1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * This file contains the audit event table used to control the production 30 * of audit records for each system call. 31 */ 32 33 #include <sys/policy.h> 34 #include <sys/cred.h> 35 #include <sys/types.h> 36 #include <sys/systm.h> 37 #include <sys/systeminfo.h> /* for sysinfo auditing */ 38 #include <sys/utsname.h> /* for sysinfo auditing */ 39 #include <sys/proc.h> 40 #include <sys/vnode.h> 41 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 42 #include <sys/fcntl.h> 43 #include <sys/modctl.h> /* for modctl auditing */ 44 #include <sys/vnode.h> 45 #include <sys/user.h> 46 #include <sys/types.h> 47 #include <sys/processor.h> 48 #include <sys/procset.h> 49 #include <sys/acl.h> 50 #include <sys/ipc.h> 51 #include <sys/door.h> 52 #include <sys/sem.h> 53 #include <sys/msg.h> 54 #include <sys/shm.h> 55 #include <sys/kmem.h> 56 #include <sys/file.h> /* for accept */ 57 #include <sys/utssys.h> /* for fuser */ 58 #include <sys/tsol/label.h> 59 #include <c2/audit.h> 60 #include <c2/audit_kernel.h> 61 #include <c2/audit_kevents.h> 62 #include <c2/audit_record.h> 63 #include <sys/procset.h> 64 #include <nfs/mount.h> 65 #include <sys/param.h> 66 #include <sys/debug.h> 67 #include <sys/sysmacros.h> 68 #include <sys/stream.h> 69 #include <sys/strsubr.h> 70 #include <sys/stropts.h> 71 #include <sys/tihdr.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <netinet/in.h> 75 #include <sys/ddi.h> 76 77 extern token_t *au_to_sock_inet(struct sockaddr_in *); 78 79 int au_naevent; 80 char _depends_on[] = "fs/sockfs"; 81 82 static au_event_t aui_null(au_event_t); 83 static au_event_t aui_open(au_event_t); 84 static au_event_t aui_fsat(au_event_t); 85 static au_event_t aui_msgsys(au_event_t); 86 static au_event_t aui_shmsys(au_event_t); 87 static au_event_t aui_semsys(au_event_t); 88 static au_event_t aui_utssys(au_event_t); 89 static au_event_t aui_fcntl(au_event_t); 90 static au_event_t aui_execv(au_event_t); 91 static au_event_t aui_execve(au_event_t); 92 static au_event_t aui_memcntl(au_event_t); 93 static au_event_t aui_sysinfo(au_event_t); 94 static au_event_t aui_auditsys(au_event_t); 95 static au_event_t aui_modctl(au_event_t); 96 static au_event_t aui_acl(au_event_t); 97 static au_event_t aui_doorfs(au_event_t); 98 static au_event_t aui_privsys(au_event_t); 99 100 static void aus_null(struct t_audit_data *); 101 static void aus_open(struct t_audit_data *); 102 static void aus_acl(struct t_audit_data *); 103 static void aus_acct(struct t_audit_data *); 104 static void aus_chown(struct t_audit_data *); 105 static void aus_fchown(struct t_audit_data *); 106 static void aus_lchown(struct t_audit_data *); 107 static void aus_chmod(struct t_audit_data *); 108 static void aus_facl(struct t_audit_data *); 109 static void aus_fchmod(struct t_audit_data *); 110 static void aus_fcntl(struct t_audit_data *); 111 static void aus_fsat(struct t_audit_data *); 112 static void aus_mkdir(struct t_audit_data *); 113 static void aus_mknod(struct t_audit_data *); 114 static void aus_mount(struct t_audit_data *); 115 static void aus_umount(struct t_audit_data *); 116 static void aus_umount2(struct t_audit_data *); 117 static void aus_msgsys(struct t_audit_data *); 118 static void aus_semsys(struct t_audit_data *); 119 static void aus_close(struct t_audit_data *); 120 static void aus_fstatfs(struct t_audit_data *); 121 static void aus_setgid(struct t_audit_data *); 122 static void aus_setuid(struct t_audit_data *); 123 static void aus_shmsys(struct t_audit_data *); 124 static void aus_doorfs(struct t_audit_data *); 125 static void aus_ioctl(struct t_audit_data *); 126 static void aus_memcntl(struct t_audit_data *); 127 static void aus_mmap(struct t_audit_data *); 128 static void aus_munmap(struct t_audit_data *); 129 static void aus_priocntlsys(struct t_audit_data *); 130 static void aus_setegid(struct t_audit_data *); 131 static void aus_setgroups(struct t_audit_data *); 132 static void aus_seteuid(struct t_audit_data *); 133 static void aus_putmsg(struct t_audit_data *); 134 static void aus_putpmsg(struct t_audit_data *); 135 static void aus_getmsg(struct t_audit_data *); 136 static void aus_getpmsg(struct t_audit_data *); 137 static void aus_auditsys(struct t_audit_data *); 138 static void aus_sysinfo(struct t_audit_data *); 139 static void aus_modctl(struct t_audit_data *); 140 static void aus_kill(struct t_audit_data *); 141 static void aus_xmknod(struct t_audit_data *); 142 static void aus_setregid(struct t_audit_data *); 143 static void aus_setreuid(struct t_audit_data *); 144 145 static void auf_null(struct t_audit_data *, int, rval_t *); 146 static void auf_mknod(struct t_audit_data *, int, rval_t *); 147 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 148 static void auf_semsys(struct t_audit_data *, int, rval_t *); 149 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 150 #if 0 151 static void auf_open(struct t_audit_data *, int, rval_t *); 152 #endif 153 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 154 static void auf_read(struct t_audit_data *, int, rval_t *); 155 static void auf_write(struct t_audit_data *, int, rval_t *); 156 157 static void aus_sigqueue(struct t_audit_data *); 158 static void aus_p_online(struct t_audit_data *); 159 static void aus_processor_bind(struct t_audit_data *); 160 static void aus_inst_sync(struct t_audit_data *); 161 162 static void auf_accept(struct t_audit_data *, int, rval_t *); 163 164 static void auf_bind(struct t_audit_data *, int, rval_t *); 165 static void auf_connect(struct t_audit_data *, int, rval_t *); 166 static void aus_shutdown(struct t_audit_data *); 167 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 168 static void aus_sockconfig(struct t_audit_data *); 169 static void auf_recv(struct t_audit_data *, int, rval_t *); 170 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 171 static void auf_send(struct t_audit_data *, int, rval_t *); 172 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 173 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 174 static void auf_sendto(struct t_audit_data *, int, rval_t *); 175 static void aus_socket(struct t_audit_data *); 176 /* 177 * This table contains mapping information for converting system call numbers 178 * to audit event IDs. In several cases it is necessary to map a single system 179 * call to several events. 180 */ 181 182 struct audit_s2e audit_s2e[] = 183 { 184 /* 185 * ---------- ---------- ---------- ---------- 186 * INITIAL AUDIT START SYSTEM 187 * PROCESSING EVENT PROCESSING CALL 188 * ---------- ---------- ---------- ----------- 189 * FINISH EVENT 190 * PROCESSING CONTROL 191 * ---------------------------------------------------------- 192 */ 193 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 194 auf_null, 0, 195 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 196 auf_null, S2E_NPT, 197 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 198 auf_null, 0, 199 aui_null, AUE_READ, aus_null, /* 3 read */ 200 auf_read, S2E_PUB, 201 aui_null, AUE_WRITE, aus_null, /* 4 write */ 202 auf_write, 0, 203 aui_open, AUE_OPEN, aus_open, /* 5 open */ 204 auf_null, S2E_SP, 205 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 206 auf_null, 0, 207 aui_null, AUE_NULL, aus_null, /* 7 wait */ 208 auf_null, 0, 209 aui_null, AUE_CREAT, aus_null, /* 8 create */ 210 auf_null, S2E_SP, 211 aui_null, AUE_LINK, aus_null, /* 9 link */ 212 auf_null, 0, 213 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 214 auf_null, 0, 215 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 216 auf_null, S2E_MLD, 217 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 218 auf_null, S2E_SP, 219 aui_null, AUE_NULL, aus_null, /* 13 time */ 220 auf_null, 0, 221 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 222 auf_mknod, 0, 223 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 224 auf_null, 0, 225 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 226 auf_null, 0, 227 aui_null, AUE_NULL, aus_null, /* 17 brk */ 228 auf_null, 0, 229 aui_null, AUE_STAT, aus_null, /* 18 stat */ 230 auf_null, S2E_PUB, 231 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 232 auf_null, 0, 233 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 234 auf_null, 0, 235 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 236 auf_null, S2E_MLD, 237 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 238 auf_null, 0, 239 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 240 auf_null, 0, 241 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 242 auf_null, 0, 243 aui_null, AUE_STIME, aus_null, /* 25 stime */ 244 auf_null, 0, 245 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 246 auf_null, 0, 247 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 29 pause */ 252 auf_null, 0, 253 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 258 auf_null, 0, 259 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 260 auf_null, S2E_PUB, 261 aui_null, AUE_NICE, aus_null, /* 34 nice */ 262 auf_null, 0, 263 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 264 auf_null, S2E_PUB, 265 aui_null, AUE_NULL, aus_null, /* 36 sync */ 266 auf_null, 0, 267 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 268 auf_null, 0, 269 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 270 auf_null, S2E_PUB, 271 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 272 auf_null, 0, 273 aui_null, AUE_NULL, aus_null, /* 40 (loadable) was cxenix */ 274 auf_null, 0, 275 aui_null, AUE_NULL, aus_null, /* 41 dup */ 276 auf_null, 0, 277 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 43 times */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 44 profil */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 284 /* was proc lock */ 285 auf_null, 0, 286 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 289 auf_null, 0, 290 aui_null, AUE_NULL, aus_null, /* 48 sig */ 291 auf_null, 0, 292 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 293 auf_msgsys, 0, 294 #if defined(__x86) 295 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 296 auf_null, 0, 297 #else 298 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 299 auf_null, 0, 300 #endif /* __x86 */ 301 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 302 auf_null, 0, 303 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 304 auf_shmsys, 0, 305 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 306 auf_semsys, 0, 307 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 308 auf_null, 0, 309 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 310 auf_null, 0, 311 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 312 auf_null, 0, 313 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 314 auf_null, 0, 315 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 316 auf_null, 0, 317 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 318 auf_null, S2E_MLD, 319 aui_null, AUE_NULL, aus_null, /* 60 umask */ 320 auf_null, 0, 321 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 322 auf_null, S2E_SP, 323 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 324 auf_null, 0, 325 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 326 auf_null, 0, 327 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 328 auf_null, 0, 329 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 332 auf_null, 0, 333 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 334 /* file locking call */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 337 /* local system calls */ 338 auf_null, 0, 339 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 340 auf_null, 0, 341 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 344 auf_null, 0, 345 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 75 issetugid */ 352 /* was sigret (SunOS) */ 353 auf_null, 0, 354 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 359 auf_null, 0, 360 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 361 auf_null, 0, 362 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 363 auf_null, 0, 364 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 365 auf_null, 0, 366 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 367 /* was libattach */ 368 auf_null, 0, 369 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 370 /* was libdetach */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 373 auf_null, 0, 374 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 375 auf_null, 0, 376 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 87 poll */ 379 auf_null, 0, 380 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 381 auf_null, S2E_PUB, 382 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 383 auf_null, 0, 384 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 387 auf_null, 0, 388 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 389 auf_null, 0, 390 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 391 auf_null, 0, 392 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 395 auf_null, 0, 396 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 409 /* was evtrapret */ 410 auf_null, 0, 411 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 412 auf_null, S2E_PUB, 413 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 414 auf_null, 0, 415 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 416 auf_null, 0, 417 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 418 auf_null, 0, 419 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 422 auf_null, 0, 423 #if defined(__x86) 424 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 425 auf_null, 0, 426 #else 427 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 428 auf_null, 0, 429 #endif /* __x86 */ 430 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 431 auf_null, 0, 432 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 433 auf_null, 0, 434 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 435 auf_null, 0, /* 112 priocntlsys */ 436 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 437 auf_null, S2E_PUB, 438 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 439 auf_null, 0, 440 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 441 auf_null, 0, 442 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 443 auf_null, 0, 444 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 445 auf_null, 0, 446 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 447 auf_null, 0, 448 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 449 auf_null, 0, 450 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 451 auf_null, 0, 452 aui_null, AUE_READ, aus_null, /* 121 readv */ 453 auf_read, S2E_PUB, 454 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 455 auf_write, 0, 456 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 457 auf_null, S2E_PUB, 458 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 459 auf_null, S2E_PUB, 460 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 461 auf_null, 0, 462 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 463 auf_xmknod, 0, 464 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 465 auf_null, 0, 466 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 467 auf_null, 0, 468 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 469 auf_null, 0, 470 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 471 auf_null, 0, 472 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 473 auf_null, 0, 474 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 475 auf_null, 0, 476 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 477 auf_null, 0, 478 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 479 auf_null, 0, 480 aui_null, AUE_NULL, aus_null, /* 135 uname */ 481 auf_null, 0, 482 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 483 auf_null, 0, 484 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 485 auf_null, 0, 486 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 487 auf_null, 0, 488 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 489 auf_null, 0, 490 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 491 auf_null, 0, 492 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 493 auf_null, 0, 494 aui_null, AUE_NULL, aus_null, /* 142 (loadable reserved) */ 495 auf_null, 0, 496 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 497 auf_null, 0, 498 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 499 auf_null, 0, 500 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 501 auf_null, 0, 502 aui_null, AUE_NULL, aus_null, /* 146 yield */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 513 auf_null, 0, 514 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 515 auf_null, 0, 516 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 517 auf_null, 0, 518 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 519 auf_null, 0, 520 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 541 /* was lwp_setprivate */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 544 /* was lwp_getprivate */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_unlock */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 557 auf_null, 0, 558 aui_null, AUE_READ, aus_null, /* 173 pread */ 559 auf_read, S2E_PUB, 560 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 561 auf_write, 0, 562 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 563 auf_null, 0, 564 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 565 /* aus_inst_sync */ 566 auf_null, 0, 567 aui_null, AUE_NULL, aus_null, /* 177 (loadable) */ 568 auf_null, 0, 569 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 570 auf_null, 0, 571 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 182 (loadable) */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 580 auf_null, 0, 581 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 582 auf_null, 0, 583 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 584 auf_null, 0, 585 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 586 auf_null, 0, 587 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 588 auf_null, 0, /* 187 processor_bind */ 589 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 590 auf_null, 0, 591 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 594 auf_null, 0, 595 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 596 auf_null, 0, 597 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 612 auf_null, 0, 613 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 614 auf_null, 0, 615 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 616 auf_null, 0, 617 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 618 auf_null, 0, 619 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 620 auf_null, 0, 621 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 622 auf_null, 0, 623 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 640 auf_null, 0, 641 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 642 auf_null, 0, 643 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 644 auf_null, S2E_PUB, 645 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 646 auf_null, S2E_PUB, 647 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 648 auf_null, 0, 649 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 652 auf_null, 0, 653 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 654 auf_null, 0, 655 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 656 auf_null, 0, 657 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 658 auf_read, S2E_PUB, 659 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 660 auf_write, 0, 661 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 662 auf_null, S2E_SP, 663 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 664 auf_null, S2E_SP, 665 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 666 auf_null, 0, 667 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 668 auf_null, 0, 669 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 672 auf_null, 0, 673 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 676 auf_null, 0, 677 aui_null, AUE_BIND, aus_null, /* 232 bind */ 678 auf_bind, 0, 679 aui_null, AUE_NULL, aus_null, /* 233 listen */ 680 auf_null, 0, 681 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 682 auf_accept, 0, 683 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 684 auf_connect, 0, 685 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 686 auf_null, 0, 687 aui_null, AUE_READ, aus_null, /* 237 recv */ 688 auf_recv, 0, 689 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 690 auf_recvfrom, 0, 691 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 692 auf_recvmsg, 0, 693 aui_null, AUE_WRITE, aus_null, /* 240 send */ 694 auf_send, 0, 695 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 696 auf_sendmsg, 0, 697 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 698 auf_sendto, 0, 699 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 700 auf_null, 0, 701 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 702 auf_null, 0, 703 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 704 auf_null, 0, 705 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 706 auf_setsockopt, 0, 707 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 708 auf_null, 0, 709 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 710 auf_null, 0, 711 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_init */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 254 (loadable) */ 722 /* was lwp_sigtimedwait */ 723 auf_null, 0, 724 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 725 auf_null, 0 726 }; 727 728 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 729 730 char *so_not_bound = "socket not bound"; 731 char *so_not_conn = "socket not connected"; 732 char *so_bad_addr = "bad socket address"; 733 char *so_bad_peer_addr = "bad peer address"; 734 735 /* null start function */ 736 /*ARGSUSED*/ 737 static void 738 aus_null(struct t_audit_data *tad) 739 { 740 } 741 742 /* acct start function */ 743 /*ARGSUSED*/ 744 static void 745 aus_acct(struct t_audit_data *tad) 746 { 747 klwp_t *clwp = ttolwp(curthread); 748 uintptr_t fname; 749 750 struct a { 751 long fname; /* char * */ 752 } *uap = (struct a *)clwp->lwp_ap; 753 754 fname = (uintptr_t)uap->fname; 755 756 if (fname == 0) 757 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 758 } 759 760 /* chown start function */ 761 /*ARGSUSED*/ 762 static void 763 aus_chown(struct t_audit_data *tad) 764 { 765 klwp_t *clwp = ttolwp(curthread); 766 uint32_t uid, gid; 767 768 struct a { 769 long fname; /* char * */ 770 long uid; 771 long gid; 772 } *uap = (struct a *)clwp->lwp_ap; 773 774 uid = (uint32_t)uap->uid; 775 gid = (uint32_t)uap->gid; 776 777 au_uwrite(au_to_arg32(2, "new file uid", uid)); 778 au_uwrite(au_to_arg32(3, "new file gid", gid)); 779 } 780 781 /* fchown start function */ 782 /*ARGSUSED*/ 783 static void 784 aus_fchown(struct t_audit_data *tad) 785 { 786 klwp_t *clwp = ttolwp(curthread); 787 uint32_t uid, gid, fd; 788 struct file *fp; 789 struct vnode *vp; 790 struct f_audit_data *fad; 791 792 struct a { 793 long fd; 794 long uid; 795 long gid; 796 } *uap = (struct a *)clwp->lwp_ap; 797 798 fd = (uint32_t)uap->fd; 799 uid = (uint32_t)uap->uid; 800 gid = (uint32_t)uap->gid; 801 802 au_uwrite(au_to_arg32(2, "new file uid", uid)); 803 au_uwrite(au_to_arg32(3, "new file gid", gid)); 804 805 /* 806 * convert file pointer to file descriptor 807 * Note: fd ref count incremented here. 808 */ 809 if ((fp = getf(fd)) == NULL) 810 return; 811 812 /* get path from file struct here */ 813 fad = F2A(fp); 814 if (fad->fad_aupath != NULL) { 815 au_uwrite(au_to_path(fad->fad_aupath)); 816 } else { 817 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 818 } 819 820 vp = fp->f_vnode; 821 audit_attributes(vp); 822 823 /* decrement file descriptor reference count */ 824 releasef(fd); 825 } 826 827 /*ARGSUSED*/ 828 static void 829 aus_lchown(struct t_audit_data *tad) 830 { 831 klwp_t *clwp = ttolwp(curthread); 832 uint32_t uid, gid; 833 834 835 struct a { 836 long fname; /* char * */ 837 long uid; 838 long gid; 839 } *uap = (struct a *)clwp->lwp_ap; 840 841 uid = (uint32_t)uap->uid; 842 gid = (uint32_t)uap->gid; 843 844 au_uwrite(au_to_arg32(2, "new file uid", uid)); 845 au_uwrite(au_to_arg32(3, "new file gid", gid)); 846 } 847 848 /* chmod start function */ 849 /*ARGSUSED*/ 850 static void 851 aus_chmod(struct t_audit_data *tad) 852 { 853 klwp_t *clwp = ttolwp(curthread); 854 uint32_t fmode; 855 856 struct a { 857 long fname; /* char * */ 858 long fmode; 859 } *uap = (struct a *)clwp->lwp_ap; 860 861 fmode = (uint32_t)uap->fmode; 862 863 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 864 } 865 866 /* chmod start function */ 867 /*ARGSUSED*/ 868 static void 869 aus_fchmod(struct t_audit_data *tad) 870 { 871 klwp_t *clwp = ttolwp(curthread); 872 uint32_t fmode, fd; 873 struct file *fp; 874 struct vnode *vp; 875 struct f_audit_data *fad; 876 877 struct a { 878 long fd; 879 long fmode; 880 } *uap = (struct a *)clwp->lwp_ap; 881 882 fd = (uint32_t)uap->fd; 883 fmode = (uint32_t)uap->fmode; 884 885 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 886 887 /* 888 * convert file pointer to file descriptor 889 * Note: fd ref count incremented here. 890 */ 891 if ((fp = getf(fd)) == NULL) 892 return; 893 894 /* get path from file struct here */ 895 fad = F2A(fp); 896 if (fad->fad_aupath != NULL) { 897 au_uwrite(au_to_path(fad->fad_aupath)); 898 } else { 899 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 900 } 901 902 vp = fp->f_vnode; 903 audit_attributes(vp); 904 905 /* decrement file descriptor reference count */ 906 releasef(fd); 907 } 908 909 /* null function */ 910 /*ARGSUSED*/ 911 static void 912 auf_null(struct t_audit_data *tad, int error, rval_t *rval) 913 { 914 } 915 916 /* null function */ 917 static au_event_t 918 aui_null(au_event_t e) 919 { 920 return (e); 921 } 922 923 /* convert open to appropriate event */ 924 static au_event_t 925 aui_open(au_event_t e) 926 { 927 klwp_t *clwp = ttolwp(curthread); 928 uint_t fm; 929 930 struct a { 931 long fnamep; /* char * */ 932 long fmode; 933 long cmode; 934 } *uap = (struct a *)clwp->lwp_ap; 935 936 fm = (uint_t)uap->fmode; 937 938 if (fm & O_WRONLY) 939 e = AUE_OPEN_W; 940 else if (fm & O_RDWR) 941 e = AUE_OPEN_RW; 942 else 943 e = AUE_OPEN_R; 944 945 if (fm & O_CREAT) 946 e += 1; 947 if (fm & O_TRUNC) 948 e += 2; 949 950 return (e); 951 } 952 953 /*ARGSUSED*/ 954 static void 955 aus_open(struct t_audit_data *tad) 956 { 957 klwp_t *clwp = ttolwp(curthread); 958 uint_t fm; 959 960 struct a { 961 long fnamep; /* char * */ 962 long fmode; 963 long cmode; 964 } *uap = (struct a *)clwp->lwp_ap; 965 966 fm = (uint_t)uap->fmode; 967 968 /* If no write, create, or trunc modes, mark as a public op */ 969 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 970 tad->tad_ctrl |= PAD_PUBLIC_EV; 971 } 972 973 /* convert openat(2) to appropriate event */ 974 static au_event_t 975 aui_fsat(au_event_t e) 976 { 977 t_audit_data_t *tad = U2A(u); 978 klwp_t *clwp = ttolwp(curthread); 979 uint_t fmcode, fm; 980 struct a { 981 long id; 982 long arg1; 983 long arg2; 984 long arg3; 985 long arg4; 986 long arg5; 987 } *uap = (struct a *)clwp->lwp_ap; 988 989 fmcode = (uint_t)uap->id; 990 991 switch (fmcode) { 992 993 case 0: /* openat */ 994 case 1: /* openat64 */ 995 fm = (uint_t)uap->arg3; 996 if (fm & O_WRONLY) 997 e = AUE_OPENAT_W; 998 else if (fm & O_RDWR) 999 e = AUE_OPENAT_RW; 1000 else 1001 e = AUE_OPENAT_R; 1002 1003 /* 1004 * openat modes are defined in the following order: 1005 * Read only 1006 * Read|Create 1007 * Read|Trunc 1008 * Read|Create|Trunc 1009 * Write Only 1010 * Write|Create 1011 * Write|Trunc 1012 * Write|Create|Trunc * RW Only 1013 * RW|Create 1014 * RW|Trunc 1015 * RW|Create|Trunc 1016 */ 1017 if (fm & O_CREAT) 1018 e += 1; /* increment to include CREAT in mode */ 1019 if (fm & O_TRUNC) 1020 e += 2; /* increment to include TRUNC in mode */ 1021 1022 /* convert to appropriate au_ctrl */ 1023 tad->tad_ctrl |= PAD_SAVPATH; 1024 if (fm & FXATTR) 1025 tad->tad_ctrl |= PAD_ATPATH; 1026 1027 1028 break; 1029 case 2: /* fstatat64 */ 1030 case 3: /* fstatat */ 1031 e = AUE_FSTATAT; 1032 break; 1033 case 4: /* fchownat */ 1034 e = AUE_FCHOWNAT; 1035 break; 1036 case 5: /* unlinkat */ 1037 e = AUE_UNLINKAT; 1038 break; 1039 case 6: /* futimesat */ 1040 e = AUE_FUTIMESAT; 1041 break; 1042 case 7: /* renameat */ 1043 e = AUE_RENAMEAT; 1044 break; 1045 default: 1046 e = AUE_NULL; 1047 break; 1048 } 1049 1050 return (e); 1051 } 1052 1053 /*ARGSUSED*/ 1054 static void 1055 aus_fsat(struct t_audit_data *tad) 1056 { 1057 klwp_t *clwp = ttolwp(curthread); 1058 uint_t fmcode, fm; 1059 struct a { 1060 long id; 1061 long arg1; 1062 long arg2; 1063 long arg3; 1064 long arg4; 1065 long arg5; 1066 } *uap = (struct a *)clwp->lwp_ap; 1067 1068 fmcode = (uint_t)uap->id; 1069 1070 switch (fmcode) { 1071 1072 case 0: /* openat */ 1073 case 1: /* openat64 */ 1074 fm = (uint_t)uap->arg3; 1075 /* If no write, create, or trunc modes, mark as a public op */ 1076 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1077 tad->tad_ctrl |= PAD_PUBLIC_EV; 1078 1079 break; 1080 case 2: /* fstatat64 */ 1081 case 3: /* fstatat */ 1082 tad->tad_ctrl |= PAD_PUBLIC_EV; 1083 break; 1084 default: 1085 break; 1086 } 1087 } 1088 1089 /* msgsys */ 1090 static au_event_t 1091 aui_msgsys(au_event_t e) 1092 { 1093 klwp_t *clwp = ttolwp(curthread); 1094 uint_t fm; 1095 1096 struct a { 1097 long id; /* function code id */ 1098 long ap; /* arg pointer for recvmsg */ 1099 } *uap = (struct a *)clwp->lwp_ap; 1100 1101 struct b { 1102 long msgid; 1103 long cmd; 1104 long buf; /* struct msqid_ds * */ 1105 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1106 1107 fm = (uint_t)uap->id; 1108 1109 switch (fm) { 1110 case 0: /* msgget */ 1111 e = AUE_MSGGET; 1112 break; 1113 case 1: /* msgctl */ 1114 switch ((uint_t)uap1->cmd) { 1115 case IPC_RMID: 1116 e = AUE_MSGCTL_RMID; 1117 break; 1118 case IPC_SET: 1119 e = AUE_MSGCTL_SET; 1120 break; 1121 case IPC_STAT: 1122 e = AUE_MSGCTL_STAT; 1123 break; 1124 default: 1125 e = AUE_MSGCTL; 1126 break; 1127 } 1128 break; 1129 case 2: /* msgrcv */ 1130 e = AUE_MSGRCV; 1131 break; 1132 case 3: /* msgsnd */ 1133 e = AUE_MSGSND; 1134 break; 1135 default: /* illegal system call */ 1136 e = AUE_NULL; 1137 break; 1138 } 1139 1140 return (e); 1141 } 1142 1143 1144 /* shmsys */ 1145 static au_event_t 1146 aui_shmsys(au_event_t e) 1147 { 1148 klwp_t *clwp = ttolwp(curthread); 1149 int fm; 1150 1151 struct a { /* shmsys */ 1152 long id; /* function code id */ 1153 } *uap = (struct a *)clwp->lwp_ap; 1154 1155 struct b { /* ctrl */ 1156 long shmid; 1157 long cmd; 1158 long arg; /* struct shmid_ds * */ 1159 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1160 fm = (uint_t)uap->id; 1161 1162 switch (fm) { 1163 case 0: /* shmat */ 1164 e = AUE_SHMAT; 1165 break; 1166 case 1: /* shmctl */ 1167 switch ((uint_t)uap1->cmd) { 1168 case IPC_RMID: 1169 e = AUE_SHMCTL_RMID; 1170 break; 1171 case IPC_SET: 1172 e = AUE_SHMCTL_SET; 1173 break; 1174 case IPC_STAT: 1175 e = AUE_SHMCTL_STAT; 1176 break; 1177 default: 1178 e = AUE_SHMCTL; 1179 break; 1180 } 1181 break; 1182 case 2: /* shmdt */ 1183 e = AUE_SHMDT; 1184 break; 1185 case 3: /* shmget */ 1186 e = AUE_SHMGET; 1187 break; 1188 default: /* illegal system call */ 1189 e = AUE_NULL; 1190 break; 1191 } 1192 1193 return (e); 1194 } 1195 1196 1197 /* semsys */ 1198 static au_event_t 1199 aui_semsys(au_event_t e) 1200 { 1201 klwp_t *clwp = ttolwp(curthread); 1202 uint_t fm; 1203 1204 struct a { /* semsys */ 1205 long id; 1206 } *uap = (struct a *)clwp->lwp_ap; 1207 1208 struct b { /* ctrl */ 1209 long semid; 1210 long semnum; 1211 long cmd; 1212 long arg; 1213 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1214 1215 fm = (uint_t)uap->id; 1216 1217 switch (fm) { 1218 case 0: /* semctl */ 1219 switch ((uint_t)uap1->cmd) { 1220 case IPC_RMID: 1221 e = AUE_SEMCTL_RMID; 1222 break; 1223 case IPC_SET: 1224 e = AUE_SEMCTL_SET; 1225 break; 1226 case IPC_STAT: 1227 e = AUE_SEMCTL_STAT; 1228 break; 1229 case GETNCNT: 1230 e = AUE_SEMCTL_GETNCNT; 1231 break; 1232 case GETPID: 1233 e = AUE_SEMCTL_GETPID; 1234 break; 1235 case GETVAL: 1236 e = AUE_SEMCTL_GETVAL; 1237 break; 1238 case GETALL: 1239 e = AUE_SEMCTL_GETALL; 1240 break; 1241 case GETZCNT: 1242 e = AUE_SEMCTL_GETZCNT; 1243 break; 1244 case SETVAL: 1245 e = AUE_SEMCTL_SETVAL; 1246 break; 1247 case SETALL: 1248 e = AUE_SEMCTL_SETALL; 1249 break; 1250 default: 1251 e = AUE_SEMCTL; 1252 break; 1253 } 1254 break; 1255 case 1: /* semget */ 1256 e = AUE_SEMGET; 1257 break; 1258 case 2: /* semop */ 1259 e = AUE_SEMOP; 1260 break; 1261 default: /* illegal system call */ 1262 e = AUE_NULL; 1263 break; 1264 } 1265 1266 return (e); 1267 } 1268 1269 /* utssys - uname(2), ustat(2), fusers(2) */ 1270 static au_event_t 1271 aui_utssys(au_event_t e) 1272 { 1273 klwp_t *clwp = ttolwp(curthread); 1274 uint_t type; 1275 1276 struct a { 1277 union { 1278 long cbuf; /* char * */ 1279 long ubuf; /* struct stat * */ 1280 } ub; 1281 union { 1282 long mv; /* for USTAT */ 1283 long flags; /* for FUSERS */ 1284 } un; 1285 long type; 1286 long outbp; /* char * for FUSERS */ 1287 } *uap = (struct a *)clwp->lwp_ap; 1288 1289 type = (uint_t)uap->type; 1290 1291 if (type == UTS_FUSERS) 1292 return (e); 1293 else 1294 return ((au_event_t)AUE_NULL); 1295 } 1296 1297 static au_event_t 1298 aui_fcntl(au_event_t e) 1299 { 1300 klwp_t *clwp = ttolwp(curthread); 1301 uint_t cmd; 1302 1303 struct a { 1304 long fdes; 1305 long cmd; 1306 long arg; 1307 } *uap = (struct a *)clwp->lwp_ap; 1308 1309 cmd = (uint_t)uap->cmd; 1310 1311 switch (cmd) { 1312 case F_GETLK: 1313 case F_SETLK: 1314 case F_SETLKW: 1315 break; 1316 case F_SETFL: 1317 case F_GETFL: 1318 case F_GETFD: 1319 break; 1320 default: 1321 e = (au_event_t)AUE_NULL; 1322 break; 1323 } 1324 return ((au_event_t)e); 1325 } 1326 1327 /* null function for now */ 1328 static au_event_t 1329 aui_execv(au_event_t e) 1330 { 1331 return (e); 1332 } 1333 1334 /* null function for now */ 1335 static au_event_t 1336 aui_execve(au_event_t e) 1337 { 1338 return (e); 1339 } 1340 1341 /*ARGSUSED*/ 1342 static void 1343 aus_fcntl(struct t_audit_data *tad) 1344 { 1345 klwp_t *clwp = ttolwp(curthread); 1346 uint32_t cmd, fd; 1347 struct file *fp; 1348 struct vnode *vp; 1349 struct f_audit_data *fad; 1350 1351 struct a { 1352 long fd; 1353 long cmd; 1354 long arg; 1355 } *uap = (struct a *)clwp->lwp_ap; 1356 1357 cmd = (uint32_t)uap->cmd; 1358 fd = (uint32_t)uap->fd; 1359 1360 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1361 1362 /* 1363 * convert file pointer to file descriptor 1364 * Note: fd ref count incremented here. 1365 */ 1366 if ((fp = getf(fd)) == NULL) 1367 return; 1368 1369 /* get path from file struct here */ 1370 fad = F2A(fp); 1371 if (fad->fad_aupath != NULL) { 1372 au_uwrite(au_to_path(fad->fad_aupath)); 1373 } else { 1374 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1375 } 1376 1377 vp = fp->f_vnode; 1378 audit_attributes(vp); 1379 1380 /* decrement file descriptor reference count */ 1381 releasef(fd); 1382 } 1383 1384 /*ARGSUSED*/ 1385 static void 1386 aus_kill(struct t_audit_data *tad) 1387 { 1388 klwp_t *clwp = ttolwp(curthread); 1389 struct proc *p; 1390 uint32_t signo; 1391 uid_t uid, ruid; 1392 gid_t gid, rgid; 1393 pid_t pid; 1394 const auditinfo_addr_t *ainfo; 1395 cred_t *cr; 1396 1397 struct a { 1398 long pid; 1399 long signo; 1400 } *uap = (struct a *)clwp->lwp_ap; 1401 1402 pid = (pid_t)uap->pid; 1403 signo = (uint32_t)uap->signo; 1404 1405 au_uwrite(au_to_arg32(2, "signal", signo)); 1406 if (pid > 0) { 1407 mutex_enter(&pidlock); 1408 if (((p = prfind(pid)) == (struct proc *)0) || 1409 (p->p_stat == SIDL)) { 1410 mutex_exit(&pidlock); 1411 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1412 return; 1413 } 1414 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1415 mutex_exit(&pidlock); 1416 1417 mutex_enter(&p->p_crlock); 1418 crhold(cr = p->p_cred); 1419 mutex_exit(&p->p_crlock); 1420 mutex_exit(&p->p_lock); 1421 1422 ainfo = crgetauinfo(cr); 1423 if (ainfo == NULL) { 1424 crfree(cr); 1425 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1426 return; 1427 } 1428 1429 uid = crgetuid(cr); 1430 gid = crgetgid(cr); 1431 ruid = crgetruid(cr); 1432 rgid = crgetrgid(cr); 1433 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1434 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1435 1436 if (is_system_labeled()) 1437 au_uwrite(au_to_label(CR_SL(cr))); 1438 1439 crfree(cr); 1440 } 1441 else 1442 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1443 } 1444 1445 /*ARGSUSED*/ 1446 static void 1447 aus_mkdir(struct t_audit_data *tad) 1448 { 1449 klwp_t *clwp = ttolwp(curthread); 1450 uint32_t dmode; 1451 1452 struct a { 1453 long dirnamep; /* char * */ 1454 long dmode; 1455 } *uap = (struct a *)clwp->lwp_ap; 1456 1457 dmode = (uint32_t)uap->dmode; 1458 1459 au_uwrite(au_to_arg32(2, "mode", dmode)); 1460 } 1461 1462 /*ARGSUSED*/ 1463 static void 1464 aus_mknod(struct t_audit_data *tad) 1465 { 1466 klwp_t *clwp = ttolwp(curthread); 1467 uint32_t fmode; 1468 dev_t dev; 1469 1470 struct a { 1471 long pnamep; /* char * */ 1472 long fmode; 1473 long dev; 1474 } *uap = (struct a *)clwp->lwp_ap; 1475 1476 fmode = (uint32_t)uap->fmode; 1477 dev = (dev_t)uap->dev; 1478 1479 au_uwrite(au_to_arg32(2, "mode", fmode)); 1480 #ifdef _LP64 1481 au_uwrite(au_to_arg64(3, "dev", dev)); 1482 #else 1483 au_uwrite(au_to_arg32(3, "dev", dev)); 1484 #endif 1485 } 1486 1487 /*ARGSUSED*/ 1488 static void 1489 aus_xmknod(struct t_audit_data *tad) 1490 { 1491 klwp_t *clwp = ttolwp(curthread); 1492 uint32_t fmode; 1493 dev_t dev; 1494 1495 struct a { 1496 long version; /* version */ 1497 long pnamep; /* char * */ 1498 long fmode; 1499 long dev; 1500 } *uap = (struct a *)clwp->lwp_ap; 1501 1502 fmode = (uint32_t)uap->fmode; 1503 dev = (dev_t)uap->dev; 1504 1505 au_uwrite(au_to_arg32(2, "mode", fmode)); 1506 #ifdef _LP64 1507 au_uwrite(au_to_arg64(3, "dev", dev)); 1508 #else 1509 au_uwrite(au_to_arg32(3, "dev", dev)); 1510 #endif 1511 } 1512 1513 /*ARGSUSED*/ 1514 static void 1515 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1516 { 1517 klwp_t *clwp = ttolwp(curthread); 1518 vnode_t *dvp; 1519 caddr_t pnamep; 1520 1521 struct a { 1522 long pnamep; /* char * */ 1523 long fmode; 1524 long dev; 1525 } *uap = (struct a *)clwp->lwp_ap; 1526 1527 /* no error, then already path token in audit record */ 1528 if (error != EPERM) 1529 return; 1530 1531 /* not auditing this event, nothing then to do */ 1532 if (tad->tad_flag == 0) 1533 return; 1534 1535 /* do the lookup to force generation of path token */ 1536 pnamep = (caddr_t)uap->pnamep; 1537 tad->tad_ctrl |= PAD_NOATTRB; 1538 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1539 if (error == 0) 1540 VN_RELE(dvp); 1541 } 1542 1543 /*ARGSUSED*/ 1544 static void 1545 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1546 { 1547 klwp_t *clwp = ttolwp(curthread); 1548 vnode_t *dvp; 1549 caddr_t pnamep; 1550 1551 struct a { 1552 long version; /* version */ 1553 long pnamep; /* char * */ 1554 long fmode; 1555 long dev; 1556 } *uap = (struct a *)clwp->lwp_arg; 1557 1558 1559 /* no error, then already path token in audit record */ 1560 if (error != EPERM) 1561 return; 1562 1563 /* not auditing this event, nothing then to do */ 1564 if (tad->tad_flag == 0) 1565 return; 1566 1567 /* do the lookup to force generation of path token */ 1568 pnamep = (caddr_t)uap->pnamep; 1569 tad->tad_ctrl |= PAD_NOATTRB; 1570 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1571 if (error == 0) 1572 VN_RELE(dvp); 1573 } 1574 1575 /*ARGSUSED*/ 1576 static void 1577 aus_mount(struct t_audit_data *tad) 1578 { /* AUS_START */ 1579 klwp_t *clwp = ttolwp(curthread); 1580 uint32_t flags; 1581 uintptr_t u_fstype, dataptr; 1582 STRUCT_DECL(nfs_args, nfsargs); 1583 size_t len; 1584 char *fstype, *hostname; 1585 1586 struct a { 1587 long spec; /* char * */ 1588 long dir; /* char * */ 1589 long flags; 1590 long fstype; /* char * */ 1591 long dataptr; /* char * */ 1592 long datalen; 1593 } *uap = (struct a *)clwp->lwp_ap; 1594 1595 u_fstype = (uintptr_t)uap->fstype; 1596 flags = (uint32_t)uap->flags; 1597 dataptr = (uintptr_t)uap->dataptr; 1598 1599 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1600 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1601 goto mount_free_fstype; 1602 1603 au_uwrite(au_to_arg32(3, "flags", flags)); 1604 au_uwrite(au_to_text(fstype)); 1605 1606 if (strncmp(fstype, "nfs", 3) == 0) { 1607 1608 STRUCT_INIT(nfsargs, get_udatamodel()); 1609 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1610 1611 if (copyin((caddr_t)dataptr, 1612 STRUCT_BUF(nfsargs), 1613 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1614 /* DEBUG debug_enter((char *)NULL); */ 1615 goto mount_free_fstype; 1616 } 1617 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1618 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1619 (caddr_t)hostname, 1620 MAXNAMELEN, &len)) { 1621 goto mount_free_hostname; 1622 } 1623 au_uwrite(au_to_text(hostname)); 1624 au_uwrite(au_to_arg32(3, "internal flags", 1625 (uint_t)STRUCT_FGET(nfsargs, flags))); 1626 1627 mount_free_hostname: 1628 kmem_free(hostname, MAXNAMELEN); 1629 } 1630 1631 mount_free_fstype: 1632 kmem_free(fstype, MAXNAMELEN); 1633 } /* AUS_MOUNT */ 1634 1635 static void 1636 aus_umount_path(caddr_t umount_dir) 1637 { 1638 char *dir_path; 1639 struct audit_path *path; 1640 size_t path_len, dir_len; 1641 1642 /* length alloc'd for two string pointers */ 1643 path_len = sizeof (struct audit_path) + sizeof (char *); 1644 path = kmem_alloc(path_len, KM_SLEEP); 1645 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1646 1647 if (copyinstr(umount_dir, (caddr_t)dir_path, 1648 MAXPATHLEN, &dir_len)) 1649 goto umount2_free_dir; 1650 1651 /* 1652 * the audit_path struct assumes that the buffer pointed to 1653 * by audp_sect[n] contains string 0 immediatedly followed 1654 * by string 1. 1655 */ 1656 path->audp_sect[0] = dir_path; 1657 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1658 path->audp_size = path_len; 1659 path->audp_ref = 1; /* not used */ 1660 path->audp_cnt = 1; /* one path string */ 1661 1662 au_uwrite(au_to_path(path)); 1663 1664 umount2_free_dir: 1665 kmem_free(dir_path, MAXPATHLEN); 1666 kmem_free(path, path_len); 1667 } 1668 1669 /* 1670 * the umount syscall is implemented as a call to umount2, but the args 1671 * are different... 1672 */ 1673 1674 /*ARGSUSED*/ 1675 static void 1676 aus_umount(struct t_audit_data *tad) 1677 { 1678 klwp_t *clwp = ttolwp(curthread); 1679 struct a { 1680 long dir; /* char * */ 1681 } *uap = (struct a *)clwp->lwp_ap; 1682 1683 aus_umount_path((caddr_t)uap->dir); 1684 } 1685 1686 /*ARGSUSED*/ 1687 static void 1688 aus_umount2(struct t_audit_data *tad) 1689 { 1690 klwp_t *clwp = ttolwp(curthread); 1691 struct a { 1692 long dir; /* char * */ 1693 long flags; 1694 } *uap = (struct a *)clwp->lwp_ap; 1695 1696 aus_umount_path((caddr_t)uap->dir); 1697 1698 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1699 } 1700 1701 static void 1702 aus_msgsys(struct t_audit_data *tad) 1703 { 1704 klwp_t *clwp = ttolwp(curthread); 1705 uint32_t msgid; 1706 1707 struct b { 1708 long msgid; 1709 long cmd; 1710 long buf; /* struct msqid_ds * */ 1711 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1712 1713 msgid = (uint32_t)uap1->msgid; 1714 1715 1716 switch (tad->tad_event) { 1717 case AUE_MSGGET: /* msgget */ 1718 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1719 break; 1720 case AUE_MSGCTL: /* msgctl */ 1721 case AUE_MSGCTL_RMID: /* msgctl */ 1722 case AUE_MSGCTL_STAT: /* msgctl */ 1723 case AUE_MSGRCV: /* msgrcv */ 1724 case AUE_MSGSND: /* msgsnd */ 1725 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1726 break; 1727 case AUE_MSGCTL_SET: /* msgctl */ 1728 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1729 break; 1730 } 1731 } 1732 1733 /*ARGSUSED*/ 1734 static void 1735 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1736 { 1737 int id; 1738 1739 if (error != 0) 1740 return; 1741 if (tad->tad_event == AUE_MSGGET) { 1742 uint32_t scid; 1743 uint32_t sy_flags; 1744 1745 /* need to determine type of executing binary */ 1746 scid = tad->tad_scid; 1747 #ifdef _SYSCALL32_IMPL 1748 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1749 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1750 else 1751 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1752 #else 1753 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1754 #endif 1755 if (sy_flags == SE_32RVAL1) 1756 id = rval->r_val1; 1757 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1758 id = rval->r_val1; 1759 if (sy_flags == SE_64RVAL) 1760 id = (int)rval->r_vals; 1761 1762 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1763 } 1764 } 1765 1766 static void 1767 aus_semsys(struct t_audit_data *tad) 1768 { 1769 klwp_t *clwp = ttolwp(curthread); 1770 uint32_t semid; 1771 1772 struct b { /* ctrl */ 1773 long semid; 1774 long semnum; 1775 long cmd; 1776 long arg; 1777 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1778 1779 semid = (uint32_t)uap1->semid; 1780 1781 switch (tad->tad_event) { 1782 case AUE_SEMCTL_RMID: 1783 case AUE_SEMCTL_STAT: 1784 case AUE_SEMCTL_GETNCNT: 1785 case AUE_SEMCTL_GETPID: 1786 case AUE_SEMCTL_GETVAL: 1787 case AUE_SEMCTL_GETALL: 1788 case AUE_SEMCTL_GETZCNT: 1789 case AUE_SEMCTL_SETVAL: 1790 case AUE_SEMCTL_SETALL: 1791 case AUE_SEMCTL: 1792 case AUE_SEMOP: 1793 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1794 break; 1795 case AUE_SEMCTL_SET: 1796 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1797 break; 1798 case AUE_SEMGET: 1799 au_uwrite(au_to_arg32(1, "sem key", semid)); 1800 break; 1801 } 1802 } 1803 1804 /*ARGSUSED*/ 1805 static void 1806 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1807 { 1808 int id; 1809 1810 if (error != 0) 1811 return; 1812 if (tad->tad_event == AUE_SEMGET) { 1813 uint32_t scid; 1814 uint32_t sy_flags; 1815 1816 /* need to determine type of executing binary */ 1817 scid = tad->tad_scid; 1818 #ifdef _SYSCALL32_IMPL 1819 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1820 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1821 else 1822 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1823 #else 1824 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1825 #endif 1826 if (sy_flags == SE_32RVAL1) 1827 id = rval->r_val1; 1828 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1829 id = rval->r_val1; 1830 if (sy_flags == SE_64RVAL) 1831 id = (int)rval->r_vals; 1832 1833 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1834 } 1835 } 1836 1837 /*ARGSUSED*/ 1838 static void 1839 aus_close(struct t_audit_data *tad) 1840 { 1841 klwp_t *clwp = ttolwp(curthread); 1842 uint32_t fd; 1843 struct file *fp; 1844 struct f_audit_data *fad; 1845 struct vnode *vp; 1846 struct vattr attr; 1847 au_kcontext_t *kctx = SET_KCTX_PZ; 1848 1849 struct a { 1850 long i; 1851 } *uap = (struct a *)clwp->lwp_ap; 1852 1853 fd = (uint32_t)uap->i; 1854 1855 attr.va_mask = 0; 1856 au_uwrite(au_to_arg32(1, "fd", fd)); 1857 1858 /* 1859 * convert file pointer to file descriptor 1860 * Note: fd ref count incremented here. 1861 */ 1862 if ((fp = getf(fd)) == NULL) 1863 return; 1864 1865 fad = F2A(fp); 1866 tad->tad_evmod = (short)fad->fad_flags; 1867 if (fad->fad_aupath != NULL) { 1868 au_uwrite(au_to_path(fad->fad_aupath)); 1869 if ((vp = fp->f_vnode) != NULL) { 1870 attr.va_mask = AT_ALL; 1871 if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) { 1872 /* 1873 * When write was not used and the file can be 1874 * considered public, skip the audit. 1875 */ 1876 if (((fp->f_flag & FWRITE) == 0) && 1877 file_is_public(&attr)) { 1878 tad->tad_flag = 0; 1879 tad->tad_evmod = 0; 1880 /* free any residual audit data */ 1881 au_close(kctx, &(u_ad), 0, 0, 0); 1882 releasef(fd); 1883 return; 1884 } 1885 au_uwrite(au_to_attr(&attr)); 1886 audit_sec_attributes(&(u_ad), vp); 1887 } 1888 } 1889 } 1890 1891 /* decrement file descriptor reference count */ 1892 releasef(fd); 1893 } 1894 1895 /*ARGSUSED*/ 1896 static void 1897 aus_fstatfs(struct t_audit_data *tad) 1898 { 1899 klwp_t *clwp = ttolwp(curthread); 1900 uint32_t fd; 1901 struct file *fp; 1902 struct vnode *vp; 1903 struct f_audit_data *fad; 1904 1905 struct a { 1906 long fd; 1907 long buf; /* struct statfs * */ 1908 } *uap = (struct a *)clwp->lwp_ap; 1909 1910 fd = (uint_t)uap->fd; 1911 1912 /* 1913 * convert file pointer to file descriptor 1914 * Note: fd ref count incremented here. 1915 */ 1916 if ((fp = getf(fd)) == NULL) 1917 return; 1918 1919 /* get path from file struct here */ 1920 fad = F2A(fp); 1921 if (fad->fad_aupath != NULL) { 1922 au_uwrite(au_to_path(fad->fad_aupath)); 1923 } else { 1924 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1925 } 1926 1927 vp = fp->f_vnode; 1928 audit_attributes(vp); 1929 1930 /* decrement file descriptor reference count */ 1931 releasef(fd); 1932 } 1933 1934 #ifdef NOTYET 1935 /*ARGSUSED*/ 1936 static void 1937 aus_setpgrp(struct t_audit_data *tad) 1938 { 1939 klwp_t *clwp = ttolwp(curthread); 1940 uint32_t pgrp; 1941 struct proc *p; 1942 uid_t uid, ruid; 1943 gid_t gid, rgid; 1944 pid_t pid; 1945 const auditinfo_addr_t *ainfo; 1946 cred_t *cr; 1947 1948 struct a { 1949 long pid; 1950 long pgrp; 1951 } *uap = (struct a *)clwp->lwp_ap; 1952 1953 pid = (pid_t)uap->pid; 1954 pgrp = (uint32_t)uap->pgrp; 1955 1956 /* current process? */ 1957 if (pid == 0) 1958 (return); 1959 1960 mutex_enter(&pidlock); 1961 p = prfind(pid); 1962 if (p == NULL || p->p_as == &kas) { 1963 mutex_exit(&pidlock); 1964 return; 1965 } 1966 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1967 mutex_exit(&pidlock); 1968 1969 mutex_enter(&p->p_crlock); 1970 crhold(cr = p->p_cred); 1971 mutex_exit(&p->p_crlock); 1972 mutex_exit(&p->p_lock); 1973 1974 ainfo = crgetauinfo(cr); 1975 if (ainfo == NULL) { 1976 crfree(cr); 1977 return; 1978 } 1979 1980 uid = crgetuid(cr); 1981 gid = crgetgid(cr); 1982 ruid = crgetruid(cr); 1983 rgid = crgetrgid(cr); 1984 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1985 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1986 crfree(cr); 1987 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1988 } 1989 #endif 1990 1991 /*ARGSUSED*/ 1992 static void 1993 aus_setregid(struct t_audit_data *tad) 1994 { 1995 klwp_t *clwp = ttolwp(curthread); 1996 uint32_t rgid, egid; 1997 1998 struct a { 1999 long rgid; 2000 long egid; 2001 } *uap = (struct a *)clwp->lwp_ap; 2002 2003 rgid = (uint32_t)uap->rgid; 2004 egid = (uint32_t)uap->egid; 2005 2006 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2007 au_uwrite(au_to_arg32(2, "egid", egid)); 2008 } 2009 2010 /*ARGSUSED*/ 2011 static void 2012 aus_setgid(struct t_audit_data *tad) 2013 { 2014 klwp_t *clwp = ttolwp(curthread); 2015 uint32_t gid; 2016 2017 struct a { 2018 long gid; 2019 } *uap = (struct a *)clwp->lwp_ap; 2020 2021 gid = (uint32_t)uap->gid; 2022 2023 au_uwrite(au_to_arg32(1, "gid", gid)); 2024 } 2025 2026 2027 /*ARGSUSED*/ 2028 static void 2029 aus_setreuid(struct t_audit_data *tad) 2030 { 2031 klwp_t *clwp = ttolwp(curthread); 2032 uint32_t ruid, euid; 2033 2034 struct a { 2035 long ruid; 2036 long euid; 2037 } *uap = (struct a *)clwp->lwp_ap; 2038 2039 ruid = (uint32_t)uap->ruid; 2040 euid = (uint32_t)uap->euid; 2041 2042 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2043 au_uwrite(au_to_arg32(2, "euid", euid)); 2044 } 2045 2046 2047 /*ARGSUSED*/ 2048 static void 2049 aus_setuid(struct t_audit_data *tad) 2050 { 2051 klwp_t *clwp = ttolwp(curthread); 2052 uint32_t uid; 2053 2054 struct a { 2055 long uid; 2056 } *uap = (struct a *)clwp->lwp_ap; 2057 2058 uid = (uint32_t)uap->uid; 2059 2060 au_uwrite(au_to_arg32(1, "uid", uid)); 2061 } 2062 2063 /*ARGSUSED*/ 2064 static void 2065 aus_shmsys(struct t_audit_data *tad) 2066 { 2067 klwp_t *clwp = ttolwp(curthread); 2068 uint32_t id, cmd; 2069 2070 struct b { 2071 long id; 2072 long cmd; 2073 long buf; /* struct shmid_ds * */ 2074 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2075 2076 id = (uint32_t)uap1->id; 2077 cmd = (uint32_t)uap1->cmd; 2078 2079 switch (tad->tad_event) { 2080 case AUE_SHMGET: /* shmget */ 2081 au_uwrite(au_to_arg32(1, "shm key", id)); 2082 break; 2083 case AUE_SHMCTL: /* shmctl */ 2084 case AUE_SHMCTL_RMID: /* shmctl */ 2085 case AUE_SHMCTL_STAT: /* shmctl */ 2086 case AUE_SHMCTL_SET: /* shmctl */ 2087 au_uwrite(au_to_arg32(1, "shm ID", id)); 2088 break; 2089 case AUE_SHMDT: /* shmdt */ 2090 au_uwrite(au_to_arg32(1, "shm adr", id)); 2091 break; 2092 case AUE_SHMAT: /* shmat */ 2093 au_uwrite(au_to_arg32(1, "shm ID", id)); 2094 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2095 break; 2096 } 2097 } 2098 2099 /*ARGSUSED*/ 2100 static void 2101 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2102 { 2103 int id; 2104 2105 if (error != 0) 2106 return; 2107 if (tad->tad_event == AUE_SHMGET) { 2108 uint32_t scid; 2109 uint32_t sy_flags; 2110 2111 /* need to determine type of executing binary */ 2112 scid = tad->tad_scid; 2113 #ifdef _SYSCALL32_IMPL 2114 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2115 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2116 else 2117 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2118 #else 2119 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2120 #endif 2121 if (sy_flags == SE_32RVAL1) 2122 id = rval->r_val1; 2123 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2124 id = rval->r_val1; 2125 if (sy_flags == SE_64RVAL) 2126 id = (int)rval->r_vals; 2127 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2128 } 2129 } 2130 2131 2132 /*ARGSUSED*/ 2133 static void 2134 aus_ioctl(struct t_audit_data *tad) 2135 { 2136 klwp_t *clwp = ttolwp(curthread); 2137 struct file *fp; 2138 struct vnode *vp; 2139 struct f_audit_data *fad; 2140 uint32_t fd, cmd; 2141 uintptr_t cmarg; 2142 2143 /* XX64 */ 2144 struct a { 2145 long fd; 2146 long cmd; 2147 long cmarg; /* caddr_t */ 2148 } *uap = (struct a *)clwp->lwp_ap; 2149 2150 fd = (uint32_t)uap->fd; 2151 cmd = (uint32_t)uap->cmd; 2152 cmarg = (uintptr_t)uap->cmarg; 2153 2154 /* 2155 * convert file pointer to file descriptor 2156 * Note: fd ref count incremented here. 2157 */ 2158 if ((fp = getf(fd)) == NULL) { 2159 au_uwrite(au_to_arg32(1, "fd", fd)); 2160 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2161 #ifndef _LP64 2162 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2163 #else 2164 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2165 #endif 2166 return; 2167 } 2168 2169 /* get path from file struct here */ 2170 fad = F2A(fp); 2171 if (fad->fad_aupath != NULL) { 2172 au_uwrite(au_to_path(fad->fad_aupath)); 2173 } else { 2174 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2175 } 2176 2177 vp = fp->f_vnode; 2178 audit_attributes(vp); 2179 2180 /* decrement file descriptor reference count */ 2181 releasef(fd); 2182 2183 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2184 #ifndef _LP64 2185 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2186 #else 2187 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2188 #endif 2189 } 2190 2191 /* 2192 * null function for memcntl for now. We might want to limit memcntl() 2193 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2194 * require privileges. 2195 */ 2196 static au_event_t 2197 aui_memcntl(au_event_t e) 2198 { 2199 return (e); 2200 } 2201 2202 /*ARGSUSED*/ 2203 static au_event_t 2204 aui_privsys(au_event_t e) 2205 { 2206 klwp_t *clwp = ttolwp(curthread); 2207 2208 struct a { 2209 long opcode; 2210 } *uap = (struct a *)clwp->lwp_ap; 2211 2212 switch (uap->opcode) { 2213 case PRIVSYS_SETPPRIV: 2214 return (AUE_SETPPRIV); 2215 default: 2216 return (AUE_NULL); 2217 } 2218 } 2219 2220 /*ARGSUSED*/ 2221 static void 2222 aus_memcntl(struct t_audit_data *tad) 2223 { 2224 klwp_t *clwp = ttolwp(curthread); 2225 2226 struct a { 2227 long addr; 2228 long len; 2229 long cmd; 2230 long arg; 2231 long attr; 2232 long mask; 2233 } *uap = (struct a *)clwp->lwp_ap; 2234 2235 #ifdef _LP64 2236 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2237 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2238 #else 2239 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2240 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2241 #endif 2242 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2243 #ifdef _LP64 2244 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2245 #else 2246 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2247 #endif 2248 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2249 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2250 } 2251 2252 /*ARGSUSED*/ 2253 static void 2254 aus_mmap(struct t_audit_data *tad) 2255 { 2256 klwp_t *clwp = ttolwp(curthread); 2257 struct file *fp; 2258 struct f_audit_data *fad; 2259 struct vnode *vp; 2260 uint32_t fd; 2261 2262 struct a { 2263 long addr; 2264 long len; 2265 long prot; 2266 long flags; 2267 long fd; 2268 long pos; 2269 } *uap = (struct a *)clwp->lwp_ap; 2270 2271 fd = (uint32_t)uap->fd; 2272 2273 #ifdef _LP64 2274 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2275 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2276 #else 2277 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2278 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2279 #endif 2280 2281 if ((fp = getf(fd)) == NULL) { 2282 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2283 return; 2284 } 2285 2286 /* 2287 * Mark in the tad if write access is NOT requested... if 2288 * this is later detected (in audit_attributes) to be a 2289 * public object, the mmap event may be discarded. 2290 */ 2291 if (((uap->prot) & PROT_WRITE) == 0) { 2292 tad->tad_ctrl |= PAD_PUBLIC_EV; 2293 } 2294 2295 fad = F2A(fp); 2296 if (fad->fad_aupath != NULL) { 2297 au_uwrite(au_to_path(fad->fad_aupath)); 2298 } else { 2299 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2300 } 2301 2302 vp = (struct vnode *)fp->f_vnode; 2303 audit_attributes(vp); 2304 2305 /* mark READ/WRITE since we can't predict access */ 2306 if (uap->prot & PROT_READ) 2307 fad->fad_flags |= FAD_READ; 2308 if (uap->prot & PROT_WRITE) 2309 fad->fad_flags |= FAD_WRITE; 2310 2311 /* decrement file descriptor reference count */ 2312 releasef(fd); 2313 2314 } /* AUS_MMAP */ 2315 2316 2317 2318 2319 /*ARGSUSED*/ 2320 static void 2321 aus_munmap(struct t_audit_data *tad) 2322 { 2323 klwp_t *clwp = ttolwp(curthread); 2324 2325 struct a { 2326 long addr; 2327 long len; 2328 } *uap = (struct a *)clwp->lwp_ap; 2329 2330 #ifdef _LP64 2331 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2332 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2333 #else 2334 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2335 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2336 #endif 2337 2338 } /* AUS_MUNMAP */ 2339 2340 2341 2342 2343 2344 2345 2346 /*ARGSUSED*/ 2347 static void 2348 aus_priocntlsys(struct t_audit_data *tad) 2349 { 2350 klwp_t *clwp = ttolwp(curthread); 2351 2352 struct a { 2353 long pc_version; 2354 long psp; /* procset_t */ 2355 long cmd; 2356 long arg; 2357 } *uap = (struct a *)clwp->lwp_ap; 2358 2359 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2360 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2361 2362 } /* AUS_PRIOCNTLSYS */ 2363 2364 2365 /*ARGSUSED*/ 2366 static void 2367 aus_setegid(struct t_audit_data *tad) 2368 { 2369 klwp_t *clwp = ttolwp(curthread); 2370 uint32_t gid; 2371 2372 struct a { 2373 long gid; 2374 } *uap = (struct a *)clwp->lwp_ap; 2375 2376 gid = (uint32_t)uap->gid; 2377 2378 au_uwrite(au_to_arg32(1, "gid", gid)); 2379 } /* AUS_SETEGID */ 2380 2381 2382 2383 2384 /*ARGSUSED*/ 2385 static void 2386 aus_setgroups(struct t_audit_data *tad) 2387 { 2388 klwp_t *clwp = ttolwp(curthread); 2389 int i; 2390 int gidsetsize; 2391 uintptr_t gidset; 2392 gid_t *gidlist; 2393 2394 struct a { 2395 long gidsetsize; 2396 long gidset; 2397 } *uap = (struct a *)clwp->lwp_ap; 2398 2399 gidsetsize = (uint_t)uap->gidsetsize; 2400 gidset = (uintptr_t)uap->gidset; 2401 2402 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2403 return; 2404 if (gidsetsize != 0) { 2405 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2406 KM_SLEEP); 2407 if (copyin((caddr_t)gidset, gidlist, 2408 gidsetsize * sizeof (gid_t)) == 0) 2409 for (i = 0; i < gidsetsize; i++) 2410 au_uwrite(au_to_arg32(1, "setgroups", 2411 (uint32_t)gidlist[i])); 2412 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2413 } else 2414 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2415 2416 } /* AUS_SETGROUPS */ 2417 2418 2419 2420 2421 2422 /*ARGSUSED*/ 2423 static void 2424 aus_seteuid(struct t_audit_data *tad) 2425 { 2426 klwp_t *clwp = ttolwp(curthread); 2427 uint32_t uid; 2428 2429 struct a { 2430 long uid; 2431 } *uap = (struct a *)clwp->lwp_ap; 2432 2433 uid = (uint32_t)uap->uid; 2434 2435 au_uwrite(au_to_arg32(1, "euid", uid)); 2436 2437 } /* AUS_SETEUID */ 2438 2439 /*ARGSUSED*/ 2440 static void 2441 aus_putmsg(struct t_audit_data *tad) 2442 { 2443 klwp_t *clwp = ttolwp(curthread); 2444 uint32_t fd, pri; 2445 struct file *fp; 2446 struct f_audit_data *fad; 2447 2448 struct a { 2449 long fdes; 2450 long ctl; /* struct strbuf * */ 2451 long data; /* struct strbuf * */ 2452 long pri; 2453 } *uap = (struct a *)clwp->lwp_ap; 2454 2455 fd = (uint32_t)uap->fdes; 2456 pri = (uint32_t)uap->pri; 2457 2458 au_uwrite(au_to_arg32(1, "fd", fd)); 2459 2460 if ((fp = getf(fd)) != NULL) { 2461 fad = F2A(fp); 2462 2463 fad->fad_flags |= FAD_WRITE; 2464 2465 /* add path name to audit record */ 2466 if (fad->fad_aupath != NULL) { 2467 au_uwrite(au_to_path(fad->fad_aupath)); 2468 } 2469 audit_attributes(fp->f_vnode); 2470 2471 releasef(fd); 2472 } 2473 2474 au_uwrite(au_to_arg32(4, "pri", pri)); 2475 } 2476 2477 /*ARGSUSED*/ 2478 static void 2479 aus_putpmsg(struct t_audit_data *tad) 2480 { 2481 klwp_t *clwp = ttolwp(curthread); 2482 uint32_t fd, pri, flags; 2483 struct file *fp; 2484 struct f_audit_data *fad; 2485 2486 struct a { 2487 long fdes; 2488 long ctl; /* struct strbuf * */ 2489 long data; /* struct strbuf * */ 2490 long pri; 2491 long flags; 2492 } *uap = (struct a *)clwp->lwp_ap; 2493 2494 fd = (uint32_t)uap->fdes; 2495 pri = (uint32_t)uap->pri; 2496 flags = (uint32_t)uap->flags; 2497 2498 au_uwrite(au_to_arg32(1, "fd", fd)); 2499 2500 if ((fp = getf(fd)) != NULL) { 2501 fad = F2A(fp); 2502 2503 fad->fad_flags |= FAD_WRITE; 2504 2505 /* add path name to audit record */ 2506 if (fad->fad_aupath != NULL) { 2507 au_uwrite(au_to_path(fad->fad_aupath)); 2508 } 2509 audit_attributes(fp->f_vnode); 2510 2511 releasef(fd); 2512 } 2513 2514 2515 au_uwrite(au_to_arg32(4, "pri", pri)); 2516 au_uwrite(au_to_arg32(5, "flags", flags)); 2517 } 2518 2519 /*ARGSUSED*/ 2520 static void 2521 aus_getmsg(struct t_audit_data *tad) 2522 { 2523 klwp_t *clwp = ttolwp(curthread); 2524 uint32_t fd, pri; 2525 struct file *fp; 2526 struct f_audit_data *fad; 2527 2528 struct a { 2529 long fdes; 2530 long ctl; /* struct strbuf * */ 2531 long data; /* struct strbuf * */ 2532 long pri; 2533 } *uap = (struct a *)clwp->lwp_ap; 2534 2535 fd = (uint32_t)uap->fdes; 2536 pri = (uint32_t)uap->pri; 2537 2538 au_uwrite(au_to_arg32(1, "fd", fd)); 2539 2540 if ((fp = getf(fd)) != NULL) { 2541 fad = F2A(fp); 2542 2543 /* 2544 * read operation on this object 2545 */ 2546 fad->fad_flags |= FAD_READ; 2547 2548 /* add path name to audit record */ 2549 if (fad->fad_aupath != NULL) { 2550 au_uwrite(au_to_path(fad->fad_aupath)); 2551 } 2552 audit_attributes(fp->f_vnode); 2553 2554 releasef(fd); 2555 } 2556 2557 au_uwrite(au_to_arg32(4, "pri", pri)); 2558 } 2559 2560 /*ARGSUSED*/ 2561 static void 2562 aus_getpmsg(struct t_audit_data *tad) 2563 { 2564 klwp_t *clwp = ttolwp(curthread); 2565 uint32_t fd; 2566 struct file *fp; 2567 struct f_audit_data *fad; 2568 2569 struct a { 2570 long fdes; 2571 long ctl; /* struct strbuf * */ 2572 long data; /* struct strbuf * */ 2573 long pri; 2574 long flags; 2575 } *uap = (struct a *)clwp->lwp_ap; 2576 2577 fd = (uint32_t)uap->fdes; 2578 2579 au_uwrite(au_to_arg32(1, "fd", fd)); 2580 2581 if ((fp = getf(fd)) != NULL) { 2582 fad = F2A(fp); 2583 2584 /* 2585 * read operation on this object 2586 */ 2587 fad->fad_flags |= FAD_READ; 2588 2589 /* add path name to audit record */ 2590 if (fad->fad_aupath != NULL) { 2591 au_uwrite(au_to_path(fad->fad_aupath)); 2592 } 2593 audit_attributes(fp->f_vnode); 2594 2595 releasef(fd); 2596 } 2597 } 2598 2599 static au_event_t 2600 aui_auditsys(au_event_t e) 2601 { 2602 klwp_t *clwp = ttolwp(curthread); 2603 uint32_t code; 2604 2605 struct a { 2606 long code; 2607 long a1; 2608 long a2; 2609 long a3; 2610 long a4; 2611 long a5; 2612 long a6; 2613 long a7; 2614 } *uap = (struct a *)clwp->lwp_ap; 2615 2616 code = (uint32_t)uap->code; 2617 2618 switch (code) { 2619 2620 case BSM_GETAUID: 2621 e = AUE_GETAUID; 2622 break; 2623 case BSM_SETAUID: 2624 e = AUE_SETAUID; 2625 break; 2626 case BSM_GETAUDIT: 2627 e = AUE_GETAUDIT; 2628 break; 2629 case BSM_GETAUDIT_ADDR: 2630 e = AUE_GETAUDIT_ADDR; 2631 break; 2632 case BSM_SETAUDIT: 2633 e = AUE_SETAUDIT; 2634 break; 2635 case BSM_SETAUDIT_ADDR: 2636 e = AUE_SETAUDIT_ADDR; 2637 break; 2638 case BSM_AUDIT: 2639 e = AUE_AUDIT; 2640 break; 2641 case BSM_AUDITSVC: 2642 e = AUE_AUDITSVC; 2643 break; 2644 case BSM_GETPORTAUDIT: 2645 e = AUE_GETPORTAUDIT; 2646 break; 2647 case BSM_AUDITON: 2648 case BSM_AUDITCTL: 2649 2650 switch ((uint_t)uap->a1) { 2651 2652 case A_GETPOLICY: 2653 e = AUE_AUDITON_GPOLICY; 2654 break; 2655 case A_SETPOLICY: 2656 e = AUE_AUDITON_SPOLICY; 2657 break; 2658 case A_GETKMASK: 2659 e = AUE_AUDITON_GETKMASK; 2660 break; 2661 case A_SETKMASK: 2662 e = AUE_AUDITON_SETKMASK; 2663 break; 2664 case A_GETQCTRL: 2665 e = AUE_AUDITON_GQCTRL; 2666 break; 2667 case A_SETQCTRL: 2668 e = AUE_AUDITON_SQCTRL; 2669 break; 2670 case A_GETCWD: 2671 e = AUE_AUDITON_GETCWD; 2672 break; 2673 case A_GETCAR: 2674 e = AUE_AUDITON_GETCAR; 2675 break; 2676 case A_GETSTAT: 2677 e = AUE_AUDITON_GETSTAT; 2678 break; 2679 case A_SETSTAT: 2680 e = AUE_AUDITON_SETSTAT; 2681 break; 2682 case A_SETUMASK: 2683 e = AUE_AUDITON_SETUMASK; 2684 break; 2685 case A_SETSMASK: 2686 e = AUE_AUDITON_SETSMASK; 2687 break; 2688 case A_GETCOND: 2689 e = AUE_AUDITON_GETCOND; 2690 break; 2691 case A_SETCOND: 2692 e = AUE_AUDITON_SETCOND; 2693 break; 2694 case A_GETCLASS: 2695 e = AUE_AUDITON_GETCLASS; 2696 break; 2697 case A_SETCLASS: 2698 e = AUE_AUDITON_SETCLASS; 2699 break; 2700 default: 2701 e = AUE_NULL; 2702 break; 2703 } 2704 break; 2705 default: 2706 e = AUE_NULL; 2707 break; 2708 } 2709 2710 return (e); 2711 2712 2713 2714 2715 } /* AUI_AUDITSYS */ 2716 2717 2718 2719 2720 2721 2722 2723 static void 2724 aus_auditsys(struct t_audit_data *tad) 2725 { 2726 klwp_t *clwp = ttolwp(curthread); 2727 uintptr_t a1, a2; 2728 struct file *fp; 2729 struct f_audit_data *fad; 2730 struct vnode *vp; 2731 STRUCT_DECL(auditinfo, ainfo); 2732 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2733 au_evclass_map_t event; 2734 au_mask_t mask; 2735 int auditstate, policy; 2736 2737 2738 struct a { 2739 long code; 2740 long a1; 2741 long a2; 2742 long a3; 2743 long a4; 2744 long a5; 2745 long a6; 2746 long a7; 2747 } *uap = (struct a *)clwp->lwp_ap; 2748 2749 a1 = (uintptr_t)uap->a1; 2750 a2 = (uintptr_t)uap->a2; 2751 2752 switch (tad->tad_event) { 2753 case AUE_SETAUID: 2754 au_uwrite(au_to_arg32(2, "setauid", (uint32_t)a1)); 2755 break; 2756 case AUE_SETAUDIT: 2757 STRUCT_INIT(ainfo, get_udatamodel()); 2758 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2759 STRUCT_SIZE(ainfo))) { 2760 return; 2761 } 2762 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2763 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2764 #ifdef _LP64 2765 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2766 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2767 #else 2768 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2769 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2770 #endif 2771 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2772 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2773 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2774 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2775 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2776 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2777 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2778 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2779 break; 2780 case AUE_SETAUDIT_ADDR: 2781 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2782 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2783 STRUCT_SIZE(ainfo_addr))) { 2784 return; 2785 } 2786 au_uwrite(au_to_arg32((char)1, "auid", 2787 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2788 #ifdef _LP64 2789 au_uwrite(au_to_arg64((char)1, "port", 2790 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2791 #else 2792 au_uwrite(au_to_arg32((char)1, "port", 2793 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2794 #endif 2795 au_uwrite(au_to_arg32((char)1, "type", 2796 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2797 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2798 AU_IPv4) { 2799 au_uwrite(au_to_in_addr( 2800 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2801 ai_termid.at_addr))); 2802 } else { 2803 au_uwrite(au_to_in_addr_ex( 2804 (int32_t *)STRUCT_FGETP(ainfo_addr, 2805 ai_termid.at_addr))); 2806 } 2807 au_uwrite(au_to_arg32((char)1, "as_success", 2808 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2809 au_uwrite(au_to_arg32((char)1, "as_failure", 2810 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2811 au_uwrite(au_to_arg32((char)1, "asid", 2812 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2813 break; 2814 case AUE_AUDITSVC: 2815 /* 2816 * convert file pointer to file descriptor 2817 * Note: fd ref count incremented here 2818 */ 2819 if ((fp = getf((uint_t)a1)) == NULL) 2820 return; 2821 fad = F2A(fp); 2822 if (fad->fad_aupath != NULL) { 2823 au_uwrite(au_to_path(fad->fad_aupath)); 2824 } else { 2825 au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1)); 2826 } 2827 2828 vp = fp->f_vnode; /* include vnode attributes */ 2829 audit_attributes(vp); 2830 2831 /* decrement file descriptor ref count */ 2832 releasef((uint_t)a1); 2833 2834 au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2)); 2835 break; 2836 case AUE_AUDITON_SETKMASK: 2837 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2838 return; 2839 au_uwrite(au_to_arg32( 2840 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2841 au_uwrite(au_to_arg32( 2842 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2843 break; 2844 case AUE_AUDITON_SPOLICY: 2845 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2846 return; 2847 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2848 break; 2849 case AUE_AUDITON_SQCTRL: { 2850 STRUCT_DECL(au_qctrl, qctrl); 2851 model_t model; 2852 2853 model = get_udatamodel(); 2854 STRUCT_INIT(qctrl, model); 2855 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2856 return; 2857 if (model == DATAMODEL_ILP32) { 2858 au_uwrite(au_to_arg32( 2859 3, "setqctrl:aq_hiwater", 2860 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2861 au_uwrite(au_to_arg32( 2862 3, "setqctrl:aq_lowater", 2863 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2864 au_uwrite(au_to_arg32( 2865 3, "setqctrl:aq_bufsz", 2866 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2867 au_uwrite(au_to_arg32( 2868 3, "setqctrl:aq_delay", 2869 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2870 } else { 2871 au_uwrite(au_to_arg64( 2872 3, "setqctrl:aq_hiwater", 2873 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2874 au_uwrite(au_to_arg64( 2875 3, "setqctrl:aq_lowater", 2876 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2877 au_uwrite(au_to_arg64( 2878 3, "setqctrl:aq_bufsz", 2879 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2880 au_uwrite(au_to_arg64( 2881 3, "setqctrl:aq_delay", 2882 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2883 } 2884 break; 2885 } 2886 case AUE_AUDITON_SETUMASK: 2887 STRUCT_INIT(ainfo, get_udatamodel()); 2888 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2889 STRUCT_SIZE(ainfo))) { 2890 return; 2891 } 2892 au_uwrite(au_to_arg32(3, "setumask:as_success", 2893 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2894 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2895 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2896 break; 2897 case AUE_AUDITON_SETSMASK: 2898 STRUCT_INIT(ainfo, get_udatamodel()); 2899 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2900 STRUCT_SIZE(ainfo))) { 2901 return; 2902 } 2903 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2904 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2905 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2906 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2907 break; 2908 case AUE_AUDITON_SETCOND: 2909 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2910 return; 2911 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2912 break; 2913 case AUE_AUDITON_SETCLASS: 2914 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2915 return; 2916 au_uwrite(au_to_arg32( 2917 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2918 au_uwrite(au_to_arg32( 2919 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2920 break; 2921 case AUE_GETAUID: 2922 case AUE_GETAUDIT: 2923 case AUE_GETAUDIT_ADDR: 2924 case AUE_AUDIT: 2925 case AUE_GETPORTAUDIT: 2926 case AUE_AUDITON_GPOLICY: 2927 case AUE_AUDITON_GQCTRL: 2928 case AUE_AUDITON_GETKMASK: 2929 case AUE_AUDITON_GETCWD: 2930 case AUE_AUDITON_GETCAR: 2931 case AUE_AUDITON_GETSTAT: 2932 case AUE_AUDITON_SETSTAT: 2933 case AUE_AUDITON_GETCOND: 2934 case AUE_AUDITON_GETCLASS: 2935 break; 2936 default: 2937 break; 2938 } 2939 2940 } /* AUS_AUDITSYS */ 2941 2942 2943 /* only audit privileged operations for systeminfo(2) system call */ 2944 static au_event_t 2945 aui_sysinfo(au_event_t e) 2946 { 2947 klwp_t *clwp = ttolwp(curthread); 2948 uint32_t command; 2949 2950 struct a { 2951 long command; 2952 long buf; /* char * */ 2953 long count; 2954 } *uap = (struct a *)clwp->lwp_ap; 2955 2956 command = (uint32_t)uap->command; 2957 2958 switch (command) { 2959 case SI_SET_HOSTNAME: 2960 case SI_SET_SRPC_DOMAIN: 2961 e = (au_event_t)AUE_SYSINFO; 2962 break; 2963 default: 2964 e = (au_event_t)AUE_NULL; 2965 break; 2966 } 2967 return (e); 2968 } 2969 2970 /*ARGSUSED*/ 2971 static void 2972 aus_sysinfo(struct t_audit_data *tad) 2973 { 2974 klwp_t *clwp = ttolwp(curthread); 2975 uint32_t command; 2976 size_t len, maxlen; 2977 char *name; 2978 uintptr_t buf; 2979 2980 struct a { 2981 long command; 2982 long buf; /* char * */ 2983 long count; 2984 } *uap = (struct a *)clwp->lwp_ap; 2985 2986 command = (uint32_t)uap->command; 2987 buf = (uintptr_t)uap->buf; 2988 2989 au_uwrite(au_to_arg32(1, "cmd", command)); 2990 2991 switch (command) { 2992 case SI_SET_HOSTNAME: 2993 { 2994 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2995 return; 2996 2997 maxlen = SYS_NMLN; 2998 name = kmem_alloc(maxlen, KM_SLEEP); 2999 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3000 break; 3001 3002 /* 3003 * Must be non-NULL string and string 3004 * must be less than SYS_NMLN chars. 3005 */ 3006 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3007 break; 3008 3009 au_uwrite(au_to_text(name)); 3010 break; 3011 } 3012 3013 case SI_SET_SRPC_DOMAIN: 3014 { 3015 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3016 return; 3017 3018 maxlen = SYS_NMLN; 3019 name = kmem_alloc(maxlen, KM_SLEEP); 3020 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3021 break; 3022 3023 /* 3024 * If string passed in is longer than length 3025 * allowed for domain name, fail. 3026 */ 3027 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3028 break; 3029 3030 au_uwrite(au_to_text(name)); 3031 break; 3032 } 3033 3034 default: 3035 return; 3036 } 3037 3038 kmem_free(name, maxlen); 3039 } 3040 3041 static au_event_t 3042 aui_modctl(au_event_t e) 3043 { 3044 klwp_t *clwp = ttolwp(curthread); 3045 uint_t cmd; 3046 3047 struct a { 3048 long cmd; 3049 } *uap = (struct a *)clwp->lwp_ap; 3050 3051 cmd = (uint_t)uap->cmd; 3052 3053 switch (cmd) { 3054 case MODLOAD: 3055 e = AUE_MODLOAD; 3056 break; 3057 case MODUNLOAD: 3058 e = AUE_MODUNLOAD; 3059 break; 3060 case MODADDMAJBIND: 3061 e = AUE_MODADDMAJ; 3062 break; 3063 case MODSETDEVPOLICY: 3064 e = AUE_MODDEVPLCY; 3065 break; 3066 case MODALLOCPRIV: 3067 e = AUE_MODADDPRIV; 3068 break; 3069 default: 3070 e = AUE_NULL; 3071 break; 3072 } 3073 return (e); 3074 } 3075 3076 3077 /*ARGSUSED*/ 3078 static void 3079 aus_modctl(struct t_audit_data *tad) 3080 { 3081 klwp_t *clwp = ttolwp(curthread); 3082 void *a = clwp->lwp_ap; 3083 uint_t use_path; 3084 3085 switch (tad->tad_event) { 3086 case AUE_MODLOAD: { 3087 typedef struct { 3088 long cmd; 3089 long use_path; 3090 long filename; /* char * */ 3091 } modloada_t; 3092 3093 char *filenamep; 3094 uintptr_t fname; 3095 extern char *default_path; 3096 3097 fname = (uintptr_t)((modloada_t *)a)->filename; 3098 use_path = (uint_t)((modloada_t *)a)->use_path; 3099 3100 /* space to hold path */ 3101 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3102 /* get string */ 3103 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3104 /* free allocated path */ 3105 kmem_free(filenamep, MOD_MAXPATH); 3106 return; 3107 } 3108 /* ensure it's null terminated */ 3109 filenamep[MOD_MAXPATH - 1] = 0; 3110 3111 if (use_path) 3112 au_uwrite(au_to_text(default_path)); 3113 au_uwrite(au_to_text(filenamep)); 3114 3115 /* release temporary memory */ 3116 kmem_free(filenamep, MOD_MAXPATH); 3117 break; 3118 } 3119 case AUE_MODUNLOAD: { 3120 typedef struct { 3121 long cmd; 3122 long id; 3123 } modunloada_t; 3124 3125 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3126 3127 au_uwrite(au_to_arg32(1, "id", id)); 3128 break; 3129 } 3130 case AUE_MODADDMAJ: { 3131 STRUCT_DECL(modconfig, mc); 3132 typedef struct { 3133 long cmd; 3134 long subcmd; 3135 long data; /* int * */ 3136 } modconfiga_t; 3137 3138 STRUCT_DECL(aliases, alias); 3139 caddr_t ap; 3140 int i, num_aliases; 3141 char *drvname, *mc_drvname; 3142 char *name; 3143 extern char *ddi_major_to_name(major_t); 3144 model_t model; 3145 3146 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3147 3148 model = get_udatamodel(); 3149 STRUCT_INIT(mc, model); 3150 /* sanitize buffer */ 3151 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3152 /* get user arguments */ 3153 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3154 STRUCT_SIZE(mc)) != 0) 3155 return; 3156 3157 mc_drvname = STRUCT_FGET(mc, drvname); 3158 if ((drvname = ddi_major_to_name( 3159 (major_t)STRUCT_FGET(mc, major))) != NULL && 3160 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3161 /* safety */ 3162 if (mc_drvname[0] != '\0') { 3163 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3164 au_uwrite(au_to_text(mc_drvname)); 3165 } 3166 /* drvname != NULL from test above */ 3167 au_uwrite(au_to_text(drvname)); 3168 return; 3169 } 3170 3171 if (mc_drvname[0] != '\0') { 3172 /* safety */ 3173 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3174 au_uwrite(au_to_text(mc_drvname)); 3175 } else 3176 au_uwrite(au_to_text("no drvname")); 3177 3178 num_aliases = STRUCT_FGET(mc, num_aliases); 3179 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3180 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3181 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3182 STRUCT_INIT(alias, model); 3183 for (i = 0; i < num_aliases; i++) { 3184 bzero((caddr_t)STRUCT_BUF(alias), 3185 STRUCT_SIZE(alias)); 3186 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3187 STRUCT_SIZE(alias)) != 0) 3188 break; 3189 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3190 MAXMODCONFNAME, NULL) != 0) { 3191 break; 3192 } 3193 3194 au_uwrite(au_to_text(name)); 3195 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3196 } 3197 kmem_free(name, MAXMODCONFNAME); 3198 break; 3199 } 3200 default: 3201 break; 3202 } 3203 } 3204 3205 /* 3206 * private version of getsonode that does not do eprintsoline() 3207 */ 3208 static struct sonode * 3209 au_getsonode(int sock, int *errorp, file_t **fpp) 3210 { 3211 file_t *fp; 3212 register vnode_t *vp; 3213 struct sonode *so; 3214 3215 if ((fp = getf(sock)) == NULL) { 3216 *errorp = EBADF; 3217 return (NULL); 3218 } 3219 vp = fp->f_vnode; 3220 /* Check if it is a socket */ 3221 if (vp->v_type != VSOCK) { 3222 releasef(sock); 3223 *errorp = ENOTSOCK; 3224 return (NULL); 3225 } 3226 /* 3227 * Use the stream head to find the real socket vnode. 3228 * This is needed when namefs sits above sockfs. 3229 */ 3230 ASSERT(vp->v_stream); 3231 ASSERT(vp->v_stream->sd_vnode); 3232 vp = vp->v_stream->sd_vnode; 3233 so = VTOSO(vp); 3234 if (so->so_version == SOV_STREAM) { 3235 releasef(sock); 3236 *errorp = ENOTSOCK; 3237 return (NULL); 3238 } 3239 if (fpp) 3240 *fpp = fp; 3241 return (so); 3242 } 3243 3244 /*ARGSUSED*/ 3245 static void 3246 auf_accept( 3247 struct t_audit_data *tad, 3248 int error, 3249 rval_t *rval) 3250 { 3251 uint32_t scid; 3252 uint32_t sy_flags; 3253 int fd; 3254 struct sonode *so; 3255 char so_laddr[sizeof (struct sockaddr_in6)]; 3256 char so_faddr[sizeof (struct sockaddr_in6)]; 3257 int err; 3258 int len; 3259 short so_family, so_type; 3260 int add_sock_token = 0; 3261 3262 /* need to determine type of executing binary */ 3263 scid = tad->tad_scid; 3264 #ifdef _SYSCALL32_IMPL 3265 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3266 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3267 else 3268 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3269 #else 3270 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3271 #endif 3272 if (sy_flags == SE_32RVAL1) 3273 fd = rval->r_val1; 3274 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3275 fd = rval->r_val1; 3276 if (sy_flags == SE_64RVAL) 3277 fd = (int)rval->r_vals; 3278 3279 if (error) { 3280 /* can't trust socket contents. Just return */ 3281 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3282 return; 3283 } 3284 3285 if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) { 3286 /* 3287 * not security relevant if doing a accept from non socket 3288 * so no extra tokens. Should probably turn off audit record 3289 * generation here. 3290 */ 3291 return; 3292 } 3293 3294 so_family = so->so_family; 3295 so_type = so->so_type; 3296 3297 switch (so_family) { 3298 case AF_INET: 3299 case AF_INET6: 3300 /* 3301 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3302 */ 3303 if (so->so_type == SOCK_STREAM) { 3304 3305 bzero((void *)so_laddr, sizeof (so_laddr)); 3306 bzero((void *)so_faddr, sizeof (so_faddr)); 3307 3308 /* 3309 * no local address then need to get it from lower 3310 * levels. only put out record on first read ala 3311 * AUE_WRITE. 3312 */ 3313 if (so->so_state & SS_ISBOUND) { 3314 /* only done once on a connection */ 3315 (void) SOP_GETSOCKNAME(so); 3316 (void) SOP_GETPEERNAME(so); 3317 3318 /* get local and foreign addresses */ 3319 mutex_enter(&so->so_lock); 3320 len = min(so->so_laddr_len, sizeof (so_laddr)); 3321 bcopy(so->so_laddr_sa, so_laddr, len); 3322 len = min(so->so_faddr_len, sizeof (so_faddr)); 3323 bcopy(so->so_faddr_sa, so_faddr, len); 3324 mutex_exit(&so->so_lock); 3325 } 3326 3327 add_sock_token = 1; 3328 } 3329 break; 3330 3331 default: 3332 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3333 break; 3334 } 3335 3336 releasef(fd); 3337 3338 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3339 3340 if (add_sock_token == 0) { 3341 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3342 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3343 return; 3344 } 3345 3346 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3347 3348 } 3349 3350 /*ARGSUSED*/ 3351 static void 3352 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3353 { 3354 struct a { 3355 long fd; 3356 long addr; 3357 long len; 3358 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3359 3360 struct sonode *so; 3361 char so_laddr[sizeof (struct sockaddr_in6)]; 3362 char so_faddr[sizeof (struct sockaddr_in6)]; 3363 int err, fd; 3364 int len; 3365 short so_family, so_type; 3366 int add_sock_token = 0; 3367 3368 fd = (int)uap->fd; 3369 3370 /* 3371 * bind failed, then nothing extra to add to audit record. 3372 */ 3373 if (error) { 3374 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3375 /* XXX may want to add failed address some day */ 3376 return; 3377 } 3378 3379 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3380 /* 3381 * not security relevant if doing a bind from non socket 3382 * so no extra tokens. Should probably turn off audit record 3383 * generation here. 3384 */ 3385 return; 3386 } 3387 3388 so_family = so->so_family; 3389 so_type = so->so_type; 3390 3391 switch (so_family) { 3392 case AF_INET: 3393 case AF_INET6: 3394 3395 bzero(so_faddr, sizeof (so_faddr)); 3396 3397 if (so->so_state & SS_ISBOUND) { 3398 /* only done once on a connection */ 3399 (void) SOP_GETSOCKNAME(so); 3400 } 3401 3402 mutex_enter(&so->so_lock); 3403 len = min(so->so_laddr_len, sizeof (so_laddr)); 3404 bcopy(so->so_laddr_sa, so_laddr, len); 3405 mutex_exit(&so->so_lock); 3406 3407 add_sock_token = 1; 3408 3409 break; 3410 3411 case AF_UNIX: 3412 /* token added by lookup */ 3413 break; 3414 default: 3415 /* AF_ROUTE, AF_KEY do not support accept */ 3416 break; 3417 } 3418 3419 releasef(fd); 3420 3421 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3422 3423 if (add_sock_token == 0) { 3424 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3425 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3426 return; 3427 } 3428 3429 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3430 3431 } 3432 3433 /*ARGSUSED*/ 3434 static void 3435 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3436 { 3437 struct a { 3438 long fd; 3439 long addr; 3440 long len; 3441 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3442 3443 struct sonode *so; 3444 char so_laddr[sizeof (struct sockaddr_in6)]; 3445 char so_faddr[sizeof (struct sockaddr_in6)]; 3446 int err, fd; 3447 int len; 3448 short so_family, so_type; 3449 int add_sock_token = 0; 3450 3451 fd = (int)uap->fd; 3452 3453 3454 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3455 /* 3456 * not security relevant if doing a connect from non socket 3457 * so no extra tokens. Should probably turn off audit record 3458 * generation here. 3459 */ 3460 return; 3461 } 3462 3463 so_family = so->so_family; 3464 so_type = so->so_type; 3465 3466 switch (so_family) { 3467 case AF_INET: 3468 case AF_INET6: 3469 /* 3470 * no local address then need to get it from lower 3471 * levels. 3472 */ 3473 if (so->so_state & SS_ISBOUND) { 3474 /* only done once on a connection */ 3475 (void) SOP_GETSOCKNAME(so); 3476 (void) SOP_GETPEERNAME(so); 3477 } 3478 3479 bzero(so_laddr, sizeof (so_laddr)); 3480 bzero(so_faddr, sizeof (so_faddr)); 3481 3482 mutex_enter(&so->so_lock); 3483 len = min(so->so_laddr_len, sizeof (so_laddr)); 3484 bcopy(so->so_laddr_sa, so_laddr, len); 3485 if (error) { 3486 mutex_exit(&so->so_lock); 3487 if (uap->addr == NULL) 3488 break; 3489 if (uap->len <= 0) 3490 break; 3491 len = min(uap->len, sizeof (so_faddr)); 3492 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3493 break; 3494 #ifdef NOTYET 3495 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3496 #endif 3497 } else { 3498 /* sanity check on length */ 3499 len = min(so->so_faddr_len, sizeof (so_faddr)); 3500 bcopy(so->so_faddr_sa, so_faddr, len); 3501 mutex_exit(&so->so_lock); 3502 } 3503 3504 add_sock_token = 1; 3505 3506 break; 3507 3508 case AF_UNIX: 3509 /* does a lookup on name */ 3510 break; 3511 3512 default: 3513 /* AF_ROUTE, AF_KEY do not support accept */ 3514 break; 3515 } 3516 3517 releasef(fd); 3518 3519 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3520 3521 if (add_sock_token == 0) { 3522 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3523 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3524 return; 3525 } 3526 3527 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3528 3529 } 3530 3531 /*ARGSUSED*/ 3532 static void 3533 aus_shutdown(struct t_audit_data *tad) 3534 { 3535 struct a { 3536 long fd; 3537 long how; 3538 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3539 3540 struct sonode *so; 3541 char so_laddr[sizeof (struct sockaddr_in6)]; 3542 char so_faddr[sizeof (struct sockaddr_in6)]; 3543 int err, fd; 3544 int len; 3545 short so_family, so_type; 3546 int add_sock_token = 0; 3547 file_t *fp; /* unix domain sockets */ 3548 struct f_audit_data *fad; /* unix domain sockets */ 3549 3550 fd = (int)uap->fd; 3551 3552 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3553 /* 3554 * not security relevant if doing a shutdown using non socket 3555 * so no extra tokens. Should probably turn off audit record 3556 * generation here. 3557 */ 3558 return; 3559 } 3560 3561 so_family = so->so_family; 3562 so_type = so->so_type; 3563 3564 switch (so_family) { 3565 case AF_INET: 3566 case AF_INET6: 3567 3568 bzero(so_laddr, sizeof (so_laddr)); 3569 bzero(so_faddr, sizeof (so_faddr)); 3570 3571 if (so->so_state & SS_ISBOUND) { 3572 /* 3573 * no local address then need to get it from lower 3574 * levels. 3575 */ 3576 if (so->so_laddr_len == 0) 3577 (void) SOP_GETSOCKNAME(so); 3578 if (so->so_faddr_len == 0) 3579 (void) SOP_GETPEERNAME(so); 3580 } 3581 3582 mutex_enter(&so->so_lock); 3583 len = min(so->so_laddr_len, sizeof (so_laddr)); 3584 bcopy(so->so_laddr_sa, so_laddr, len); 3585 len = min(so->so_faddr_len, sizeof (so_faddr)); 3586 bcopy(so->so_faddr_sa, so_faddr, len); 3587 mutex_exit(&so->so_lock); 3588 3589 add_sock_token = 1; 3590 3591 break; 3592 3593 case AF_UNIX: 3594 3595 /* get path from file struct here */ 3596 fad = F2A(fp); 3597 ASSERT(fad); 3598 3599 if (fad->fad_aupath != NULL) { 3600 au_uwrite(au_to_path(fad->fad_aupath)); 3601 } else { 3602 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3603 } 3604 3605 audit_attributes(fp->f_vnode); 3606 3607 break; 3608 3609 default: 3610 /* 3611 * AF_KEY and AF_ROUTE support shutdown. No socket token 3612 * added. 3613 */ 3614 break; 3615 } 3616 3617 releasef(fd); 3618 3619 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3620 3621 if (add_sock_token == 0) { 3622 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3623 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3624 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3625 return; 3626 } 3627 3628 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3629 3630 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3631 3632 } 3633 3634 /*ARGSUSED*/ 3635 static void 3636 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3637 { 3638 struct a { 3639 long fd; 3640 long level; 3641 long optname; 3642 long *optval; 3643 long optlen; 3644 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3645 3646 struct sonode *so; 3647 char so_laddr[sizeof (struct sockaddr_in6)]; 3648 char so_faddr[sizeof (struct sockaddr_in6)]; 3649 char val[AU_BUFSIZE]; 3650 int err, fd; 3651 int len; 3652 short so_family, so_type; 3653 int add_sock_token = 0; 3654 file_t *fp; /* unix domain sockets */ 3655 struct f_audit_data *fad; /* unix domain sockets */ 3656 3657 fd = (int)uap->fd; 3658 3659 if (error) { 3660 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3661 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3662 /* XXX may want to include other arguments */ 3663 return; 3664 } 3665 3666 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3667 /* 3668 * not security relevant if doing a setsockopt from non socket 3669 * so no extra tokens. Should probably turn off audit record 3670 * generation here. 3671 */ 3672 return; 3673 } 3674 3675 so_family = so->so_family; 3676 so_type = so->so_type; 3677 3678 switch (so_family) { 3679 case AF_INET: 3680 case AF_INET6: 3681 3682 bzero((void *)so_laddr, sizeof (so_laddr)); 3683 bzero((void *)so_faddr, sizeof (so_faddr)); 3684 3685 if (so->so_state & SS_ISBOUND) { 3686 if (so->so_laddr_len == 0) 3687 (void) SOP_GETSOCKNAME(so); 3688 if (so->so_faddr_len == 0) 3689 (void) SOP_GETPEERNAME(so); 3690 } 3691 3692 /* get local and foreign addresses */ 3693 mutex_enter(&so->so_lock); 3694 len = min(so->so_laddr_len, sizeof (so_laddr)); 3695 bcopy(so->so_laddr_sa, so_laddr, len); 3696 len = min(so->so_faddr_len, sizeof (so_faddr)); 3697 bcopy(so->so_faddr_sa, so_faddr, len); 3698 mutex_exit(&so->so_lock); 3699 3700 add_sock_token = 1; 3701 3702 break; 3703 3704 case AF_UNIX: 3705 3706 /* get path from file struct here */ 3707 fad = F2A(fp); 3708 ASSERT(fad); 3709 3710 if (fad->fad_aupath != NULL) { 3711 au_uwrite(au_to_path(fad->fad_aupath)); 3712 } else { 3713 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3714 } 3715 3716 audit_attributes(fp->f_vnode); 3717 3718 break; 3719 3720 default: 3721 /* 3722 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3723 * added. 3724 */ 3725 break; 3726 } 3727 3728 releasef(fd); 3729 3730 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3731 3732 if (add_sock_token == 0) { 3733 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3734 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3735 } 3736 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3737 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3738 3739 bzero(val, sizeof (val)); 3740 len = min(uap->optlen, sizeof (val)); 3741 if ((len > 0) && 3742 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3743 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3744 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3745 } 3746 3747 if (add_sock_token == 0) 3748 return; 3749 3750 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3751 3752 } 3753 3754 /*ARGSUSED*/ 3755 static void 3756 aus_sockconfig(tad) 3757 struct t_audit_data *tad; 3758 { 3759 struct a { 3760 long domain; 3761 long type; 3762 long protocol; 3763 long devpath; 3764 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3765 3766 char *kdevpath; 3767 int kdevpathlen = MAXPATHLEN + 1; 3768 size_t size; 3769 3770 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3771 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3772 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3773 3774 if (uap->devpath == 0) { 3775 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3776 } else { 3777 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3778 3779 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3780 &size)) { 3781 kmem_free(kdevpath, kdevpathlen); 3782 return; 3783 } 3784 3785 if (size > MAXPATHLEN) { 3786 kmem_free(kdevpath, kdevpathlen); 3787 return; 3788 } 3789 3790 au_uwrite(au_to_text(kdevpath)); 3791 kmem_free(kdevpath, kdevpathlen); 3792 } 3793 } 3794 3795 /* 3796 * only audit recvmsg when the system call represents the creation of a new 3797 * circuit. This effectively occurs for all UDP packets and may occur for 3798 * special TCP situations where the local host has not set a local address 3799 * in the socket structure. 3800 */ 3801 /*ARGSUSED*/ 3802 static void 3803 auf_recvmsg( 3804 struct t_audit_data *tad, 3805 int error, 3806 rval_t *rvp) 3807 { 3808 struct a { 3809 long fd; 3810 long msg; /* struct msghdr */ 3811 long flags; 3812 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3813 3814 struct sonode *so; 3815 STRUCT_DECL(msghdr, msg); 3816 caddr_t msg_name; 3817 socklen_t msg_namelen; 3818 int fd; 3819 int err; 3820 char so_laddr[sizeof (struct sockaddr_in6)]; 3821 char so_faddr[sizeof (struct sockaddr_in6)]; 3822 int len; 3823 file_t *fp; /* unix domain sockets */ 3824 struct f_audit_data *fad; /* unix domain sockets */ 3825 short so_family, so_type; 3826 int add_sock_token = 0; 3827 au_kcontext_t *kctx = SET_KCTX_PZ; 3828 3829 fd = (int)uap->fd; 3830 3831 /* bail if an error */ 3832 if (error) { 3833 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3834 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3835 return; 3836 } 3837 3838 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3839 /* 3840 * not security relevant if doing a recvmsg from non socket 3841 * so no extra tokens. Should probably turn off audit record 3842 * generation here. 3843 */ 3844 return; 3845 } 3846 3847 so_family = so->so_family; 3848 so_type = so->so_type; 3849 3850 /* 3851 * only putout SOCKET_EX token if INET/INET6 family. 3852 * XXX - what do we do about other families? 3853 */ 3854 3855 switch (so_family) { 3856 case AF_INET: 3857 case AF_INET6: 3858 3859 /* 3860 * if datagram type socket, then just use what is in 3861 * socket structure for local address. 3862 * XXX - what do we do for other types? 3863 */ 3864 if ((so->so_type == SOCK_DGRAM) || 3865 (so->so_type == SOCK_RAW)) { 3866 add_sock_token = 1; 3867 3868 bzero((void *)so_laddr, sizeof (so_laddr)); 3869 bzero((void *)so_faddr, sizeof (so_faddr)); 3870 3871 /* get local address */ 3872 mutex_enter(&so->so_lock); 3873 len = min(so->so_laddr_len, sizeof (so_laddr)); 3874 bcopy(so->so_laddr_sa, so_laddr, len); 3875 mutex_exit(&so->so_lock); 3876 3877 /* get peer address */ 3878 STRUCT_INIT(msg, get_udatamodel()); 3879 3880 if (copyin((caddr_t)(uap->msg), 3881 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3882 break; 3883 } 3884 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3885 if (msg_name == NULL) { 3886 break; 3887 } 3888 3889 /* length is value from recvmsg - sanity check */ 3890 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3891 if (msg_namelen == 0) { 3892 break; 3893 } 3894 if (copyin(msg_name, so_faddr, 3895 sizeof (so_faddr)) != 0) { 3896 break; 3897 } 3898 3899 } else if (so->so_type == SOCK_STREAM) { 3900 3901 /* get path from file struct here */ 3902 fad = F2A(fp); 3903 ASSERT(fad); 3904 3905 /* 3906 * already processed this file for read attempt 3907 */ 3908 if (fad->fad_flags & FAD_READ) { 3909 /* don't want to audit every recvmsg attempt */ 3910 tad->tad_flag = 0; 3911 /* free any residual audit data */ 3912 au_close(kctx, &(u_ad), 0, 0, 0); 3913 releasef(fd); 3914 return; 3915 } 3916 /* 3917 * mark things so we know what happened and don't 3918 * repeat things 3919 */ 3920 fad->fad_flags |= FAD_READ; 3921 3922 bzero((void *)so_laddr, sizeof (so_laddr)); 3923 bzero((void *)so_faddr, sizeof (so_faddr)); 3924 3925 if (so->so_state & SS_ISBOUND) { 3926 3927 if (so->so_laddr_len == 0) 3928 (void) SOP_GETSOCKNAME(so); 3929 if (so->so_faddr_len == 0) 3930 (void) SOP_GETPEERNAME(so); 3931 3932 /* get local and foreign addresses */ 3933 mutex_enter(&so->so_lock); 3934 len = min(so->so_laddr_len, sizeof (so_laddr)); 3935 bcopy(so->so_laddr_sa, so_laddr, len); 3936 len = min(so->so_faddr_len, sizeof (so_faddr)); 3937 bcopy(so->so_faddr_sa, so_faddr, len); 3938 mutex_exit(&so->so_lock); 3939 } 3940 3941 add_sock_token = 1; 3942 } 3943 3944 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3945 3946 break; 3947 3948 case AF_UNIX: 3949 /* 3950 * first check if this is first time through. Too much 3951 * duplicate code to put this in an aui_ routine. 3952 */ 3953 3954 /* get path from file struct here */ 3955 fad = F2A(fp); 3956 ASSERT(fad); 3957 3958 /* 3959 * already processed this file for read attempt 3960 */ 3961 if (fad->fad_flags & FAD_READ) { 3962 releasef(fd); 3963 /* don't want to audit every recvmsg attempt */ 3964 tad->tad_flag = 0; 3965 /* free any residual audit data */ 3966 au_close(kctx, &(u_ad), 0, 0, 0); 3967 return; 3968 } 3969 /* 3970 * mark things so we know what happened and don't 3971 * repeat things 3972 */ 3973 fad->fad_flags |= FAD_READ; 3974 3975 if (fad->fad_aupath != NULL) { 3976 au_uwrite(au_to_path(fad->fad_aupath)); 3977 } else { 3978 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3979 } 3980 3981 audit_attributes(fp->f_vnode); 3982 3983 releasef(fd); 3984 3985 return; 3986 3987 default: 3988 break; 3989 3990 } 3991 3992 releasef(fd); 3993 3994 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3995 3996 if (add_sock_token == 0) { 3997 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 3998 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 3999 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4000 return; 4001 } 4002 4003 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4004 4005 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4006 4007 } 4008 4009 /*ARGSUSED*/ 4010 static void 4011 auf_recvfrom( 4012 struct t_audit_data *tad, 4013 int error, 4014 rval_t *rvp) 4015 { 4016 4017 struct a { 4018 long fd; 4019 long msg; /* char */ 4020 long len; 4021 long flags; 4022 long from; /* struct sockaddr */ 4023 long fromlen; 4024 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4025 4026 socklen_t fromlen; 4027 struct sonode *so; 4028 char so_laddr[sizeof (struct sockaddr_in6)]; 4029 char so_faddr[sizeof (struct sockaddr_in6)]; 4030 int fd; 4031 short so_family, so_type; 4032 int add_sock_token = 0; 4033 int len; 4034 int err; 4035 struct file *fp; 4036 struct f_audit_data *fad; /* unix domain sockets */ 4037 au_kcontext_t *kctx = SET_KCTX_PZ; 4038 4039 fd = (int)uap->fd; 4040 4041 /* bail if an error */ 4042 if (error) { 4043 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4044 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4045 return; 4046 } 4047 4048 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4049 /* 4050 * not security relevant if doing a recvmsg from non socket 4051 * so no extra tokens. Should probably turn off audit record 4052 * generation here. 4053 */ 4054 return; 4055 } 4056 4057 so_family = so->so_family; 4058 so_type = so->so_type; 4059 4060 /* 4061 * only putout SOCKET_EX token if INET/INET6 family. 4062 * XXX - what do we do about other families? 4063 */ 4064 4065 switch (so_family) { 4066 case AF_INET: 4067 case AF_INET6: 4068 4069 /* 4070 * if datagram type socket, then just use what is in 4071 * socket structure for local address. 4072 * XXX - what do we do for other types? 4073 */ 4074 if ((so->so_type == SOCK_DGRAM) || 4075 (so->so_type == SOCK_RAW)) { 4076 add_sock_token = 1; 4077 4078 /* get local address */ 4079 mutex_enter(&so->so_lock); 4080 len = min(so->so_laddr_len, sizeof (so_laddr)); 4081 bcopy(so->so_laddr_sa, so_laddr, len); 4082 mutex_exit(&so->so_lock); 4083 4084 /* get peer address */ 4085 bzero((void *)so_faddr, sizeof (so_faddr)); 4086 4087 /* sanity check */ 4088 if (uap->from == NULL) 4089 break; 4090 4091 /* sanity checks */ 4092 if (uap->fromlen == 0) 4093 break; 4094 4095 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4096 sizeof (fromlen)) != 0) 4097 break; 4098 4099 if (fromlen == 0) 4100 break; 4101 4102 /* enforce maximum size */ 4103 if (fromlen > sizeof (so_faddr)) 4104 fromlen = sizeof (so_faddr); 4105 4106 if (copyin((caddr_t)(uap->from), so_faddr, 4107 fromlen) != 0) 4108 break; 4109 4110 } else if (so->so_type == SOCK_STREAM) { 4111 4112 /* get path from file struct here */ 4113 fad = F2A(fp); 4114 ASSERT(fad); 4115 4116 /* 4117 * already processed this file for read attempt 4118 */ 4119 if (fad->fad_flags & FAD_READ) { 4120 /* don't want to audit every recvfrom attempt */ 4121 tad->tad_flag = 0; 4122 /* free any residual audit data */ 4123 au_close(kctx, &(u_ad), 0, 0, 0); 4124 releasef(fd); 4125 return; 4126 } 4127 /* 4128 * mark things so we know what happened and don't 4129 * repeat things 4130 */ 4131 fad->fad_flags |= FAD_READ; 4132 4133 bzero((void *)so_laddr, sizeof (so_laddr)); 4134 bzero((void *)so_faddr, sizeof (so_faddr)); 4135 4136 if (so->so_state & SS_ISBOUND) { 4137 4138 if (so->so_laddr_len == 0) 4139 (void) SOP_GETSOCKNAME(so); 4140 if (so->so_faddr_len == 0) 4141 (void) SOP_GETPEERNAME(so); 4142 4143 /* get local and foreign addresses */ 4144 mutex_enter(&so->so_lock); 4145 len = min(so->so_laddr_len, sizeof (so_laddr)); 4146 bcopy(so->so_laddr_sa, so_laddr, len); 4147 len = min(so->so_faddr_len, sizeof (so_faddr)); 4148 bcopy(so->so_faddr_sa, so_faddr, len); 4149 mutex_exit(&so->so_lock); 4150 } 4151 4152 add_sock_token = 1; 4153 } 4154 4155 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4156 4157 break; 4158 4159 case AF_UNIX: 4160 /* 4161 * first check if this is first time through. Too much 4162 * duplicate code to put this in an aui_ routine. 4163 */ 4164 4165 /* get path from file struct here */ 4166 fad = F2A(fp); 4167 ASSERT(fad); 4168 4169 /* 4170 * already processed this file for read attempt 4171 */ 4172 if (fad->fad_flags & FAD_READ) { 4173 /* don't want to audit every recvfrom attempt */ 4174 tad->tad_flag = 0; 4175 /* free any residual audit data */ 4176 au_close(kctx, &(u_ad), 0, 0, 0); 4177 releasef(fd); 4178 return; 4179 } 4180 /* 4181 * mark things so we know what happened and don't 4182 * repeat things 4183 */ 4184 fad->fad_flags |= FAD_READ; 4185 4186 if (fad->fad_aupath != NULL) { 4187 au_uwrite(au_to_path(fad->fad_aupath)); 4188 } else { 4189 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4190 } 4191 4192 audit_attributes(fp->f_vnode); 4193 4194 releasef(fd); 4195 4196 return; 4197 4198 default: 4199 break; 4200 4201 } 4202 4203 releasef(fd); 4204 4205 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4206 4207 if (add_sock_token == 0) { 4208 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4209 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4210 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4211 return; 4212 } 4213 4214 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4215 4216 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4217 } 4218 4219 /*ARGSUSED*/ 4220 static void 4221 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4222 { 4223 struct a { 4224 long fd; 4225 long msg; /* struct msghdr */ 4226 long flags; 4227 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4228 4229 struct sonode *so; 4230 char so_laddr[sizeof (struct sockaddr_in6)]; 4231 char so_faddr[sizeof (struct sockaddr_in6)]; 4232 int err; 4233 int fd; 4234 short so_family, so_type; 4235 int add_sock_token = 0; 4236 int len; 4237 struct file *fp; 4238 struct f_audit_data *fad; 4239 caddr_t msg_name; 4240 socklen_t msg_namelen; 4241 STRUCT_DECL(msghdr, msg); 4242 au_kcontext_t *kctx = SET_KCTX_PZ; 4243 4244 fd = (int)uap->fd; 4245 4246 /* bail if an error */ 4247 if (error) { 4248 /* XXX include destination address from system call arguments */ 4249 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4250 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4251 return; 4252 } 4253 4254 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4255 /* 4256 * not security relevant if doing a sendmsg from non socket 4257 * so no extra tokens. Should probably turn off audit record 4258 * generation here. 4259 */ 4260 return; 4261 } 4262 4263 so_family = so->so_family; 4264 so_type = so->so_type; 4265 4266 switch (so_family) { 4267 case AF_INET: 4268 case AF_INET6: 4269 /* 4270 * if datagram type socket, then just use what is in 4271 * socket structure for local address. 4272 * XXX - what do we do for other types? 4273 */ 4274 if ((so->so_type == SOCK_DGRAM) || 4275 (so->so_type == SOCK_RAW)) { 4276 4277 bzero((void *)so_laddr, sizeof (so_laddr)); 4278 bzero((void *)so_faddr, sizeof (so_faddr)); 4279 4280 /* get local address */ 4281 mutex_enter(&so->so_lock); 4282 len = min(so->so_laddr_len, sizeof (so_laddr)); 4283 bcopy(so->so_laddr_sa, so_laddr, len); 4284 mutex_exit(&so->so_lock); 4285 4286 /* get peer address */ 4287 STRUCT_INIT(msg, get_udatamodel()); 4288 4289 if (copyin((caddr_t)(uap->msg), 4290 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4291 break; 4292 } 4293 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4294 if (msg_name == NULL) 4295 break; 4296 4297 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4298 /* length is value from recvmsg - sanity check */ 4299 if (msg_namelen == 0) 4300 break; 4301 4302 if (copyin(msg_name, so_faddr, 4303 sizeof (so_faddr)) != 0) 4304 break; 4305 4306 add_sock_token = 1; 4307 4308 } else if (so->so_type == SOCK_STREAM) { 4309 4310 /* get path from file struct here */ 4311 fad = F2A(fp); 4312 ASSERT(fad); 4313 4314 /* 4315 * already processed this file for write attempt 4316 */ 4317 if (fad->fad_flags & FAD_WRITE) { 4318 releasef(fd); 4319 /* don't want to audit every sendmsg attempt */ 4320 tad->tad_flag = 0; 4321 /* free any residual audit data */ 4322 au_close(kctx, &(u_ad), 0, 0, 0); 4323 return; 4324 } 4325 4326 /* 4327 * mark things so we know what happened and don't 4328 * repeat things 4329 */ 4330 fad->fad_flags |= FAD_WRITE; 4331 4332 bzero((void *)so_laddr, sizeof (so_laddr)); 4333 bzero((void *)so_faddr, sizeof (so_faddr)); 4334 4335 if (so->so_state & SS_ISBOUND) { 4336 4337 if (so->so_laddr_len == 0) 4338 (void) SOP_GETSOCKNAME(so); 4339 if (so->so_faddr_len == 0) 4340 (void) SOP_GETPEERNAME(so); 4341 4342 /* get local and foreign addresses */ 4343 mutex_enter(&so->so_lock); 4344 len = min(so->so_laddr_len, sizeof (so_laddr)); 4345 bcopy(so->so_laddr_sa, so_laddr, len); 4346 len = min(so->so_faddr_len, sizeof (so_faddr)); 4347 bcopy(so->so_faddr_sa, so_faddr, len); 4348 mutex_exit(&so->so_lock); 4349 } 4350 4351 add_sock_token = 1; 4352 } 4353 4354 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4355 4356 break; 4357 4358 case AF_UNIX: 4359 /* 4360 * first check if this is first time through. Too much 4361 * duplicate code to put this in an aui_ routine. 4362 */ 4363 4364 /* get path from file struct here */ 4365 fad = F2A(fp); 4366 ASSERT(fad); 4367 4368 /* 4369 * already processed this file for write attempt 4370 */ 4371 if (fad->fad_flags & FAD_WRITE) { 4372 releasef(fd); 4373 /* don't want to audit every sendmsg attempt */ 4374 tad->tad_flag = 0; 4375 /* free any residual audit data */ 4376 au_close(kctx, &(u_ad), 0, 0, 0); 4377 return; 4378 } 4379 /* 4380 * mark things so we know what happened and don't 4381 * repeat things 4382 */ 4383 fad->fad_flags |= FAD_WRITE; 4384 4385 if (fad->fad_aupath != NULL) { 4386 au_uwrite(au_to_path(fad->fad_aupath)); 4387 } else { 4388 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4389 } 4390 4391 audit_attributes(fp->f_vnode); 4392 4393 releasef(fd); 4394 4395 return; 4396 4397 default: 4398 break; 4399 } 4400 4401 releasef(fd); 4402 4403 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4404 4405 if (add_sock_token == 0) { 4406 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4407 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4408 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4409 return; 4410 } 4411 4412 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4413 4414 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4415 } 4416 4417 /*ARGSUSED*/ 4418 static void 4419 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4420 { 4421 struct a { 4422 long fd; 4423 long msg; /* char */ 4424 long len; 4425 long flags; 4426 long to; /* struct sockaddr */ 4427 long tolen; 4428 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4429 4430 struct sonode *so; 4431 char so_laddr[sizeof (struct sockaddr_in6)]; 4432 char so_faddr[sizeof (struct sockaddr_in6)]; 4433 socklen_t tolen; 4434 int err; 4435 int fd; 4436 int len; 4437 short so_family, so_type; 4438 int add_sock_token = 0; 4439 struct file *fp; 4440 struct f_audit_data *fad; 4441 au_kcontext_t *kctx = SET_KCTX_PZ; 4442 4443 fd = (int)uap->fd; 4444 4445 /* bail if an error */ 4446 if (error) { 4447 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4448 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4449 /* XXX include destination address from system call arguments */ 4450 return; 4451 } 4452 4453 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4454 /* 4455 * not security relevant if doing a sendto using non socket 4456 * so no extra tokens. Should probably turn off audit record 4457 * generation here. 4458 */ 4459 return; 4460 } 4461 4462 so_family = so->so_family; 4463 so_type = so->so_type; 4464 4465 /* 4466 * only putout SOCKET_EX token if INET/INET6 family. 4467 * XXX - what do we do about other families? 4468 */ 4469 4470 switch (so_family) { 4471 case AF_INET: 4472 case AF_INET6: 4473 4474 /* 4475 * if datagram type socket, then just use what is in 4476 * socket structure for local address. 4477 * XXX - what do we do for other types? 4478 */ 4479 if ((so->so_type == SOCK_DGRAM) || 4480 (so->so_type == SOCK_RAW)) { 4481 4482 bzero((void *)so_laddr, sizeof (so_laddr)); 4483 bzero((void *)so_faddr, sizeof (so_faddr)); 4484 4485 /* get local address */ 4486 mutex_enter(&so->so_lock); 4487 len = min(so->so_laddr_len, sizeof (so_laddr)); 4488 bcopy(so->so_laddr_sa, so_laddr, len); 4489 mutex_exit(&so->so_lock); 4490 4491 /* get peer address */ 4492 4493 /* sanity check */ 4494 if (uap->to == NULL) 4495 break; 4496 4497 /* sanity checks */ 4498 if (uap->tolen == 0) 4499 break; 4500 4501 tolen = (socklen_t)uap->tolen; 4502 4503 /* enforce maximum size */ 4504 if (tolen > sizeof (so_faddr)) 4505 tolen = sizeof (so_faddr); 4506 4507 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4508 break; 4509 4510 add_sock_token = 1; 4511 } else { 4512 /* 4513 * check if this is first time through. 4514 */ 4515 4516 /* get path from file struct here */ 4517 fad = F2A(fp); 4518 ASSERT(fad); 4519 4520 /* 4521 * already processed this file for write attempt 4522 */ 4523 if (fad->fad_flags & FAD_WRITE) { 4524 /* don't want to audit every sendto attempt */ 4525 tad->tad_flag = 0; 4526 /* free any residual audit data */ 4527 au_close(kctx, &(u_ad), 0, 0, 0); 4528 releasef(fd); 4529 return; 4530 } 4531 /* 4532 * mark things so we know what happened and don't 4533 * repeat things 4534 */ 4535 fad->fad_flags |= FAD_WRITE; 4536 4537 bzero((void *)so_laddr, sizeof (so_laddr)); 4538 bzero((void *)so_faddr, sizeof (so_faddr)); 4539 4540 if (so->so_state & SS_ISBOUND) { 4541 4542 if (so->so_laddr_len == 0) 4543 (void) SOP_GETSOCKNAME(so); 4544 if (so->so_faddr_len == 0) 4545 (void) SOP_GETPEERNAME(so); 4546 4547 /* get local and foreign addresses */ 4548 mutex_enter(&so->so_lock); 4549 len = min(so->so_laddr_len, sizeof (so_laddr)); 4550 bcopy(so->so_laddr_sa, so_laddr, len); 4551 len = min(so->so_faddr_len, sizeof (so_faddr)); 4552 bcopy(so->so_faddr_sa, so_faddr, len); 4553 mutex_exit(&so->so_lock); 4554 } 4555 4556 add_sock_token = 1; 4557 } 4558 4559 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4560 4561 break; 4562 4563 case AF_UNIX: 4564 /* 4565 * first check if this is first time through. Too much 4566 * duplicate code to put this in an aui_ routine. 4567 */ 4568 4569 /* get path from file struct here */ 4570 fad = F2A(fp); 4571 ASSERT(fad); 4572 4573 /* 4574 * already processed this file for write attempt 4575 */ 4576 if (fad->fad_flags & FAD_WRITE) { 4577 /* don't want to audit every sendto attempt */ 4578 tad->tad_flag = 0; 4579 /* free any residual audit data */ 4580 au_close(kctx, &(u_ad), 0, 0, 0); 4581 releasef(fd); 4582 return; 4583 } 4584 /* 4585 * mark things so we know what happened and don't 4586 * repeat things 4587 */ 4588 fad->fad_flags |= FAD_WRITE; 4589 4590 if (fad->fad_aupath != NULL) { 4591 au_uwrite(au_to_path(fad->fad_aupath)); 4592 } else { 4593 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4594 } 4595 4596 audit_attributes(fp->f_vnode); 4597 4598 releasef(fd); 4599 4600 return; 4601 4602 default: 4603 break; 4604 4605 } 4606 4607 releasef(fd); 4608 4609 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4610 4611 if (add_sock_token == 0) { 4612 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4613 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4614 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4615 return; 4616 } 4617 4618 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4619 4620 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4621 4622 } 4623 4624 /* 4625 * XXX socket(2) may be equivilent to open(2) on a unix domain 4626 * socket. This needs investigation. 4627 */ 4628 4629 /*ARGSUSED*/ 4630 static void 4631 aus_socket(struct t_audit_data *tad) 4632 { 4633 struct a { 4634 long domain; 4635 long type; 4636 long protocol; 4637 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4638 4639 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4640 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4641 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4642 } 4643 4644 /*ARGSUSED*/ 4645 static void 4646 aus_sigqueue(struct t_audit_data *tad) 4647 { 4648 struct a { 4649 long pid; 4650 long signo; 4651 long *val; 4652 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4653 struct proc *p; 4654 uid_t uid, ruid; 4655 gid_t gid, rgid; 4656 pid_t pid; 4657 const auditinfo_addr_t *ainfo; 4658 cred_t *cr; 4659 4660 pid = (pid_t)uap->pid; 4661 4662 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4663 if (pid > 0) { 4664 mutex_enter(&pidlock); 4665 if ((p = prfind(pid)) == (struct proc *)0) { 4666 mutex_exit(&pidlock); 4667 return; 4668 } 4669 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4670 mutex_exit(&pidlock); 4671 4672 mutex_enter(&p->p_crlock); 4673 crhold(cr = p->p_cred); 4674 mutex_exit(&p->p_crlock); 4675 mutex_exit(&p->p_lock); 4676 4677 ainfo = crgetauinfo(cr); 4678 if (ainfo == NULL) { 4679 crfree(cr); 4680 return; 4681 } 4682 4683 uid = crgetuid(cr); 4684 gid = crgetgid(cr); 4685 ruid = crgetruid(cr); 4686 rgid = crgetrgid(cr); 4687 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4688 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4689 crfree(cr); 4690 } 4691 else 4692 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4693 } 4694 4695 /*ARGSUSED*/ 4696 static void 4697 aus_inst_sync(struct t_audit_data *tad) 4698 { 4699 struct a { 4700 long name; /* char */ 4701 long flags; 4702 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4703 4704 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4705 } 4706 4707 /*ARGSUSED*/ 4708 static void 4709 aus_p_online(struct t_audit_data *tad) 4710 { 4711 struct a { 4712 long processor_id; 4713 long flag; 4714 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4715 4716 struct flags { 4717 int flag; 4718 char *cflag; 4719 } aflags[6] = { 4720 { P_ONLINE, "P_ONLINE"}, 4721 { P_OFFLINE, "P_OFFLINE"}, 4722 { P_NOINTR, "P_NOINTR"}, 4723 { P_SPARE, "P_SPARE"}, 4724 { P_FAULTED, "P_FAULTED"}, 4725 { P_STATUS, "P_STATUS"} 4726 }; 4727 int i; 4728 char *cflag; 4729 4730 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4731 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4732 4733 for (i = 0; i < 6; i++) { 4734 if (aflags[i].flag == uap->flag) 4735 break; 4736 } 4737 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4738 4739 au_uwrite(au_to_text(cflag)); 4740 } 4741 4742 /*ARGSUSED*/ 4743 static void 4744 aus_processor_bind(struct t_audit_data *tad) 4745 { 4746 struct a { 4747 long id_type; 4748 long id; 4749 long processor_id; 4750 long obind; 4751 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4752 4753 struct proc *p; 4754 int lwpcnt; 4755 uid_t uid, ruid; 4756 gid_t gid, rgid; 4757 pid_t pid; 4758 const auditinfo_addr_t *ainfo; 4759 cred_t *cr; 4760 4761 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4762 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4763 if (uap->processor_id == PBIND_NONE) 4764 au_uwrite(au_to_text("PBIND_NONE")); 4765 else 4766 au_uwrite(au_to_arg32(3, "processor_id", 4767 (uint32_t)uap->processor_id)); 4768 4769 switch (uap->id_type) { 4770 case P_MYID: 4771 case P_LWPID: 4772 mutex_enter(&pidlock); 4773 p = ttoproc(curthread); 4774 if (p == NULL || p->p_as == &kas) { 4775 mutex_exit(&pidlock); 4776 return; 4777 } 4778 mutex_enter(&p->p_lock); 4779 mutex_exit(&pidlock); 4780 lwpcnt = p->p_lwpcnt; 4781 pid = p->p_pid; 4782 4783 mutex_enter(&p->p_crlock); 4784 crhold(cr = p->p_cred); 4785 mutex_exit(&p->p_crlock); 4786 mutex_exit(&p->p_lock); 4787 4788 ainfo = crgetauinfo(cr); 4789 if (ainfo == NULL) { 4790 crfree(cr); 4791 return; 4792 } 4793 4794 uid = crgetuid(cr); 4795 gid = crgetgid(cr); 4796 ruid = crgetruid(cr); 4797 rgid = crgetrgid(cr); 4798 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4799 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4800 crfree(cr); 4801 break; 4802 case P_PID: 4803 mutex_enter(&pidlock); 4804 p = prfind(uap->id); 4805 if (p == NULL || p->p_as == &kas) { 4806 mutex_exit(&pidlock); 4807 return; 4808 } 4809 mutex_enter(&p->p_lock); 4810 mutex_exit(&pidlock); 4811 lwpcnt = p->p_lwpcnt; 4812 pid = p->p_pid; 4813 4814 mutex_enter(&p->p_crlock); 4815 crhold(cr = p->p_cred); 4816 mutex_exit(&p->p_crlock); 4817 mutex_exit(&p->p_lock); 4818 4819 ainfo = crgetauinfo(cr); 4820 if (ainfo == NULL) { 4821 crfree(cr); 4822 return; 4823 } 4824 4825 uid = crgetuid(cr); 4826 gid = crgetgid(cr); 4827 ruid = crgetruid(cr); 4828 rgid = crgetrgid(cr); 4829 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4830 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4831 crfree(cr); 4832 4833 break; 4834 default: 4835 return; 4836 } 4837 4838 if (uap->processor_id == PBIND_NONE && 4839 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4840 au_uwrite(au_to_text("PBIND_NONE for process")); 4841 else 4842 au_uwrite(au_to_arg32(3, "processor_id", 4843 (uint32_t)uap->processor_id)); 4844 } 4845 4846 /*ARGSUSED*/ 4847 static au_event_t 4848 aui_doorfs(au_event_t e) 4849 { 4850 uint32_t code; 4851 4852 struct a { /* doorfs */ 4853 long a1; 4854 long a2; 4855 long a3; 4856 long a4; 4857 long a5; 4858 long code; 4859 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4860 4861 /* 4862 * audit formats for several of the 4863 * door calls have not yet been determined 4864 */ 4865 code = (uint32_t)uap->code; 4866 switch (code) { 4867 case DOOR_CALL: 4868 e = AUE_DOORFS_DOOR_CALL; 4869 break; 4870 case DOOR_RETURN: 4871 e = AUE_NULL; 4872 break; 4873 case DOOR_CREATE: 4874 e = AUE_DOORFS_DOOR_CREATE; 4875 break; 4876 case DOOR_REVOKE: 4877 e = AUE_DOORFS_DOOR_REVOKE; 4878 break; 4879 case DOOR_INFO: 4880 e = AUE_NULL; 4881 break; 4882 case DOOR_UCRED: 4883 e = AUE_NULL; 4884 break; 4885 case DOOR_BIND: 4886 e = AUE_NULL; 4887 break; 4888 case DOOR_UNBIND: 4889 e = AUE_NULL; 4890 break; 4891 case DOOR_GETPARAM: 4892 e = AUE_NULL; 4893 break; 4894 case DOOR_SETPARAM: 4895 e = AUE_NULL; 4896 break; 4897 default: /* illegal system call */ 4898 e = AUE_NULL; 4899 break; 4900 } 4901 4902 return (e); 4903 } 4904 4905 static door_node_t * 4906 au_door_lookup(int did) 4907 { 4908 vnode_t *vp; 4909 file_t *fp; 4910 4911 if ((fp = getf(did)) == NULL) 4912 return (NULL); 4913 /* 4914 * Use the underlying vnode (we may be namefs mounted) 4915 */ 4916 if (VOP_REALVP(fp->f_vnode, &vp)) 4917 vp = fp->f_vnode; 4918 4919 if (vp == NULL || vp->v_type != VDOOR) { 4920 releasef(did); 4921 return (NULL); 4922 } 4923 4924 return (VTOD(vp)); 4925 } 4926 4927 /*ARGSUSED*/ 4928 static void 4929 aus_doorfs(struct t_audit_data *tad) 4930 { 4931 4932 struct a { /* doorfs */ 4933 long a1; 4934 long a2; 4935 long a3; 4936 long a4; 4937 long a5; 4938 long code; 4939 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4940 4941 door_node_t *dp; 4942 struct proc *p; 4943 uint32_t did; 4944 uid_t uid, ruid; 4945 gid_t gid, rgid; 4946 pid_t pid; 4947 const auditinfo_addr_t *ainfo; 4948 cred_t *cr; 4949 4950 did = (uint32_t)uap->a1; 4951 4952 switch (tad->tad_event) { 4953 case AUE_DOORFS_DOOR_CALL: 4954 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4955 if ((dp = au_door_lookup(did)) == NULL) 4956 break; 4957 4958 if (DOOR_INVALID(dp)) { 4959 releasef(did); 4960 break; 4961 } 4962 4963 if ((p = dp->door_target) == NULL) { 4964 releasef(did); 4965 break; 4966 } 4967 mutex_enter(&p->p_lock); 4968 releasef(did); 4969 4970 pid = p->p_pid; 4971 4972 mutex_enter(&p->p_crlock); 4973 crhold(cr = p->p_cred); 4974 mutex_exit(&p->p_crlock); 4975 mutex_exit(&p->p_lock); 4976 4977 ainfo = crgetauinfo(cr); 4978 if (ainfo == NULL) { 4979 crfree(cr); 4980 return; 4981 } 4982 uid = crgetuid(cr); 4983 gid = crgetgid(cr); 4984 ruid = crgetruid(cr); 4985 rgid = crgetrgid(cr); 4986 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4987 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4988 crfree(cr); 4989 break; 4990 case AUE_DOORFS_DOOR_RETURN: 4991 /* 4992 * We may want to write information about 4993 * all doors (if any) which will be copied 4994 * by this call to the user space 4995 */ 4996 break; 4997 case AUE_DOORFS_DOOR_CREATE: 4998 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 4999 break; 5000 case AUE_DOORFS_DOOR_REVOKE: 5001 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5002 break; 5003 case AUE_DOORFS_DOOR_INFO: 5004 break; 5005 case AUE_DOORFS_DOOR_CRED: 5006 break; 5007 case AUE_DOORFS_DOOR_BIND: 5008 break; 5009 case AUE_DOORFS_DOOR_UNBIND: { 5010 break; 5011 } 5012 default: /* illegal system call */ 5013 break; 5014 } 5015 } 5016 5017 /*ARGSUSED*/ 5018 static au_event_t 5019 aui_acl(au_event_t e) 5020 { 5021 struct a { 5022 union { 5023 long name; /* char */ 5024 long fd; 5025 } obj; 5026 5027 long cmd; 5028 long nentries; 5029 long arg; /* aclent_t */ 5030 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5031 5032 switch (uap->cmd) { 5033 case SETACL: 5034 /* ok, acl(SETACL, ...) and facl(SETACL, ...) are expected. */ 5035 break; 5036 case GETACL: 5037 case GETACLCNT: 5038 /* do nothing for these two values. */ 5039 e = AUE_NULL; 5040 break; 5041 default: 5042 /* illegal system call */ 5043 break; 5044 } 5045 5046 return (e); 5047 } 5048 5049 5050 /*ARGSUSED*/ 5051 static void 5052 aus_acl(struct t_audit_data *tad) 5053 { 5054 struct a { 5055 long fname; 5056 long cmd; 5057 long nentries; 5058 long aclbufp; 5059 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5060 struct acl *aclbufp; 5061 5062 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5063 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5064 5065 switch (uap->cmd) { 5066 case GETACL: 5067 case GETACLCNT: 5068 break; 5069 case SETACL: 5070 if (uap->nentries < 3) 5071 break; 5072 else { 5073 size_t a_size = uap->nentries * sizeof (struct acl); 5074 int i; 5075 5076 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5077 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5078 kmem_free(aclbufp, a_size); 5079 break; 5080 } 5081 for (i = 0; i < uap->nentries; i++) { 5082 au_uwrite(au_to_acl(aclbufp + i)); 5083 } 5084 kmem_free(aclbufp, a_size); 5085 break; 5086 } 5087 default: 5088 break; 5089 } 5090 } 5091 5092 /*ARGSUSED*/ 5093 static void 5094 aus_facl(struct t_audit_data *tad) 5095 { 5096 struct a { 5097 long fd; 5098 long cmd; 5099 long nentries; 5100 long aclbufp; 5101 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5102 struct file *fp; 5103 struct vnode *vp; 5104 struct f_audit_data *fad; 5105 struct acl *aclbufp; 5106 int fd; 5107 5108 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5109 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5110 5111 fd = (int)uap->fd; 5112 5113 if ((fp = getf(fd)) == NULL) 5114 return; 5115 5116 /* get path from file struct here */ 5117 fad = F2A(fp); 5118 if (fad->fad_aupath != NULL) { 5119 au_uwrite(au_to_path(fad->fad_aupath)); 5120 } else { 5121 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5122 } 5123 5124 vp = fp->f_vnode; 5125 audit_attributes(vp); 5126 5127 /* decrement file descriptor reference count */ 5128 releasef(fd); 5129 5130 switch (uap->cmd) { 5131 case GETACL: 5132 case GETACLCNT: 5133 break; 5134 case SETACL: 5135 if (uap->nentries < 3) 5136 break; 5137 else { 5138 size_t a_size = uap->nentries * sizeof (struct acl); 5139 int i; 5140 5141 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5142 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5143 kmem_free(aclbufp, a_size); 5144 break; 5145 } 5146 for (i = 0; i < uap->nentries; i++) { 5147 au_uwrite(au_to_acl(aclbufp + i)); 5148 } 5149 kmem_free(aclbufp, a_size); 5150 break; 5151 } 5152 default: 5153 break; 5154 } 5155 } 5156 5157 /*ARGSUSED*/ 5158 static void 5159 auf_read(tad, error, rval) 5160 struct t_audit_data *tad; 5161 int error; 5162 rval_t *rval; 5163 { 5164 struct file *fp; 5165 struct f_audit_data *fad; 5166 int fd; 5167 register struct a { 5168 long fd; 5169 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5170 au_kcontext_t *kctx = SET_KCTX_PZ; 5171 5172 fd = (int)uap->fd; 5173 5174 /* 5175 * convert file pointer to file descriptor 5176 * Note: fd ref count incremented here. 5177 */ 5178 if ((fp = getf(fd)) == NULL) 5179 return; 5180 5181 /* get path from file struct here */ 5182 fad = F2A(fp); 5183 ASSERT(fad); 5184 5185 /* 5186 * already processed this file for read attempt 5187 * 5188 * XXX might be better to turn off auditing in a aui_read() routine. 5189 */ 5190 if (fad->fad_flags & FAD_READ) { 5191 /* don't really want to audit every read attempt */ 5192 tad->tad_flag = 0; 5193 /* free any residual audit data */ 5194 au_close(kctx, &(u_ad), 0, 0, 0); 5195 releasef(fd); 5196 return; 5197 } 5198 /* mark things so we know what happened and don't repeat things */ 5199 fad->fad_flags |= FAD_READ; 5200 5201 if (fad->fad_aupath != NULL) { 5202 au_uwrite(au_to_path(fad->fad_aupath)); 5203 } else { 5204 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5205 } 5206 5207 /* include attributes */ 5208 audit_attributes(fp->f_vnode); 5209 5210 /* decrement file descriptor reference count */ 5211 releasef(fd); 5212 } 5213 5214 /*ARGSUSED*/ 5215 static void 5216 auf_write(tad, error, rval) 5217 struct t_audit_data *tad; 5218 int error; 5219 rval_t *rval; 5220 { 5221 struct file *fp; 5222 struct f_audit_data *fad; 5223 int fd; 5224 register struct a { 5225 long fd; 5226 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5227 au_kcontext_t *kctx = SET_KCTX_PZ; 5228 5229 fd = (int)uap->fd; 5230 5231 /* 5232 * convert file pointer to file descriptor 5233 * Note: fd ref count incremented here. 5234 */ 5235 if ((fp = getf(fd)) == NULL) 5236 return; 5237 5238 /* get path from file struct here */ 5239 fad = F2A(fp); 5240 ASSERT(fad); 5241 5242 /* 5243 * already processed this file for write attempt 5244 * 5245 * XXX might be better to turn off auditing in a aus_write() routine. 5246 */ 5247 if (fad->fad_flags & FAD_WRITE) { 5248 /* don't really want to audit every write attempt */ 5249 tad->tad_flag = 0; 5250 /* free any residual audit data */ 5251 au_close(kctx, &(u_ad), 0, 0, 0); 5252 releasef(fd); 5253 return; 5254 } 5255 /* mark things so we know what happened and don't repeat things */ 5256 fad->fad_flags |= FAD_WRITE; 5257 5258 if (fad->fad_aupath != NULL) { 5259 au_uwrite(au_to_path(fad->fad_aupath)); 5260 } else { 5261 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5262 } 5263 5264 /* include attributes */ 5265 audit_attributes(fp->f_vnode); 5266 5267 /* decrement file descriptor reference count */ 5268 releasef(fd); 5269 } 5270 5271 /*ARGSUSED*/ 5272 static void 5273 auf_recv(tad, error, rval) 5274 struct t_audit_data *tad; 5275 int error; 5276 rval_t *rval; 5277 { 5278 struct sonode *so; 5279 char so_laddr[sizeof (struct sockaddr_in6)]; 5280 char so_faddr[sizeof (struct sockaddr_in6)]; 5281 struct file *fp; 5282 struct f_audit_data *fad; 5283 int fd; 5284 int err; 5285 int len; 5286 short so_family, so_type; 5287 register struct a { 5288 long fd; 5289 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5290 au_kcontext_t *kctx = SET_KCTX_PZ; 5291 5292 /* 5293 * If there was an error, then nothing to do. Only generate 5294 * audit record on first successful recv. 5295 */ 5296 if (error) { 5297 /* Turn off audit record generation here. */ 5298 tad->tad_flag = 0; 5299 /* free any residual audit data */ 5300 au_close(kctx, &(u_ad), 0, 0, 0); 5301 return; 5302 } 5303 5304 fd = (int)uap->fd; 5305 5306 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5307 /* Turn off audit record generation here. */ 5308 tad->tad_flag = 0; 5309 /* free any residual audit data */ 5310 au_close(kctx, &(u_ad), 0, 0, 0); 5311 return; 5312 } 5313 5314 /* get path from file struct here */ 5315 fad = F2A(fp); 5316 ASSERT(fad); 5317 5318 /* 5319 * already processed this file for read attempt 5320 */ 5321 if (fad->fad_flags & FAD_READ) { 5322 releasef(fd); 5323 /* don't really want to audit every recv call */ 5324 tad->tad_flag = 0; 5325 /* free any residual audit data */ 5326 au_close(kctx, &(u_ad), 0, 0, 0); 5327 return; 5328 } 5329 5330 /* mark things so we know what happened and don't repeat things */ 5331 fad->fad_flags |= FAD_READ; 5332 5333 so_family = so->so_family; 5334 so_type = so->so_type; 5335 5336 switch (so_family) { 5337 case AF_INET: 5338 case AF_INET6: 5339 /* 5340 * Only for connections. 5341 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5342 */ 5343 if (so->so_state & SS_ISBOUND) { 5344 5345 bzero((void *)so_laddr, sizeof (so_laddr)); 5346 bzero((void *)so_faddr, sizeof (so_faddr)); 5347 5348 /* only done once on a connection */ 5349 (void) SOP_GETSOCKNAME(so); 5350 (void) SOP_GETPEERNAME(so); 5351 5352 /* get local and foreign addresses */ 5353 mutex_enter(&so->so_lock); 5354 len = min(so->so_laddr_len, sizeof (so_laddr)); 5355 bcopy(so->so_laddr_sa, so_laddr, len); 5356 len = min(so->so_faddr_len, sizeof (so_faddr)); 5357 bcopy(so->so_faddr_sa, so_faddr, len); 5358 mutex_exit(&so->so_lock); 5359 5360 /* 5361 * only way to drop out of switch. Note that we 5362 * we release fd below. 5363 */ 5364 5365 break; 5366 } 5367 5368 releasef(fd); 5369 5370 /* don't really want to audit every recv call */ 5371 tad->tad_flag = 0; 5372 /* free any residual audit data */ 5373 au_close(kctx, &(u_ad), 0, 0, 0); 5374 5375 return; 5376 5377 case AF_UNIX: 5378 5379 if (fad->fad_aupath != NULL) { 5380 au_uwrite(au_to_path(fad->fad_aupath)); 5381 } else { 5382 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5383 } 5384 5385 audit_attributes(fp->f_vnode); 5386 5387 releasef(fd); 5388 5389 return; 5390 5391 default: 5392 releasef(fd); 5393 5394 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5395 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5396 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5397 5398 return; 5399 } 5400 5401 releasef(fd); 5402 5403 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5404 5405 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5406 5407 } 5408 5409 /*ARGSUSED*/ 5410 static void 5411 auf_send(tad, error, rval) 5412 struct t_audit_data *tad; 5413 int error; 5414 rval_t *rval; 5415 { 5416 struct sonode *so; 5417 char so_laddr[sizeof (struct sockaddr_in6)]; 5418 char so_faddr[sizeof (struct sockaddr_in6)]; 5419 struct file *fp; 5420 struct f_audit_data *fad; 5421 int fd; 5422 int err; 5423 int len; 5424 short so_family, so_type; 5425 register struct a { 5426 long fd; 5427 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5428 au_kcontext_t *kctx = SET_KCTX_PZ; 5429 5430 fd = (int)uap->fd; 5431 5432 /* 5433 * If there was an error, then nothing to do. Only generate 5434 * audit record on first successful send. 5435 */ 5436 if (error != 0) { 5437 /* Turn off audit record generation here. */ 5438 tad->tad_flag = 0; 5439 /* free any residual audit data */ 5440 au_close(kctx, &(u_ad), 0, 0, 0); 5441 return; 5442 } 5443 5444 fd = (int)uap->fd; 5445 5446 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5447 /* Turn off audit record generation here. */ 5448 tad->tad_flag = 0; 5449 /* free any residual audit data */ 5450 au_close(kctx, &(u_ad), 0, 0, 0); 5451 return; 5452 } 5453 5454 /* get path from file struct here */ 5455 fad = F2A(fp); 5456 ASSERT(fad); 5457 5458 /* 5459 * already processed this file for write attempt 5460 */ 5461 if (fad->fad_flags & FAD_WRITE) { 5462 releasef(fd); 5463 /* don't really want to audit every send call */ 5464 tad->tad_flag = 0; 5465 /* free any residual audit data */ 5466 au_close(kctx, &(u_ad), 0, 0, 0); 5467 return; 5468 } 5469 5470 /* mark things so we know what happened and don't repeat things */ 5471 fad->fad_flags |= FAD_WRITE; 5472 5473 so_family = so->so_family; 5474 so_type = so->so_type; 5475 5476 switch (so_family) { 5477 case AF_INET: 5478 case AF_INET6: 5479 /* 5480 * Only for connections. 5481 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5482 */ 5483 if (so->so_state & SS_ISBOUND) { 5484 5485 bzero((void *)so_laddr, sizeof (so_laddr)); 5486 bzero((void *)so_faddr, sizeof (so_faddr)); 5487 5488 /* only done once on a connection */ 5489 (void) SOP_GETSOCKNAME(so); 5490 (void) SOP_GETPEERNAME(so); 5491 5492 /* get local and foreign addresses */ 5493 mutex_enter(&so->so_lock); 5494 len = min(so->so_laddr_len, sizeof (so_laddr)); 5495 bcopy(so->so_laddr_sa, so_laddr, len); 5496 len = min(so->so_faddr_len, sizeof (so_faddr)); 5497 bcopy(so->so_faddr_sa, so_faddr, len); 5498 mutex_exit(&so->so_lock); 5499 5500 /* 5501 * only way to drop out of switch. Note that we 5502 * we release fd below. 5503 */ 5504 5505 break; 5506 } 5507 5508 releasef(fd); 5509 /* don't really want to audit every send call */ 5510 tad->tad_flag = 0; 5511 /* free any residual audit data */ 5512 au_close(kctx, &(u_ad), 0, 0, 0); 5513 5514 return; 5515 5516 case AF_UNIX: 5517 5518 if (fad->fad_aupath != NULL) { 5519 au_uwrite(au_to_path(fad->fad_aupath)); 5520 } else { 5521 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5522 } 5523 5524 audit_attributes(fp->f_vnode); 5525 5526 releasef(fd); 5527 5528 return; 5529 5530 default: 5531 releasef(fd); 5532 5533 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5534 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5535 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5536 5537 return; 5538 } 5539 5540 releasef(fd); 5541 5542 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5543 5544 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5545 } 5546