1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <sys/tsol/label.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 int au_naevent; 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_open(au_event_t); 84 static au_event_t aui_fsat(au_event_t); 85 static au_event_t aui_msgsys(au_event_t); 86 static au_event_t aui_shmsys(au_event_t); 87 static au_event_t aui_semsys(au_event_t); 88 static au_event_t aui_utssys(au_event_t); 89 static au_event_t aui_fcntl(au_event_t); 90 static au_event_t aui_execv(au_event_t); 91 static au_event_t aui_execve(au_event_t); 92 static au_event_t aui_memcntl(au_event_t); 93 static au_event_t aui_sysinfo(au_event_t); 94 static au_event_t aui_portfs(au_event_t); 95 static au_event_t aui_auditsys(au_event_t); 96 static au_event_t aui_modctl(au_event_t); 97 static au_event_t aui_acl(au_event_t); 98 static au_event_t aui_doorfs(au_event_t); 99 static au_event_t aui_privsys(au_event_t); 100 static au_event_t aui_forksys(au_event_t); 101 102 static void aus_open(struct t_audit_data *); 103 static void aus_acl(struct t_audit_data *); 104 static void aus_acct(struct t_audit_data *); 105 static void aus_chown(struct t_audit_data *); 106 static void aus_fchown(struct t_audit_data *); 107 static void aus_lchown(struct t_audit_data *); 108 static void aus_chmod(struct t_audit_data *); 109 static void aus_facl(struct t_audit_data *); 110 static void aus_fchmod(struct t_audit_data *); 111 static void aus_fcntl(struct t_audit_data *); 112 static void aus_fsat(struct t_audit_data *); 113 static void aus_mkdir(struct t_audit_data *); 114 static void aus_mknod(struct t_audit_data *); 115 static void aus_mount(struct t_audit_data *); 116 static void aus_umount(struct t_audit_data *); 117 static void aus_umount2(struct t_audit_data *); 118 static void aus_msgsys(struct t_audit_data *); 119 static void aus_semsys(struct t_audit_data *); 120 static void aus_close(struct t_audit_data *); 121 static void aus_fstatfs(struct t_audit_data *); 122 static void aus_setgid(struct t_audit_data *); 123 static void aus_setuid(struct t_audit_data *); 124 static void aus_shmsys(struct t_audit_data *); 125 static void aus_doorfs(struct t_audit_data *); 126 static void aus_ioctl(struct t_audit_data *); 127 static void aus_memcntl(struct t_audit_data *); 128 static void aus_mmap(struct t_audit_data *); 129 static void aus_munmap(struct t_audit_data *); 130 static void aus_priocntlsys(struct t_audit_data *); 131 static void aus_setegid(struct t_audit_data *); 132 static void aus_setgroups(struct t_audit_data *); 133 static void aus_seteuid(struct t_audit_data *); 134 static void aus_putmsg(struct t_audit_data *); 135 static void aus_putpmsg(struct t_audit_data *); 136 static void aus_getmsg(struct t_audit_data *); 137 static void aus_getpmsg(struct t_audit_data *); 138 static void aus_auditsys(struct t_audit_data *); 139 static void aus_sysinfo(struct t_audit_data *); 140 static void aus_modctl(struct t_audit_data *); 141 static void aus_kill(struct t_audit_data *); 142 static void aus_xmknod(struct t_audit_data *); 143 static void aus_setregid(struct t_audit_data *); 144 static void aus_setreuid(struct t_audit_data *); 145 146 static void auf_mknod(struct t_audit_data *, int, rval_t *); 147 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 148 static void auf_semsys(struct t_audit_data *, int, rval_t *); 149 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 150 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 151 static void auf_read(struct t_audit_data *, int, rval_t *); 152 static void auf_write(struct t_audit_data *, int, rval_t *); 153 154 static void aus_sigqueue(struct t_audit_data *); 155 static void aus_p_online(struct t_audit_data *); 156 static void aus_processor_bind(struct t_audit_data *); 157 static void aus_inst_sync(struct t_audit_data *); 158 static void aus_brandsys(struct t_audit_data *); 159 160 static void auf_accept(struct t_audit_data *, int, rval_t *); 161 162 static void auf_bind(struct t_audit_data *, int, rval_t *); 163 static void auf_connect(struct t_audit_data *, int, rval_t *); 164 static void aus_shutdown(struct t_audit_data *); 165 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 166 static void aus_sockconfig(struct t_audit_data *); 167 static void auf_recv(struct t_audit_data *, int, rval_t *); 168 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 169 static void auf_send(struct t_audit_data *, int, rval_t *); 170 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 171 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 172 static void auf_sendto(struct t_audit_data *, int, rval_t *); 173 static void aus_socket(struct t_audit_data *); 174 /* 175 * This table contains mapping information for converting system call numbers 176 * to audit event IDs. In several cases it is necessary to map a single system 177 * call to several events. 178 */ 179 180 #define aui_null NULL /* NULL initialize function */ 181 #define aus_null NULL /* NULL start function */ 182 #define auf_null NULL /* NULL finish function */ 183 184 struct audit_s2e audit_s2e[] = 185 { 186 /* 187 * ---------- ---------- ---------- ---------- 188 * INITIAL AUDIT START SYSTEM 189 * PROCESSING EVENT PROCESSING CALL 190 * ---------- ---------- ---------- ----------- 191 * FINISH EVENT 192 * PROCESSING CONTROL 193 * ---------------------------------------------------------- 194 */ 195 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 196 auf_null, 0, 197 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 198 auf_null, S2E_NPT, 199 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 200 auf_null, 0, 201 aui_null, AUE_READ, aus_null, /* 3 read */ 202 auf_read, S2E_PUB, 203 aui_null, AUE_WRITE, aus_null, /* 4 write */ 204 auf_write, 0, 205 aui_open, AUE_OPEN, aus_open, /* 5 open */ 206 auf_null, S2E_SP, 207 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 208 auf_null, 0, 209 aui_null, AUE_NULL, aus_null, /* 7 wait */ 210 auf_null, 0, 211 aui_null, AUE_CREAT, aus_null, /* 8 create */ 212 auf_null, S2E_SP, 213 aui_null, AUE_LINK, aus_null, /* 9 link */ 214 auf_null, 0, 215 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 216 auf_null, 0, 217 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 218 auf_null, S2E_MLD, 219 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 220 auf_null, S2E_SP, 221 aui_null, AUE_NULL, aus_null, /* 13 time */ 222 auf_null, 0, 223 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 224 auf_mknod, 0, 225 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 226 auf_null, 0, 227 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 228 auf_null, 0, 229 aui_null, AUE_NULL, aus_null, /* 17 brk */ 230 auf_null, 0, 231 aui_null, AUE_STAT, aus_null, /* 18 stat */ 232 auf_null, S2E_PUB, 233 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 234 auf_null, 0, 235 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 236 auf_null, 0, 237 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 238 auf_null, S2E_MLD, 239 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 240 auf_null, 0, 241 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 242 auf_null, 0, 243 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 244 auf_null, 0, 245 aui_null, AUE_STIME, aus_null, /* 25 stime */ 246 auf_null, 0, 247 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 29 pause */ 254 auf_null, 0, 255 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 260 auf_null, 0, 261 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 262 auf_null, S2E_PUB, 263 aui_null, AUE_NICE, aus_null, /* 34 nice */ 264 auf_null, 0, 265 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 266 auf_null, S2E_PUB, 267 aui_null, AUE_NULL, aus_null, /* 36 sync */ 268 auf_null, 0, 269 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 270 auf_null, 0, 271 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 272 auf_null, S2E_PUB, 273 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 274 auf_null, 0, 275 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 276 auf_null, 0, 277 aui_null, AUE_NULL, aus_null, /* 41 dup */ 278 auf_null, 0, 279 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 43 times */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 44 profil */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 286 /* was proc lock */ 287 auf_null, 0, 288 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 289 auf_null, 0, 290 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 291 auf_null, 0, 292 aui_null, AUE_NULL, aus_null, /* 48 sig */ 293 auf_null, 0, 294 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 295 auf_msgsys, 0, 296 #if defined(__x86) 297 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 298 auf_null, 0, 299 #else 300 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 301 auf_null, 0, 302 #endif /* __x86 */ 303 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 304 auf_null, 0, 305 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 306 auf_shmsys, 0, 307 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 308 auf_semsys, 0, 309 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 310 auf_null, 0, 311 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 312 auf_null, 0, 313 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 314 auf_null, 0, 315 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 316 auf_null, 0, 317 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 318 auf_null, 0, 319 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 320 auf_null, S2E_MLD, 321 aui_null, AUE_NULL, aus_null, /* 60 umask */ 322 auf_null, 0, 323 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 324 auf_null, S2E_SP, 325 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 326 auf_null, 0, 327 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 328 auf_null, 0, 329 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 332 auf_null, 0, 333 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 334 auf_null, 0, 335 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 336 /* file locking call */ 337 auf_null, 0, 338 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 339 /* local system calls */ 340 auf_null, 0, 341 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 344 auf_null, 0, 345 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 352 auf_null, 0, 353 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 354 /* was sigret (SunOS) */ 355 auf_null, 0, 356 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 361 auf_null, 0, 362 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 363 auf_null, 0, 364 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 365 auf_null, 0, 366 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 367 auf_null, 0, 368 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 369 /* was libattach */ 370 auf_null, 0, 371 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 372 /* was libdetach */ 373 auf_null, 0, 374 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 375 auf_null, 0, 376 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 377 auf_null, 0, 378 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 379 auf_null, 0, 380 aui_null, AUE_NULL, aus_null, /* 87 poll */ 381 auf_null, 0, 382 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 383 auf_null, S2E_PUB, 384 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 385 auf_null, 0, 386 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 387 auf_null, S2E_PUB, 388 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 389 auf_null, 0, 390 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 391 auf_null, 0, 392 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 393 auf_null, 0, 394 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 395 auf_null, 0, 396 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 411 /* was evtrapret */ 412 auf_null, 0, 413 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 414 auf_null, S2E_PUB, 415 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 416 auf_null, 0, 417 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 418 auf_null, 0, 419 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 422 auf_null, 0, 423 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 424 auf_null, 0, 425 #if defined(__x86) 426 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 427 auf_null, 0, 428 #else 429 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 430 auf_null, 0, 431 #endif /* __x86 */ 432 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 433 auf_null, 0, 434 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 435 auf_null, 0, 436 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 437 auf_null, 0, /* 112 priocntlsys */ 438 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 439 auf_null, S2E_PUB, 440 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 441 auf_null, 0, 442 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 443 auf_null, 0, 444 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 445 auf_null, 0, 446 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 447 auf_null, 0, 448 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 449 auf_null, 0, 450 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 451 auf_null, 0, 452 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 453 auf_null, 0, 454 aui_null, AUE_READ, aus_null, /* 121 readv */ 455 auf_read, S2E_PUB, 456 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 457 auf_write, 0, 458 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 459 auf_null, S2E_PUB, 460 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 461 auf_null, S2E_PUB, 462 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 463 auf_null, 0, 464 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 465 auf_xmknod, 0, 466 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 467 auf_null, 0, 468 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 469 auf_null, 0, 470 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 471 auf_null, 0, 472 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 473 auf_null, 0, 474 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 475 auf_null, 0, 476 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 477 auf_null, 0, 478 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 479 auf_null, 0, 480 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 481 auf_null, 0, 482 aui_null, AUE_NULL, aus_null, /* 135 uname */ 483 auf_null, 0, 484 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 485 auf_null, 0, 486 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 487 auf_null, 0, 488 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 489 auf_null, 0, 490 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 491 auf_null, 0, 492 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 493 auf_null, 0, 494 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 495 auf_null, 0, 496 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 497 auf_null, 0, 498 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 499 auf_null, 0, 500 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 501 auf_null, 0, 502 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 146 yield */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 515 auf_null, 0, 516 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 517 auf_null, 0, 518 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 519 auf_null, 0, 520 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 543 /* was lwp_setprivate */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 546 /* was lwp_getprivate */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 557 auf_null, 0, 558 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 559 auf_null, 0, 560 aui_null, AUE_READ, aus_null, /* 173 pread */ 561 auf_read, S2E_PUB, 562 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 563 auf_write, 0, 564 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 565 auf_null, 0, 566 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 567 /* aus_inst_sync */ 568 auf_null, 0, 569 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 570 auf_null, 0, 571 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 578 auf_null, 0, 579 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 580 auf_null, 0, 581 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 582 auf_null, 0, 583 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 584 auf_null, 0, 585 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 586 auf_null, 0, 587 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 588 auf_null, 0, 589 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 590 auf_null, 0, /* 187 processor_bind */ 591 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 592 auf_null, 0, 593 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 594 auf_null, 0, 595 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 598 auf_null, 0, 599 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 614 auf_null, 0, 615 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 616 auf_null, 0, 617 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 618 auf_null, 0, 619 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 620 auf_null, 0, 621 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 622 auf_null, 0, 623 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 642 auf_null, 0, 643 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 644 auf_null, 0, 645 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 646 auf_null, S2E_PUB, 647 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 650 auf_null, 0, 651 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 652 auf_null, S2E_PUB, 653 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 654 auf_null, 0, 655 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 656 auf_null, 0, 657 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 658 auf_null, 0, 659 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 660 auf_read, S2E_PUB, 661 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 662 auf_write, 0, 663 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 664 auf_null, S2E_SP, 665 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 666 auf_null, S2E_SP, 667 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 668 auf_null, 0, 669 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 674 auf_null, 0, 675 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 676 auf_null, 0, 677 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 678 auf_null, 0, 679 aui_null, AUE_BIND, aus_null, /* 232 bind */ 680 auf_bind, 0, 681 aui_null, AUE_NULL, aus_null, /* 233 listen */ 682 auf_null, 0, 683 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 684 auf_accept, 0, 685 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 686 auf_connect, 0, 687 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 688 auf_null, 0, 689 aui_null, AUE_READ, aus_null, /* 237 recv */ 690 auf_recv, 0, 691 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 692 auf_recvfrom, 0, 693 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 694 auf_recvmsg, 0, 695 aui_null, AUE_WRITE, aus_null, /* 240 send */ 696 auf_send, 0, 697 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 698 auf_sendmsg, 0, 699 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 700 auf_sendto, 0, 701 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 702 auf_null, 0, 703 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 704 auf_null, 0, 705 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 706 auf_null, 0, 707 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 708 auf_setsockopt, 0, 709 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 710 auf_null, 0, 711 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 712 auf_null, 0, 713 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 724 auf_null, 0, 725 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 726 auf_null, 0 727 }; 728 729 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 730 731 732 /* acct start function */ 733 /*ARGSUSED*/ 734 static void 735 aus_acct(struct t_audit_data *tad) 736 { 737 klwp_t *clwp = ttolwp(curthread); 738 uintptr_t fname; 739 740 struct a { 741 long fname; /* char * */ 742 } *uap = (struct a *)clwp->lwp_ap; 743 744 fname = (uintptr_t)uap->fname; 745 746 if (fname == 0) 747 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 748 } 749 750 /* chown start function */ 751 /*ARGSUSED*/ 752 static void 753 aus_chown(struct t_audit_data *tad) 754 { 755 klwp_t *clwp = ttolwp(curthread); 756 uint32_t uid, gid; 757 758 struct a { 759 long fname; /* char * */ 760 long uid; 761 long gid; 762 } *uap = (struct a *)clwp->lwp_ap; 763 764 uid = (uint32_t)uap->uid; 765 gid = (uint32_t)uap->gid; 766 767 au_uwrite(au_to_arg32(2, "new file uid", uid)); 768 au_uwrite(au_to_arg32(3, "new file gid", gid)); 769 } 770 771 /* fchown start function */ 772 /*ARGSUSED*/ 773 static void 774 aus_fchown(struct t_audit_data *tad) 775 { 776 klwp_t *clwp = ttolwp(curthread); 777 uint32_t uid, gid, fd; 778 struct file *fp; 779 struct vnode *vp; 780 struct f_audit_data *fad; 781 782 struct a { 783 long fd; 784 long uid; 785 long gid; 786 } *uap = (struct a *)clwp->lwp_ap; 787 788 fd = (uint32_t)uap->fd; 789 uid = (uint32_t)uap->uid; 790 gid = (uint32_t)uap->gid; 791 792 au_uwrite(au_to_arg32(2, "new file uid", uid)); 793 au_uwrite(au_to_arg32(3, "new file gid", gid)); 794 795 /* 796 * convert file pointer to file descriptor 797 * Note: fd ref count incremented here. 798 */ 799 if ((fp = getf(fd)) == NULL) 800 return; 801 802 /* get path from file struct here */ 803 fad = F2A(fp); 804 if (fad->fad_aupath != NULL) { 805 au_uwrite(au_to_path(fad->fad_aupath)); 806 } else { 807 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 808 } 809 810 vp = fp->f_vnode; 811 audit_attributes(vp); 812 813 /* decrement file descriptor reference count */ 814 releasef(fd); 815 } 816 817 /*ARGSUSED*/ 818 static void 819 aus_lchown(struct t_audit_data *tad) 820 { 821 klwp_t *clwp = ttolwp(curthread); 822 uint32_t uid, gid; 823 824 825 struct a { 826 long fname; /* char * */ 827 long uid; 828 long gid; 829 } *uap = (struct a *)clwp->lwp_ap; 830 831 uid = (uint32_t)uap->uid; 832 gid = (uint32_t)uap->gid; 833 834 au_uwrite(au_to_arg32(2, "new file uid", uid)); 835 au_uwrite(au_to_arg32(3, "new file gid", gid)); 836 } 837 838 /* chmod start function */ 839 /*ARGSUSED*/ 840 static void 841 aus_chmod(struct t_audit_data *tad) 842 { 843 klwp_t *clwp = ttolwp(curthread); 844 uint32_t fmode; 845 846 struct a { 847 long fname; /* char * */ 848 long fmode; 849 } *uap = (struct a *)clwp->lwp_ap; 850 851 fmode = (uint32_t)uap->fmode; 852 853 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 854 } 855 856 /* chmod start function */ 857 /*ARGSUSED*/ 858 static void 859 aus_fchmod(struct t_audit_data *tad) 860 { 861 klwp_t *clwp = ttolwp(curthread); 862 uint32_t fmode, fd; 863 struct file *fp; 864 struct vnode *vp; 865 struct f_audit_data *fad; 866 867 struct a { 868 long fd; 869 long fmode; 870 } *uap = (struct a *)clwp->lwp_ap; 871 872 fd = (uint32_t)uap->fd; 873 fmode = (uint32_t)uap->fmode; 874 875 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 876 877 /* 878 * convert file pointer to file descriptor 879 * Note: fd ref count incremented here. 880 */ 881 if ((fp = getf(fd)) == NULL) 882 return; 883 884 /* get path from file struct here */ 885 fad = F2A(fp); 886 if (fad->fad_aupath != NULL) { 887 au_uwrite(au_to_path(fad->fad_aupath)); 888 } else { 889 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 890 } 891 892 vp = fp->f_vnode; 893 audit_attributes(vp); 894 895 /* decrement file descriptor reference count */ 896 releasef(fd); 897 } 898 899 900 /* convert open to appropriate event */ 901 static au_event_t 902 aui_open(au_event_t e) 903 { 904 klwp_t *clwp = ttolwp(curthread); 905 uint_t fm; 906 907 struct a { 908 long fnamep; /* char * */ 909 long fmode; 910 long cmode; 911 } *uap = (struct a *)clwp->lwp_ap; 912 913 fm = (uint_t)uap->fmode; 914 915 if (fm & O_WRONLY) 916 e = AUE_OPEN_W; 917 else if (fm & O_RDWR) 918 e = AUE_OPEN_RW; 919 else 920 e = AUE_OPEN_R; 921 922 if (fm & O_CREAT) 923 e += 1; 924 if (fm & O_TRUNC) 925 e += 2; 926 927 return (e); 928 } 929 930 /*ARGSUSED*/ 931 static void 932 aus_open(struct t_audit_data *tad) 933 { 934 klwp_t *clwp = ttolwp(curthread); 935 uint_t fm; 936 937 struct a { 938 long fnamep; /* char * */ 939 long fmode; 940 long cmode; 941 } *uap = (struct a *)clwp->lwp_ap; 942 943 fm = (uint_t)uap->fmode; 944 945 /* If no write, create, or trunc modes, mark as a public op */ 946 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 947 tad->tad_ctrl |= PAD_PUBLIC_EV; 948 } 949 950 /* convert openat(2) to appropriate event */ 951 static au_event_t 952 aui_fsat(au_event_t e) 953 { 954 t_audit_data_t *tad = U2A(u); 955 klwp_t *clwp = ttolwp(curthread); 956 uint_t fmcode, fm; 957 struct a { 958 long id; 959 long arg1; 960 long arg2; 961 long arg3; 962 long arg4; 963 long arg5; 964 } *uap = (struct a *)clwp->lwp_ap; 965 966 fmcode = (uint_t)uap->id; 967 968 switch (fmcode) { 969 970 case 0: /* openat */ 971 case 1: /* openat64 */ 972 fm = (uint_t)uap->arg3; 973 if (fm & O_WRONLY) 974 e = AUE_OPENAT_W; 975 else if (fm & O_RDWR) 976 e = AUE_OPENAT_RW; 977 else 978 e = AUE_OPENAT_R; 979 980 /* 981 * openat modes are defined in the following order: 982 * Read only 983 * Read|Create 984 * Read|Trunc 985 * Read|Create|Trunc 986 * Write Only 987 * Write|Create 988 * Write|Trunc 989 * Write|Create|Trunc * RW Only 990 * RW|Create 991 * RW|Trunc 992 * RW|Create|Trunc 993 */ 994 if (fm & O_CREAT) 995 e += 1; /* increment to include CREAT in mode */ 996 if (fm & O_TRUNC) 997 e += 2; /* increment to include TRUNC in mode */ 998 999 /* convert to appropriate au_ctrl */ 1000 tad->tad_ctrl |= PAD_SAVPATH; 1001 if (fm & FXATTR) 1002 tad->tad_ctrl |= PAD_ATPATH; 1003 1004 1005 break; 1006 case 2: /* fstatat64 */ 1007 case 3: /* fstatat */ 1008 e = AUE_FSTATAT; 1009 break; 1010 case 4: /* fchownat */ 1011 e = AUE_FCHOWNAT; 1012 break; 1013 case 5: /* unlinkat */ 1014 e = AUE_UNLINKAT; 1015 break; 1016 case 6: /* futimesat */ 1017 e = AUE_FUTIMESAT; 1018 break; 1019 case 7: /* renameat */ 1020 e = AUE_RENAMEAT; 1021 break; 1022 case 9: /* __openattrdirat */ 1023 tad->tad_ctrl |= PAD_SAVPATH; 1024 /*FALLTHROUGH*/ 1025 default: 1026 e = AUE_NULL; 1027 break; 1028 } 1029 1030 return (e); 1031 } 1032 1033 /*ARGSUSED*/ 1034 static void 1035 aus_fsat(struct t_audit_data *tad) 1036 { 1037 klwp_t *clwp = ttolwp(curthread); 1038 uint_t fmcode, fm; 1039 struct a { 1040 long id; 1041 long arg1; 1042 long arg2; 1043 long arg3; 1044 long arg4; 1045 long arg5; 1046 } *uap = (struct a *)clwp->lwp_ap; 1047 1048 fmcode = (uint_t)uap->id; 1049 1050 switch (fmcode) { 1051 1052 case 0: /* openat */ 1053 case 1: /* openat64 */ 1054 fm = (uint_t)uap->arg3; 1055 /* If no write, create, or trunc modes, mark as a public op */ 1056 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1057 tad->tad_ctrl |= PAD_PUBLIC_EV; 1058 1059 break; 1060 case 2: /* fstatat64 */ 1061 case 3: /* fstatat */ 1062 tad->tad_ctrl |= PAD_PUBLIC_EV; 1063 break; 1064 default: 1065 break; 1066 } 1067 } 1068 1069 /* msgsys */ 1070 static au_event_t 1071 aui_msgsys(au_event_t e) 1072 { 1073 klwp_t *clwp = ttolwp(curthread); 1074 uint_t fm; 1075 1076 struct a { 1077 long id; /* function code id */ 1078 long ap; /* arg pointer for recvmsg */ 1079 } *uap = (struct a *)clwp->lwp_ap; 1080 1081 struct b { 1082 long msgid; 1083 long cmd; 1084 long buf; /* struct msqid_ds * */ 1085 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1086 1087 fm = (uint_t)uap->id; 1088 1089 switch (fm) { 1090 case 0: /* msgget */ 1091 e = AUE_MSGGET; 1092 break; 1093 case 1: /* msgctl */ 1094 switch ((uint_t)uap1->cmd) { 1095 case IPC_RMID: 1096 e = AUE_MSGCTL_RMID; 1097 break; 1098 case IPC_SET: 1099 e = AUE_MSGCTL_SET; 1100 break; 1101 case IPC_STAT: 1102 e = AUE_MSGCTL_STAT; 1103 break; 1104 default: 1105 e = AUE_MSGCTL; 1106 break; 1107 } 1108 break; 1109 case 2: /* msgrcv */ 1110 e = AUE_MSGRCV; 1111 break; 1112 case 3: /* msgsnd */ 1113 e = AUE_MSGSND; 1114 break; 1115 default: /* illegal system call */ 1116 e = AUE_NULL; 1117 break; 1118 } 1119 1120 return (e); 1121 } 1122 1123 1124 /* shmsys */ 1125 static au_event_t 1126 aui_shmsys(au_event_t e) 1127 { 1128 klwp_t *clwp = ttolwp(curthread); 1129 int fm; 1130 1131 struct a { /* shmsys */ 1132 long id; /* function code id */ 1133 } *uap = (struct a *)clwp->lwp_ap; 1134 1135 struct b { /* ctrl */ 1136 long shmid; 1137 long cmd; 1138 long arg; /* struct shmid_ds * */ 1139 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1140 fm = (uint_t)uap->id; 1141 1142 switch (fm) { 1143 case 0: /* shmat */ 1144 e = AUE_SHMAT; 1145 break; 1146 case 1: /* shmctl */ 1147 switch ((uint_t)uap1->cmd) { 1148 case IPC_RMID: 1149 e = AUE_SHMCTL_RMID; 1150 break; 1151 case IPC_SET: 1152 e = AUE_SHMCTL_SET; 1153 break; 1154 case IPC_STAT: 1155 e = AUE_SHMCTL_STAT; 1156 break; 1157 default: 1158 e = AUE_SHMCTL; 1159 break; 1160 } 1161 break; 1162 case 2: /* shmdt */ 1163 e = AUE_SHMDT; 1164 break; 1165 case 3: /* shmget */ 1166 e = AUE_SHMGET; 1167 break; 1168 default: /* illegal system call */ 1169 e = AUE_NULL; 1170 break; 1171 } 1172 1173 return (e); 1174 } 1175 1176 1177 /* semsys */ 1178 static au_event_t 1179 aui_semsys(au_event_t e) 1180 { 1181 klwp_t *clwp = ttolwp(curthread); 1182 uint_t fm; 1183 1184 struct a { /* semsys */ 1185 long id; 1186 } *uap = (struct a *)clwp->lwp_ap; 1187 1188 struct b { /* ctrl */ 1189 long semid; 1190 long semnum; 1191 long cmd; 1192 long arg; 1193 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1194 1195 fm = (uint_t)uap->id; 1196 1197 switch (fm) { 1198 case 0: /* semctl */ 1199 switch ((uint_t)uap1->cmd) { 1200 case IPC_RMID: 1201 e = AUE_SEMCTL_RMID; 1202 break; 1203 case IPC_SET: 1204 e = AUE_SEMCTL_SET; 1205 break; 1206 case IPC_STAT: 1207 e = AUE_SEMCTL_STAT; 1208 break; 1209 case GETNCNT: 1210 e = AUE_SEMCTL_GETNCNT; 1211 break; 1212 case GETPID: 1213 e = AUE_SEMCTL_GETPID; 1214 break; 1215 case GETVAL: 1216 e = AUE_SEMCTL_GETVAL; 1217 break; 1218 case GETALL: 1219 e = AUE_SEMCTL_GETALL; 1220 break; 1221 case GETZCNT: 1222 e = AUE_SEMCTL_GETZCNT; 1223 break; 1224 case SETVAL: 1225 e = AUE_SEMCTL_SETVAL; 1226 break; 1227 case SETALL: 1228 e = AUE_SEMCTL_SETALL; 1229 break; 1230 default: 1231 e = AUE_SEMCTL; 1232 break; 1233 } 1234 break; 1235 case 1: /* semget */ 1236 e = AUE_SEMGET; 1237 break; 1238 case 2: /* semop */ 1239 e = AUE_SEMOP; 1240 break; 1241 default: /* illegal system call */ 1242 e = AUE_NULL; 1243 break; 1244 } 1245 1246 return (e); 1247 } 1248 1249 /* utssys - uname(2), ustat(2), fusers(2) */ 1250 static au_event_t 1251 aui_utssys(au_event_t e) 1252 { 1253 klwp_t *clwp = ttolwp(curthread); 1254 uint_t type; 1255 1256 struct a { 1257 union { 1258 long cbuf; /* char * */ 1259 long ubuf; /* struct stat * */ 1260 } ub; 1261 union { 1262 long mv; /* for USTAT */ 1263 long flags; /* for FUSERS */ 1264 } un; 1265 long type; 1266 long outbp; /* char * for FUSERS */ 1267 } *uap = (struct a *)clwp->lwp_ap; 1268 1269 type = (uint_t)uap->type; 1270 1271 if (type == UTS_FUSERS) 1272 return (e); 1273 else 1274 return ((au_event_t)AUE_NULL); 1275 } 1276 1277 static au_event_t 1278 aui_fcntl(au_event_t e) 1279 { 1280 klwp_t *clwp = ttolwp(curthread); 1281 uint_t cmd; 1282 1283 struct a { 1284 long fdes; 1285 long cmd; 1286 long arg; 1287 } *uap = (struct a *)clwp->lwp_ap; 1288 1289 cmd = (uint_t)uap->cmd; 1290 1291 switch (cmd) { 1292 case F_GETLK: 1293 case F_SETLK: 1294 case F_SETLKW: 1295 break; 1296 case F_SETFL: 1297 case F_GETFL: 1298 case F_GETFD: 1299 break; 1300 default: 1301 e = (au_event_t)AUE_NULL; 1302 break; 1303 } 1304 return ((au_event_t)e); 1305 } 1306 1307 /* null function for now */ 1308 static au_event_t 1309 aui_execv(au_event_t e) 1310 { 1311 return (e); 1312 } 1313 1314 /* null function for now */ 1315 static au_event_t 1316 aui_execve(au_event_t e) 1317 { 1318 return (e); 1319 } 1320 1321 /*ARGSUSED*/ 1322 static void 1323 aus_fcntl(struct t_audit_data *tad) 1324 { 1325 klwp_t *clwp = ttolwp(curthread); 1326 uint32_t cmd, fd; 1327 struct file *fp; 1328 struct vnode *vp; 1329 struct f_audit_data *fad; 1330 1331 struct a { 1332 long fd; 1333 long cmd; 1334 long arg; 1335 } *uap = (struct a *)clwp->lwp_ap; 1336 1337 cmd = (uint32_t)uap->cmd; 1338 fd = (uint32_t)uap->fd; 1339 1340 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1341 1342 /* 1343 * convert file pointer to file descriptor 1344 * Note: fd ref count incremented here. 1345 */ 1346 if ((fp = getf(fd)) == NULL) 1347 return; 1348 1349 /* get path from file struct here */ 1350 fad = F2A(fp); 1351 if (fad->fad_aupath != NULL) { 1352 au_uwrite(au_to_path(fad->fad_aupath)); 1353 } else { 1354 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1355 } 1356 1357 vp = fp->f_vnode; 1358 audit_attributes(vp); 1359 1360 /* decrement file descriptor reference count */ 1361 releasef(fd); 1362 } 1363 1364 /*ARGSUSED*/ 1365 static void 1366 aus_kill(struct t_audit_data *tad) 1367 { 1368 klwp_t *clwp = ttolwp(curthread); 1369 struct proc *p; 1370 uint32_t signo; 1371 uid_t uid, ruid; 1372 gid_t gid, rgid; 1373 pid_t pid; 1374 const auditinfo_addr_t *ainfo; 1375 cred_t *cr; 1376 1377 struct a { 1378 long pid; 1379 long signo; 1380 } *uap = (struct a *)clwp->lwp_ap; 1381 1382 pid = (pid_t)uap->pid; 1383 signo = (uint32_t)uap->signo; 1384 1385 au_uwrite(au_to_arg32(2, "signal", signo)); 1386 if (pid > 0) { 1387 mutex_enter(&pidlock); 1388 if (((p = prfind(pid)) == (struct proc *)0) || 1389 (p->p_stat == SIDL)) { 1390 mutex_exit(&pidlock); 1391 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1392 return; 1393 } 1394 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1395 mutex_exit(&pidlock); 1396 1397 mutex_enter(&p->p_crlock); 1398 crhold(cr = p->p_cred); 1399 mutex_exit(&p->p_crlock); 1400 mutex_exit(&p->p_lock); 1401 1402 ainfo = crgetauinfo(cr); 1403 if (ainfo == NULL) { 1404 crfree(cr); 1405 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1406 return; 1407 } 1408 1409 uid = crgetuid(cr); 1410 gid = crgetgid(cr); 1411 ruid = crgetruid(cr); 1412 rgid = crgetrgid(cr); 1413 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1414 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1415 1416 if (is_system_labeled()) 1417 au_uwrite(au_to_label(CR_SL(cr))); 1418 1419 crfree(cr); 1420 } 1421 else 1422 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1423 } 1424 1425 /*ARGSUSED*/ 1426 static void 1427 aus_mkdir(struct t_audit_data *tad) 1428 { 1429 klwp_t *clwp = ttolwp(curthread); 1430 uint32_t dmode; 1431 1432 struct a { 1433 long dirnamep; /* char * */ 1434 long dmode; 1435 } *uap = (struct a *)clwp->lwp_ap; 1436 1437 dmode = (uint32_t)uap->dmode; 1438 1439 au_uwrite(au_to_arg32(2, "mode", dmode)); 1440 } 1441 1442 /*ARGSUSED*/ 1443 static void 1444 aus_mknod(struct t_audit_data *tad) 1445 { 1446 klwp_t *clwp = ttolwp(curthread); 1447 uint32_t fmode; 1448 dev_t dev; 1449 1450 struct a { 1451 long pnamep; /* char * */ 1452 long fmode; 1453 long dev; 1454 } *uap = (struct a *)clwp->lwp_ap; 1455 1456 fmode = (uint32_t)uap->fmode; 1457 dev = (dev_t)uap->dev; 1458 1459 au_uwrite(au_to_arg32(2, "mode", fmode)); 1460 #ifdef _LP64 1461 au_uwrite(au_to_arg64(3, "dev", dev)); 1462 #else 1463 au_uwrite(au_to_arg32(3, "dev", dev)); 1464 #endif 1465 } 1466 1467 /*ARGSUSED*/ 1468 static void 1469 aus_xmknod(struct t_audit_data *tad) 1470 { 1471 klwp_t *clwp = ttolwp(curthread); 1472 uint32_t fmode; 1473 dev_t dev; 1474 1475 struct a { 1476 long version; /* version */ 1477 long pnamep; /* char * */ 1478 long fmode; 1479 long dev; 1480 } *uap = (struct a *)clwp->lwp_ap; 1481 1482 fmode = (uint32_t)uap->fmode; 1483 dev = (dev_t)uap->dev; 1484 1485 au_uwrite(au_to_arg32(2, "mode", fmode)); 1486 #ifdef _LP64 1487 au_uwrite(au_to_arg64(3, "dev", dev)); 1488 #else 1489 au_uwrite(au_to_arg32(3, "dev", dev)); 1490 #endif 1491 } 1492 1493 /*ARGSUSED*/ 1494 static void 1495 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1496 { 1497 klwp_t *clwp = ttolwp(curthread); 1498 vnode_t *dvp; 1499 caddr_t pnamep; 1500 1501 struct a { 1502 long pnamep; /* char * */ 1503 long fmode; 1504 long dev; 1505 } *uap = (struct a *)clwp->lwp_ap; 1506 1507 /* no error, then already path token in audit record */ 1508 if (error != EPERM) 1509 return; 1510 1511 /* not auditing this event, nothing then to do */ 1512 if (tad->tad_flag == 0) 1513 return; 1514 1515 /* do the lookup to force generation of path token */ 1516 pnamep = (caddr_t)uap->pnamep; 1517 tad->tad_ctrl |= PAD_NOATTRB; 1518 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1519 if (error == 0) 1520 VN_RELE(dvp); 1521 } 1522 1523 /*ARGSUSED*/ 1524 static void 1525 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1526 { 1527 klwp_t *clwp = ttolwp(curthread); 1528 vnode_t *dvp; 1529 caddr_t pnamep; 1530 1531 struct a { 1532 long version; /* version */ 1533 long pnamep; /* char * */ 1534 long fmode; 1535 long dev; 1536 } *uap = (struct a *)clwp->lwp_arg; 1537 1538 1539 /* no error, then already path token in audit record */ 1540 if (error != EPERM) 1541 return; 1542 1543 /* not auditing this event, nothing then to do */ 1544 if (tad->tad_flag == 0) 1545 return; 1546 1547 /* do the lookup to force generation of path token */ 1548 pnamep = (caddr_t)uap->pnamep; 1549 tad->tad_ctrl |= PAD_NOATTRB; 1550 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1551 if (error == 0) 1552 VN_RELE(dvp); 1553 } 1554 1555 /*ARGSUSED*/ 1556 static void 1557 aus_mount(struct t_audit_data *tad) 1558 { /* AUS_START */ 1559 klwp_t *clwp = ttolwp(curthread); 1560 uint32_t flags; 1561 uintptr_t u_fstype, dataptr; 1562 STRUCT_DECL(nfs_args, nfsargs); 1563 size_t len; 1564 char *fstype, *hostname; 1565 1566 struct a { 1567 long spec; /* char * */ 1568 long dir; /* char * */ 1569 long flags; 1570 long fstype; /* char * */ 1571 long dataptr; /* char * */ 1572 long datalen; 1573 } *uap = (struct a *)clwp->lwp_ap; 1574 1575 u_fstype = (uintptr_t)uap->fstype; 1576 flags = (uint32_t)uap->flags; 1577 dataptr = (uintptr_t)uap->dataptr; 1578 1579 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1580 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1581 goto mount_free_fstype; 1582 1583 au_uwrite(au_to_arg32(3, "flags", flags)); 1584 au_uwrite(au_to_text(fstype)); 1585 1586 if (strncmp(fstype, "nfs", 3) == 0) { 1587 1588 STRUCT_INIT(nfsargs, get_udatamodel()); 1589 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1590 1591 if (copyin((caddr_t)dataptr, 1592 STRUCT_BUF(nfsargs), 1593 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1594 /* DEBUG debug_enter((char *)NULL); */ 1595 goto mount_free_fstype; 1596 } 1597 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1598 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1599 (caddr_t)hostname, 1600 MAXNAMELEN, &len)) { 1601 goto mount_free_hostname; 1602 } 1603 au_uwrite(au_to_text(hostname)); 1604 au_uwrite(au_to_arg32(3, "internal flags", 1605 (uint_t)STRUCT_FGET(nfsargs, flags))); 1606 1607 mount_free_hostname: 1608 kmem_free(hostname, MAXNAMELEN); 1609 } 1610 1611 mount_free_fstype: 1612 kmem_free(fstype, MAXNAMELEN); 1613 } /* AUS_MOUNT */ 1614 1615 static void 1616 aus_umount_path(caddr_t umount_dir) 1617 { 1618 char *dir_path; 1619 struct audit_path *path; 1620 size_t path_len, dir_len; 1621 1622 /* length alloc'd for two string pointers */ 1623 path_len = sizeof (struct audit_path) + sizeof (char *); 1624 path = kmem_alloc(path_len, KM_SLEEP); 1625 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1626 1627 if (copyinstr(umount_dir, (caddr_t)dir_path, 1628 MAXPATHLEN, &dir_len)) 1629 goto umount2_free_dir; 1630 1631 /* 1632 * the audit_path struct assumes that the buffer pointed to 1633 * by audp_sect[n] contains string 0 immediatedly followed 1634 * by string 1. 1635 */ 1636 path->audp_sect[0] = dir_path; 1637 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1638 path->audp_size = path_len; 1639 path->audp_ref = 1; /* not used */ 1640 path->audp_cnt = 1; /* one path string */ 1641 1642 au_uwrite(au_to_path(path)); 1643 1644 umount2_free_dir: 1645 kmem_free(dir_path, MAXPATHLEN); 1646 kmem_free(path, path_len); 1647 } 1648 1649 /* 1650 * the umount syscall is implemented as a call to umount2, but the args 1651 * are different... 1652 */ 1653 1654 /*ARGSUSED*/ 1655 static void 1656 aus_umount(struct t_audit_data *tad) 1657 { 1658 klwp_t *clwp = ttolwp(curthread); 1659 struct a { 1660 long dir; /* char * */ 1661 } *uap = (struct a *)clwp->lwp_ap; 1662 1663 aus_umount_path((caddr_t)uap->dir); 1664 } 1665 1666 /*ARGSUSED*/ 1667 static void 1668 aus_umount2(struct t_audit_data *tad) 1669 { 1670 klwp_t *clwp = ttolwp(curthread); 1671 struct a { 1672 long dir; /* char * */ 1673 long flags; 1674 } *uap = (struct a *)clwp->lwp_ap; 1675 1676 aus_umount_path((caddr_t)uap->dir); 1677 1678 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1679 } 1680 1681 static void 1682 aus_msgsys(struct t_audit_data *tad) 1683 { 1684 klwp_t *clwp = ttolwp(curthread); 1685 uint32_t msgid; 1686 1687 struct b { 1688 long msgid; 1689 long cmd; 1690 long buf; /* struct msqid_ds * */ 1691 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1692 1693 msgid = (uint32_t)uap1->msgid; 1694 1695 1696 switch (tad->tad_event) { 1697 case AUE_MSGGET: /* msgget */ 1698 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1699 break; 1700 case AUE_MSGCTL: /* msgctl */ 1701 case AUE_MSGCTL_RMID: /* msgctl */ 1702 case AUE_MSGCTL_STAT: /* msgctl */ 1703 case AUE_MSGRCV: /* msgrcv */ 1704 case AUE_MSGSND: /* msgsnd */ 1705 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1706 break; 1707 case AUE_MSGCTL_SET: /* msgctl */ 1708 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1709 break; 1710 } 1711 } 1712 1713 /*ARGSUSED*/ 1714 static void 1715 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1716 { 1717 int id; 1718 1719 if (error != 0) 1720 return; 1721 if (tad->tad_event == AUE_MSGGET) { 1722 uint32_t scid; 1723 uint32_t sy_flags; 1724 1725 /* need to determine type of executing binary */ 1726 scid = tad->tad_scid; 1727 #ifdef _SYSCALL32_IMPL 1728 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1729 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1730 else 1731 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1732 #else 1733 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1734 #endif 1735 if (sy_flags == SE_32RVAL1) 1736 id = rval->r_val1; 1737 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1738 id = rval->r_val1; 1739 if (sy_flags == SE_64RVAL) 1740 id = (int)rval->r_vals; 1741 1742 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1743 } 1744 } 1745 1746 static void 1747 aus_semsys(struct t_audit_data *tad) 1748 { 1749 klwp_t *clwp = ttolwp(curthread); 1750 uint32_t semid; 1751 1752 struct b { /* ctrl */ 1753 long semid; 1754 long semnum; 1755 long cmd; 1756 long arg; 1757 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1758 1759 semid = (uint32_t)uap1->semid; 1760 1761 switch (tad->tad_event) { 1762 case AUE_SEMCTL_RMID: 1763 case AUE_SEMCTL_STAT: 1764 case AUE_SEMCTL_GETNCNT: 1765 case AUE_SEMCTL_GETPID: 1766 case AUE_SEMCTL_GETVAL: 1767 case AUE_SEMCTL_GETALL: 1768 case AUE_SEMCTL_GETZCNT: 1769 case AUE_SEMCTL_SETVAL: 1770 case AUE_SEMCTL_SETALL: 1771 case AUE_SEMCTL: 1772 case AUE_SEMOP: 1773 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1774 break; 1775 case AUE_SEMCTL_SET: 1776 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1777 break; 1778 case AUE_SEMGET: 1779 au_uwrite(au_to_arg32(1, "sem key", semid)); 1780 break; 1781 } 1782 } 1783 1784 /*ARGSUSED*/ 1785 static void 1786 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1787 { 1788 int id; 1789 1790 if (error != 0) 1791 return; 1792 if (tad->tad_event == AUE_SEMGET) { 1793 uint32_t scid; 1794 uint32_t sy_flags; 1795 1796 /* need to determine type of executing binary */ 1797 scid = tad->tad_scid; 1798 #ifdef _SYSCALL32_IMPL 1799 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1800 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1801 else 1802 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1803 #else 1804 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1805 #endif 1806 if (sy_flags == SE_32RVAL1) 1807 id = rval->r_val1; 1808 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1809 id = rval->r_val1; 1810 if (sy_flags == SE_64RVAL) 1811 id = (int)rval->r_vals; 1812 1813 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1814 } 1815 } 1816 1817 /*ARGSUSED*/ 1818 static void 1819 aus_close(struct t_audit_data *tad) 1820 { 1821 klwp_t *clwp = ttolwp(curthread); 1822 uint32_t fd; 1823 struct file *fp; 1824 struct f_audit_data *fad; 1825 struct vnode *vp; 1826 struct vattr attr; 1827 au_kcontext_t *kctx = GET_KCTX_PZ; 1828 1829 struct a { 1830 long i; 1831 } *uap = (struct a *)clwp->lwp_ap; 1832 1833 fd = (uint32_t)uap->i; 1834 1835 attr.va_mask = 0; 1836 au_uwrite(au_to_arg32(1, "fd", fd)); 1837 1838 /* 1839 * convert file pointer to file descriptor 1840 * Note: fd ref count incremented here. 1841 */ 1842 if ((fp = getf(fd)) == NULL) 1843 return; 1844 1845 fad = F2A(fp); 1846 tad->tad_evmod = (short)fad->fad_flags; 1847 if (fad->fad_aupath != NULL) { 1848 au_uwrite(au_to_path(fad->fad_aupath)); 1849 if ((vp = fp->f_vnode) != NULL) { 1850 attr.va_mask = AT_ALL; 1851 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1852 /* 1853 * When write was not used and the file can be 1854 * considered public, skip the audit. 1855 */ 1856 if (((fp->f_flag & FWRITE) == 0) && 1857 file_is_public(&attr)) { 1858 tad->tad_flag = 0; 1859 tad->tad_evmod = 0; 1860 /* free any residual audit data */ 1861 au_close(kctx, &(u_ad), 0, 0, 0); 1862 releasef(fd); 1863 return; 1864 } 1865 au_uwrite(au_to_attr(&attr)); 1866 audit_sec_attributes(&(u_ad), vp); 1867 } 1868 } 1869 } 1870 1871 /* decrement file descriptor reference count */ 1872 releasef(fd); 1873 } 1874 1875 /*ARGSUSED*/ 1876 static void 1877 aus_fstatfs(struct t_audit_data *tad) 1878 { 1879 klwp_t *clwp = ttolwp(curthread); 1880 uint32_t fd; 1881 struct file *fp; 1882 struct vnode *vp; 1883 struct f_audit_data *fad; 1884 1885 struct a { 1886 long fd; 1887 long buf; /* struct statfs * */ 1888 } *uap = (struct a *)clwp->lwp_ap; 1889 1890 fd = (uint_t)uap->fd; 1891 1892 /* 1893 * convert file pointer to file descriptor 1894 * Note: fd ref count incremented here. 1895 */ 1896 if ((fp = getf(fd)) == NULL) 1897 return; 1898 1899 /* get path from file struct here */ 1900 fad = F2A(fp); 1901 if (fad->fad_aupath != NULL) { 1902 au_uwrite(au_to_path(fad->fad_aupath)); 1903 } else { 1904 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1905 } 1906 1907 vp = fp->f_vnode; 1908 audit_attributes(vp); 1909 1910 /* decrement file descriptor reference count */ 1911 releasef(fd); 1912 } 1913 1914 #ifdef NOTYET 1915 /*ARGSUSED*/ 1916 static void 1917 aus_setpgrp(struct t_audit_data *tad) 1918 { 1919 klwp_t *clwp = ttolwp(curthread); 1920 uint32_t pgrp; 1921 struct proc *p; 1922 uid_t uid, ruid; 1923 gid_t gid, rgid; 1924 pid_t pid; 1925 const auditinfo_addr_t *ainfo; 1926 cred_t *cr; 1927 1928 struct a { 1929 long pid; 1930 long pgrp; 1931 } *uap = (struct a *)clwp->lwp_ap; 1932 1933 pid = (pid_t)uap->pid; 1934 pgrp = (uint32_t)uap->pgrp; 1935 1936 /* current process? */ 1937 if (pid == 0) 1938 (return); 1939 1940 mutex_enter(&pidlock); 1941 p = prfind(pid); 1942 if (p == NULL || p->p_as == &kas) { 1943 mutex_exit(&pidlock); 1944 return; 1945 } 1946 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1947 mutex_exit(&pidlock); 1948 1949 mutex_enter(&p->p_crlock); 1950 crhold(cr = p->p_cred); 1951 mutex_exit(&p->p_crlock); 1952 mutex_exit(&p->p_lock); 1953 1954 ainfo = crgetauinfo(cr); 1955 if (ainfo == NULL) { 1956 crfree(cr); 1957 return; 1958 } 1959 1960 uid = crgetuid(cr); 1961 gid = crgetgid(cr); 1962 ruid = crgetruid(cr); 1963 rgid = crgetrgid(cr); 1964 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1965 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1966 crfree(cr); 1967 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1968 } 1969 #endif 1970 1971 /*ARGSUSED*/ 1972 static void 1973 aus_setregid(struct t_audit_data *tad) 1974 { 1975 klwp_t *clwp = ttolwp(curthread); 1976 uint32_t rgid, egid; 1977 1978 struct a { 1979 long rgid; 1980 long egid; 1981 } *uap = (struct a *)clwp->lwp_ap; 1982 1983 rgid = (uint32_t)uap->rgid; 1984 egid = (uint32_t)uap->egid; 1985 1986 au_uwrite(au_to_arg32(1, "rgid", rgid)); 1987 au_uwrite(au_to_arg32(2, "egid", egid)); 1988 } 1989 1990 /*ARGSUSED*/ 1991 static void 1992 aus_setgid(struct t_audit_data *tad) 1993 { 1994 klwp_t *clwp = ttolwp(curthread); 1995 uint32_t gid; 1996 1997 struct a { 1998 long gid; 1999 } *uap = (struct a *)clwp->lwp_ap; 2000 2001 gid = (uint32_t)uap->gid; 2002 2003 au_uwrite(au_to_arg32(1, "gid", gid)); 2004 } 2005 2006 2007 /*ARGSUSED*/ 2008 static void 2009 aus_setreuid(struct t_audit_data *tad) 2010 { 2011 klwp_t *clwp = ttolwp(curthread); 2012 uint32_t ruid, euid; 2013 2014 struct a { 2015 long ruid; 2016 long euid; 2017 } *uap = (struct a *)clwp->lwp_ap; 2018 2019 ruid = (uint32_t)uap->ruid; 2020 euid = (uint32_t)uap->euid; 2021 2022 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2023 au_uwrite(au_to_arg32(2, "euid", euid)); 2024 } 2025 2026 2027 /*ARGSUSED*/ 2028 static void 2029 aus_setuid(struct t_audit_data *tad) 2030 { 2031 klwp_t *clwp = ttolwp(curthread); 2032 uint32_t uid; 2033 2034 struct a { 2035 long uid; 2036 } *uap = (struct a *)clwp->lwp_ap; 2037 2038 uid = (uint32_t)uap->uid; 2039 2040 au_uwrite(au_to_arg32(1, "uid", uid)); 2041 } 2042 2043 /*ARGSUSED*/ 2044 static void 2045 aus_shmsys(struct t_audit_data *tad) 2046 { 2047 klwp_t *clwp = ttolwp(curthread); 2048 uint32_t id, cmd; 2049 2050 struct b { 2051 long id; 2052 long cmd; 2053 long buf; /* struct shmid_ds * */ 2054 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2055 2056 id = (uint32_t)uap1->id; 2057 cmd = (uint32_t)uap1->cmd; 2058 2059 switch (tad->tad_event) { 2060 case AUE_SHMGET: /* shmget */ 2061 au_uwrite(au_to_arg32(1, "shm key", id)); 2062 break; 2063 case AUE_SHMCTL: /* shmctl */ 2064 case AUE_SHMCTL_RMID: /* shmctl */ 2065 case AUE_SHMCTL_STAT: /* shmctl */ 2066 case AUE_SHMCTL_SET: /* shmctl */ 2067 au_uwrite(au_to_arg32(1, "shm ID", id)); 2068 break; 2069 case AUE_SHMDT: /* shmdt */ 2070 au_uwrite(au_to_arg32(1, "shm adr", id)); 2071 break; 2072 case AUE_SHMAT: /* shmat */ 2073 au_uwrite(au_to_arg32(1, "shm ID", id)); 2074 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2075 break; 2076 } 2077 } 2078 2079 /*ARGSUSED*/ 2080 static void 2081 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2082 { 2083 int id; 2084 2085 if (error != 0) 2086 return; 2087 if (tad->tad_event == AUE_SHMGET) { 2088 uint32_t scid; 2089 uint32_t sy_flags; 2090 2091 /* need to determine type of executing binary */ 2092 scid = tad->tad_scid; 2093 #ifdef _SYSCALL32_IMPL 2094 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2095 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2096 else 2097 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2098 #else 2099 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2100 #endif 2101 if (sy_flags == SE_32RVAL1) 2102 id = rval->r_val1; 2103 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2104 id = rval->r_val1; 2105 if (sy_flags == SE_64RVAL) 2106 id = (int)rval->r_vals; 2107 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2108 } 2109 } 2110 2111 2112 /*ARGSUSED*/ 2113 static void 2114 aus_ioctl(struct t_audit_data *tad) 2115 { 2116 klwp_t *clwp = ttolwp(curthread); 2117 struct file *fp; 2118 struct vnode *vp; 2119 struct f_audit_data *fad; 2120 uint32_t fd, cmd; 2121 uintptr_t cmarg; 2122 2123 /* XX64 */ 2124 struct a { 2125 long fd; 2126 long cmd; 2127 long cmarg; /* caddr_t */ 2128 } *uap = (struct a *)clwp->lwp_ap; 2129 2130 fd = (uint32_t)uap->fd; 2131 cmd = (uint32_t)uap->cmd; 2132 cmarg = (uintptr_t)uap->cmarg; 2133 2134 /* 2135 * convert file pointer to file descriptor 2136 * Note: fd ref count incremented here. 2137 */ 2138 if ((fp = getf(fd)) == NULL) { 2139 au_uwrite(au_to_arg32(1, "fd", fd)); 2140 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2141 #ifndef _LP64 2142 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2143 #else 2144 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2145 #endif 2146 return; 2147 } 2148 2149 /* get path from file struct here */ 2150 fad = F2A(fp); 2151 if (fad->fad_aupath != NULL) { 2152 au_uwrite(au_to_path(fad->fad_aupath)); 2153 } else { 2154 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2155 } 2156 2157 vp = fp->f_vnode; 2158 audit_attributes(vp); 2159 2160 /* decrement file descriptor reference count */ 2161 releasef(fd); 2162 2163 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2164 #ifndef _LP64 2165 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2166 #else 2167 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2168 #endif 2169 } 2170 2171 /* 2172 * null function for memcntl for now. We might want to limit memcntl() 2173 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2174 * require privileges. 2175 */ 2176 static au_event_t 2177 aui_memcntl(au_event_t e) 2178 { 2179 return (e); 2180 } 2181 2182 /*ARGSUSED*/ 2183 static au_event_t 2184 aui_privsys(au_event_t e) 2185 { 2186 klwp_t *clwp = ttolwp(curthread); 2187 2188 struct a { 2189 long opcode; 2190 } *uap = (struct a *)clwp->lwp_ap; 2191 2192 switch (uap->opcode) { 2193 case PRIVSYS_SETPPRIV: 2194 return (AUE_SETPPRIV); 2195 default: 2196 return (AUE_NULL); 2197 } 2198 } 2199 2200 /*ARGSUSED*/ 2201 static void 2202 aus_memcntl(struct t_audit_data *tad) 2203 { 2204 klwp_t *clwp = ttolwp(curthread); 2205 2206 struct a { 2207 long addr; 2208 long len; 2209 long cmd; 2210 long arg; 2211 long attr; 2212 long mask; 2213 } *uap = (struct a *)clwp->lwp_ap; 2214 2215 #ifdef _LP64 2216 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2217 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2218 #else 2219 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2220 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2221 #endif 2222 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2223 #ifdef _LP64 2224 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2225 #else 2226 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2227 #endif 2228 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2229 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2230 } 2231 2232 /*ARGSUSED*/ 2233 static void 2234 aus_mmap(struct t_audit_data *tad) 2235 { 2236 klwp_t *clwp = ttolwp(curthread); 2237 struct file *fp; 2238 struct f_audit_data *fad; 2239 struct vnode *vp; 2240 uint32_t fd; 2241 2242 struct a { 2243 long addr; 2244 long len; 2245 long prot; 2246 long flags; 2247 long fd; 2248 long pos; 2249 } *uap = (struct a *)clwp->lwp_ap; 2250 2251 fd = (uint32_t)uap->fd; 2252 2253 #ifdef _LP64 2254 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2255 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2256 #else 2257 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2258 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2259 #endif 2260 2261 if ((fp = getf(fd)) == NULL) { 2262 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2263 return; 2264 } 2265 2266 /* 2267 * Mark in the tad if write access is NOT requested... if 2268 * this is later detected (in audit_attributes) to be a 2269 * public object, the mmap event may be discarded. 2270 */ 2271 if (((uap->prot) & PROT_WRITE) == 0) { 2272 tad->tad_ctrl |= PAD_PUBLIC_EV; 2273 } 2274 2275 fad = F2A(fp); 2276 if (fad->fad_aupath != NULL) { 2277 au_uwrite(au_to_path(fad->fad_aupath)); 2278 } else { 2279 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2280 } 2281 2282 vp = (struct vnode *)fp->f_vnode; 2283 audit_attributes(vp); 2284 2285 /* mark READ/WRITE since we can't predict access */ 2286 if (uap->prot & PROT_READ) 2287 fad->fad_flags |= FAD_READ; 2288 if (uap->prot & PROT_WRITE) 2289 fad->fad_flags |= FAD_WRITE; 2290 2291 /* decrement file descriptor reference count */ 2292 releasef(fd); 2293 2294 } /* AUS_MMAP */ 2295 2296 2297 2298 2299 /*ARGSUSED*/ 2300 static void 2301 aus_munmap(struct t_audit_data *tad) 2302 { 2303 klwp_t *clwp = ttolwp(curthread); 2304 2305 struct a { 2306 long addr; 2307 long len; 2308 } *uap = (struct a *)clwp->lwp_ap; 2309 2310 #ifdef _LP64 2311 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2312 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2313 #else 2314 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2315 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2316 #endif 2317 2318 } /* AUS_MUNMAP */ 2319 2320 2321 2322 2323 2324 2325 2326 /*ARGSUSED*/ 2327 static void 2328 aus_priocntlsys(struct t_audit_data *tad) 2329 { 2330 klwp_t *clwp = ttolwp(curthread); 2331 2332 struct a { 2333 long pc_version; 2334 long psp; /* procset_t */ 2335 long cmd; 2336 long arg; 2337 } *uap = (struct a *)clwp->lwp_ap; 2338 2339 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2340 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2341 2342 } /* AUS_PRIOCNTLSYS */ 2343 2344 2345 /*ARGSUSED*/ 2346 static void 2347 aus_setegid(struct t_audit_data *tad) 2348 { 2349 klwp_t *clwp = ttolwp(curthread); 2350 uint32_t gid; 2351 2352 struct a { 2353 long gid; 2354 } *uap = (struct a *)clwp->lwp_ap; 2355 2356 gid = (uint32_t)uap->gid; 2357 2358 au_uwrite(au_to_arg32(1, "gid", gid)); 2359 } /* AUS_SETEGID */ 2360 2361 2362 2363 2364 /*ARGSUSED*/ 2365 static void 2366 aus_setgroups(struct t_audit_data *tad) 2367 { 2368 klwp_t *clwp = ttolwp(curthread); 2369 int i; 2370 int gidsetsize; 2371 uintptr_t gidset; 2372 gid_t *gidlist; 2373 2374 struct a { 2375 long gidsetsize; 2376 long gidset; 2377 } *uap = (struct a *)clwp->lwp_ap; 2378 2379 gidsetsize = (uint_t)uap->gidsetsize; 2380 gidset = (uintptr_t)uap->gidset; 2381 2382 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2383 return; 2384 if (gidsetsize != 0) { 2385 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2386 KM_SLEEP); 2387 if (copyin((caddr_t)gidset, gidlist, 2388 gidsetsize * sizeof (gid_t)) == 0) 2389 for (i = 0; i < gidsetsize; i++) 2390 au_uwrite(au_to_arg32(1, "setgroups", 2391 (uint32_t)gidlist[i])); 2392 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2393 } else 2394 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2395 2396 } /* AUS_SETGROUPS */ 2397 2398 2399 2400 2401 2402 /*ARGSUSED*/ 2403 static void 2404 aus_seteuid(struct t_audit_data *tad) 2405 { 2406 klwp_t *clwp = ttolwp(curthread); 2407 uint32_t uid; 2408 2409 struct a { 2410 long uid; 2411 } *uap = (struct a *)clwp->lwp_ap; 2412 2413 uid = (uint32_t)uap->uid; 2414 2415 au_uwrite(au_to_arg32(1, "euid", uid)); 2416 2417 } /* AUS_SETEUID */ 2418 2419 /*ARGSUSED*/ 2420 static void 2421 aus_putmsg(struct t_audit_data *tad) 2422 { 2423 klwp_t *clwp = ttolwp(curthread); 2424 uint32_t fd, pri; 2425 struct file *fp; 2426 struct f_audit_data *fad; 2427 2428 struct a { 2429 long fdes; 2430 long ctl; /* struct strbuf * */ 2431 long data; /* struct strbuf * */ 2432 long pri; 2433 } *uap = (struct a *)clwp->lwp_ap; 2434 2435 fd = (uint32_t)uap->fdes; 2436 pri = (uint32_t)uap->pri; 2437 2438 au_uwrite(au_to_arg32(1, "fd", fd)); 2439 2440 if ((fp = getf(fd)) != NULL) { 2441 fad = F2A(fp); 2442 2443 fad->fad_flags |= FAD_WRITE; 2444 2445 /* add path name to audit record */ 2446 if (fad->fad_aupath != NULL) { 2447 au_uwrite(au_to_path(fad->fad_aupath)); 2448 } 2449 audit_attributes(fp->f_vnode); 2450 2451 releasef(fd); 2452 } 2453 2454 au_uwrite(au_to_arg32(4, "pri", pri)); 2455 } 2456 2457 /*ARGSUSED*/ 2458 static void 2459 aus_putpmsg(struct t_audit_data *tad) 2460 { 2461 klwp_t *clwp = ttolwp(curthread); 2462 uint32_t fd, pri, flags; 2463 struct file *fp; 2464 struct f_audit_data *fad; 2465 2466 struct a { 2467 long fdes; 2468 long ctl; /* struct strbuf * */ 2469 long data; /* struct strbuf * */ 2470 long pri; 2471 long flags; 2472 } *uap = (struct a *)clwp->lwp_ap; 2473 2474 fd = (uint32_t)uap->fdes; 2475 pri = (uint32_t)uap->pri; 2476 flags = (uint32_t)uap->flags; 2477 2478 au_uwrite(au_to_arg32(1, "fd", fd)); 2479 2480 if ((fp = getf(fd)) != NULL) { 2481 fad = F2A(fp); 2482 2483 fad->fad_flags |= FAD_WRITE; 2484 2485 /* add path name to audit record */ 2486 if (fad->fad_aupath != NULL) { 2487 au_uwrite(au_to_path(fad->fad_aupath)); 2488 } 2489 audit_attributes(fp->f_vnode); 2490 2491 releasef(fd); 2492 } 2493 2494 2495 au_uwrite(au_to_arg32(4, "pri", pri)); 2496 au_uwrite(au_to_arg32(5, "flags", flags)); 2497 } 2498 2499 /*ARGSUSED*/ 2500 static void 2501 aus_getmsg(struct t_audit_data *tad) 2502 { 2503 klwp_t *clwp = ttolwp(curthread); 2504 uint32_t fd, pri; 2505 struct file *fp; 2506 struct f_audit_data *fad; 2507 2508 struct a { 2509 long fdes; 2510 long ctl; /* struct strbuf * */ 2511 long data; /* struct strbuf * */ 2512 long pri; 2513 } *uap = (struct a *)clwp->lwp_ap; 2514 2515 fd = (uint32_t)uap->fdes; 2516 pri = (uint32_t)uap->pri; 2517 2518 au_uwrite(au_to_arg32(1, "fd", fd)); 2519 2520 if ((fp = getf(fd)) != NULL) { 2521 fad = F2A(fp); 2522 2523 /* 2524 * read operation on this object 2525 */ 2526 fad->fad_flags |= FAD_READ; 2527 2528 /* add path name to audit record */ 2529 if (fad->fad_aupath != NULL) { 2530 au_uwrite(au_to_path(fad->fad_aupath)); 2531 } 2532 audit_attributes(fp->f_vnode); 2533 2534 releasef(fd); 2535 } 2536 2537 au_uwrite(au_to_arg32(4, "pri", pri)); 2538 } 2539 2540 /*ARGSUSED*/ 2541 static void 2542 aus_getpmsg(struct t_audit_data *tad) 2543 { 2544 klwp_t *clwp = ttolwp(curthread); 2545 uint32_t fd; 2546 struct file *fp; 2547 struct f_audit_data *fad; 2548 2549 struct a { 2550 long fdes; 2551 long ctl; /* struct strbuf * */ 2552 long data; /* struct strbuf * */ 2553 long pri; 2554 long flags; 2555 } *uap = (struct a *)clwp->lwp_ap; 2556 2557 fd = (uint32_t)uap->fdes; 2558 2559 au_uwrite(au_to_arg32(1, "fd", fd)); 2560 2561 if ((fp = getf(fd)) != NULL) { 2562 fad = F2A(fp); 2563 2564 /* 2565 * read operation on this object 2566 */ 2567 fad->fad_flags |= FAD_READ; 2568 2569 /* add path name to audit record */ 2570 if (fad->fad_aupath != NULL) { 2571 au_uwrite(au_to_path(fad->fad_aupath)); 2572 } 2573 audit_attributes(fp->f_vnode); 2574 2575 releasef(fd); 2576 } 2577 } 2578 2579 static au_event_t 2580 aui_auditsys(au_event_t e) 2581 { 2582 klwp_t *clwp = ttolwp(curthread); 2583 uint32_t code; 2584 2585 struct a { 2586 long code; 2587 long a1; 2588 long a2; 2589 long a3; 2590 long a4; 2591 long a5; 2592 long a6; 2593 long a7; 2594 } *uap = (struct a *)clwp->lwp_ap; 2595 2596 code = (uint32_t)uap->code; 2597 2598 switch (code) { 2599 2600 case BSM_GETAUID: 2601 e = AUE_GETAUID; 2602 break; 2603 case BSM_SETAUID: 2604 e = AUE_SETAUID; 2605 break; 2606 case BSM_GETAUDIT: 2607 e = AUE_GETAUDIT; 2608 break; 2609 case BSM_GETAUDIT_ADDR: 2610 e = AUE_GETAUDIT_ADDR; 2611 break; 2612 case BSM_SETAUDIT: 2613 e = AUE_SETAUDIT; 2614 break; 2615 case BSM_SETAUDIT_ADDR: 2616 e = AUE_SETAUDIT_ADDR; 2617 break; 2618 case BSM_AUDIT: 2619 e = AUE_AUDIT; 2620 break; 2621 case BSM_GETPORTAUDIT: 2622 e = AUE_GETPORTAUDIT; 2623 break; 2624 case BSM_AUDITON: 2625 case BSM_AUDITCTL: 2626 2627 switch ((uint_t)uap->a1) { 2628 2629 case A_GETPOLICY: 2630 e = AUE_AUDITON_GPOLICY; 2631 break; 2632 case A_SETPOLICY: 2633 e = AUE_AUDITON_SPOLICY; 2634 break; 2635 case A_GETKMASK: 2636 e = AUE_AUDITON_GETKMASK; 2637 break; 2638 case A_SETKMASK: 2639 e = AUE_AUDITON_SETKMASK; 2640 break; 2641 case A_GETQCTRL: 2642 e = AUE_AUDITON_GQCTRL; 2643 break; 2644 case A_SETQCTRL: 2645 e = AUE_AUDITON_SQCTRL; 2646 break; 2647 case A_GETCWD: 2648 e = AUE_AUDITON_GETCWD; 2649 break; 2650 case A_GETCAR: 2651 e = AUE_AUDITON_GETCAR; 2652 break; 2653 case A_GETSTAT: 2654 e = AUE_AUDITON_GETSTAT; 2655 break; 2656 case A_SETSTAT: 2657 e = AUE_AUDITON_SETSTAT; 2658 break; 2659 case A_SETUMASK: 2660 e = AUE_AUDITON_SETUMASK; 2661 break; 2662 case A_SETSMASK: 2663 e = AUE_AUDITON_SETSMASK; 2664 break; 2665 case A_GETCOND: 2666 e = AUE_AUDITON_GETCOND; 2667 break; 2668 case A_SETCOND: 2669 e = AUE_AUDITON_SETCOND; 2670 break; 2671 case A_GETCLASS: 2672 e = AUE_AUDITON_GETCLASS; 2673 break; 2674 case A_SETCLASS: 2675 e = AUE_AUDITON_SETCLASS; 2676 break; 2677 default: 2678 e = AUE_NULL; 2679 break; 2680 } 2681 break; 2682 default: 2683 e = AUE_NULL; 2684 break; 2685 } 2686 2687 return (e); 2688 2689 2690 2691 2692 } /* AUI_AUDITSYS */ 2693 2694 2695 2696 2697 2698 2699 2700 static void 2701 aus_auditsys(struct t_audit_data *tad) 2702 { 2703 klwp_t *clwp = ttolwp(curthread); 2704 uintptr_t a1, a2; 2705 STRUCT_DECL(auditinfo, ainfo); 2706 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2707 au_evclass_map_t event; 2708 au_mask_t mask; 2709 int auditstate, policy; 2710 au_id_t auid; 2711 2712 2713 struct a { 2714 long code; 2715 long a1; 2716 long a2; 2717 long a3; 2718 long a4; 2719 long a5; 2720 long a6; 2721 long a7; 2722 } *uap = (struct a *)clwp->lwp_ap; 2723 2724 a1 = (uintptr_t)uap->a1; 2725 a2 = (uintptr_t)uap->a2; 2726 2727 switch (tad->tad_event) { 2728 case AUE_SETAUID: 2729 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2730 return; 2731 au_uwrite(au_to_arg32(2, "setauid", auid)); 2732 break; 2733 case AUE_SETAUDIT: 2734 STRUCT_INIT(ainfo, get_udatamodel()); 2735 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2736 STRUCT_SIZE(ainfo))) { 2737 return; 2738 } 2739 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2740 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2741 #ifdef _LP64 2742 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2743 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2744 #else 2745 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2746 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2747 #endif 2748 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2749 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2750 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2751 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2752 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2753 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2754 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2755 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2756 break; 2757 case AUE_SETAUDIT_ADDR: 2758 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2759 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2760 STRUCT_SIZE(ainfo_addr))) { 2761 return; 2762 } 2763 au_uwrite(au_to_arg32((char)1, "auid", 2764 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2765 #ifdef _LP64 2766 au_uwrite(au_to_arg64((char)1, "port", 2767 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2768 #else 2769 au_uwrite(au_to_arg32((char)1, "port", 2770 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2771 #endif 2772 au_uwrite(au_to_arg32((char)1, "type", 2773 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2774 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2775 AU_IPv4) { 2776 au_uwrite(au_to_in_addr( 2777 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2778 ai_termid.at_addr))); 2779 } else { 2780 au_uwrite(au_to_in_addr_ex( 2781 (int32_t *)STRUCT_FGETP(ainfo_addr, 2782 ai_termid.at_addr))); 2783 } 2784 au_uwrite(au_to_arg32((char)1, "as_success", 2785 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2786 au_uwrite(au_to_arg32((char)1, "as_failure", 2787 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2788 au_uwrite(au_to_arg32((char)1, "asid", 2789 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2790 break; 2791 case AUE_AUDITON_SETKMASK: 2792 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2793 return; 2794 au_uwrite(au_to_arg32( 2795 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2796 au_uwrite(au_to_arg32( 2797 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2798 break; 2799 case AUE_AUDITON_SPOLICY: 2800 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2801 return; 2802 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2803 break; 2804 case AUE_AUDITON_SQCTRL: { 2805 STRUCT_DECL(au_qctrl, qctrl); 2806 model_t model; 2807 2808 model = get_udatamodel(); 2809 STRUCT_INIT(qctrl, model); 2810 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2811 return; 2812 if (model == DATAMODEL_ILP32) { 2813 au_uwrite(au_to_arg32( 2814 3, "setqctrl:aq_hiwater", 2815 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2816 au_uwrite(au_to_arg32( 2817 3, "setqctrl:aq_lowater", 2818 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2819 au_uwrite(au_to_arg32( 2820 3, "setqctrl:aq_bufsz", 2821 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2822 au_uwrite(au_to_arg32( 2823 3, "setqctrl:aq_delay", 2824 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2825 } else { 2826 au_uwrite(au_to_arg64( 2827 3, "setqctrl:aq_hiwater", 2828 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2829 au_uwrite(au_to_arg64( 2830 3, "setqctrl:aq_lowater", 2831 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2832 au_uwrite(au_to_arg64( 2833 3, "setqctrl:aq_bufsz", 2834 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2835 au_uwrite(au_to_arg64( 2836 3, "setqctrl:aq_delay", 2837 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2838 } 2839 break; 2840 } 2841 case AUE_AUDITON_SETUMASK: 2842 STRUCT_INIT(ainfo, get_udatamodel()); 2843 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2844 STRUCT_SIZE(ainfo))) { 2845 return; 2846 } 2847 au_uwrite(au_to_arg32(3, "setumask:as_success", 2848 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2849 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2850 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2851 break; 2852 case AUE_AUDITON_SETSMASK: 2853 STRUCT_INIT(ainfo, get_udatamodel()); 2854 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2855 STRUCT_SIZE(ainfo))) { 2856 return; 2857 } 2858 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2859 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2860 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2861 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2862 break; 2863 case AUE_AUDITON_SETCOND: 2864 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2865 return; 2866 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2867 break; 2868 case AUE_AUDITON_SETCLASS: 2869 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2870 return; 2871 au_uwrite(au_to_arg32( 2872 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2873 au_uwrite(au_to_arg32( 2874 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2875 break; 2876 case AUE_GETAUID: 2877 case AUE_GETAUDIT: 2878 case AUE_GETAUDIT_ADDR: 2879 case AUE_AUDIT: 2880 case AUE_GETPORTAUDIT: 2881 case AUE_AUDITON_GPOLICY: 2882 case AUE_AUDITON_GQCTRL: 2883 case AUE_AUDITON_GETKMASK: 2884 case AUE_AUDITON_GETCWD: 2885 case AUE_AUDITON_GETCAR: 2886 case AUE_AUDITON_GETSTAT: 2887 case AUE_AUDITON_SETSTAT: 2888 case AUE_AUDITON_GETCOND: 2889 case AUE_AUDITON_GETCLASS: 2890 break; 2891 default: 2892 break; 2893 } 2894 2895 } /* AUS_AUDITSYS */ 2896 2897 2898 /* only audit privileged operations for systeminfo(2) system call */ 2899 static au_event_t 2900 aui_sysinfo(au_event_t e) 2901 { 2902 klwp_t *clwp = ttolwp(curthread); 2903 uint32_t command; 2904 2905 struct a { 2906 long command; 2907 long buf; /* char * */ 2908 long count; 2909 } *uap = (struct a *)clwp->lwp_ap; 2910 2911 command = (uint32_t)uap->command; 2912 2913 switch (command) { 2914 case SI_SET_HOSTNAME: 2915 case SI_SET_SRPC_DOMAIN: 2916 e = (au_event_t)AUE_SYSINFO; 2917 break; 2918 default: 2919 e = (au_event_t)AUE_NULL; 2920 break; 2921 } 2922 return (e); 2923 } 2924 2925 /*ARGSUSED*/ 2926 static void 2927 aus_sysinfo(struct t_audit_data *tad) 2928 { 2929 klwp_t *clwp = ttolwp(curthread); 2930 uint32_t command; 2931 size_t len, maxlen; 2932 char *name; 2933 uintptr_t buf; 2934 2935 struct a { 2936 long command; 2937 long buf; /* char * */ 2938 long count; 2939 } *uap = (struct a *)clwp->lwp_ap; 2940 2941 command = (uint32_t)uap->command; 2942 buf = (uintptr_t)uap->buf; 2943 2944 au_uwrite(au_to_arg32(1, "cmd", command)); 2945 2946 switch (command) { 2947 case SI_SET_HOSTNAME: 2948 { 2949 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2950 return; 2951 2952 maxlen = SYS_NMLN; 2953 name = kmem_alloc(maxlen, KM_SLEEP); 2954 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 2955 break; 2956 2957 /* 2958 * Must be non-NULL string and string 2959 * must be less than SYS_NMLN chars. 2960 */ 2961 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 2962 break; 2963 2964 au_uwrite(au_to_text(name)); 2965 break; 2966 } 2967 2968 case SI_SET_SRPC_DOMAIN: 2969 { 2970 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2971 return; 2972 2973 maxlen = SYS_NMLN; 2974 name = kmem_alloc(maxlen, KM_SLEEP); 2975 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 2976 break; 2977 2978 /* 2979 * If string passed in is longer than length 2980 * allowed for domain name, fail. 2981 */ 2982 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 2983 break; 2984 2985 au_uwrite(au_to_text(name)); 2986 break; 2987 } 2988 2989 default: 2990 return; 2991 } 2992 2993 kmem_free(name, maxlen); 2994 } 2995 2996 static au_event_t 2997 aui_modctl(au_event_t e) 2998 { 2999 klwp_t *clwp = ttolwp(curthread); 3000 uint_t cmd; 3001 3002 struct a { 3003 long cmd; 3004 } *uap = (struct a *)clwp->lwp_ap; 3005 3006 cmd = (uint_t)uap->cmd; 3007 3008 switch (cmd) { 3009 case MODLOAD: 3010 e = AUE_MODLOAD; 3011 break; 3012 case MODUNLOAD: 3013 e = AUE_MODUNLOAD; 3014 break; 3015 case MODADDMAJBIND: 3016 e = AUE_MODADDMAJ; 3017 break; 3018 case MODSETDEVPOLICY: 3019 e = AUE_MODDEVPLCY; 3020 break; 3021 case MODALLOCPRIV: 3022 e = AUE_MODADDPRIV; 3023 break; 3024 default: 3025 e = AUE_NULL; 3026 break; 3027 } 3028 return (e); 3029 } 3030 3031 3032 /*ARGSUSED*/ 3033 static void 3034 aus_modctl(struct t_audit_data *tad) 3035 { 3036 klwp_t *clwp = ttolwp(curthread); 3037 void *a = clwp->lwp_ap; 3038 uint_t use_path; 3039 3040 switch (tad->tad_event) { 3041 case AUE_MODLOAD: { 3042 typedef struct { 3043 long cmd; 3044 long use_path; 3045 long filename; /* char * */ 3046 } modloada_t; 3047 3048 char *filenamep; 3049 uintptr_t fname; 3050 extern char *default_path; 3051 3052 fname = (uintptr_t)((modloada_t *)a)->filename; 3053 use_path = (uint_t)((modloada_t *)a)->use_path; 3054 3055 /* space to hold path */ 3056 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3057 /* get string */ 3058 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3059 /* free allocated path */ 3060 kmem_free(filenamep, MOD_MAXPATH); 3061 return; 3062 } 3063 /* ensure it's null terminated */ 3064 filenamep[MOD_MAXPATH - 1] = 0; 3065 3066 if (use_path) 3067 au_uwrite(au_to_text(default_path)); 3068 au_uwrite(au_to_text(filenamep)); 3069 3070 /* release temporary memory */ 3071 kmem_free(filenamep, MOD_MAXPATH); 3072 break; 3073 } 3074 case AUE_MODUNLOAD: { 3075 typedef struct { 3076 long cmd; 3077 long id; 3078 } modunloada_t; 3079 3080 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3081 3082 au_uwrite(au_to_arg32(1, "id", id)); 3083 break; 3084 } 3085 case AUE_MODADDMAJ: { 3086 STRUCT_DECL(modconfig, mc); 3087 typedef struct { 3088 long cmd; 3089 long subcmd; 3090 long data; /* int * */ 3091 } modconfiga_t; 3092 3093 STRUCT_DECL(aliases, alias); 3094 caddr_t ap; 3095 int i, num_aliases; 3096 char *drvname, *mc_drvname; 3097 char *name; 3098 extern char *ddi_major_to_name(major_t); 3099 model_t model; 3100 3101 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3102 3103 model = get_udatamodel(); 3104 STRUCT_INIT(mc, model); 3105 /* sanitize buffer */ 3106 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3107 /* get user arguments */ 3108 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3109 STRUCT_SIZE(mc)) != 0) 3110 return; 3111 3112 mc_drvname = STRUCT_FGET(mc, drvname); 3113 if ((drvname = ddi_major_to_name( 3114 (major_t)STRUCT_FGET(mc, major))) != NULL && 3115 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3116 /* safety */ 3117 if (mc_drvname[0] != '\0') { 3118 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3119 au_uwrite(au_to_text(mc_drvname)); 3120 } 3121 /* drvname != NULL from test above */ 3122 au_uwrite(au_to_text(drvname)); 3123 return; 3124 } 3125 3126 if (mc_drvname[0] != '\0') { 3127 /* safety */ 3128 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3129 au_uwrite(au_to_text(mc_drvname)); 3130 } else 3131 au_uwrite(au_to_text("no drvname")); 3132 3133 num_aliases = STRUCT_FGET(mc, num_aliases); 3134 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3135 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3136 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3137 STRUCT_INIT(alias, model); 3138 for (i = 0; i < num_aliases; i++) { 3139 bzero((caddr_t)STRUCT_BUF(alias), 3140 STRUCT_SIZE(alias)); 3141 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3142 STRUCT_SIZE(alias)) != 0) 3143 break; 3144 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3145 MAXMODCONFNAME, NULL) != 0) { 3146 break; 3147 } 3148 3149 au_uwrite(au_to_text(name)); 3150 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3151 } 3152 kmem_free(name, MAXMODCONFNAME); 3153 break; 3154 } 3155 default: 3156 break; 3157 } 3158 } 3159 3160 3161 /*ARGSUSED*/ 3162 static void 3163 auf_accept( 3164 struct t_audit_data *tad, 3165 int error, 3166 rval_t *rval) 3167 { 3168 uint32_t scid; 3169 uint32_t sy_flags; 3170 int fd; 3171 struct sonode *so; 3172 char so_laddr[sizeof (struct sockaddr_in6)]; 3173 char so_faddr[sizeof (struct sockaddr_in6)]; 3174 int err; 3175 int len; 3176 short so_family, so_type; 3177 int add_sock_token = 0; 3178 3179 /* need to determine type of executing binary */ 3180 scid = tad->tad_scid; 3181 #ifdef _SYSCALL32_IMPL 3182 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3183 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3184 else 3185 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3186 #else 3187 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3188 #endif 3189 if (sy_flags == SE_32RVAL1) 3190 fd = rval->r_val1; 3191 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3192 fd = rval->r_val1; 3193 if (sy_flags == SE_64RVAL) 3194 fd = (int)rval->r_vals; 3195 3196 if (error) { 3197 /* can't trust socket contents. Just return */ 3198 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3199 return; 3200 } 3201 3202 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3203 /* 3204 * not security relevant if doing a accept from non socket 3205 * so no extra tokens. Should probably turn off audit record 3206 * generation here. 3207 */ 3208 return; 3209 } 3210 3211 so_family = so->so_family; 3212 so_type = so->so_type; 3213 3214 switch (so_family) { 3215 case AF_INET: 3216 case AF_INET6: 3217 /* 3218 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3219 */ 3220 if (so->so_type == SOCK_STREAM) { 3221 3222 bzero((void *)so_laddr, sizeof (so_laddr)); 3223 bzero((void *)so_faddr, sizeof (so_faddr)); 3224 3225 /* 3226 * no local address then need to get it from lower 3227 * levels. only put out record on first read ala 3228 * AUE_WRITE. 3229 */ 3230 if (so->so_state & SS_ISBOUND) { 3231 /* only done once on a connection */ 3232 (void) SOP_GETSOCKNAME(so); 3233 (void) SOP_GETPEERNAME(so); 3234 3235 /* get local and foreign addresses */ 3236 mutex_enter(&so->so_lock); 3237 len = min(so->so_laddr_len, sizeof (so_laddr)); 3238 bcopy(so->so_laddr_sa, so_laddr, len); 3239 len = min(so->so_faddr_len, sizeof (so_faddr)); 3240 bcopy(so->so_faddr_sa, so_faddr, len); 3241 mutex_exit(&so->so_lock); 3242 } 3243 3244 add_sock_token = 1; 3245 } 3246 break; 3247 3248 default: 3249 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3250 break; 3251 } 3252 3253 releasef(fd); 3254 3255 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3256 3257 if (add_sock_token == 0) { 3258 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3259 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3260 return; 3261 } 3262 3263 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3264 3265 } 3266 3267 /*ARGSUSED*/ 3268 static void 3269 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3270 { 3271 struct a { 3272 long fd; 3273 long addr; 3274 long len; 3275 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3276 3277 struct sonode *so; 3278 char so_laddr[sizeof (struct sockaddr_in6)]; 3279 char so_faddr[sizeof (struct sockaddr_in6)]; 3280 int err, fd; 3281 int len; 3282 short so_family, so_type; 3283 int add_sock_token = 0; 3284 3285 fd = (int)uap->fd; 3286 3287 /* 3288 * bind failed, then nothing extra to add to audit record. 3289 */ 3290 if (error) { 3291 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3292 /* XXX may want to add failed address some day */ 3293 return; 3294 } 3295 3296 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3297 /* 3298 * not security relevant if doing a bind from non socket 3299 * so no extra tokens. Should probably turn off audit record 3300 * generation here. 3301 */ 3302 return; 3303 } 3304 3305 so_family = so->so_family; 3306 so_type = so->so_type; 3307 3308 switch (so_family) { 3309 case AF_INET: 3310 case AF_INET6: 3311 3312 bzero(so_faddr, sizeof (so_faddr)); 3313 3314 if (so->so_state & SS_ISBOUND) { 3315 /* only done once on a connection */ 3316 (void) SOP_GETSOCKNAME(so); 3317 } 3318 3319 mutex_enter(&so->so_lock); 3320 len = min(so->so_laddr_len, sizeof (so_laddr)); 3321 bcopy(so->so_laddr_sa, so_laddr, len); 3322 mutex_exit(&so->so_lock); 3323 3324 add_sock_token = 1; 3325 3326 break; 3327 3328 case AF_UNIX: 3329 /* token added by lookup */ 3330 break; 3331 default: 3332 /* AF_ROUTE, AF_KEY do not support accept */ 3333 break; 3334 } 3335 3336 releasef(fd); 3337 3338 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3339 3340 if (add_sock_token == 0) { 3341 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3342 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3343 return; 3344 } 3345 3346 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3347 3348 } 3349 3350 /*ARGSUSED*/ 3351 static void 3352 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3353 { 3354 struct a { 3355 long fd; 3356 long addr; 3357 long len; 3358 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3359 3360 struct sonode *so; 3361 char so_laddr[sizeof (struct sockaddr_in6)]; 3362 char so_faddr[sizeof (struct sockaddr_in6)]; 3363 int err, fd; 3364 int len; 3365 short so_family, so_type; 3366 int add_sock_token = 0; 3367 3368 fd = (int)uap->fd; 3369 3370 3371 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3372 /* 3373 * not security relevant if doing a connect from non socket 3374 * so no extra tokens. Should probably turn off audit record 3375 * generation here. 3376 */ 3377 return; 3378 } 3379 3380 so_family = so->so_family; 3381 so_type = so->so_type; 3382 3383 switch (so_family) { 3384 case AF_INET: 3385 case AF_INET6: 3386 /* 3387 * no local address then need to get it from lower 3388 * levels. 3389 */ 3390 if (so->so_state & SS_ISBOUND) { 3391 /* only done once on a connection */ 3392 (void) SOP_GETSOCKNAME(so); 3393 (void) SOP_GETPEERNAME(so); 3394 } 3395 3396 bzero(so_laddr, sizeof (so_laddr)); 3397 bzero(so_faddr, sizeof (so_faddr)); 3398 3399 mutex_enter(&so->so_lock); 3400 len = min(so->so_laddr_len, sizeof (so_laddr)); 3401 bcopy(so->so_laddr_sa, so_laddr, len); 3402 if (error) { 3403 mutex_exit(&so->so_lock); 3404 if (uap->addr == NULL) 3405 break; 3406 if (uap->len <= 0) 3407 break; 3408 len = min(uap->len, sizeof (so_faddr)); 3409 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3410 break; 3411 #ifdef NOTYET 3412 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3413 #endif 3414 } else { 3415 /* sanity check on length */ 3416 len = min(so->so_faddr_len, sizeof (so_faddr)); 3417 bcopy(so->so_faddr_sa, so_faddr, len); 3418 mutex_exit(&so->so_lock); 3419 } 3420 3421 add_sock_token = 1; 3422 3423 break; 3424 3425 case AF_UNIX: 3426 /* does a lookup on name */ 3427 break; 3428 3429 default: 3430 /* AF_ROUTE, AF_KEY do not support accept */ 3431 break; 3432 } 3433 3434 releasef(fd); 3435 3436 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3437 3438 if (add_sock_token == 0) { 3439 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3440 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3441 return; 3442 } 3443 3444 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3445 3446 } 3447 3448 /*ARGSUSED*/ 3449 static void 3450 aus_shutdown(struct t_audit_data *tad) 3451 { 3452 struct a { 3453 long fd; 3454 long how; 3455 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3456 3457 struct sonode *so; 3458 char so_laddr[sizeof (struct sockaddr_in6)]; 3459 char so_faddr[sizeof (struct sockaddr_in6)]; 3460 int err, fd; 3461 int len; 3462 short so_family, so_type; 3463 int add_sock_token = 0; 3464 file_t *fp; /* unix domain sockets */ 3465 struct f_audit_data *fad; /* unix domain sockets */ 3466 3467 fd = (int)uap->fd; 3468 3469 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3470 /* 3471 * not security relevant if doing a shutdown using non socket 3472 * so no extra tokens. Should probably turn off audit record 3473 * generation here. 3474 */ 3475 return; 3476 } 3477 3478 so_family = so->so_family; 3479 so_type = so->so_type; 3480 3481 switch (so_family) { 3482 case AF_INET: 3483 case AF_INET6: 3484 3485 bzero(so_laddr, sizeof (so_laddr)); 3486 bzero(so_faddr, sizeof (so_faddr)); 3487 3488 if (so->so_state & SS_ISBOUND) { 3489 /* 3490 * no local address then need to get it from lower 3491 * levels. 3492 */ 3493 if (so->so_laddr_len == 0) 3494 (void) SOP_GETSOCKNAME(so); 3495 if (so->so_faddr_len == 0) 3496 (void) SOP_GETPEERNAME(so); 3497 } 3498 3499 mutex_enter(&so->so_lock); 3500 len = min(so->so_laddr_len, sizeof (so_laddr)); 3501 bcopy(so->so_laddr_sa, so_laddr, len); 3502 len = min(so->so_faddr_len, sizeof (so_faddr)); 3503 bcopy(so->so_faddr_sa, so_faddr, len); 3504 mutex_exit(&so->so_lock); 3505 3506 add_sock_token = 1; 3507 3508 break; 3509 3510 case AF_UNIX: 3511 3512 /* get path from file struct here */ 3513 fad = F2A(fp); 3514 ASSERT(fad); 3515 3516 if (fad->fad_aupath != NULL) { 3517 au_uwrite(au_to_path(fad->fad_aupath)); 3518 } else { 3519 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3520 } 3521 3522 audit_attributes(fp->f_vnode); 3523 3524 break; 3525 3526 default: 3527 /* 3528 * AF_KEY and AF_ROUTE support shutdown. No socket token 3529 * added. 3530 */ 3531 break; 3532 } 3533 3534 releasef(fd); 3535 3536 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3537 3538 if (add_sock_token == 0) { 3539 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3540 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3541 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3542 return; 3543 } 3544 3545 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3546 3547 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3548 3549 } 3550 3551 /*ARGSUSED*/ 3552 static void 3553 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3554 { 3555 struct a { 3556 long fd; 3557 long level; 3558 long optname; 3559 long *optval; 3560 long optlen; 3561 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3562 3563 struct sonode *so; 3564 char so_laddr[sizeof (struct sockaddr_in6)]; 3565 char so_faddr[sizeof (struct sockaddr_in6)]; 3566 char val[AU_BUFSIZE]; 3567 int err, fd; 3568 int len; 3569 short so_family, so_type; 3570 int add_sock_token = 0; 3571 file_t *fp; /* unix domain sockets */ 3572 struct f_audit_data *fad; /* unix domain sockets */ 3573 3574 fd = (int)uap->fd; 3575 3576 if (error) { 3577 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3578 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3579 /* XXX may want to include other arguments */ 3580 return; 3581 } 3582 3583 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3584 /* 3585 * not security relevant if doing a setsockopt from non socket 3586 * so no extra tokens. Should probably turn off audit record 3587 * generation here. 3588 */ 3589 return; 3590 } 3591 3592 so_family = so->so_family; 3593 so_type = so->so_type; 3594 3595 switch (so_family) { 3596 case AF_INET: 3597 case AF_INET6: 3598 3599 bzero((void *)so_laddr, sizeof (so_laddr)); 3600 bzero((void *)so_faddr, sizeof (so_faddr)); 3601 3602 if (so->so_state & SS_ISBOUND) { 3603 if (so->so_laddr_len == 0) 3604 (void) SOP_GETSOCKNAME(so); 3605 if (so->so_faddr_len == 0) 3606 (void) SOP_GETPEERNAME(so); 3607 } 3608 3609 /* get local and foreign addresses */ 3610 mutex_enter(&so->so_lock); 3611 len = min(so->so_laddr_len, sizeof (so_laddr)); 3612 bcopy(so->so_laddr_sa, so_laddr, len); 3613 len = min(so->so_faddr_len, sizeof (so_faddr)); 3614 bcopy(so->so_faddr_sa, so_faddr, len); 3615 mutex_exit(&so->so_lock); 3616 3617 add_sock_token = 1; 3618 3619 break; 3620 3621 case AF_UNIX: 3622 3623 /* get path from file struct here */ 3624 fad = F2A(fp); 3625 ASSERT(fad); 3626 3627 if (fad->fad_aupath != NULL) { 3628 au_uwrite(au_to_path(fad->fad_aupath)); 3629 } else { 3630 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3631 } 3632 3633 audit_attributes(fp->f_vnode); 3634 3635 break; 3636 3637 default: 3638 /* 3639 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3640 * added. 3641 */ 3642 break; 3643 } 3644 3645 releasef(fd); 3646 3647 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3648 3649 if (add_sock_token == 0) { 3650 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3651 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3652 } 3653 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3654 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3655 3656 bzero(val, sizeof (val)); 3657 len = min(uap->optlen, sizeof (val)); 3658 if ((len > 0) && 3659 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3660 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3661 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3662 } 3663 3664 if (add_sock_token == 0) 3665 return; 3666 3667 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3668 3669 } 3670 3671 /*ARGSUSED*/ 3672 static void 3673 aus_sockconfig(tad) 3674 struct t_audit_data *tad; 3675 { 3676 struct a { 3677 long domain; 3678 long type; 3679 long protocol; 3680 long devpath; 3681 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3682 3683 char *kdevpath; 3684 int kdevpathlen = MAXPATHLEN + 1; 3685 size_t size; 3686 3687 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3688 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3689 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3690 3691 if (uap->devpath == 0) { 3692 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3693 } else { 3694 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3695 3696 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3697 &size)) { 3698 kmem_free(kdevpath, kdevpathlen); 3699 return; 3700 } 3701 3702 if (size > MAXPATHLEN) { 3703 kmem_free(kdevpath, kdevpathlen); 3704 return; 3705 } 3706 3707 au_uwrite(au_to_text(kdevpath)); 3708 kmem_free(kdevpath, kdevpathlen); 3709 } 3710 } 3711 3712 /* 3713 * only audit recvmsg when the system call represents the creation of a new 3714 * circuit. This effectively occurs for all UDP packets and may occur for 3715 * special TCP situations where the local host has not set a local address 3716 * in the socket structure. 3717 */ 3718 /*ARGSUSED*/ 3719 static void 3720 auf_recvmsg( 3721 struct t_audit_data *tad, 3722 int error, 3723 rval_t *rvp) 3724 { 3725 struct a { 3726 long fd; 3727 long msg; /* struct msghdr */ 3728 long flags; 3729 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3730 3731 struct sonode *so; 3732 STRUCT_DECL(msghdr, msg); 3733 caddr_t msg_name; 3734 socklen_t msg_namelen; 3735 int fd; 3736 int err; 3737 char so_laddr[sizeof (struct sockaddr_in6)]; 3738 char so_faddr[sizeof (struct sockaddr_in6)]; 3739 int len; 3740 file_t *fp; /* unix domain sockets */ 3741 struct f_audit_data *fad; /* unix domain sockets */ 3742 short so_family, so_type; 3743 int add_sock_token = 0; 3744 au_kcontext_t *kctx = GET_KCTX_PZ; 3745 3746 fd = (int)uap->fd; 3747 3748 /* bail if an error */ 3749 if (error) { 3750 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3751 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3752 return; 3753 } 3754 3755 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3756 /* 3757 * not security relevant if doing a recvmsg from non socket 3758 * so no extra tokens. Should probably turn off audit record 3759 * generation here. 3760 */ 3761 return; 3762 } 3763 3764 so_family = so->so_family; 3765 so_type = so->so_type; 3766 3767 /* 3768 * only putout SOCKET_EX token if INET/INET6 family. 3769 * XXX - what do we do about other families? 3770 */ 3771 3772 switch (so_family) { 3773 case AF_INET: 3774 case AF_INET6: 3775 3776 /* 3777 * if datagram type socket, then just use what is in 3778 * socket structure for local address. 3779 * XXX - what do we do for other types? 3780 */ 3781 if ((so->so_type == SOCK_DGRAM) || 3782 (so->so_type == SOCK_RAW)) { 3783 add_sock_token = 1; 3784 3785 bzero((void *)so_laddr, sizeof (so_laddr)); 3786 bzero((void *)so_faddr, sizeof (so_faddr)); 3787 3788 /* get local address */ 3789 mutex_enter(&so->so_lock); 3790 len = min(so->so_laddr_len, sizeof (so_laddr)); 3791 bcopy(so->so_laddr_sa, so_laddr, len); 3792 mutex_exit(&so->so_lock); 3793 3794 /* get peer address */ 3795 STRUCT_INIT(msg, get_udatamodel()); 3796 3797 if (copyin((caddr_t)(uap->msg), 3798 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3799 break; 3800 } 3801 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3802 if (msg_name == NULL) { 3803 break; 3804 } 3805 3806 /* length is value from recvmsg - sanity check */ 3807 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3808 if (msg_namelen == 0) { 3809 break; 3810 } 3811 if (copyin(msg_name, so_faddr, 3812 sizeof (so_faddr)) != 0) { 3813 break; 3814 } 3815 3816 } else if (so->so_type == SOCK_STREAM) { 3817 3818 /* get path from file struct here */ 3819 fad = F2A(fp); 3820 ASSERT(fad); 3821 3822 /* 3823 * already processed this file for read attempt 3824 */ 3825 if (fad->fad_flags & FAD_READ) { 3826 /* don't want to audit every recvmsg attempt */ 3827 tad->tad_flag = 0; 3828 /* free any residual audit data */ 3829 au_close(kctx, &(u_ad), 0, 0, 0); 3830 releasef(fd); 3831 return; 3832 } 3833 /* 3834 * mark things so we know what happened and don't 3835 * repeat things 3836 */ 3837 fad->fad_flags |= FAD_READ; 3838 3839 bzero((void *)so_laddr, sizeof (so_laddr)); 3840 bzero((void *)so_faddr, sizeof (so_faddr)); 3841 3842 if (so->so_state & SS_ISBOUND) { 3843 3844 if (so->so_laddr_len == 0) 3845 (void) SOP_GETSOCKNAME(so); 3846 if (so->so_faddr_len == 0) 3847 (void) SOP_GETPEERNAME(so); 3848 3849 /* get local and foreign addresses */ 3850 mutex_enter(&so->so_lock); 3851 len = min(so->so_laddr_len, sizeof (so_laddr)); 3852 bcopy(so->so_laddr_sa, so_laddr, len); 3853 len = min(so->so_faddr_len, sizeof (so_faddr)); 3854 bcopy(so->so_faddr_sa, so_faddr, len); 3855 mutex_exit(&so->so_lock); 3856 } 3857 3858 add_sock_token = 1; 3859 } 3860 3861 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3862 3863 break; 3864 3865 case AF_UNIX: 3866 /* 3867 * first check if this is first time through. Too much 3868 * duplicate code to put this in an aui_ routine. 3869 */ 3870 3871 /* get path from file struct here */ 3872 fad = F2A(fp); 3873 ASSERT(fad); 3874 3875 /* 3876 * already processed this file for read attempt 3877 */ 3878 if (fad->fad_flags & FAD_READ) { 3879 releasef(fd); 3880 /* don't want to audit every recvmsg attempt */ 3881 tad->tad_flag = 0; 3882 /* free any residual audit data */ 3883 au_close(kctx, &(u_ad), 0, 0, 0); 3884 return; 3885 } 3886 /* 3887 * mark things so we know what happened and don't 3888 * repeat things 3889 */ 3890 fad->fad_flags |= FAD_READ; 3891 3892 if (fad->fad_aupath != NULL) { 3893 au_uwrite(au_to_path(fad->fad_aupath)); 3894 } else { 3895 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3896 } 3897 3898 audit_attributes(fp->f_vnode); 3899 3900 releasef(fd); 3901 3902 return; 3903 3904 default: 3905 break; 3906 3907 } 3908 3909 releasef(fd); 3910 3911 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3912 3913 if (add_sock_token == 0) { 3914 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 3915 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 3916 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3917 return; 3918 } 3919 3920 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3921 3922 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3923 3924 } 3925 3926 /*ARGSUSED*/ 3927 static void 3928 auf_recvfrom( 3929 struct t_audit_data *tad, 3930 int error, 3931 rval_t *rvp) 3932 { 3933 3934 struct a { 3935 long fd; 3936 long msg; /* char */ 3937 long len; 3938 long flags; 3939 long from; /* struct sockaddr */ 3940 long fromlen; 3941 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3942 3943 socklen_t fromlen; 3944 struct sonode *so; 3945 char so_laddr[sizeof (struct sockaddr_in6)]; 3946 char so_faddr[sizeof (struct sockaddr_in6)]; 3947 int fd; 3948 short so_family, so_type; 3949 int add_sock_token = 0; 3950 int len; 3951 int err; 3952 struct file *fp; 3953 struct f_audit_data *fad; /* unix domain sockets */ 3954 au_kcontext_t *kctx = GET_KCTX_PZ; 3955 3956 fd = (int)uap->fd; 3957 3958 /* bail if an error */ 3959 if (error) { 3960 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3961 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3962 return; 3963 } 3964 3965 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3966 /* 3967 * not security relevant if doing a recvmsg from non socket 3968 * so no extra tokens. Should probably turn off audit record 3969 * generation here. 3970 */ 3971 return; 3972 } 3973 3974 so_family = so->so_family; 3975 so_type = so->so_type; 3976 3977 /* 3978 * only putout SOCKET_EX token if INET/INET6 family. 3979 * XXX - what do we do about other families? 3980 */ 3981 3982 switch (so_family) { 3983 case AF_INET: 3984 case AF_INET6: 3985 3986 /* 3987 * if datagram type socket, then just use what is in 3988 * socket structure for local address. 3989 * XXX - what do we do for other types? 3990 */ 3991 if ((so->so_type == SOCK_DGRAM) || 3992 (so->so_type == SOCK_RAW)) { 3993 add_sock_token = 1; 3994 3995 /* get local address */ 3996 mutex_enter(&so->so_lock); 3997 len = min(so->so_laddr_len, sizeof (so_laddr)); 3998 bcopy(so->so_laddr_sa, so_laddr, len); 3999 mutex_exit(&so->so_lock); 4000 4001 /* get peer address */ 4002 bzero((void *)so_faddr, sizeof (so_faddr)); 4003 4004 /* sanity check */ 4005 if (uap->from == NULL) 4006 break; 4007 4008 /* sanity checks */ 4009 if (uap->fromlen == 0) 4010 break; 4011 4012 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4013 sizeof (fromlen)) != 0) 4014 break; 4015 4016 if (fromlen == 0) 4017 break; 4018 4019 /* enforce maximum size */ 4020 if (fromlen > sizeof (so_faddr)) 4021 fromlen = sizeof (so_faddr); 4022 4023 if (copyin((caddr_t)(uap->from), so_faddr, 4024 fromlen) != 0) 4025 break; 4026 4027 } else if (so->so_type == SOCK_STREAM) { 4028 4029 /* get path from file struct here */ 4030 fad = F2A(fp); 4031 ASSERT(fad); 4032 4033 /* 4034 * already processed this file for read attempt 4035 */ 4036 if (fad->fad_flags & FAD_READ) { 4037 /* don't want to audit every recvfrom attempt */ 4038 tad->tad_flag = 0; 4039 /* free any residual audit data */ 4040 au_close(kctx, &(u_ad), 0, 0, 0); 4041 releasef(fd); 4042 return; 4043 } 4044 /* 4045 * mark things so we know what happened and don't 4046 * repeat things 4047 */ 4048 fad->fad_flags |= FAD_READ; 4049 4050 bzero((void *)so_laddr, sizeof (so_laddr)); 4051 bzero((void *)so_faddr, sizeof (so_faddr)); 4052 4053 if (so->so_state & SS_ISBOUND) { 4054 4055 if (so->so_laddr_len == 0) 4056 (void) SOP_GETSOCKNAME(so); 4057 if (so->so_faddr_len == 0) 4058 (void) SOP_GETPEERNAME(so); 4059 4060 /* get local and foreign addresses */ 4061 mutex_enter(&so->so_lock); 4062 len = min(so->so_laddr_len, sizeof (so_laddr)); 4063 bcopy(so->so_laddr_sa, so_laddr, len); 4064 len = min(so->so_faddr_len, sizeof (so_faddr)); 4065 bcopy(so->so_faddr_sa, so_faddr, len); 4066 mutex_exit(&so->so_lock); 4067 } 4068 4069 add_sock_token = 1; 4070 } 4071 4072 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4073 4074 break; 4075 4076 case AF_UNIX: 4077 /* 4078 * first check if this is first time through. Too much 4079 * duplicate code to put this in an aui_ routine. 4080 */ 4081 4082 /* get path from file struct here */ 4083 fad = F2A(fp); 4084 ASSERT(fad); 4085 4086 /* 4087 * already processed this file for read attempt 4088 */ 4089 if (fad->fad_flags & FAD_READ) { 4090 /* don't want to audit every recvfrom attempt */ 4091 tad->tad_flag = 0; 4092 /* free any residual audit data */ 4093 au_close(kctx, &(u_ad), 0, 0, 0); 4094 releasef(fd); 4095 return; 4096 } 4097 /* 4098 * mark things so we know what happened and don't 4099 * repeat things 4100 */ 4101 fad->fad_flags |= FAD_READ; 4102 4103 if (fad->fad_aupath != NULL) { 4104 au_uwrite(au_to_path(fad->fad_aupath)); 4105 } else { 4106 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4107 } 4108 4109 audit_attributes(fp->f_vnode); 4110 4111 releasef(fd); 4112 4113 return; 4114 4115 default: 4116 break; 4117 4118 } 4119 4120 releasef(fd); 4121 4122 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4123 4124 if (add_sock_token == 0) { 4125 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4126 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4127 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4128 return; 4129 } 4130 4131 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4132 4133 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4134 } 4135 4136 /*ARGSUSED*/ 4137 static void 4138 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4139 { 4140 struct a { 4141 long fd; 4142 long msg; /* struct msghdr */ 4143 long flags; 4144 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4145 4146 struct sonode *so; 4147 char so_laddr[sizeof (struct sockaddr_in6)]; 4148 char so_faddr[sizeof (struct sockaddr_in6)]; 4149 int err; 4150 int fd; 4151 short so_family, so_type; 4152 int add_sock_token = 0; 4153 int len; 4154 struct file *fp; 4155 struct f_audit_data *fad; 4156 caddr_t msg_name; 4157 socklen_t msg_namelen; 4158 STRUCT_DECL(msghdr, msg); 4159 au_kcontext_t *kctx = GET_KCTX_PZ; 4160 4161 fd = (int)uap->fd; 4162 4163 /* bail if an error */ 4164 if (error) { 4165 /* XXX include destination address from system call arguments */ 4166 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4167 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4168 return; 4169 } 4170 4171 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4172 /* 4173 * not security relevant if doing a sendmsg from non socket 4174 * so no extra tokens. Should probably turn off audit record 4175 * generation here. 4176 */ 4177 return; 4178 } 4179 4180 so_family = so->so_family; 4181 so_type = so->so_type; 4182 4183 switch (so_family) { 4184 case AF_INET: 4185 case AF_INET6: 4186 /* 4187 * if datagram type socket, then just use what is in 4188 * socket structure for local address. 4189 * XXX - what do we do for other types? 4190 */ 4191 if ((so->so_type == SOCK_DGRAM) || 4192 (so->so_type == SOCK_RAW)) { 4193 4194 bzero((void *)so_laddr, sizeof (so_laddr)); 4195 bzero((void *)so_faddr, sizeof (so_faddr)); 4196 4197 /* get local address */ 4198 mutex_enter(&so->so_lock); 4199 len = min(so->so_laddr_len, sizeof (so_laddr)); 4200 bcopy(so->so_laddr_sa, so_laddr, len); 4201 mutex_exit(&so->so_lock); 4202 4203 /* get peer address */ 4204 STRUCT_INIT(msg, get_udatamodel()); 4205 4206 if (copyin((caddr_t)(uap->msg), 4207 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4208 break; 4209 } 4210 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4211 if (msg_name == NULL) 4212 break; 4213 4214 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4215 /* length is value from recvmsg - sanity check */ 4216 if (msg_namelen == 0) 4217 break; 4218 4219 if (copyin(msg_name, so_faddr, 4220 sizeof (so_faddr)) != 0) 4221 break; 4222 4223 add_sock_token = 1; 4224 4225 } else if (so->so_type == SOCK_STREAM) { 4226 4227 /* get path from file struct here */ 4228 fad = F2A(fp); 4229 ASSERT(fad); 4230 4231 /* 4232 * already processed this file for write attempt 4233 */ 4234 if (fad->fad_flags & FAD_WRITE) { 4235 releasef(fd); 4236 /* don't want to audit every sendmsg attempt */ 4237 tad->tad_flag = 0; 4238 /* free any residual audit data */ 4239 au_close(kctx, &(u_ad), 0, 0, 0); 4240 return; 4241 } 4242 4243 /* 4244 * mark things so we know what happened and don't 4245 * repeat things 4246 */ 4247 fad->fad_flags |= FAD_WRITE; 4248 4249 bzero((void *)so_laddr, sizeof (so_laddr)); 4250 bzero((void *)so_faddr, sizeof (so_faddr)); 4251 4252 if (so->so_state & SS_ISBOUND) { 4253 4254 if (so->so_laddr_len == 0) 4255 (void) SOP_GETSOCKNAME(so); 4256 if (so->so_faddr_len == 0) 4257 (void) SOP_GETPEERNAME(so); 4258 4259 /* get local and foreign addresses */ 4260 mutex_enter(&so->so_lock); 4261 len = min(so->so_laddr_len, sizeof (so_laddr)); 4262 bcopy(so->so_laddr_sa, so_laddr, len); 4263 len = min(so->so_faddr_len, sizeof (so_faddr)); 4264 bcopy(so->so_faddr_sa, so_faddr, len); 4265 mutex_exit(&so->so_lock); 4266 } 4267 4268 add_sock_token = 1; 4269 } 4270 4271 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4272 4273 break; 4274 4275 case AF_UNIX: 4276 /* 4277 * first check if this is first time through. Too much 4278 * duplicate code to put this in an aui_ routine. 4279 */ 4280 4281 /* get path from file struct here */ 4282 fad = F2A(fp); 4283 ASSERT(fad); 4284 4285 /* 4286 * already processed this file for write attempt 4287 */ 4288 if (fad->fad_flags & FAD_WRITE) { 4289 releasef(fd); 4290 /* don't want to audit every sendmsg attempt */ 4291 tad->tad_flag = 0; 4292 /* free any residual audit data */ 4293 au_close(kctx, &(u_ad), 0, 0, 0); 4294 return; 4295 } 4296 /* 4297 * mark things so we know what happened and don't 4298 * repeat things 4299 */ 4300 fad->fad_flags |= FAD_WRITE; 4301 4302 if (fad->fad_aupath != NULL) { 4303 au_uwrite(au_to_path(fad->fad_aupath)); 4304 } else { 4305 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4306 } 4307 4308 audit_attributes(fp->f_vnode); 4309 4310 releasef(fd); 4311 4312 return; 4313 4314 default: 4315 break; 4316 } 4317 4318 releasef(fd); 4319 4320 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4321 4322 if (add_sock_token == 0) { 4323 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4324 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4325 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4326 return; 4327 } 4328 4329 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4330 4331 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4332 } 4333 4334 /*ARGSUSED*/ 4335 static void 4336 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4337 { 4338 struct a { 4339 long fd; 4340 long msg; /* char */ 4341 long len; 4342 long flags; 4343 long to; /* struct sockaddr */ 4344 long tolen; 4345 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4346 4347 struct sonode *so; 4348 char so_laddr[sizeof (struct sockaddr_in6)]; 4349 char so_faddr[sizeof (struct sockaddr_in6)]; 4350 socklen_t tolen; 4351 int err; 4352 int fd; 4353 int len; 4354 short so_family, so_type; 4355 int add_sock_token = 0; 4356 struct file *fp; 4357 struct f_audit_data *fad; 4358 au_kcontext_t *kctx = GET_KCTX_PZ; 4359 4360 fd = (int)uap->fd; 4361 4362 /* bail if an error */ 4363 if (error) { 4364 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4365 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4366 /* XXX include destination address from system call arguments */ 4367 return; 4368 } 4369 4370 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4371 /* 4372 * not security relevant if doing a sendto using non socket 4373 * so no extra tokens. Should probably turn off audit record 4374 * generation here. 4375 */ 4376 return; 4377 } 4378 4379 so_family = so->so_family; 4380 so_type = so->so_type; 4381 4382 /* 4383 * only putout SOCKET_EX token if INET/INET6 family. 4384 * XXX - what do we do about other families? 4385 */ 4386 4387 switch (so_family) { 4388 case AF_INET: 4389 case AF_INET6: 4390 4391 /* 4392 * if datagram type socket, then just use what is in 4393 * socket structure for local address. 4394 * XXX - what do we do for other types? 4395 */ 4396 if ((so->so_type == SOCK_DGRAM) || 4397 (so->so_type == SOCK_RAW)) { 4398 4399 bzero((void *)so_laddr, sizeof (so_laddr)); 4400 bzero((void *)so_faddr, sizeof (so_faddr)); 4401 4402 /* get local address */ 4403 mutex_enter(&so->so_lock); 4404 len = min(so->so_laddr_len, sizeof (so_laddr)); 4405 bcopy(so->so_laddr_sa, so_laddr, len); 4406 mutex_exit(&so->so_lock); 4407 4408 /* get peer address */ 4409 4410 /* sanity check */ 4411 if (uap->to == NULL) 4412 break; 4413 4414 /* sanity checks */ 4415 if (uap->tolen == 0) 4416 break; 4417 4418 tolen = (socklen_t)uap->tolen; 4419 4420 /* enforce maximum size */ 4421 if (tolen > sizeof (so_faddr)) 4422 tolen = sizeof (so_faddr); 4423 4424 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4425 break; 4426 4427 add_sock_token = 1; 4428 } else { 4429 /* 4430 * check if this is first time through. 4431 */ 4432 4433 /* get path from file struct here */ 4434 fad = F2A(fp); 4435 ASSERT(fad); 4436 4437 /* 4438 * already processed this file for write attempt 4439 */ 4440 if (fad->fad_flags & FAD_WRITE) { 4441 /* don't want to audit every sendto attempt */ 4442 tad->tad_flag = 0; 4443 /* free any residual audit data */ 4444 au_close(kctx, &(u_ad), 0, 0, 0); 4445 releasef(fd); 4446 return; 4447 } 4448 /* 4449 * mark things so we know what happened and don't 4450 * repeat things 4451 */ 4452 fad->fad_flags |= FAD_WRITE; 4453 4454 bzero((void *)so_laddr, sizeof (so_laddr)); 4455 bzero((void *)so_faddr, sizeof (so_faddr)); 4456 4457 if (so->so_state & SS_ISBOUND) { 4458 4459 if (so->so_laddr_len == 0) 4460 (void) SOP_GETSOCKNAME(so); 4461 if (so->so_faddr_len == 0) 4462 (void) SOP_GETPEERNAME(so); 4463 4464 /* get local and foreign addresses */ 4465 mutex_enter(&so->so_lock); 4466 len = min(so->so_laddr_len, sizeof (so_laddr)); 4467 bcopy(so->so_laddr_sa, so_laddr, len); 4468 len = min(so->so_faddr_len, sizeof (so_faddr)); 4469 bcopy(so->so_faddr_sa, so_faddr, len); 4470 mutex_exit(&so->so_lock); 4471 } 4472 4473 add_sock_token = 1; 4474 } 4475 4476 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4477 4478 break; 4479 4480 case AF_UNIX: 4481 /* 4482 * first check if this is first time through. Too much 4483 * duplicate code to put this in an aui_ routine. 4484 */ 4485 4486 /* get path from file struct here */ 4487 fad = F2A(fp); 4488 ASSERT(fad); 4489 4490 /* 4491 * already processed this file for write attempt 4492 */ 4493 if (fad->fad_flags & FAD_WRITE) { 4494 /* don't want to audit every sendto attempt */ 4495 tad->tad_flag = 0; 4496 /* free any residual audit data */ 4497 au_close(kctx, &(u_ad), 0, 0, 0); 4498 releasef(fd); 4499 return; 4500 } 4501 /* 4502 * mark things so we know what happened and don't 4503 * repeat things 4504 */ 4505 fad->fad_flags |= FAD_WRITE; 4506 4507 if (fad->fad_aupath != NULL) { 4508 au_uwrite(au_to_path(fad->fad_aupath)); 4509 } else { 4510 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4511 } 4512 4513 audit_attributes(fp->f_vnode); 4514 4515 releasef(fd); 4516 4517 return; 4518 4519 default: 4520 break; 4521 4522 } 4523 4524 releasef(fd); 4525 4526 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4527 4528 if (add_sock_token == 0) { 4529 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4530 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4531 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4532 return; 4533 } 4534 4535 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4536 4537 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4538 4539 } 4540 4541 /* 4542 * XXX socket(2) may be equivalent to open(2) on a unix domain 4543 * socket. This needs investigation. 4544 */ 4545 4546 /*ARGSUSED*/ 4547 static void 4548 aus_socket(struct t_audit_data *tad) 4549 { 4550 struct a { 4551 long domain; 4552 long type; 4553 long protocol; 4554 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4555 4556 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4557 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4558 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4559 } 4560 4561 /*ARGSUSED*/ 4562 static void 4563 aus_sigqueue(struct t_audit_data *tad) 4564 { 4565 struct a { 4566 long pid; 4567 long signo; 4568 long *val; 4569 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4570 struct proc *p; 4571 uid_t uid, ruid; 4572 gid_t gid, rgid; 4573 pid_t pid; 4574 const auditinfo_addr_t *ainfo; 4575 cred_t *cr; 4576 4577 pid = (pid_t)uap->pid; 4578 4579 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4580 if (pid > 0) { 4581 mutex_enter(&pidlock); 4582 if ((p = prfind(pid)) == (struct proc *)0) { 4583 mutex_exit(&pidlock); 4584 return; 4585 } 4586 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4587 mutex_exit(&pidlock); 4588 4589 mutex_enter(&p->p_crlock); 4590 crhold(cr = p->p_cred); 4591 mutex_exit(&p->p_crlock); 4592 mutex_exit(&p->p_lock); 4593 4594 ainfo = crgetauinfo(cr); 4595 if (ainfo == NULL) { 4596 crfree(cr); 4597 return; 4598 } 4599 4600 uid = crgetuid(cr); 4601 gid = crgetgid(cr); 4602 ruid = crgetruid(cr); 4603 rgid = crgetrgid(cr); 4604 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4605 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4606 crfree(cr); 4607 } 4608 else 4609 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4610 } 4611 4612 /*ARGSUSED*/ 4613 static void 4614 aus_inst_sync(struct t_audit_data *tad) 4615 { 4616 struct a { 4617 long name; /* char */ 4618 long flags; 4619 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4620 4621 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4622 } 4623 4624 /*ARGSUSED*/ 4625 static void 4626 aus_brandsys(struct t_audit_data *tad) 4627 { 4628 klwp_t *clwp = ttolwp(curthread); 4629 4630 struct a { 4631 long cmd; 4632 long arg1; 4633 long arg2; 4634 long arg3; 4635 long arg4; 4636 long arg5; 4637 long arg6; 4638 } *uap = (struct a *)clwp->lwp_ap; 4639 4640 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4641 #ifdef _LP64 4642 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4643 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4644 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4645 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4646 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4647 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4648 #else 4649 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4650 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4651 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4652 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4653 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4654 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4655 #endif 4656 } 4657 4658 /*ARGSUSED*/ 4659 static void 4660 aus_p_online(struct t_audit_data *tad) 4661 { 4662 struct a { 4663 long processor_id; 4664 long flag; 4665 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4666 4667 struct flags { 4668 int flag; 4669 char *cflag; 4670 } aflags[6] = { 4671 { P_ONLINE, "P_ONLINE"}, 4672 { P_OFFLINE, "P_OFFLINE"}, 4673 { P_NOINTR, "P_NOINTR"}, 4674 { P_SPARE, "P_SPARE"}, 4675 { P_FAULTED, "P_FAULTED"}, 4676 { P_STATUS, "P_STATUS"} 4677 }; 4678 int i; 4679 char *cflag; 4680 4681 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4682 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4683 4684 for (i = 0; i < 6; i++) { 4685 if (aflags[i].flag == uap->flag) 4686 break; 4687 } 4688 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4689 4690 au_uwrite(au_to_text(cflag)); 4691 } 4692 4693 /*ARGSUSED*/ 4694 static void 4695 aus_processor_bind(struct t_audit_data *tad) 4696 { 4697 struct a { 4698 long id_type; 4699 long id; 4700 long processor_id; 4701 long obind; 4702 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4703 4704 struct proc *p; 4705 int lwpcnt; 4706 uid_t uid, ruid; 4707 gid_t gid, rgid; 4708 pid_t pid; 4709 const auditinfo_addr_t *ainfo; 4710 cred_t *cr; 4711 4712 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4713 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4714 if (uap->processor_id == PBIND_NONE) 4715 au_uwrite(au_to_text("PBIND_NONE")); 4716 else 4717 au_uwrite(au_to_arg32(3, "processor_id", 4718 (uint32_t)uap->processor_id)); 4719 4720 switch (uap->id_type) { 4721 case P_MYID: 4722 case P_LWPID: 4723 mutex_enter(&pidlock); 4724 p = ttoproc(curthread); 4725 if (p == NULL || p->p_as == &kas) { 4726 mutex_exit(&pidlock); 4727 return; 4728 } 4729 mutex_enter(&p->p_lock); 4730 mutex_exit(&pidlock); 4731 lwpcnt = p->p_lwpcnt; 4732 pid = p->p_pid; 4733 4734 mutex_enter(&p->p_crlock); 4735 crhold(cr = p->p_cred); 4736 mutex_exit(&p->p_crlock); 4737 mutex_exit(&p->p_lock); 4738 4739 ainfo = crgetauinfo(cr); 4740 if (ainfo == NULL) { 4741 crfree(cr); 4742 return; 4743 } 4744 4745 uid = crgetuid(cr); 4746 gid = crgetgid(cr); 4747 ruid = crgetruid(cr); 4748 rgid = crgetrgid(cr); 4749 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4750 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4751 crfree(cr); 4752 break; 4753 case P_PID: 4754 mutex_enter(&pidlock); 4755 p = prfind(uap->id); 4756 if (p == NULL || p->p_as == &kas) { 4757 mutex_exit(&pidlock); 4758 return; 4759 } 4760 mutex_enter(&p->p_lock); 4761 mutex_exit(&pidlock); 4762 lwpcnt = p->p_lwpcnt; 4763 pid = p->p_pid; 4764 4765 mutex_enter(&p->p_crlock); 4766 crhold(cr = p->p_cred); 4767 mutex_exit(&p->p_crlock); 4768 mutex_exit(&p->p_lock); 4769 4770 ainfo = crgetauinfo(cr); 4771 if (ainfo == NULL) { 4772 crfree(cr); 4773 return; 4774 } 4775 4776 uid = crgetuid(cr); 4777 gid = crgetgid(cr); 4778 ruid = crgetruid(cr); 4779 rgid = crgetrgid(cr); 4780 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4781 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4782 crfree(cr); 4783 4784 break; 4785 default: 4786 return; 4787 } 4788 4789 if (uap->processor_id == PBIND_NONE && 4790 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4791 au_uwrite(au_to_text("PBIND_NONE for process")); 4792 else 4793 au_uwrite(au_to_arg32(3, "processor_id", 4794 (uint32_t)uap->processor_id)); 4795 } 4796 4797 /*ARGSUSED*/ 4798 static au_event_t 4799 aui_doorfs(au_event_t e) 4800 { 4801 uint32_t code; 4802 4803 struct a { /* doorfs */ 4804 long a1; 4805 long a2; 4806 long a3; 4807 long a4; 4808 long a5; 4809 long code; 4810 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4811 4812 /* 4813 * audit formats for several of the 4814 * door calls have not yet been determined 4815 */ 4816 code = (uint32_t)uap->code; 4817 switch (code) { 4818 case DOOR_CALL: 4819 e = AUE_DOORFS_DOOR_CALL; 4820 break; 4821 case DOOR_RETURN: 4822 e = AUE_NULL; 4823 break; 4824 case DOOR_CREATE: 4825 e = AUE_DOORFS_DOOR_CREATE; 4826 break; 4827 case DOOR_REVOKE: 4828 e = AUE_DOORFS_DOOR_REVOKE; 4829 break; 4830 case DOOR_INFO: 4831 e = AUE_NULL; 4832 break; 4833 case DOOR_UCRED: 4834 e = AUE_NULL; 4835 break; 4836 case DOOR_BIND: 4837 e = AUE_NULL; 4838 break; 4839 case DOOR_UNBIND: 4840 e = AUE_NULL; 4841 break; 4842 case DOOR_GETPARAM: 4843 e = AUE_NULL; 4844 break; 4845 case DOOR_SETPARAM: 4846 e = AUE_NULL; 4847 break; 4848 default: /* illegal system call */ 4849 e = AUE_NULL; 4850 break; 4851 } 4852 4853 return (e); 4854 } 4855 4856 static door_node_t * 4857 au_door_lookup(int did) 4858 { 4859 vnode_t *vp; 4860 file_t *fp; 4861 4862 if ((fp = getf(did)) == NULL) 4863 return (NULL); 4864 /* 4865 * Use the underlying vnode (we may be namefs mounted) 4866 */ 4867 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4868 vp = fp->f_vnode; 4869 4870 if (vp == NULL || vp->v_type != VDOOR) { 4871 releasef(did); 4872 return (NULL); 4873 } 4874 4875 return (VTOD(vp)); 4876 } 4877 4878 /*ARGSUSED*/ 4879 static void 4880 aus_doorfs(struct t_audit_data *tad) 4881 { 4882 4883 struct a { /* doorfs */ 4884 long a1; 4885 long a2; 4886 long a3; 4887 long a4; 4888 long a5; 4889 long code; 4890 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4891 4892 door_node_t *dp; 4893 struct proc *p; 4894 uint32_t did; 4895 uid_t uid, ruid; 4896 gid_t gid, rgid; 4897 pid_t pid; 4898 const auditinfo_addr_t *ainfo; 4899 cred_t *cr; 4900 4901 did = (uint32_t)uap->a1; 4902 4903 switch (tad->tad_event) { 4904 case AUE_DOORFS_DOOR_CALL: 4905 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4906 if ((dp = au_door_lookup(did)) == NULL) 4907 break; 4908 4909 if (DOOR_INVALID(dp)) { 4910 releasef(did); 4911 break; 4912 } 4913 4914 if ((p = dp->door_target) == NULL) { 4915 releasef(did); 4916 break; 4917 } 4918 mutex_enter(&p->p_lock); 4919 releasef(did); 4920 4921 pid = p->p_pid; 4922 4923 mutex_enter(&p->p_crlock); 4924 crhold(cr = p->p_cred); 4925 mutex_exit(&p->p_crlock); 4926 mutex_exit(&p->p_lock); 4927 4928 ainfo = crgetauinfo(cr); 4929 if (ainfo == NULL) { 4930 crfree(cr); 4931 return; 4932 } 4933 uid = crgetuid(cr); 4934 gid = crgetgid(cr); 4935 ruid = crgetruid(cr); 4936 rgid = crgetrgid(cr); 4937 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4938 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4939 crfree(cr); 4940 break; 4941 case AUE_DOORFS_DOOR_RETURN: 4942 /* 4943 * We may want to write information about 4944 * all doors (if any) which will be copied 4945 * by this call to the user space 4946 */ 4947 break; 4948 case AUE_DOORFS_DOOR_CREATE: 4949 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 4950 break; 4951 case AUE_DOORFS_DOOR_REVOKE: 4952 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4953 break; 4954 case AUE_DOORFS_DOOR_INFO: 4955 break; 4956 case AUE_DOORFS_DOOR_CRED: 4957 break; 4958 case AUE_DOORFS_DOOR_BIND: 4959 break; 4960 case AUE_DOORFS_DOOR_UNBIND: { 4961 break; 4962 } 4963 default: /* illegal system call */ 4964 break; 4965 } 4966 } 4967 4968 /*ARGSUSED*/ 4969 static au_event_t 4970 aui_acl(au_event_t e) 4971 { 4972 struct a { 4973 union { 4974 long name; /* char */ 4975 long fd; 4976 } obj; 4977 4978 long cmd; 4979 long nentries; 4980 long arg; /* aclent_t */ 4981 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4982 4983 switch (uap->cmd) { 4984 case SETACL: 4985 case ACE_SETACL: 4986 /* 4987 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 4988 * are expected. 4989 */ 4990 break; 4991 case GETACL: 4992 case GETACLCNT: 4993 case ACE_GETACLCNT: 4994 /* do nothing for these two values. */ 4995 e = AUE_NULL; 4996 break; 4997 default: 4998 /* illegal system call */ 4999 break; 5000 } 5001 5002 return (e); 5003 } 5004 5005 static void 5006 au_acl(int cmd, int nentries, caddr_t bufp) 5007 { 5008 size_t a_size; 5009 aclent_t *aclbufp; 5010 ace_t *acebufp; 5011 int i; 5012 5013 switch (cmd) { 5014 case GETACL: 5015 case GETACLCNT: 5016 break; 5017 case SETACL: 5018 if (nentries < 3) 5019 break; 5020 5021 a_size = nentries * sizeof (aclent_t); 5022 5023 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5024 break; 5025 if (copyin(bufp, aclbufp, a_size)) { 5026 kmem_free(aclbufp, a_size); 5027 break; 5028 } 5029 for (i = 0; i < nentries; i++) { 5030 au_uwrite(au_to_acl(aclbufp + i)); 5031 } 5032 kmem_free(aclbufp, a_size); 5033 break; 5034 5035 case ACE_SETACL: 5036 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5037 break; 5038 5039 a_size = nentries * sizeof (ace_t); 5040 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5041 break; 5042 if (copyin(bufp, acebufp, a_size)) { 5043 kmem_free(acebufp, a_size); 5044 break; 5045 } 5046 for (i = 0; i < nentries; i++) { 5047 au_uwrite(au_to_ace(acebufp + i)); 5048 } 5049 kmem_free(acebufp, a_size); 5050 break; 5051 default: 5052 break; 5053 } 5054 } 5055 5056 /*ARGSUSED*/ 5057 static void 5058 aus_acl(struct t_audit_data *tad) 5059 { 5060 struct a { 5061 long fname; 5062 long cmd; 5063 long nentries; 5064 long aclbufp; 5065 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5066 5067 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5068 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5069 5070 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5071 } 5072 5073 /*ARGSUSED*/ 5074 static void 5075 aus_facl(struct t_audit_data *tad) 5076 { 5077 struct a { 5078 long fd; 5079 long cmd; 5080 long nentries; 5081 long aclbufp; 5082 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5083 struct file *fp; 5084 struct vnode *vp; 5085 struct f_audit_data *fad; 5086 int fd; 5087 5088 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5089 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5090 5091 fd = (int)uap->fd; 5092 5093 if ((fp = getf(fd)) == NULL) 5094 return; 5095 5096 /* get path from file struct here */ 5097 fad = F2A(fp); 5098 if (fad->fad_aupath != NULL) { 5099 au_uwrite(au_to_path(fad->fad_aupath)); 5100 } else { 5101 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5102 } 5103 5104 vp = fp->f_vnode; 5105 audit_attributes(vp); 5106 5107 /* decrement file descriptor reference count */ 5108 releasef(fd); 5109 5110 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5111 } 5112 5113 /*ARGSUSED*/ 5114 static void 5115 auf_read(tad, error, rval) 5116 struct t_audit_data *tad; 5117 int error; 5118 rval_t *rval; 5119 { 5120 struct file *fp; 5121 struct f_audit_data *fad; 5122 int fd; 5123 register struct a { 5124 long fd; 5125 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5126 au_kcontext_t *kctx = GET_KCTX_PZ; 5127 5128 fd = (int)uap->fd; 5129 5130 /* 5131 * convert file pointer to file descriptor 5132 * Note: fd ref count incremented here. 5133 */ 5134 if ((fp = getf(fd)) == NULL) 5135 return; 5136 5137 /* get path from file struct here */ 5138 fad = F2A(fp); 5139 ASSERT(fad); 5140 5141 /* 5142 * already processed this file for read attempt 5143 * 5144 * XXX might be better to turn off auditing in a aui_read() routine. 5145 */ 5146 if (fad->fad_flags & FAD_READ) { 5147 /* don't really want to audit every read attempt */ 5148 tad->tad_flag = 0; 5149 /* free any residual audit data */ 5150 au_close(kctx, &(u_ad), 0, 0, 0); 5151 releasef(fd); 5152 return; 5153 } 5154 /* mark things so we know what happened and don't repeat things */ 5155 fad->fad_flags |= FAD_READ; 5156 5157 if (fad->fad_aupath != NULL) { 5158 au_uwrite(au_to_path(fad->fad_aupath)); 5159 } else { 5160 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5161 } 5162 5163 /* include attributes */ 5164 audit_attributes(fp->f_vnode); 5165 5166 /* decrement file descriptor reference count */ 5167 releasef(fd); 5168 } 5169 5170 /*ARGSUSED*/ 5171 static void 5172 auf_write(tad, error, rval) 5173 struct t_audit_data *tad; 5174 int error; 5175 rval_t *rval; 5176 { 5177 struct file *fp; 5178 struct f_audit_data *fad; 5179 int fd; 5180 register struct a { 5181 long fd; 5182 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5183 au_kcontext_t *kctx = GET_KCTX_PZ; 5184 5185 fd = (int)uap->fd; 5186 5187 /* 5188 * convert file pointer to file descriptor 5189 * Note: fd ref count incremented here. 5190 */ 5191 if ((fp = getf(fd)) == NULL) 5192 return; 5193 5194 /* get path from file struct here */ 5195 fad = F2A(fp); 5196 ASSERT(fad); 5197 5198 /* 5199 * already processed this file for write attempt 5200 * 5201 * XXX might be better to turn off auditing in a aus_write() routine. 5202 */ 5203 if (fad->fad_flags & FAD_WRITE) { 5204 /* don't really want to audit every write attempt */ 5205 tad->tad_flag = 0; 5206 /* free any residual audit data */ 5207 au_close(kctx, &(u_ad), 0, 0, 0); 5208 releasef(fd); 5209 return; 5210 } 5211 /* mark things so we know what happened and don't repeat things */ 5212 fad->fad_flags |= FAD_WRITE; 5213 5214 if (fad->fad_aupath != NULL) { 5215 au_uwrite(au_to_path(fad->fad_aupath)); 5216 } else { 5217 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5218 } 5219 5220 /* include attributes */ 5221 audit_attributes(fp->f_vnode); 5222 5223 /* decrement file descriptor reference count */ 5224 releasef(fd); 5225 } 5226 5227 /*ARGSUSED*/ 5228 static void 5229 auf_recv(tad, error, rval) 5230 struct t_audit_data *tad; 5231 int error; 5232 rval_t *rval; 5233 { 5234 struct sonode *so; 5235 char so_laddr[sizeof (struct sockaddr_in6)]; 5236 char so_faddr[sizeof (struct sockaddr_in6)]; 5237 struct file *fp; 5238 struct f_audit_data *fad; 5239 int fd; 5240 int err; 5241 int len; 5242 short so_family, so_type; 5243 register struct a { 5244 long fd; 5245 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5246 au_kcontext_t *kctx = GET_KCTX_PZ; 5247 5248 /* 5249 * If there was an error, then nothing to do. Only generate 5250 * audit record on first successful recv. 5251 */ 5252 if (error) { 5253 /* Turn off audit record generation here. */ 5254 tad->tad_flag = 0; 5255 /* free any residual audit data */ 5256 au_close(kctx, &(u_ad), 0, 0, 0); 5257 return; 5258 } 5259 5260 fd = (int)uap->fd; 5261 5262 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5263 /* Turn off audit record generation here. */ 5264 tad->tad_flag = 0; 5265 /* free any residual audit data */ 5266 au_close(kctx, &(u_ad), 0, 0, 0); 5267 return; 5268 } 5269 5270 /* get path from file struct here */ 5271 fad = F2A(fp); 5272 ASSERT(fad); 5273 5274 /* 5275 * already processed this file for read attempt 5276 */ 5277 if (fad->fad_flags & FAD_READ) { 5278 releasef(fd); 5279 /* don't really want to audit every recv call */ 5280 tad->tad_flag = 0; 5281 /* free any residual audit data */ 5282 au_close(kctx, &(u_ad), 0, 0, 0); 5283 return; 5284 } 5285 5286 /* mark things so we know what happened and don't repeat things */ 5287 fad->fad_flags |= FAD_READ; 5288 5289 so_family = so->so_family; 5290 so_type = so->so_type; 5291 5292 switch (so_family) { 5293 case AF_INET: 5294 case AF_INET6: 5295 /* 5296 * Only for connections. 5297 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5298 */ 5299 if (so->so_state & SS_ISBOUND) { 5300 5301 bzero((void *)so_laddr, sizeof (so_laddr)); 5302 bzero((void *)so_faddr, sizeof (so_faddr)); 5303 5304 /* only done once on a connection */ 5305 (void) SOP_GETSOCKNAME(so); 5306 (void) SOP_GETPEERNAME(so); 5307 5308 /* get local and foreign addresses */ 5309 mutex_enter(&so->so_lock); 5310 len = min(so->so_laddr_len, sizeof (so_laddr)); 5311 bcopy(so->so_laddr_sa, so_laddr, len); 5312 len = min(so->so_faddr_len, sizeof (so_faddr)); 5313 bcopy(so->so_faddr_sa, so_faddr, len); 5314 mutex_exit(&so->so_lock); 5315 5316 /* 5317 * only way to drop out of switch. Note that we 5318 * we release fd below. 5319 */ 5320 5321 break; 5322 } 5323 5324 releasef(fd); 5325 5326 /* don't really want to audit every recv call */ 5327 tad->tad_flag = 0; 5328 /* free any residual audit data */ 5329 au_close(kctx, &(u_ad), 0, 0, 0); 5330 5331 return; 5332 5333 case AF_UNIX: 5334 5335 if (fad->fad_aupath != NULL) { 5336 au_uwrite(au_to_path(fad->fad_aupath)); 5337 } else { 5338 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5339 } 5340 5341 audit_attributes(fp->f_vnode); 5342 5343 releasef(fd); 5344 5345 return; 5346 5347 default: 5348 releasef(fd); 5349 5350 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5351 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5352 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5353 5354 return; 5355 } 5356 5357 releasef(fd); 5358 5359 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5360 5361 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5362 5363 } 5364 5365 /*ARGSUSED*/ 5366 static void 5367 auf_send(tad, error, rval) 5368 struct t_audit_data *tad; 5369 int error; 5370 rval_t *rval; 5371 { 5372 struct sonode *so; 5373 char so_laddr[sizeof (struct sockaddr_in6)]; 5374 char so_faddr[sizeof (struct sockaddr_in6)]; 5375 struct file *fp; 5376 struct f_audit_data *fad; 5377 int fd; 5378 int err; 5379 int len; 5380 short so_family, so_type; 5381 register struct a { 5382 long fd; 5383 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5384 au_kcontext_t *kctx = GET_KCTX_PZ; 5385 5386 fd = (int)uap->fd; 5387 5388 /* 5389 * If there was an error, then nothing to do. Only generate 5390 * audit record on first successful send. 5391 */ 5392 if (error != 0) { 5393 /* Turn off audit record generation here. */ 5394 tad->tad_flag = 0; 5395 /* free any residual audit data */ 5396 au_close(kctx, &(u_ad), 0, 0, 0); 5397 return; 5398 } 5399 5400 fd = (int)uap->fd; 5401 5402 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5403 /* Turn off audit record generation here. */ 5404 tad->tad_flag = 0; 5405 /* free any residual audit data */ 5406 au_close(kctx, &(u_ad), 0, 0, 0); 5407 return; 5408 } 5409 5410 /* get path from file struct here */ 5411 fad = F2A(fp); 5412 ASSERT(fad); 5413 5414 /* 5415 * already processed this file for write attempt 5416 */ 5417 if (fad->fad_flags & FAD_WRITE) { 5418 releasef(fd); 5419 /* don't really want to audit every send call */ 5420 tad->tad_flag = 0; 5421 /* free any residual audit data */ 5422 au_close(kctx, &(u_ad), 0, 0, 0); 5423 return; 5424 } 5425 5426 /* mark things so we know what happened and don't repeat things */ 5427 fad->fad_flags |= FAD_WRITE; 5428 5429 so_family = so->so_family; 5430 so_type = so->so_type; 5431 5432 switch (so_family) { 5433 case AF_INET: 5434 case AF_INET6: 5435 /* 5436 * Only for connections. 5437 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5438 */ 5439 if (so->so_state & SS_ISBOUND) { 5440 5441 bzero((void *)so_laddr, sizeof (so_laddr)); 5442 bzero((void *)so_faddr, sizeof (so_faddr)); 5443 5444 /* only done once on a connection */ 5445 (void) SOP_GETSOCKNAME(so); 5446 (void) SOP_GETPEERNAME(so); 5447 5448 /* get local and foreign addresses */ 5449 mutex_enter(&so->so_lock); 5450 len = min(so->so_laddr_len, sizeof (so_laddr)); 5451 bcopy(so->so_laddr_sa, so_laddr, len); 5452 len = min(so->so_faddr_len, sizeof (so_faddr)); 5453 bcopy(so->so_faddr_sa, so_faddr, len); 5454 mutex_exit(&so->so_lock); 5455 5456 /* 5457 * only way to drop out of switch. Note that we 5458 * we release fd below. 5459 */ 5460 5461 break; 5462 } 5463 5464 releasef(fd); 5465 /* don't really want to audit every send call */ 5466 tad->tad_flag = 0; 5467 /* free any residual audit data */ 5468 au_close(kctx, &(u_ad), 0, 0, 0); 5469 5470 return; 5471 5472 case AF_UNIX: 5473 5474 if (fad->fad_aupath != NULL) { 5475 au_uwrite(au_to_path(fad->fad_aupath)); 5476 } else { 5477 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5478 } 5479 5480 audit_attributes(fp->f_vnode); 5481 5482 releasef(fd); 5483 5484 return; 5485 5486 default: 5487 releasef(fd); 5488 5489 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5490 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5491 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5492 5493 return; 5494 } 5495 5496 releasef(fd); 5497 5498 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5499 5500 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5501 } 5502 5503 static au_event_t 5504 aui_forksys(au_event_t e) 5505 { 5506 struct a { 5507 long subcode; 5508 long flags; 5509 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5510 5511 switch ((uint_t)uap->subcode) { 5512 case 0: 5513 e = AUE_FORK1; 5514 break; 5515 case 1: 5516 e = AUE_FORKALL; 5517 break; 5518 case 2: 5519 e = AUE_VFORK; 5520 break; 5521 default: 5522 e = AUE_NULL; 5523 break; 5524 } 5525 5526 return (e); 5527 } 5528 5529 /*ARGSUSED*/ 5530 static au_event_t 5531 aui_portfs(au_event_t e) 5532 { 5533 struct a { /* portfs */ 5534 long a1; 5535 long a2; 5536 long a3; 5537 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5538 5539 /* 5540 * check opcode 5541 */ 5542 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5543 case PORT_ASSOCIATE: 5544 case PORT_DISSOCIATE: 5545 /* 5546 * check source 5547 */ 5548 if ((uint_t)uap->a3 == PORT_SOURCE_FILE) { 5549 e = AUE_PORTFS; 5550 } else { 5551 e = AUE_NULL; 5552 } 5553 break; 5554 default: 5555 e = AUE_NULL; 5556 } 5557 return (e); 5558 } 5559