294 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 295 auf_null, 0, 296 aui_null, AUE_NULL, aus_null, /* 48 sig */ 297 auf_null, 0, 298 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 299 auf_msgsys, 0, 300 #if defined(__x86) 301 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 302 auf_null, 0, 303 #else 304 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 305 auf_null, 0, 306 #endif /* __x86 */ 307 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 308 auf_null, 0, 309 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 310 auf_shmsys, 0, 311 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 312 auf_semsys, 0, 313 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 314 auf_null, 0, 315 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 316 auf_null, 0, 317 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 318 auf_null, 0, 319 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 320 auf_null, 0, 321 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 322 auf_null, 0, 323 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 324 auf_null, S2E_MLD, 325 aui_null, AUE_NULL, aus_null, /* 60 umask */ 326 auf_null, 0, 327 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 328 auf_null, S2E_SP, 329 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 332 auf_null, 0, 333 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 334 auf_null, 0, 335 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 336 auf_null, 0, 337 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 338 auf_null, 0, 339 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 340 /* file locking call */ 341 auf_null, 0, 342 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 343 /* local system calls */ 344 auf_null, 0, 345 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 352 auf_null, 0, 353 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 354 auf_null, 0, 355 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 356 auf_null, 0, 357 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 358 /* was sigret (SunOS) */ 359 auf_null, 0, 360 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 363 auf_null, 0, 364 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 365 auf_null, 0, 366 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 367 auf_null, 0, 368 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 369 auf_null, 0, 370 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 371 auf_null, 0, 372 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 373 /* was libattach */ 374 auf_null, 0, 375 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 376 /* was libdetach */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 379 auf_null, 0, 380 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 381 auf_null, 0, 382 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 383 auf_null, 0, 384 aui_null, AUE_NULL, aus_null, /* 87 poll */ 385 auf_null, 0, 386 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 387 auf_null, S2E_PUB, 388 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 389 auf_null, 0, 390 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 391 auf_null, S2E_PUB, 392 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 395 auf_null, 0, 396 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 397 auf_null, 0, 398 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 411 auf_null, 0, 412 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 413 auf_null, 0, 414 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 415 /* was evtrapret */ 416 auf_null, 0, 417 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 418 auf_null, S2E_PUB, 419 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 422 auf_null, 0, 423 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 424 auf_null, 0, 425 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 426 auf_null, 0, 427 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 428 auf_null, 0, 429 #if defined(__x86) 430 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 431 auf_null, 0, 432 #else 433 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 434 auf_null, 0, 435 #endif /* __x86 */ 436 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 437 auf_null, 0, 438 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 439 auf_null, 0, 440 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 441 auf_null, 0, /* 112 priocntlsys */ 442 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 443 auf_null, S2E_PUB, 444 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 445 auf_null, 0, 446 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 447 auf_null, 0, 448 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 449 auf_null, 0, 450 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 451 auf_null, 0, 452 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 453 auf_null, 0, 454 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 455 auf_null, 0, 456 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 457 auf_null, 0, 458 aui_null, AUE_READ, aus_null, /* 121 readv */ 459 auf_read, S2E_PUB, 460 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 461 auf_write, 0, 462 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 463 auf_null, S2E_PUB, 464 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 465 auf_null, S2E_PUB, 466 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 467 auf_null, 0, 468 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 469 auf_xmknod, 0, 470 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 471 auf_null, 0, 472 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 473 auf_null, 0, 474 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 475 auf_null, 0, 476 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 477 auf_null, 0, 478 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 479 auf_null, 0, 480 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 481 auf_null, 0, 482 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 483 auf_null, 0, 484 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 485 auf_null, 0, 486 aui_null, AUE_NULL, aus_null, /* 135 uname */ 487 auf_null, 0, 488 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 489 auf_null, 0, 490 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 491 auf_null, 0, 492 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 493 auf_null, 0, 494 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 495 auf_null, 0, 496 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 497 auf_null, 0, 498 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 499 auf_null, 0, 500 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 501 auf_null, 0, 502 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 146 yield */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 517 auf_null, 0, 518 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 519 auf_null, 0, 520 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 521 auf_null, 0, 522 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 523 auf_null, 0, 524 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 547 /* was lwp_setprivate */ 548 auf_null, 0, 549 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 550 /* was lwp_getprivate */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 557 auf_null, 0, 558 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 559 auf_null, 0, 560 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 561 auf_null, 0, 562 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 563 auf_null, 0, 564 aui_null, AUE_READ, aus_null, /* 173 pread */ 565 auf_read, S2E_PUB, 566 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 567 auf_write, 0, 568 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 569 auf_null, 0, 570 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 571 /* aus_inst_sync */ 572 auf_null, 0, 573 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 580 auf_null, 0, 581 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 582 auf_null, 0, 583 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 584 auf_null, 0, 585 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 586 auf_null, 0, 587 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 588 auf_null, 0, 589 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 590 auf_null, 0, 591 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 592 auf_null, 0, 593 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 594 auf_null, 0, /* 187 processor_bind */ 595 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 596 auf_null, 0, 597 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 602 auf_null, 0, 603 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 616 auf_null, 0, 617 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 618 auf_null, 0, 619 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 620 auf_null, 0, 621 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 622 auf_null, 0, 623 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 624 auf_null, 0, 625 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 644 auf_null, 0, 645 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 646 auf_null, 0, 647 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 648 auf_null, 0, 649 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 652 auf_null, S2E_PUB, 653 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 654 auf_null, 0, 655 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 656 auf_null, S2E_PUB, 657 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 658 auf_null, 0, 659 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 660 auf_null, 0, 661 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 662 auf_null, 0, 663 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 664 auf_read, S2E_PUB, 665 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 666 auf_write, 0, 667 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 668 auf_null, S2E_SP, 669 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 670 auf_null, S2E_SP, 671 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 676 auf_null, 0, 677 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 678 auf_null, 0, 679 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 680 auf_null, 0, 681 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 682 auf_null, 0, 683 aui_null, AUE_BIND, aus_null, /* 232 bind */ 684 auf_bind, 0, 685 aui_null, AUE_NULL, aus_null, /* 233 listen */ 686 auf_null, 0, 687 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 688 auf_accept, 0, 689 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 690 auf_connect, 0, 691 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 692 auf_null, 0, 693 aui_null, AUE_READ, aus_null, /* 237 recv */ 694 auf_recv, 0, 695 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 696 auf_recvfrom, 0, 697 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 698 auf_recvmsg, 0, 699 aui_null, AUE_WRITE, aus_null, /* 240 send */ 700 auf_send, 0, 701 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 702 auf_sendmsg, 0, 703 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 704 auf_sendto, 0, 705 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 708 auf_null, 0, 709 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 710 auf_null, 0, 711 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 712 auf_setsockopt, 0, 713 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 716 auf_null, 0, 717 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 726 auf_null, 0, 727 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 728 auf_null, 0, 729 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 730 auf_null, 0 731 }; 732 733 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 734 735 736 /* acct start function */ 737 /*ARGSUSED*/ 738 static void 739 aus_acct(struct t_audit_data *tad) 740 { 741 klwp_t *clwp = ttolwp(curthread); 742 uintptr_t fname; 743 744 struct a { 745 long fname; /* char * */ 746 } *uap = (struct a *)clwp->lwp_ap; 747 748 fname = (uintptr_t)uap->fname; 749 750 if (fname == 0) 751 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 752 } 753 754 /* chown start function */ 755 /*ARGSUSED*/ 756 static void 757 aus_chown(struct t_audit_data *tad) 758 { 759 klwp_t *clwp = ttolwp(curthread); 760 uint32_t uid, gid; 761 762 struct a { 763 long fname; /* char * */ 764 long uid; 765 long gid; 766 } *uap = (struct a *)clwp->lwp_ap; 767 768 uid = (uint32_t)uap->uid; 769 gid = (uint32_t)uap->gid; 770 771 au_uwrite(au_to_arg32(2, "new file uid", uid)); 772 au_uwrite(au_to_arg32(3, "new file gid", gid)); 773 } 774 775 /* fchown start function */ 776 /*ARGSUSED*/ 777 static void 778 aus_fchown(struct t_audit_data *tad) 779 { 780 klwp_t *clwp = ttolwp(curthread); 781 uint32_t uid, gid, fd; 782 struct file *fp; 783 struct vnode *vp; 784 struct f_audit_data *fad; 785 786 struct a { 787 long fd; 788 long uid; 789 long gid; 790 } *uap = (struct a *)clwp->lwp_ap; 791 792 fd = (uint32_t)uap->fd; 793 uid = (uint32_t)uap->uid; 794 gid = (uint32_t)uap->gid; 795 796 au_uwrite(au_to_arg32(2, "new file uid", uid)); 797 au_uwrite(au_to_arg32(3, "new file gid", gid)); 798 799 /* 800 * convert file pointer to file descriptor 801 * Note: fd ref count incremented here. 802 */ 803 if ((fp = getf(fd)) == NULL) 804 return; 805 806 /* get path from file struct here */ 807 fad = F2A(fp); 808 if (fad->fad_aupath != NULL) { 809 au_uwrite(au_to_path(fad->fad_aupath)); 810 } else { 811 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 812 } 813 814 vp = fp->f_vnode; 815 audit_attributes(vp); 816 817 /* decrement file descriptor reference count */ 818 releasef(fd); 819 } 820 821 /*ARGSUSED*/ 822 static void 823 aus_lchown(struct t_audit_data *tad) 824 { 825 klwp_t *clwp = ttolwp(curthread); 826 uint32_t uid, gid; 827 828 829 struct a { 830 long fname; /* char * */ 831 long uid; 832 long gid; 833 } *uap = (struct a *)clwp->lwp_ap; 834 835 uid = (uint32_t)uap->uid; 836 gid = (uint32_t)uap->gid; 837 838 au_uwrite(au_to_arg32(2, "new file uid", uid)); 839 au_uwrite(au_to_arg32(3, "new file gid", gid)); 840 } 841 842 /* chmod start function */ 843 /*ARGSUSED*/ 844 static void 845 aus_chmod(struct t_audit_data *tad) 846 { 847 klwp_t *clwp = ttolwp(curthread); 848 uint32_t fmode; 849 850 struct a { 851 long fname; /* char * */ 852 long fmode; 853 } *uap = (struct a *)clwp->lwp_ap; 854 855 fmode = (uint32_t)uap->fmode; 856 857 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 858 } 859 860 /* chmod start function */ 861 /*ARGSUSED*/ 862 static void 863 aus_fchmod(struct t_audit_data *tad) 864 { 865 klwp_t *clwp = ttolwp(curthread); 866 uint32_t fmode, fd; 867 struct file *fp; 868 struct vnode *vp; 869 struct f_audit_data *fad; 870 871 struct a { 872 long fd; 873 long fmode; 874 } *uap = (struct a *)clwp->lwp_ap; 875 876 fd = (uint32_t)uap->fd; 877 fmode = (uint32_t)uap->fmode; 878 879 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 880 881 /* 882 * convert file pointer to file descriptor 883 * Note: fd ref count incremented here. 884 */ 885 if ((fp = getf(fd)) == NULL) 886 return; 887 888 /* get path from file struct here */ 889 fad = F2A(fp); 890 if (fad->fad_aupath != NULL) { 891 au_uwrite(au_to_path(fad->fad_aupath)); 892 } else { 893 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 894 } 895 896 vp = fp->f_vnode; 897 audit_attributes(vp); 898 899 /* decrement file descriptor reference count */ 900 releasef(fd); 901 } 902 903 904 /* convert open to appropriate event */ 905 static au_event_t 906 aui_open(au_event_t e) 907 { 908 klwp_t *clwp = ttolwp(curthread); 909 uint_t fm; 910 911 struct a { 912 long fnamep; /* char * */ 913 long fmode; 914 long cmode; 915 } *uap = (struct a *)clwp->lwp_ap; 916 917 fm = (uint_t)uap->fmode; 918 919 if (fm & O_WRONLY) 920 e = AUE_OPEN_W; 921 else if (fm & O_RDWR) 922 e = AUE_OPEN_RW; 923 else 924 e = AUE_OPEN_R; 925 926 if (fm & O_CREAT) 927 e += 1; 928 if (fm & O_TRUNC) 929 e += 2; 930 931 return (e); 932 } 933 934 /*ARGSUSED*/ 935 static void 936 aus_open(struct t_audit_data *tad) 937 { 938 klwp_t *clwp = ttolwp(curthread); 939 uint_t fm; 940 941 struct a { 942 long fnamep; /* char * */ 943 long fmode; 944 long cmode; 945 } *uap = (struct a *)clwp->lwp_ap; 946 947 fm = (uint_t)uap->fmode; 948 949 /* If no write, create, or trunc modes, mark as a public op */ 950 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 951 tad->tad_ctrl |= PAD_PUBLIC_EV; 952 } 953 954 /* convert openat(2) to appropriate event */ 955 static au_event_t 956 aui_fsat(au_event_t e) 957 { 958 t_audit_data_t *tad = U2A(u); 959 klwp_t *clwp = ttolwp(curthread); 960 uint_t fmcode, fm; 961 struct a { 962 long id; 963 long arg1; 964 long arg2; 965 long arg3; 966 long arg4; 967 long arg5; 968 } *uap = (struct a *)clwp->lwp_ap; 969 970 fmcode = (uint_t)uap->id; 971 972 switch (fmcode) { 973 974 case 0: /* openat */ 975 case 1: /* openat64 */ 976 fm = (uint_t)uap->arg3; 977 if (fm & O_WRONLY) 978 e = AUE_OPENAT_W; 979 else if (fm & O_RDWR) 980 e = AUE_OPENAT_RW; 981 else 982 e = AUE_OPENAT_R; 983 984 /* 985 * openat modes are defined in the following order: 986 * Read only 987 * Read|Create 988 * Read|Trunc 989 * Read|Create|Trunc 990 * Write Only 991 * Write|Create 992 * Write|Trunc 993 * Write|Create|Trunc * RW Only 994 * RW|Create 995 * RW|Trunc 996 * RW|Create|Trunc 997 */ 998 if (fm & O_CREAT) 999 e += 1; /* increment to include CREAT in mode */ 1000 if (fm & O_TRUNC) 1001 e += 2; /* increment to include TRUNC in mode */ 1002 1003 /* convert to appropriate au_ctrl */ 1004 tad->tad_ctrl |= PAD_SAVPATH; 1005 if (fm & FXATTR) 1006 tad->tad_ctrl |= PAD_ATPATH; 1007 1008 1009 break; 1010 case 2: /* fstatat64 */ 1011 case 3: /* fstatat */ 1012 e = AUE_FSTATAT; 1013 break; 1014 case 4: /* fchownat */ 1015 e = AUE_FCHOWNAT; 1016 break; 1017 case 5: /* unlinkat */ 1018 e = AUE_UNLINKAT; 1019 break; 1020 case 6: /* futimesat */ 1021 e = AUE_FUTIMESAT; 1022 break; 1023 case 7: /* renameat */ 1024 e = AUE_RENAMEAT; 1025 break; 1026 case 9: /* __openattrdirat */ 1027 tad->tad_ctrl |= PAD_SAVPATH; 1028 /*FALLTHROUGH*/ 1029 default: 1030 e = AUE_NULL; 1031 break; 1032 } 1033 1034 return (e); 1035 } 1036 1037 /*ARGSUSED*/ 1038 static void 1039 aus_fsat(struct t_audit_data *tad) 1040 { 1041 klwp_t *clwp = ttolwp(curthread); 1042 uint_t fmcode, fm; 1043 struct a { 1044 long id; 1045 long arg1; 1046 long arg2; 1047 long arg3; 1048 long arg4; 1049 long arg5; 1050 } *uap = (struct a *)clwp->lwp_ap; 1051 1052 fmcode = (uint_t)uap->id; 1053 1054 switch (fmcode) { 1055 1056 case 0: /* openat */ 1057 case 1: /* openat64 */ 1058 fm = (uint_t)uap->arg3; 1059 /* If no write, create, or trunc modes, mark as a public op */ 1060 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1061 tad->tad_ctrl |= PAD_PUBLIC_EV; 1062 1063 break; 1064 case 2: /* fstatat64 */ 1065 case 3: /* fstatat */ 1066 tad->tad_ctrl |= PAD_PUBLIC_EV; 1067 break; 1068 default: 1069 break; 1070 } 1071 } 1072 1073 /* msgsys */ 1074 static au_event_t 1075 aui_msgsys(au_event_t e) 1076 { 1077 klwp_t *clwp = ttolwp(curthread); 1078 uint_t fm; 1079 1080 struct a { 1081 long id; /* function code id */ 1082 long ap; /* arg pointer for recvmsg */ 1083 } *uap = (struct a *)clwp->lwp_ap; 1084 1085 struct b { 1086 long msgid; 1087 long cmd; 1088 long buf; /* struct msqid_ds * */ 1089 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1090 1091 fm = (uint_t)uap->id; 1092 1093 switch (fm) { 1094 case 0: /* msgget */ 1095 e = AUE_MSGGET; 1096 break; 1097 case 1: /* msgctl */ 1098 switch ((uint_t)uap1->cmd) { 1099 case IPC_RMID: 1100 e = AUE_MSGCTL_RMID; 1101 break; 1102 case IPC_SET: 1103 e = AUE_MSGCTL_SET; 1104 break; 1105 case IPC_STAT: 1106 e = AUE_MSGCTL_STAT; 1107 break; 1108 default: 1109 e = AUE_MSGCTL; 1110 break; 1111 } 1112 break; 1113 case 2: /* msgrcv */ 1114 e = AUE_MSGRCV; 1115 break; 1116 case 3: /* msgsnd */ 1117 e = AUE_MSGSND; 1118 break; 1119 default: /* illegal system call */ 1120 e = AUE_NULL; 1121 break; 1122 } 1123 1124 return (e); 1125 } 1126 1127 1128 /* shmsys */ 1129 static au_event_t 1130 aui_shmsys(au_event_t e) 1131 { 1132 klwp_t *clwp = ttolwp(curthread); 1133 int fm; 1134 1135 struct a { /* shmsys */ 1136 long id; /* function code id */ 1137 } *uap = (struct a *)clwp->lwp_ap; 1138 1139 struct b { /* ctrl */ 1140 long shmid; 1141 long cmd; 1142 long arg; /* struct shmid_ds * */ 1143 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1144 fm = (uint_t)uap->id; 1145 1146 switch (fm) { 1147 case 0: /* shmat */ 1148 e = AUE_SHMAT; 1149 break; 1150 case 1: /* shmctl */ 1151 switch ((uint_t)uap1->cmd) { 1152 case IPC_RMID: 1153 e = AUE_SHMCTL_RMID; 1154 break; 1155 case IPC_SET: 1156 e = AUE_SHMCTL_SET; 1157 break; 1158 case IPC_STAT: 1159 e = AUE_SHMCTL_STAT; 1160 break; 1161 default: 1162 e = AUE_SHMCTL; 1163 break; 1164 } 1165 break; 1166 case 2: /* shmdt */ 1167 e = AUE_SHMDT; 1168 break; 1169 case 3: /* shmget */ 1170 e = AUE_SHMGET; 1171 break; 1172 default: /* illegal system call */ 1173 e = AUE_NULL; 1174 break; 1175 } 1176 1177 return (e); 1178 } 1179 1180 1181 /* semsys */ 1182 static au_event_t 1183 aui_semsys(au_event_t e) 1184 { 1185 klwp_t *clwp = ttolwp(curthread); 1186 uint_t fm; 1187 1188 struct a { /* semsys */ 1189 long id; 1190 } *uap = (struct a *)clwp->lwp_ap; 1191 1192 struct b { /* ctrl */ 1193 long semid; 1194 long semnum; 1195 long cmd; 1196 long arg; 1197 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1198 1199 fm = (uint_t)uap->id; 1200 1201 switch (fm) { 1202 case 0: /* semctl */ 1203 switch ((uint_t)uap1->cmd) { 1204 case IPC_RMID: 1205 e = AUE_SEMCTL_RMID; 1206 break; 1207 case IPC_SET: 1208 e = AUE_SEMCTL_SET; 1209 break; 1210 case IPC_STAT: 1211 e = AUE_SEMCTL_STAT; 1212 break; 1213 case GETNCNT: 1214 e = AUE_SEMCTL_GETNCNT; 1215 break; 1216 case GETPID: 1217 e = AUE_SEMCTL_GETPID; 1218 break; 1219 case GETVAL: 1220 e = AUE_SEMCTL_GETVAL; 1221 break; 1222 case GETALL: 1223 e = AUE_SEMCTL_GETALL; 1224 break; 1225 case GETZCNT: 1226 e = AUE_SEMCTL_GETZCNT; 1227 break; 1228 case SETVAL: 1229 e = AUE_SEMCTL_SETVAL; 1230 break; 1231 case SETALL: 1232 e = AUE_SEMCTL_SETALL; 1233 break; 1234 default: 1235 e = AUE_SEMCTL; 1236 break; 1237 } 1238 break; 1239 case 1: /* semget */ 1240 e = AUE_SEMGET; 1241 break; 1242 case 2: /* semop */ 1243 e = AUE_SEMOP; 1244 break; 1245 default: /* illegal system call */ 1246 e = AUE_NULL; 1247 break; 1248 } 1249 1250 return (e); 1251 } 1252 1253 /* utssys - uname(2), ustat(2), fusers(2) */ 1254 static au_event_t 1255 aui_utssys(au_event_t e) 1256 { 1257 klwp_t *clwp = ttolwp(curthread); 1258 uint_t type; 1259 1260 struct a { 1261 union { 1262 long cbuf; /* char * */ 1263 long ubuf; /* struct stat * */ 1264 } ub; 1265 union { 1266 long mv; /* for USTAT */ 1267 long flags; /* for FUSERS */ 1268 } un; 1269 long type; 1270 long outbp; /* char * for FUSERS */ 1271 } *uap = (struct a *)clwp->lwp_ap; 1272 1273 type = (uint_t)uap->type; 1274 1275 if (type == UTS_FUSERS) 1276 return (e); 1277 else 1278 return ((au_event_t)AUE_NULL); 1279 } 1280 1281 static au_event_t 1282 aui_fcntl(au_event_t e) 1283 { 1284 klwp_t *clwp = ttolwp(curthread); 1285 uint_t cmd; 1286 1287 struct a { 1288 long fdes; 1289 long cmd; 1290 long arg; 1291 } *uap = (struct a *)clwp->lwp_ap; 1292 1293 cmd = (uint_t)uap->cmd; 1294 1295 switch (cmd) { 1296 case F_GETLK: 1297 case F_SETLK: 1298 case F_SETLKW: 1299 break; 1300 case F_SETFL: 1301 case F_GETFL: 1302 case F_GETFD: 1303 break; 1304 default: 1305 e = (au_event_t)AUE_NULL; 1306 break; 1307 } 1308 return ((au_event_t)e); 1309 } 1310 1311 /* null function for now */ 1312 static au_event_t 1313 aui_execv(au_event_t e) 1314 { 1315 return (e); 1316 } 1317 1318 /* null function for now */ 1319 static au_event_t 1320 aui_execve(au_event_t e) 1321 { 1322 return (e); 1323 } 1324 1325 /*ARGSUSED*/ 1326 static void 1327 aus_fcntl(struct t_audit_data *tad) 1328 { 1329 klwp_t *clwp = ttolwp(curthread); 1330 uint32_t cmd, fd; 1331 struct file *fp; 1332 struct vnode *vp; 1333 struct f_audit_data *fad; 1334 1335 struct a { 1336 long fd; 1337 long cmd; 1338 long arg; 1339 } *uap = (struct a *)clwp->lwp_ap; 1340 1341 cmd = (uint32_t)uap->cmd; 1342 fd = (uint32_t)uap->fd; 1343 1344 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1345 1346 /* 1347 * convert file pointer to file descriptor 1348 * Note: fd ref count incremented here. 1349 */ 1350 if ((fp = getf(fd)) == NULL) 1351 return; 1352 1353 /* get path from file struct here */ 1354 fad = F2A(fp); 1355 if (fad->fad_aupath != NULL) { 1356 au_uwrite(au_to_path(fad->fad_aupath)); 1357 } else { 1358 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1359 } 1360 1361 vp = fp->f_vnode; 1362 audit_attributes(vp); 1363 1364 /* decrement file descriptor reference count */ 1365 releasef(fd); 1366 } 1367 1368 /*ARGSUSED*/ 1369 static void 1370 aus_kill(struct t_audit_data *tad) 1371 { 1372 klwp_t *clwp = ttolwp(curthread); 1373 struct proc *p; 1374 uint32_t signo; 1375 uid_t uid, ruid; 1376 gid_t gid, rgid; 1377 pid_t pid; 1378 const auditinfo_addr_t *ainfo; 1379 cred_t *cr; 1380 1381 struct a { 1382 long pid; 1383 long signo; 1384 } *uap = (struct a *)clwp->lwp_ap; 1385 1386 pid = (pid_t)uap->pid; 1387 signo = (uint32_t)uap->signo; 1388 1389 au_uwrite(au_to_arg32(2, "signal", signo)); 1390 if (pid > 0) { 1391 mutex_enter(&pidlock); 1392 if (((p = prfind(pid)) == (struct proc *)0) || 1393 (p->p_stat == SIDL)) { 1394 mutex_exit(&pidlock); 1395 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1396 return; 1397 } 1398 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1399 mutex_exit(&pidlock); 1400 1401 mutex_enter(&p->p_crlock); 1402 crhold(cr = p->p_cred); 1403 mutex_exit(&p->p_crlock); 1404 mutex_exit(&p->p_lock); 1405 1406 ainfo = crgetauinfo(cr); 1407 if (ainfo == NULL) { 1408 crfree(cr); 1409 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1410 return; 1411 } 1412 1413 uid = crgetuid(cr); 1414 gid = crgetgid(cr); 1415 ruid = crgetruid(cr); 1416 rgid = crgetrgid(cr); 1417 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1418 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1419 1420 if (is_system_labeled()) 1421 au_uwrite(au_to_label(CR_SL(cr))); 1422 1423 crfree(cr); 1424 } 1425 else 1426 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1427 } 1428 1429 /*ARGSUSED*/ 1430 static void 1431 aus_mkdir(struct t_audit_data *tad) 1432 { 1433 klwp_t *clwp = ttolwp(curthread); 1434 uint32_t dmode; 1435 1436 struct a { 1437 long dirnamep; /* char * */ 1438 long dmode; 1439 } *uap = (struct a *)clwp->lwp_ap; 1440 1441 dmode = (uint32_t)uap->dmode; 1442 1443 au_uwrite(au_to_arg32(2, "mode", dmode)); 1444 } 1445 1446 /*ARGSUSED*/ 1447 static void 1448 aus_mknod(struct t_audit_data *tad) 1449 { 1450 klwp_t *clwp = ttolwp(curthread); 1451 uint32_t fmode; 1452 dev_t dev; 1453 1454 struct a { 1455 long pnamep; /* char * */ 1456 long fmode; 1457 long dev; 1458 } *uap = (struct a *)clwp->lwp_ap; 1459 1460 fmode = (uint32_t)uap->fmode; 1461 dev = (dev_t)uap->dev; 1462 1463 au_uwrite(au_to_arg32(2, "mode", fmode)); 1464 #ifdef _LP64 1465 au_uwrite(au_to_arg64(3, "dev", dev)); 1466 #else 1467 au_uwrite(au_to_arg32(3, "dev", dev)); 1468 #endif 1469 } 1470 1471 /*ARGSUSED*/ 1472 static void 1473 aus_xmknod(struct t_audit_data *tad) 1474 { 1475 klwp_t *clwp = ttolwp(curthread); 1476 uint32_t fmode; 1477 dev_t dev; 1478 1479 struct a { 1480 long version; /* version */ 1481 long pnamep; /* char * */ 1482 long fmode; 1483 long dev; 1484 } *uap = (struct a *)clwp->lwp_ap; 1485 1486 fmode = (uint32_t)uap->fmode; 1487 dev = (dev_t)uap->dev; 1488 1489 au_uwrite(au_to_arg32(2, "mode", fmode)); 1490 #ifdef _LP64 1491 au_uwrite(au_to_arg64(3, "dev", dev)); 1492 #else 1493 au_uwrite(au_to_arg32(3, "dev", dev)); 1494 #endif 1495 } 1496 1497 /*ARGSUSED*/ 1498 static void 1499 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1500 { 1501 klwp_t *clwp = ttolwp(curthread); 1502 vnode_t *dvp; 1503 caddr_t pnamep; 1504 1505 struct a { 1506 long pnamep; /* char * */ 1507 long fmode; 1508 long dev; 1509 } *uap = (struct a *)clwp->lwp_ap; 1510 1511 /* no error, then already path token in audit record */ 1512 if (error != EPERM) 1513 return; 1514 1515 /* not auditing this event, nothing then to do */ 1516 if (tad->tad_flag == 0) 1517 return; 1518 1519 /* do the lookup to force generation of path token */ 1520 pnamep = (caddr_t)uap->pnamep; 1521 tad->tad_ctrl |= PAD_NOATTRB; 1522 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1523 if (error == 0) 1524 VN_RELE(dvp); 1525 } 1526 1527 /*ARGSUSED*/ 1528 static void 1529 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1530 { 1531 klwp_t *clwp = ttolwp(curthread); 1532 vnode_t *dvp; 1533 caddr_t pnamep; 1534 1535 struct a { 1536 long version; /* version */ 1537 long pnamep; /* char * */ 1538 long fmode; 1539 long dev; 1540 } *uap = (struct a *)clwp->lwp_arg; 1541 1542 1543 /* no error, then already path token in audit record */ 1544 if (error != EPERM) 1545 return; 1546 1547 /* not auditing this event, nothing then to do */ 1548 if (tad->tad_flag == 0) 1549 return; 1550 1551 /* do the lookup to force generation of path token */ 1552 pnamep = (caddr_t)uap->pnamep; 1553 tad->tad_ctrl |= PAD_NOATTRB; 1554 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1555 if (error == 0) 1556 VN_RELE(dvp); 1557 } 1558 1559 /*ARGSUSED*/ 1560 static void 1561 aus_mount(struct t_audit_data *tad) 1562 { /* AUS_START */ 1563 klwp_t *clwp = ttolwp(curthread); 1564 uint32_t flags; 1565 uintptr_t u_fstype, dataptr; 1566 STRUCT_DECL(nfs_args, nfsargs); 1567 size_t len; 1568 char *fstype, *hostname; 1569 1570 struct a { 1571 long spec; /* char * */ 1572 long dir; /* char * */ 1573 long flags; 1574 long fstype; /* char * */ 1575 long dataptr; /* char * */ 1576 long datalen; 1577 } *uap = (struct a *)clwp->lwp_ap; 1578 1579 u_fstype = (uintptr_t)uap->fstype; 1580 flags = (uint32_t)uap->flags; 1581 dataptr = (uintptr_t)uap->dataptr; 1582 1583 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1584 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1585 goto mount_free_fstype; 1586 1587 au_uwrite(au_to_arg32(3, "flags", flags)); 1588 au_uwrite(au_to_text(fstype)); 1589 1590 if (strncmp(fstype, "nfs", 3) == 0) { 1591 1592 STRUCT_INIT(nfsargs, get_udatamodel()); 1593 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1594 1595 if (copyin((caddr_t)dataptr, 1596 STRUCT_BUF(nfsargs), 1597 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1598 /* DEBUG debug_enter((char *)NULL); */ 1599 goto mount_free_fstype; 1600 } 1601 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1602 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1603 (caddr_t)hostname, 1604 MAXNAMELEN, &len)) { 1605 goto mount_free_hostname; 1606 } 1607 au_uwrite(au_to_text(hostname)); 1608 au_uwrite(au_to_arg32(3, "internal flags", 1609 (uint_t)STRUCT_FGET(nfsargs, flags))); 1610 1611 mount_free_hostname: 1612 kmem_free(hostname, MAXNAMELEN); 1613 } 1614 1615 mount_free_fstype: 1616 kmem_free(fstype, MAXNAMELEN); 1617 } /* AUS_MOUNT */ 1618 1619 static void 1620 aus_umount_path(caddr_t umount_dir) 1621 { 1622 char *dir_path; 1623 struct audit_path *path; 1624 size_t path_len, dir_len; 1625 1626 /* length alloc'd for two string pointers */ 1627 path_len = sizeof (struct audit_path) + sizeof (char *); 1628 path = kmem_alloc(path_len, KM_SLEEP); 1629 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1630 1631 if (copyinstr(umount_dir, (caddr_t)dir_path, 1632 MAXPATHLEN, &dir_len)) 1633 goto umount2_free_dir; 1634 1635 /* 1636 * the audit_path struct assumes that the buffer pointed to 1637 * by audp_sect[n] contains string 0 immediatedly followed 1638 * by string 1. 1639 */ 1640 path->audp_sect[0] = dir_path; 1641 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1642 path->audp_size = path_len; 1643 path->audp_ref = 1; /* not used */ 1644 path->audp_cnt = 1; /* one path string */ 1645 1646 au_uwrite(au_to_path(path)); 1647 1648 umount2_free_dir: 1649 kmem_free(dir_path, MAXPATHLEN); 1650 kmem_free(path, path_len); 1651 } 1652 1653 /* 1654 * the umount syscall is implemented as a call to umount2, but the args 1655 * are different... 1656 */ 1657 1658 /*ARGSUSED*/ 1659 static void 1660 aus_umount(struct t_audit_data *tad) 1661 { 1662 klwp_t *clwp = ttolwp(curthread); 1663 struct a { 1664 long dir; /* char * */ 1665 } *uap = (struct a *)clwp->lwp_ap; 1666 1667 aus_umount_path((caddr_t)uap->dir); 1668 } 1669 1670 /*ARGSUSED*/ 1671 static void 1672 aus_umount2(struct t_audit_data *tad) 1673 { 1674 klwp_t *clwp = ttolwp(curthread); 1675 struct a { 1676 long dir; /* char * */ 1677 long flags; 1678 } *uap = (struct a *)clwp->lwp_ap; 1679 1680 aus_umount_path((caddr_t)uap->dir); 1681 1682 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1683 } 1684 1685 static void 1686 aus_msgsys(struct t_audit_data *tad) 1687 { 1688 klwp_t *clwp = ttolwp(curthread); 1689 uint32_t msgid; 1690 1691 struct b { 1692 long msgid; 1693 long cmd; 1694 long buf; /* struct msqid_ds * */ 1695 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1696 1697 msgid = (uint32_t)uap1->msgid; 1698 1699 1700 switch (tad->tad_event) { 1701 case AUE_MSGGET: /* msgget */ 1702 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1703 break; 1704 case AUE_MSGCTL: /* msgctl */ 1705 case AUE_MSGCTL_RMID: /* msgctl */ 1706 case AUE_MSGCTL_STAT: /* msgctl */ 1707 case AUE_MSGRCV: /* msgrcv */ 1708 case AUE_MSGSND: /* msgsnd */ 1709 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1710 break; 1711 case AUE_MSGCTL_SET: /* msgctl */ 1712 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1713 break; 1714 } 1715 } 1716 1717 /*ARGSUSED*/ 1718 static void 1719 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1720 { 1721 int id; 1722 1723 if (error != 0) 1724 return; 1725 if (tad->tad_event == AUE_MSGGET) { 1726 uint32_t scid; 1727 uint32_t sy_flags; 1728 1729 /* need to determine type of executing binary */ 1730 scid = tad->tad_scid; 1731 #ifdef _SYSCALL32_IMPL 1732 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1733 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1734 else 1735 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1736 #else 1737 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1738 #endif 1739 if (sy_flags == SE_32RVAL1) 1740 id = rval->r_val1; 1741 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1742 id = rval->r_val1; 1743 if (sy_flags == SE_64RVAL) 1744 id = (int)rval->r_vals; 1745 1746 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1747 } 1748 } 1749 1750 static void 1751 aus_semsys(struct t_audit_data *tad) 1752 { 1753 klwp_t *clwp = ttolwp(curthread); 1754 uint32_t semid; 1755 1756 struct b { /* ctrl */ 1757 long semid; 1758 long semnum; 1759 long cmd; 1760 long arg; 1761 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1762 1763 semid = (uint32_t)uap1->semid; 1764 1765 switch (tad->tad_event) { 1766 case AUE_SEMCTL_RMID: 1767 case AUE_SEMCTL_STAT: 1768 case AUE_SEMCTL_GETNCNT: 1769 case AUE_SEMCTL_GETPID: 1770 case AUE_SEMCTL_GETVAL: 1771 case AUE_SEMCTL_GETALL: 1772 case AUE_SEMCTL_GETZCNT: 1773 case AUE_SEMCTL_SETVAL: 1774 case AUE_SEMCTL_SETALL: 1775 case AUE_SEMCTL: 1776 case AUE_SEMOP: 1777 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1778 break; 1779 case AUE_SEMCTL_SET: 1780 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1781 break; 1782 case AUE_SEMGET: 1783 au_uwrite(au_to_arg32(1, "sem key", semid)); 1784 break; 1785 } 1786 } 1787 1788 /*ARGSUSED*/ 1789 static void 1790 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1791 { 1792 int id; 1793 1794 if (error != 0) 1795 return; 1796 if (tad->tad_event == AUE_SEMGET) { 1797 uint32_t scid; 1798 uint32_t sy_flags; 1799 1800 /* need to determine type of executing binary */ 1801 scid = tad->tad_scid; 1802 #ifdef _SYSCALL32_IMPL 1803 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1804 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1805 else 1806 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1807 #else 1808 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1809 #endif 1810 if (sy_flags == SE_32RVAL1) 1811 id = rval->r_val1; 1812 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1813 id = rval->r_val1; 1814 if (sy_flags == SE_64RVAL) 1815 id = (int)rval->r_vals; 1816 1817 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1818 } 1819 } 1820 1821 /*ARGSUSED*/ 1822 static void 1823 aus_close(struct t_audit_data *tad) 1824 { 1825 klwp_t *clwp = ttolwp(curthread); 1826 uint32_t fd; 1827 struct file *fp; 1828 struct f_audit_data *fad; 1829 struct vnode *vp; 1830 struct vattr attr; 1831 au_kcontext_t *kctx = GET_KCTX_PZ; 1832 1833 struct a { 1834 long i; 1835 } *uap = (struct a *)clwp->lwp_ap; 1836 1837 fd = (uint32_t)uap->i; 1838 1839 attr.va_mask = 0; 1840 au_uwrite(au_to_arg32(1, "fd", fd)); 1841 1842 /* 1843 * convert file pointer to file descriptor 1844 * Note: fd ref count incremented here. 1845 */ 1846 if ((fp = getf(fd)) == NULL) 1847 return; 1848 1849 fad = F2A(fp); 1850 tad->tad_evmod = (short)fad->fad_flags; 1851 if (fad->fad_aupath != NULL) { 1852 au_uwrite(au_to_path(fad->fad_aupath)); 1853 if ((vp = fp->f_vnode) != NULL) { 1854 attr.va_mask = AT_ALL; 1855 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1856 /* 1857 * When write was not used and the file can be 1858 * considered public, skip the audit. 1859 */ 1860 if (((fp->f_flag & FWRITE) == 0) && 1861 file_is_public(&attr)) { 1862 tad->tad_flag = 0; 1863 tad->tad_evmod = 0; 1864 /* free any residual audit data */ 1865 au_close(kctx, &(u_ad), 0, 0, 0); 1866 releasef(fd); 1867 return; 1868 } 1869 au_uwrite(au_to_attr(&attr)); 1870 audit_sec_attributes(&(u_ad), vp); 1871 } 1872 } 1873 } 1874 1875 /* decrement file descriptor reference count */ 1876 releasef(fd); 1877 } 1878 1879 /*ARGSUSED*/ 1880 static void 1881 aus_fstatfs(struct t_audit_data *tad) 1882 { 1883 klwp_t *clwp = ttolwp(curthread); 1884 uint32_t fd; 1885 struct file *fp; 1886 struct vnode *vp; 1887 struct f_audit_data *fad; 1888 1889 struct a { 1890 long fd; 1891 long buf; /* struct statfs * */ 1892 } *uap = (struct a *)clwp->lwp_ap; 1893 1894 fd = (uint_t)uap->fd; 1895 1896 /* 1897 * convert file pointer to file descriptor 1898 * Note: fd ref count incremented here. 1899 */ 1900 if ((fp = getf(fd)) == NULL) 1901 return; 1902 1903 /* get path from file struct here */ 1904 fad = F2A(fp); 1905 if (fad->fad_aupath != NULL) { 1906 au_uwrite(au_to_path(fad->fad_aupath)); 1907 } else { 1908 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1909 } 1910 1911 vp = fp->f_vnode; 1912 audit_attributes(vp); 1913 1914 /* decrement file descriptor reference count */ 1915 releasef(fd); 1916 } 1917 1918 #ifdef NOTYET 1919 /*ARGSUSED*/ 1920 static void 1921 aus_setpgrp(struct t_audit_data *tad) 1922 { 1923 klwp_t *clwp = ttolwp(curthread); 1924 uint32_t pgrp; 1925 struct proc *p; 1926 uid_t uid, ruid; 1927 gid_t gid, rgid; 1928 pid_t pid; 1929 const auditinfo_addr_t *ainfo; 1930 cred_t *cr; 1931 1932 struct a { 1933 long pid; 1934 long pgrp; 1935 } *uap = (struct a *)clwp->lwp_ap; 1936 1937 pid = (pid_t)uap->pid; 1938 pgrp = (uint32_t)uap->pgrp; 1939 1940 /* current process? */ 1941 if (pid == 0) 1942 (return); 1943 1944 mutex_enter(&pidlock); 1945 p = prfind(pid); 1946 if (p == NULL || p->p_as == &kas) { 1947 mutex_exit(&pidlock); 1948 return; 1949 } 1950 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1951 mutex_exit(&pidlock); 1952 1953 mutex_enter(&p->p_crlock); 1954 crhold(cr = p->p_cred); 1955 mutex_exit(&p->p_crlock); 1956 mutex_exit(&p->p_lock); 1957 1958 ainfo = crgetauinfo(cr); 1959 if (ainfo == NULL) { 1960 crfree(cr); 1961 return; 1962 } 1963 1964 uid = crgetuid(cr); 1965 gid = crgetgid(cr); 1966 ruid = crgetruid(cr); 1967 rgid = crgetrgid(cr); 1968 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1969 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1970 crfree(cr); 1971 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1972 } 1973 #endif 1974 1975 /*ARGSUSED*/ 1976 static void 1977 aus_setregid(struct t_audit_data *tad) 1978 { 1979 klwp_t *clwp = ttolwp(curthread); 1980 uint32_t rgid, egid; 1981 1982 struct a { 1983 long rgid; 1984 long egid; 1985 } *uap = (struct a *)clwp->lwp_ap; 1986 1987 rgid = (uint32_t)uap->rgid; 1988 egid = (uint32_t)uap->egid; 1989 1990 au_uwrite(au_to_arg32(1, "rgid", rgid)); 1991 au_uwrite(au_to_arg32(2, "egid", egid)); 1992 } 1993 1994 /*ARGSUSED*/ 1995 static void 1996 aus_setgid(struct t_audit_data *tad) 1997 { 1998 klwp_t *clwp = ttolwp(curthread); 1999 uint32_t gid; 2000 2001 struct a { 2002 long gid; 2003 } *uap = (struct a *)clwp->lwp_ap; 2004 2005 gid = (uint32_t)uap->gid; 2006 2007 au_uwrite(au_to_arg32(1, "gid", gid)); 2008 } 2009 2010 2011 /*ARGSUSED*/ 2012 static void 2013 aus_setreuid(struct t_audit_data *tad) 2014 { 2015 klwp_t *clwp = ttolwp(curthread); 2016 uint32_t ruid, euid; 2017 2018 struct a { 2019 long ruid; 2020 long euid; 2021 } *uap = (struct a *)clwp->lwp_ap; 2022 2023 ruid = (uint32_t)uap->ruid; 2024 euid = (uint32_t)uap->euid; 2025 2026 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2027 au_uwrite(au_to_arg32(2, "euid", euid)); 2028 } 2029 2030 2031 /*ARGSUSED*/ 2032 static void 2033 aus_setuid(struct t_audit_data *tad) 2034 { 2035 klwp_t *clwp = ttolwp(curthread); 2036 uint32_t uid; 2037 2038 struct a { 2039 long uid; 2040 } *uap = (struct a *)clwp->lwp_ap; 2041 2042 uid = (uint32_t)uap->uid; 2043 2044 au_uwrite(au_to_arg32(1, "uid", uid)); 2045 } 2046 2047 /*ARGSUSED*/ 2048 static void 2049 aus_shmsys(struct t_audit_data *tad) 2050 { 2051 klwp_t *clwp = ttolwp(curthread); 2052 uint32_t id, cmd; 2053 2054 struct b { 2055 long id; 2056 long cmd; 2057 long buf; /* struct shmid_ds * */ 2058 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2059 2060 id = (uint32_t)uap1->id; 2061 cmd = (uint32_t)uap1->cmd; 2062 2063 switch (tad->tad_event) { 2064 case AUE_SHMGET: /* shmget */ 2065 au_uwrite(au_to_arg32(1, "shm key", id)); 2066 break; 2067 case AUE_SHMCTL: /* shmctl */ 2068 case AUE_SHMCTL_RMID: /* shmctl */ 2069 case AUE_SHMCTL_STAT: /* shmctl */ 2070 case AUE_SHMCTL_SET: /* shmctl */ 2071 au_uwrite(au_to_arg32(1, "shm ID", id)); 2072 break; 2073 case AUE_SHMDT: /* shmdt */ 2074 au_uwrite(au_to_arg32(1, "shm adr", id)); 2075 break; 2076 case AUE_SHMAT: /* shmat */ 2077 au_uwrite(au_to_arg32(1, "shm ID", id)); 2078 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2079 break; 2080 } 2081 } 2082 2083 /*ARGSUSED*/ 2084 static void 2085 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2086 { 2087 int id; 2088 2089 if (error != 0) 2090 return; 2091 if (tad->tad_event == AUE_SHMGET) { 2092 uint32_t scid; 2093 uint32_t sy_flags; 2094 2095 /* need to determine type of executing binary */ 2096 scid = tad->tad_scid; 2097 #ifdef _SYSCALL32_IMPL 2098 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2099 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2100 else 2101 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2102 #else 2103 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2104 #endif 2105 if (sy_flags == SE_32RVAL1) 2106 id = rval->r_val1; 2107 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2108 id = rval->r_val1; 2109 if (sy_flags == SE_64RVAL) 2110 id = (int)rval->r_vals; 2111 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2112 } 2113 } 2114 2115 2116 /*ARGSUSED*/ 2117 static void 2118 aus_ioctl(struct t_audit_data *tad) 2119 { 2120 klwp_t *clwp = ttolwp(curthread); 2121 struct file *fp; 2122 struct vnode *vp; 2123 struct f_audit_data *fad; 2124 uint32_t fd, cmd; 2125 uintptr_t cmarg; 2126 2127 /* XX64 */ 2128 struct a { 2129 long fd; 2130 long cmd; 2131 long cmarg; /* caddr_t */ 2132 } *uap = (struct a *)clwp->lwp_ap; 2133 2134 fd = (uint32_t)uap->fd; 2135 cmd = (uint32_t)uap->cmd; 2136 cmarg = (uintptr_t)uap->cmarg; 2137 2138 /* 2139 * convert file pointer to file descriptor 2140 * Note: fd ref count incremented here. 2141 */ 2142 if ((fp = getf(fd)) == NULL) { 2143 au_uwrite(au_to_arg32(1, "fd", fd)); 2144 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2145 #ifndef _LP64 2146 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2147 #else 2148 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2149 #endif 2150 return; 2151 } 2152 2153 /* get path from file struct here */ 2154 fad = F2A(fp); 2155 if (fad->fad_aupath != NULL) { 2156 au_uwrite(au_to_path(fad->fad_aupath)); 2157 } else { 2158 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2159 } 2160 2161 vp = fp->f_vnode; 2162 audit_attributes(vp); 2163 2164 /* decrement file descriptor reference count */ 2165 releasef(fd); 2166 2167 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2168 #ifndef _LP64 2169 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2170 #else 2171 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2172 #endif 2173 } 2174 2175 /* 2176 * null function for memcntl for now. We might want to limit memcntl() 2177 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2178 * require privileges. 2179 */ 2180 static au_event_t 2181 aui_memcntl(au_event_t e) 2182 { 2183 return (e); 2184 } 2185 2186 /*ARGSUSED*/ 2187 static au_event_t 2188 aui_privsys(au_event_t e) 2189 { 2190 klwp_t *clwp = ttolwp(curthread); 2191 2192 struct a { 2193 long opcode; 2194 } *uap = (struct a *)clwp->lwp_ap; 2195 2196 switch (uap->opcode) { 2197 case PRIVSYS_SETPPRIV: 2198 return (AUE_SETPPRIV); 2199 default: 2200 return (AUE_NULL); 2201 } 2202 } 2203 2204 /*ARGSUSED*/ 2205 static void 2206 aus_memcntl(struct t_audit_data *tad) 2207 { 2208 klwp_t *clwp = ttolwp(curthread); 2209 2210 struct a { 2211 long addr; 2212 long len; 2213 long cmd; 2214 long arg; 2215 long attr; 2216 long mask; 2217 } *uap = (struct a *)clwp->lwp_ap; 2218 2219 #ifdef _LP64 2220 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2221 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2222 #else 2223 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2224 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2225 #endif 2226 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2227 #ifdef _LP64 2228 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2229 #else 2230 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2231 #endif 2232 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2233 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2234 } 2235 2236 /*ARGSUSED*/ 2237 static void 2238 aus_mmap(struct t_audit_data *tad) 2239 { 2240 klwp_t *clwp = ttolwp(curthread); 2241 struct file *fp; 2242 struct f_audit_data *fad; 2243 struct vnode *vp; 2244 uint32_t fd; 2245 2246 struct a { 2247 long addr; 2248 long len; 2249 long prot; 2250 long flags; 2251 long fd; 2252 long pos; 2253 } *uap = (struct a *)clwp->lwp_ap; 2254 2255 fd = (uint32_t)uap->fd; 2256 2257 #ifdef _LP64 2258 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2259 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2260 #else 2261 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2262 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2263 #endif 2264 2265 if ((fp = getf(fd)) == NULL) { 2266 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2267 return; 2268 } 2269 2270 /* 2271 * Mark in the tad if write access is NOT requested... if 2272 * this is later detected (in audit_attributes) to be a 2273 * public object, the mmap event may be discarded. 2274 */ 2275 if (((uap->prot) & PROT_WRITE) == 0) { 2276 tad->tad_ctrl |= PAD_PUBLIC_EV; 2277 } 2278 2279 fad = F2A(fp); 2280 if (fad->fad_aupath != NULL) { 2281 au_uwrite(au_to_path(fad->fad_aupath)); 2282 } else { 2283 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2284 } 2285 2286 vp = (struct vnode *)fp->f_vnode; 2287 audit_attributes(vp); 2288 2289 /* mark READ/WRITE since we can't predict access */ 2290 if (uap->prot & PROT_READ) 2291 fad->fad_flags |= FAD_READ; 2292 if (uap->prot & PROT_WRITE) 2293 fad->fad_flags |= FAD_WRITE; 2294 2295 /* decrement file descriptor reference count */ 2296 releasef(fd); 2297 2298 } /* AUS_MMAP */ 2299 2300 2301 2302 2303 /*ARGSUSED*/ 2304 static void 2305 aus_munmap(struct t_audit_data *tad) 2306 { 2307 klwp_t *clwp = ttolwp(curthread); 2308 2309 struct a { 2310 long addr; 2311 long len; 2312 } *uap = (struct a *)clwp->lwp_ap; 2313 2314 #ifdef _LP64 2315 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2316 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2317 #else 2318 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2319 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2320 #endif 2321 2322 } /* AUS_MUNMAP */ 2323 2324 2325 2326 2327 2328 2329 2330 /*ARGSUSED*/ 2331 static void 2332 aus_priocntlsys(struct t_audit_data *tad) 2333 { 2334 klwp_t *clwp = ttolwp(curthread); 2335 2336 struct a { 2337 long pc_version; 2338 long psp; /* procset_t */ 2339 long cmd; 2340 long arg; 2341 } *uap = (struct a *)clwp->lwp_ap; 2342 2343 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2344 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2345 2346 } /* AUS_PRIOCNTLSYS */ 2347 2348 2349 /*ARGSUSED*/ 2350 static void 2351 aus_setegid(struct t_audit_data *tad) 2352 { 2353 klwp_t *clwp = ttolwp(curthread); 2354 uint32_t gid; 2355 2356 struct a { 2357 long gid; 2358 } *uap = (struct a *)clwp->lwp_ap; 2359 2360 gid = (uint32_t)uap->gid; 2361 2362 au_uwrite(au_to_arg32(1, "gid", gid)); 2363 } /* AUS_SETEGID */ 2364 2365 2366 2367 2368 /*ARGSUSED*/ 2369 static void 2370 aus_setgroups(struct t_audit_data *tad) 2371 { 2372 klwp_t *clwp = ttolwp(curthread); 2373 int i; 2374 int gidsetsize; 2375 uintptr_t gidset; 2376 gid_t *gidlist; 2377 2378 struct a { 2379 long gidsetsize; 2380 long gidset; 2381 } *uap = (struct a *)clwp->lwp_ap; 2382 2383 gidsetsize = (uint_t)uap->gidsetsize; 2384 gidset = (uintptr_t)uap->gidset; 2385 2386 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2387 return; 2388 if (gidsetsize != 0) { 2389 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2390 KM_SLEEP); 2391 if (copyin((caddr_t)gidset, gidlist, 2392 gidsetsize * sizeof (gid_t)) == 0) 2393 for (i = 0; i < gidsetsize; i++) 2394 au_uwrite(au_to_arg32(1, "setgroups", 2395 (uint32_t)gidlist[i])); 2396 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2397 } else 2398 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2399 2400 } /* AUS_SETGROUPS */ 2401 2402 2403 2404 2405 2406 /*ARGSUSED*/ 2407 static void 2408 aus_seteuid(struct t_audit_data *tad) 2409 { 2410 klwp_t *clwp = ttolwp(curthread); 2411 uint32_t uid; 2412 2413 struct a { 2414 long uid; 2415 } *uap = (struct a *)clwp->lwp_ap; 2416 2417 uid = (uint32_t)uap->uid; 2418 2419 au_uwrite(au_to_arg32(1, "euid", uid)); 2420 2421 } /* AUS_SETEUID */ 2422 2423 /*ARGSUSED*/ 2424 static void 2425 aus_putmsg(struct t_audit_data *tad) 2426 { 2427 klwp_t *clwp = ttolwp(curthread); 2428 uint32_t fd, pri; 2429 struct file *fp; 2430 struct f_audit_data *fad; 2431 2432 struct a { 2433 long fdes; 2434 long ctl; /* struct strbuf * */ 2435 long data; /* struct strbuf * */ 2436 long pri; 2437 } *uap = (struct a *)clwp->lwp_ap; 2438 2439 fd = (uint32_t)uap->fdes; 2440 pri = (uint32_t)uap->pri; 2441 2442 au_uwrite(au_to_arg32(1, "fd", fd)); 2443 2444 if ((fp = getf(fd)) != NULL) { 2445 fad = F2A(fp); 2446 2447 fad->fad_flags |= FAD_WRITE; 2448 2449 /* add path name to audit record */ 2450 if (fad->fad_aupath != NULL) { 2451 au_uwrite(au_to_path(fad->fad_aupath)); 2452 } 2453 audit_attributes(fp->f_vnode); 2454 2455 releasef(fd); 2456 } 2457 2458 au_uwrite(au_to_arg32(4, "pri", pri)); 2459 } 2460 2461 /*ARGSUSED*/ 2462 static void 2463 aus_putpmsg(struct t_audit_data *tad) 2464 { 2465 klwp_t *clwp = ttolwp(curthread); 2466 uint32_t fd, pri, flags; 2467 struct file *fp; 2468 struct f_audit_data *fad; 2469 2470 struct a { 2471 long fdes; 2472 long ctl; /* struct strbuf * */ 2473 long data; /* struct strbuf * */ 2474 long pri; 2475 long flags; 2476 } *uap = (struct a *)clwp->lwp_ap; 2477 2478 fd = (uint32_t)uap->fdes; 2479 pri = (uint32_t)uap->pri; 2480 flags = (uint32_t)uap->flags; 2481 2482 au_uwrite(au_to_arg32(1, "fd", fd)); 2483 2484 if ((fp = getf(fd)) != NULL) { 2485 fad = F2A(fp); 2486 2487 fad->fad_flags |= FAD_WRITE; 2488 2489 /* add path name to audit record */ 2490 if (fad->fad_aupath != NULL) { 2491 au_uwrite(au_to_path(fad->fad_aupath)); 2492 } 2493 audit_attributes(fp->f_vnode); 2494 2495 releasef(fd); 2496 } 2497 2498 2499 au_uwrite(au_to_arg32(4, "pri", pri)); 2500 au_uwrite(au_to_arg32(5, "flags", flags)); 2501 } 2502 2503 /*ARGSUSED*/ 2504 static void 2505 aus_getmsg(struct t_audit_data *tad) 2506 { 2507 klwp_t *clwp = ttolwp(curthread); 2508 uint32_t fd, pri; 2509 struct file *fp; 2510 struct f_audit_data *fad; 2511 2512 struct a { 2513 long fdes; 2514 long ctl; /* struct strbuf * */ 2515 long data; /* struct strbuf * */ 2516 long pri; 2517 } *uap = (struct a *)clwp->lwp_ap; 2518 2519 fd = (uint32_t)uap->fdes; 2520 pri = (uint32_t)uap->pri; 2521 2522 au_uwrite(au_to_arg32(1, "fd", fd)); 2523 2524 if ((fp = getf(fd)) != NULL) { 2525 fad = F2A(fp); 2526 2527 /* 2528 * read operation on this object 2529 */ 2530 fad->fad_flags |= FAD_READ; 2531 2532 /* add path name to audit record */ 2533 if (fad->fad_aupath != NULL) { 2534 au_uwrite(au_to_path(fad->fad_aupath)); 2535 } 2536 audit_attributes(fp->f_vnode); 2537 2538 releasef(fd); 2539 } 2540 2541 au_uwrite(au_to_arg32(4, "pri", pri)); 2542 } 2543 2544 /*ARGSUSED*/ 2545 static void 2546 aus_getpmsg(struct t_audit_data *tad) 2547 { 2548 klwp_t *clwp = ttolwp(curthread); 2549 uint32_t fd; 2550 struct file *fp; 2551 struct f_audit_data *fad; 2552 2553 struct a { 2554 long fdes; 2555 long ctl; /* struct strbuf * */ 2556 long data; /* struct strbuf * */ 2557 long pri; 2558 long flags; 2559 } *uap = (struct a *)clwp->lwp_ap; 2560 2561 fd = (uint32_t)uap->fdes; 2562 2563 au_uwrite(au_to_arg32(1, "fd", fd)); 2564 2565 if ((fp = getf(fd)) != NULL) { 2566 fad = F2A(fp); 2567 2568 /* 2569 * read operation on this object 2570 */ 2571 fad->fad_flags |= FAD_READ; 2572 2573 /* add path name to audit record */ 2574 if (fad->fad_aupath != NULL) { 2575 au_uwrite(au_to_path(fad->fad_aupath)); 2576 } 2577 audit_attributes(fp->f_vnode); 2578 2579 releasef(fd); 2580 } 2581 } 2582 2583 static au_event_t 2584 aui_labelsys(au_event_t e) 2585 { 2586 klwp_t *clwp = ttolwp(curthread); 2587 uint32_t code; 2588 uint32_t cmd; 2589 2590 struct a { 2591 long code; 2592 long cmd; 2593 } *uap = (struct a *)clwp->lwp_ap; 2594 2595 code = (uint32_t)uap->code; 2596 cmd = (uint32_t)uap->cmd; 2597 2598 /* not security relevant if not changing kernel cache */ 2599 if (cmd == TNDB_GET) 2600 return (NULL); 2601 2602 switch (code) { 2603 case TSOL_TNRH: 2604 e = AUE_LABELSYS_TNRH; 2605 break; 2606 case TSOL_TNRHTP: 2607 e = AUE_LABELSYS_TNRHTP; 2608 break; 2609 case TSOL_TNMLP: 2610 e = AUE_LABELSYS_TNMLP; 2611 break; 2612 default: 2613 e = AUE_NULL; 2614 break; 2615 } 2616 2617 return (e); 2618 2619 } 2620 2621 /*ARGSUSED*/ 2622 static void 2623 aus_labelsys(struct t_audit_data *tad) 2624 { 2625 klwp_t *clwp = ttolwp(curthread); 2626 uint32_t cmd; 2627 uintptr_t a2; 2628 2629 struct a { 2630 long code; 2631 long cmd; 2632 long a2; 2633 } *uap = (struct a *)clwp->lwp_ap; 2634 2635 cmd = (uint32_t)uap->cmd; 2636 a2 = (uintptr_t)uap->a2; 2637 2638 switch (tad->tad_event) { 2639 case AUE_LABELSYS_TNRH: 2640 { 2641 tsol_rhent_t *rhent; 2642 tnaddr_t *rh_addr; 2643 2644 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2645 2646 /* Remaining args don't apply for FLUSH, so skip */ 2647 if (cmd == TNDB_FLUSH) 2648 break; 2649 2650 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2651 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2652 kmem_free(rhent, sizeof (tsol_rhent_t)); 2653 return; 2654 } 2655 2656 rh_addr = &rhent->rh_address; 2657 if (rh_addr->ta_family == AF_INET) { 2658 struct in_addr *ipaddr; 2659 2660 ipaddr = &(rh_addr->ta_addr_v4); 2661 au_uwrite(au_to_in_addr(ipaddr)); 2662 } else if (rh_addr->ta_family == AF_INET6) { 2663 int32_t *ipaddr; 2664 2665 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2666 au_uwrite(au_to_in_addr_ex(ipaddr)); 2667 } 2668 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2669 2670 kmem_free(rhent, sizeof (tsol_rhent_t)); 2671 2672 break; 2673 } 2674 case AUE_LABELSYS_TNRHTP: 2675 { 2676 tsol_tpent_t *tpent; 2677 2678 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2679 2680 /* Remaining args don't apply for FLUSH, so skip */ 2681 if (cmd == TNDB_FLUSH) 2682 break; 2683 2684 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2685 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2686 kmem_free(tpent, sizeof (tsol_tpent_t)); 2687 return; 2688 } 2689 2690 au_uwrite(au_to_text(tpent->name)); 2691 kmem_free(tpent, sizeof (tsol_tpent_t)); 2692 2693 break; 2694 } 2695 case AUE_LABELSYS_TNMLP: 2696 { 2697 tsol_mlpent_t *mlpent; 2698 2699 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2700 2701 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2702 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2703 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2704 return; 2705 } 2706 2707 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2708 au_uwrite(au_to_text("shared")); 2709 } else { 2710 zone_t *zone; 2711 2712 zone = zone_find_by_id(mlpent->tsme_zoneid); 2713 if (zone != NULL) { 2714 au_uwrite(au_to_text(zone->zone_name)); 2715 zone_rele(zone); 2716 } 2717 } 2718 2719 /* Remaining args don't apply for FLUSH, so skip */ 2720 if (cmd == TNDB_FLUSH) { 2721 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2722 break; 2723 } 2724 2725 au_uwrite(au_to_arg32(2, "proto num", 2726 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2727 au_uwrite(au_to_arg32(2, "mlp_port", 2728 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2729 2730 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2731 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2732 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2733 2734 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2735 2736 break; 2737 } 2738 default: 2739 break; 2740 } 2741 } 2742 2743 2744 static au_event_t 2745 aui_auditsys(au_event_t e) 2746 { 2747 klwp_t *clwp = ttolwp(curthread); 2748 uint32_t code; 2749 2750 struct a { 2751 long code; 2752 long a1; 2753 long a2; 2754 long a3; 2755 long a4; 2756 long a5; 2757 long a6; 2758 long a7; 2759 } *uap = (struct a *)clwp->lwp_ap; 2760 2761 code = (uint32_t)uap->code; 2762 2763 switch (code) { 2764 2765 case BSM_GETAUID: 2766 e = AUE_GETAUID; 2767 break; 2768 case BSM_SETAUID: 2769 e = AUE_SETAUID; 2770 break; 2771 case BSM_GETAUDIT: 2772 e = AUE_GETAUDIT; 2773 break; 2774 case BSM_GETAUDIT_ADDR: 2775 e = AUE_GETAUDIT_ADDR; 2776 break; 2777 case BSM_SETAUDIT: 2778 e = AUE_SETAUDIT; 2779 break; 2780 case BSM_SETAUDIT_ADDR: 2781 e = AUE_SETAUDIT_ADDR; 2782 break; 2783 case BSM_AUDIT: 2784 e = AUE_AUDIT; 2785 break; 2786 case BSM_GETPORTAUDIT: 2787 e = AUE_GETPORTAUDIT; 2788 break; 2789 case BSM_AUDITON: 2790 case BSM_AUDITCTL: 2791 2792 switch ((uint_t)uap->a1) { 2793 2794 case A_GETPOLICY: 2795 e = AUE_AUDITON_GPOLICY; 2796 break; 2797 case A_SETPOLICY: 2798 e = AUE_AUDITON_SPOLICY; 2799 break; 2800 case A_GETKMASK: 2801 e = AUE_AUDITON_GETKMASK; 2802 break; 2803 case A_SETKMASK: 2804 e = AUE_AUDITON_SETKMASK; 2805 break; 2806 case A_GETQCTRL: 2807 e = AUE_AUDITON_GQCTRL; 2808 break; 2809 case A_SETQCTRL: 2810 e = AUE_AUDITON_SQCTRL; 2811 break; 2812 case A_GETCWD: 2813 e = AUE_AUDITON_GETCWD; 2814 break; 2815 case A_GETCAR: 2816 e = AUE_AUDITON_GETCAR; 2817 break; 2818 case A_GETSTAT: 2819 e = AUE_AUDITON_GETSTAT; 2820 break; 2821 case A_SETSTAT: 2822 e = AUE_AUDITON_SETSTAT; 2823 break; 2824 case A_SETUMASK: 2825 e = AUE_AUDITON_SETUMASK; 2826 break; 2827 case A_SETSMASK: 2828 e = AUE_AUDITON_SETSMASK; 2829 break; 2830 case A_GETCOND: 2831 e = AUE_AUDITON_GETCOND; 2832 break; 2833 case A_SETCOND: 2834 e = AUE_AUDITON_SETCOND; 2835 break; 2836 case A_GETCLASS: 2837 e = AUE_AUDITON_GETCLASS; 2838 break; 2839 case A_SETCLASS: 2840 e = AUE_AUDITON_SETCLASS; 2841 break; 2842 default: 2843 e = AUE_NULL; 2844 break; 2845 } 2846 break; 2847 default: 2848 e = AUE_NULL; 2849 break; 2850 } 2851 2852 return (e); 2853 2854 } /* AUI_AUDITSYS */ 2855 2856 2857 static void 2858 aus_auditsys(struct t_audit_data *tad) 2859 { 2860 klwp_t *clwp = ttolwp(curthread); 2861 uintptr_t a1, a2; 2862 STRUCT_DECL(auditinfo, ainfo); 2863 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2864 au_evclass_map_t event; 2865 au_mask_t mask; 2866 int auditstate, policy; 2867 au_id_t auid; 2868 2869 2870 struct a { 2871 long code; 2872 long a1; 2873 long a2; 2874 long a3; 2875 long a4; 2876 long a5; 2877 long a6; 2878 long a7; 2879 } *uap = (struct a *)clwp->lwp_ap; 2880 2881 a1 = (uintptr_t)uap->a1; 2882 a2 = (uintptr_t)uap->a2; 2883 2884 switch (tad->tad_event) { 2885 case AUE_SETAUID: 2886 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2887 return; 2888 au_uwrite(au_to_arg32(2, "setauid", auid)); 2889 break; 2890 case AUE_SETAUDIT: 2891 STRUCT_INIT(ainfo, get_udatamodel()); 2892 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2893 STRUCT_SIZE(ainfo))) { 2894 return; 2895 } 2896 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2897 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2898 #ifdef _LP64 2899 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2900 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2901 #else 2902 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2903 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2904 #endif 2905 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2906 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2907 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2908 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2909 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2910 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2911 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2912 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2913 break; 2914 case AUE_SETAUDIT_ADDR: 2915 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2916 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2917 STRUCT_SIZE(ainfo_addr))) { 2918 return; 2919 } 2920 au_uwrite(au_to_arg32((char)1, "auid", 2921 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2922 #ifdef _LP64 2923 au_uwrite(au_to_arg64((char)1, "port", 2924 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2925 #else 2926 au_uwrite(au_to_arg32((char)1, "port", 2927 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2928 #endif 2929 au_uwrite(au_to_arg32((char)1, "type", 2930 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2931 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2932 AU_IPv4) { 2933 au_uwrite(au_to_in_addr( 2934 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2935 ai_termid.at_addr))); 2936 } else { 2937 au_uwrite(au_to_in_addr_ex( 2938 (int32_t *)STRUCT_FGETP(ainfo_addr, 2939 ai_termid.at_addr))); 2940 } 2941 au_uwrite(au_to_arg32((char)1, "as_success", 2942 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2943 au_uwrite(au_to_arg32((char)1, "as_failure", 2944 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2945 au_uwrite(au_to_arg32((char)1, "asid", 2946 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2947 break; 2948 case AUE_AUDITON_SETKMASK: 2949 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2950 return; 2951 au_uwrite(au_to_arg32( 2952 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2953 au_uwrite(au_to_arg32( 2954 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2955 break; 2956 case AUE_AUDITON_SPOLICY: 2957 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2958 return; 2959 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2960 break; 2961 case AUE_AUDITON_SQCTRL: { 2962 STRUCT_DECL(au_qctrl, qctrl); 2963 model_t model; 2964 2965 model = get_udatamodel(); 2966 STRUCT_INIT(qctrl, model); 2967 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2968 return; 2969 if (model == DATAMODEL_ILP32) { 2970 au_uwrite(au_to_arg32( 2971 3, "setqctrl:aq_hiwater", 2972 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2973 au_uwrite(au_to_arg32( 2974 3, "setqctrl:aq_lowater", 2975 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2976 au_uwrite(au_to_arg32( 2977 3, "setqctrl:aq_bufsz", 2978 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2979 au_uwrite(au_to_arg32( 2980 3, "setqctrl:aq_delay", 2981 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2982 } else { 2983 au_uwrite(au_to_arg64( 2984 3, "setqctrl:aq_hiwater", 2985 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2986 au_uwrite(au_to_arg64( 2987 3, "setqctrl:aq_lowater", 2988 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2989 au_uwrite(au_to_arg64( 2990 3, "setqctrl:aq_bufsz", 2991 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2992 au_uwrite(au_to_arg64( 2993 3, "setqctrl:aq_delay", 2994 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2995 } 2996 break; 2997 } 2998 case AUE_AUDITON_SETUMASK: 2999 STRUCT_INIT(ainfo, get_udatamodel()); 3000 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3001 STRUCT_SIZE(ainfo))) { 3002 return; 3003 } 3004 au_uwrite(au_to_arg32(3, "setumask:as_success", 3005 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3006 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3007 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3008 break; 3009 case AUE_AUDITON_SETSMASK: 3010 STRUCT_INIT(ainfo, get_udatamodel()); 3011 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3012 STRUCT_SIZE(ainfo))) { 3013 return; 3014 } 3015 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3016 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3017 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3018 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3019 break; 3020 case AUE_AUDITON_SETCOND: 3021 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3022 return; 3023 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3024 break; 3025 case AUE_AUDITON_SETCLASS: 3026 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3027 return; 3028 au_uwrite(au_to_arg32( 3029 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3030 au_uwrite(au_to_arg32( 3031 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3032 break; 3033 case AUE_GETAUID: 3034 case AUE_GETAUDIT: 3035 case AUE_GETAUDIT_ADDR: 3036 case AUE_AUDIT: 3037 case AUE_GETPORTAUDIT: 3038 case AUE_AUDITON_GPOLICY: 3039 case AUE_AUDITON_GQCTRL: 3040 case AUE_AUDITON_GETKMASK: 3041 case AUE_AUDITON_GETCWD: 3042 case AUE_AUDITON_GETCAR: 3043 case AUE_AUDITON_GETSTAT: 3044 case AUE_AUDITON_SETSTAT: 3045 case AUE_AUDITON_GETCOND: 3046 case AUE_AUDITON_GETCLASS: 3047 break; 3048 default: 3049 break; 3050 } 3051 3052 } /* AUS_AUDITSYS */ 3053 3054 3055 /* only audit privileged operations for systeminfo(2) system call */ 3056 static au_event_t 3057 aui_sysinfo(au_event_t e) 3058 { 3059 klwp_t *clwp = ttolwp(curthread); 3060 uint32_t command; 3061 3062 struct a { 3063 long command; 3064 long buf; /* char * */ 3065 long count; 3066 } *uap = (struct a *)clwp->lwp_ap; 3067 3068 command = (uint32_t)uap->command; 3069 3070 switch (command) { 3071 case SI_SET_HOSTNAME: 3072 case SI_SET_SRPC_DOMAIN: 3073 e = (au_event_t)AUE_SYSINFO; 3074 break; 3075 default: 3076 e = (au_event_t)AUE_NULL; 3077 break; 3078 } 3079 return (e); 3080 } 3081 3082 /*ARGSUSED*/ 3083 static void 3084 aus_sysinfo(struct t_audit_data *tad) 3085 { 3086 klwp_t *clwp = ttolwp(curthread); 3087 uint32_t command; 3088 size_t len, maxlen; 3089 char *name; 3090 uintptr_t buf; 3091 3092 struct a { 3093 long command; 3094 long buf; /* char * */ 3095 long count; 3096 } *uap = (struct a *)clwp->lwp_ap; 3097 3098 command = (uint32_t)uap->command; 3099 buf = (uintptr_t)uap->buf; 3100 3101 au_uwrite(au_to_arg32(1, "cmd", command)); 3102 3103 switch (command) { 3104 case SI_SET_HOSTNAME: 3105 { 3106 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3107 return; 3108 3109 maxlen = SYS_NMLN; 3110 name = kmem_alloc(maxlen, KM_SLEEP); 3111 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3112 break; 3113 3114 /* 3115 * Must be non-NULL string and string 3116 * must be less than SYS_NMLN chars. 3117 */ 3118 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3119 break; 3120 3121 au_uwrite(au_to_text(name)); 3122 break; 3123 } 3124 3125 case SI_SET_SRPC_DOMAIN: 3126 { 3127 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3128 return; 3129 3130 maxlen = SYS_NMLN; 3131 name = kmem_alloc(maxlen, KM_SLEEP); 3132 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3133 break; 3134 3135 /* 3136 * If string passed in is longer than length 3137 * allowed for domain name, fail. 3138 */ 3139 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3140 break; 3141 3142 au_uwrite(au_to_text(name)); 3143 break; 3144 } 3145 3146 default: 3147 return; 3148 } 3149 3150 kmem_free(name, maxlen); 3151 } 3152 3153 static au_event_t 3154 aui_modctl(au_event_t e) 3155 { 3156 klwp_t *clwp = ttolwp(curthread); 3157 uint_t cmd; 3158 3159 struct a { 3160 long cmd; 3161 } *uap = (struct a *)clwp->lwp_ap; 3162 3163 cmd = (uint_t)uap->cmd; 3164 3165 switch (cmd) { 3166 case MODLOAD: 3167 e = AUE_MODLOAD; 3168 break; 3169 case MODUNLOAD: 3170 e = AUE_MODUNLOAD; 3171 break; 3172 case MODADDMAJBIND: 3173 e = AUE_MODADDMAJ; 3174 break; 3175 case MODSETDEVPOLICY: 3176 e = AUE_MODDEVPLCY; 3177 break; 3178 case MODALLOCPRIV: 3179 e = AUE_MODADDPRIV; 3180 break; 3181 default: 3182 e = AUE_NULL; 3183 break; 3184 } 3185 return (e); 3186 } 3187 3188 3189 /*ARGSUSED*/ 3190 static void 3191 aus_modctl(struct t_audit_data *tad) 3192 { 3193 klwp_t *clwp = ttolwp(curthread); 3194 void *a = clwp->lwp_ap; 3195 uint_t use_path; 3196 3197 switch (tad->tad_event) { 3198 case AUE_MODLOAD: { 3199 typedef struct { 3200 long cmd; 3201 long use_path; 3202 long filename; /* char * */ 3203 } modloada_t; 3204 3205 char *filenamep; 3206 uintptr_t fname; 3207 extern char *default_path; 3208 3209 fname = (uintptr_t)((modloada_t *)a)->filename; 3210 use_path = (uint_t)((modloada_t *)a)->use_path; 3211 3212 /* space to hold path */ 3213 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3214 /* get string */ 3215 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3216 /* free allocated path */ 3217 kmem_free(filenamep, MOD_MAXPATH); 3218 return; 3219 } 3220 /* ensure it's null terminated */ 3221 filenamep[MOD_MAXPATH - 1] = 0; 3222 3223 if (use_path) 3224 au_uwrite(au_to_text(default_path)); 3225 au_uwrite(au_to_text(filenamep)); 3226 3227 /* release temporary memory */ 3228 kmem_free(filenamep, MOD_MAXPATH); 3229 break; 3230 } 3231 case AUE_MODUNLOAD: { 3232 typedef struct { 3233 long cmd; 3234 long id; 3235 } modunloada_t; 3236 3237 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3238 3239 au_uwrite(au_to_arg32(1, "id", id)); 3240 break; 3241 } 3242 case AUE_MODADDMAJ: { 3243 STRUCT_DECL(modconfig, mc); 3244 typedef struct { 3245 long cmd; 3246 long subcmd; 3247 long data; /* int * */ 3248 } modconfiga_t; 3249 3250 STRUCT_DECL(aliases, alias); 3251 caddr_t ap; 3252 int i, num_aliases; 3253 char *drvname, *mc_drvname; 3254 char *name; 3255 extern char *ddi_major_to_name(major_t); 3256 model_t model; 3257 3258 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3259 3260 model = get_udatamodel(); 3261 STRUCT_INIT(mc, model); 3262 /* sanitize buffer */ 3263 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3264 /* get user arguments */ 3265 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3266 STRUCT_SIZE(mc)) != 0) 3267 return; 3268 3269 mc_drvname = STRUCT_FGET(mc, drvname); 3270 if ((drvname = ddi_major_to_name( 3271 (major_t)STRUCT_FGET(mc, major))) != NULL && 3272 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3273 /* safety */ 3274 if (mc_drvname[0] != '\0') { 3275 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3276 au_uwrite(au_to_text(mc_drvname)); 3277 } 3278 /* drvname != NULL from test above */ 3279 au_uwrite(au_to_text(drvname)); 3280 return; 3281 } 3282 3283 if (mc_drvname[0] != '\0') { 3284 /* safety */ 3285 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3286 au_uwrite(au_to_text(mc_drvname)); 3287 } else 3288 au_uwrite(au_to_text("no drvname")); 3289 3290 num_aliases = STRUCT_FGET(mc, num_aliases); 3291 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3292 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3293 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3294 STRUCT_INIT(alias, model); 3295 for (i = 0; i < num_aliases; i++) { 3296 bzero((caddr_t)STRUCT_BUF(alias), 3297 STRUCT_SIZE(alias)); 3298 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3299 STRUCT_SIZE(alias)) != 0) 3300 break; 3301 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3302 MAXMODCONFNAME, NULL) != 0) { 3303 break; 3304 } 3305 3306 au_uwrite(au_to_text(name)); 3307 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3308 } 3309 kmem_free(name, MAXMODCONFNAME); 3310 break; 3311 } 3312 default: 3313 break; 3314 } 3315 } 3316 3317 3318 /*ARGSUSED*/ 3319 static void 3320 auf_accept( 3321 struct t_audit_data *tad, 3322 int error, 3323 rval_t *rval) 3324 { 3325 uint32_t scid; 3326 uint32_t sy_flags; 3327 int fd; 3328 struct sonode *so; 3329 char so_laddr[sizeof (struct sockaddr_in6)]; 3330 char so_faddr[sizeof (struct sockaddr_in6)]; 3331 int err; 3332 int len; 3333 short so_family, so_type; 3334 int add_sock_token = 0; 3335 3336 /* need to determine type of executing binary */ 3337 scid = tad->tad_scid; 3338 #ifdef _SYSCALL32_IMPL 3339 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3340 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3341 else 3342 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3343 #else 3344 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3345 #endif 3346 if (sy_flags == SE_32RVAL1) 3347 fd = rval->r_val1; 3348 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3349 fd = rval->r_val1; 3350 if (sy_flags == SE_64RVAL) 3351 fd = (int)rval->r_vals; 3352 3353 if (error) { 3354 /* can't trust socket contents. Just return */ 3355 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3356 return; 3357 } 3358 3359 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3360 /* 3361 * not security relevant if doing a accept from non socket 3362 * so no extra tokens. Should probably turn off audit record 3363 * generation here. 3364 */ 3365 return; 3366 } 3367 3368 so_family = so->so_family; 3369 so_type = so->so_type; 3370 3371 switch (so_family) { 3372 case AF_INET: 3373 case AF_INET6: 3374 /* 3375 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3376 */ 3377 if (so->so_type == SOCK_STREAM) { 3378 3379 bzero((void *)so_laddr, sizeof (so_laddr)); 3380 bzero((void *)so_faddr, sizeof (so_faddr)); 3381 3382 /* 3383 * no local address then need to get it from lower 3384 * levels. only put out record on first read ala 3385 * AUE_WRITE. 3386 */ 3387 if (so->so_state & SS_ISBOUND) { 3388 /* only done once on a connection */ 3389 (void) SOP_GETSOCKNAME(so); 3390 (void) SOP_GETPEERNAME(so); 3391 3392 /* get local and foreign addresses */ 3393 mutex_enter(&so->so_lock); 3394 len = min(so->so_laddr_len, sizeof (so_laddr)); 3395 bcopy(so->so_laddr_sa, so_laddr, len); 3396 len = min(so->so_faddr_len, sizeof (so_faddr)); 3397 bcopy(so->so_faddr_sa, so_faddr, len); 3398 mutex_exit(&so->so_lock); 3399 } 3400 3401 add_sock_token = 1; 3402 } 3403 break; 3404 3405 default: 3406 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3407 break; 3408 } 3409 3410 releasef(fd); 3411 3412 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3413 3414 if (add_sock_token == 0) { 3415 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3416 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3417 return; 3418 } 3419 3420 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3421 3422 } 3423 3424 /*ARGSUSED*/ 3425 static void 3426 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3427 { 3428 struct a { 3429 long fd; 3430 long addr; 3431 long len; 3432 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3433 3434 struct sonode *so; 3435 char so_laddr[sizeof (struct sockaddr_in6)]; 3436 char so_faddr[sizeof (struct sockaddr_in6)]; 3437 int err, fd; 3438 int len; 3439 short so_family, so_type; 3440 int add_sock_token = 0; 3441 3442 fd = (int)uap->fd; 3443 3444 /* 3445 * bind failed, then nothing extra to add to audit record. 3446 */ 3447 if (error) { 3448 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3449 /* XXX may want to add failed address some day */ 3450 return; 3451 } 3452 3453 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3454 /* 3455 * not security relevant if doing a bind from non socket 3456 * so no extra tokens. Should probably turn off audit record 3457 * generation here. 3458 */ 3459 return; 3460 } 3461 3462 so_family = so->so_family; 3463 so_type = so->so_type; 3464 3465 switch (so_family) { 3466 case AF_INET: 3467 case AF_INET6: 3468 3469 bzero(so_faddr, sizeof (so_faddr)); 3470 3471 if (so->so_state & SS_ISBOUND) { 3472 /* only done once on a connection */ 3473 (void) SOP_GETSOCKNAME(so); 3474 } 3475 3476 mutex_enter(&so->so_lock); 3477 len = min(so->so_laddr_len, sizeof (so_laddr)); 3478 bcopy(so->so_laddr_sa, so_laddr, len); 3479 mutex_exit(&so->so_lock); 3480 3481 add_sock_token = 1; 3482 3483 break; 3484 3485 case AF_UNIX: 3486 /* token added by lookup */ 3487 break; 3488 default: 3489 /* AF_ROUTE, AF_KEY do not support accept */ 3490 break; 3491 } 3492 3493 releasef(fd); 3494 3495 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3496 3497 if (add_sock_token == 0) { 3498 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3499 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3500 return; 3501 } 3502 3503 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3504 3505 } 3506 3507 /*ARGSUSED*/ 3508 static void 3509 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3510 { 3511 struct a { 3512 long fd; 3513 long addr; 3514 long len; 3515 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3516 3517 struct sonode *so; 3518 char so_laddr[sizeof (struct sockaddr_in6)]; 3519 char so_faddr[sizeof (struct sockaddr_in6)]; 3520 int err, fd; 3521 int len; 3522 short so_family, so_type; 3523 int add_sock_token = 0; 3524 3525 fd = (int)uap->fd; 3526 3527 3528 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3529 /* 3530 * not security relevant if doing a connect from non socket 3531 * so no extra tokens. Should probably turn off audit record 3532 * generation here. 3533 */ 3534 return; 3535 } 3536 3537 so_family = so->so_family; 3538 so_type = so->so_type; 3539 3540 switch (so_family) { 3541 case AF_INET: 3542 case AF_INET6: 3543 /* 3544 * no local address then need to get it from lower 3545 * levels. 3546 */ 3547 if (so->so_state & SS_ISBOUND) { 3548 /* only done once on a connection */ 3549 (void) SOP_GETSOCKNAME(so); 3550 (void) SOP_GETPEERNAME(so); 3551 } 3552 3553 bzero(so_laddr, sizeof (so_laddr)); 3554 bzero(so_faddr, sizeof (so_faddr)); 3555 3556 mutex_enter(&so->so_lock); 3557 len = min(so->so_laddr_len, sizeof (so_laddr)); 3558 bcopy(so->so_laddr_sa, so_laddr, len); 3559 if (error) { 3560 mutex_exit(&so->so_lock); 3561 if (uap->addr == NULL) 3562 break; 3563 if (uap->len <= 0) 3564 break; 3565 len = min(uap->len, sizeof (so_faddr)); 3566 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3567 break; 3568 #ifdef NOTYET 3569 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3570 #endif 3571 } else { 3572 /* sanity check on length */ 3573 len = min(so->so_faddr_len, sizeof (so_faddr)); 3574 bcopy(so->so_faddr_sa, so_faddr, len); 3575 mutex_exit(&so->so_lock); 3576 } 3577 3578 add_sock_token = 1; 3579 3580 break; 3581 3582 case AF_UNIX: 3583 /* does a lookup on name */ 3584 break; 3585 3586 default: 3587 /* AF_ROUTE, AF_KEY do not support accept */ 3588 break; 3589 } 3590 3591 releasef(fd); 3592 3593 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3594 3595 if (add_sock_token == 0) { 3596 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3597 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3598 return; 3599 } 3600 3601 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3602 3603 } 3604 3605 /*ARGSUSED*/ 3606 static void 3607 aus_shutdown(struct t_audit_data *tad) 3608 { 3609 struct a { 3610 long fd; 3611 long how; 3612 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3613 3614 struct sonode *so; 3615 char so_laddr[sizeof (struct sockaddr_in6)]; 3616 char so_faddr[sizeof (struct sockaddr_in6)]; 3617 int err, fd; 3618 int len; 3619 short so_family, so_type; 3620 int add_sock_token = 0; 3621 file_t *fp; /* unix domain sockets */ 3622 struct f_audit_data *fad; /* unix domain sockets */ 3623 3624 fd = (int)uap->fd; 3625 3626 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3627 /* 3628 * not security relevant if doing a shutdown using non socket 3629 * so no extra tokens. Should probably turn off audit record 3630 * generation here. 3631 */ 3632 return; 3633 } 3634 3635 so_family = so->so_family; 3636 so_type = so->so_type; 3637 3638 switch (so_family) { 3639 case AF_INET: 3640 case AF_INET6: 3641 3642 bzero(so_laddr, sizeof (so_laddr)); 3643 bzero(so_faddr, sizeof (so_faddr)); 3644 3645 if (so->so_state & SS_ISBOUND) { 3646 /* 3647 * no local address then need to get it from lower 3648 * levels. 3649 */ 3650 if (so->so_laddr_len == 0) 3651 (void) SOP_GETSOCKNAME(so); 3652 if (so->so_faddr_len == 0) 3653 (void) SOP_GETPEERNAME(so); 3654 } 3655 3656 mutex_enter(&so->so_lock); 3657 len = min(so->so_laddr_len, sizeof (so_laddr)); 3658 bcopy(so->so_laddr_sa, so_laddr, len); 3659 len = min(so->so_faddr_len, sizeof (so_faddr)); 3660 bcopy(so->so_faddr_sa, so_faddr, len); 3661 mutex_exit(&so->so_lock); 3662 3663 add_sock_token = 1; 3664 3665 break; 3666 3667 case AF_UNIX: 3668 3669 /* get path from file struct here */ 3670 fad = F2A(fp); 3671 ASSERT(fad); 3672 3673 if (fad->fad_aupath != NULL) { 3674 au_uwrite(au_to_path(fad->fad_aupath)); 3675 } else { 3676 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3677 } 3678 3679 audit_attributes(fp->f_vnode); 3680 3681 break; 3682 3683 default: 3684 /* 3685 * AF_KEY and AF_ROUTE support shutdown. No socket token 3686 * added. 3687 */ 3688 break; 3689 } 3690 3691 releasef(fd); 3692 3693 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3694 3695 if (add_sock_token == 0) { 3696 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3697 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3698 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3699 return; 3700 } 3701 3702 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3703 3704 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3705 3706 } 3707 3708 /*ARGSUSED*/ 3709 static void 3710 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3711 { 3712 struct a { 3713 long fd; 3714 long level; 3715 long optname; 3716 long *optval; 3717 long optlen; 3718 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3719 3720 struct sonode *so; 3721 char so_laddr[sizeof (struct sockaddr_in6)]; 3722 char so_faddr[sizeof (struct sockaddr_in6)]; 3723 char val[AU_BUFSIZE]; 3724 int err, fd; 3725 int len; 3726 short so_family, so_type; 3727 int add_sock_token = 0; 3728 file_t *fp; /* unix domain sockets */ 3729 struct f_audit_data *fad; /* unix domain sockets */ 3730 3731 fd = (int)uap->fd; 3732 3733 if (error) { 3734 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3735 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3736 /* XXX may want to include other arguments */ 3737 return; 3738 } 3739 3740 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3741 /* 3742 * not security relevant if doing a setsockopt from non socket 3743 * so no extra tokens. Should probably turn off audit record 3744 * generation here. 3745 */ 3746 return; 3747 } 3748 3749 so_family = so->so_family; 3750 so_type = so->so_type; 3751 3752 switch (so_family) { 3753 case AF_INET: 3754 case AF_INET6: 3755 3756 bzero((void *)so_laddr, sizeof (so_laddr)); 3757 bzero((void *)so_faddr, sizeof (so_faddr)); 3758 3759 if (so->so_state & SS_ISBOUND) { 3760 if (so->so_laddr_len == 0) 3761 (void) SOP_GETSOCKNAME(so); 3762 if (so->so_faddr_len == 0) 3763 (void) SOP_GETPEERNAME(so); 3764 } 3765 3766 /* get local and foreign addresses */ 3767 mutex_enter(&so->so_lock); 3768 len = min(so->so_laddr_len, sizeof (so_laddr)); 3769 bcopy(so->so_laddr_sa, so_laddr, len); 3770 len = min(so->so_faddr_len, sizeof (so_faddr)); 3771 bcopy(so->so_faddr_sa, so_faddr, len); 3772 mutex_exit(&so->so_lock); 3773 3774 add_sock_token = 1; 3775 3776 break; 3777 3778 case AF_UNIX: 3779 3780 /* get path from file struct here */ 3781 fad = F2A(fp); 3782 ASSERT(fad); 3783 3784 if (fad->fad_aupath != NULL) { 3785 au_uwrite(au_to_path(fad->fad_aupath)); 3786 } else { 3787 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3788 } 3789 3790 audit_attributes(fp->f_vnode); 3791 3792 break; 3793 3794 default: 3795 /* 3796 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3797 * added. 3798 */ 3799 break; 3800 } 3801 3802 releasef(fd); 3803 3804 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3805 3806 if (add_sock_token == 0) { 3807 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3808 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3809 } 3810 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3811 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3812 3813 bzero(val, sizeof (val)); 3814 len = min(uap->optlen, sizeof (val)); 3815 if ((len > 0) && 3816 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3817 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3818 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3819 } 3820 3821 if (add_sock_token == 0) 3822 return; 3823 3824 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3825 3826 } 3827 3828 /*ARGSUSED*/ 3829 static void 3830 aus_sockconfig(tad) 3831 struct t_audit_data *tad; 3832 { 3833 struct a { 3834 long domain; 3835 long type; 3836 long protocol; 3837 long devpath; 3838 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3839 3840 char *kdevpath; 3841 int kdevpathlen = MAXPATHLEN + 1; 3842 size_t size; 3843 3844 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3845 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3846 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3847 3848 if (uap->devpath == 0) { 3849 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3850 } else { 3851 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3852 3853 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3854 &size)) { 3855 kmem_free(kdevpath, kdevpathlen); 3856 return; 3857 } 3858 3859 if (size > MAXPATHLEN) { 3860 kmem_free(kdevpath, kdevpathlen); 3861 return; 3862 } 3863 3864 au_uwrite(au_to_text(kdevpath)); 3865 kmem_free(kdevpath, kdevpathlen); 3866 } 3867 } 3868 3869 /* 3870 * only audit recvmsg when the system call represents the creation of a new 3871 * circuit. This effectively occurs for all UDP packets and may occur for 3872 * special TCP situations where the local host has not set a local address 3873 * in the socket structure. 3874 */ 3875 /*ARGSUSED*/ 3876 static void 3877 auf_recvmsg( 3878 struct t_audit_data *tad, 3879 int error, 3880 rval_t *rvp) 3881 { 3882 struct a { 3883 long fd; 3884 long msg; /* struct msghdr */ 3885 long flags; 3886 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3887 3888 struct sonode *so; 3889 STRUCT_DECL(msghdr, msg); 3890 caddr_t msg_name; 3891 socklen_t msg_namelen; 3892 int fd; 3893 int err; 3894 char so_laddr[sizeof (struct sockaddr_in6)]; 3895 char so_faddr[sizeof (struct sockaddr_in6)]; 3896 int len; 3897 file_t *fp; /* unix domain sockets */ 3898 struct f_audit_data *fad; /* unix domain sockets */ 3899 short so_family, so_type; 3900 int add_sock_token = 0; 3901 au_kcontext_t *kctx = GET_KCTX_PZ; 3902 3903 fd = (int)uap->fd; 3904 3905 /* bail if an error */ 3906 if (error) { 3907 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3908 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3909 return; 3910 } 3911 3912 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3913 /* 3914 * not security relevant if doing a recvmsg from non socket 3915 * so no extra tokens. Should probably turn off audit record 3916 * generation here. 3917 */ 3918 return; 3919 } 3920 3921 so_family = so->so_family; 3922 so_type = so->so_type; 3923 3924 /* 3925 * only putout SOCKET_EX token if INET/INET6 family. 3926 * XXX - what do we do about other families? 3927 */ 3928 3929 switch (so_family) { 3930 case AF_INET: 3931 case AF_INET6: 3932 3933 /* 3934 * if datagram type socket, then just use what is in 3935 * socket structure for local address. 3936 * XXX - what do we do for other types? 3937 */ 3938 if ((so->so_type == SOCK_DGRAM) || 3939 (so->so_type == SOCK_RAW)) { 3940 add_sock_token = 1; 3941 3942 bzero((void *)so_laddr, sizeof (so_laddr)); 3943 bzero((void *)so_faddr, sizeof (so_faddr)); 3944 3945 /* get local address */ 3946 mutex_enter(&so->so_lock); 3947 len = min(so->so_laddr_len, sizeof (so_laddr)); 3948 bcopy(so->so_laddr_sa, so_laddr, len); 3949 mutex_exit(&so->so_lock); 3950 3951 /* get peer address */ 3952 STRUCT_INIT(msg, get_udatamodel()); 3953 3954 if (copyin((caddr_t)(uap->msg), 3955 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3956 break; 3957 } 3958 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3959 if (msg_name == NULL) { 3960 break; 3961 } 3962 3963 /* length is value from recvmsg - sanity check */ 3964 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3965 if (msg_namelen == 0) { 3966 break; 3967 } 3968 if (copyin(msg_name, so_faddr, 3969 sizeof (so_faddr)) != 0) { 3970 break; 3971 } 3972 3973 } else if (so->so_type == SOCK_STREAM) { 3974 3975 /* get path from file struct here */ 3976 fad = F2A(fp); 3977 ASSERT(fad); 3978 3979 /* 3980 * already processed this file for read attempt 3981 */ 3982 if (fad->fad_flags & FAD_READ) { 3983 /* don't want to audit every recvmsg attempt */ 3984 tad->tad_flag = 0; 3985 /* free any residual audit data */ 3986 au_close(kctx, &(u_ad), 0, 0, 0); 3987 releasef(fd); 3988 return; 3989 } 3990 /* 3991 * mark things so we know what happened and don't 3992 * repeat things 3993 */ 3994 fad->fad_flags |= FAD_READ; 3995 3996 bzero((void *)so_laddr, sizeof (so_laddr)); 3997 bzero((void *)so_faddr, sizeof (so_faddr)); 3998 3999 if (so->so_state & SS_ISBOUND) { 4000 4001 if (so->so_laddr_len == 0) 4002 (void) SOP_GETSOCKNAME(so); 4003 if (so->so_faddr_len == 0) 4004 (void) SOP_GETPEERNAME(so); 4005 4006 /* get local and foreign addresses */ 4007 mutex_enter(&so->so_lock); 4008 len = min(so->so_laddr_len, sizeof (so_laddr)); 4009 bcopy(so->so_laddr_sa, so_laddr, len); 4010 len = min(so->so_faddr_len, sizeof (so_faddr)); 4011 bcopy(so->so_faddr_sa, so_faddr, len); 4012 mutex_exit(&so->so_lock); 4013 } 4014 4015 add_sock_token = 1; 4016 } 4017 4018 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4019 4020 break; 4021 4022 case AF_UNIX: 4023 /* 4024 * first check if this is first time through. Too much 4025 * duplicate code to put this in an aui_ routine. 4026 */ 4027 4028 /* get path from file struct here */ 4029 fad = F2A(fp); 4030 ASSERT(fad); 4031 4032 /* 4033 * already processed this file for read attempt 4034 */ 4035 if (fad->fad_flags & FAD_READ) { 4036 releasef(fd); 4037 /* don't want to audit every recvmsg attempt */ 4038 tad->tad_flag = 0; 4039 /* free any residual audit data */ 4040 au_close(kctx, &(u_ad), 0, 0, 0); 4041 return; 4042 } 4043 /* 4044 * mark things so we know what happened and don't 4045 * repeat things 4046 */ 4047 fad->fad_flags |= FAD_READ; 4048 4049 if (fad->fad_aupath != NULL) { 4050 au_uwrite(au_to_path(fad->fad_aupath)); 4051 } else { 4052 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4053 } 4054 4055 audit_attributes(fp->f_vnode); 4056 4057 releasef(fd); 4058 4059 return; 4060 4061 default: 4062 break; 4063 4064 } 4065 4066 releasef(fd); 4067 4068 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4069 4070 if (add_sock_token == 0) { 4071 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4072 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4073 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4074 return; 4075 } 4076 4077 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4078 4079 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4080 4081 } 4082 4083 /*ARGSUSED*/ 4084 static void 4085 auf_recvfrom( 4086 struct t_audit_data *tad, 4087 int error, 4088 rval_t *rvp) 4089 { 4090 4091 struct a { 4092 long fd; 4093 long msg; /* char */ 4094 long len; 4095 long flags; 4096 long from; /* struct sockaddr */ 4097 long fromlen; 4098 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4099 4100 socklen_t fromlen; 4101 struct sonode *so; 4102 char so_laddr[sizeof (struct sockaddr_in6)]; 4103 char so_faddr[sizeof (struct sockaddr_in6)]; 4104 int fd; 4105 short so_family, so_type; 4106 int add_sock_token = 0; 4107 int len; 4108 int err; 4109 struct file *fp; 4110 struct f_audit_data *fad; /* unix domain sockets */ 4111 au_kcontext_t *kctx = GET_KCTX_PZ; 4112 4113 fd = (int)uap->fd; 4114 4115 /* bail if an error */ 4116 if (error) { 4117 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4118 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4119 return; 4120 } 4121 4122 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4123 /* 4124 * not security relevant if doing a recvmsg from non socket 4125 * so no extra tokens. Should probably turn off audit record 4126 * generation here. 4127 */ 4128 return; 4129 } 4130 4131 so_family = so->so_family; 4132 so_type = so->so_type; 4133 4134 /* 4135 * only putout SOCKET_EX token if INET/INET6 family. 4136 * XXX - what do we do about other families? 4137 */ 4138 4139 switch (so_family) { 4140 case AF_INET: 4141 case AF_INET6: 4142 4143 /* 4144 * if datagram type socket, then just use what is in 4145 * socket structure for local address. 4146 * XXX - what do we do for other types? 4147 */ 4148 if ((so->so_type == SOCK_DGRAM) || 4149 (so->so_type == SOCK_RAW)) { 4150 add_sock_token = 1; 4151 4152 /* get local address */ 4153 mutex_enter(&so->so_lock); 4154 len = min(so->so_laddr_len, sizeof (so_laddr)); 4155 bcopy(so->so_laddr_sa, so_laddr, len); 4156 mutex_exit(&so->so_lock); 4157 4158 /* get peer address */ 4159 bzero((void *)so_faddr, sizeof (so_faddr)); 4160 4161 /* sanity check */ 4162 if (uap->from == NULL) 4163 break; 4164 4165 /* sanity checks */ 4166 if (uap->fromlen == 0) 4167 break; 4168 4169 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4170 sizeof (fromlen)) != 0) 4171 break; 4172 4173 if (fromlen == 0) 4174 break; 4175 4176 /* enforce maximum size */ 4177 if (fromlen > sizeof (so_faddr)) 4178 fromlen = sizeof (so_faddr); 4179 4180 if (copyin((caddr_t)(uap->from), so_faddr, 4181 fromlen) != 0) 4182 break; 4183 4184 } else if (so->so_type == SOCK_STREAM) { 4185 4186 /* get path from file struct here */ 4187 fad = F2A(fp); 4188 ASSERT(fad); 4189 4190 /* 4191 * already processed this file for read attempt 4192 */ 4193 if (fad->fad_flags & FAD_READ) { 4194 /* don't want to audit every recvfrom attempt */ 4195 tad->tad_flag = 0; 4196 /* free any residual audit data */ 4197 au_close(kctx, &(u_ad), 0, 0, 0); 4198 releasef(fd); 4199 return; 4200 } 4201 /* 4202 * mark things so we know what happened and don't 4203 * repeat things 4204 */ 4205 fad->fad_flags |= FAD_READ; 4206 4207 bzero((void *)so_laddr, sizeof (so_laddr)); 4208 bzero((void *)so_faddr, sizeof (so_faddr)); 4209 4210 if (so->so_state & SS_ISBOUND) { 4211 4212 if (so->so_laddr_len == 0) 4213 (void) SOP_GETSOCKNAME(so); 4214 if (so->so_faddr_len == 0) 4215 (void) SOP_GETPEERNAME(so); 4216 4217 /* get local and foreign addresses */ 4218 mutex_enter(&so->so_lock); 4219 len = min(so->so_laddr_len, sizeof (so_laddr)); 4220 bcopy(so->so_laddr_sa, so_laddr, len); 4221 len = min(so->so_faddr_len, sizeof (so_faddr)); 4222 bcopy(so->so_faddr_sa, so_faddr, len); 4223 mutex_exit(&so->so_lock); 4224 } 4225 4226 add_sock_token = 1; 4227 } 4228 4229 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4230 4231 break; 4232 4233 case AF_UNIX: 4234 /* 4235 * first check if this is first time through. Too much 4236 * duplicate code to put this in an aui_ routine. 4237 */ 4238 4239 /* get path from file struct here */ 4240 fad = F2A(fp); 4241 ASSERT(fad); 4242 4243 /* 4244 * already processed this file for read attempt 4245 */ 4246 if (fad->fad_flags & FAD_READ) { 4247 /* don't want to audit every recvfrom attempt */ 4248 tad->tad_flag = 0; 4249 /* free any residual audit data */ 4250 au_close(kctx, &(u_ad), 0, 0, 0); 4251 releasef(fd); 4252 return; 4253 } 4254 /* 4255 * mark things so we know what happened and don't 4256 * repeat things 4257 */ 4258 fad->fad_flags |= FAD_READ; 4259 4260 if (fad->fad_aupath != NULL) { 4261 au_uwrite(au_to_path(fad->fad_aupath)); 4262 } else { 4263 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4264 } 4265 4266 audit_attributes(fp->f_vnode); 4267 4268 releasef(fd); 4269 4270 return; 4271 4272 default: 4273 break; 4274 4275 } 4276 4277 releasef(fd); 4278 4279 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4280 4281 if (add_sock_token == 0) { 4282 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4283 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4284 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4285 return; 4286 } 4287 4288 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4289 4290 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4291 } 4292 4293 /*ARGSUSED*/ 4294 static void 4295 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4296 { 4297 struct a { 4298 long fd; 4299 long msg; /* struct msghdr */ 4300 long flags; 4301 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4302 4303 struct sonode *so; 4304 char so_laddr[sizeof (struct sockaddr_in6)]; 4305 char so_faddr[sizeof (struct sockaddr_in6)]; 4306 int err; 4307 int fd; 4308 short so_family, so_type; 4309 int add_sock_token = 0; 4310 int len; 4311 struct file *fp; 4312 struct f_audit_data *fad; 4313 caddr_t msg_name; 4314 socklen_t msg_namelen; 4315 STRUCT_DECL(msghdr, msg); 4316 au_kcontext_t *kctx = GET_KCTX_PZ; 4317 4318 fd = (int)uap->fd; 4319 4320 /* bail if an error */ 4321 if (error) { 4322 /* XXX include destination address from system call arguments */ 4323 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4324 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4325 return; 4326 } 4327 4328 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4329 /* 4330 * not security relevant if doing a sendmsg from non socket 4331 * so no extra tokens. Should probably turn off audit record 4332 * generation here. 4333 */ 4334 return; 4335 } 4336 4337 so_family = so->so_family; 4338 so_type = so->so_type; 4339 4340 switch (so_family) { 4341 case AF_INET: 4342 case AF_INET6: 4343 /* 4344 * if datagram type socket, then just use what is in 4345 * socket structure for local address. 4346 * XXX - what do we do for other types? 4347 */ 4348 if ((so->so_type == SOCK_DGRAM) || 4349 (so->so_type == SOCK_RAW)) { 4350 4351 bzero((void *)so_laddr, sizeof (so_laddr)); 4352 bzero((void *)so_faddr, sizeof (so_faddr)); 4353 4354 /* get local address */ 4355 mutex_enter(&so->so_lock); 4356 len = min(so->so_laddr_len, sizeof (so_laddr)); 4357 bcopy(so->so_laddr_sa, so_laddr, len); 4358 mutex_exit(&so->so_lock); 4359 4360 /* get peer address */ 4361 STRUCT_INIT(msg, get_udatamodel()); 4362 4363 if (copyin((caddr_t)(uap->msg), 4364 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4365 break; 4366 } 4367 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4368 if (msg_name == NULL) 4369 break; 4370 4371 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4372 /* length is value from recvmsg - sanity check */ 4373 if (msg_namelen == 0) 4374 break; 4375 4376 if (copyin(msg_name, so_faddr, 4377 sizeof (so_faddr)) != 0) 4378 break; 4379 4380 add_sock_token = 1; 4381 4382 } else if (so->so_type == SOCK_STREAM) { 4383 4384 /* get path from file struct here */ 4385 fad = F2A(fp); 4386 ASSERT(fad); 4387 4388 /* 4389 * already processed this file for write attempt 4390 */ 4391 if (fad->fad_flags & FAD_WRITE) { 4392 releasef(fd); 4393 /* don't want to audit every sendmsg attempt */ 4394 tad->tad_flag = 0; 4395 /* free any residual audit data */ 4396 au_close(kctx, &(u_ad), 0, 0, 0); 4397 return; 4398 } 4399 4400 /* 4401 * mark things so we know what happened and don't 4402 * repeat things 4403 */ 4404 fad->fad_flags |= FAD_WRITE; 4405 4406 bzero((void *)so_laddr, sizeof (so_laddr)); 4407 bzero((void *)so_faddr, sizeof (so_faddr)); 4408 4409 if (so->so_state & SS_ISBOUND) { 4410 4411 if (so->so_laddr_len == 0) 4412 (void) SOP_GETSOCKNAME(so); 4413 if (so->so_faddr_len == 0) 4414 (void) SOP_GETPEERNAME(so); 4415 4416 /* get local and foreign addresses */ 4417 mutex_enter(&so->so_lock); 4418 len = min(so->so_laddr_len, sizeof (so_laddr)); 4419 bcopy(so->so_laddr_sa, so_laddr, len); 4420 len = min(so->so_faddr_len, sizeof (so_faddr)); 4421 bcopy(so->so_faddr_sa, so_faddr, len); 4422 mutex_exit(&so->so_lock); 4423 } 4424 4425 add_sock_token = 1; 4426 } 4427 4428 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4429 4430 break; 4431 4432 case AF_UNIX: 4433 /* 4434 * first check if this is first time through. Too much 4435 * duplicate code to put this in an aui_ routine. 4436 */ 4437 4438 /* get path from file struct here */ 4439 fad = F2A(fp); 4440 ASSERT(fad); 4441 4442 /* 4443 * already processed this file for write attempt 4444 */ 4445 if (fad->fad_flags & FAD_WRITE) { 4446 releasef(fd); 4447 /* don't want to audit every sendmsg attempt */ 4448 tad->tad_flag = 0; 4449 /* free any residual audit data */ 4450 au_close(kctx, &(u_ad), 0, 0, 0); 4451 return; 4452 } 4453 /* 4454 * mark things so we know what happened and don't 4455 * repeat things 4456 */ 4457 fad->fad_flags |= FAD_WRITE; 4458 4459 if (fad->fad_aupath != NULL) { 4460 au_uwrite(au_to_path(fad->fad_aupath)); 4461 } else { 4462 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4463 } 4464 4465 audit_attributes(fp->f_vnode); 4466 4467 releasef(fd); 4468 4469 return; 4470 4471 default: 4472 break; 4473 } 4474 4475 releasef(fd); 4476 4477 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4478 4479 if (add_sock_token == 0) { 4480 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4481 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4482 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4483 return; 4484 } 4485 4486 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4487 4488 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4489 } 4490 4491 /*ARGSUSED*/ 4492 static void 4493 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4494 { 4495 struct a { 4496 long fd; 4497 long msg; /* char */ 4498 long len; 4499 long flags; 4500 long to; /* struct sockaddr */ 4501 long tolen; 4502 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4503 4504 struct sonode *so; 4505 char so_laddr[sizeof (struct sockaddr_in6)]; 4506 char so_faddr[sizeof (struct sockaddr_in6)]; 4507 socklen_t tolen; 4508 int err; 4509 int fd; 4510 int len; 4511 short so_family, so_type; 4512 int add_sock_token = 0; 4513 struct file *fp; 4514 struct f_audit_data *fad; 4515 au_kcontext_t *kctx = GET_KCTX_PZ; 4516 4517 fd = (int)uap->fd; 4518 4519 /* bail if an error */ 4520 if (error) { 4521 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4522 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4523 /* XXX include destination address from system call arguments */ 4524 return; 4525 } 4526 4527 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4528 /* 4529 * not security relevant if doing a sendto using non socket 4530 * so no extra tokens. Should probably turn off audit record 4531 * generation here. 4532 */ 4533 return; 4534 } 4535 4536 so_family = so->so_family; 4537 so_type = so->so_type; 4538 4539 /* 4540 * only putout SOCKET_EX token if INET/INET6 family. 4541 * XXX - what do we do about other families? 4542 */ 4543 4544 switch (so_family) { 4545 case AF_INET: 4546 case AF_INET6: 4547 4548 /* 4549 * if datagram type socket, then just use what is in 4550 * socket structure for local address. 4551 * XXX - what do we do for other types? 4552 */ 4553 if ((so->so_type == SOCK_DGRAM) || 4554 (so->so_type == SOCK_RAW)) { 4555 4556 bzero((void *)so_laddr, sizeof (so_laddr)); 4557 bzero((void *)so_faddr, sizeof (so_faddr)); 4558 4559 /* get local address */ 4560 mutex_enter(&so->so_lock); 4561 len = min(so->so_laddr_len, sizeof (so_laddr)); 4562 bcopy(so->so_laddr_sa, so_laddr, len); 4563 mutex_exit(&so->so_lock); 4564 4565 /* get peer address */ 4566 4567 /* sanity check */ 4568 if (uap->to == NULL) 4569 break; 4570 4571 /* sanity checks */ 4572 if (uap->tolen == 0) 4573 break; 4574 4575 tolen = (socklen_t)uap->tolen; 4576 4577 /* enforce maximum size */ 4578 if (tolen > sizeof (so_faddr)) 4579 tolen = sizeof (so_faddr); 4580 4581 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4582 break; 4583 4584 add_sock_token = 1; 4585 } else { 4586 /* 4587 * check if this is first time through. 4588 */ 4589 4590 /* get path from file struct here */ 4591 fad = F2A(fp); 4592 ASSERT(fad); 4593 4594 /* 4595 * already processed this file for write attempt 4596 */ 4597 if (fad->fad_flags & FAD_WRITE) { 4598 /* don't want to audit every sendto attempt */ 4599 tad->tad_flag = 0; 4600 /* free any residual audit data */ 4601 au_close(kctx, &(u_ad), 0, 0, 0); 4602 releasef(fd); 4603 return; 4604 } 4605 /* 4606 * mark things so we know what happened and don't 4607 * repeat things 4608 */ 4609 fad->fad_flags |= FAD_WRITE; 4610 4611 bzero((void *)so_laddr, sizeof (so_laddr)); 4612 bzero((void *)so_faddr, sizeof (so_faddr)); 4613 4614 if (so->so_state & SS_ISBOUND) { 4615 4616 if (so->so_laddr_len == 0) 4617 (void) SOP_GETSOCKNAME(so); 4618 if (so->so_faddr_len == 0) 4619 (void) SOP_GETPEERNAME(so); 4620 4621 /* get local and foreign addresses */ 4622 mutex_enter(&so->so_lock); 4623 len = min(so->so_laddr_len, sizeof (so_laddr)); 4624 bcopy(so->so_laddr_sa, so_laddr, len); 4625 len = min(so->so_faddr_len, sizeof (so_faddr)); 4626 bcopy(so->so_faddr_sa, so_faddr, len); 4627 mutex_exit(&so->so_lock); 4628 } 4629 4630 add_sock_token = 1; 4631 } 4632 4633 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4634 4635 break; 4636 4637 case AF_UNIX: 4638 /* 4639 * first check if this is first time through. Too much 4640 * duplicate code to put this in an aui_ routine. 4641 */ 4642 4643 /* get path from file struct here */ 4644 fad = F2A(fp); 4645 ASSERT(fad); 4646 4647 /* 4648 * already processed this file for write attempt 4649 */ 4650 if (fad->fad_flags & FAD_WRITE) { 4651 /* don't want to audit every sendto attempt */ 4652 tad->tad_flag = 0; 4653 /* free any residual audit data */ 4654 au_close(kctx, &(u_ad), 0, 0, 0); 4655 releasef(fd); 4656 return; 4657 } 4658 /* 4659 * mark things so we know what happened and don't 4660 * repeat things 4661 */ 4662 fad->fad_flags |= FAD_WRITE; 4663 4664 if (fad->fad_aupath != NULL) { 4665 au_uwrite(au_to_path(fad->fad_aupath)); 4666 } else { 4667 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4668 } 4669 4670 audit_attributes(fp->f_vnode); 4671 4672 releasef(fd); 4673 4674 return; 4675 4676 default: 4677 break; 4678 4679 } 4680 4681 releasef(fd); 4682 4683 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4684 4685 if (add_sock_token == 0) { 4686 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4687 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4688 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4689 return; 4690 } 4691 4692 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4693 4694 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4695 4696 } 4697 4698 /* 4699 * XXX socket(2) may be equivalent to open(2) on a unix domain 4700 * socket. This needs investigation. 4701 */ 4702 4703 /*ARGSUSED*/ 4704 static void 4705 aus_socket(struct t_audit_data *tad) 4706 { 4707 struct a { 4708 long domain; 4709 long type; 4710 long protocol; 4711 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4712 4713 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4714 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4715 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4716 } 4717 4718 /*ARGSUSED*/ 4719 static void 4720 aus_sigqueue(struct t_audit_data *tad) 4721 { 4722 struct a { 4723 long pid; 4724 long signo; 4725 long *val; 4726 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4727 struct proc *p; 4728 uid_t uid, ruid; 4729 gid_t gid, rgid; 4730 pid_t pid; 4731 const auditinfo_addr_t *ainfo; 4732 cred_t *cr; 4733 4734 pid = (pid_t)uap->pid; 4735 4736 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4737 if (pid > 0) { 4738 mutex_enter(&pidlock); 4739 if ((p = prfind(pid)) == (struct proc *)0) { 4740 mutex_exit(&pidlock); 4741 return; 4742 } 4743 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4744 mutex_exit(&pidlock); 4745 4746 mutex_enter(&p->p_crlock); 4747 crhold(cr = p->p_cred); 4748 mutex_exit(&p->p_crlock); 4749 mutex_exit(&p->p_lock); 4750 4751 ainfo = crgetauinfo(cr); 4752 if (ainfo == NULL) { 4753 crfree(cr); 4754 return; 4755 } 4756 4757 uid = crgetuid(cr); 4758 gid = crgetgid(cr); 4759 ruid = crgetruid(cr); 4760 rgid = crgetrgid(cr); 4761 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4762 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4763 crfree(cr); 4764 } 4765 else 4766 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4767 } 4768 4769 /*ARGSUSED*/ 4770 static void 4771 aus_inst_sync(struct t_audit_data *tad) 4772 { 4773 struct a { 4774 long name; /* char */ 4775 long flags; 4776 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4777 4778 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4779 } 4780 4781 /*ARGSUSED*/ 4782 static void 4783 aus_brandsys(struct t_audit_data *tad) 4784 { 4785 klwp_t *clwp = ttolwp(curthread); 4786 4787 struct a { 4788 long cmd; 4789 long arg1; 4790 long arg2; 4791 long arg3; 4792 long arg4; 4793 long arg5; 4794 long arg6; 4795 } *uap = (struct a *)clwp->lwp_ap; 4796 4797 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4798 #ifdef _LP64 4799 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4800 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4801 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4802 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4803 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4804 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4805 #else 4806 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4807 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4808 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4809 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4810 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4811 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4812 #endif 4813 } 4814 4815 /*ARGSUSED*/ 4816 static void 4817 aus_p_online(struct t_audit_data *tad) 4818 { 4819 struct a { 4820 long processor_id; 4821 long flag; 4822 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4823 4824 struct flags { 4825 int flag; 4826 char *cflag; 4827 } aflags[6] = { 4828 { P_ONLINE, "P_ONLINE"}, 4829 { P_OFFLINE, "P_OFFLINE"}, 4830 { P_NOINTR, "P_NOINTR"}, 4831 { P_SPARE, "P_SPARE"}, 4832 { P_FAULTED, "P_FAULTED"}, 4833 { P_STATUS, "P_STATUS"} 4834 }; 4835 int i; 4836 char *cflag; 4837 4838 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4839 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4840 4841 for (i = 0; i < 6; i++) { 4842 if (aflags[i].flag == uap->flag) 4843 break; 4844 } 4845 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4846 4847 au_uwrite(au_to_text(cflag)); 4848 } 4849 4850 /*ARGSUSED*/ 4851 static void 4852 aus_processor_bind(struct t_audit_data *tad) 4853 { 4854 struct a { 4855 long id_type; 4856 long id; 4857 long processor_id; 4858 long obind; 4859 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4860 4861 struct proc *p; 4862 int lwpcnt; 4863 uid_t uid, ruid; 4864 gid_t gid, rgid; 4865 pid_t pid; 4866 const auditinfo_addr_t *ainfo; 4867 cred_t *cr; 4868 4869 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4870 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4871 if (uap->processor_id == PBIND_NONE) 4872 au_uwrite(au_to_text("PBIND_NONE")); 4873 else 4874 au_uwrite(au_to_arg32(3, "processor_id", 4875 (uint32_t)uap->processor_id)); 4876 4877 switch (uap->id_type) { 4878 case P_MYID: 4879 case P_LWPID: 4880 mutex_enter(&pidlock); 4881 p = ttoproc(curthread); 4882 if (p == NULL || p->p_as == &kas) { 4883 mutex_exit(&pidlock); 4884 return; 4885 } 4886 mutex_enter(&p->p_lock); 4887 mutex_exit(&pidlock); 4888 lwpcnt = p->p_lwpcnt; 4889 pid = p->p_pid; 4890 4891 mutex_enter(&p->p_crlock); 4892 crhold(cr = p->p_cred); 4893 mutex_exit(&p->p_crlock); 4894 mutex_exit(&p->p_lock); 4895 4896 ainfo = crgetauinfo(cr); 4897 if (ainfo == NULL) { 4898 crfree(cr); 4899 return; 4900 } 4901 4902 uid = crgetuid(cr); 4903 gid = crgetgid(cr); 4904 ruid = crgetruid(cr); 4905 rgid = crgetrgid(cr); 4906 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4907 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4908 crfree(cr); 4909 break; 4910 case P_PID: 4911 mutex_enter(&pidlock); 4912 p = prfind(uap->id); 4913 if (p == NULL || p->p_as == &kas) { 4914 mutex_exit(&pidlock); 4915 return; 4916 } 4917 mutex_enter(&p->p_lock); 4918 mutex_exit(&pidlock); 4919 lwpcnt = p->p_lwpcnt; 4920 pid = p->p_pid; 4921 4922 mutex_enter(&p->p_crlock); 4923 crhold(cr = p->p_cred); 4924 mutex_exit(&p->p_crlock); 4925 mutex_exit(&p->p_lock); 4926 4927 ainfo = crgetauinfo(cr); 4928 if (ainfo == NULL) { 4929 crfree(cr); 4930 return; 4931 } 4932 4933 uid = crgetuid(cr); 4934 gid = crgetgid(cr); 4935 ruid = crgetruid(cr); 4936 rgid = crgetrgid(cr); 4937 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4938 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4939 crfree(cr); 4940 4941 break; 4942 default: 4943 return; 4944 } 4945 4946 if (uap->processor_id == PBIND_NONE && 4947 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4948 au_uwrite(au_to_text("PBIND_NONE for process")); 4949 else 4950 au_uwrite(au_to_arg32(3, "processor_id", 4951 (uint32_t)uap->processor_id)); 4952 } 4953 4954 /*ARGSUSED*/ 4955 static au_event_t 4956 aui_doorfs(au_event_t e) 4957 { 4958 uint32_t code; 4959 4960 struct a { /* doorfs */ 4961 long a1; 4962 long a2; 4963 long a3; 4964 long a4; 4965 long a5; 4966 long code; 4967 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4968 4969 /* 4970 * audit formats for several of the 4971 * door calls have not yet been determined 4972 */ 4973 code = (uint32_t)uap->code; 4974 switch (code) { 4975 case DOOR_CALL: 4976 e = AUE_DOORFS_DOOR_CALL; 4977 break; 4978 case DOOR_RETURN: 4979 e = AUE_NULL; 4980 break; 4981 case DOOR_CREATE: 4982 e = AUE_DOORFS_DOOR_CREATE; 4983 break; 4984 case DOOR_REVOKE: 4985 e = AUE_DOORFS_DOOR_REVOKE; 4986 break; 4987 case DOOR_INFO: 4988 e = AUE_NULL; 4989 break; 4990 case DOOR_UCRED: 4991 e = AUE_NULL; 4992 break; 4993 case DOOR_BIND: 4994 e = AUE_NULL; 4995 break; 4996 case DOOR_UNBIND: 4997 e = AUE_NULL; 4998 break; 4999 case DOOR_GETPARAM: 5000 e = AUE_NULL; 5001 break; 5002 case DOOR_SETPARAM: 5003 e = AUE_NULL; 5004 break; 5005 default: /* illegal system call */ 5006 e = AUE_NULL; 5007 break; 5008 } 5009 5010 return (e); 5011 } 5012 5013 static door_node_t * 5014 au_door_lookup(int did) 5015 { 5016 vnode_t *vp; 5017 file_t *fp; 5018 5019 if ((fp = getf(did)) == NULL) 5020 return (NULL); 5021 /* 5022 * Use the underlying vnode (we may be namefs mounted) 5023 */ 5024 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5025 vp = fp->f_vnode; 5026 5027 if (vp == NULL || vp->v_type != VDOOR) { 5028 releasef(did); 5029 return (NULL); 5030 } 5031 5032 return (VTOD(vp)); 5033 } 5034 5035 /*ARGSUSED*/ 5036 static void 5037 aus_doorfs(struct t_audit_data *tad) 5038 { 5039 5040 struct a { /* doorfs */ 5041 long a1; 5042 long a2; 5043 long a3; 5044 long a4; 5045 long a5; 5046 long code; 5047 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5048 5049 door_node_t *dp; 5050 struct proc *p; 5051 uint32_t did; 5052 uid_t uid, ruid; 5053 gid_t gid, rgid; 5054 pid_t pid; 5055 const auditinfo_addr_t *ainfo; 5056 cred_t *cr; 5057 5058 did = (uint32_t)uap->a1; 5059 5060 switch (tad->tad_event) { 5061 case AUE_DOORFS_DOOR_CALL: 5062 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5063 if ((dp = au_door_lookup(did)) == NULL) 5064 break; 5065 5066 if (DOOR_INVALID(dp)) { 5067 releasef(did); 5068 break; 5069 } 5070 5071 if ((p = dp->door_target) == NULL) { 5072 releasef(did); 5073 break; 5074 } 5075 mutex_enter(&p->p_lock); 5076 releasef(did); 5077 5078 pid = p->p_pid; 5079 5080 mutex_enter(&p->p_crlock); 5081 crhold(cr = p->p_cred); 5082 mutex_exit(&p->p_crlock); 5083 mutex_exit(&p->p_lock); 5084 5085 ainfo = crgetauinfo(cr); 5086 if (ainfo == NULL) { 5087 crfree(cr); 5088 return; 5089 } 5090 uid = crgetuid(cr); 5091 gid = crgetgid(cr); 5092 ruid = crgetruid(cr); 5093 rgid = crgetrgid(cr); 5094 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5095 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5096 crfree(cr); 5097 break; 5098 case AUE_DOORFS_DOOR_RETURN: 5099 /* 5100 * We may want to write information about 5101 * all doors (if any) which will be copied 5102 * by this call to the user space 5103 */ 5104 break; 5105 case AUE_DOORFS_DOOR_CREATE: 5106 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5107 break; 5108 case AUE_DOORFS_DOOR_REVOKE: 5109 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5110 break; 5111 case AUE_DOORFS_DOOR_INFO: 5112 break; 5113 case AUE_DOORFS_DOOR_CRED: 5114 break; 5115 case AUE_DOORFS_DOOR_BIND: 5116 break; 5117 case AUE_DOORFS_DOOR_UNBIND: { 5118 break; 5119 } 5120 default: /* illegal system call */ 5121 break; 5122 } 5123 } 5124 5125 /*ARGSUSED*/ 5126 static au_event_t 5127 aui_acl(au_event_t e) 5128 { 5129 struct a { 5130 union { 5131 long name; /* char */ 5132 long fd; 5133 } obj; 5134 5135 long cmd; 5136 long nentries; 5137 long arg; /* aclent_t */ 5138 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5139 5140 switch (uap->cmd) { 5141 case SETACL: 5142 case ACE_SETACL: 5143 /* 5144 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5145 * are expected. 5146 */ 5147 break; 5148 case GETACL: 5149 case GETACLCNT: 5150 case ACE_GETACLCNT: 5151 /* do nothing for these two values. */ 5152 e = AUE_NULL; 5153 break; 5154 default: 5155 /* illegal system call */ 5156 break; 5157 } 5158 5159 return (e); 5160 } 5161 5162 static void 5163 au_acl(int cmd, int nentries, caddr_t bufp) 5164 { 5165 size_t a_size; 5166 aclent_t *aclbufp; 5167 ace_t *acebufp; 5168 int i; 5169 5170 switch (cmd) { 5171 case GETACL: 5172 case GETACLCNT: 5173 break; 5174 case SETACL: 5175 if (nentries < 3) 5176 break; 5177 5178 a_size = nentries * sizeof (aclent_t); 5179 5180 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5181 break; 5182 if (copyin(bufp, aclbufp, a_size)) { 5183 kmem_free(aclbufp, a_size); 5184 break; 5185 } 5186 for (i = 0; i < nentries; i++) { 5187 au_uwrite(au_to_acl(aclbufp + i)); 5188 } 5189 kmem_free(aclbufp, a_size); 5190 break; 5191 5192 case ACE_SETACL: 5193 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5194 break; 5195 5196 a_size = nentries * sizeof (ace_t); 5197 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5198 break; 5199 if (copyin(bufp, acebufp, a_size)) { 5200 kmem_free(acebufp, a_size); 5201 break; 5202 } 5203 for (i = 0; i < nentries; i++) { 5204 au_uwrite(au_to_ace(acebufp + i)); 5205 } 5206 kmem_free(acebufp, a_size); 5207 break; 5208 default: 5209 break; 5210 } 5211 } 5212 5213 /*ARGSUSED*/ 5214 static void 5215 aus_acl(struct t_audit_data *tad) 5216 { 5217 struct a { 5218 long fname; 5219 long cmd; 5220 long nentries; 5221 long aclbufp; 5222 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5223 5224 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5225 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5226 5227 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5228 } 5229 5230 /*ARGSUSED*/ 5231 static void 5232 aus_facl(struct t_audit_data *tad) 5233 { 5234 struct a { 5235 long fd; 5236 long cmd; 5237 long nentries; 5238 long aclbufp; 5239 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5240 struct file *fp; 5241 struct vnode *vp; 5242 struct f_audit_data *fad; 5243 int fd; 5244 5245 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5246 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5247 5248 fd = (int)uap->fd; 5249 5250 if ((fp = getf(fd)) == NULL) 5251 return; 5252 5253 /* get path from file struct here */ 5254 fad = F2A(fp); 5255 if (fad->fad_aupath != NULL) { 5256 au_uwrite(au_to_path(fad->fad_aupath)); 5257 } else { 5258 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5259 } 5260 5261 vp = fp->f_vnode; 5262 audit_attributes(vp); 5263 5264 /* decrement file descriptor reference count */ 5265 releasef(fd); 5266 5267 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5268 } 5269 5270 /*ARGSUSED*/ 5271 static void 5272 auf_read(tad, error, rval) 5273 struct t_audit_data *tad; 5274 int error; 5275 rval_t *rval; 5276 { 5277 struct file *fp; 5278 struct f_audit_data *fad; 5279 int fd; 5280 register struct a { 5281 long fd; 5282 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5283 au_kcontext_t *kctx = GET_KCTX_PZ; 5284 5285 fd = (int)uap->fd; 5286 5287 /* 5288 * convert file pointer to file descriptor 5289 * Note: fd ref count incremented here. 5290 */ 5291 if ((fp = getf(fd)) == NULL) 5292 return; 5293 5294 /* get path from file struct here */ 5295 fad = F2A(fp); 5296 ASSERT(fad); 5297 5298 /* 5299 * already processed this file for read attempt 5300 * 5301 * XXX might be better to turn off auditing in a aui_read() routine. 5302 */ 5303 if (fad->fad_flags & FAD_READ) { 5304 /* don't really want to audit every read attempt */ 5305 tad->tad_flag = 0; 5306 /* free any residual audit data */ 5307 au_close(kctx, &(u_ad), 0, 0, 0); 5308 releasef(fd); 5309 return; 5310 } 5311 /* mark things so we know what happened and don't repeat things */ 5312 fad->fad_flags |= FAD_READ; 5313 5314 if (fad->fad_aupath != NULL) { 5315 au_uwrite(au_to_path(fad->fad_aupath)); 5316 } else { 5317 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5318 } 5319 5320 /* include attributes */ 5321 audit_attributes(fp->f_vnode); 5322 5323 /* decrement file descriptor reference count */ 5324 releasef(fd); 5325 } 5326 5327 /*ARGSUSED*/ 5328 static void 5329 auf_write(tad, error, rval) 5330 struct t_audit_data *tad; 5331 int error; 5332 rval_t *rval; 5333 { 5334 struct file *fp; 5335 struct f_audit_data *fad; 5336 int fd; 5337 register struct a { 5338 long fd; 5339 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5340 au_kcontext_t *kctx = GET_KCTX_PZ; 5341 5342 fd = (int)uap->fd; 5343 5344 /* 5345 * convert file pointer to file descriptor 5346 * Note: fd ref count incremented here. 5347 */ 5348 if ((fp = getf(fd)) == NULL) 5349 return; 5350 5351 /* get path from file struct here */ 5352 fad = F2A(fp); 5353 ASSERT(fad); 5354 5355 /* 5356 * already processed this file for write attempt 5357 * 5358 * XXX might be better to turn off auditing in a aus_write() routine. 5359 */ 5360 if (fad->fad_flags & FAD_WRITE) { 5361 /* don't really want to audit every write attempt */ 5362 tad->tad_flag = 0; 5363 /* free any residual audit data */ 5364 au_close(kctx, &(u_ad), 0, 0, 0); 5365 releasef(fd); 5366 return; 5367 } 5368 /* mark things so we know what happened and don't repeat things */ 5369 fad->fad_flags |= FAD_WRITE; 5370 5371 if (fad->fad_aupath != NULL) { 5372 au_uwrite(au_to_path(fad->fad_aupath)); 5373 } else { 5374 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5375 } 5376 5377 /* include attributes */ 5378 audit_attributes(fp->f_vnode); 5379 5380 /* decrement file descriptor reference count */ 5381 releasef(fd); 5382 } 5383 5384 /*ARGSUSED*/ 5385 static void 5386 auf_recv(tad, error, rval) 5387 struct t_audit_data *tad; 5388 int error; 5389 rval_t *rval; 5390 { 5391 struct sonode *so; 5392 char so_laddr[sizeof (struct sockaddr_in6)]; 5393 char so_faddr[sizeof (struct sockaddr_in6)]; 5394 struct file *fp; 5395 struct f_audit_data *fad; 5396 int fd; 5397 int err; 5398 int len; 5399 short so_family, so_type; 5400 register struct a { 5401 long fd; 5402 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5403 au_kcontext_t *kctx = GET_KCTX_PZ; 5404 5405 /* 5406 * If there was an error, then nothing to do. Only generate 5407 * audit record on first successful recv. 5408 */ 5409 if (error) { 5410 /* Turn off audit record generation here. */ 5411 tad->tad_flag = 0; 5412 /* free any residual audit data */ 5413 au_close(kctx, &(u_ad), 0, 0, 0); 5414 return; 5415 } 5416 5417 fd = (int)uap->fd; 5418 5419 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5420 /* Turn off audit record generation here. */ 5421 tad->tad_flag = 0; 5422 /* free any residual audit data */ 5423 au_close(kctx, &(u_ad), 0, 0, 0); 5424 return; 5425 } 5426 5427 /* get path from file struct here */ 5428 fad = F2A(fp); 5429 ASSERT(fad); 5430 5431 /* 5432 * already processed this file for read attempt 5433 */ 5434 if (fad->fad_flags & FAD_READ) { 5435 releasef(fd); 5436 /* don't really want to audit every recv call */ 5437 tad->tad_flag = 0; 5438 /* free any residual audit data */ 5439 au_close(kctx, &(u_ad), 0, 0, 0); 5440 return; 5441 } 5442 5443 /* mark things so we know what happened and don't repeat things */ 5444 fad->fad_flags |= FAD_READ; 5445 5446 so_family = so->so_family; 5447 so_type = so->so_type; 5448 5449 switch (so_family) { 5450 case AF_INET: 5451 case AF_INET6: 5452 /* 5453 * Only for connections. 5454 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5455 */ 5456 if (so->so_state & SS_ISBOUND) { 5457 5458 bzero((void *)so_laddr, sizeof (so_laddr)); 5459 bzero((void *)so_faddr, sizeof (so_faddr)); 5460 5461 /* only done once on a connection */ 5462 (void) SOP_GETSOCKNAME(so); 5463 (void) SOP_GETPEERNAME(so); 5464 5465 /* get local and foreign addresses */ 5466 mutex_enter(&so->so_lock); 5467 len = min(so->so_laddr_len, sizeof (so_laddr)); 5468 bcopy(so->so_laddr_sa, so_laddr, len); 5469 len = min(so->so_faddr_len, sizeof (so_faddr)); 5470 bcopy(so->so_faddr_sa, so_faddr, len); 5471 mutex_exit(&so->so_lock); 5472 5473 /* 5474 * only way to drop out of switch. Note that we 5475 * we release fd below. 5476 */ 5477 5478 break; 5479 } 5480 5481 releasef(fd); 5482 5483 /* don't really want to audit every recv call */ 5484 tad->tad_flag = 0; 5485 /* free any residual audit data */ 5486 au_close(kctx, &(u_ad), 0, 0, 0); 5487 5488 return; 5489 5490 case AF_UNIX: 5491 5492 if (fad->fad_aupath != NULL) { 5493 au_uwrite(au_to_path(fad->fad_aupath)); 5494 } else { 5495 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5496 } 5497 5498 audit_attributes(fp->f_vnode); 5499 5500 releasef(fd); 5501 5502 return; 5503 5504 default: 5505 releasef(fd); 5506 5507 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5508 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5509 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5510 5511 return; 5512 } 5513 5514 releasef(fd); 5515 5516 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5517 5518 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5519 5520 } 5521 5522 /*ARGSUSED*/ 5523 static void 5524 auf_send(tad, error, rval) 5525 struct t_audit_data *tad; 5526 int error; 5527 rval_t *rval; 5528 { 5529 struct sonode *so; 5530 char so_laddr[sizeof (struct sockaddr_in6)]; 5531 char so_faddr[sizeof (struct sockaddr_in6)]; 5532 struct file *fp; 5533 struct f_audit_data *fad; 5534 int fd; 5535 int err; 5536 int len; 5537 short so_family, so_type; 5538 register struct a { 5539 long fd; 5540 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5541 au_kcontext_t *kctx = GET_KCTX_PZ; 5542 5543 fd = (int)uap->fd; 5544 5545 /* 5546 * If there was an error, then nothing to do. Only generate 5547 * audit record on first successful send. 5548 */ 5549 if (error != 0) { 5550 /* Turn off audit record generation here. */ 5551 tad->tad_flag = 0; 5552 /* free any residual audit data */ 5553 au_close(kctx, &(u_ad), 0, 0, 0); 5554 return; 5555 } 5556 5557 fd = (int)uap->fd; 5558 5559 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5560 /* Turn off audit record generation here. */ 5561 tad->tad_flag = 0; 5562 /* free any residual audit data */ 5563 au_close(kctx, &(u_ad), 0, 0, 0); 5564 return; 5565 } 5566 5567 /* get path from file struct here */ 5568 fad = F2A(fp); 5569 ASSERT(fad); 5570 5571 /* 5572 * already processed this file for write attempt 5573 */ 5574 if (fad->fad_flags & FAD_WRITE) { 5575 releasef(fd); 5576 /* don't really want to audit every send call */ 5577 tad->tad_flag = 0; 5578 /* free any residual audit data */ 5579 au_close(kctx, &(u_ad), 0, 0, 0); 5580 return; 5581 } 5582 5583 /* mark things so we know what happened and don't repeat things */ 5584 fad->fad_flags |= FAD_WRITE; 5585 5586 so_family = so->so_family; 5587 so_type = so->so_type; 5588 5589 switch (so_family) { 5590 case AF_INET: 5591 case AF_INET6: 5592 /* 5593 * Only for connections. 5594 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5595 */ 5596 if (so->so_state & SS_ISBOUND) { 5597 5598 bzero((void *)so_laddr, sizeof (so_laddr)); 5599 bzero((void *)so_faddr, sizeof (so_faddr)); 5600 5601 /* only done once on a connection */ 5602 (void) SOP_GETSOCKNAME(so); 5603 (void) SOP_GETPEERNAME(so); 5604 5605 /* get local and foreign addresses */ 5606 mutex_enter(&so->so_lock); 5607 len = min(so->so_laddr_len, sizeof (so_laddr)); 5608 bcopy(so->so_laddr_sa, so_laddr, len); 5609 len = min(so->so_faddr_len, sizeof (so_faddr)); 5610 bcopy(so->so_faddr_sa, so_faddr, len); 5611 mutex_exit(&so->so_lock); 5612 5613 /* 5614 * only way to drop out of switch. Note that we 5615 * we release fd below. 5616 */ 5617 5618 break; 5619 } 5620 5621 releasef(fd); 5622 /* don't really want to audit every send call */ 5623 tad->tad_flag = 0; 5624 /* free any residual audit data */ 5625 au_close(kctx, &(u_ad), 0, 0, 0); 5626 5627 return; 5628 5629 case AF_UNIX: 5630 5631 if (fad->fad_aupath != NULL) { 5632 au_uwrite(au_to_path(fad->fad_aupath)); 5633 } else { 5634 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5635 } 5636 5637 audit_attributes(fp->f_vnode); 5638 5639 releasef(fd); 5640 5641 return; 5642 5643 default: 5644 releasef(fd); 5645 5646 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5647 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5648 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5649 5650 return; 5651 } 5652 5653 releasef(fd); 5654 5655 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5656 5657 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5658 } 5659 5660 static au_event_t 5661 aui_forksys(au_event_t e) 5662 { 5663 struct a { 5664 long subcode; 5665 long flags; 5666 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5667 5668 switch ((uint_t)uap->subcode) { 5669 case 0: 5670 e = AUE_FORK1; 5671 break; 5672 case 1: 5673 e = AUE_FORKALL; 5674 break; 5675 case 2: 5676 e = AUE_VFORK; 5677 break; 5678 default: 5679 e = AUE_NULL; 5680 break; 5681 } 5682 5683 return (e); 5684 } 5685 5686 /*ARGSUSED*/ 5687 static au_event_t 5688 aui_portfs(au_event_t e) 5689 { 5690 struct a { /* portfs */ 5691 long a1; 5692 long a2; 5693 long a3; 5694 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5695 5696 /* 5697 * check opcode 5698 */ 5699 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5700 case PORT_ASSOCIATE: 5701 case PORT_DISSOCIATE: 5702 /* 5703 * check source 5704 */ 5705 if ((uint_t)uap->a3 == PORT_SOURCE_FILE) { 5706 e = AUE_PORTFS; 5707 } else { 5708 e = AUE_NULL; 5709 } 5710 break; 5711 default: 5712 e = AUE_NULL; 5713 } 5714 return (e); 5715 } 5716