1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <sys/tsol/label.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 int au_naevent; 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_null(au_event_t); 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 103 static void aus_null(struct t_audit_data *); 104 static void aus_open(struct t_audit_data *); 105 static void aus_acl(struct t_audit_data *); 106 static void aus_acct(struct t_audit_data *); 107 static void aus_chown(struct t_audit_data *); 108 static void aus_fchown(struct t_audit_data *); 109 static void aus_lchown(struct t_audit_data *); 110 static void aus_chmod(struct t_audit_data *); 111 static void aus_facl(struct t_audit_data *); 112 static void aus_fchmod(struct t_audit_data *); 113 static void aus_fcntl(struct t_audit_data *); 114 static void aus_fsat(struct t_audit_data *); 115 static void aus_mkdir(struct t_audit_data *); 116 static void aus_mknod(struct t_audit_data *); 117 static void aus_mount(struct t_audit_data *); 118 static void aus_umount(struct t_audit_data *); 119 static void aus_umount2(struct t_audit_data *); 120 static void aus_msgsys(struct t_audit_data *); 121 static void aus_semsys(struct t_audit_data *); 122 static void aus_close(struct t_audit_data *); 123 static void aus_fstatfs(struct t_audit_data *); 124 static void aus_setgid(struct t_audit_data *); 125 static void aus_setuid(struct t_audit_data *); 126 static void aus_shmsys(struct t_audit_data *); 127 static void aus_doorfs(struct t_audit_data *); 128 static void aus_ioctl(struct t_audit_data *); 129 static void aus_memcntl(struct t_audit_data *); 130 static void aus_mmap(struct t_audit_data *); 131 static void aus_munmap(struct t_audit_data *); 132 static void aus_priocntlsys(struct t_audit_data *); 133 static void aus_setegid(struct t_audit_data *); 134 static void aus_setgroups(struct t_audit_data *); 135 static void aus_seteuid(struct t_audit_data *); 136 static void aus_putmsg(struct t_audit_data *); 137 static void aus_putpmsg(struct t_audit_data *); 138 static void aus_getmsg(struct t_audit_data *); 139 static void aus_getpmsg(struct t_audit_data *); 140 static void aus_auditsys(struct t_audit_data *); 141 static void aus_sysinfo(struct t_audit_data *); 142 static void aus_modctl(struct t_audit_data *); 143 static void aus_kill(struct t_audit_data *); 144 static void aus_xmknod(struct t_audit_data *); 145 static void aus_setregid(struct t_audit_data *); 146 static void aus_setreuid(struct t_audit_data *); 147 148 static void auf_null(struct t_audit_data *, int, rval_t *); 149 static void auf_mknod(struct t_audit_data *, int, rval_t *); 150 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 151 static void auf_semsys(struct t_audit_data *, int, rval_t *); 152 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 153 #if 0 154 static void auf_open(struct t_audit_data *, int, rval_t *); 155 #endif 156 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 157 static void auf_read(struct t_audit_data *, int, rval_t *); 158 static void auf_write(struct t_audit_data *, int, rval_t *); 159 160 static void aus_sigqueue(struct t_audit_data *); 161 static void aus_p_online(struct t_audit_data *); 162 static void aus_processor_bind(struct t_audit_data *); 163 static void aus_inst_sync(struct t_audit_data *); 164 static void aus_brandsys(struct t_audit_data *); 165 166 static void auf_accept(struct t_audit_data *, int, rval_t *); 167 168 static void auf_bind(struct t_audit_data *, int, rval_t *); 169 static void auf_connect(struct t_audit_data *, int, rval_t *); 170 static void aus_shutdown(struct t_audit_data *); 171 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 172 static void aus_sockconfig(struct t_audit_data *); 173 static void auf_recv(struct t_audit_data *, int, rval_t *); 174 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 175 static void auf_send(struct t_audit_data *, int, rval_t *); 176 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 177 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 178 static void auf_sendto(struct t_audit_data *, int, rval_t *); 179 static void aus_socket(struct t_audit_data *); 180 /* 181 * This table contains mapping information for converting system call numbers 182 * to audit event IDs. In several cases it is necessary to map a single system 183 * call to several events. 184 */ 185 186 struct audit_s2e audit_s2e[] = 187 { 188 /* 189 * ---------- ---------- ---------- ---------- 190 * INITIAL AUDIT START SYSTEM 191 * PROCESSING EVENT PROCESSING CALL 192 * ---------- ---------- ---------- ----------- 193 * FINISH EVENT 194 * PROCESSING CONTROL 195 * ---------------------------------------------------------- 196 */ 197 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 198 auf_null, 0, 199 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 200 auf_null, S2E_NPT, 201 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 202 auf_null, 0, 203 aui_null, AUE_READ, aus_null, /* 3 read */ 204 auf_read, S2E_PUB, 205 aui_null, AUE_WRITE, aus_null, /* 4 write */ 206 auf_write, 0, 207 aui_open, AUE_OPEN, aus_open, /* 5 open */ 208 auf_null, S2E_SP, 209 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 210 auf_null, 0, 211 aui_null, AUE_NULL, aus_null, /* 7 wait */ 212 auf_null, 0, 213 aui_null, AUE_CREAT, aus_null, /* 8 create */ 214 auf_null, S2E_SP, 215 aui_null, AUE_LINK, aus_null, /* 9 link */ 216 auf_null, 0, 217 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 218 auf_null, 0, 219 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 220 auf_null, S2E_MLD, 221 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 222 auf_null, S2E_SP, 223 aui_null, AUE_NULL, aus_null, /* 13 time */ 224 auf_null, 0, 225 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 226 auf_mknod, 0, 227 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 228 auf_null, 0, 229 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 230 auf_null, 0, 231 aui_null, AUE_NULL, aus_null, /* 17 brk */ 232 auf_null, 0, 233 aui_null, AUE_STAT, aus_null, /* 18 stat */ 234 auf_null, S2E_PUB, 235 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 236 auf_null, 0, 237 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 238 auf_null, 0, 239 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 240 auf_null, S2E_MLD, 241 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 242 auf_null, 0, 243 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 244 auf_null, 0, 245 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 246 auf_null, 0, 247 aui_null, AUE_STIME, aus_null, /* 25 stime */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 29 pause */ 256 auf_null, 0, 257 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 262 auf_null, 0, 263 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 264 auf_null, S2E_PUB, 265 aui_null, AUE_NICE, aus_null, /* 34 nice */ 266 auf_null, 0, 267 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 268 auf_null, S2E_PUB, 269 aui_null, AUE_NULL, aus_null, /* 36 sync */ 270 auf_null, 0, 271 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 272 auf_null, 0, 273 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 274 auf_null, S2E_PUB, 275 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 276 auf_null, 0, 277 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 41 dup */ 280 auf_null, 0, 281 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 43 times */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 44 profil */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 288 /* was proc lock */ 289 auf_null, 0, 290 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 291 auf_null, 0, 292 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 293 auf_null, 0, 294 aui_null, AUE_NULL, aus_null, /* 48 sig */ 295 auf_null, 0, 296 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 297 auf_msgsys, 0, 298 #if defined(__x86) 299 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 300 auf_null, 0, 301 #else 302 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 303 auf_null, 0, 304 #endif /* __x86 */ 305 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 306 auf_null, 0, 307 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 308 auf_shmsys, 0, 309 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 310 auf_semsys, 0, 311 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 312 auf_null, 0, 313 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 314 auf_null, 0, 315 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 316 auf_null, 0, 317 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 318 auf_null, 0, 319 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 320 auf_null, 0, 321 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 322 auf_null, S2E_MLD, 323 aui_null, AUE_NULL, aus_null, /* 60 umask */ 324 auf_null, 0, 325 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 326 auf_null, S2E_SP, 327 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 328 auf_null, 0, 329 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 332 auf_null, 0, 333 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 334 auf_null, 0, 335 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 336 auf_null, 0, 337 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 338 /* file locking call */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 341 /* local system calls */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 344 auf_null, 0, 345 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 352 auf_null, 0, 353 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 354 auf_null, 0, 355 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 356 /* was sigret (SunOS) */ 357 auf_null, 0, 358 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 363 auf_null, 0, 364 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 365 auf_null, 0, 366 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 367 auf_null, 0, 368 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 369 auf_null, 0, 370 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 371 /* was libattach */ 372 auf_null, 0, 373 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 374 /* was libdetach */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 377 auf_null, 0, 378 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 379 auf_null, 0, 380 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 381 auf_null, 0, 382 aui_null, AUE_NULL, aus_null, /* 87 poll */ 383 auf_null, 0, 384 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 387 auf_null, 0, 388 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 389 auf_null, S2E_PUB, 390 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 391 auf_null, 0, 392 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 393 auf_null, 0, 394 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 395 auf_null, 0, 396 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 411 auf_null, 0, 412 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 413 /* was evtrapret */ 414 auf_null, 0, 415 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 416 auf_null, S2E_PUB, 417 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 418 auf_null, 0, 419 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 422 auf_null, 0, 423 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 424 auf_null, 0, 425 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 426 auf_null, 0, 427 #if defined(__x86) 428 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 429 auf_null, 0, 430 #else 431 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 432 auf_null, 0, 433 #endif /* __x86 */ 434 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 435 auf_null, 0, 436 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 437 auf_null, 0, 438 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 439 auf_null, 0, /* 112 priocntlsys */ 440 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 441 auf_null, S2E_PUB, 442 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 443 auf_null, 0, 444 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 445 auf_null, 0, 446 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 447 auf_null, 0, 448 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 449 auf_null, 0, 450 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 451 auf_null, 0, 452 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 453 auf_null, 0, 454 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 455 auf_null, 0, 456 aui_null, AUE_READ, aus_null, /* 121 readv */ 457 auf_read, S2E_PUB, 458 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 459 auf_write, 0, 460 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 461 auf_null, S2E_PUB, 462 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 463 auf_null, S2E_PUB, 464 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 465 auf_null, 0, 466 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 467 auf_xmknod, 0, 468 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 469 auf_null, 0, 470 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 471 auf_null, 0, 472 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 473 auf_null, 0, 474 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 475 auf_null, 0, 476 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 477 auf_null, 0, 478 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 479 auf_null, 0, 480 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 481 auf_null, 0, 482 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 483 auf_null, 0, 484 aui_null, AUE_NULL, aus_null, /* 135 uname */ 485 auf_null, 0, 486 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 487 auf_null, 0, 488 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 489 auf_null, 0, 490 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 491 auf_null, 0, 492 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 493 auf_null, 0, 494 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 495 auf_null, 0, 496 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 497 auf_null, 0, 498 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 499 auf_null, 0, 500 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 501 auf_null, 0, 502 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 146 yield */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 517 auf_null, 0, 518 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 519 auf_null, 0, 520 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 521 auf_null, 0, 522 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 545 /* was lwp_setprivate */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 548 /* was lwp_getprivate */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 557 auf_null, 0, 558 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 559 auf_null, 0, 560 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 561 auf_null, 0, 562 aui_null, AUE_READ, aus_null, /* 173 pread */ 563 auf_read, S2E_PUB, 564 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 565 auf_write, 0, 566 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 567 auf_null, 0, 568 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 569 /* aus_inst_sync */ 570 auf_null, 0, 571 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 580 auf_null, 0, 581 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 582 auf_null, 0, 583 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 584 auf_null, 0, 585 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 586 auf_null, 0, 587 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 588 auf_null, 0, 589 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 590 auf_null, 0, 591 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 592 auf_null, 0, /* 187 processor_bind */ 593 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 594 auf_null, 0, 595 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 600 auf_null, 0, 601 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 616 auf_null, 0, 617 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 618 auf_null, 0, 619 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 620 auf_null, 0, 621 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 622 auf_null, 0, 623 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 644 auf_null, 0, 645 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 646 auf_null, 0, 647 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 652 auf_null, 0, 653 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 654 auf_null, S2E_PUB, 655 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 656 auf_null, 0, 657 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 658 auf_null, 0, 659 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 660 auf_null, 0, 661 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 662 auf_read, S2E_PUB, 663 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 664 auf_write, 0, 665 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 666 auf_null, S2E_SP, 667 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 668 auf_null, S2E_SP, 669 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 676 auf_null, 0, 677 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 678 auf_null, 0, 679 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 680 auf_null, 0, 681 aui_null, AUE_BIND, aus_null, /* 232 bind */ 682 auf_bind, 0, 683 aui_null, AUE_NULL, aus_null, /* 233 listen */ 684 auf_null, 0, 685 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 686 auf_accept, 0, 687 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 688 auf_connect, 0, 689 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 690 auf_null, 0, 691 aui_null, AUE_READ, aus_null, /* 237 recv */ 692 auf_recv, 0, 693 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 694 auf_recvfrom, 0, 695 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 696 auf_recvmsg, 0, 697 aui_null, AUE_WRITE, aus_null, /* 240 send */ 698 auf_send, 0, 699 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 700 auf_sendmsg, 0, 701 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 702 auf_sendto, 0, 703 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 704 auf_null, 0, 705 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 708 auf_null, 0, 709 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 710 auf_setsockopt, 0, 711 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 714 auf_null, 0, 715 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 726 auf_null, 0, 727 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 728 auf_null, 0 729 }; 730 731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 732 733 /* null start function */ 734 /*ARGSUSED*/ 735 static void 736 aus_null(struct t_audit_data *tad) 737 { 738 } 739 740 /* acct start function */ 741 /*ARGSUSED*/ 742 static void 743 aus_acct(struct t_audit_data *tad) 744 { 745 klwp_t *clwp = ttolwp(curthread); 746 uintptr_t fname; 747 748 struct a { 749 long fname; /* char * */ 750 } *uap = (struct a *)clwp->lwp_ap; 751 752 fname = (uintptr_t)uap->fname; 753 754 if (fname == 0) 755 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 756 } 757 758 /* chown start function */ 759 /*ARGSUSED*/ 760 static void 761 aus_chown(struct t_audit_data *tad) 762 { 763 klwp_t *clwp = ttolwp(curthread); 764 uint32_t uid, gid; 765 766 struct a { 767 long fname; /* char * */ 768 long uid; 769 long gid; 770 } *uap = (struct a *)clwp->lwp_ap; 771 772 uid = (uint32_t)uap->uid; 773 gid = (uint32_t)uap->gid; 774 775 au_uwrite(au_to_arg32(2, "new file uid", uid)); 776 au_uwrite(au_to_arg32(3, "new file gid", gid)); 777 } 778 779 /* fchown start function */ 780 /*ARGSUSED*/ 781 static void 782 aus_fchown(struct t_audit_data *tad) 783 { 784 klwp_t *clwp = ttolwp(curthread); 785 uint32_t uid, gid, fd; 786 struct file *fp; 787 struct vnode *vp; 788 struct f_audit_data *fad; 789 790 struct a { 791 long fd; 792 long uid; 793 long gid; 794 } *uap = (struct a *)clwp->lwp_ap; 795 796 fd = (uint32_t)uap->fd; 797 uid = (uint32_t)uap->uid; 798 gid = (uint32_t)uap->gid; 799 800 au_uwrite(au_to_arg32(2, "new file uid", uid)); 801 au_uwrite(au_to_arg32(3, "new file gid", gid)); 802 803 /* 804 * convert file pointer to file descriptor 805 * Note: fd ref count incremented here. 806 */ 807 if ((fp = getf(fd)) == NULL) 808 return; 809 810 /* get path from file struct here */ 811 fad = F2A(fp); 812 if (fad->fad_aupath != NULL) { 813 au_uwrite(au_to_path(fad->fad_aupath)); 814 } else { 815 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 816 } 817 818 vp = fp->f_vnode; 819 audit_attributes(vp); 820 821 /* decrement file descriptor reference count */ 822 releasef(fd); 823 } 824 825 /*ARGSUSED*/ 826 static void 827 aus_lchown(struct t_audit_data *tad) 828 { 829 klwp_t *clwp = ttolwp(curthread); 830 uint32_t uid, gid; 831 832 833 struct a { 834 long fname; /* char * */ 835 long uid; 836 long gid; 837 } *uap = (struct a *)clwp->lwp_ap; 838 839 uid = (uint32_t)uap->uid; 840 gid = (uint32_t)uap->gid; 841 842 au_uwrite(au_to_arg32(2, "new file uid", uid)); 843 au_uwrite(au_to_arg32(3, "new file gid", gid)); 844 } 845 846 /* chmod start function */ 847 /*ARGSUSED*/ 848 static void 849 aus_chmod(struct t_audit_data *tad) 850 { 851 klwp_t *clwp = ttolwp(curthread); 852 uint32_t fmode; 853 854 struct a { 855 long fname; /* char * */ 856 long fmode; 857 } *uap = (struct a *)clwp->lwp_ap; 858 859 fmode = (uint32_t)uap->fmode; 860 861 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 862 } 863 864 /* chmod start function */ 865 /*ARGSUSED*/ 866 static void 867 aus_fchmod(struct t_audit_data *tad) 868 { 869 klwp_t *clwp = ttolwp(curthread); 870 uint32_t fmode, fd; 871 struct file *fp; 872 struct vnode *vp; 873 struct f_audit_data *fad; 874 875 struct a { 876 long fd; 877 long fmode; 878 } *uap = (struct a *)clwp->lwp_ap; 879 880 fd = (uint32_t)uap->fd; 881 fmode = (uint32_t)uap->fmode; 882 883 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 884 885 /* 886 * convert file pointer to file descriptor 887 * Note: fd ref count incremented here. 888 */ 889 if ((fp = getf(fd)) == NULL) 890 return; 891 892 /* get path from file struct here */ 893 fad = F2A(fp); 894 if (fad->fad_aupath != NULL) { 895 au_uwrite(au_to_path(fad->fad_aupath)); 896 } else { 897 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 898 } 899 900 vp = fp->f_vnode; 901 audit_attributes(vp); 902 903 /* decrement file descriptor reference count */ 904 releasef(fd); 905 } 906 907 /* null function */ 908 /*ARGSUSED*/ 909 static void 910 auf_null(struct t_audit_data *tad, int error, rval_t *rval) 911 { 912 } 913 914 /* null function */ 915 static au_event_t 916 aui_null(au_event_t e) 917 { 918 return (e); 919 } 920 921 /* convert open to appropriate event */ 922 static au_event_t 923 aui_open(au_event_t e) 924 { 925 klwp_t *clwp = ttolwp(curthread); 926 uint_t fm; 927 928 struct a { 929 long fnamep; /* char * */ 930 long fmode; 931 long cmode; 932 } *uap = (struct a *)clwp->lwp_ap; 933 934 fm = (uint_t)uap->fmode; 935 936 if (fm & O_WRONLY) 937 e = AUE_OPEN_W; 938 else if (fm & O_RDWR) 939 e = AUE_OPEN_RW; 940 else 941 e = AUE_OPEN_R; 942 943 if (fm & O_CREAT) 944 e += 1; 945 if (fm & O_TRUNC) 946 e += 2; 947 948 return (e); 949 } 950 951 /*ARGSUSED*/ 952 static void 953 aus_open(struct t_audit_data *tad) 954 { 955 klwp_t *clwp = ttolwp(curthread); 956 uint_t fm; 957 958 struct a { 959 long fnamep; /* char * */ 960 long fmode; 961 long cmode; 962 } *uap = (struct a *)clwp->lwp_ap; 963 964 fm = (uint_t)uap->fmode; 965 966 /* If no write, create, or trunc modes, mark as a public op */ 967 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 968 tad->tad_ctrl |= PAD_PUBLIC_EV; 969 } 970 971 /* convert openat(2) to appropriate event */ 972 static au_event_t 973 aui_fsat(au_event_t e) 974 { 975 t_audit_data_t *tad = U2A(u); 976 klwp_t *clwp = ttolwp(curthread); 977 uint_t fmcode, fm; 978 struct a { 979 long id; 980 long arg1; 981 long arg2; 982 long arg3; 983 long arg4; 984 long arg5; 985 } *uap = (struct a *)clwp->lwp_ap; 986 987 fmcode = (uint_t)uap->id; 988 989 switch (fmcode) { 990 991 case 0: /* openat */ 992 case 1: /* openat64 */ 993 fm = (uint_t)uap->arg3; 994 if (fm & O_WRONLY) 995 e = AUE_OPENAT_W; 996 else if (fm & O_RDWR) 997 e = AUE_OPENAT_RW; 998 else 999 e = AUE_OPENAT_R; 1000 1001 /* 1002 * openat modes are defined in the following order: 1003 * Read only 1004 * Read|Create 1005 * Read|Trunc 1006 * Read|Create|Trunc 1007 * Write Only 1008 * Write|Create 1009 * Write|Trunc 1010 * Write|Create|Trunc * RW Only 1011 * RW|Create 1012 * RW|Trunc 1013 * RW|Create|Trunc 1014 */ 1015 if (fm & O_CREAT) 1016 e += 1; /* increment to include CREAT in mode */ 1017 if (fm & O_TRUNC) 1018 e += 2; /* increment to include TRUNC in mode */ 1019 1020 /* convert to appropriate au_ctrl */ 1021 tad->tad_ctrl |= PAD_SAVPATH; 1022 if (fm & FXATTR) 1023 tad->tad_ctrl |= PAD_ATPATH; 1024 1025 1026 break; 1027 case 2: /* fstatat64 */ 1028 case 3: /* fstatat */ 1029 e = AUE_FSTATAT; 1030 break; 1031 case 4: /* fchownat */ 1032 e = AUE_FCHOWNAT; 1033 break; 1034 case 5: /* unlinkat */ 1035 e = AUE_UNLINKAT; 1036 break; 1037 case 6: /* futimesat */ 1038 e = AUE_FUTIMESAT; 1039 break; 1040 case 7: /* renameat */ 1041 e = AUE_RENAMEAT; 1042 break; 1043 case 9: /* __openattrdirat */ 1044 tad->tad_ctrl |= PAD_SAVPATH; 1045 /*FALLTHROUGH*/ 1046 default: 1047 e = AUE_NULL; 1048 break; 1049 } 1050 1051 return (e); 1052 } 1053 1054 /*ARGSUSED*/ 1055 static void 1056 aus_fsat(struct t_audit_data *tad) 1057 { 1058 klwp_t *clwp = ttolwp(curthread); 1059 uint_t fmcode, fm; 1060 struct a { 1061 long id; 1062 long arg1; 1063 long arg2; 1064 long arg3; 1065 long arg4; 1066 long arg5; 1067 } *uap = (struct a *)clwp->lwp_ap; 1068 1069 fmcode = (uint_t)uap->id; 1070 1071 switch (fmcode) { 1072 1073 case 0: /* openat */ 1074 case 1: /* openat64 */ 1075 fm = (uint_t)uap->arg3; 1076 /* If no write, create, or trunc modes, mark as a public op */ 1077 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1078 tad->tad_ctrl |= PAD_PUBLIC_EV; 1079 1080 break; 1081 case 2: /* fstatat64 */ 1082 case 3: /* fstatat */ 1083 tad->tad_ctrl |= PAD_PUBLIC_EV; 1084 break; 1085 default: 1086 break; 1087 } 1088 } 1089 1090 /* msgsys */ 1091 static au_event_t 1092 aui_msgsys(au_event_t e) 1093 { 1094 klwp_t *clwp = ttolwp(curthread); 1095 uint_t fm; 1096 1097 struct a { 1098 long id; /* function code id */ 1099 long ap; /* arg pointer for recvmsg */ 1100 } *uap = (struct a *)clwp->lwp_ap; 1101 1102 struct b { 1103 long msgid; 1104 long cmd; 1105 long buf; /* struct msqid_ds * */ 1106 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1107 1108 fm = (uint_t)uap->id; 1109 1110 switch (fm) { 1111 case 0: /* msgget */ 1112 e = AUE_MSGGET; 1113 break; 1114 case 1: /* msgctl */ 1115 switch ((uint_t)uap1->cmd) { 1116 case IPC_RMID: 1117 e = AUE_MSGCTL_RMID; 1118 break; 1119 case IPC_SET: 1120 e = AUE_MSGCTL_SET; 1121 break; 1122 case IPC_STAT: 1123 e = AUE_MSGCTL_STAT; 1124 break; 1125 default: 1126 e = AUE_MSGCTL; 1127 break; 1128 } 1129 break; 1130 case 2: /* msgrcv */ 1131 e = AUE_MSGRCV; 1132 break; 1133 case 3: /* msgsnd */ 1134 e = AUE_MSGSND; 1135 break; 1136 default: /* illegal system call */ 1137 e = AUE_NULL; 1138 break; 1139 } 1140 1141 return (e); 1142 } 1143 1144 1145 /* shmsys */ 1146 static au_event_t 1147 aui_shmsys(au_event_t e) 1148 { 1149 klwp_t *clwp = ttolwp(curthread); 1150 int fm; 1151 1152 struct a { /* shmsys */ 1153 long id; /* function code id */ 1154 } *uap = (struct a *)clwp->lwp_ap; 1155 1156 struct b { /* ctrl */ 1157 long shmid; 1158 long cmd; 1159 long arg; /* struct shmid_ds * */ 1160 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1161 fm = (uint_t)uap->id; 1162 1163 switch (fm) { 1164 case 0: /* shmat */ 1165 e = AUE_SHMAT; 1166 break; 1167 case 1: /* shmctl */ 1168 switch ((uint_t)uap1->cmd) { 1169 case IPC_RMID: 1170 e = AUE_SHMCTL_RMID; 1171 break; 1172 case IPC_SET: 1173 e = AUE_SHMCTL_SET; 1174 break; 1175 case IPC_STAT: 1176 e = AUE_SHMCTL_STAT; 1177 break; 1178 default: 1179 e = AUE_SHMCTL; 1180 break; 1181 } 1182 break; 1183 case 2: /* shmdt */ 1184 e = AUE_SHMDT; 1185 break; 1186 case 3: /* shmget */ 1187 e = AUE_SHMGET; 1188 break; 1189 default: /* illegal system call */ 1190 e = AUE_NULL; 1191 break; 1192 } 1193 1194 return (e); 1195 } 1196 1197 1198 /* semsys */ 1199 static au_event_t 1200 aui_semsys(au_event_t e) 1201 { 1202 klwp_t *clwp = ttolwp(curthread); 1203 uint_t fm; 1204 1205 struct a { /* semsys */ 1206 long id; 1207 } *uap = (struct a *)clwp->lwp_ap; 1208 1209 struct b { /* ctrl */ 1210 long semid; 1211 long semnum; 1212 long cmd; 1213 long arg; 1214 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1215 1216 fm = (uint_t)uap->id; 1217 1218 switch (fm) { 1219 case 0: /* semctl */ 1220 switch ((uint_t)uap1->cmd) { 1221 case IPC_RMID: 1222 e = AUE_SEMCTL_RMID; 1223 break; 1224 case IPC_SET: 1225 e = AUE_SEMCTL_SET; 1226 break; 1227 case IPC_STAT: 1228 e = AUE_SEMCTL_STAT; 1229 break; 1230 case GETNCNT: 1231 e = AUE_SEMCTL_GETNCNT; 1232 break; 1233 case GETPID: 1234 e = AUE_SEMCTL_GETPID; 1235 break; 1236 case GETVAL: 1237 e = AUE_SEMCTL_GETVAL; 1238 break; 1239 case GETALL: 1240 e = AUE_SEMCTL_GETALL; 1241 break; 1242 case GETZCNT: 1243 e = AUE_SEMCTL_GETZCNT; 1244 break; 1245 case SETVAL: 1246 e = AUE_SEMCTL_SETVAL; 1247 break; 1248 case SETALL: 1249 e = AUE_SEMCTL_SETALL; 1250 break; 1251 default: 1252 e = AUE_SEMCTL; 1253 break; 1254 } 1255 break; 1256 case 1: /* semget */ 1257 e = AUE_SEMGET; 1258 break; 1259 case 2: /* semop */ 1260 e = AUE_SEMOP; 1261 break; 1262 default: /* illegal system call */ 1263 e = AUE_NULL; 1264 break; 1265 } 1266 1267 return (e); 1268 } 1269 1270 /* utssys - uname(2), ustat(2), fusers(2) */ 1271 static au_event_t 1272 aui_utssys(au_event_t e) 1273 { 1274 klwp_t *clwp = ttolwp(curthread); 1275 uint_t type; 1276 1277 struct a { 1278 union { 1279 long cbuf; /* char * */ 1280 long ubuf; /* struct stat * */ 1281 } ub; 1282 union { 1283 long mv; /* for USTAT */ 1284 long flags; /* for FUSERS */ 1285 } un; 1286 long type; 1287 long outbp; /* char * for FUSERS */ 1288 } *uap = (struct a *)clwp->lwp_ap; 1289 1290 type = (uint_t)uap->type; 1291 1292 if (type == UTS_FUSERS) 1293 return (e); 1294 else 1295 return ((au_event_t)AUE_NULL); 1296 } 1297 1298 static au_event_t 1299 aui_fcntl(au_event_t e) 1300 { 1301 klwp_t *clwp = ttolwp(curthread); 1302 uint_t cmd; 1303 1304 struct a { 1305 long fdes; 1306 long cmd; 1307 long arg; 1308 } *uap = (struct a *)clwp->lwp_ap; 1309 1310 cmd = (uint_t)uap->cmd; 1311 1312 switch (cmd) { 1313 case F_GETLK: 1314 case F_SETLK: 1315 case F_SETLKW: 1316 break; 1317 case F_SETFL: 1318 case F_GETFL: 1319 case F_GETFD: 1320 break; 1321 default: 1322 e = (au_event_t)AUE_NULL; 1323 break; 1324 } 1325 return ((au_event_t)e); 1326 } 1327 1328 /* null function for now */ 1329 static au_event_t 1330 aui_execv(au_event_t e) 1331 { 1332 return (e); 1333 } 1334 1335 /* null function for now */ 1336 static au_event_t 1337 aui_execve(au_event_t e) 1338 { 1339 return (e); 1340 } 1341 1342 /*ARGSUSED*/ 1343 static void 1344 aus_fcntl(struct t_audit_data *tad) 1345 { 1346 klwp_t *clwp = ttolwp(curthread); 1347 uint32_t cmd, fd; 1348 struct file *fp; 1349 struct vnode *vp; 1350 struct f_audit_data *fad; 1351 1352 struct a { 1353 long fd; 1354 long cmd; 1355 long arg; 1356 } *uap = (struct a *)clwp->lwp_ap; 1357 1358 cmd = (uint32_t)uap->cmd; 1359 fd = (uint32_t)uap->fd; 1360 1361 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1362 1363 /* 1364 * convert file pointer to file descriptor 1365 * Note: fd ref count incremented here. 1366 */ 1367 if ((fp = getf(fd)) == NULL) 1368 return; 1369 1370 /* get path from file struct here */ 1371 fad = F2A(fp); 1372 if (fad->fad_aupath != NULL) { 1373 au_uwrite(au_to_path(fad->fad_aupath)); 1374 } else { 1375 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1376 } 1377 1378 vp = fp->f_vnode; 1379 audit_attributes(vp); 1380 1381 /* decrement file descriptor reference count */ 1382 releasef(fd); 1383 } 1384 1385 /*ARGSUSED*/ 1386 static void 1387 aus_kill(struct t_audit_data *tad) 1388 { 1389 klwp_t *clwp = ttolwp(curthread); 1390 struct proc *p; 1391 uint32_t signo; 1392 uid_t uid, ruid; 1393 gid_t gid, rgid; 1394 pid_t pid; 1395 const auditinfo_addr_t *ainfo; 1396 cred_t *cr; 1397 1398 struct a { 1399 long pid; 1400 long signo; 1401 } *uap = (struct a *)clwp->lwp_ap; 1402 1403 pid = (pid_t)uap->pid; 1404 signo = (uint32_t)uap->signo; 1405 1406 au_uwrite(au_to_arg32(2, "signal", signo)); 1407 if (pid > 0) { 1408 mutex_enter(&pidlock); 1409 if (((p = prfind(pid)) == (struct proc *)0) || 1410 (p->p_stat == SIDL)) { 1411 mutex_exit(&pidlock); 1412 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1413 return; 1414 } 1415 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1416 mutex_exit(&pidlock); 1417 1418 mutex_enter(&p->p_crlock); 1419 crhold(cr = p->p_cred); 1420 mutex_exit(&p->p_crlock); 1421 mutex_exit(&p->p_lock); 1422 1423 ainfo = crgetauinfo(cr); 1424 if (ainfo == NULL) { 1425 crfree(cr); 1426 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1427 return; 1428 } 1429 1430 uid = crgetuid(cr); 1431 gid = crgetgid(cr); 1432 ruid = crgetruid(cr); 1433 rgid = crgetrgid(cr); 1434 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1435 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1436 1437 if (is_system_labeled()) 1438 au_uwrite(au_to_label(CR_SL(cr))); 1439 1440 crfree(cr); 1441 } 1442 else 1443 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1444 } 1445 1446 /*ARGSUSED*/ 1447 static void 1448 aus_mkdir(struct t_audit_data *tad) 1449 { 1450 klwp_t *clwp = ttolwp(curthread); 1451 uint32_t dmode; 1452 1453 struct a { 1454 long dirnamep; /* char * */ 1455 long dmode; 1456 } *uap = (struct a *)clwp->lwp_ap; 1457 1458 dmode = (uint32_t)uap->dmode; 1459 1460 au_uwrite(au_to_arg32(2, "mode", dmode)); 1461 } 1462 1463 /*ARGSUSED*/ 1464 static void 1465 aus_mknod(struct t_audit_data *tad) 1466 { 1467 klwp_t *clwp = ttolwp(curthread); 1468 uint32_t fmode; 1469 dev_t dev; 1470 1471 struct a { 1472 long pnamep; /* char * */ 1473 long fmode; 1474 long dev; 1475 } *uap = (struct a *)clwp->lwp_ap; 1476 1477 fmode = (uint32_t)uap->fmode; 1478 dev = (dev_t)uap->dev; 1479 1480 au_uwrite(au_to_arg32(2, "mode", fmode)); 1481 #ifdef _LP64 1482 au_uwrite(au_to_arg64(3, "dev", dev)); 1483 #else 1484 au_uwrite(au_to_arg32(3, "dev", dev)); 1485 #endif 1486 } 1487 1488 /*ARGSUSED*/ 1489 static void 1490 aus_xmknod(struct t_audit_data *tad) 1491 { 1492 klwp_t *clwp = ttolwp(curthread); 1493 uint32_t fmode; 1494 dev_t dev; 1495 1496 struct a { 1497 long version; /* version */ 1498 long pnamep; /* char * */ 1499 long fmode; 1500 long dev; 1501 } *uap = (struct a *)clwp->lwp_ap; 1502 1503 fmode = (uint32_t)uap->fmode; 1504 dev = (dev_t)uap->dev; 1505 1506 au_uwrite(au_to_arg32(2, "mode", fmode)); 1507 #ifdef _LP64 1508 au_uwrite(au_to_arg64(3, "dev", dev)); 1509 #else 1510 au_uwrite(au_to_arg32(3, "dev", dev)); 1511 #endif 1512 } 1513 1514 /*ARGSUSED*/ 1515 static void 1516 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1517 { 1518 klwp_t *clwp = ttolwp(curthread); 1519 vnode_t *dvp; 1520 caddr_t pnamep; 1521 1522 struct a { 1523 long pnamep; /* char * */ 1524 long fmode; 1525 long dev; 1526 } *uap = (struct a *)clwp->lwp_ap; 1527 1528 /* no error, then already path token in audit record */ 1529 if (error != EPERM) 1530 return; 1531 1532 /* not auditing this event, nothing then to do */ 1533 if (tad->tad_flag == 0) 1534 return; 1535 1536 /* do the lookup to force generation of path token */ 1537 pnamep = (caddr_t)uap->pnamep; 1538 tad->tad_ctrl |= PAD_NOATTRB; 1539 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1540 if (error == 0) 1541 VN_RELE(dvp); 1542 } 1543 1544 /*ARGSUSED*/ 1545 static void 1546 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1547 { 1548 klwp_t *clwp = ttolwp(curthread); 1549 vnode_t *dvp; 1550 caddr_t pnamep; 1551 1552 struct a { 1553 long version; /* version */ 1554 long pnamep; /* char * */ 1555 long fmode; 1556 long dev; 1557 } *uap = (struct a *)clwp->lwp_arg; 1558 1559 1560 /* no error, then already path token in audit record */ 1561 if (error != EPERM) 1562 return; 1563 1564 /* not auditing this event, nothing then to do */ 1565 if (tad->tad_flag == 0) 1566 return; 1567 1568 /* do the lookup to force generation of path token */ 1569 pnamep = (caddr_t)uap->pnamep; 1570 tad->tad_ctrl |= PAD_NOATTRB; 1571 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1572 if (error == 0) 1573 VN_RELE(dvp); 1574 } 1575 1576 /*ARGSUSED*/ 1577 static void 1578 aus_mount(struct t_audit_data *tad) 1579 { /* AUS_START */ 1580 klwp_t *clwp = ttolwp(curthread); 1581 uint32_t flags; 1582 uintptr_t u_fstype, dataptr; 1583 STRUCT_DECL(nfs_args, nfsargs); 1584 size_t len; 1585 char *fstype, *hostname; 1586 1587 struct a { 1588 long spec; /* char * */ 1589 long dir; /* char * */ 1590 long flags; 1591 long fstype; /* char * */ 1592 long dataptr; /* char * */ 1593 long datalen; 1594 } *uap = (struct a *)clwp->lwp_ap; 1595 1596 u_fstype = (uintptr_t)uap->fstype; 1597 flags = (uint32_t)uap->flags; 1598 dataptr = (uintptr_t)uap->dataptr; 1599 1600 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1601 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1602 goto mount_free_fstype; 1603 1604 au_uwrite(au_to_arg32(3, "flags", flags)); 1605 au_uwrite(au_to_text(fstype)); 1606 1607 if (strncmp(fstype, "nfs", 3) == 0) { 1608 1609 STRUCT_INIT(nfsargs, get_udatamodel()); 1610 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1611 1612 if (copyin((caddr_t)dataptr, 1613 STRUCT_BUF(nfsargs), 1614 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1615 /* DEBUG debug_enter((char *)NULL); */ 1616 goto mount_free_fstype; 1617 } 1618 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1619 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1620 (caddr_t)hostname, 1621 MAXNAMELEN, &len)) { 1622 goto mount_free_hostname; 1623 } 1624 au_uwrite(au_to_text(hostname)); 1625 au_uwrite(au_to_arg32(3, "internal flags", 1626 (uint_t)STRUCT_FGET(nfsargs, flags))); 1627 1628 mount_free_hostname: 1629 kmem_free(hostname, MAXNAMELEN); 1630 } 1631 1632 mount_free_fstype: 1633 kmem_free(fstype, MAXNAMELEN); 1634 } /* AUS_MOUNT */ 1635 1636 static void 1637 aus_umount_path(caddr_t umount_dir) 1638 { 1639 char *dir_path; 1640 struct audit_path *path; 1641 size_t path_len, dir_len; 1642 1643 /* length alloc'd for two string pointers */ 1644 path_len = sizeof (struct audit_path) + sizeof (char *); 1645 path = kmem_alloc(path_len, KM_SLEEP); 1646 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1647 1648 if (copyinstr(umount_dir, (caddr_t)dir_path, 1649 MAXPATHLEN, &dir_len)) 1650 goto umount2_free_dir; 1651 1652 /* 1653 * the audit_path struct assumes that the buffer pointed to 1654 * by audp_sect[n] contains string 0 immediatedly followed 1655 * by string 1. 1656 */ 1657 path->audp_sect[0] = dir_path; 1658 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1659 path->audp_size = path_len; 1660 path->audp_ref = 1; /* not used */ 1661 path->audp_cnt = 1; /* one path string */ 1662 1663 au_uwrite(au_to_path(path)); 1664 1665 umount2_free_dir: 1666 kmem_free(dir_path, MAXPATHLEN); 1667 kmem_free(path, path_len); 1668 } 1669 1670 /* 1671 * the umount syscall is implemented as a call to umount2, but the args 1672 * are different... 1673 */ 1674 1675 /*ARGSUSED*/ 1676 static void 1677 aus_umount(struct t_audit_data *tad) 1678 { 1679 klwp_t *clwp = ttolwp(curthread); 1680 struct a { 1681 long dir; /* char * */ 1682 } *uap = (struct a *)clwp->lwp_ap; 1683 1684 aus_umount_path((caddr_t)uap->dir); 1685 } 1686 1687 /*ARGSUSED*/ 1688 static void 1689 aus_umount2(struct t_audit_data *tad) 1690 { 1691 klwp_t *clwp = ttolwp(curthread); 1692 struct a { 1693 long dir; /* char * */ 1694 long flags; 1695 } *uap = (struct a *)clwp->lwp_ap; 1696 1697 aus_umount_path((caddr_t)uap->dir); 1698 1699 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1700 } 1701 1702 static void 1703 aus_msgsys(struct t_audit_data *tad) 1704 { 1705 klwp_t *clwp = ttolwp(curthread); 1706 uint32_t msgid; 1707 1708 struct b { 1709 long msgid; 1710 long cmd; 1711 long buf; /* struct msqid_ds * */ 1712 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1713 1714 msgid = (uint32_t)uap1->msgid; 1715 1716 1717 switch (tad->tad_event) { 1718 case AUE_MSGGET: /* msgget */ 1719 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1720 break; 1721 case AUE_MSGCTL: /* msgctl */ 1722 case AUE_MSGCTL_RMID: /* msgctl */ 1723 case AUE_MSGCTL_STAT: /* msgctl */ 1724 case AUE_MSGRCV: /* msgrcv */ 1725 case AUE_MSGSND: /* msgsnd */ 1726 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1727 break; 1728 case AUE_MSGCTL_SET: /* msgctl */ 1729 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1730 break; 1731 } 1732 } 1733 1734 /*ARGSUSED*/ 1735 static void 1736 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1737 { 1738 int id; 1739 1740 if (error != 0) 1741 return; 1742 if (tad->tad_event == AUE_MSGGET) { 1743 uint32_t scid; 1744 uint32_t sy_flags; 1745 1746 /* need to determine type of executing binary */ 1747 scid = tad->tad_scid; 1748 #ifdef _SYSCALL32_IMPL 1749 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1750 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1751 else 1752 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1753 #else 1754 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1755 #endif 1756 if (sy_flags == SE_32RVAL1) 1757 id = rval->r_val1; 1758 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1759 id = rval->r_val1; 1760 if (sy_flags == SE_64RVAL) 1761 id = (int)rval->r_vals; 1762 1763 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1764 } 1765 } 1766 1767 static void 1768 aus_semsys(struct t_audit_data *tad) 1769 { 1770 klwp_t *clwp = ttolwp(curthread); 1771 uint32_t semid; 1772 1773 struct b { /* ctrl */ 1774 long semid; 1775 long semnum; 1776 long cmd; 1777 long arg; 1778 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1779 1780 semid = (uint32_t)uap1->semid; 1781 1782 switch (tad->tad_event) { 1783 case AUE_SEMCTL_RMID: 1784 case AUE_SEMCTL_STAT: 1785 case AUE_SEMCTL_GETNCNT: 1786 case AUE_SEMCTL_GETPID: 1787 case AUE_SEMCTL_GETVAL: 1788 case AUE_SEMCTL_GETALL: 1789 case AUE_SEMCTL_GETZCNT: 1790 case AUE_SEMCTL_SETVAL: 1791 case AUE_SEMCTL_SETALL: 1792 case AUE_SEMCTL: 1793 case AUE_SEMOP: 1794 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1795 break; 1796 case AUE_SEMCTL_SET: 1797 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1798 break; 1799 case AUE_SEMGET: 1800 au_uwrite(au_to_arg32(1, "sem key", semid)); 1801 break; 1802 } 1803 } 1804 1805 /*ARGSUSED*/ 1806 static void 1807 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1808 { 1809 int id; 1810 1811 if (error != 0) 1812 return; 1813 if (tad->tad_event == AUE_SEMGET) { 1814 uint32_t scid; 1815 uint32_t sy_flags; 1816 1817 /* need to determine type of executing binary */ 1818 scid = tad->tad_scid; 1819 #ifdef _SYSCALL32_IMPL 1820 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1821 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1822 else 1823 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1824 #else 1825 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1826 #endif 1827 if (sy_flags == SE_32RVAL1) 1828 id = rval->r_val1; 1829 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1830 id = rval->r_val1; 1831 if (sy_flags == SE_64RVAL) 1832 id = (int)rval->r_vals; 1833 1834 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1835 } 1836 } 1837 1838 /*ARGSUSED*/ 1839 static void 1840 aus_close(struct t_audit_data *tad) 1841 { 1842 klwp_t *clwp = ttolwp(curthread); 1843 uint32_t fd; 1844 struct file *fp; 1845 struct f_audit_data *fad; 1846 struct vnode *vp; 1847 struct vattr attr; 1848 au_kcontext_t *kctx = GET_KCTX_PZ; 1849 1850 struct a { 1851 long i; 1852 } *uap = (struct a *)clwp->lwp_ap; 1853 1854 fd = (uint32_t)uap->i; 1855 1856 attr.va_mask = 0; 1857 au_uwrite(au_to_arg32(1, "fd", fd)); 1858 1859 /* 1860 * convert file pointer to file descriptor 1861 * Note: fd ref count incremented here. 1862 */ 1863 if ((fp = getf(fd)) == NULL) 1864 return; 1865 1866 fad = F2A(fp); 1867 tad->tad_evmod = (short)fad->fad_flags; 1868 if (fad->fad_aupath != NULL) { 1869 au_uwrite(au_to_path(fad->fad_aupath)); 1870 if ((vp = fp->f_vnode) != NULL) { 1871 attr.va_mask = AT_ALL; 1872 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1873 /* 1874 * When write was not used and the file can be 1875 * considered public, skip the audit. 1876 */ 1877 if (((fp->f_flag & FWRITE) == 0) && 1878 file_is_public(&attr)) { 1879 tad->tad_flag = 0; 1880 tad->tad_evmod = 0; 1881 /* free any residual audit data */ 1882 au_close(kctx, &(u_ad), 0, 0, 0); 1883 releasef(fd); 1884 return; 1885 } 1886 au_uwrite(au_to_attr(&attr)); 1887 audit_sec_attributes(&(u_ad), vp); 1888 } 1889 } 1890 } 1891 1892 /* decrement file descriptor reference count */ 1893 releasef(fd); 1894 } 1895 1896 /*ARGSUSED*/ 1897 static void 1898 aus_fstatfs(struct t_audit_data *tad) 1899 { 1900 klwp_t *clwp = ttolwp(curthread); 1901 uint32_t fd; 1902 struct file *fp; 1903 struct vnode *vp; 1904 struct f_audit_data *fad; 1905 1906 struct a { 1907 long fd; 1908 long buf; /* struct statfs * */ 1909 } *uap = (struct a *)clwp->lwp_ap; 1910 1911 fd = (uint_t)uap->fd; 1912 1913 /* 1914 * convert file pointer to file descriptor 1915 * Note: fd ref count incremented here. 1916 */ 1917 if ((fp = getf(fd)) == NULL) 1918 return; 1919 1920 /* get path from file struct here */ 1921 fad = F2A(fp); 1922 if (fad->fad_aupath != NULL) { 1923 au_uwrite(au_to_path(fad->fad_aupath)); 1924 } else { 1925 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1926 } 1927 1928 vp = fp->f_vnode; 1929 audit_attributes(vp); 1930 1931 /* decrement file descriptor reference count */ 1932 releasef(fd); 1933 } 1934 1935 #ifdef NOTYET 1936 /*ARGSUSED*/ 1937 static void 1938 aus_setpgrp(struct t_audit_data *tad) 1939 { 1940 klwp_t *clwp = ttolwp(curthread); 1941 uint32_t pgrp; 1942 struct proc *p; 1943 uid_t uid, ruid; 1944 gid_t gid, rgid; 1945 pid_t pid; 1946 const auditinfo_addr_t *ainfo; 1947 cred_t *cr; 1948 1949 struct a { 1950 long pid; 1951 long pgrp; 1952 } *uap = (struct a *)clwp->lwp_ap; 1953 1954 pid = (pid_t)uap->pid; 1955 pgrp = (uint32_t)uap->pgrp; 1956 1957 /* current process? */ 1958 if (pid == 0) 1959 (return); 1960 1961 mutex_enter(&pidlock); 1962 p = prfind(pid); 1963 if (p == NULL || p->p_as == &kas) { 1964 mutex_exit(&pidlock); 1965 return; 1966 } 1967 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1968 mutex_exit(&pidlock); 1969 1970 mutex_enter(&p->p_crlock); 1971 crhold(cr = p->p_cred); 1972 mutex_exit(&p->p_crlock); 1973 mutex_exit(&p->p_lock); 1974 1975 ainfo = crgetauinfo(cr); 1976 if (ainfo == NULL) { 1977 crfree(cr); 1978 return; 1979 } 1980 1981 uid = crgetuid(cr); 1982 gid = crgetgid(cr); 1983 ruid = crgetruid(cr); 1984 rgid = crgetrgid(cr); 1985 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1986 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1987 crfree(cr); 1988 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1989 } 1990 #endif 1991 1992 /*ARGSUSED*/ 1993 static void 1994 aus_setregid(struct t_audit_data *tad) 1995 { 1996 klwp_t *clwp = ttolwp(curthread); 1997 uint32_t rgid, egid; 1998 1999 struct a { 2000 long rgid; 2001 long egid; 2002 } *uap = (struct a *)clwp->lwp_ap; 2003 2004 rgid = (uint32_t)uap->rgid; 2005 egid = (uint32_t)uap->egid; 2006 2007 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2008 au_uwrite(au_to_arg32(2, "egid", egid)); 2009 } 2010 2011 /*ARGSUSED*/ 2012 static void 2013 aus_setgid(struct t_audit_data *tad) 2014 { 2015 klwp_t *clwp = ttolwp(curthread); 2016 uint32_t gid; 2017 2018 struct a { 2019 long gid; 2020 } *uap = (struct a *)clwp->lwp_ap; 2021 2022 gid = (uint32_t)uap->gid; 2023 2024 au_uwrite(au_to_arg32(1, "gid", gid)); 2025 } 2026 2027 2028 /*ARGSUSED*/ 2029 static void 2030 aus_setreuid(struct t_audit_data *tad) 2031 { 2032 klwp_t *clwp = ttolwp(curthread); 2033 uint32_t ruid, euid; 2034 2035 struct a { 2036 long ruid; 2037 long euid; 2038 } *uap = (struct a *)clwp->lwp_ap; 2039 2040 ruid = (uint32_t)uap->ruid; 2041 euid = (uint32_t)uap->euid; 2042 2043 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2044 au_uwrite(au_to_arg32(2, "euid", euid)); 2045 } 2046 2047 2048 /*ARGSUSED*/ 2049 static void 2050 aus_setuid(struct t_audit_data *tad) 2051 { 2052 klwp_t *clwp = ttolwp(curthread); 2053 uint32_t uid; 2054 2055 struct a { 2056 long uid; 2057 } *uap = (struct a *)clwp->lwp_ap; 2058 2059 uid = (uint32_t)uap->uid; 2060 2061 au_uwrite(au_to_arg32(1, "uid", uid)); 2062 } 2063 2064 /*ARGSUSED*/ 2065 static void 2066 aus_shmsys(struct t_audit_data *tad) 2067 { 2068 klwp_t *clwp = ttolwp(curthread); 2069 uint32_t id, cmd; 2070 2071 struct b { 2072 long id; 2073 long cmd; 2074 long buf; /* struct shmid_ds * */ 2075 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2076 2077 id = (uint32_t)uap1->id; 2078 cmd = (uint32_t)uap1->cmd; 2079 2080 switch (tad->tad_event) { 2081 case AUE_SHMGET: /* shmget */ 2082 au_uwrite(au_to_arg32(1, "shm key", id)); 2083 break; 2084 case AUE_SHMCTL: /* shmctl */ 2085 case AUE_SHMCTL_RMID: /* shmctl */ 2086 case AUE_SHMCTL_STAT: /* shmctl */ 2087 case AUE_SHMCTL_SET: /* shmctl */ 2088 au_uwrite(au_to_arg32(1, "shm ID", id)); 2089 break; 2090 case AUE_SHMDT: /* shmdt */ 2091 au_uwrite(au_to_arg32(1, "shm adr", id)); 2092 break; 2093 case AUE_SHMAT: /* shmat */ 2094 au_uwrite(au_to_arg32(1, "shm ID", id)); 2095 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2096 break; 2097 } 2098 } 2099 2100 /*ARGSUSED*/ 2101 static void 2102 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2103 { 2104 int id; 2105 2106 if (error != 0) 2107 return; 2108 if (tad->tad_event == AUE_SHMGET) { 2109 uint32_t scid; 2110 uint32_t sy_flags; 2111 2112 /* need to determine type of executing binary */ 2113 scid = tad->tad_scid; 2114 #ifdef _SYSCALL32_IMPL 2115 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2116 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2117 else 2118 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2119 #else 2120 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2121 #endif 2122 if (sy_flags == SE_32RVAL1) 2123 id = rval->r_val1; 2124 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2125 id = rval->r_val1; 2126 if (sy_flags == SE_64RVAL) 2127 id = (int)rval->r_vals; 2128 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2129 } 2130 } 2131 2132 2133 /*ARGSUSED*/ 2134 static void 2135 aus_ioctl(struct t_audit_data *tad) 2136 { 2137 klwp_t *clwp = ttolwp(curthread); 2138 struct file *fp; 2139 struct vnode *vp; 2140 struct f_audit_data *fad; 2141 uint32_t fd, cmd; 2142 uintptr_t cmarg; 2143 2144 /* XX64 */ 2145 struct a { 2146 long fd; 2147 long cmd; 2148 long cmarg; /* caddr_t */ 2149 } *uap = (struct a *)clwp->lwp_ap; 2150 2151 fd = (uint32_t)uap->fd; 2152 cmd = (uint32_t)uap->cmd; 2153 cmarg = (uintptr_t)uap->cmarg; 2154 2155 /* 2156 * convert file pointer to file descriptor 2157 * Note: fd ref count incremented here. 2158 */ 2159 if ((fp = getf(fd)) == NULL) { 2160 au_uwrite(au_to_arg32(1, "fd", fd)); 2161 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2162 #ifndef _LP64 2163 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2164 #else 2165 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2166 #endif 2167 return; 2168 } 2169 2170 /* get path from file struct here */ 2171 fad = F2A(fp); 2172 if (fad->fad_aupath != NULL) { 2173 au_uwrite(au_to_path(fad->fad_aupath)); 2174 } else { 2175 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2176 } 2177 2178 vp = fp->f_vnode; 2179 audit_attributes(vp); 2180 2181 /* decrement file descriptor reference count */ 2182 releasef(fd); 2183 2184 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2185 #ifndef _LP64 2186 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2187 #else 2188 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2189 #endif 2190 } 2191 2192 /* 2193 * null function for memcntl for now. We might want to limit memcntl() 2194 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2195 * require privileges. 2196 */ 2197 static au_event_t 2198 aui_memcntl(au_event_t e) 2199 { 2200 return (e); 2201 } 2202 2203 /*ARGSUSED*/ 2204 static au_event_t 2205 aui_privsys(au_event_t e) 2206 { 2207 klwp_t *clwp = ttolwp(curthread); 2208 2209 struct a { 2210 long opcode; 2211 } *uap = (struct a *)clwp->lwp_ap; 2212 2213 switch (uap->opcode) { 2214 case PRIVSYS_SETPPRIV: 2215 return (AUE_SETPPRIV); 2216 default: 2217 return (AUE_NULL); 2218 } 2219 } 2220 2221 /*ARGSUSED*/ 2222 static void 2223 aus_memcntl(struct t_audit_data *tad) 2224 { 2225 klwp_t *clwp = ttolwp(curthread); 2226 2227 struct a { 2228 long addr; 2229 long len; 2230 long cmd; 2231 long arg; 2232 long attr; 2233 long mask; 2234 } *uap = (struct a *)clwp->lwp_ap; 2235 2236 #ifdef _LP64 2237 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2238 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2239 #else 2240 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2241 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2242 #endif 2243 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2244 #ifdef _LP64 2245 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2246 #else 2247 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2248 #endif 2249 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2250 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2251 } 2252 2253 /*ARGSUSED*/ 2254 static void 2255 aus_mmap(struct t_audit_data *tad) 2256 { 2257 klwp_t *clwp = ttolwp(curthread); 2258 struct file *fp; 2259 struct f_audit_data *fad; 2260 struct vnode *vp; 2261 uint32_t fd; 2262 2263 struct a { 2264 long addr; 2265 long len; 2266 long prot; 2267 long flags; 2268 long fd; 2269 long pos; 2270 } *uap = (struct a *)clwp->lwp_ap; 2271 2272 fd = (uint32_t)uap->fd; 2273 2274 #ifdef _LP64 2275 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2276 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2277 #else 2278 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2279 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2280 #endif 2281 2282 if ((fp = getf(fd)) == NULL) { 2283 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2284 return; 2285 } 2286 2287 /* 2288 * Mark in the tad if write access is NOT requested... if 2289 * this is later detected (in audit_attributes) to be a 2290 * public object, the mmap event may be discarded. 2291 */ 2292 if (((uap->prot) & PROT_WRITE) == 0) { 2293 tad->tad_ctrl |= PAD_PUBLIC_EV; 2294 } 2295 2296 fad = F2A(fp); 2297 if (fad->fad_aupath != NULL) { 2298 au_uwrite(au_to_path(fad->fad_aupath)); 2299 } else { 2300 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2301 } 2302 2303 vp = (struct vnode *)fp->f_vnode; 2304 audit_attributes(vp); 2305 2306 /* mark READ/WRITE since we can't predict access */ 2307 if (uap->prot & PROT_READ) 2308 fad->fad_flags |= FAD_READ; 2309 if (uap->prot & PROT_WRITE) 2310 fad->fad_flags |= FAD_WRITE; 2311 2312 /* decrement file descriptor reference count */ 2313 releasef(fd); 2314 2315 } /* AUS_MMAP */ 2316 2317 2318 2319 2320 /*ARGSUSED*/ 2321 static void 2322 aus_munmap(struct t_audit_data *tad) 2323 { 2324 klwp_t *clwp = ttolwp(curthread); 2325 2326 struct a { 2327 long addr; 2328 long len; 2329 } *uap = (struct a *)clwp->lwp_ap; 2330 2331 #ifdef _LP64 2332 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2333 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2334 #else 2335 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2336 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2337 #endif 2338 2339 } /* AUS_MUNMAP */ 2340 2341 2342 2343 2344 2345 2346 2347 /*ARGSUSED*/ 2348 static void 2349 aus_priocntlsys(struct t_audit_data *tad) 2350 { 2351 klwp_t *clwp = ttolwp(curthread); 2352 2353 struct a { 2354 long pc_version; 2355 long psp; /* procset_t */ 2356 long cmd; 2357 long arg; 2358 } *uap = (struct a *)clwp->lwp_ap; 2359 2360 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2361 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2362 2363 } /* AUS_PRIOCNTLSYS */ 2364 2365 2366 /*ARGSUSED*/ 2367 static void 2368 aus_setegid(struct t_audit_data *tad) 2369 { 2370 klwp_t *clwp = ttolwp(curthread); 2371 uint32_t gid; 2372 2373 struct a { 2374 long gid; 2375 } *uap = (struct a *)clwp->lwp_ap; 2376 2377 gid = (uint32_t)uap->gid; 2378 2379 au_uwrite(au_to_arg32(1, "gid", gid)); 2380 } /* AUS_SETEGID */ 2381 2382 2383 2384 2385 /*ARGSUSED*/ 2386 static void 2387 aus_setgroups(struct t_audit_data *tad) 2388 { 2389 klwp_t *clwp = ttolwp(curthread); 2390 int i; 2391 int gidsetsize; 2392 uintptr_t gidset; 2393 gid_t *gidlist; 2394 2395 struct a { 2396 long gidsetsize; 2397 long gidset; 2398 } *uap = (struct a *)clwp->lwp_ap; 2399 2400 gidsetsize = (uint_t)uap->gidsetsize; 2401 gidset = (uintptr_t)uap->gidset; 2402 2403 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2404 return; 2405 if (gidsetsize != 0) { 2406 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2407 KM_SLEEP); 2408 if (copyin((caddr_t)gidset, gidlist, 2409 gidsetsize * sizeof (gid_t)) == 0) 2410 for (i = 0; i < gidsetsize; i++) 2411 au_uwrite(au_to_arg32(1, "setgroups", 2412 (uint32_t)gidlist[i])); 2413 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2414 } else 2415 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2416 2417 } /* AUS_SETGROUPS */ 2418 2419 2420 2421 2422 2423 /*ARGSUSED*/ 2424 static void 2425 aus_seteuid(struct t_audit_data *tad) 2426 { 2427 klwp_t *clwp = ttolwp(curthread); 2428 uint32_t uid; 2429 2430 struct a { 2431 long uid; 2432 } *uap = (struct a *)clwp->lwp_ap; 2433 2434 uid = (uint32_t)uap->uid; 2435 2436 au_uwrite(au_to_arg32(1, "euid", uid)); 2437 2438 } /* AUS_SETEUID */ 2439 2440 /*ARGSUSED*/ 2441 static void 2442 aus_putmsg(struct t_audit_data *tad) 2443 { 2444 klwp_t *clwp = ttolwp(curthread); 2445 uint32_t fd, pri; 2446 struct file *fp; 2447 struct f_audit_data *fad; 2448 2449 struct a { 2450 long fdes; 2451 long ctl; /* struct strbuf * */ 2452 long data; /* struct strbuf * */ 2453 long pri; 2454 } *uap = (struct a *)clwp->lwp_ap; 2455 2456 fd = (uint32_t)uap->fdes; 2457 pri = (uint32_t)uap->pri; 2458 2459 au_uwrite(au_to_arg32(1, "fd", fd)); 2460 2461 if ((fp = getf(fd)) != NULL) { 2462 fad = F2A(fp); 2463 2464 fad->fad_flags |= FAD_WRITE; 2465 2466 /* add path name to audit record */ 2467 if (fad->fad_aupath != NULL) { 2468 au_uwrite(au_to_path(fad->fad_aupath)); 2469 } 2470 audit_attributes(fp->f_vnode); 2471 2472 releasef(fd); 2473 } 2474 2475 au_uwrite(au_to_arg32(4, "pri", pri)); 2476 } 2477 2478 /*ARGSUSED*/ 2479 static void 2480 aus_putpmsg(struct t_audit_data *tad) 2481 { 2482 klwp_t *clwp = ttolwp(curthread); 2483 uint32_t fd, pri, flags; 2484 struct file *fp; 2485 struct f_audit_data *fad; 2486 2487 struct a { 2488 long fdes; 2489 long ctl; /* struct strbuf * */ 2490 long data; /* struct strbuf * */ 2491 long pri; 2492 long flags; 2493 } *uap = (struct a *)clwp->lwp_ap; 2494 2495 fd = (uint32_t)uap->fdes; 2496 pri = (uint32_t)uap->pri; 2497 flags = (uint32_t)uap->flags; 2498 2499 au_uwrite(au_to_arg32(1, "fd", fd)); 2500 2501 if ((fp = getf(fd)) != NULL) { 2502 fad = F2A(fp); 2503 2504 fad->fad_flags |= FAD_WRITE; 2505 2506 /* add path name to audit record */ 2507 if (fad->fad_aupath != NULL) { 2508 au_uwrite(au_to_path(fad->fad_aupath)); 2509 } 2510 audit_attributes(fp->f_vnode); 2511 2512 releasef(fd); 2513 } 2514 2515 2516 au_uwrite(au_to_arg32(4, "pri", pri)); 2517 au_uwrite(au_to_arg32(5, "flags", flags)); 2518 } 2519 2520 /*ARGSUSED*/ 2521 static void 2522 aus_getmsg(struct t_audit_data *tad) 2523 { 2524 klwp_t *clwp = ttolwp(curthread); 2525 uint32_t fd, pri; 2526 struct file *fp; 2527 struct f_audit_data *fad; 2528 2529 struct a { 2530 long fdes; 2531 long ctl; /* struct strbuf * */ 2532 long data; /* struct strbuf * */ 2533 long pri; 2534 } *uap = (struct a *)clwp->lwp_ap; 2535 2536 fd = (uint32_t)uap->fdes; 2537 pri = (uint32_t)uap->pri; 2538 2539 au_uwrite(au_to_arg32(1, "fd", fd)); 2540 2541 if ((fp = getf(fd)) != NULL) { 2542 fad = F2A(fp); 2543 2544 /* 2545 * read operation on this object 2546 */ 2547 fad->fad_flags |= FAD_READ; 2548 2549 /* add path name to audit record */ 2550 if (fad->fad_aupath != NULL) { 2551 au_uwrite(au_to_path(fad->fad_aupath)); 2552 } 2553 audit_attributes(fp->f_vnode); 2554 2555 releasef(fd); 2556 } 2557 2558 au_uwrite(au_to_arg32(4, "pri", pri)); 2559 } 2560 2561 /*ARGSUSED*/ 2562 static void 2563 aus_getpmsg(struct t_audit_data *tad) 2564 { 2565 klwp_t *clwp = ttolwp(curthread); 2566 uint32_t fd; 2567 struct file *fp; 2568 struct f_audit_data *fad; 2569 2570 struct a { 2571 long fdes; 2572 long ctl; /* struct strbuf * */ 2573 long data; /* struct strbuf * */ 2574 long pri; 2575 long flags; 2576 } *uap = (struct a *)clwp->lwp_ap; 2577 2578 fd = (uint32_t)uap->fdes; 2579 2580 au_uwrite(au_to_arg32(1, "fd", fd)); 2581 2582 if ((fp = getf(fd)) != NULL) { 2583 fad = F2A(fp); 2584 2585 /* 2586 * read operation on this object 2587 */ 2588 fad->fad_flags |= FAD_READ; 2589 2590 /* add path name to audit record */ 2591 if (fad->fad_aupath != NULL) { 2592 au_uwrite(au_to_path(fad->fad_aupath)); 2593 } 2594 audit_attributes(fp->f_vnode); 2595 2596 releasef(fd); 2597 } 2598 } 2599 2600 static au_event_t 2601 aui_auditsys(au_event_t e) 2602 { 2603 klwp_t *clwp = ttolwp(curthread); 2604 uint32_t code; 2605 2606 struct a { 2607 long code; 2608 long a1; 2609 long a2; 2610 long a3; 2611 long a4; 2612 long a5; 2613 long a6; 2614 long a7; 2615 } *uap = (struct a *)clwp->lwp_ap; 2616 2617 code = (uint32_t)uap->code; 2618 2619 switch (code) { 2620 2621 case BSM_GETAUID: 2622 e = AUE_GETAUID; 2623 break; 2624 case BSM_SETAUID: 2625 e = AUE_SETAUID; 2626 break; 2627 case BSM_GETAUDIT: 2628 e = AUE_GETAUDIT; 2629 break; 2630 case BSM_GETAUDIT_ADDR: 2631 e = AUE_GETAUDIT_ADDR; 2632 break; 2633 case BSM_SETAUDIT: 2634 e = AUE_SETAUDIT; 2635 break; 2636 case BSM_SETAUDIT_ADDR: 2637 e = AUE_SETAUDIT_ADDR; 2638 break; 2639 case BSM_AUDIT: 2640 e = AUE_AUDIT; 2641 break; 2642 case BSM_GETPORTAUDIT: 2643 e = AUE_GETPORTAUDIT; 2644 break; 2645 case BSM_AUDITON: 2646 case BSM_AUDITCTL: 2647 2648 switch ((uint_t)uap->a1) { 2649 2650 case A_GETPOLICY: 2651 e = AUE_AUDITON_GPOLICY; 2652 break; 2653 case A_SETPOLICY: 2654 e = AUE_AUDITON_SPOLICY; 2655 break; 2656 case A_GETKMASK: 2657 e = AUE_AUDITON_GETKMASK; 2658 break; 2659 case A_SETKMASK: 2660 e = AUE_AUDITON_SETKMASK; 2661 break; 2662 case A_GETQCTRL: 2663 e = AUE_AUDITON_GQCTRL; 2664 break; 2665 case A_SETQCTRL: 2666 e = AUE_AUDITON_SQCTRL; 2667 break; 2668 case A_GETCWD: 2669 e = AUE_AUDITON_GETCWD; 2670 break; 2671 case A_GETCAR: 2672 e = AUE_AUDITON_GETCAR; 2673 break; 2674 case A_GETSTAT: 2675 e = AUE_AUDITON_GETSTAT; 2676 break; 2677 case A_SETSTAT: 2678 e = AUE_AUDITON_SETSTAT; 2679 break; 2680 case A_SETUMASK: 2681 e = AUE_AUDITON_SETUMASK; 2682 break; 2683 case A_SETSMASK: 2684 e = AUE_AUDITON_SETSMASK; 2685 break; 2686 case A_GETCOND: 2687 e = AUE_AUDITON_GETCOND; 2688 break; 2689 case A_SETCOND: 2690 e = AUE_AUDITON_SETCOND; 2691 break; 2692 case A_GETCLASS: 2693 e = AUE_AUDITON_GETCLASS; 2694 break; 2695 case A_SETCLASS: 2696 e = AUE_AUDITON_SETCLASS; 2697 break; 2698 default: 2699 e = AUE_NULL; 2700 break; 2701 } 2702 break; 2703 default: 2704 e = AUE_NULL; 2705 break; 2706 } 2707 2708 return (e); 2709 2710 2711 2712 2713 } /* AUI_AUDITSYS */ 2714 2715 2716 2717 2718 2719 2720 2721 static void 2722 aus_auditsys(struct t_audit_data *tad) 2723 { 2724 klwp_t *clwp = ttolwp(curthread); 2725 uintptr_t a1, a2; 2726 STRUCT_DECL(auditinfo, ainfo); 2727 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2728 au_evclass_map_t event; 2729 au_mask_t mask; 2730 int auditstate, policy; 2731 au_id_t auid; 2732 2733 2734 struct a { 2735 long code; 2736 long a1; 2737 long a2; 2738 long a3; 2739 long a4; 2740 long a5; 2741 long a6; 2742 long a7; 2743 } *uap = (struct a *)clwp->lwp_ap; 2744 2745 a1 = (uintptr_t)uap->a1; 2746 a2 = (uintptr_t)uap->a2; 2747 2748 switch (tad->tad_event) { 2749 case AUE_SETAUID: 2750 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2751 return; 2752 au_uwrite(au_to_arg32(2, "setauid", auid)); 2753 break; 2754 case AUE_SETAUDIT: 2755 STRUCT_INIT(ainfo, get_udatamodel()); 2756 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2757 STRUCT_SIZE(ainfo))) { 2758 return; 2759 } 2760 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2761 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2762 #ifdef _LP64 2763 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2764 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2765 #else 2766 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2767 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2768 #endif 2769 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2770 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2771 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2772 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2773 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2774 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2775 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2776 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2777 break; 2778 case AUE_SETAUDIT_ADDR: 2779 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2780 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2781 STRUCT_SIZE(ainfo_addr))) { 2782 return; 2783 } 2784 au_uwrite(au_to_arg32((char)1, "auid", 2785 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2786 #ifdef _LP64 2787 au_uwrite(au_to_arg64((char)1, "port", 2788 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2789 #else 2790 au_uwrite(au_to_arg32((char)1, "port", 2791 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2792 #endif 2793 au_uwrite(au_to_arg32((char)1, "type", 2794 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2795 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2796 AU_IPv4) { 2797 au_uwrite(au_to_in_addr( 2798 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2799 ai_termid.at_addr))); 2800 } else { 2801 au_uwrite(au_to_in_addr_ex( 2802 (int32_t *)STRUCT_FGETP(ainfo_addr, 2803 ai_termid.at_addr))); 2804 } 2805 au_uwrite(au_to_arg32((char)1, "as_success", 2806 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2807 au_uwrite(au_to_arg32((char)1, "as_failure", 2808 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2809 au_uwrite(au_to_arg32((char)1, "asid", 2810 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2811 break; 2812 case AUE_AUDITON_SETKMASK: 2813 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2814 return; 2815 au_uwrite(au_to_arg32( 2816 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2817 au_uwrite(au_to_arg32( 2818 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2819 break; 2820 case AUE_AUDITON_SPOLICY: 2821 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2822 return; 2823 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2824 break; 2825 case AUE_AUDITON_SQCTRL: { 2826 STRUCT_DECL(au_qctrl, qctrl); 2827 model_t model; 2828 2829 model = get_udatamodel(); 2830 STRUCT_INIT(qctrl, model); 2831 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2832 return; 2833 if (model == DATAMODEL_ILP32) { 2834 au_uwrite(au_to_arg32( 2835 3, "setqctrl:aq_hiwater", 2836 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2837 au_uwrite(au_to_arg32( 2838 3, "setqctrl:aq_lowater", 2839 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2840 au_uwrite(au_to_arg32( 2841 3, "setqctrl:aq_bufsz", 2842 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2843 au_uwrite(au_to_arg32( 2844 3, "setqctrl:aq_delay", 2845 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2846 } else { 2847 au_uwrite(au_to_arg64( 2848 3, "setqctrl:aq_hiwater", 2849 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2850 au_uwrite(au_to_arg64( 2851 3, "setqctrl:aq_lowater", 2852 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2853 au_uwrite(au_to_arg64( 2854 3, "setqctrl:aq_bufsz", 2855 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2856 au_uwrite(au_to_arg64( 2857 3, "setqctrl:aq_delay", 2858 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2859 } 2860 break; 2861 } 2862 case AUE_AUDITON_SETUMASK: 2863 STRUCT_INIT(ainfo, get_udatamodel()); 2864 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2865 STRUCT_SIZE(ainfo))) { 2866 return; 2867 } 2868 au_uwrite(au_to_arg32(3, "setumask:as_success", 2869 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2870 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2871 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2872 break; 2873 case AUE_AUDITON_SETSMASK: 2874 STRUCT_INIT(ainfo, get_udatamodel()); 2875 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2876 STRUCT_SIZE(ainfo))) { 2877 return; 2878 } 2879 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2880 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2881 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2882 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2883 break; 2884 case AUE_AUDITON_SETCOND: 2885 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2886 return; 2887 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2888 break; 2889 case AUE_AUDITON_SETCLASS: 2890 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2891 return; 2892 au_uwrite(au_to_arg32( 2893 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2894 au_uwrite(au_to_arg32( 2895 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2896 break; 2897 case AUE_GETAUID: 2898 case AUE_GETAUDIT: 2899 case AUE_GETAUDIT_ADDR: 2900 case AUE_AUDIT: 2901 case AUE_GETPORTAUDIT: 2902 case AUE_AUDITON_GPOLICY: 2903 case AUE_AUDITON_GQCTRL: 2904 case AUE_AUDITON_GETKMASK: 2905 case AUE_AUDITON_GETCWD: 2906 case AUE_AUDITON_GETCAR: 2907 case AUE_AUDITON_GETSTAT: 2908 case AUE_AUDITON_SETSTAT: 2909 case AUE_AUDITON_GETCOND: 2910 case AUE_AUDITON_GETCLASS: 2911 break; 2912 default: 2913 break; 2914 } 2915 2916 } /* AUS_AUDITSYS */ 2917 2918 2919 /* only audit privileged operations for systeminfo(2) system call */ 2920 static au_event_t 2921 aui_sysinfo(au_event_t e) 2922 { 2923 klwp_t *clwp = ttolwp(curthread); 2924 uint32_t command; 2925 2926 struct a { 2927 long command; 2928 long buf; /* char * */ 2929 long count; 2930 } *uap = (struct a *)clwp->lwp_ap; 2931 2932 command = (uint32_t)uap->command; 2933 2934 switch (command) { 2935 case SI_SET_HOSTNAME: 2936 case SI_SET_SRPC_DOMAIN: 2937 e = (au_event_t)AUE_SYSINFO; 2938 break; 2939 default: 2940 e = (au_event_t)AUE_NULL; 2941 break; 2942 } 2943 return (e); 2944 } 2945 2946 /*ARGSUSED*/ 2947 static void 2948 aus_sysinfo(struct t_audit_data *tad) 2949 { 2950 klwp_t *clwp = ttolwp(curthread); 2951 uint32_t command; 2952 size_t len, maxlen; 2953 char *name; 2954 uintptr_t buf; 2955 2956 struct a { 2957 long command; 2958 long buf; /* char * */ 2959 long count; 2960 } *uap = (struct a *)clwp->lwp_ap; 2961 2962 command = (uint32_t)uap->command; 2963 buf = (uintptr_t)uap->buf; 2964 2965 au_uwrite(au_to_arg32(1, "cmd", command)); 2966 2967 switch (command) { 2968 case SI_SET_HOSTNAME: 2969 { 2970 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2971 return; 2972 2973 maxlen = SYS_NMLN; 2974 name = kmem_alloc(maxlen, KM_SLEEP); 2975 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 2976 break; 2977 2978 /* 2979 * Must be non-NULL string and string 2980 * must be less than SYS_NMLN chars. 2981 */ 2982 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 2983 break; 2984 2985 au_uwrite(au_to_text(name)); 2986 break; 2987 } 2988 2989 case SI_SET_SRPC_DOMAIN: 2990 { 2991 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2992 return; 2993 2994 maxlen = SYS_NMLN; 2995 name = kmem_alloc(maxlen, KM_SLEEP); 2996 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 2997 break; 2998 2999 /* 3000 * If string passed in is longer than length 3001 * allowed for domain name, fail. 3002 */ 3003 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3004 break; 3005 3006 au_uwrite(au_to_text(name)); 3007 break; 3008 } 3009 3010 default: 3011 return; 3012 } 3013 3014 kmem_free(name, maxlen); 3015 } 3016 3017 static au_event_t 3018 aui_modctl(au_event_t e) 3019 { 3020 klwp_t *clwp = ttolwp(curthread); 3021 uint_t cmd; 3022 3023 struct a { 3024 long cmd; 3025 } *uap = (struct a *)clwp->lwp_ap; 3026 3027 cmd = (uint_t)uap->cmd; 3028 3029 switch (cmd) { 3030 case MODLOAD: 3031 e = AUE_MODLOAD; 3032 break; 3033 case MODUNLOAD: 3034 e = AUE_MODUNLOAD; 3035 break; 3036 case MODADDMAJBIND: 3037 e = AUE_MODADDMAJ; 3038 break; 3039 case MODSETDEVPOLICY: 3040 e = AUE_MODDEVPLCY; 3041 break; 3042 case MODALLOCPRIV: 3043 e = AUE_MODADDPRIV; 3044 break; 3045 default: 3046 e = AUE_NULL; 3047 break; 3048 } 3049 return (e); 3050 } 3051 3052 3053 /*ARGSUSED*/ 3054 static void 3055 aus_modctl(struct t_audit_data *tad) 3056 { 3057 klwp_t *clwp = ttolwp(curthread); 3058 void *a = clwp->lwp_ap; 3059 uint_t use_path; 3060 3061 switch (tad->tad_event) { 3062 case AUE_MODLOAD: { 3063 typedef struct { 3064 long cmd; 3065 long use_path; 3066 long filename; /* char * */ 3067 } modloada_t; 3068 3069 char *filenamep; 3070 uintptr_t fname; 3071 extern char *default_path; 3072 3073 fname = (uintptr_t)((modloada_t *)a)->filename; 3074 use_path = (uint_t)((modloada_t *)a)->use_path; 3075 3076 /* space to hold path */ 3077 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3078 /* get string */ 3079 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3080 /* free allocated path */ 3081 kmem_free(filenamep, MOD_MAXPATH); 3082 return; 3083 } 3084 /* ensure it's null terminated */ 3085 filenamep[MOD_MAXPATH - 1] = 0; 3086 3087 if (use_path) 3088 au_uwrite(au_to_text(default_path)); 3089 au_uwrite(au_to_text(filenamep)); 3090 3091 /* release temporary memory */ 3092 kmem_free(filenamep, MOD_MAXPATH); 3093 break; 3094 } 3095 case AUE_MODUNLOAD: { 3096 typedef struct { 3097 long cmd; 3098 long id; 3099 } modunloada_t; 3100 3101 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3102 3103 au_uwrite(au_to_arg32(1, "id", id)); 3104 break; 3105 } 3106 case AUE_MODADDMAJ: { 3107 STRUCT_DECL(modconfig, mc); 3108 typedef struct { 3109 long cmd; 3110 long subcmd; 3111 long data; /* int * */ 3112 } modconfiga_t; 3113 3114 STRUCT_DECL(aliases, alias); 3115 caddr_t ap; 3116 int i, num_aliases; 3117 char *drvname, *mc_drvname; 3118 char *name; 3119 extern char *ddi_major_to_name(major_t); 3120 model_t model; 3121 3122 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3123 3124 model = get_udatamodel(); 3125 STRUCT_INIT(mc, model); 3126 /* sanitize buffer */ 3127 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3128 /* get user arguments */ 3129 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3130 STRUCT_SIZE(mc)) != 0) 3131 return; 3132 3133 mc_drvname = STRUCT_FGET(mc, drvname); 3134 if ((drvname = ddi_major_to_name( 3135 (major_t)STRUCT_FGET(mc, major))) != NULL && 3136 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3137 /* safety */ 3138 if (mc_drvname[0] != '\0') { 3139 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3140 au_uwrite(au_to_text(mc_drvname)); 3141 } 3142 /* drvname != NULL from test above */ 3143 au_uwrite(au_to_text(drvname)); 3144 return; 3145 } 3146 3147 if (mc_drvname[0] != '\0') { 3148 /* safety */ 3149 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3150 au_uwrite(au_to_text(mc_drvname)); 3151 } else 3152 au_uwrite(au_to_text("no drvname")); 3153 3154 num_aliases = STRUCT_FGET(mc, num_aliases); 3155 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3156 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3157 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3158 STRUCT_INIT(alias, model); 3159 for (i = 0; i < num_aliases; i++) { 3160 bzero((caddr_t)STRUCT_BUF(alias), 3161 STRUCT_SIZE(alias)); 3162 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3163 STRUCT_SIZE(alias)) != 0) 3164 break; 3165 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3166 MAXMODCONFNAME, NULL) != 0) { 3167 break; 3168 } 3169 3170 au_uwrite(au_to_text(name)); 3171 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3172 } 3173 kmem_free(name, MAXMODCONFNAME); 3174 break; 3175 } 3176 default: 3177 break; 3178 } 3179 } 3180 3181 3182 /*ARGSUSED*/ 3183 static void 3184 auf_accept( 3185 struct t_audit_data *tad, 3186 int error, 3187 rval_t *rval) 3188 { 3189 uint32_t scid; 3190 uint32_t sy_flags; 3191 int fd; 3192 struct sonode *so; 3193 char so_laddr[sizeof (struct sockaddr_in6)]; 3194 char so_faddr[sizeof (struct sockaddr_in6)]; 3195 int err; 3196 int len; 3197 short so_family, so_type; 3198 int add_sock_token = 0; 3199 3200 /* need to determine type of executing binary */ 3201 scid = tad->tad_scid; 3202 #ifdef _SYSCALL32_IMPL 3203 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3204 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3205 else 3206 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3207 #else 3208 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3209 #endif 3210 if (sy_flags == SE_32RVAL1) 3211 fd = rval->r_val1; 3212 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3213 fd = rval->r_val1; 3214 if (sy_flags == SE_64RVAL) 3215 fd = (int)rval->r_vals; 3216 3217 if (error) { 3218 /* can't trust socket contents. Just return */ 3219 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3220 return; 3221 } 3222 3223 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3224 /* 3225 * not security relevant if doing a accept from non socket 3226 * so no extra tokens. Should probably turn off audit record 3227 * generation here. 3228 */ 3229 return; 3230 } 3231 3232 so_family = so->so_family; 3233 so_type = so->so_type; 3234 3235 switch (so_family) { 3236 case AF_INET: 3237 case AF_INET6: 3238 /* 3239 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3240 */ 3241 if (so->so_type == SOCK_STREAM) { 3242 3243 bzero((void *)so_laddr, sizeof (so_laddr)); 3244 bzero((void *)so_faddr, sizeof (so_faddr)); 3245 3246 /* 3247 * no local address then need to get it from lower 3248 * levels. only put out record on first read ala 3249 * AUE_WRITE. 3250 */ 3251 if (so->so_state & SS_ISBOUND) { 3252 /* only done once on a connection */ 3253 (void) SOP_GETSOCKNAME(so); 3254 (void) SOP_GETPEERNAME(so); 3255 3256 /* get local and foreign addresses */ 3257 mutex_enter(&so->so_lock); 3258 len = min(so->so_laddr_len, sizeof (so_laddr)); 3259 bcopy(so->so_laddr_sa, so_laddr, len); 3260 len = min(so->so_faddr_len, sizeof (so_faddr)); 3261 bcopy(so->so_faddr_sa, so_faddr, len); 3262 mutex_exit(&so->so_lock); 3263 } 3264 3265 add_sock_token = 1; 3266 } 3267 break; 3268 3269 default: 3270 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3271 break; 3272 } 3273 3274 releasef(fd); 3275 3276 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3277 3278 if (add_sock_token == 0) { 3279 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3280 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3281 return; 3282 } 3283 3284 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3285 3286 } 3287 3288 /*ARGSUSED*/ 3289 static void 3290 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3291 { 3292 struct a { 3293 long fd; 3294 long addr; 3295 long len; 3296 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3297 3298 struct sonode *so; 3299 char so_laddr[sizeof (struct sockaddr_in6)]; 3300 char so_faddr[sizeof (struct sockaddr_in6)]; 3301 int err, fd; 3302 int len; 3303 short so_family, so_type; 3304 int add_sock_token = 0; 3305 3306 fd = (int)uap->fd; 3307 3308 /* 3309 * bind failed, then nothing extra to add to audit record. 3310 */ 3311 if (error) { 3312 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3313 /* XXX may want to add failed address some day */ 3314 return; 3315 } 3316 3317 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3318 /* 3319 * not security relevant if doing a bind from non socket 3320 * so no extra tokens. Should probably turn off audit record 3321 * generation here. 3322 */ 3323 return; 3324 } 3325 3326 so_family = so->so_family; 3327 so_type = so->so_type; 3328 3329 switch (so_family) { 3330 case AF_INET: 3331 case AF_INET6: 3332 3333 bzero(so_faddr, sizeof (so_faddr)); 3334 3335 if (so->so_state & SS_ISBOUND) { 3336 /* only done once on a connection */ 3337 (void) SOP_GETSOCKNAME(so); 3338 } 3339 3340 mutex_enter(&so->so_lock); 3341 len = min(so->so_laddr_len, sizeof (so_laddr)); 3342 bcopy(so->so_laddr_sa, so_laddr, len); 3343 mutex_exit(&so->so_lock); 3344 3345 add_sock_token = 1; 3346 3347 break; 3348 3349 case AF_UNIX: 3350 /* token added by lookup */ 3351 break; 3352 default: 3353 /* AF_ROUTE, AF_KEY do not support accept */ 3354 break; 3355 } 3356 3357 releasef(fd); 3358 3359 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3360 3361 if (add_sock_token == 0) { 3362 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3363 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3364 return; 3365 } 3366 3367 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3368 3369 } 3370 3371 /*ARGSUSED*/ 3372 static void 3373 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3374 { 3375 struct a { 3376 long fd; 3377 long addr; 3378 long len; 3379 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3380 3381 struct sonode *so; 3382 char so_laddr[sizeof (struct sockaddr_in6)]; 3383 char so_faddr[sizeof (struct sockaddr_in6)]; 3384 int err, fd; 3385 int len; 3386 short so_family, so_type; 3387 int add_sock_token = 0; 3388 3389 fd = (int)uap->fd; 3390 3391 3392 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3393 /* 3394 * not security relevant if doing a connect from non socket 3395 * so no extra tokens. Should probably turn off audit record 3396 * generation here. 3397 */ 3398 return; 3399 } 3400 3401 so_family = so->so_family; 3402 so_type = so->so_type; 3403 3404 switch (so_family) { 3405 case AF_INET: 3406 case AF_INET6: 3407 /* 3408 * no local address then need to get it from lower 3409 * levels. 3410 */ 3411 if (so->so_state & SS_ISBOUND) { 3412 /* only done once on a connection */ 3413 (void) SOP_GETSOCKNAME(so); 3414 (void) SOP_GETPEERNAME(so); 3415 } 3416 3417 bzero(so_laddr, sizeof (so_laddr)); 3418 bzero(so_faddr, sizeof (so_faddr)); 3419 3420 mutex_enter(&so->so_lock); 3421 len = min(so->so_laddr_len, sizeof (so_laddr)); 3422 bcopy(so->so_laddr_sa, so_laddr, len); 3423 if (error) { 3424 mutex_exit(&so->so_lock); 3425 if (uap->addr == NULL) 3426 break; 3427 if (uap->len <= 0) 3428 break; 3429 len = min(uap->len, sizeof (so_faddr)); 3430 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3431 break; 3432 #ifdef NOTYET 3433 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3434 #endif 3435 } else { 3436 /* sanity check on length */ 3437 len = min(so->so_faddr_len, sizeof (so_faddr)); 3438 bcopy(so->so_faddr_sa, so_faddr, len); 3439 mutex_exit(&so->so_lock); 3440 } 3441 3442 add_sock_token = 1; 3443 3444 break; 3445 3446 case AF_UNIX: 3447 /* does a lookup on name */ 3448 break; 3449 3450 default: 3451 /* AF_ROUTE, AF_KEY do not support accept */ 3452 break; 3453 } 3454 3455 releasef(fd); 3456 3457 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3458 3459 if (add_sock_token == 0) { 3460 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3461 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3462 return; 3463 } 3464 3465 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3466 3467 } 3468 3469 /*ARGSUSED*/ 3470 static void 3471 aus_shutdown(struct t_audit_data *tad) 3472 { 3473 struct a { 3474 long fd; 3475 long how; 3476 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3477 3478 struct sonode *so; 3479 char so_laddr[sizeof (struct sockaddr_in6)]; 3480 char so_faddr[sizeof (struct sockaddr_in6)]; 3481 int err, fd; 3482 int len; 3483 short so_family, so_type; 3484 int add_sock_token = 0; 3485 file_t *fp; /* unix domain sockets */ 3486 struct f_audit_data *fad; /* unix domain sockets */ 3487 3488 fd = (int)uap->fd; 3489 3490 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3491 /* 3492 * not security relevant if doing a shutdown using non socket 3493 * so no extra tokens. Should probably turn off audit record 3494 * generation here. 3495 */ 3496 return; 3497 } 3498 3499 so_family = so->so_family; 3500 so_type = so->so_type; 3501 3502 switch (so_family) { 3503 case AF_INET: 3504 case AF_INET6: 3505 3506 bzero(so_laddr, sizeof (so_laddr)); 3507 bzero(so_faddr, sizeof (so_faddr)); 3508 3509 if (so->so_state & SS_ISBOUND) { 3510 /* 3511 * no local address then need to get it from lower 3512 * levels. 3513 */ 3514 if (so->so_laddr_len == 0) 3515 (void) SOP_GETSOCKNAME(so); 3516 if (so->so_faddr_len == 0) 3517 (void) SOP_GETPEERNAME(so); 3518 } 3519 3520 mutex_enter(&so->so_lock); 3521 len = min(so->so_laddr_len, sizeof (so_laddr)); 3522 bcopy(so->so_laddr_sa, so_laddr, len); 3523 len = min(so->so_faddr_len, sizeof (so_faddr)); 3524 bcopy(so->so_faddr_sa, so_faddr, len); 3525 mutex_exit(&so->so_lock); 3526 3527 add_sock_token = 1; 3528 3529 break; 3530 3531 case AF_UNIX: 3532 3533 /* get path from file struct here */ 3534 fad = F2A(fp); 3535 ASSERT(fad); 3536 3537 if (fad->fad_aupath != NULL) { 3538 au_uwrite(au_to_path(fad->fad_aupath)); 3539 } else { 3540 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3541 } 3542 3543 audit_attributes(fp->f_vnode); 3544 3545 break; 3546 3547 default: 3548 /* 3549 * AF_KEY and AF_ROUTE support shutdown. No socket token 3550 * added. 3551 */ 3552 break; 3553 } 3554 3555 releasef(fd); 3556 3557 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3558 3559 if (add_sock_token == 0) { 3560 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3561 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3562 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3563 return; 3564 } 3565 3566 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3567 3568 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3569 3570 } 3571 3572 /*ARGSUSED*/ 3573 static void 3574 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3575 { 3576 struct a { 3577 long fd; 3578 long level; 3579 long optname; 3580 long *optval; 3581 long optlen; 3582 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3583 3584 struct sonode *so; 3585 char so_laddr[sizeof (struct sockaddr_in6)]; 3586 char so_faddr[sizeof (struct sockaddr_in6)]; 3587 char val[AU_BUFSIZE]; 3588 int err, fd; 3589 int len; 3590 short so_family, so_type; 3591 int add_sock_token = 0; 3592 file_t *fp; /* unix domain sockets */ 3593 struct f_audit_data *fad; /* unix domain sockets */ 3594 3595 fd = (int)uap->fd; 3596 3597 if (error) { 3598 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3599 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3600 /* XXX may want to include other arguments */ 3601 return; 3602 } 3603 3604 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3605 /* 3606 * not security relevant if doing a setsockopt from non socket 3607 * so no extra tokens. Should probably turn off audit record 3608 * generation here. 3609 */ 3610 return; 3611 } 3612 3613 so_family = so->so_family; 3614 so_type = so->so_type; 3615 3616 switch (so_family) { 3617 case AF_INET: 3618 case AF_INET6: 3619 3620 bzero((void *)so_laddr, sizeof (so_laddr)); 3621 bzero((void *)so_faddr, sizeof (so_faddr)); 3622 3623 if (so->so_state & SS_ISBOUND) { 3624 if (so->so_laddr_len == 0) 3625 (void) SOP_GETSOCKNAME(so); 3626 if (so->so_faddr_len == 0) 3627 (void) SOP_GETPEERNAME(so); 3628 } 3629 3630 /* get local and foreign addresses */ 3631 mutex_enter(&so->so_lock); 3632 len = min(so->so_laddr_len, sizeof (so_laddr)); 3633 bcopy(so->so_laddr_sa, so_laddr, len); 3634 len = min(so->so_faddr_len, sizeof (so_faddr)); 3635 bcopy(so->so_faddr_sa, so_faddr, len); 3636 mutex_exit(&so->so_lock); 3637 3638 add_sock_token = 1; 3639 3640 break; 3641 3642 case AF_UNIX: 3643 3644 /* get path from file struct here */ 3645 fad = F2A(fp); 3646 ASSERT(fad); 3647 3648 if (fad->fad_aupath != NULL) { 3649 au_uwrite(au_to_path(fad->fad_aupath)); 3650 } else { 3651 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3652 } 3653 3654 audit_attributes(fp->f_vnode); 3655 3656 break; 3657 3658 default: 3659 /* 3660 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3661 * added. 3662 */ 3663 break; 3664 } 3665 3666 releasef(fd); 3667 3668 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3669 3670 if (add_sock_token == 0) { 3671 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3672 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3673 } 3674 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3675 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3676 3677 bzero(val, sizeof (val)); 3678 len = min(uap->optlen, sizeof (val)); 3679 if ((len > 0) && 3680 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3681 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3682 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3683 } 3684 3685 if (add_sock_token == 0) 3686 return; 3687 3688 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3689 3690 } 3691 3692 /*ARGSUSED*/ 3693 static void 3694 aus_sockconfig(tad) 3695 struct t_audit_data *tad; 3696 { 3697 struct a { 3698 long domain; 3699 long type; 3700 long protocol; 3701 long devpath; 3702 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3703 3704 char *kdevpath; 3705 int kdevpathlen = MAXPATHLEN + 1; 3706 size_t size; 3707 3708 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3709 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3710 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3711 3712 if (uap->devpath == 0) { 3713 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3714 } else { 3715 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3716 3717 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3718 &size)) { 3719 kmem_free(kdevpath, kdevpathlen); 3720 return; 3721 } 3722 3723 if (size > MAXPATHLEN) { 3724 kmem_free(kdevpath, kdevpathlen); 3725 return; 3726 } 3727 3728 au_uwrite(au_to_text(kdevpath)); 3729 kmem_free(kdevpath, kdevpathlen); 3730 } 3731 } 3732 3733 /* 3734 * only audit recvmsg when the system call represents the creation of a new 3735 * circuit. This effectively occurs for all UDP packets and may occur for 3736 * special TCP situations where the local host has not set a local address 3737 * in the socket structure. 3738 */ 3739 /*ARGSUSED*/ 3740 static void 3741 auf_recvmsg( 3742 struct t_audit_data *tad, 3743 int error, 3744 rval_t *rvp) 3745 { 3746 struct a { 3747 long fd; 3748 long msg; /* struct msghdr */ 3749 long flags; 3750 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3751 3752 struct sonode *so; 3753 STRUCT_DECL(msghdr, msg); 3754 caddr_t msg_name; 3755 socklen_t msg_namelen; 3756 int fd; 3757 int err; 3758 char so_laddr[sizeof (struct sockaddr_in6)]; 3759 char so_faddr[sizeof (struct sockaddr_in6)]; 3760 int len; 3761 file_t *fp; /* unix domain sockets */ 3762 struct f_audit_data *fad; /* unix domain sockets */ 3763 short so_family, so_type; 3764 int add_sock_token = 0; 3765 au_kcontext_t *kctx = GET_KCTX_PZ; 3766 3767 fd = (int)uap->fd; 3768 3769 /* bail if an error */ 3770 if (error) { 3771 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3772 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3773 return; 3774 } 3775 3776 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3777 /* 3778 * not security relevant if doing a recvmsg from non socket 3779 * so no extra tokens. Should probably turn off audit record 3780 * generation here. 3781 */ 3782 return; 3783 } 3784 3785 so_family = so->so_family; 3786 so_type = so->so_type; 3787 3788 /* 3789 * only putout SOCKET_EX token if INET/INET6 family. 3790 * XXX - what do we do about other families? 3791 */ 3792 3793 switch (so_family) { 3794 case AF_INET: 3795 case AF_INET6: 3796 3797 /* 3798 * if datagram type socket, then just use what is in 3799 * socket structure for local address. 3800 * XXX - what do we do for other types? 3801 */ 3802 if ((so->so_type == SOCK_DGRAM) || 3803 (so->so_type == SOCK_RAW)) { 3804 add_sock_token = 1; 3805 3806 bzero((void *)so_laddr, sizeof (so_laddr)); 3807 bzero((void *)so_faddr, sizeof (so_faddr)); 3808 3809 /* get local address */ 3810 mutex_enter(&so->so_lock); 3811 len = min(so->so_laddr_len, sizeof (so_laddr)); 3812 bcopy(so->so_laddr_sa, so_laddr, len); 3813 mutex_exit(&so->so_lock); 3814 3815 /* get peer address */ 3816 STRUCT_INIT(msg, get_udatamodel()); 3817 3818 if (copyin((caddr_t)(uap->msg), 3819 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3820 break; 3821 } 3822 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3823 if (msg_name == NULL) { 3824 break; 3825 } 3826 3827 /* length is value from recvmsg - sanity check */ 3828 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3829 if (msg_namelen == 0) { 3830 break; 3831 } 3832 if (copyin(msg_name, so_faddr, 3833 sizeof (so_faddr)) != 0) { 3834 break; 3835 } 3836 3837 } else if (so->so_type == SOCK_STREAM) { 3838 3839 /* get path from file struct here */ 3840 fad = F2A(fp); 3841 ASSERT(fad); 3842 3843 /* 3844 * already processed this file for read attempt 3845 */ 3846 if (fad->fad_flags & FAD_READ) { 3847 /* don't want to audit every recvmsg attempt */ 3848 tad->tad_flag = 0; 3849 /* free any residual audit data */ 3850 au_close(kctx, &(u_ad), 0, 0, 0); 3851 releasef(fd); 3852 return; 3853 } 3854 /* 3855 * mark things so we know what happened and don't 3856 * repeat things 3857 */ 3858 fad->fad_flags |= FAD_READ; 3859 3860 bzero((void *)so_laddr, sizeof (so_laddr)); 3861 bzero((void *)so_faddr, sizeof (so_faddr)); 3862 3863 if (so->so_state & SS_ISBOUND) { 3864 3865 if (so->so_laddr_len == 0) 3866 (void) SOP_GETSOCKNAME(so); 3867 if (so->so_faddr_len == 0) 3868 (void) SOP_GETPEERNAME(so); 3869 3870 /* get local and foreign addresses */ 3871 mutex_enter(&so->so_lock); 3872 len = min(so->so_laddr_len, sizeof (so_laddr)); 3873 bcopy(so->so_laddr_sa, so_laddr, len); 3874 len = min(so->so_faddr_len, sizeof (so_faddr)); 3875 bcopy(so->so_faddr_sa, so_faddr, len); 3876 mutex_exit(&so->so_lock); 3877 } 3878 3879 add_sock_token = 1; 3880 } 3881 3882 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3883 3884 break; 3885 3886 case AF_UNIX: 3887 /* 3888 * first check if this is first time through. Too much 3889 * duplicate code to put this in an aui_ routine. 3890 */ 3891 3892 /* get path from file struct here */ 3893 fad = F2A(fp); 3894 ASSERT(fad); 3895 3896 /* 3897 * already processed this file for read attempt 3898 */ 3899 if (fad->fad_flags & FAD_READ) { 3900 releasef(fd); 3901 /* don't want to audit every recvmsg attempt */ 3902 tad->tad_flag = 0; 3903 /* free any residual audit data */ 3904 au_close(kctx, &(u_ad), 0, 0, 0); 3905 return; 3906 } 3907 /* 3908 * mark things so we know what happened and don't 3909 * repeat things 3910 */ 3911 fad->fad_flags |= FAD_READ; 3912 3913 if (fad->fad_aupath != NULL) { 3914 au_uwrite(au_to_path(fad->fad_aupath)); 3915 } else { 3916 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3917 } 3918 3919 audit_attributes(fp->f_vnode); 3920 3921 releasef(fd); 3922 3923 return; 3924 3925 default: 3926 break; 3927 3928 } 3929 3930 releasef(fd); 3931 3932 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3933 3934 if (add_sock_token == 0) { 3935 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 3936 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 3937 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3938 return; 3939 } 3940 3941 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3942 3943 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3944 3945 } 3946 3947 /*ARGSUSED*/ 3948 static void 3949 auf_recvfrom( 3950 struct t_audit_data *tad, 3951 int error, 3952 rval_t *rvp) 3953 { 3954 3955 struct a { 3956 long fd; 3957 long msg; /* char */ 3958 long len; 3959 long flags; 3960 long from; /* struct sockaddr */ 3961 long fromlen; 3962 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3963 3964 socklen_t fromlen; 3965 struct sonode *so; 3966 char so_laddr[sizeof (struct sockaddr_in6)]; 3967 char so_faddr[sizeof (struct sockaddr_in6)]; 3968 int fd; 3969 short so_family, so_type; 3970 int add_sock_token = 0; 3971 int len; 3972 int err; 3973 struct file *fp; 3974 struct f_audit_data *fad; /* unix domain sockets */ 3975 au_kcontext_t *kctx = GET_KCTX_PZ; 3976 3977 fd = (int)uap->fd; 3978 3979 /* bail if an error */ 3980 if (error) { 3981 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3982 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3983 return; 3984 } 3985 3986 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3987 /* 3988 * not security relevant if doing a recvmsg from non socket 3989 * so no extra tokens. Should probably turn off audit record 3990 * generation here. 3991 */ 3992 return; 3993 } 3994 3995 so_family = so->so_family; 3996 so_type = so->so_type; 3997 3998 /* 3999 * only putout SOCKET_EX token if INET/INET6 family. 4000 * XXX - what do we do about other families? 4001 */ 4002 4003 switch (so_family) { 4004 case AF_INET: 4005 case AF_INET6: 4006 4007 /* 4008 * if datagram type socket, then just use what is in 4009 * socket structure for local address. 4010 * XXX - what do we do for other types? 4011 */ 4012 if ((so->so_type == SOCK_DGRAM) || 4013 (so->so_type == SOCK_RAW)) { 4014 add_sock_token = 1; 4015 4016 /* get local address */ 4017 mutex_enter(&so->so_lock); 4018 len = min(so->so_laddr_len, sizeof (so_laddr)); 4019 bcopy(so->so_laddr_sa, so_laddr, len); 4020 mutex_exit(&so->so_lock); 4021 4022 /* get peer address */ 4023 bzero((void *)so_faddr, sizeof (so_faddr)); 4024 4025 /* sanity check */ 4026 if (uap->from == NULL) 4027 break; 4028 4029 /* sanity checks */ 4030 if (uap->fromlen == 0) 4031 break; 4032 4033 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4034 sizeof (fromlen)) != 0) 4035 break; 4036 4037 if (fromlen == 0) 4038 break; 4039 4040 /* enforce maximum size */ 4041 if (fromlen > sizeof (so_faddr)) 4042 fromlen = sizeof (so_faddr); 4043 4044 if (copyin((caddr_t)(uap->from), so_faddr, 4045 fromlen) != 0) 4046 break; 4047 4048 } else if (so->so_type == SOCK_STREAM) { 4049 4050 /* get path from file struct here */ 4051 fad = F2A(fp); 4052 ASSERT(fad); 4053 4054 /* 4055 * already processed this file for read attempt 4056 */ 4057 if (fad->fad_flags & FAD_READ) { 4058 /* don't want to audit every recvfrom attempt */ 4059 tad->tad_flag = 0; 4060 /* free any residual audit data */ 4061 au_close(kctx, &(u_ad), 0, 0, 0); 4062 releasef(fd); 4063 return; 4064 } 4065 /* 4066 * mark things so we know what happened and don't 4067 * repeat things 4068 */ 4069 fad->fad_flags |= FAD_READ; 4070 4071 bzero((void *)so_laddr, sizeof (so_laddr)); 4072 bzero((void *)so_faddr, sizeof (so_faddr)); 4073 4074 if (so->so_state & SS_ISBOUND) { 4075 4076 if (so->so_laddr_len == 0) 4077 (void) SOP_GETSOCKNAME(so); 4078 if (so->so_faddr_len == 0) 4079 (void) SOP_GETPEERNAME(so); 4080 4081 /* get local and foreign addresses */ 4082 mutex_enter(&so->so_lock); 4083 len = min(so->so_laddr_len, sizeof (so_laddr)); 4084 bcopy(so->so_laddr_sa, so_laddr, len); 4085 len = min(so->so_faddr_len, sizeof (so_faddr)); 4086 bcopy(so->so_faddr_sa, so_faddr, len); 4087 mutex_exit(&so->so_lock); 4088 } 4089 4090 add_sock_token = 1; 4091 } 4092 4093 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4094 4095 break; 4096 4097 case AF_UNIX: 4098 /* 4099 * first check if this is first time through. Too much 4100 * duplicate code to put this in an aui_ routine. 4101 */ 4102 4103 /* get path from file struct here */ 4104 fad = F2A(fp); 4105 ASSERT(fad); 4106 4107 /* 4108 * already processed this file for read attempt 4109 */ 4110 if (fad->fad_flags & FAD_READ) { 4111 /* don't want to audit every recvfrom attempt */ 4112 tad->tad_flag = 0; 4113 /* free any residual audit data */ 4114 au_close(kctx, &(u_ad), 0, 0, 0); 4115 releasef(fd); 4116 return; 4117 } 4118 /* 4119 * mark things so we know what happened and don't 4120 * repeat things 4121 */ 4122 fad->fad_flags |= FAD_READ; 4123 4124 if (fad->fad_aupath != NULL) { 4125 au_uwrite(au_to_path(fad->fad_aupath)); 4126 } else { 4127 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4128 } 4129 4130 audit_attributes(fp->f_vnode); 4131 4132 releasef(fd); 4133 4134 return; 4135 4136 default: 4137 break; 4138 4139 } 4140 4141 releasef(fd); 4142 4143 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4144 4145 if (add_sock_token == 0) { 4146 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4147 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4148 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4149 return; 4150 } 4151 4152 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4153 4154 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4155 } 4156 4157 /*ARGSUSED*/ 4158 static void 4159 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4160 { 4161 struct a { 4162 long fd; 4163 long msg; /* struct msghdr */ 4164 long flags; 4165 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4166 4167 struct sonode *so; 4168 char so_laddr[sizeof (struct sockaddr_in6)]; 4169 char so_faddr[sizeof (struct sockaddr_in6)]; 4170 int err; 4171 int fd; 4172 short so_family, so_type; 4173 int add_sock_token = 0; 4174 int len; 4175 struct file *fp; 4176 struct f_audit_data *fad; 4177 caddr_t msg_name; 4178 socklen_t msg_namelen; 4179 STRUCT_DECL(msghdr, msg); 4180 au_kcontext_t *kctx = GET_KCTX_PZ; 4181 4182 fd = (int)uap->fd; 4183 4184 /* bail if an error */ 4185 if (error) { 4186 /* XXX include destination address from system call arguments */ 4187 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4188 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4189 return; 4190 } 4191 4192 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4193 /* 4194 * not security relevant if doing a sendmsg from non socket 4195 * so no extra tokens. Should probably turn off audit record 4196 * generation here. 4197 */ 4198 return; 4199 } 4200 4201 so_family = so->so_family; 4202 so_type = so->so_type; 4203 4204 switch (so_family) { 4205 case AF_INET: 4206 case AF_INET6: 4207 /* 4208 * if datagram type socket, then just use what is in 4209 * socket structure for local address. 4210 * XXX - what do we do for other types? 4211 */ 4212 if ((so->so_type == SOCK_DGRAM) || 4213 (so->so_type == SOCK_RAW)) { 4214 4215 bzero((void *)so_laddr, sizeof (so_laddr)); 4216 bzero((void *)so_faddr, sizeof (so_faddr)); 4217 4218 /* get local address */ 4219 mutex_enter(&so->so_lock); 4220 len = min(so->so_laddr_len, sizeof (so_laddr)); 4221 bcopy(so->so_laddr_sa, so_laddr, len); 4222 mutex_exit(&so->so_lock); 4223 4224 /* get peer address */ 4225 STRUCT_INIT(msg, get_udatamodel()); 4226 4227 if (copyin((caddr_t)(uap->msg), 4228 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4229 break; 4230 } 4231 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4232 if (msg_name == NULL) 4233 break; 4234 4235 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4236 /* length is value from recvmsg - sanity check */ 4237 if (msg_namelen == 0) 4238 break; 4239 4240 if (copyin(msg_name, so_faddr, 4241 sizeof (so_faddr)) != 0) 4242 break; 4243 4244 add_sock_token = 1; 4245 4246 } else if (so->so_type == SOCK_STREAM) { 4247 4248 /* get path from file struct here */ 4249 fad = F2A(fp); 4250 ASSERT(fad); 4251 4252 /* 4253 * already processed this file for write attempt 4254 */ 4255 if (fad->fad_flags & FAD_WRITE) { 4256 releasef(fd); 4257 /* don't want to audit every sendmsg attempt */ 4258 tad->tad_flag = 0; 4259 /* free any residual audit data */ 4260 au_close(kctx, &(u_ad), 0, 0, 0); 4261 return; 4262 } 4263 4264 /* 4265 * mark things so we know what happened and don't 4266 * repeat things 4267 */ 4268 fad->fad_flags |= FAD_WRITE; 4269 4270 bzero((void *)so_laddr, sizeof (so_laddr)); 4271 bzero((void *)so_faddr, sizeof (so_faddr)); 4272 4273 if (so->so_state & SS_ISBOUND) { 4274 4275 if (so->so_laddr_len == 0) 4276 (void) SOP_GETSOCKNAME(so); 4277 if (so->so_faddr_len == 0) 4278 (void) SOP_GETPEERNAME(so); 4279 4280 /* get local and foreign addresses */ 4281 mutex_enter(&so->so_lock); 4282 len = min(so->so_laddr_len, sizeof (so_laddr)); 4283 bcopy(so->so_laddr_sa, so_laddr, len); 4284 len = min(so->so_faddr_len, sizeof (so_faddr)); 4285 bcopy(so->so_faddr_sa, so_faddr, len); 4286 mutex_exit(&so->so_lock); 4287 } 4288 4289 add_sock_token = 1; 4290 } 4291 4292 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4293 4294 break; 4295 4296 case AF_UNIX: 4297 /* 4298 * first check if this is first time through. Too much 4299 * duplicate code to put this in an aui_ routine. 4300 */ 4301 4302 /* get path from file struct here */ 4303 fad = F2A(fp); 4304 ASSERT(fad); 4305 4306 /* 4307 * already processed this file for write attempt 4308 */ 4309 if (fad->fad_flags & FAD_WRITE) { 4310 releasef(fd); 4311 /* don't want to audit every sendmsg attempt */ 4312 tad->tad_flag = 0; 4313 /* free any residual audit data */ 4314 au_close(kctx, &(u_ad), 0, 0, 0); 4315 return; 4316 } 4317 /* 4318 * mark things so we know what happened and don't 4319 * repeat things 4320 */ 4321 fad->fad_flags |= FAD_WRITE; 4322 4323 if (fad->fad_aupath != NULL) { 4324 au_uwrite(au_to_path(fad->fad_aupath)); 4325 } else { 4326 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4327 } 4328 4329 audit_attributes(fp->f_vnode); 4330 4331 releasef(fd); 4332 4333 return; 4334 4335 default: 4336 break; 4337 } 4338 4339 releasef(fd); 4340 4341 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4342 4343 if (add_sock_token == 0) { 4344 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4345 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4346 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4347 return; 4348 } 4349 4350 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4351 4352 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4353 } 4354 4355 /*ARGSUSED*/ 4356 static void 4357 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4358 { 4359 struct a { 4360 long fd; 4361 long msg; /* char */ 4362 long len; 4363 long flags; 4364 long to; /* struct sockaddr */ 4365 long tolen; 4366 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4367 4368 struct sonode *so; 4369 char so_laddr[sizeof (struct sockaddr_in6)]; 4370 char so_faddr[sizeof (struct sockaddr_in6)]; 4371 socklen_t tolen; 4372 int err; 4373 int fd; 4374 int len; 4375 short so_family, so_type; 4376 int add_sock_token = 0; 4377 struct file *fp; 4378 struct f_audit_data *fad; 4379 au_kcontext_t *kctx = GET_KCTX_PZ; 4380 4381 fd = (int)uap->fd; 4382 4383 /* bail if an error */ 4384 if (error) { 4385 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4386 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4387 /* XXX include destination address from system call arguments */ 4388 return; 4389 } 4390 4391 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4392 /* 4393 * not security relevant if doing a sendto using non socket 4394 * so no extra tokens. Should probably turn off audit record 4395 * generation here. 4396 */ 4397 return; 4398 } 4399 4400 so_family = so->so_family; 4401 so_type = so->so_type; 4402 4403 /* 4404 * only putout SOCKET_EX token if INET/INET6 family. 4405 * XXX - what do we do about other families? 4406 */ 4407 4408 switch (so_family) { 4409 case AF_INET: 4410 case AF_INET6: 4411 4412 /* 4413 * if datagram type socket, then just use what is in 4414 * socket structure for local address. 4415 * XXX - what do we do for other types? 4416 */ 4417 if ((so->so_type == SOCK_DGRAM) || 4418 (so->so_type == SOCK_RAW)) { 4419 4420 bzero((void *)so_laddr, sizeof (so_laddr)); 4421 bzero((void *)so_faddr, sizeof (so_faddr)); 4422 4423 /* get local address */ 4424 mutex_enter(&so->so_lock); 4425 len = min(so->so_laddr_len, sizeof (so_laddr)); 4426 bcopy(so->so_laddr_sa, so_laddr, len); 4427 mutex_exit(&so->so_lock); 4428 4429 /* get peer address */ 4430 4431 /* sanity check */ 4432 if (uap->to == NULL) 4433 break; 4434 4435 /* sanity checks */ 4436 if (uap->tolen == 0) 4437 break; 4438 4439 tolen = (socklen_t)uap->tolen; 4440 4441 /* enforce maximum size */ 4442 if (tolen > sizeof (so_faddr)) 4443 tolen = sizeof (so_faddr); 4444 4445 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4446 break; 4447 4448 add_sock_token = 1; 4449 } else { 4450 /* 4451 * check if this is first time through. 4452 */ 4453 4454 /* get path from file struct here */ 4455 fad = F2A(fp); 4456 ASSERT(fad); 4457 4458 /* 4459 * already processed this file for write attempt 4460 */ 4461 if (fad->fad_flags & FAD_WRITE) { 4462 /* don't want to audit every sendto attempt */ 4463 tad->tad_flag = 0; 4464 /* free any residual audit data */ 4465 au_close(kctx, &(u_ad), 0, 0, 0); 4466 releasef(fd); 4467 return; 4468 } 4469 /* 4470 * mark things so we know what happened and don't 4471 * repeat things 4472 */ 4473 fad->fad_flags |= FAD_WRITE; 4474 4475 bzero((void *)so_laddr, sizeof (so_laddr)); 4476 bzero((void *)so_faddr, sizeof (so_faddr)); 4477 4478 if (so->so_state & SS_ISBOUND) { 4479 4480 if (so->so_laddr_len == 0) 4481 (void) SOP_GETSOCKNAME(so); 4482 if (so->so_faddr_len == 0) 4483 (void) SOP_GETPEERNAME(so); 4484 4485 /* get local and foreign addresses */ 4486 mutex_enter(&so->so_lock); 4487 len = min(so->so_laddr_len, sizeof (so_laddr)); 4488 bcopy(so->so_laddr_sa, so_laddr, len); 4489 len = min(so->so_faddr_len, sizeof (so_faddr)); 4490 bcopy(so->so_faddr_sa, so_faddr, len); 4491 mutex_exit(&so->so_lock); 4492 } 4493 4494 add_sock_token = 1; 4495 } 4496 4497 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4498 4499 break; 4500 4501 case AF_UNIX: 4502 /* 4503 * first check if this is first time through. Too much 4504 * duplicate code to put this in an aui_ routine. 4505 */ 4506 4507 /* get path from file struct here */ 4508 fad = F2A(fp); 4509 ASSERT(fad); 4510 4511 /* 4512 * already processed this file for write attempt 4513 */ 4514 if (fad->fad_flags & FAD_WRITE) { 4515 /* don't want to audit every sendto attempt */ 4516 tad->tad_flag = 0; 4517 /* free any residual audit data */ 4518 au_close(kctx, &(u_ad), 0, 0, 0); 4519 releasef(fd); 4520 return; 4521 } 4522 /* 4523 * mark things so we know what happened and don't 4524 * repeat things 4525 */ 4526 fad->fad_flags |= FAD_WRITE; 4527 4528 if (fad->fad_aupath != NULL) { 4529 au_uwrite(au_to_path(fad->fad_aupath)); 4530 } else { 4531 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4532 } 4533 4534 audit_attributes(fp->f_vnode); 4535 4536 releasef(fd); 4537 4538 return; 4539 4540 default: 4541 break; 4542 4543 } 4544 4545 releasef(fd); 4546 4547 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4548 4549 if (add_sock_token == 0) { 4550 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4551 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4552 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4553 return; 4554 } 4555 4556 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4557 4558 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4559 4560 } 4561 4562 /* 4563 * XXX socket(2) may be equivalent to open(2) on a unix domain 4564 * socket. This needs investigation. 4565 */ 4566 4567 /*ARGSUSED*/ 4568 static void 4569 aus_socket(struct t_audit_data *tad) 4570 { 4571 struct a { 4572 long domain; 4573 long type; 4574 long protocol; 4575 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4576 4577 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4578 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4579 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4580 } 4581 4582 /*ARGSUSED*/ 4583 static void 4584 aus_sigqueue(struct t_audit_data *tad) 4585 { 4586 struct a { 4587 long pid; 4588 long signo; 4589 long *val; 4590 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4591 struct proc *p; 4592 uid_t uid, ruid; 4593 gid_t gid, rgid; 4594 pid_t pid; 4595 const auditinfo_addr_t *ainfo; 4596 cred_t *cr; 4597 4598 pid = (pid_t)uap->pid; 4599 4600 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4601 if (pid > 0) { 4602 mutex_enter(&pidlock); 4603 if ((p = prfind(pid)) == (struct proc *)0) { 4604 mutex_exit(&pidlock); 4605 return; 4606 } 4607 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4608 mutex_exit(&pidlock); 4609 4610 mutex_enter(&p->p_crlock); 4611 crhold(cr = p->p_cred); 4612 mutex_exit(&p->p_crlock); 4613 mutex_exit(&p->p_lock); 4614 4615 ainfo = crgetauinfo(cr); 4616 if (ainfo == NULL) { 4617 crfree(cr); 4618 return; 4619 } 4620 4621 uid = crgetuid(cr); 4622 gid = crgetgid(cr); 4623 ruid = crgetruid(cr); 4624 rgid = crgetrgid(cr); 4625 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4626 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4627 crfree(cr); 4628 } 4629 else 4630 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4631 } 4632 4633 /*ARGSUSED*/ 4634 static void 4635 aus_inst_sync(struct t_audit_data *tad) 4636 { 4637 struct a { 4638 long name; /* char */ 4639 long flags; 4640 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4641 4642 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4643 } 4644 4645 /*ARGSUSED*/ 4646 static void 4647 aus_brandsys(struct t_audit_data *tad) 4648 { 4649 klwp_t *clwp = ttolwp(curthread); 4650 4651 struct a { 4652 long cmd; 4653 long arg1; 4654 long arg2; 4655 long arg3; 4656 long arg4; 4657 long arg5; 4658 long arg6; 4659 } *uap = (struct a *)clwp->lwp_ap; 4660 4661 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4662 #ifdef _LP64 4663 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4664 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4665 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4666 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4667 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4668 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4669 #else 4670 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4671 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4672 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4673 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4674 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4675 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4676 #endif 4677 } 4678 4679 /*ARGSUSED*/ 4680 static void 4681 aus_p_online(struct t_audit_data *tad) 4682 { 4683 struct a { 4684 long processor_id; 4685 long flag; 4686 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4687 4688 struct flags { 4689 int flag; 4690 char *cflag; 4691 } aflags[6] = { 4692 { P_ONLINE, "P_ONLINE"}, 4693 { P_OFFLINE, "P_OFFLINE"}, 4694 { P_NOINTR, "P_NOINTR"}, 4695 { P_SPARE, "P_SPARE"}, 4696 { P_FAULTED, "P_FAULTED"}, 4697 { P_STATUS, "P_STATUS"} 4698 }; 4699 int i; 4700 char *cflag; 4701 4702 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4703 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4704 4705 for (i = 0; i < 6; i++) { 4706 if (aflags[i].flag == uap->flag) 4707 break; 4708 } 4709 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4710 4711 au_uwrite(au_to_text(cflag)); 4712 } 4713 4714 /*ARGSUSED*/ 4715 static void 4716 aus_processor_bind(struct t_audit_data *tad) 4717 { 4718 struct a { 4719 long id_type; 4720 long id; 4721 long processor_id; 4722 long obind; 4723 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4724 4725 struct proc *p; 4726 int lwpcnt; 4727 uid_t uid, ruid; 4728 gid_t gid, rgid; 4729 pid_t pid; 4730 const auditinfo_addr_t *ainfo; 4731 cred_t *cr; 4732 4733 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4734 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4735 if (uap->processor_id == PBIND_NONE) 4736 au_uwrite(au_to_text("PBIND_NONE")); 4737 else 4738 au_uwrite(au_to_arg32(3, "processor_id", 4739 (uint32_t)uap->processor_id)); 4740 4741 switch (uap->id_type) { 4742 case P_MYID: 4743 case P_LWPID: 4744 mutex_enter(&pidlock); 4745 p = ttoproc(curthread); 4746 if (p == NULL || p->p_as == &kas) { 4747 mutex_exit(&pidlock); 4748 return; 4749 } 4750 mutex_enter(&p->p_lock); 4751 mutex_exit(&pidlock); 4752 lwpcnt = p->p_lwpcnt; 4753 pid = p->p_pid; 4754 4755 mutex_enter(&p->p_crlock); 4756 crhold(cr = p->p_cred); 4757 mutex_exit(&p->p_crlock); 4758 mutex_exit(&p->p_lock); 4759 4760 ainfo = crgetauinfo(cr); 4761 if (ainfo == NULL) { 4762 crfree(cr); 4763 return; 4764 } 4765 4766 uid = crgetuid(cr); 4767 gid = crgetgid(cr); 4768 ruid = crgetruid(cr); 4769 rgid = crgetrgid(cr); 4770 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4771 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4772 crfree(cr); 4773 break; 4774 case P_PID: 4775 mutex_enter(&pidlock); 4776 p = prfind(uap->id); 4777 if (p == NULL || p->p_as == &kas) { 4778 mutex_exit(&pidlock); 4779 return; 4780 } 4781 mutex_enter(&p->p_lock); 4782 mutex_exit(&pidlock); 4783 lwpcnt = p->p_lwpcnt; 4784 pid = p->p_pid; 4785 4786 mutex_enter(&p->p_crlock); 4787 crhold(cr = p->p_cred); 4788 mutex_exit(&p->p_crlock); 4789 mutex_exit(&p->p_lock); 4790 4791 ainfo = crgetauinfo(cr); 4792 if (ainfo == NULL) { 4793 crfree(cr); 4794 return; 4795 } 4796 4797 uid = crgetuid(cr); 4798 gid = crgetgid(cr); 4799 ruid = crgetruid(cr); 4800 rgid = crgetrgid(cr); 4801 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4802 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4803 crfree(cr); 4804 4805 break; 4806 default: 4807 return; 4808 } 4809 4810 if (uap->processor_id == PBIND_NONE && 4811 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4812 au_uwrite(au_to_text("PBIND_NONE for process")); 4813 else 4814 au_uwrite(au_to_arg32(3, "processor_id", 4815 (uint32_t)uap->processor_id)); 4816 } 4817 4818 /*ARGSUSED*/ 4819 static au_event_t 4820 aui_doorfs(au_event_t e) 4821 { 4822 uint32_t code; 4823 4824 struct a { /* doorfs */ 4825 long a1; 4826 long a2; 4827 long a3; 4828 long a4; 4829 long a5; 4830 long code; 4831 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4832 4833 /* 4834 * audit formats for several of the 4835 * door calls have not yet been determined 4836 */ 4837 code = (uint32_t)uap->code; 4838 switch (code) { 4839 case DOOR_CALL: 4840 e = AUE_DOORFS_DOOR_CALL; 4841 break; 4842 case DOOR_RETURN: 4843 e = AUE_NULL; 4844 break; 4845 case DOOR_CREATE: 4846 e = AUE_DOORFS_DOOR_CREATE; 4847 break; 4848 case DOOR_REVOKE: 4849 e = AUE_DOORFS_DOOR_REVOKE; 4850 break; 4851 case DOOR_INFO: 4852 e = AUE_NULL; 4853 break; 4854 case DOOR_UCRED: 4855 e = AUE_NULL; 4856 break; 4857 case DOOR_BIND: 4858 e = AUE_NULL; 4859 break; 4860 case DOOR_UNBIND: 4861 e = AUE_NULL; 4862 break; 4863 case DOOR_GETPARAM: 4864 e = AUE_NULL; 4865 break; 4866 case DOOR_SETPARAM: 4867 e = AUE_NULL; 4868 break; 4869 default: /* illegal system call */ 4870 e = AUE_NULL; 4871 break; 4872 } 4873 4874 return (e); 4875 } 4876 4877 static door_node_t * 4878 au_door_lookup(int did) 4879 { 4880 vnode_t *vp; 4881 file_t *fp; 4882 4883 if ((fp = getf(did)) == NULL) 4884 return (NULL); 4885 /* 4886 * Use the underlying vnode (we may be namefs mounted) 4887 */ 4888 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4889 vp = fp->f_vnode; 4890 4891 if (vp == NULL || vp->v_type != VDOOR) { 4892 releasef(did); 4893 return (NULL); 4894 } 4895 4896 return (VTOD(vp)); 4897 } 4898 4899 /*ARGSUSED*/ 4900 static void 4901 aus_doorfs(struct t_audit_data *tad) 4902 { 4903 4904 struct a { /* doorfs */ 4905 long a1; 4906 long a2; 4907 long a3; 4908 long a4; 4909 long a5; 4910 long code; 4911 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4912 4913 door_node_t *dp; 4914 struct proc *p; 4915 uint32_t did; 4916 uid_t uid, ruid; 4917 gid_t gid, rgid; 4918 pid_t pid; 4919 const auditinfo_addr_t *ainfo; 4920 cred_t *cr; 4921 4922 did = (uint32_t)uap->a1; 4923 4924 switch (tad->tad_event) { 4925 case AUE_DOORFS_DOOR_CALL: 4926 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4927 if ((dp = au_door_lookup(did)) == NULL) 4928 break; 4929 4930 if (DOOR_INVALID(dp)) { 4931 releasef(did); 4932 break; 4933 } 4934 4935 if ((p = dp->door_target) == NULL) { 4936 releasef(did); 4937 break; 4938 } 4939 mutex_enter(&p->p_lock); 4940 releasef(did); 4941 4942 pid = p->p_pid; 4943 4944 mutex_enter(&p->p_crlock); 4945 crhold(cr = p->p_cred); 4946 mutex_exit(&p->p_crlock); 4947 mutex_exit(&p->p_lock); 4948 4949 ainfo = crgetauinfo(cr); 4950 if (ainfo == NULL) { 4951 crfree(cr); 4952 return; 4953 } 4954 uid = crgetuid(cr); 4955 gid = crgetgid(cr); 4956 ruid = crgetruid(cr); 4957 rgid = crgetrgid(cr); 4958 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4959 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4960 crfree(cr); 4961 break; 4962 case AUE_DOORFS_DOOR_RETURN: 4963 /* 4964 * We may want to write information about 4965 * all doors (if any) which will be copied 4966 * by this call to the user space 4967 */ 4968 break; 4969 case AUE_DOORFS_DOOR_CREATE: 4970 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 4971 break; 4972 case AUE_DOORFS_DOOR_REVOKE: 4973 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4974 break; 4975 case AUE_DOORFS_DOOR_INFO: 4976 break; 4977 case AUE_DOORFS_DOOR_CRED: 4978 break; 4979 case AUE_DOORFS_DOOR_BIND: 4980 break; 4981 case AUE_DOORFS_DOOR_UNBIND: { 4982 break; 4983 } 4984 default: /* illegal system call */ 4985 break; 4986 } 4987 } 4988 4989 /*ARGSUSED*/ 4990 static au_event_t 4991 aui_acl(au_event_t e) 4992 { 4993 struct a { 4994 union { 4995 long name; /* char */ 4996 long fd; 4997 } obj; 4998 4999 long cmd; 5000 long nentries; 5001 long arg; /* aclent_t */ 5002 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5003 5004 switch (uap->cmd) { 5005 case SETACL: 5006 case ACE_SETACL: 5007 /* 5008 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5009 * are expected. 5010 */ 5011 break; 5012 case GETACL: 5013 case GETACLCNT: 5014 case ACE_GETACLCNT: 5015 /* do nothing for these two values. */ 5016 e = AUE_NULL; 5017 break; 5018 default: 5019 /* illegal system call */ 5020 break; 5021 } 5022 5023 return (e); 5024 } 5025 5026 static void 5027 au_acl(int cmd, int nentries, caddr_t bufp) 5028 { 5029 size_t a_size; 5030 aclent_t *aclbufp; 5031 ace_t *acebufp; 5032 int i; 5033 5034 switch (cmd) { 5035 case GETACL: 5036 case GETACLCNT: 5037 break; 5038 case SETACL: 5039 if (nentries < 3) 5040 break; 5041 5042 a_size = nentries * sizeof (aclent_t); 5043 5044 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5045 break; 5046 if (copyin(bufp, aclbufp, a_size)) { 5047 kmem_free(aclbufp, a_size); 5048 break; 5049 } 5050 for (i = 0; i < nentries; i++) { 5051 au_uwrite(au_to_acl(aclbufp + i)); 5052 } 5053 kmem_free(aclbufp, a_size); 5054 break; 5055 5056 case ACE_SETACL: 5057 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5058 break; 5059 5060 a_size = nentries * sizeof (ace_t); 5061 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5062 break; 5063 if (copyin(bufp, acebufp, a_size)) { 5064 kmem_free(acebufp, a_size); 5065 break; 5066 } 5067 for (i = 0; i < nentries; i++) { 5068 au_uwrite(au_to_ace(acebufp + i)); 5069 } 5070 kmem_free(acebufp, a_size); 5071 break; 5072 default: 5073 break; 5074 } 5075 } 5076 5077 /*ARGSUSED*/ 5078 static void 5079 aus_acl(struct t_audit_data *tad) 5080 { 5081 struct a { 5082 long fname; 5083 long cmd; 5084 long nentries; 5085 long aclbufp; 5086 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5087 5088 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5089 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5090 5091 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5092 } 5093 5094 /*ARGSUSED*/ 5095 static void 5096 aus_facl(struct t_audit_data *tad) 5097 { 5098 struct a { 5099 long fd; 5100 long cmd; 5101 long nentries; 5102 long aclbufp; 5103 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5104 struct file *fp; 5105 struct vnode *vp; 5106 struct f_audit_data *fad; 5107 int fd; 5108 5109 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5110 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5111 5112 fd = (int)uap->fd; 5113 5114 if ((fp = getf(fd)) == NULL) 5115 return; 5116 5117 /* get path from file struct here */ 5118 fad = F2A(fp); 5119 if (fad->fad_aupath != NULL) { 5120 au_uwrite(au_to_path(fad->fad_aupath)); 5121 } else { 5122 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5123 } 5124 5125 vp = fp->f_vnode; 5126 audit_attributes(vp); 5127 5128 /* decrement file descriptor reference count */ 5129 releasef(fd); 5130 5131 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5132 } 5133 5134 /*ARGSUSED*/ 5135 static void 5136 auf_read(tad, error, rval) 5137 struct t_audit_data *tad; 5138 int error; 5139 rval_t *rval; 5140 { 5141 struct file *fp; 5142 struct f_audit_data *fad; 5143 int fd; 5144 register struct a { 5145 long fd; 5146 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5147 au_kcontext_t *kctx = GET_KCTX_PZ; 5148 5149 fd = (int)uap->fd; 5150 5151 /* 5152 * convert file pointer to file descriptor 5153 * Note: fd ref count incremented here. 5154 */ 5155 if ((fp = getf(fd)) == NULL) 5156 return; 5157 5158 /* get path from file struct here */ 5159 fad = F2A(fp); 5160 ASSERT(fad); 5161 5162 /* 5163 * already processed this file for read attempt 5164 * 5165 * XXX might be better to turn off auditing in a aui_read() routine. 5166 */ 5167 if (fad->fad_flags & FAD_READ) { 5168 /* don't really want to audit every read attempt */ 5169 tad->tad_flag = 0; 5170 /* free any residual audit data */ 5171 au_close(kctx, &(u_ad), 0, 0, 0); 5172 releasef(fd); 5173 return; 5174 } 5175 /* mark things so we know what happened and don't repeat things */ 5176 fad->fad_flags |= FAD_READ; 5177 5178 if (fad->fad_aupath != NULL) { 5179 au_uwrite(au_to_path(fad->fad_aupath)); 5180 } else { 5181 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5182 } 5183 5184 /* include attributes */ 5185 audit_attributes(fp->f_vnode); 5186 5187 /* decrement file descriptor reference count */ 5188 releasef(fd); 5189 } 5190 5191 /*ARGSUSED*/ 5192 static void 5193 auf_write(tad, error, rval) 5194 struct t_audit_data *tad; 5195 int error; 5196 rval_t *rval; 5197 { 5198 struct file *fp; 5199 struct f_audit_data *fad; 5200 int fd; 5201 register struct a { 5202 long fd; 5203 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5204 au_kcontext_t *kctx = GET_KCTX_PZ; 5205 5206 fd = (int)uap->fd; 5207 5208 /* 5209 * convert file pointer to file descriptor 5210 * Note: fd ref count incremented here. 5211 */ 5212 if ((fp = getf(fd)) == NULL) 5213 return; 5214 5215 /* get path from file struct here */ 5216 fad = F2A(fp); 5217 ASSERT(fad); 5218 5219 /* 5220 * already processed this file for write attempt 5221 * 5222 * XXX might be better to turn off auditing in a aus_write() routine. 5223 */ 5224 if (fad->fad_flags & FAD_WRITE) { 5225 /* don't really want to audit every write attempt */ 5226 tad->tad_flag = 0; 5227 /* free any residual audit data */ 5228 au_close(kctx, &(u_ad), 0, 0, 0); 5229 releasef(fd); 5230 return; 5231 } 5232 /* mark things so we know what happened and don't repeat things */ 5233 fad->fad_flags |= FAD_WRITE; 5234 5235 if (fad->fad_aupath != NULL) { 5236 au_uwrite(au_to_path(fad->fad_aupath)); 5237 } else { 5238 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5239 } 5240 5241 /* include attributes */ 5242 audit_attributes(fp->f_vnode); 5243 5244 /* decrement file descriptor reference count */ 5245 releasef(fd); 5246 } 5247 5248 /*ARGSUSED*/ 5249 static void 5250 auf_recv(tad, error, rval) 5251 struct t_audit_data *tad; 5252 int error; 5253 rval_t *rval; 5254 { 5255 struct sonode *so; 5256 char so_laddr[sizeof (struct sockaddr_in6)]; 5257 char so_faddr[sizeof (struct sockaddr_in6)]; 5258 struct file *fp; 5259 struct f_audit_data *fad; 5260 int fd; 5261 int err; 5262 int len; 5263 short so_family, so_type; 5264 register struct a { 5265 long fd; 5266 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5267 au_kcontext_t *kctx = GET_KCTX_PZ; 5268 5269 /* 5270 * If there was an error, then nothing to do. Only generate 5271 * audit record on first successful recv. 5272 */ 5273 if (error) { 5274 /* Turn off audit record generation here. */ 5275 tad->tad_flag = 0; 5276 /* free any residual audit data */ 5277 au_close(kctx, &(u_ad), 0, 0, 0); 5278 return; 5279 } 5280 5281 fd = (int)uap->fd; 5282 5283 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5284 /* Turn off audit record generation here. */ 5285 tad->tad_flag = 0; 5286 /* free any residual audit data */ 5287 au_close(kctx, &(u_ad), 0, 0, 0); 5288 return; 5289 } 5290 5291 /* get path from file struct here */ 5292 fad = F2A(fp); 5293 ASSERT(fad); 5294 5295 /* 5296 * already processed this file for read attempt 5297 */ 5298 if (fad->fad_flags & FAD_READ) { 5299 releasef(fd); 5300 /* don't really want to audit every recv call */ 5301 tad->tad_flag = 0; 5302 /* free any residual audit data */ 5303 au_close(kctx, &(u_ad), 0, 0, 0); 5304 return; 5305 } 5306 5307 /* mark things so we know what happened and don't repeat things */ 5308 fad->fad_flags |= FAD_READ; 5309 5310 so_family = so->so_family; 5311 so_type = so->so_type; 5312 5313 switch (so_family) { 5314 case AF_INET: 5315 case AF_INET6: 5316 /* 5317 * Only for connections. 5318 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5319 */ 5320 if (so->so_state & SS_ISBOUND) { 5321 5322 bzero((void *)so_laddr, sizeof (so_laddr)); 5323 bzero((void *)so_faddr, sizeof (so_faddr)); 5324 5325 /* only done once on a connection */ 5326 (void) SOP_GETSOCKNAME(so); 5327 (void) SOP_GETPEERNAME(so); 5328 5329 /* get local and foreign addresses */ 5330 mutex_enter(&so->so_lock); 5331 len = min(so->so_laddr_len, sizeof (so_laddr)); 5332 bcopy(so->so_laddr_sa, so_laddr, len); 5333 len = min(so->so_faddr_len, sizeof (so_faddr)); 5334 bcopy(so->so_faddr_sa, so_faddr, len); 5335 mutex_exit(&so->so_lock); 5336 5337 /* 5338 * only way to drop out of switch. Note that we 5339 * we release fd below. 5340 */ 5341 5342 break; 5343 } 5344 5345 releasef(fd); 5346 5347 /* don't really want to audit every recv call */ 5348 tad->tad_flag = 0; 5349 /* free any residual audit data */ 5350 au_close(kctx, &(u_ad), 0, 0, 0); 5351 5352 return; 5353 5354 case AF_UNIX: 5355 5356 if (fad->fad_aupath != NULL) { 5357 au_uwrite(au_to_path(fad->fad_aupath)); 5358 } else { 5359 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5360 } 5361 5362 audit_attributes(fp->f_vnode); 5363 5364 releasef(fd); 5365 5366 return; 5367 5368 default: 5369 releasef(fd); 5370 5371 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5372 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5373 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5374 5375 return; 5376 } 5377 5378 releasef(fd); 5379 5380 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5381 5382 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5383 5384 } 5385 5386 /*ARGSUSED*/ 5387 static void 5388 auf_send(tad, error, rval) 5389 struct t_audit_data *tad; 5390 int error; 5391 rval_t *rval; 5392 { 5393 struct sonode *so; 5394 char so_laddr[sizeof (struct sockaddr_in6)]; 5395 char so_faddr[sizeof (struct sockaddr_in6)]; 5396 struct file *fp; 5397 struct f_audit_data *fad; 5398 int fd; 5399 int err; 5400 int len; 5401 short so_family, so_type; 5402 register struct a { 5403 long fd; 5404 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5405 au_kcontext_t *kctx = GET_KCTX_PZ; 5406 5407 fd = (int)uap->fd; 5408 5409 /* 5410 * If there was an error, then nothing to do. Only generate 5411 * audit record on first successful send. 5412 */ 5413 if (error != 0) { 5414 /* Turn off audit record generation here. */ 5415 tad->tad_flag = 0; 5416 /* free any residual audit data */ 5417 au_close(kctx, &(u_ad), 0, 0, 0); 5418 return; 5419 } 5420 5421 fd = (int)uap->fd; 5422 5423 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5424 /* Turn off audit record generation here. */ 5425 tad->tad_flag = 0; 5426 /* free any residual audit data */ 5427 au_close(kctx, &(u_ad), 0, 0, 0); 5428 return; 5429 } 5430 5431 /* get path from file struct here */ 5432 fad = F2A(fp); 5433 ASSERT(fad); 5434 5435 /* 5436 * already processed this file for write attempt 5437 */ 5438 if (fad->fad_flags & FAD_WRITE) { 5439 releasef(fd); 5440 /* don't really want to audit every send call */ 5441 tad->tad_flag = 0; 5442 /* free any residual audit data */ 5443 au_close(kctx, &(u_ad), 0, 0, 0); 5444 return; 5445 } 5446 5447 /* mark things so we know what happened and don't repeat things */ 5448 fad->fad_flags |= FAD_WRITE; 5449 5450 so_family = so->so_family; 5451 so_type = so->so_type; 5452 5453 switch (so_family) { 5454 case AF_INET: 5455 case AF_INET6: 5456 /* 5457 * Only for connections. 5458 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5459 */ 5460 if (so->so_state & SS_ISBOUND) { 5461 5462 bzero((void *)so_laddr, sizeof (so_laddr)); 5463 bzero((void *)so_faddr, sizeof (so_faddr)); 5464 5465 /* only done once on a connection */ 5466 (void) SOP_GETSOCKNAME(so); 5467 (void) SOP_GETPEERNAME(so); 5468 5469 /* get local and foreign addresses */ 5470 mutex_enter(&so->so_lock); 5471 len = min(so->so_laddr_len, sizeof (so_laddr)); 5472 bcopy(so->so_laddr_sa, so_laddr, len); 5473 len = min(so->so_faddr_len, sizeof (so_faddr)); 5474 bcopy(so->so_faddr_sa, so_faddr, len); 5475 mutex_exit(&so->so_lock); 5476 5477 /* 5478 * only way to drop out of switch. Note that we 5479 * we release fd below. 5480 */ 5481 5482 break; 5483 } 5484 5485 releasef(fd); 5486 /* don't really want to audit every send call */ 5487 tad->tad_flag = 0; 5488 /* free any residual audit data */ 5489 au_close(kctx, &(u_ad), 0, 0, 0); 5490 5491 return; 5492 5493 case AF_UNIX: 5494 5495 if (fad->fad_aupath != NULL) { 5496 au_uwrite(au_to_path(fad->fad_aupath)); 5497 } else { 5498 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5499 } 5500 5501 audit_attributes(fp->f_vnode); 5502 5503 releasef(fd); 5504 5505 return; 5506 5507 default: 5508 releasef(fd); 5509 5510 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5511 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5512 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5513 5514 return; 5515 } 5516 5517 releasef(fd); 5518 5519 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5520 5521 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5522 } 5523 5524 static au_event_t 5525 aui_forksys(au_event_t e) 5526 { 5527 struct a { 5528 long subcode; 5529 long flags; 5530 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5531 5532 switch ((uint_t)uap->subcode) { 5533 case 0: 5534 e = AUE_FORK1; 5535 break; 5536 case 1: 5537 e = AUE_FORKALL; 5538 break; 5539 case 2: 5540 e = AUE_VFORK; 5541 break; 5542 default: 5543 e = AUE_NULL; 5544 break; 5545 } 5546 5547 return (e); 5548 } 5549 5550 /*ARGSUSED*/ 5551 static au_event_t 5552 aui_portfs(au_event_t e) 5553 { 5554 struct a { /* portfs */ 5555 long a1; 5556 long a2; 5557 long a3; 5558 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5559 5560 /* 5561 * check opcode 5562 */ 5563 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5564 case PORT_ASSOCIATE: 5565 case PORT_DISSOCIATE: 5566 /* 5567 * check source 5568 */ 5569 if ((uint_t)uap->a3 == PORT_SOURCE_FILE) { 5570 e = AUE_PORTFS; 5571 } else { 5572 e = AUE_NULL; 5573 } 5574 break; 5575 default: 5576 e = AUE_NULL; 5577 } 5578 return (e); 5579 } 5580