1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_fchownat(au_event_t); 85 static au_event_t aui_open(au_event_t); 86 static au_event_t aui_openat(au_event_t); 87 static au_event_t aui_unlinkat(au_event_t); 88 static au_event_t aui_fstatat(au_event_t); 89 static au_event_t aui_msgsys(au_event_t); 90 static au_event_t aui_shmsys(au_event_t); 91 static au_event_t aui_semsys(au_event_t); 92 static au_event_t aui_utssys(au_event_t); 93 static au_event_t aui_fcntl(au_event_t); 94 static au_event_t aui_execve(au_event_t); 95 static au_event_t aui_memcntl(au_event_t); 96 static au_event_t aui_sysinfo(au_event_t); 97 static au_event_t aui_portfs(au_event_t); 98 static au_event_t aui_auditsys(au_event_t); 99 static au_event_t aui_modctl(au_event_t); 100 static au_event_t aui_acl(au_event_t); 101 static au_event_t aui_doorfs(au_event_t); 102 static au_event_t aui_privsys(au_event_t); 103 static au_event_t aui_forksys(au_event_t); 104 static au_event_t aui_labelsys(au_event_t); 105 static au_event_t aui_setpgrp(au_event_t); 106 107 static void aus_exit(struct t_audit_data *); 108 static void aus_open(struct t_audit_data *); 109 static void aus_openat(struct t_audit_data *); 110 static void aus_acl(struct t_audit_data *); 111 static void aus_acct(struct t_audit_data *); 112 static void aus_chown(struct t_audit_data *); 113 static void aus_fchown(struct t_audit_data *); 114 static void aus_lchown(struct t_audit_data *); 115 static void aus_fchownat(struct t_audit_data *); 116 static void aus_chmod(struct t_audit_data *); 117 static void aus_facl(struct t_audit_data *); 118 static void aus_fchmod(struct t_audit_data *); 119 static void aus_fcntl(struct t_audit_data *); 120 static void aus_mkdir(struct t_audit_data *); 121 static void aus_mknod(struct t_audit_data *); 122 static void aus_mount(struct t_audit_data *); 123 static void aus_umount2(struct t_audit_data *); 124 static void aus_msgsys(struct t_audit_data *); 125 static void aus_semsys(struct t_audit_data *); 126 static void aus_close(struct t_audit_data *); 127 static void aus_fstatfs(struct t_audit_data *); 128 static void aus_setgid(struct t_audit_data *); 129 static void aus_setpgrp(struct t_audit_data *); 130 static void aus_setuid(struct t_audit_data *); 131 static void aus_shmsys(struct t_audit_data *); 132 static void aus_doorfs(struct t_audit_data *); 133 static void aus_ioctl(struct t_audit_data *); 134 static void aus_memcntl(struct t_audit_data *); 135 static void aus_mmap(struct t_audit_data *); 136 static void aus_munmap(struct t_audit_data *); 137 static void aus_priocntlsys(struct t_audit_data *); 138 static void aus_setegid(struct t_audit_data *); 139 static void aus_setgroups(struct t_audit_data *); 140 static void aus_seteuid(struct t_audit_data *); 141 static void aus_putmsg(struct t_audit_data *); 142 static void aus_putpmsg(struct t_audit_data *); 143 static void aus_getmsg(struct t_audit_data *); 144 static void aus_getpmsg(struct t_audit_data *); 145 static void aus_auditsys(struct t_audit_data *); 146 static void aus_sysinfo(struct t_audit_data *); 147 static void aus_modctl(struct t_audit_data *); 148 static void aus_kill(struct t_audit_data *); 149 static void aus_setregid(struct t_audit_data *); 150 static void aus_setreuid(struct t_audit_data *); 151 static void aus_labelsys(struct t_audit_data *); 152 153 static void auf_mknod(struct t_audit_data *, int, rval_t *); 154 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 155 static void auf_semsys(struct t_audit_data *, int, rval_t *); 156 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 157 static void auf_read(struct t_audit_data *, int, rval_t *); 158 static void auf_write(struct t_audit_data *, int, rval_t *); 159 160 static void aus_sigqueue(struct t_audit_data *); 161 static void aus_p_online(struct t_audit_data *); 162 static void aus_processor_bind(struct t_audit_data *); 163 static void aus_inst_sync(struct t_audit_data *); 164 static void aus_brandsys(struct t_audit_data *); 165 166 static void auf_accept(struct t_audit_data *, int, rval_t *); 167 168 static void auf_bind(struct t_audit_data *, int, rval_t *); 169 static void auf_connect(struct t_audit_data *, int, rval_t *); 170 static void aus_shutdown(struct t_audit_data *); 171 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 172 static void aus_sockconfig(struct t_audit_data *); 173 static void auf_recv(struct t_audit_data *, int, rval_t *); 174 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 175 static void auf_send(struct t_audit_data *, int, rval_t *); 176 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 177 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 178 static void auf_sendto(struct t_audit_data *, int, rval_t *); 179 static void aus_socket(struct t_audit_data *); 180 /* 181 * This table contains mapping information for converting system call numbers 182 * to audit event IDs. In several cases it is necessary to map a single system 183 * call to several events. 184 */ 185 186 #define aui_null NULL /* NULL initialize function */ 187 #define aus_null NULL /* NULL start function */ 188 #define auf_null NULL /* NULL finish function */ 189 190 struct audit_s2e audit_s2e[] = 191 { 192 /* 193 * ---------- ---------- ---------- ---------- 194 * INITIAL AUDIT START SYSTEM 195 * PROCESSING EVENT PROCESSING CALL 196 * ---------- ---------- ---------- ----------- 197 * FINISH EVENT 198 * PROCESSING CONTROL 199 * ---------------------------------------------------------- 200 */ 201 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 202 auf_null, 0, 203 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 204 auf_null, S2E_NPT, 205 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 206 auf_null, 0, 207 aui_null, AUE_READ, aus_null, /* 3 read */ 208 auf_read, S2E_PUB, 209 aui_null, AUE_WRITE, aus_null, /* 4 write */ 210 auf_write, 0, 211 aui_open, AUE_OPEN, aus_open, /* 5 open */ 212 auf_null, S2E_SP, 213 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 214 auf_null, 0, 215 aui_null, AUE_NULL, aus_null, /* 7 (loadable) was wait */ 216 auf_null, 0, 217 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 218 auf_null, 0, 219 aui_null, AUE_LINK, aus_null, /* 9 link */ 220 auf_null, 0, 221 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 222 auf_null, 0, 223 aui_null, AUE_NULL, aus_null, /* 11 (loadable) was exec */ 224 auf_null, 0, 225 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 226 auf_null, S2E_SP, 227 aui_null, AUE_NULL, aus_null, /* 13 time */ 228 auf_null, 0, 229 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 230 auf_mknod, 0, 231 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 232 auf_null, 0, 233 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 234 auf_null, 0, 235 aui_null, AUE_NULL, aus_null, /* 17 brk */ 236 auf_null, 0, 237 aui_null, AUE_STAT, aus_null, /* 18 stat */ 238 auf_null, S2E_PUB, 239 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 240 auf_null, 0, 241 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 242 auf_null, 0, 243 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 244 auf_null, S2E_MLD, 245 aui_null, AUE_NULL, aus_null, /* 22 (loadable) was umount */ 246 auf_null, 0, 247 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 250 auf_null, 0, 251 aui_null, AUE_STIME, aus_null, /* 25 stime */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 29 pause */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 264 auf_null, 0, 265 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 266 auf_null, 0, 267 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 268 auf_null, S2E_PUB, 269 aui_null, AUE_NICE, aus_null, /* 34 nice */ 270 auf_null, 0, 271 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 272 auf_null, S2E_PUB, 273 aui_null, AUE_NULL, aus_null, /* 36 sync */ 274 auf_null, 0, 275 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 276 auf_null, 0, 277 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 278 auf_null, S2E_PUB, 279 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 284 auf_null, 0, 285 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 43 times */ 288 auf_null, 0, 289 aui_null, AUE_NULL, aus_null, /* 44 profil */ 290 auf_null, 0, 291 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 292 auf_null, S2E_PUB | S2E_ATC, 293 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 296 auf_null, 0, 297 aui_null, AUE_NULL, aus_null, /* 48 (loadable) was ssig */ 298 auf_null, 0, 299 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 300 auf_msgsys, 0, 301 #if defined(__x86) 302 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 303 auf_null, 0, 304 #else 305 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 306 auf_null, 0, 307 #endif /* __x86 */ 308 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 309 auf_null, 0, 310 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 311 auf_shmsys, 0, 312 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 313 auf_semsys, 0, 314 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 317 auf_null, 0, 318 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 319 auf_null, S2E_ATC, 320 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 321 auf_null, 0, 322 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 323 auf_null, 0, 324 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 325 auf_null, S2E_MLD, 326 aui_null, AUE_NULL, aus_null, /* 60 umask */ 327 auf_null, 0, 328 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 329 auf_null, S2E_SP, 330 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 333 auf_null, 0, 334 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 335 auf_null, S2E_ATC, 336 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 337 auf_null, S2E_ATC, 338 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 339 auf_null, S2E_PUB | S2E_ATC, 340 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 341 auf_null, S2E_PUB | S2E_ATC, 342 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 343 auf_null, S2E_SP | S2E_ATC, 344 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 345 auf_null, S2E_SP | S2E_ATC, 346 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 363 auf_null, 0, 364 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 365 auf_null, 0, 366 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 367 auf_null, 0, 368 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 369 auf_null, 0, 370 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 373 auf_null, 0, 374 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 375 auf_null, 0, 376 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 377 auf_null, 0, 378 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 379 auf_null, 0, 380 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 381 auf_null, 0, 382 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 383 auf_null, S2E_PUB, 384 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 385 auf_null, 0, 386 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 387 auf_null, S2E_PUB, 388 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 389 auf_null, 0, 390 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 391 auf_null, 0, 392 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 393 auf_null, 0, 394 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 395 auf_null, 0, 396 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 101 (loadable) */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 411 auf_null, 0, 412 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 413 auf_null, S2E_PUB, 414 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 415 auf_null, 0, 416 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 423 auf_null, 0, 424 #if defined(__x86) 425 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 426 auf_null, 0, 427 #else 428 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 429 auf_null, 0, 430 #endif /* __x86 */ 431 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 432 auf_null, S2E_ATC, 433 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 434 auf_null, 0, 435 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 436 auf_null, 0, 437 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 438 auf_null, S2E_PUB, 439 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 440 auf_null, 0, 441 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 442 auf_null, 0, 443 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 444 auf_null, 0, 445 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 446 auf_null, 0, 447 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 448 auf_null, 0, 449 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 450 auf_null, 0, 451 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 452 auf_null, 0, 453 aui_null, AUE_READ, aus_null, /* 121 readv */ 454 auf_read, S2E_PUB, 455 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 456 auf_write, 0, 457 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 458 auf_null, 0, 459 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 460 auf_null, 0, 461 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 462 auf_null, 0, 463 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 464 auf_null, 0, 465 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 466 auf_null, 0, 467 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 468 auf_null, 0, 469 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 470 auf_null, 0, 471 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 472 auf_null, 0, 473 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 474 auf_null, 0, 475 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 476 auf_null, 0, 477 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 478 auf_null, 0, 479 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 480 auf_null, 0, 481 aui_null, AUE_NULL, aus_null, /* 135 uname */ 482 auf_null, 0, 483 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 484 auf_null, 0, 485 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 486 auf_null, 0, 487 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 488 auf_null, 0, 489 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 490 auf_null, 0, 491 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 492 auf_null, 0, 493 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 494 auf_null, 0, 495 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 496 auf_null, 0, 497 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 498 auf_null, 0, 499 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 146 yield */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 506 /* was lwp_sema_wait */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 515 auf_null, 0, 516 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 517 auf_null, 0, 518 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 519 auf_null, 0, 520 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 551 /* was lwp_mutex_lock */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 558 auf_null, 0, 559 aui_null, AUE_READ, aus_null, /* 173 pread */ 560 auf_read, S2E_PUB, 561 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 562 auf_write, 0, 563 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 564 auf_null, 0, 565 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 566 auf_null, 0, 567 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 568 auf_null, 0, 569 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 570 auf_null, 0, 571 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 576 auf_null, 0, 577 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 578 auf_null, S2E_MLD, 579 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 580 auf_null, 0, 581 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 582 auf_null, 0, 583 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 584 auf_null, 0, 585 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 586 auf_null, 0, 587 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 588 auf_null, 0, 589 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 590 auf_null, 0, 591 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 594 auf_null, 0, 595 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 596 auf_null, 0, 597 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 612 auf_null, 0, 613 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 614 auf_null, 0, 615 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 616 auf_null, 0, 617 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 618 auf_null, 0, 619 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 620 auf_null, 0, 621 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 622 auf_null, 0, 623 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 640 auf_null, 0, 641 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 642 auf_null, 0, 643 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 644 auf_null, S2E_PUB, 645 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 646 auf_null, S2E_PUB, 647 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 648 auf_null, 0, 649 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 652 auf_null, 0, 653 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 654 auf_null, 0, 655 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 656 auf_null, 0, 657 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 658 auf_read, S2E_PUB, 659 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 660 auf_write, 0, 661 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 662 auf_null, 0, 663 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 664 auf_null, S2E_SP, 665 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 666 auf_null, 0, 667 aui_null, AUE_NULL, aus_null, /* 227 zone */ 668 auf_null, 0, 669 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 672 auf_null, 0, 673 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 676 auf_null, 0, 677 aui_null, AUE_BIND, aus_null, /* 232 bind */ 678 auf_bind, 0, 679 aui_null, AUE_NULL, aus_null, /* 233 listen */ 680 auf_null, 0, 681 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 682 auf_accept, 0, 683 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 684 auf_connect, 0, 685 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 686 auf_null, 0, 687 aui_null, AUE_READ, aus_null, /* 237 recv */ 688 auf_recv, 0, 689 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 690 auf_recvfrom, 0, 691 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 692 auf_recvmsg, 0, 693 aui_null, AUE_WRITE, aus_null, /* 240 send */ 694 auf_send, 0, 695 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 696 auf_sendmsg, 0, 697 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 698 auf_sendto, 0, 699 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 700 auf_null, 0, 701 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 702 auf_null, 0, 703 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 704 auf_null, 0, 705 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 706 auf_setsockopt, 0, 707 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 708 auf_null, 0, 709 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 710 auf_null, 0, 711 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 722 auf_null, 0, 723 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 724 auf_null, 0 725 }; 726 727 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 728 729 730 /* exit start function */ 731 /*ARGSUSED*/ 732 static void 733 aus_exit(struct t_audit_data *tad) 734 { 735 uint32_t rval; 736 struct a { 737 long rval; 738 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 739 740 rval = (uint32_t)uap->rval; 741 au_uwrite(au_to_arg32(1, "exit status", rval)); 742 } 743 744 /* acct start function */ 745 /*ARGSUSED*/ 746 static void 747 aus_acct(struct t_audit_data *tad) 748 { 749 klwp_t *clwp = ttolwp(curthread); 750 uintptr_t fname; 751 752 struct a { 753 long fname; /* char * */ 754 } *uap = (struct a *)clwp->lwp_ap; 755 756 fname = (uintptr_t)uap->fname; 757 758 if (fname == 0) 759 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 760 } 761 762 /* chown start function */ 763 /*ARGSUSED*/ 764 static void 765 aus_chown(struct t_audit_data *tad) 766 { 767 klwp_t *clwp = ttolwp(curthread); 768 uint32_t uid, gid; 769 770 struct a { 771 long fname; /* char * */ 772 long uid; 773 long gid; 774 } *uap = (struct a *)clwp->lwp_ap; 775 776 uid = (uint32_t)uap->uid; 777 gid = (uint32_t)uap->gid; 778 779 au_uwrite(au_to_arg32(2, "new file uid", uid)); 780 au_uwrite(au_to_arg32(3, "new file gid", gid)); 781 } 782 783 /* fchown start function */ 784 /*ARGSUSED*/ 785 static void 786 aus_fchown(struct t_audit_data *tad) 787 { 788 klwp_t *clwp = ttolwp(curthread); 789 uint32_t uid, gid, fd; 790 struct file *fp; 791 struct vnode *vp; 792 struct f_audit_data *fad; 793 794 struct a { 795 long fd; 796 long uid; 797 long gid; 798 } *uap = (struct a *)clwp->lwp_ap; 799 800 fd = (uint32_t)uap->fd; 801 uid = (uint32_t)uap->uid; 802 gid = (uint32_t)uap->gid; 803 804 au_uwrite(au_to_arg32(2, "new file uid", uid)); 805 au_uwrite(au_to_arg32(3, "new file gid", gid)); 806 807 /* 808 * convert file pointer to file descriptor 809 * Note: fd ref count incremented here. 810 */ 811 if ((fp = getf(fd)) == NULL) 812 return; 813 814 /* get path from file struct here */ 815 fad = F2A(fp); 816 if (fad->fad_aupath != NULL) { 817 au_uwrite(au_to_path(fad->fad_aupath)); 818 } else { 819 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 820 } 821 822 vp = fp->f_vnode; 823 audit_attributes(vp); 824 825 /* decrement file descriptor reference count */ 826 releasef(fd); 827 } 828 829 /*ARGSUSED*/ 830 static void 831 aus_lchown(struct t_audit_data *tad) 832 { 833 klwp_t *clwp = ttolwp(curthread); 834 uint32_t uid, gid; 835 836 837 struct a { 838 long fname; /* char * */ 839 long uid; 840 long gid; 841 } *uap = (struct a *)clwp->lwp_ap; 842 843 uid = (uint32_t)uap->uid; 844 gid = (uint32_t)uap->gid; 845 846 au_uwrite(au_to_arg32(2, "new file uid", uid)); 847 au_uwrite(au_to_arg32(3, "new file gid", gid)); 848 } 849 850 static au_event_t 851 aui_fchownat(au_event_t e) 852 { 853 klwp_t *clwp = ttolwp(curthread); 854 855 struct a { 856 long fd; 857 long fname; /* char * */ 858 long uid; 859 long gid; 860 long flags; 861 } *uap = (struct a *)clwp->lwp_ap; 862 863 if (uap->fname == NULL) 864 e = AUE_FCHOWN; 865 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 866 e = AUE_LCHOWN; 867 else 868 e = AUE_CHOWN; 869 870 return (e); 871 } 872 873 /*ARGSUSED*/ 874 static void 875 aus_fchownat(struct t_audit_data *tad) 876 { 877 klwp_t *clwp = ttolwp(curthread); 878 uint32_t uid, gid; 879 880 struct a { 881 long fd; 882 long fname; /* char * */ 883 long uid; 884 long gid; 885 long flags; 886 } *uap = (struct a *)clwp->lwp_ap; 887 888 uid = (uint32_t)uap->uid; 889 gid = (uint32_t)uap->gid; 890 891 au_uwrite(au_to_arg32(3, "new file uid", uid)); 892 au_uwrite(au_to_arg32(4, "new file gid", gid)); 893 } 894 895 /* chmod start function */ 896 /*ARGSUSED*/ 897 static void 898 aus_chmod(struct t_audit_data *tad) 899 { 900 klwp_t *clwp = ttolwp(curthread); 901 uint32_t fmode; 902 903 struct a { 904 long fname; /* char * */ 905 long fmode; 906 } *uap = (struct a *)clwp->lwp_ap; 907 908 fmode = (uint32_t)uap->fmode; 909 910 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 911 } 912 913 /* chmod start function */ 914 /*ARGSUSED*/ 915 static void 916 aus_fchmod(struct t_audit_data *tad) 917 { 918 klwp_t *clwp = ttolwp(curthread); 919 uint32_t fmode, fd; 920 struct file *fp; 921 struct vnode *vp; 922 struct f_audit_data *fad; 923 924 struct a { 925 long fd; 926 long fmode; 927 } *uap = (struct a *)clwp->lwp_ap; 928 929 fd = (uint32_t)uap->fd; 930 fmode = (uint32_t)uap->fmode; 931 932 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 933 934 /* 935 * convert file pointer to file descriptor 936 * Note: fd ref count incremented here. 937 */ 938 if ((fp = getf(fd)) == NULL) 939 return; 940 941 /* get path from file struct here */ 942 fad = F2A(fp); 943 if (fad->fad_aupath != NULL) { 944 au_uwrite(au_to_path(fad->fad_aupath)); 945 } else { 946 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 947 } 948 949 vp = fp->f_vnode; 950 audit_attributes(vp); 951 952 /* decrement file descriptor reference count */ 953 releasef(fd); 954 } 955 956 /* 957 * convert open mode to appropriate open event 958 */ 959 au_event_t 960 open_event(uint_t fm) 961 { 962 au_event_t e; 963 964 switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) { 965 case O_RDONLY: 966 e = AUE_OPEN_R; 967 break; 968 case O_RDONLY | O_CREAT: 969 e = AUE_OPEN_RC; 970 break; 971 case O_RDONLY | O_TRUNC: 972 e = AUE_OPEN_RT; 973 break; 974 case O_RDONLY | O_TRUNC | O_CREAT: 975 e = AUE_OPEN_RTC; 976 break; 977 case O_WRONLY: 978 e = AUE_OPEN_W; 979 break; 980 case O_WRONLY | O_CREAT: 981 e = AUE_OPEN_WC; 982 break; 983 case O_WRONLY | O_TRUNC: 984 e = AUE_OPEN_WT; 985 break; 986 case O_WRONLY | O_TRUNC | O_CREAT: 987 e = AUE_OPEN_WTC; 988 break; 989 case O_RDWR: 990 e = AUE_OPEN_RW; 991 break; 992 case O_RDWR | O_CREAT: 993 e = AUE_OPEN_RWC; 994 break; 995 case O_RDWR | O_TRUNC: 996 e = AUE_OPEN_RWT; 997 break; 998 case O_RDWR | O_TRUNC | O_CREAT: 999 e = AUE_OPEN_RWTC; 1000 break; 1001 default: 1002 e = AUE_NULL; 1003 break; 1004 } 1005 1006 return (e); 1007 } 1008 1009 /* ARGSUSED */ 1010 static au_event_t 1011 aui_open(au_event_t e) 1012 { 1013 t_audit_data_t *tad = T2A(curthread); 1014 klwp_t *clwp = ttolwp(curthread); 1015 uint_t fm; 1016 1017 struct a { 1018 long fnamep; /* char * */ 1019 long fmode; 1020 long cmode; 1021 } *uap = (struct a *)clwp->lwp_ap; 1022 1023 fm = (uint_t)uap->fmode; 1024 1025 /* convert to appropriate au_ctrl */ 1026 if (fm & (FXATTR | FXATTRDIROPEN)) 1027 tad->tad_ctrl |= PAD_ATTPATH; 1028 1029 return (open_event(fm)); 1030 } 1031 1032 static void 1033 aus_open(struct t_audit_data *tad) 1034 { 1035 klwp_t *clwp = ttolwp(curthread); 1036 uint_t fm; 1037 1038 struct a { 1039 long fnamep; /* char * */ 1040 long fmode; 1041 long cmode; 1042 } *uap = (struct a *)clwp->lwp_ap; 1043 1044 fm = (uint_t)uap->fmode; 1045 1046 /* If no write, create, or trunc modes, mark as a public op */ 1047 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1048 tad->tad_ctrl |= PAD_PUBLIC_EV; 1049 } 1050 1051 /* ARGSUSED */ 1052 static au_event_t 1053 aui_openat(au_event_t e) 1054 { 1055 t_audit_data_t *tad = T2A(curthread); 1056 klwp_t *clwp = ttolwp(curthread); 1057 uint_t fm; 1058 1059 struct a { 1060 long filedes; 1061 long fnamep; /* char * */ 1062 long fmode; 1063 long cmode; 1064 } *uap = (struct a *)clwp->lwp_ap; 1065 1066 fm = (uint_t)uap->fmode; 1067 1068 /* convert to appropriate au_ctrl */ 1069 if (fm & (FXATTR | FXATTRDIROPEN)) 1070 tad->tad_ctrl |= PAD_ATTPATH; 1071 1072 return (open_event(fm)); 1073 } 1074 1075 static void 1076 aus_openat(struct t_audit_data *tad) 1077 { 1078 klwp_t *clwp = ttolwp(curthread); 1079 uint_t fm; 1080 1081 struct a { 1082 long filedes; 1083 long fnamep; /* char * */ 1084 long fmode; 1085 long cmode; 1086 } *uap = (struct a *)clwp->lwp_ap; 1087 1088 fm = (uint_t)uap->fmode; 1089 1090 /* If no write, create, or trunc modes, mark as a public op */ 1091 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1092 tad->tad_ctrl |= PAD_PUBLIC_EV; 1093 } 1094 1095 static au_event_t 1096 aui_unlinkat(au_event_t e) 1097 { 1098 klwp_t *clwp = ttolwp(curthread); 1099 1100 struct a { 1101 long filedes; 1102 long fnamep; /* char * */ 1103 long flags; 1104 } *uap = (struct a *)clwp->lwp_ap; 1105 1106 if (uap->flags & AT_REMOVEDIR) 1107 e = AUE_RMDIR; 1108 else 1109 e = AUE_UNLINK; 1110 1111 return (e); 1112 } 1113 1114 static au_event_t 1115 aui_fstatat(au_event_t e) 1116 { 1117 klwp_t *clwp = ttolwp(curthread); 1118 1119 struct a { 1120 long filedes; 1121 long fnamep; /* char * */ 1122 long statb; 1123 long flags; 1124 } *uap = (struct a *)clwp->lwp_ap; 1125 1126 if (uap->fnamep == NULL) 1127 e = AUE_FSTAT; 1128 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1129 e = AUE_LSTAT; 1130 else 1131 e = AUE_STAT; 1132 1133 return (e); 1134 } 1135 1136 /* msgsys */ 1137 static au_event_t 1138 aui_msgsys(au_event_t e) 1139 { 1140 klwp_t *clwp = ttolwp(curthread); 1141 uint_t fm; 1142 1143 struct a { 1144 long id; /* function code id */ 1145 long ap; /* arg pointer for recvmsg */ 1146 } *uap = (struct a *)clwp->lwp_ap; 1147 1148 struct b { 1149 long msgid; 1150 long cmd; 1151 long buf; /* struct msqid_ds * */ 1152 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1153 1154 fm = (uint_t)uap->id; 1155 1156 switch (fm) { 1157 case 0: /* msgget */ 1158 e = AUE_MSGGET; 1159 break; 1160 case 1: /* msgctl */ 1161 switch ((uint_t)uap1->cmd) { 1162 case IPC_RMID: 1163 e = AUE_MSGCTL_RMID; 1164 break; 1165 case IPC_SET: 1166 e = AUE_MSGCTL_SET; 1167 break; 1168 case IPC_STAT: 1169 e = AUE_MSGCTL_STAT; 1170 break; 1171 default: 1172 e = AUE_MSGCTL; 1173 break; 1174 } 1175 break; 1176 case 2: /* msgrcv */ 1177 e = AUE_MSGRCV; 1178 break; 1179 case 3: /* msgsnd */ 1180 e = AUE_MSGSND; 1181 break; 1182 default: /* illegal system call */ 1183 e = AUE_NULL; 1184 break; 1185 } 1186 1187 return (e); 1188 } 1189 1190 1191 /* shmsys */ 1192 static au_event_t 1193 aui_shmsys(au_event_t e) 1194 { 1195 klwp_t *clwp = ttolwp(curthread); 1196 int fm; 1197 1198 struct a { /* shmsys */ 1199 long id; /* function code id */ 1200 } *uap = (struct a *)clwp->lwp_ap; 1201 1202 struct b { /* ctrl */ 1203 long shmid; 1204 long cmd; 1205 long arg; /* struct shmid_ds * */ 1206 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1207 fm = (uint_t)uap->id; 1208 1209 switch (fm) { 1210 case 0: /* shmat */ 1211 e = AUE_SHMAT; 1212 break; 1213 case 1: /* shmctl */ 1214 switch ((uint_t)uap1->cmd) { 1215 case IPC_RMID: 1216 e = AUE_SHMCTL_RMID; 1217 break; 1218 case IPC_SET: 1219 e = AUE_SHMCTL_SET; 1220 break; 1221 case IPC_STAT: 1222 e = AUE_SHMCTL_STAT; 1223 break; 1224 default: 1225 e = AUE_SHMCTL; 1226 break; 1227 } 1228 break; 1229 case 2: /* shmdt */ 1230 e = AUE_SHMDT; 1231 break; 1232 case 3: /* shmget */ 1233 e = AUE_SHMGET; 1234 break; 1235 default: /* illegal system call */ 1236 e = AUE_NULL; 1237 break; 1238 } 1239 1240 return (e); 1241 } 1242 1243 1244 /* semsys */ 1245 static au_event_t 1246 aui_semsys(au_event_t e) 1247 { 1248 klwp_t *clwp = ttolwp(curthread); 1249 uint_t fm; 1250 1251 struct a { /* semsys */ 1252 long id; 1253 } *uap = (struct a *)clwp->lwp_ap; 1254 1255 struct b { /* ctrl */ 1256 long semid; 1257 long semnum; 1258 long cmd; 1259 long arg; 1260 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1261 1262 fm = (uint_t)uap->id; 1263 1264 switch (fm) { 1265 case 0: /* semctl */ 1266 switch ((uint_t)uap1->cmd) { 1267 case IPC_RMID: 1268 e = AUE_SEMCTL_RMID; 1269 break; 1270 case IPC_SET: 1271 e = AUE_SEMCTL_SET; 1272 break; 1273 case IPC_STAT: 1274 e = AUE_SEMCTL_STAT; 1275 break; 1276 case GETNCNT: 1277 e = AUE_SEMCTL_GETNCNT; 1278 break; 1279 case GETPID: 1280 e = AUE_SEMCTL_GETPID; 1281 break; 1282 case GETVAL: 1283 e = AUE_SEMCTL_GETVAL; 1284 break; 1285 case GETALL: 1286 e = AUE_SEMCTL_GETALL; 1287 break; 1288 case GETZCNT: 1289 e = AUE_SEMCTL_GETZCNT; 1290 break; 1291 case SETVAL: 1292 e = AUE_SEMCTL_SETVAL; 1293 break; 1294 case SETALL: 1295 e = AUE_SEMCTL_SETALL; 1296 break; 1297 default: 1298 e = AUE_SEMCTL; 1299 break; 1300 } 1301 break; 1302 case 1: /* semget */ 1303 e = AUE_SEMGET; 1304 break; 1305 case 2: /* semop */ 1306 e = AUE_SEMOP; 1307 break; 1308 default: /* illegal system call */ 1309 e = AUE_NULL; 1310 break; 1311 } 1312 1313 return (e); 1314 } 1315 1316 /* utssys - uname(2), ustat(2), fusers(2) */ 1317 static au_event_t 1318 aui_utssys(au_event_t e) 1319 { 1320 klwp_t *clwp = ttolwp(curthread); 1321 uint_t type; 1322 1323 struct a { 1324 union { 1325 long cbuf; /* char * */ 1326 long ubuf; /* struct stat * */ 1327 } ub; 1328 union { 1329 long mv; /* for USTAT */ 1330 long flags; /* for FUSERS */ 1331 } un; 1332 long type; 1333 long outbp; /* char * for FUSERS */ 1334 } *uap = (struct a *)clwp->lwp_ap; 1335 1336 type = (uint_t)uap->type; 1337 1338 if (type == UTS_FUSERS) 1339 return (e); 1340 else 1341 return ((au_event_t)AUE_NULL); 1342 } 1343 1344 static au_event_t 1345 aui_fcntl(au_event_t e) 1346 { 1347 klwp_t *clwp = ttolwp(curthread); 1348 uint_t cmd; 1349 1350 struct a { 1351 long fdes; 1352 long cmd; 1353 long arg; 1354 } *uap = (struct a *)clwp->lwp_ap; 1355 1356 cmd = (uint_t)uap->cmd; 1357 1358 switch (cmd) { 1359 case F_GETLK: 1360 case F_SETLK: 1361 case F_SETLKW: 1362 break; 1363 case F_SETFL: 1364 case F_GETFL: 1365 case F_GETFD: 1366 break; 1367 default: 1368 e = (au_event_t)AUE_NULL; 1369 break; 1370 } 1371 return ((au_event_t)e); 1372 } 1373 1374 /* null function for now */ 1375 static au_event_t 1376 aui_execve(au_event_t e) 1377 { 1378 return (e); 1379 } 1380 1381 /*ARGSUSED*/ 1382 static void 1383 aus_fcntl(struct t_audit_data *tad) 1384 { 1385 klwp_t *clwp = ttolwp(curthread); 1386 uint32_t cmd, fd; 1387 struct file *fp; 1388 struct vnode *vp; 1389 struct f_audit_data *fad; 1390 1391 struct a { 1392 long fd; 1393 long cmd; 1394 long arg; 1395 } *uap = (struct a *)clwp->lwp_ap; 1396 1397 cmd = (uint32_t)uap->cmd; 1398 fd = (uint32_t)uap->fd; 1399 1400 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1401 1402 /* 1403 * convert file pointer to file descriptor 1404 * Note: fd ref count incremented here. 1405 */ 1406 if ((fp = getf(fd)) == NULL) 1407 return; 1408 1409 /* get path from file struct here */ 1410 fad = F2A(fp); 1411 if (fad->fad_aupath != NULL) { 1412 au_uwrite(au_to_path(fad->fad_aupath)); 1413 } else { 1414 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1415 } 1416 1417 vp = fp->f_vnode; 1418 audit_attributes(vp); 1419 1420 /* decrement file descriptor reference count */ 1421 releasef(fd); 1422 } 1423 1424 /*ARGSUSED*/ 1425 static void 1426 aus_kill(struct t_audit_data *tad) 1427 { 1428 klwp_t *clwp = ttolwp(curthread); 1429 struct proc *p; 1430 uint32_t signo; 1431 uid_t uid, ruid; 1432 gid_t gid, rgid; 1433 pid_t pid; 1434 const auditinfo_addr_t *ainfo; 1435 cred_t *cr; 1436 1437 struct a { 1438 long pid; 1439 long signo; 1440 } *uap = (struct a *)clwp->lwp_ap; 1441 1442 pid = (pid_t)uap->pid; 1443 signo = (uint32_t)uap->signo; 1444 1445 au_uwrite(au_to_arg32(2, "signal", signo)); 1446 if (pid > 0) { 1447 mutex_enter(&pidlock); 1448 if (((p = prfind(pid)) == (struct proc *)0) || 1449 (p->p_stat == SIDL)) { 1450 mutex_exit(&pidlock); 1451 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1452 return; 1453 } 1454 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1455 mutex_exit(&pidlock); 1456 1457 mutex_enter(&p->p_crlock); 1458 crhold(cr = p->p_cred); 1459 mutex_exit(&p->p_crlock); 1460 mutex_exit(&p->p_lock); 1461 1462 ainfo = crgetauinfo(cr); 1463 if (ainfo == NULL) { 1464 crfree(cr); 1465 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1466 return; 1467 } 1468 1469 uid = crgetuid(cr); 1470 gid = crgetgid(cr); 1471 ruid = crgetruid(cr); 1472 rgid = crgetrgid(cr); 1473 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1474 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1475 1476 if (is_system_labeled()) 1477 au_uwrite(au_to_label(CR_SL(cr))); 1478 1479 crfree(cr); 1480 } 1481 else 1482 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1483 } 1484 1485 /*ARGSUSED*/ 1486 static void 1487 aus_mkdir(struct t_audit_data *tad) 1488 { 1489 klwp_t *clwp = ttolwp(curthread); 1490 uint32_t dmode; 1491 1492 struct a { 1493 long dirnamep; /* char * */ 1494 long dmode; 1495 } *uap = (struct a *)clwp->lwp_ap; 1496 1497 dmode = (uint32_t)uap->dmode; 1498 1499 au_uwrite(au_to_arg32(2, "mode", dmode)); 1500 } 1501 1502 /*ARGSUSED*/ 1503 static void 1504 aus_mknod(struct t_audit_data *tad) 1505 { 1506 klwp_t *clwp = ttolwp(curthread); 1507 uint32_t fmode; 1508 dev_t dev; 1509 1510 struct a { 1511 long pnamep; /* char * */ 1512 long fmode; 1513 long dev; 1514 } *uap = (struct a *)clwp->lwp_ap; 1515 1516 fmode = (uint32_t)uap->fmode; 1517 dev = (dev_t)uap->dev; 1518 1519 au_uwrite(au_to_arg32(2, "mode", fmode)); 1520 #ifdef _LP64 1521 au_uwrite(au_to_arg64(3, "dev", dev)); 1522 #else 1523 au_uwrite(au_to_arg32(3, "dev", dev)); 1524 #endif 1525 } 1526 1527 /*ARGSUSED*/ 1528 static void 1529 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1530 { 1531 klwp_t *clwp = ttolwp(curthread); 1532 vnode_t *dvp; 1533 caddr_t pnamep; 1534 1535 struct a { 1536 long pnamep; /* char * */ 1537 long fmode; 1538 long dev; 1539 } *uap = (struct a *)clwp->lwp_ap; 1540 1541 /* no error, then already path token in audit record */ 1542 if (error != EPERM) 1543 return; 1544 1545 /* not auditing this event, nothing then to do */ 1546 if (tad->tad_flag == 0) 1547 return; 1548 1549 /* do the lookup to force generation of path token */ 1550 pnamep = (caddr_t)uap->pnamep; 1551 tad->tad_ctrl |= PAD_NOATTRB; 1552 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1553 if (error == 0) 1554 VN_RELE(dvp); 1555 } 1556 1557 /*ARGSUSED*/ 1558 static void 1559 aus_mount(struct t_audit_data *tad) 1560 { /* AUS_START */ 1561 klwp_t *clwp = ttolwp(curthread); 1562 uint32_t flags; 1563 uintptr_t u_fstype, dataptr; 1564 STRUCT_DECL(nfs_args, nfsargs); 1565 size_t len; 1566 char *fstype, *hostname; 1567 1568 struct a { 1569 long spec; /* char * */ 1570 long dir; /* char * */ 1571 long flags; 1572 long fstype; /* char * */ 1573 long dataptr; /* char * */ 1574 long datalen; 1575 } *uap = (struct a *)clwp->lwp_ap; 1576 1577 u_fstype = (uintptr_t)uap->fstype; 1578 flags = (uint32_t)uap->flags; 1579 dataptr = (uintptr_t)uap->dataptr; 1580 1581 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1582 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1583 goto mount_free_fstype; 1584 1585 au_uwrite(au_to_arg32(3, "flags", flags)); 1586 au_uwrite(au_to_text(fstype)); 1587 1588 if (strncmp(fstype, "nfs", 3) == 0) { 1589 1590 STRUCT_INIT(nfsargs, get_udatamodel()); 1591 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1592 1593 if (copyin((caddr_t)dataptr, 1594 STRUCT_BUF(nfsargs), 1595 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1596 /* DEBUG debug_enter((char *)NULL); */ 1597 goto mount_free_fstype; 1598 } 1599 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1600 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1601 (caddr_t)hostname, 1602 MAXNAMELEN, &len)) { 1603 goto mount_free_hostname; 1604 } 1605 au_uwrite(au_to_text(hostname)); 1606 au_uwrite(au_to_arg32(3, "internal flags", 1607 (uint_t)STRUCT_FGET(nfsargs, flags))); 1608 1609 mount_free_hostname: 1610 kmem_free(hostname, MAXNAMELEN); 1611 } 1612 1613 mount_free_fstype: 1614 kmem_free(fstype, MAXNAMELEN); 1615 } /* AUS_MOUNT */ 1616 1617 static void 1618 aus_umount_path(caddr_t umount_dir) 1619 { 1620 char *dir_path; 1621 struct audit_path *path; 1622 size_t path_len, dir_len; 1623 1624 /* length alloc'd for two string pointers */ 1625 path_len = sizeof (struct audit_path) + sizeof (char *); 1626 path = kmem_alloc(path_len, KM_SLEEP); 1627 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1628 1629 if (copyinstr(umount_dir, (caddr_t)dir_path, 1630 MAXPATHLEN, &dir_len)) 1631 goto umount2_free_dir; 1632 1633 /* 1634 * the audit_path struct assumes that the buffer pointed to 1635 * by audp_sect[n] contains string 0 immediatedly followed 1636 * by string 1. 1637 */ 1638 path->audp_sect[0] = dir_path; 1639 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1640 path->audp_size = path_len; 1641 path->audp_ref = 1; /* not used */ 1642 path->audp_cnt = 1; /* one path string */ 1643 1644 au_uwrite(au_to_path(path)); 1645 1646 umount2_free_dir: 1647 kmem_free(dir_path, MAXPATHLEN); 1648 kmem_free(path, path_len); 1649 } 1650 1651 /*ARGSUSED*/ 1652 static void 1653 aus_umount2(struct t_audit_data *tad) 1654 { 1655 klwp_t *clwp = ttolwp(curthread); 1656 struct a { 1657 long dir; /* char * */ 1658 long flags; 1659 } *uap = (struct a *)clwp->lwp_ap; 1660 1661 aus_umount_path((caddr_t)uap->dir); 1662 1663 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1664 } 1665 1666 static void 1667 aus_msgsys(struct t_audit_data *tad) 1668 { 1669 klwp_t *clwp = ttolwp(curthread); 1670 uint32_t msgid; 1671 1672 struct b { 1673 long msgid; 1674 long cmd; 1675 long buf; /* struct msqid_ds * */ 1676 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1677 1678 msgid = (uint32_t)uap1->msgid; 1679 1680 1681 switch (tad->tad_event) { 1682 case AUE_MSGGET: /* msgget */ 1683 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1684 break; 1685 case AUE_MSGCTL: /* msgctl */ 1686 case AUE_MSGCTL_RMID: /* msgctl */ 1687 case AUE_MSGCTL_SET: /* msgctl */ 1688 case AUE_MSGCTL_STAT: /* msgctl */ 1689 case AUE_MSGRCV: /* msgrcv */ 1690 case AUE_MSGSND: /* msgsnd */ 1691 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1692 break; 1693 } 1694 } 1695 1696 /*ARGSUSED*/ 1697 static void 1698 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1699 { 1700 int id; 1701 1702 if (error != 0) 1703 return; 1704 if (tad->tad_event == AUE_MSGGET) { 1705 uint32_t scid; 1706 uint32_t sy_flags; 1707 1708 /* need to determine type of executing binary */ 1709 scid = tad->tad_scid; 1710 #ifdef _SYSCALL32_IMPL 1711 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1712 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1713 else 1714 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1715 #else 1716 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1717 #endif 1718 if (sy_flags == SE_32RVAL1) 1719 id = rval->r_val1; 1720 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1721 id = rval->r_val1; 1722 if (sy_flags == SE_64RVAL) 1723 id = (int)rval->r_vals; 1724 1725 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1726 } 1727 } 1728 1729 static void 1730 aus_semsys(struct t_audit_data *tad) 1731 { 1732 klwp_t *clwp = ttolwp(curthread); 1733 uint32_t semid; 1734 1735 struct b { /* ctrl */ 1736 long semid; 1737 long semnum; 1738 long cmd; 1739 long arg; 1740 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1741 1742 semid = (uint32_t)uap1->semid; 1743 1744 switch (tad->tad_event) { 1745 case AUE_SEMCTL_RMID: 1746 case AUE_SEMCTL_STAT: 1747 case AUE_SEMCTL_GETNCNT: 1748 case AUE_SEMCTL_GETPID: 1749 case AUE_SEMCTL_GETVAL: 1750 case AUE_SEMCTL_GETALL: 1751 case AUE_SEMCTL_GETZCNT: 1752 case AUE_SEMCTL_SET: 1753 case AUE_SEMCTL_SETVAL: 1754 case AUE_SEMCTL_SETALL: 1755 case AUE_SEMCTL: 1756 case AUE_SEMOP: 1757 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1758 break; 1759 case AUE_SEMGET: 1760 au_uwrite(au_to_arg32(1, "sem key", semid)); 1761 break; 1762 } 1763 } 1764 1765 /*ARGSUSED*/ 1766 static void 1767 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1768 { 1769 int id; 1770 1771 if (error != 0) 1772 return; 1773 if (tad->tad_event == AUE_SEMGET) { 1774 uint32_t scid; 1775 uint32_t sy_flags; 1776 1777 /* need to determine type of executing binary */ 1778 scid = tad->tad_scid; 1779 #ifdef _SYSCALL32_IMPL 1780 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1781 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1782 else 1783 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1784 #else 1785 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1786 #endif 1787 if (sy_flags == SE_32RVAL1) 1788 id = rval->r_val1; 1789 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1790 id = rval->r_val1; 1791 if (sy_flags == SE_64RVAL) 1792 id = (int)rval->r_vals; 1793 1794 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1795 } 1796 } 1797 1798 /*ARGSUSED*/ 1799 static void 1800 aus_close(struct t_audit_data *tad) 1801 { 1802 klwp_t *clwp = ttolwp(curthread); 1803 uint32_t fd; 1804 struct file *fp; 1805 struct f_audit_data *fad; 1806 struct vnode *vp; 1807 struct vattr attr; 1808 au_kcontext_t *kctx = GET_KCTX_PZ; 1809 1810 struct a { 1811 long i; 1812 } *uap = (struct a *)clwp->lwp_ap; 1813 1814 fd = (uint32_t)uap->i; 1815 1816 attr.va_mask = 0; 1817 au_uwrite(au_to_arg32(1, "fd", fd)); 1818 1819 /* 1820 * convert file pointer to file descriptor 1821 * Note: fd ref count incremented here. 1822 */ 1823 if ((fp = getf(fd)) == NULL) 1824 return; 1825 1826 fad = F2A(fp); 1827 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1828 if (fad->fad_aupath != NULL) { 1829 au_uwrite(au_to_path(fad->fad_aupath)); 1830 if ((vp = fp->f_vnode) != NULL) { 1831 attr.va_mask = AT_ALL; 1832 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1833 /* 1834 * When write was not used and the file can be 1835 * considered public, skip the audit. 1836 */ 1837 if (((fp->f_flag & FWRITE) == 0) && 1838 file_is_public(&attr)) { 1839 tad->tad_flag = 0; 1840 tad->tad_evmod = 0; 1841 /* free any residual audit data */ 1842 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 1843 releasef(fd); 1844 return; 1845 } 1846 au_uwrite(au_to_attr(&attr)); 1847 audit_sec_attributes(&(u_ad), vp); 1848 } 1849 } 1850 } 1851 1852 /* decrement file descriptor reference count */ 1853 releasef(fd); 1854 } 1855 1856 /*ARGSUSED*/ 1857 static void 1858 aus_fstatfs(struct t_audit_data *tad) 1859 { 1860 klwp_t *clwp = ttolwp(curthread); 1861 uint32_t fd; 1862 struct file *fp; 1863 struct vnode *vp; 1864 struct f_audit_data *fad; 1865 1866 struct a { 1867 long fd; 1868 long buf; /* struct statfs * */ 1869 } *uap = (struct a *)clwp->lwp_ap; 1870 1871 fd = (uint_t)uap->fd; 1872 1873 /* 1874 * convert file pointer to file descriptor 1875 * Note: fd ref count incremented here. 1876 */ 1877 if ((fp = getf(fd)) == NULL) 1878 return; 1879 1880 /* get path from file struct here */ 1881 fad = F2A(fp); 1882 if (fad->fad_aupath != NULL) { 1883 au_uwrite(au_to_path(fad->fad_aupath)); 1884 } else { 1885 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1886 } 1887 1888 vp = fp->f_vnode; 1889 audit_attributes(vp); 1890 1891 /* decrement file descriptor reference count */ 1892 releasef(fd); 1893 } 1894 1895 static au_event_t 1896 aui_setpgrp(au_event_t e) 1897 { 1898 klwp_t *clwp = ttolwp(curthread); 1899 int flag; 1900 1901 struct a { 1902 long flag; 1903 long pid; 1904 long pgid; 1905 } *uap = (struct a *)clwp->lwp_ap; 1906 1907 flag = (int)uap->flag; 1908 1909 1910 switch (flag) { 1911 1912 case 1: /* setpgrp() */ 1913 e = AUE_SETPGRP; 1914 break; 1915 1916 case 3: /* setsid() */ 1917 e = AUE_SETSID; 1918 break; 1919 1920 case 5: /* setpgid() */ 1921 e = AUE_SETPGID; 1922 break; 1923 1924 case 0: /* getpgrp() - not security relevant */ 1925 case 2: /* getsid() - not security relevant */ 1926 case 4: /* getpgid() - not security relevant */ 1927 e = AUE_NULL; 1928 break; 1929 1930 default: 1931 e = AUE_NULL; 1932 break; 1933 } 1934 1935 return (e); 1936 } 1937 1938 /*ARGSUSED*/ 1939 static void 1940 aus_setpgrp(struct t_audit_data *tad) 1941 { 1942 klwp_t *clwp = ttolwp(curthread); 1943 pid_t pgid; 1944 struct proc *p; 1945 uid_t uid, ruid; 1946 gid_t gid, rgid; 1947 pid_t pid; 1948 cred_t *cr; 1949 int flag; 1950 const auditinfo_addr_t *ainfo; 1951 1952 struct a { 1953 long flag; 1954 long pid; 1955 long pgid; 1956 } *uap = (struct a *)clwp->lwp_ap; 1957 1958 flag = (int)uap->flag; 1959 pid = (pid_t)uap->pid; 1960 pgid = (pid_t)uap->pgid; 1961 1962 1963 switch (flag) { 1964 1965 case 0: /* getpgrp() */ 1966 case 1: /* setpgrp() */ 1967 case 2: /* getsid() */ 1968 case 3: /* setsid() */ 1969 case 4: /* getpgid() */ 1970 break; 1971 1972 case 5: /* setpgid() */ 1973 1974 /* current process? */ 1975 if (pid == 0) { 1976 return; 1977 } 1978 1979 mutex_enter(&pidlock); 1980 p = prfind(pid); 1981 if (p == NULL || p->p_as == &kas || 1982 p->p_stat == SIDL || p->p_stat == SZOMB) { 1983 mutex_exit(&pidlock); 1984 return; 1985 } 1986 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1987 mutex_exit(&pidlock); 1988 1989 mutex_enter(&p->p_crlock); 1990 crhold(cr = p->p_cred); 1991 mutex_exit(&p->p_crlock); 1992 mutex_exit(&p->p_lock); 1993 1994 ainfo = crgetauinfo(cr); 1995 if (ainfo == NULL) { 1996 crfree(cr); 1997 return; 1998 } 1999 2000 uid = crgetuid(cr); 2001 gid = crgetgid(cr); 2002 ruid = crgetruid(cr); 2003 rgid = crgetrgid(cr); 2004 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2005 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2006 crfree(cr); 2007 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2008 break; 2009 2010 default: 2011 break; 2012 } 2013 } 2014 2015 2016 /*ARGSUSED*/ 2017 static void 2018 aus_setregid(struct t_audit_data *tad) 2019 { 2020 klwp_t *clwp = ttolwp(curthread); 2021 uint32_t rgid, egid; 2022 2023 struct a { 2024 long rgid; 2025 long egid; 2026 } *uap = (struct a *)clwp->lwp_ap; 2027 2028 rgid = (uint32_t)uap->rgid; 2029 egid = (uint32_t)uap->egid; 2030 2031 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2032 au_uwrite(au_to_arg32(2, "egid", egid)); 2033 } 2034 2035 /*ARGSUSED*/ 2036 static void 2037 aus_setgid(struct t_audit_data *tad) 2038 { 2039 klwp_t *clwp = ttolwp(curthread); 2040 uint32_t gid; 2041 2042 struct a { 2043 long gid; 2044 } *uap = (struct a *)clwp->lwp_ap; 2045 2046 gid = (uint32_t)uap->gid; 2047 2048 au_uwrite(au_to_arg32(1, "gid", gid)); 2049 } 2050 2051 2052 /*ARGSUSED*/ 2053 static void 2054 aus_setreuid(struct t_audit_data *tad) 2055 { 2056 klwp_t *clwp = ttolwp(curthread); 2057 uint32_t ruid, euid; 2058 2059 struct a { 2060 long ruid; 2061 long euid; 2062 } *uap = (struct a *)clwp->lwp_ap; 2063 2064 ruid = (uint32_t)uap->ruid; 2065 euid = (uint32_t)uap->euid; 2066 2067 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2068 au_uwrite(au_to_arg32(2, "euid", euid)); 2069 } 2070 2071 2072 /*ARGSUSED*/ 2073 static void 2074 aus_setuid(struct t_audit_data *tad) 2075 { 2076 klwp_t *clwp = ttolwp(curthread); 2077 uint32_t uid; 2078 2079 struct a { 2080 long uid; 2081 } *uap = (struct a *)clwp->lwp_ap; 2082 2083 uid = (uint32_t)uap->uid; 2084 2085 au_uwrite(au_to_arg32(1, "uid", uid)); 2086 } 2087 2088 /*ARGSUSED*/ 2089 static void 2090 aus_shmsys(struct t_audit_data *tad) 2091 { 2092 klwp_t *clwp = ttolwp(curthread); 2093 uint32_t id, cmd; 2094 2095 struct b { 2096 long id; 2097 long cmd; 2098 long buf; /* struct shmid_ds * */ 2099 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2100 2101 id = (uint32_t)uap1->id; 2102 cmd = (uint32_t)uap1->cmd; 2103 2104 switch (tad->tad_event) { 2105 case AUE_SHMGET: /* shmget */ 2106 au_uwrite(au_to_arg32(1, "shm key", id)); 2107 break; 2108 case AUE_SHMCTL: /* shmctl */ 2109 case AUE_SHMCTL_RMID: /* shmctl */ 2110 case AUE_SHMCTL_STAT: /* shmctl */ 2111 case AUE_SHMCTL_SET: /* shmctl */ 2112 au_uwrite(au_to_arg32(1, "shm ID", id)); 2113 break; 2114 case AUE_SHMDT: /* shmdt */ 2115 au_uwrite(au_to_arg32(1, "shm adr", id)); 2116 break; 2117 case AUE_SHMAT: /* shmat */ 2118 au_uwrite(au_to_arg32(1, "shm ID", id)); 2119 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2120 break; 2121 } 2122 } 2123 2124 /*ARGSUSED*/ 2125 static void 2126 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2127 { 2128 int id; 2129 2130 if (error != 0) 2131 return; 2132 if (tad->tad_event == AUE_SHMGET) { 2133 uint32_t scid; 2134 uint32_t sy_flags; 2135 2136 /* need to determine type of executing binary */ 2137 scid = tad->tad_scid; 2138 #ifdef _SYSCALL32_IMPL 2139 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2140 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2141 else 2142 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2143 #else 2144 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2145 #endif 2146 if (sy_flags == SE_32RVAL1) 2147 id = rval->r_val1; 2148 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2149 id = rval->r_val1; 2150 if (sy_flags == SE_64RVAL) 2151 id = (int)rval->r_vals; 2152 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2153 } 2154 } 2155 2156 2157 /*ARGSUSED*/ 2158 static void 2159 aus_ioctl(struct t_audit_data *tad) 2160 { 2161 klwp_t *clwp = ttolwp(curthread); 2162 struct file *fp; 2163 struct vnode *vp; 2164 struct f_audit_data *fad; 2165 uint32_t fd, cmd; 2166 uintptr_t cmarg; 2167 2168 /* XX64 */ 2169 struct a { 2170 long fd; 2171 long cmd; 2172 long cmarg; /* caddr_t */ 2173 } *uap = (struct a *)clwp->lwp_ap; 2174 2175 fd = (uint32_t)uap->fd; 2176 cmd = (uint32_t)uap->cmd; 2177 cmarg = (uintptr_t)uap->cmarg; 2178 2179 /* 2180 * convert file pointer to file descriptor 2181 * Note: fd ref count incremented here. 2182 */ 2183 if ((fp = getf(fd)) == NULL) { 2184 au_uwrite(au_to_arg32(1, "fd", fd)); 2185 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2186 #ifndef _LP64 2187 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2188 #else 2189 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2190 #endif 2191 return; 2192 } 2193 2194 /* get path from file struct here */ 2195 fad = F2A(fp); 2196 if (fad->fad_aupath != NULL) { 2197 au_uwrite(au_to_path(fad->fad_aupath)); 2198 } else { 2199 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2200 } 2201 2202 vp = fp->f_vnode; 2203 audit_attributes(vp); 2204 2205 /* decrement file descriptor reference count */ 2206 releasef(fd); 2207 2208 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2209 #ifndef _LP64 2210 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2211 #else 2212 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2213 #endif 2214 } 2215 2216 /* 2217 * null function for memcntl for now. We might want to limit memcntl() 2218 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2219 * require privileges. 2220 */ 2221 static au_event_t 2222 aui_memcntl(au_event_t e) 2223 { 2224 return (e); 2225 } 2226 2227 /*ARGSUSED*/ 2228 static au_event_t 2229 aui_privsys(au_event_t e) 2230 { 2231 klwp_t *clwp = ttolwp(curthread); 2232 2233 struct a { 2234 long opcode; 2235 } *uap = (struct a *)clwp->lwp_ap; 2236 2237 switch (uap->opcode) { 2238 case PRIVSYS_SETPPRIV: 2239 return (AUE_SETPPRIV); 2240 default: 2241 return (AUE_NULL); 2242 } 2243 } 2244 2245 /*ARGSUSED*/ 2246 static void 2247 aus_memcntl(struct t_audit_data *tad) 2248 { 2249 klwp_t *clwp = ttolwp(curthread); 2250 2251 struct a { 2252 long addr; 2253 long len; 2254 long cmd; 2255 long arg; 2256 long attr; 2257 long mask; 2258 } *uap = (struct a *)clwp->lwp_ap; 2259 2260 #ifdef _LP64 2261 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2262 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2263 #else 2264 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2265 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2266 #endif 2267 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2268 #ifdef _LP64 2269 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2270 #else 2271 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2272 #endif 2273 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2274 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2275 } 2276 2277 /*ARGSUSED*/ 2278 static void 2279 aus_mmap(struct t_audit_data *tad) 2280 { 2281 klwp_t *clwp = ttolwp(curthread); 2282 struct file *fp; 2283 struct f_audit_data *fad; 2284 struct vnode *vp; 2285 uint32_t fd; 2286 2287 struct a { 2288 long addr; 2289 long len; 2290 long prot; 2291 long flags; 2292 long fd; 2293 long pos; 2294 } *uap = (struct a *)clwp->lwp_ap; 2295 2296 fd = (uint32_t)uap->fd; 2297 2298 #ifdef _LP64 2299 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2300 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2301 #else 2302 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2303 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2304 #endif 2305 2306 if ((fp = getf(fd)) == NULL) { 2307 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2308 return; 2309 } 2310 2311 /* 2312 * Mark in the tad if write access is NOT requested... if 2313 * this is later detected (in audit_attributes) to be a 2314 * public object, the mmap event may be discarded. 2315 */ 2316 if (((uap->prot) & PROT_WRITE) == 0) { 2317 tad->tad_ctrl |= PAD_PUBLIC_EV; 2318 } 2319 2320 fad = F2A(fp); 2321 if (fad->fad_aupath != NULL) { 2322 au_uwrite(au_to_path(fad->fad_aupath)); 2323 } else { 2324 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2325 } 2326 2327 vp = (struct vnode *)fp->f_vnode; 2328 audit_attributes(vp); 2329 2330 /* mark READ/WRITE since we can't predict access */ 2331 if (uap->prot & PROT_READ) 2332 fad->fad_flags |= FAD_READ; 2333 if (uap->prot & PROT_WRITE) 2334 fad->fad_flags |= FAD_WRITE; 2335 2336 /* decrement file descriptor reference count */ 2337 releasef(fd); 2338 2339 } /* AUS_MMAP */ 2340 2341 2342 2343 2344 /*ARGSUSED*/ 2345 static void 2346 aus_munmap(struct t_audit_data *tad) 2347 { 2348 klwp_t *clwp = ttolwp(curthread); 2349 2350 struct a { 2351 long addr; 2352 long len; 2353 } *uap = (struct a *)clwp->lwp_ap; 2354 2355 #ifdef _LP64 2356 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2357 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2358 #else 2359 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2360 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2361 #endif 2362 2363 } /* AUS_MUNMAP */ 2364 2365 2366 2367 2368 2369 2370 2371 /*ARGSUSED*/ 2372 static void 2373 aus_priocntlsys(struct t_audit_data *tad) 2374 { 2375 klwp_t *clwp = ttolwp(curthread); 2376 2377 struct a { 2378 long pc_version; 2379 long psp; /* procset_t */ 2380 long cmd; 2381 long arg; 2382 } *uap = (struct a *)clwp->lwp_ap; 2383 2384 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2385 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2386 2387 } /* AUS_PRIOCNTLSYS */ 2388 2389 2390 /*ARGSUSED*/ 2391 static void 2392 aus_setegid(struct t_audit_data *tad) 2393 { 2394 klwp_t *clwp = ttolwp(curthread); 2395 uint32_t gid; 2396 2397 struct a { 2398 long gid; 2399 } *uap = (struct a *)clwp->lwp_ap; 2400 2401 gid = (uint32_t)uap->gid; 2402 2403 au_uwrite(au_to_arg32(1, "gid", gid)); 2404 } /* AUS_SETEGID */ 2405 2406 2407 2408 2409 /*ARGSUSED*/ 2410 static void 2411 aus_setgroups(struct t_audit_data *tad) 2412 { 2413 klwp_t *clwp = ttolwp(curthread); 2414 int i; 2415 int gidsetsize; 2416 uintptr_t gidset; 2417 gid_t *gidlist; 2418 2419 struct a { 2420 long gidsetsize; 2421 long gidset; 2422 } *uap = (struct a *)clwp->lwp_ap; 2423 2424 gidsetsize = (uint_t)uap->gidsetsize; 2425 gidset = (uintptr_t)uap->gidset; 2426 2427 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2428 return; 2429 if (gidsetsize != 0) { 2430 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2431 KM_SLEEP); 2432 if (copyin((caddr_t)gidset, gidlist, 2433 gidsetsize * sizeof (gid_t)) == 0) 2434 for (i = 0; i < gidsetsize; i++) 2435 au_uwrite(au_to_arg32(1, "setgroups", 2436 (uint32_t)gidlist[i])); 2437 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2438 } else 2439 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2440 2441 } /* AUS_SETGROUPS */ 2442 2443 2444 2445 2446 2447 /*ARGSUSED*/ 2448 static void 2449 aus_seteuid(struct t_audit_data *tad) 2450 { 2451 klwp_t *clwp = ttolwp(curthread); 2452 uint32_t uid; 2453 2454 struct a { 2455 long uid; 2456 } *uap = (struct a *)clwp->lwp_ap; 2457 2458 uid = (uint32_t)uap->uid; 2459 2460 au_uwrite(au_to_arg32(1, "euid", uid)); 2461 2462 } /* AUS_SETEUID */ 2463 2464 /*ARGSUSED*/ 2465 static void 2466 aus_putmsg(struct t_audit_data *tad) 2467 { 2468 klwp_t *clwp = ttolwp(curthread); 2469 uint32_t fd, pri; 2470 struct file *fp; 2471 struct f_audit_data *fad; 2472 2473 struct a { 2474 long fdes; 2475 long ctl; /* struct strbuf * */ 2476 long data; /* struct strbuf * */ 2477 long pri; 2478 } *uap = (struct a *)clwp->lwp_ap; 2479 2480 fd = (uint32_t)uap->fdes; 2481 pri = (uint32_t)uap->pri; 2482 2483 au_uwrite(au_to_arg32(1, "fd", fd)); 2484 2485 if ((fp = getf(fd)) != NULL) { 2486 fad = F2A(fp); 2487 2488 fad->fad_flags |= FAD_WRITE; 2489 2490 /* add path name to audit record */ 2491 if (fad->fad_aupath != NULL) { 2492 au_uwrite(au_to_path(fad->fad_aupath)); 2493 } 2494 audit_attributes(fp->f_vnode); 2495 2496 releasef(fd); 2497 } 2498 2499 au_uwrite(au_to_arg32(4, "pri", pri)); 2500 } 2501 2502 /*ARGSUSED*/ 2503 static void 2504 aus_putpmsg(struct t_audit_data *tad) 2505 { 2506 klwp_t *clwp = ttolwp(curthread); 2507 uint32_t fd, pri, flags; 2508 struct file *fp; 2509 struct f_audit_data *fad; 2510 2511 struct a { 2512 long fdes; 2513 long ctl; /* struct strbuf * */ 2514 long data; /* struct strbuf * */ 2515 long pri; 2516 long flags; 2517 } *uap = (struct a *)clwp->lwp_ap; 2518 2519 fd = (uint32_t)uap->fdes; 2520 pri = (uint32_t)uap->pri; 2521 flags = (uint32_t)uap->flags; 2522 2523 au_uwrite(au_to_arg32(1, "fd", fd)); 2524 2525 if ((fp = getf(fd)) != NULL) { 2526 fad = F2A(fp); 2527 2528 fad->fad_flags |= FAD_WRITE; 2529 2530 /* add path name to audit record */ 2531 if (fad->fad_aupath != NULL) { 2532 au_uwrite(au_to_path(fad->fad_aupath)); 2533 } 2534 audit_attributes(fp->f_vnode); 2535 2536 releasef(fd); 2537 } 2538 2539 2540 au_uwrite(au_to_arg32(4, "pri", pri)); 2541 au_uwrite(au_to_arg32(5, "flags", flags)); 2542 } 2543 2544 /*ARGSUSED*/ 2545 static void 2546 aus_getmsg(struct t_audit_data *tad) 2547 { 2548 klwp_t *clwp = ttolwp(curthread); 2549 uint32_t fd, pri; 2550 struct file *fp; 2551 struct f_audit_data *fad; 2552 2553 struct a { 2554 long fdes; 2555 long ctl; /* struct strbuf * */ 2556 long data; /* struct strbuf * */ 2557 long pri; 2558 } *uap = (struct a *)clwp->lwp_ap; 2559 2560 fd = (uint32_t)uap->fdes; 2561 pri = (uint32_t)uap->pri; 2562 2563 au_uwrite(au_to_arg32(1, "fd", fd)); 2564 2565 if ((fp = getf(fd)) != NULL) { 2566 fad = F2A(fp); 2567 2568 /* 2569 * read operation on this object 2570 */ 2571 fad->fad_flags |= FAD_READ; 2572 2573 /* add path name to audit record */ 2574 if (fad->fad_aupath != NULL) { 2575 au_uwrite(au_to_path(fad->fad_aupath)); 2576 } 2577 audit_attributes(fp->f_vnode); 2578 2579 releasef(fd); 2580 } 2581 2582 au_uwrite(au_to_arg32(4, "pri", pri)); 2583 } 2584 2585 /*ARGSUSED*/ 2586 static void 2587 aus_getpmsg(struct t_audit_data *tad) 2588 { 2589 klwp_t *clwp = ttolwp(curthread); 2590 uint32_t fd; 2591 struct file *fp; 2592 struct f_audit_data *fad; 2593 2594 struct a { 2595 long fdes; 2596 long ctl; /* struct strbuf * */ 2597 long data; /* struct strbuf * */ 2598 long pri; 2599 long flags; 2600 } *uap = (struct a *)clwp->lwp_ap; 2601 2602 fd = (uint32_t)uap->fdes; 2603 2604 au_uwrite(au_to_arg32(1, "fd", fd)); 2605 2606 if ((fp = getf(fd)) != NULL) { 2607 fad = F2A(fp); 2608 2609 /* 2610 * read operation on this object 2611 */ 2612 fad->fad_flags |= FAD_READ; 2613 2614 /* add path name to audit record */ 2615 if (fad->fad_aupath != NULL) { 2616 au_uwrite(au_to_path(fad->fad_aupath)); 2617 } 2618 audit_attributes(fp->f_vnode); 2619 2620 releasef(fd); 2621 } 2622 } 2623 2624 static au_event_t 2625 aui_labelsys(au_event_t e) 2626 { 2627 klwp_t *clwp = ttolwp(curthread); 2628 uint32_t code; 2629 uint32_t cmd; 2630 2631 struct a { 2632 long code; 2633 long cmd; 2634 } *uap = (struct a *)clwp->lwp_ap; 2635 2636 code = (uint32_t)uap->code; 2637 cmd = (uint32_t)uap->cmd; 2638 2639 /* not security relevant if not changing kernel cache */ 2640 if (cmd == TNDB_GET) 2641 return (AUE_NULL); 2642 2643 switch (code) { 2644 case TSOL_TNRH: 2645 e = AUE_LABELSYS_TNRH; 2646 break; 2647 case TSOL_TNRHTP: 2648 e = AUE_LABELSYS_TNRHTP; 2649 break; 2650 case TSOL_TNMLP: 2651 e = AUE_LABELSYS_TNMLP; 2652 break; 2653 default: 2654 e = AUE_NULL; 2655 break; 2656 } 2657 2658 return (e); 2659 2660 } 2661 2662 static void 2663 aus_labelsys(struct t_audit_data *tad) 2664 { 2665 klwp_t *clwp = ttolwp(curthread); 2666 uint32_t cmd; 2667 uintptr_t a2; 2668 2669 struct a { 2670 long code; 2671 long cmd; 2672 long a2; 2673 } *uap = (struct a *)clwp->lwp_ap; 2674 2675 cmd = (uint32_t)uap->cmd; 2676 a2 = (uintptr_t)uap->a2; 2677 2678 switch (tad->tad_event) { 2679 case AUE_LABELSYS_TNRH: 2680 { 2681 tsol_rhent_t *rhent; 2682 tnaddr_t *rh_addr; 2683 2684 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2685 2686 /* Remaining args don't apply for FLUSH, so skip */ 2687 if (cmd == TNDB_FLUSH) 2688 break; 2689 2690 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2691 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2692 kmem_free(rhent, sizeof (tsol_rhent_t)); 2693 return; 2694 } 2695 2696 rh_addr = &rhent->rh_address; 2697 if (rh_addr->ta_family == AF_INET) { 2698 struct in_addr *ipaddr; 2699 2700 ipaddr = &(rh_addr->ta_addr_v4); 2701 au_uwrite(au_to_in_addr(ipaddr)); 2702 } else if (rh_addr->ta_family == AF_INET6) { 2703 int32_t *ipaddr; 2704 2705 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2706 au_uwrite(au_to_in_addr_ex(ipaddr)); 2707 } 2708 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2709 2710 kmem_free(rhent, sizeof (tsol_rhent_t)); 2711 2712 break; 2713 } 2714 case AUE_LABELSYS_TNRHTP: 2715 { 2716 tsol_tpent_t *tpent; 2717 2718 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2719 2720 /* Remaining args don't apply for FLUSH, so skip */ 2721 if (cmd == TNDB_FLUSH) 2722 break; 2723 2724 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2725 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2726 kmem_free(tpent, sizeof (tsol_tpent_t)); 2727 return; 2728 } 2729 2730 /* Make sure that the template name is null-terminated. */ 2731 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2732 2733 au_uwrite(au_to_text(tpent->name)); 2734 kmem_free(tpent, sizeof (tsol_tpent_t)); 2735 2736 break; 2737 } 2738 case AUE_LABELSYS_TNMLP: 2739 { 2740 tsol_mlpent_t *mlpent; 2741 2742 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2743 2744 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2745 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2746 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2747 return; 2748 } 2749 2750 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2751 au_uwrite(au_to_text("shared")); 2752 } else { 2753 zone_t *zone; 2754 2755 zone = zone_find_by_id(mlpent->tsme_zoneid); 2756 if (zone != NULL) { 2757 au_uwrite(au_to_text(zone->zone_name)); 2758 zone_rele(zone); 2759 } 2760 } 2761 2762 /* Remaining args don't apply for FLUSH, so skip */ 2763 if (cmd == TNDB_FLUSH) { 2764 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2765 break; 2766 } 2767 2768 au_uwrite(au_to_arg32(2, "proto num", 2769 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2770 au_uwrite(au_to_arg32(2, "mlp_port", 2771 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2772 2773 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2774 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2775 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2776 2777 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2778 2779 break; 2780 } 2781 default: 2782 break; 2783 } 2784 } 2785 2786 2787 static au_event_t 2788 aui_auditsys(au_event_t e) 2789 { 2790 klwp_t *clwp = ttolwp(curthread); 2791 uint32_t code; 2792 2793 struct a { 2794 long code; 2795 long a1; 2796 long a2; 2797 long a3; 2798 long a4; 2799 long a5; 2800 long a6; 2801 long a7; 2802 } *uap = (struct a *)clwp->lwp_ap; 2803 2804 code = (uint32_t)uap->code; 2805 2806 switch (code) { 2807 2808 case BSM_GETAUID: 2809 e = AUE_GETAUID; 2810 break; 2811 case BSM_SETAUID: 2812 e = AUE_SETAUID; 2813 break; 2814 case BSM_GETAUDIT: 2815 e = AUE_GETAUDIT; 2816 break; 2817 case BSM_GETAUDIT_ADDR: 2818 e = AUE_GETAUDIT_ADDR; 2819 break; 2820 case BSM_SETAUDIT: 2821 e = AUE_SETAUDIT; 2822 break; 2823 case BSM_SETAUDIT_ADDR: 2824 e = AUE_SETAUDIT_ADDR; 2825 break; 2826 case BSM_AUDIT: 2827 e = AUE_AUDIT; 2828 break; 2829 case BSM_AUDITCTL: 2830 switch ((uint_t)uap->a1) { 2831 2832 case A_GETPOLICY: 2833 e = AUE_AUDITON_GPOLICY; 2834 break; 2835 case A_SETPOLICY: 2836 e = AUE_AUDITON_SPOLICY; 2837 break; 2838 case A_GETKMASK: 2839 e = AUE_AUDITON_GETKMASK; 2840 break; 2841 case A_SETKMASK: 2842 e = AUE_AUDITON_SETKMASK; 2843 break; 2844 case A_GETQCTRL: 2845 e = AUE_AUDITON_GQCTRL; 2846 break; 2847 case A_SETQCTRL: 2848 e = AUE_AUDITON_SQCTRL; 2849 break; 2850 case A_GETCWD: 2851 e = AUE_AUDITON_GETCWD; 2852 break; 2853 case A_GETCAR: 2854 e = AUE_AUDITON_GETCAR; 2855 break; 2856 case A_GETSTAT: 2857 e = AUE_AUDITON_GETSTAT; 2858 break; 2859 case A_SETSTAT: 2860 e = AUE_AUDITON_SETSTAT; 2861 break; 2862 case A_SETUMASK: 2863 e = AUE_AUDITON_SETUMASK; 2864 break; 2865 case A_SETSMASK: 2866 e = AUE_AUDITON_SETSMASK; 2867 break; 2868 case A_GETCOND: 2869 e = AUE_AUDITON_GETCOND; 2870 break; 2871 case A_SETCOND: 2872 e = AUE_AUDITON_SETCOND; 2873 break; 2874 case A_GETCLASS: 2875 e = AUE_AUDITON_GETCLASS; 2876 break; 2877 case A_SETCLASS: 2878 e = AUE_AUDITON_SETCLASS; 2879 break; 2880 default: 2881 e = AUE_NULL; 2882 break; 2883 } 2884 break; 2885 default: 2886 e = AUE_NULL; 2887 break; 2888 } 2889 2890 return (e); 2891 2892 } /* AUI_AUDITSYS */ 2893 2894 2895 static void 2896 aus_auditsys(struct t_audit_data *tad) 2897 { 2898 klwp_t *clwp = ttolwp(curthread); 2899 uintptr_t a1, a2; 2900 STRUCT_DECL(auditinfo, ainfo); 2901 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2902 au_evclass_map_t event; 2903 au_mask_t mask; 2904 int auditstate, policy; 2905 au_id_t auid; 2906 2907 2908 struct a { 2909 long code; 2910 long a1; 2911 long a2; 2912 long a3; 2913 long a4; 2914 long a5; 2915 long a6; 2916 long a7; 2917 } *uap = (struct a *)clwp->lwp_ap; 2918 2919 a1 = (uintptr_t)uap->a1; 2920 a2 = (uintptr_t)uap->a2; 2921 2922 switch (tad->tad_event) { 2923 case AUE_SETAUID: 2924 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2925 return; 2926 au_uwrite(au_to_arg32(2, "setauid", auid)); 2927 break; 2928 case AUE_SETAUDIT: 2929 STRUCT_INIT(ainfo, get_udatamodel()); 2930 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2931 STRUCT_SIZE(ainfo))) { 2932 return; 2933 } 2934 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2935 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2936 #ifdef _LP64 2937 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2938 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2939 #else 2940 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2941 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2942 #endif 2943 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2944 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2945 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2946 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2947 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2948 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2949 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2950 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2951 break; 2952 case AUE_SETAUDIT_ADDR: 2953 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2954 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2955 STRUCT_SIZE(ainfo_addr))) { 2956 return; 2957 } 2958 au_uwrite(au_to_arg32((char)1, "auid", 2959 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2960 #ifdef _LP64 2961 au_uwrite(au_to_arg64((char)1, "port", 2962 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2963 #else 2964 au_uwrite(au_to_arg32((char)1, "port", 2965 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2966 #endif 2967 au_uwrite(au_to_arg32((char)1, "type", 2968 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2969 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2970 AU_IPv4) { 2971 au_uwrite(au_to_in_addr( 2972 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2973 ai_termid.at_addr))); 2974 } else { 2975 au_uwrite(au_to_in_addr_ex( 2976 (int32_t *)STRUCT_FGETP(ainfo_addr, 2977 ai_termid.at_addr))); 2978 } 2979 au_uwrite(au_to_arg32((char)1, "as_success", 2980 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2981 au_uwrite(au_to_arg32((char)1, "as_failure", 2982 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2983 au_uwrite(au_to_arg32((char)1, "asid", 2984 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2985 break; 2986 case AUE_AUDITON_SETKMASK: 2987 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2988 return; 2989 au_uwrite(au_to_arg32( 2990 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2991 au_uwrite(au_to_arg32( 2992 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2993 break; 2994 case AUE_AUDITON_SPOLICY: 2995 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2996 return; 2997 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2998 break; 2999 case AUE_AUDITON_SQCTRL: { 3000 STRUCT_DECL(au_qctrl, qctrl); 3001 model_t model; 3002 3003 model = get_udatamodel(); 3004 STRUCT_INIT(qctrl, model); 3005 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3006 return; 3007 if (model == DATAMODEL_ILP32) { 3008 au_uwrite(au_to_arg32( 3009 3, "setqctrl:aq_hiwater", 3010 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3011 au_uwrite(au_to_arg32( 3012 3, "setqctrl:aq_lowater", 3013 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3014 au_uwrite(au_to_arg32( 3015 3, "setqctrl:aq_bufsz", 3016 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3017 au_uwrite(au_to_arg32( 3018 3, "setqctrl:aq_delay", 3019 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3020 } else { 3021 au_uwrite(au_to_arg64( 3022 3, "setqctrl:aq_hiwater", 3023 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3024 au_uwrite(au_to_arg64( 3025 3, "setqctrl:aq_lowater", 3026 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3027 au_uwrite(au_to_arg64( 3028 3, "setqctrl:aq_bufsz", 3029 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3030 au_uwrite(au_to_arg64( 3031 3, "setqctrl:aq_delay", 3032 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3033 } 3034 break; 3035 } 3036 case AUE_AUDITON_SETUMASK: 3037 STRUCT_INIT(ainfo, get_udatamodel()); 3038 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3039 STRUCT_SIZE(ainfo))) { 3040 return; 3041 } 3042 au_uwrite(au_to_arg32(3, "setumask:as_success", 3043 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3044 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3045 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3046 break; 3047 case AUE_AUDITON_SETSMASK: 3048 STRUCT_INIT(ainfo, get_udatamodel()); 3049 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3050 STRUCT_SIZE(ainfo))) { 3051 return; 3052 } 3053 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3054 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3055 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3056 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3057 break; 3058 case AUE_AUDITON_SETCOND: 3059 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3060 return; 3061 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3062 break; 3063 case AUE_AUDITON_SETCLASS: 3064 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3065 return; 3066 au_uwrite(au_to_arg32( 3067 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3068 au_uwrite(au_to_arg32( 3069 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3070 break; 3071 case AUE_GETAUID: 3072 case AUE_GETAUDIT: 3073 case AUE_GETAUDIT_ADDR: 3074 case AUE_AUDIT: 3075 case AUE_AUDITON_GPOLICY: 3076 case AUE_AUDITON_GQCTRL: 3077 case AUE_AUDITON_GETKMASK: 3078 case AUE_AUDITON_GETCWD: 3079 case AUE_AUDITON_GETCAR: 3080 case AUE_AUDITON_GETSTAT: 3081 case AUE_AUDITON_SETSTAT: 3082 case AUE_AUDITON_GETCOND: 3083 case AUE_AUDITON_GETCLASS: 3084 break; 3085 default: 3086 break; 3087 } 3088 3089 } /* AUS_AUDITSYS */ 3090 3091 3092 /* only audit privileged operations for systeminfo(2) system call */ 3093 static au_event_t 3094 aui_sysinfo(au_event_t e) 3095 { 3096 klwp_t *clwp = ttolwp(curthread); 3097 uint32_t command; 3098 3099 struct a { 3100 long command; 3101 long buf; /* char * */ 3102 long count; 3103 } *uap = (struct a *)clwp->lwp_ap; 3104 3105 command = (uint32_t)uap->command; 3106 3107 switch (command) { 3108 case SI_SET_HOSTNAME: 3109 case SI_SET_SRPC_DOMAIN: 3110 e = (au_event_t)AUE_SYSINFO; 3111 break; 3112 default: 3113 e = (au_event_t)AUE_NULL; 3114 break; 3115 } 3116 return (e); 3117 } 3118 3119 /*ARGSUSED*/ 3120 static void 3121 aus_sysinfo(struct t_audit_data *tad) 3122 { 3123 klwp_t *clwp = ttolwp(curthread); 3124 uint32_t command; 3125 size_t len, maxlen; 3126 char *name; 3127 uintptr_t buf; 3128 3129 struct a { 3130 long command; 3131 long buf; /* char * */ 3132 long count; 3133 } *uap = (struct a *)clwp->lwp_ap; 3134 3135 command = (uint32_t)uap->command; 3136 buf = (uintptr_t)uap->buf; 3137 3138 au_uwrite(au_to_arg32(1, "cmd", command)); 3139 3140 switch (command) { 3141 case SI_SET_HOSTNAME: 3142 { 3143 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3144 return; 3145 3146 maxlen = SYS_NMLN; 3147 name = kmem_alloc(maxlen, KM_SLEEP); 3148 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3149 break; 3150 3151 /* 3152 * Must be non-NULL string and string 3153 * must be less than SYS_NMLN chars. 3154 */ 3155 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3156 break; 3157 3158 au_uwrite(au_to_text(name)); 3159 break; 3160 } 3161 3162 case SI_SET_SRPC_DOMAIN: 3163 { 3164 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3165 return; 3166 3167 maxlen = SYS_NMLN; 3168 name = kmem_alloc(maxlen, KM_SLEEP); 3169 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3170 break; 3171 3172 /* 3173 * If string passed in is longer than length 3174 * allowed for domain name, fail. 3175 */ 3176 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3177 break; 3178 3179 au_uwrite(au_to_text(name)); 3180 break; 3181 } 3182 3183 default: 3184 return; 3185 } 3186 3187 kmem_free(name, maxlen); 3188 } 3189 3190 static au_event_t 3191 aui_modctl(au_event_t e) 3192 { 3193 klwp_t *clwp = ttolwp(curthread); 3194 uint_t cmd; 3195 3196 struct a { 3197 long cmd; 3198 } *uap = (struct a *)clwp->lwp_ap; 3199 3200 cmd = (uint_t)uap->cmd; 3201 3202 switch (cmd) { 3203 case MODLOAD: 3204 e = AUE_MODLOAD; 3205 break; 3206 case MODUNLOAD: 3207 e = AUE_MODUNLOAD; 3208 break; 3209 case MODADDMAJBIND: 3210 e = AUE_MODADDMAJ; 3211 break; 3212 case MODSETDEVPOLICY: 3213 e = AUE_MODDEVPLCY; 3214 break; 3215 case MODALLOCPRIV: 3216 e = AUE_MODADDPRIV; 3217 break; 3218 default: 3219 e = AUE_NULL; 3220 break; 3221 } 3222 return (e); 3223 } 3224 3225 3226 /*ARGSUSED*/ 3227 static void 3228 aus_modctl(struct t_audit_data *tad) 3229 { 3230 klwp_t *clwp = ttolwp(curthread); 3231 void *a = clwp->lwp_ap; 3232 uint_t use_path; 3233 3234 switch (tad->tad_event) { 3235 case AUE_MODLOAD: { 3236 typedef struct { 3237 long cmd; 3238 long use_path; 3239 long filename; /* char * */ 3240 } modloada_t; 3241 3242 char *filenamep; 3243 uintptr_t fname; 3244 extern char *default_path; 3245 3246 fname = (uintptr_t)((modloada_t *)a)->filename; 3247 use_path = (uint_t)((modloada_t *)a)->use_path; 3248 3249 /* space to hold path */ 3250 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3251 /* get string */ 3252 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3253 /* free allocated path */ 3254 kmem_free(filenamep, MOD_MAXPATH); 3255 return; 3256 } 3257 /* ensure it's null terminated */ 3258 filenamep[MOD_MAXPATH - 1] = 0; 3259 3260 if (use_path) 3261 au_uwrite(au_to_text(default_path)); 3262 au_uwrite(au_to_text(filenamep)); 3263 3264 /* release temporary memory */ 3265 kmem_free(filenamep, MOD_MAXPATH); 3266 break; 3267 } 3268 case AUE_MODUNLOAD: { 3269 typedef struct { 3270 long cmd; 3271 long id; 3272 } modunloada_t; 3273 3274 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3275 3276 au_uwrite(au_to_arg32(1, "id", id)); 3277 break; 3278 } 3279 case AUE_MODADDMAJ: { 3280 STRUCT_DECL(modconfig, mc); 3281 typedef struct { 3282 long cmd; 3283 long subcmd; 3284 long data; /* int * */ 3285 } modconfiga_t; 3286 3287 STRUCT_DECL(aliases, alias); 3288 caddr_t ap; 3289 int i, num_aliases; 3290 char *drvname, *mc_drvname; 3291 char *name; 3292 extern char *ddi_major_to_name(major_t); 3293 model_t model; 3294 3295 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3296 3297 model = get_udatamodel(); 3298 STRUCT_INIT(mc, model); 3299 /* sanitize buffer */ 3300 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3301 /* get user arguments */ 3302 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3303 STRUCT_SIZE(mc)) != 0) 3304 return; 3305 3306 mc_drvname = STRUCT_FGET(mc, drvname); 3307 if ((drvname = ddi_major_to_name( 3308 (major_t)STRUCT_FGET(mc, major))) != NULL && 3309 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3310 /* safety */ 3311 if (mc_drvname[0] != '\0') { 3312 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3313 au_uwrite(au_to_text(mc_drvname)); 3314 } 3315 /* drvname != NULL from test above */ 3316 au_uwrite(au_to_text(drvname)); 3317 return; 3318 } 3319 3320 if (mc_drvname[0] != '\0') { 3321 /* safety */ 3322 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3323 au_uwrite(au_to_text(mc_drvname)); 3324 } else 3325 au_uwrite(au_to_text("no drvname")); 3326 3327 num_aliases = STRUCT_FGET(mc, num_aliases); 3328 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3329 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3330 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3331 STRUCT_INIT(alias, model); 3332 for (i = 0; i < num_aliases; i++) { 3333 bzero((caddr_t)STRUCT_BUF(alias), 3334 STRUCT_SIZE(alias)); 3335 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3336 STRUCT_SIZE(alias)) != 0) 3337 break; 3338 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3339 MAXMODCONFNAME, NULL) != 0) { 3340 break; 3341 } 3342 3343 au_uwrite(au_to_text(name)); 3344 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3345 } 3346 kmem_free(name, MAXMODCONFNAME); 3347 break; 3348 } 3349 default: 3350 break; 3351 } 3352 } 3353 3354 3355 /*ARGSUSED*/ 3356 static void 3357 auf_accept( 3358 struct t_audit_data *tad, 3359 int error, 3360 rval_t *rval) 3361 { 3362 uint32_t scid; 3363 uint32_t sy_flags; 3364 int fd; 3365 struct sonode *so; 3366 char so_laddr[sizeof (struct sockaddr_in6)]; 3367 char so_faddr[sizeof (struct sockaddr_in6)]; 3368 int err; 3369 short so_family, so_type; 3370 int add_sock_token = 0; 3371 3372 /* need to determine type of executing binary */ 3373 scid = tad->tad_scid; 3374 #ifdef _SYSCALL32_IMPL 3375 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3376 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3377 else 3378 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3379 #else 3380 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3381 #endif 3382 if (sy_flags == SE_32RVAL1) 3383 fd = rval->r_val1; 3384 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3385 fd = rval->r_val1; 3386 if (sy_flags == SE_64RVAL) 3387 fd = (int)rval->r_vals; 3388 3389 if (error) { 3390 /* can't trust socket contents. Just return */ 3391 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3392 return; 3393 } 3394 3395 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3396 /* 3397 * not security relevant if doing a accept from non socket 3398 * so no extra tokens. Should probably turn off audit record 3399 * generation here. 3400 */ 3401 return; 3402 } 3403 3404 so_family = so->so_family; 3405 so_type = so->so_type; 3406 3407 switch (so_family) { 3408 case AF_INET: 3409 case AF_INET6: 3410 /* 3411 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3412 */ 3413 if (so->so_type == SOCK_STREAM) { 3414 socklen_t len; 3415 3416 bzero((void *)so_laddr, sizeof (so_laddr)); 3417 bzero((void *)so_faddr, sizeof (so_faddr)); 3418 3419 len = sizeof (so_laddr); 3420 (void) socket_getsockname(so, 3421 (struct sockaddr *)so_laddr, &len, CRED()); 3422 len = sizeof (so_faddr); 3423 (void) socket_getpeername(so, 3424 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3425 3426 add_sock_token = 1; 3427 } 3428 break; 3429 3430 default: 3431 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3432 break; 3433 } 3434 3435 releasef(fd); 3436 3437 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3438 3439 if (add_sock_token == 0) { 3440 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3441 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3442 return; 3443 } 3444 3445 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3446 3447 } 3448 3449 /*ARGSUSED*/ 3450 static void 3451 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3452 { 3453 struct a { 3454 long fd; 3455 long addr; 3456 long len; 3457 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3458 3459 struct sonode *so; 3460 char so_laddr[sizeof (struct sockaddr_in6)]; 3461 char so_faddr[sizeof (struct sockaddr_in6)]; 3462 int err, fd; 3463 socklen_t len; 3464 short so_family, so_type; 3465 int add_sock_token = 0; 3466 3467 fd = (int)uap->fd; 3468 3469 /* 3470 * bind failed, then nothing extra to add to audit record. 3471 */ 3472 if (error) { 3473 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3474 /* XXX may want to add failed address some day */ 3475 return; 3476 } 3477 3478 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3479 /* 3480 * not security relevant if doing a bind from non socket 3481 * so no extra tokens. Should probably turn off audit record 3482 * generation here. 3483 */ 3484 return; 3485 } 3486 3487 so_family = so->so_family; 3488 so_type = so->so_type; 3489 3490 switch (so_family) { 3491 case AF_INET: 3492 case AF_INET6: 3493 3494 bzero(so_faddr, sizeof (so_faddr)); 3495 len = sizeof (so_faddr); 3496 3497 (void) socket_getpeername(so, 3498 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3499 add_sock_token = 1; 3500 3501 break; 3502 3503 case AF_UNIX: 3504 /* token added by lookup */ 3505 break; 3506 default: 3507 /* AF_ROUTE, AF_KEY do not support accept */ 3508 break; 3509 } 3510 3511 releasef(fd); 3512 3513 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3514 3515 if (add_sock_token == 0) { 3516 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3517 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3518 return; 3519 } 3520 3521 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3522 3523 } 3524 3525 /*ARGSUSED*/ 3526 static void 3527 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3528 { 3529 struct a { 3530 long fd; 3531 long addr; 3532 long len; 3533 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3534 3535 struct sonode *so; 3536 char so_laddr[sizeof (struct sockaddr_in6)]; 3537 char so_faddr[sizeof (struct sockaddr_in6)]; 3538 int err, fd; 3539 socklen_t len; 3540 short so_family, so_type; 3541 int add_sock_token = 0; 3542 3543 fd = (int)uap->fd; 3544 3545 3546 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3547 /* 3548 * not security relevant if doing a connect from non socket 3549 * so no extra tokens. Should probably turn off audit record 3550 * generation here. 3551 */ 3552 return; 3553 } 3554 3555 so_family = so->so_family; 3556 so_type = so->so_type; 3557 3558 switch (so_family) { 3559 case AF_INET: 3560 case AF_INET6: 3561 3562 bzero(so_laddr, sizeof (so_laddr)); 3563 bzero(so_faddr, sizeof (so_faddr)); 3564 3565 len = sizeof (so_laddr); 3566 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3567 &len, CRED()); 3568 if (error) { 3569 if (uap->addr == NULL) 3570 break; 3571 if (uap->len <= 0) 3572 break; 3573 len = min(uap->len, sizeof (so_faddr)); 3574 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3575 break; 3576 #ifdef NOTYET 3577 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3578 #endif 3579 } else { 3580 /* sanity check on length */ 3581 len = sizeof (so_faddr); 3582 (void) socket_getpeername(so, 3583 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3584 } 3585 3586 add_sock_token = 1; 3587 3588 break; 3589 3590 case AF_UNIX: 3591 /* does a lookup on name */ 3592 break; 3593 3594 default: 3595 /* AF_ROUTE, AF_KEY do not support accept */ 3596 break; 3597 } 3598 3599 releasef(fd); 3600 3601 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3602 3603 if (add_sock_token == 0) { 3604 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3605 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3606 return; 3607 } 3608 3609 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3610 3611 } 3612 3613 /*ARGSUSED*/ 3614 static void 3615 aus_shutdown(struct t_audit_data *tad) 3616 { 3617 struct a { 3618 long fd; 3619 long how; 3620 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3621 3622 struct sonode *so; 3623 char so_laddr[sizeof (struct sockaddr_in6)]; 3624 char so_faddr[sizeof (struct sockaddr_in6)]; 3625 int err, fd; 3626 socklen_t len; 3627 short so_family, so_type; 3628 int add_sock_token = 0; 3629 file_t *fp; /* unix domain sockets */ 3630 struct f_audit_data *fad; /* unix domain sockets */ 3631 3632 fd = (int)uap->fd; 3633 3634 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3635 /* 3636 * not security relevant if doing a shutdown using non socket 3637 * so no extra tokens. Should probably turn off audit record 3638 * generation here. 3639 */ 3640 return; 3641 } 3642 3643 so_family = so->so_family; 3644 so_type = so->so_type; 3645 3646 switch (so_family) { 3647 case AF_INET: 3648 case AF_INET6: 3649 3650 bzero(so_laddr, sizeof (so_laddr)); 3651 bzero(so_faddr, sizeof (so_faddr)); 3652 3653 len = sizeof (so_laddr); 3654 (void) socket_getsockname(so, 3655 (struct sockaddr *)so_laddr, &len, CRED()); 3656 len = sizeof (so_faddr); 3657 (void) socket_getpeername(so, 3658 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3659 3660 add_sock_token = 1; 3661 3662 break; 3663 3664 case AF_UNIX: 3665 3666 /* get path from file struct here */ 3667 fad = F2A(fp); 3668 ASSERT(fad); 3669 3670 if (fad->fad_aupath != NULL) { 3671 au_uwrite(au_to_path(fad->fad_aupath)); 3672 } else { 3673 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3674 } 3675 3676 audit_attributes(fp->f_vnode); 3677 3678 break; 3679 3680 default: 3681 /* 3682 * AF_KEY and AF_ROUTE support shutdown. No socket token 3683 * added. 3684 */ 3685 break; 3686 } 3687 3688 releasef(fd); 3689 3690 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3691 3692 if (add_sock_token == 0) { 3693 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3694 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3695 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3696 return; 3697 } 3698 3699 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3700 3701 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3702 3703 } 3704 3705 /*ARGSUSED*/ 3706 static void 3707 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3708 { 3709 struct a { 3710 long fd; 3711 long level; 3712 long optname; 3713 long *optval; 3714 long optlen; 3715 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3716 3717 struct sonode *so; 3718 char so_laddr[sizeof (struct sockaddr_in6)]; 3719 char so_faddr[sizeof (struct sockaddr_in6)]; 3720 char val[AU_BUFSIZE]; 3721 int err, fd; 3722 socklen_t len; 3723 short so_family, so_type; 3724 int add_sock_token = 0; 3725 file_t *fp; /* unix domain sockets */ 3726 struct f_audit_data *fad; /* unix domain sockets */ 3727 3728 fd = (int)uap->fd; 3729 3730 if (error) { 3731 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3732 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3733 /* XXX may want to include other arguments */ 3734 return; 3735 } 3736 3737 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3738 /* 3739 * not security relevant if doing a setsockopt from non socket 3740 * so no extra tokens. Should probably turn off audit record 3741 * generation here. 3742 */ 3743 return; 3744 } 3745 3746 so_family = so->so_family; 3747 so_type = so->so_type; 3748 3749 switch (so_family) { 3750 case AF_INET: 3751 case AF_INET6: 3752 bzero((void *)so_laddr, sizeof (so_laddr)); 3753 bzero((void *)so_faddr, sizeof (so_faddr)); 3754 3755 /* get local and foreign addresses */ 3756 len = sizeof (so_laddr); 3757 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3758 &len, CRED()); 3759 len = sizeof (so_faddr); 3760 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3761 &len, B_FALSE, CRED()); 3762 3763 add_sock_token = 1; 3764 3765 break; 3766 3767 case AF_UNIX: 3768 3769 /* get path from file struct here */ 3770 fad = F2A(fp); 3771 ASSERT(fad); 3772 3773 if (fad->fad_aupath != NULL) { 3774 au_uwrite(au_to_path(fad->fad_aupath)); 3775 } else { 3776 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3777 } 3778 3779 audit_attributes(fp->f_vnode); 3780 3781 break; 3782 3783 default: 3784 /* 3785 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3786 * added. 3787 */ 3788 break; 3789 } 3790 3791 releasef(fd); 3792 3793 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3794 3795 if (add_sock_token == 0) { 3796 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3797 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3798 } 3799 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3800 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3801 3802 bzero(val, sizeof (val)); 3803 len = min(uap->optlen, sizeof (val)); 3804 if ((len > 0) && 3805 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3806 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3807 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3808 } 3809 3810 if (add_sock_token == 0) 3811 return; 3812 3813 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3814 3815 } 3816 3817 /*ARGSUSED*/ 3818 static void 3819 aus_sockconfig(tad) 3820 struct t_audit_data *tad; 3821 { 3822 struct a { 3823 long domain; 3824 long type; 3825 long protocol; 3826 long devpath; 3827 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3828 3829 char *kdevpath; 3830 int kdevpathlen = MAXPATHLEN + 1; 3831 size_t size; 3832 3833 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3834 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3835 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3836 3837 if (uap->devpath == 0) { 3838 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3839 } else { 3840 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3841 3842 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3843 &size)) { 3844 kmem_free(kdevpath, kdevpathlen); 3845 return; 3846 } 3847 3848 if (size > MAXPATHLEN) { 3849 kmem_free(kdevpath, kdevpathlen); 3850 return; 3851 } 3852 3853 au_uwrite(au_to_text(kdevpath)); 3854 kmem_free(kdevpath, kdevpathlen); 3855 } 3856 } 3857 3858 /* 3859 * only audit recvmsg when the system call represents the creation of a new 3860 * circuit. This effectively occurs for all UDP packets and may occur for 3861 * special TCP situations where the local host has not set a local address 3862 * in the socket structure. 3863 */ 3864 /*ARGSUSED*/ 3865 static void 3866 auf_recvmsg( 3867 struct t_audit_data *tad, 3868 int error, 3869 rval_t *rvp) 3870 { 3871 struct a { 3872 long fd; 3873 long msg; /* struct msghdr */ 3874 long flags; 3875 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3876 3877 struct sonode *so; 3878 STRUCT_DECL(msghdr, msg); 3879 caddr_t msg_name; 3880 socklen_t msg_namelen; 3881 int fd; 3882 int err; 3883 char so_laddr[sizeof (struct sockaddr_in6)]; 3884 char so_faddr[sizeof (struct sockaddr_in6)]; 3885 socklen_t len; 3886 file_t *fp; /* unix domain sockets */ 3887 struct f_audit_data *fad; /* unix domain sockets */ 3888 short so_family, so_type; 3889 int add_sock_token = 0; 3890 au_kcontext_t *kctx = GET_KCTX_PZ; 3891 3892 fd = (int)uap->fd; 3893 3894 /* bail if an error */ 3895 if (error) { 3896 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3897 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3898 return; 3899 } 3900 3901 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3902 /* 3903 * not security relevant if doing a recvmsg from non socket 3904 * so no extra tokens. Should probably turn off audit record 3905 * generation here. 3906 */ 3907 return; 3908 } 3909 3910 so_family = so->so_family; 3911 so_type = so->so_type; 3912 3913 /* 3914 * only putout SOCKET_EX token if INET/INET6 family. 3915 * XXX - what do we do about other families? 3916 */ 3917 3918 switch (so_family) { 3919 case AF_INET: 3920 case AF_INET6: 3921 3922 /* 3923 * if datagram type socket, then just use what is in 3924 * socket structure for local address. 3925 * XXX - what do we do for other types? 3926 */ 3927 if ((so->so_type == SOCK_DGRAM) || 3928 (so->so_type == SOCK_RAW)) { 3929 add_sock_token = 1; 3930 3931 bzero((void *)so_laddr, sizeof (so_laddr)); 3932 bzero((void *)so_faddr, sizeof (so_faddr)); 3933 3934 /* get local address */ 3935 len = sizeof (so_laddr); 3936 (void) socket_getsockname(so, 3937 (struct sockaddr *)so_laddr, &len, CRED()); 3938 3939 /* get peer address */ 3940 STRUCT_INIT(msg, get_udatamodel()); 3941 3942 if (copyin((caddr_t)(uap->msg), 3943 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3944 break; 3945 } 3946 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3947 if (msg_name == NULL) { 3948 break; 3949 } 3950 3951 /* length is value from recvmsg - sanity check */ 3952 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3953 if (msg_namelen == 0) { 3954 break; 3955 } 3956 if (copyin(msg_name, so_faddr, 3957 sizeof (so_faddr)) != 0) { 3958 break; 3959 } 3960 3961 } else if (so->so_type == SOCK_STREAM) { 3962 3963 /* get path from file struct here */ 3964 fad = F2A(fp); 3965 ASSERT(fad); 3966 3967 /* 3968 * already processed this file for read attempt 3969 */ 3970 if (fad->fad_flags & FAD_READ) { 3971 /* don't want to audit every recvmsg attempt */ 3972 tad->tad_flag = 0; 3973 /* free any residual audit data */ 3974 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 3975 releasef(fd); 3976 return; 3977 } 3978 /* 3979 * mark things so we know what happened and don't 3980 * repeat things 3981 */ 3982 fad->fad_flags |= FAD_READ; 3983 3984 bzero((void *)so_laddr, sizeof (so_laddr)); 3985 bzero((void *)so_faddr, sizeof (so_faddr)); 3986 3987 /* get local and foreign addresses */ 3988 len = sizeof (so_laddr); 3989 (void) socket_getsockname(so, 3990 (struct sockaddr *)so_laddr, &len, CRED()); 3991 len = sizeof (so_faddr); 3992 (void) socket_getpeername(so, 3993 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3994 3995 add_sock_token = 1; 3996 } 3997 3998 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3999 4000 break; 4001 4002 case AF_UNIX: 4003 /* 4004 * first check if this is first time through. Too much 4005 * duplicate code to put this in an aui_ routine. 4006 */ 4007 4008 /* get path from file struct here */ 4009 fad = F2A(fp); 4010 ASSERT(fad); 4011 4012 /* 4013 * already processed this file for read attempt 4014 */ 4015 if (fad->fad_flags & FAD_READ) { 4016 releasef(fd); 4017 /* don't want to audit every recvmsg attempt */ 4018 tad->tad_flag = 0; 4019 /* free any residual audit data */ 4020 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4021 return; 4022 } 4023 /* 4024 * mark things so we know what happened and don't 4025 * repeat things 4026 */ 4027 fad->fad_flags |= FAD_READ; 4028 4029 if (fad->fad_aupath != NULL) { 4030 au_uwrite(au_to_path(fad->fad_aupath)); 4031 } else { 4032 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4033 } 4034 4035 audit_attributes(fp->f_vnode); 4036 4037 releasef(fd); 4038 4039 return; 4040 4041 default: 4042 break; 4043 4044 } 4045 4046 releasef(fd); 4047 4048 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4049 4050 if (add_sock_token == 0) { 4051 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4052 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4053 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4054 return; 4055 } 4056 4057 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4058 4059 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4060 4061 } 4062 4063 /*ARGSUSED*/ 4064 static void 4065 auf_recvfrom( 4066 struct t_audit_data *tad, 4067 int error, 4068 rval_t *rvp) 4069 { 4070 4071 struct a { 4072 long fd; 4073 long msg; /* char */ 4074 long len; 4075 long flags; 4076 long from; /* struct sockaddr */ 4077 long fromlen; 4078 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4079 4080 socklen_t fromlen; 4081 struct sonode *so; 4082 char so_laddr[sizeof (struct sockaddr_in6)]; 4083 char so_faddr[sizeof (struct sockaddr_in6)]; 4084 int fd; 4085 short so_family, so_type; 4086 int add_sock_token = 0; 4087 socklen_t len; 4088 int err; 4089 struct file *fp; 4090 struct f_audit_data *fad; /* unix domain sockets */ 4091 au_kcontext_t *kctx = GET_KCTX_PZ; 4092 4093 fd = (int)uap->fd; 4094 4095 /* bail if an error */ 4096 if (error) { 4097 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4098 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4099 return; 4100 } 4101 4102 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4103 /* 4104 * not security relevant if doing a recvmsg from non socket 4105 * so no extra tokens. Should probably turn off audit record 4106 * generation here. 4107 */ 4108 return; 4109 } 4110 4111 so_family = so->so_family; 4112 so_type = so->so_type; 4113 4114 /* 4115 * only putout SOCKET_EX token if INET/INET6 family. 4116 * XXX - what do we do about other families? 4117 */ 4118 4119 switch (so_family) { 4120 case AF_INET: 4121 case AF_INET6: 4122 4123 /* 4124 * if datagram type socket, then just use what is in 4125 * socket structure for local address. 4126 * XXX - what do we do for other types? 4127 */ 4128 if ((so->so_type == SOCK_DGRAM) || 4129 (so->so_type == SOCK_RAW)) { 4130 add_sock_token = 1; 4131 4132 /* get local address */ 4133 len = sizeof (so_laddr); 4134 (void) socket_getsockname(so, 4135 (struct sockaddr *)so_laddr, &len, CRED()); 4136 4137 /* get peer address */ 4138 bzero((void *)so_faddr, sizeof (so_faddr)); 4139 4140 /* sanity check */ 4141 if (uap->from == NULL) 4142 break; 4143 4144 /* sanity checks */ 4145 if (uap->fromlen == 0) 4146 break; 4147 4148 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4149 sizeof (fromlen)) != 0) 4150 break; 4151 4152 if (fromlen == 0) 4153 break; 4154 4155 /* enforce maximum size */ 4156 if (fromlen > sizeof (so_faddr)) 4157 fromlen = sizeof (so_faddr); 4158 4159 if (copyin((caddr_t)(uap->from), so_faddr, 4160 fromlen) != 0) 4161 break; 4162 4163 } else if (so->so_type == SOCK_STREAM) { 4164 4165 /* get path from file struct here */ 4166 fad = F2A(fp); 4167 ASSERT(fad); 4168 4169 /* 4170 * already processed this file for read attempt 4171 */ 4172 if (fad->fad_flags & FAD_READ) { 4173 /* don't want to audit every recvfrom attempt */ 4174 tad->tad_flag = 0; 4175 /* free any residual audit data */ 4176 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4177 releasef(fd); 4178 return; 4179 } 4180 /* 4181 * mark things so we know what happened and don't 4182 * repeat things 4183 */ 4184 fad->fad_flags |= FAD_READ; 4185 4186 bzero((void *)so_laddr, sizeof (so_laddr)); 4187 bzero((void *)so_faddr, sizeof (so_faddr)); 4188 4189 /* get local and foreign addresses */ 4190 len = sizeof (so_laddr); 4191 (void) socket_getsockname(so, 4192 (struct sockaddr *)so_laddr, &len, CRED()); 4193 len = sizeof (so_faddr); 4194 (void) socket_getpeername(so, 4195 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4196 4197 add_sock_token = 1; 4198 } 4199 4200 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4201 4202 break; 4203 4204 case AF_UNIX: 4205 /* 4206 * first check if this is first time through. Too much 4207 * duplicate code to put this in an aui_ routine. 4208 */ 4209 4210 /* get path from file struct here */ 4211 fad = F2A(fp); 4212 ASSERT(fad); 4213 4214 /* 4215 * already processed this file for read attempt 4216 */ 4217 if (fad->fad_flags & FAD_READ) { 4218 /* don't want to audit every recvfrom attempt */ 4219 tad->tad_flag = 0; 4220 /* free any residual audit data */ 4221 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4222 releasef(fd); 4223 return; 4224 } 4225 /* 4226 * mark things so we know what happened and don't 4227 * repeat things 4228 */ 4229 fad->fad_flags |= FAD_READ; 4230 4231 if (fad->fad_aupath != NULL) { 4232 au_uwrite(au_to_path(fad->fad_aupath)); 4233 } else { 4234 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4235 } 4236 4237 audit_attributes(fp->f_vnode); 4238 4239 releasef(fd); 4240 4241 return; 4242 4243 default: 4244 break; 4245 4246 } 4247 4248 releasef(fd); 4249 4250 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4251 4252 if (add_sock_token == 0) { 4253 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4254 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4255 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4256 return; 4257 } 4258 4259 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4260 4261 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4262 } 4263 4264 /*ARGSUSED*/ 4265 static void 4266 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4267 { 4268 struct a { 4269 long fd; 4270 long msg; /* struct msghdr */ 4271 long flags; 4272 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4273 4274 struct sonode *so; 4275 char so_laddr[sizeof (struct sockaddr_in6)]; 4276 char so_faddr[sizeof (struct sockaddr_in6)]; 4277 int err; 4278 int fd; 4279 short so_family, so_type; 4280 int add_sock_token = 0; 4281 socklen_t len; 4282 struct file *fp; 4283 struct f_audit_data *fad; 4284 caddr_t msg_name; 4285 socklen_t msg_namelen; 4286 STRUCT_DECL(msghdr, msg); 4287 au_kcontext_t *kctx = GET_KCTX_PZ; 4288 4289 fd = (int)uap->fd; 4290 4291 /* bail if an error */ 4292 if (error) { 4293 /* XXX include destination address from system call arguments */ 4294 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4295 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4296 return; 4297 } 4298 4299 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4300 /* 4301 * not security relevant if doing a sendmsg from non socket 4302 * so no extra tokens. Should probably turn off audit record 4303 * generation here. 4304 */ 4305 return; 4306 } 4307 4308 so_family = so->so_family; 4309 so_type = so->so_type; 4310 4311 switch (so_family) { 4312 case AF_INET: 4313 case AF_INET6: 4314 /* 4315 * if datagram type socket, then just use what is in 4316 * socket structure for local address. 4317 * XXX - what do we do for other types? 4318 */ 4319 if ((so->so_type == SOCK_DGRAM) || 4320 (so->so_type == SOCK_RAW)) { 4321 4322 bzero((void *)so_laddr, sizeof (so_laddr)); 4323 bzero((void *)so_faddr, sizeof (so_faddr)); 4324 4325 /* get local address */ 4326 len = sizeof (so_laddr); 4327 (void) socket_getsockname(so, 4328 (struct sockaddr *)so_laddr, &len, CRED()); 4329 4330 /* get peer address */ 4331 STRUCT_INIT(msg, get_udatamodel()); 4332 4333 if (copyin((caddr_t)(uap->msg), 4334 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4335 break; 4336 } 4337 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4338 if (msg_name == NULL) 4339 break; 4340 4341 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4342 /* length is value from recvmsg - sanity check */ 4343 if (msg_namelen == 0) 4344 break; 4345 4346 if (copyin(msg_name, so_faddr, 4347 sizeof (so_faddr)) != 0) 4348 break; 4349 4350 add_sock_token = 1; 4351 4352 } else if (so->so_type == SOCK_STREAM) { 4353 4354 /* get path from file struct here */ 4355 fad = F2A(fp); 4356 ASSERT(fad); 4357 4358 /* 4359 * already processed this file for write attempt 4360 */ 4361 if (fad->fad_flags & FAD_WRITE) { 4362 releasef(fd); 4363 /* don't want to audit every sendmsg attempt */ 4364 tad->tad_flag = 0; 4365 /* free any residual audit data */ 4366 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4367 return; 4368 } 4369 4370 /* 4371 * mark things so we know what happened and don't 4372 * repeat things 4373 */ 4374 fad->fad_flags |= FAD_WRITE; 4375 4376 bzero((void *)so_laddr, sizeof (so_laddr)); 4377 bzero((void *)so_faddr, sizeof (so_faddr)); 4378 4379 /* get local and foreign addresses */ 4380 len = sizeof (so_laddr); 4381 (void) socket_getsockname(so, 4382 (struct sockaddr *)so_laddr, &len, CRED()); 4383 len = sizeof (so_faddr); 4384 (void) socket_getpeername(so, 4385 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4386 4387 add_sock_token = 1; 4388 } 4389 4390 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4391 4392 break; 4393 4394 case AF_UNIX: 4395 /* 4396 * first check if this is first time through. Too much 4397 * duplicate code to put this in an aui_ routine. 4398 */ 4399 4400 /* get path from file struct here */ 4401 fad = F2A(fp); 4402 ASSERT(fad); 4403 4404 /* 4405 * already processed this file for write attempt 4406 */ 4407 if (fad->fad_flags & FAD_WRITE) { 4408 releasef(fd); 4409 /* don't want to audit every sendmsg attempt */ 4410 tad->tad_flag = 0; 4411 /* free any residual audit data */ 4412 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4413 return; 4414 } 4415 /* 4416 * mark things so we know what happened and don't 4417 * repeat things 4418 */ 4419 fad->fad_flags |= FAD_WRITE; 4420 4421 if (fad->fad_aupath != NULL) { 4422 au_uwrite(au_to_path(fad->fad_aupath)); 4423 } else { 4424 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4425 } 4426 4427 audit_attributes(fp->f_vnode); 4428 4429 releasef(fd); 4430 4431 return; 4432 4433 default: 4434 break; 4435 } 4436 4437 releasef(fd); 4438 4439 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4440 4441 if (add_sock_token == 0) { 4442 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4443 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4444 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4445 return; 4446 } 4447 4448 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4449 4450 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4451 } 4452 4453 /*ARGSUSED*/ 4454 static void 4455 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4456 { 4457 struct a { 4458 long fd; 4459 long msg; /* char */ 4460 long len; 4461 long flags; 4462 long to; /* struct sockaddr */ 4463 long tolen; 4464 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4465 4466 struct sonode *so; 4467 char so_laddr[sizeof (struct sockaddr_in6)]; 4468 char so_faddr[sizeof (struct sockaddr_in6)]; 4469 socklen_t tolen; 4470 int err; 4471 int fd; 4472 socklen_t len; 4473 short so_family, so_type; 4474 int add_sock_token = 0; 4475 struct file *fp; 4476 struct f_audit_data *fad; 4477 au_kcontext_t *kctx = GET_KCTX_PZ; 4478 4479 fd = (int)uap->fd; 4480 4481 /* bail if an error */ 4482 if (error) { 4483 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4484 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4485 /* XXX include destination address from system call arguments */ 4486 return; 4487 } 4488 4489 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4490 /* 4491 * not security relevant if doing a sendto using non socket 4492 * so no extra tokens. Should probably turn off audit record 4493 * generation here. 4494 */ 4495 return; 4496 } 4497 4498 so_family = so->so_family; 4499 so_type = so->so_type; 4500 4501 /* 4502 * only putout SOCKET_EX token if INET/INET6 family. 4503 * XXX - what do we do about other families? 4504 */ 4505 4506 switch (so_family) { 4507 case AF_INET: 4508 case AF_INET6: 4509 4510 /* 4511 * if datagram type socket, then just use what is in 4512 * socket structure for local address. 4513 * XXX - what do we do for other types? 4514 */ 4515 if ((so->so_type == SOCK_DGRAM) || 4516 (so->so_type == SOCK_RAW)) { 4517 4518 bzero((void *)so_laddr, sizeof (so_laddr)); 4519 bzero((void *)so_faddr, sizeof (so_faddr)); 4520 4521 /* get local address */ 4522 len = sizeof (so_laddr); 4523 (void) socket_getsockname(so, 4524 (struct sockaddr *)so_laddr, &len, CRED()); 4525 4526 /* get peer address */ 4527 4528 /* sanity check */ 4529 if (uap->to == NULL) 4530 break; 4531 4532 /* sanity checks */ 4533 if (uap->tolen == 0) 4534 break; 4535 4536 tolen = (socklen_t)uap->tolen; 4537 4538 /* enforce maximum size */ 4539 if (tolen > sizeof (so_faddr)) 4540 tolen = sizeof (so_faddr); 4541 4542 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4543 break; 4544 4545 add_sock_token = 1; 4546 } else { 4547 /* 4548 * check if this is first time through. 4549 */ 4550 4551 /* get path from file struct here */ 4552 fad = F2A(fp); 4553 ASSERT(fad); 4554 4555 /* 4556 * already processed this file for write attempt 4557 */ 4558 if (fad->fad_flags & FAD_WRITE) { 4559 /* don't want to audit every sendto attempt */ 4560 tad->tad_flag = 0; 4561 /* free any residual audit data */ 4562 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4563 releasef(fd); 4564 return; 4565 } 4566 /* 4567 * mark things so we know what happened and don't 4568 * repeat things 4569 */ 4570 fad->fad_flags |= FAD_WRITE; 4571 4572 bzero((void *)so_laddr, sizeof (so_laddr)); 4573 bzero((void *)so_faddr, sizeof (so_faddr)); 4574 4575 /* get local and foreign addresses */ 4576 len = sizeof (so_laddr); 4577 (void) socket_getsockname(so, 4578 (struct sockaddr *)so_laddr, &len, CRED()); 4579 len = sizeof (so_faddr); 4580 (void) socket_getpeername(so, 4581 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4582 4583 add_sock_token = 1; 4584 } 4585 4586 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4587 4588 break; 4589 4590 case AF_UNIX: 4591 /* 4592 * first check if this is first time through. Too much 4593 * duplicate code to put this in an aui_ routine. 4594 */ 4595 4596 /* get path from file struct here */ 4597 fad = F2A(fp); 4598 ASSERT(fad); 4599 4600 /* 4601 * already processed this file for write attempt 4602 */ 4603 if (fad->fad_flags & FAD_WRITE) { 4604 /* don't want to audit every sendto attempt */ 4605 tad->tad_flag = 0; 4606 /* free any residual audit data */ 4607 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4608 releasef(fd); 4609 return; 4610 } 4611 /* 4612 * mark things so we know what happened and don't 4613 * repeat things 4614 */ 4615 fad->fad_flags |= FAD_WRITE; 4616 4617 if (fad->fad_aupath != NULL) { 4618 au_uwrite(au_to_path(fad->fad_aupath)); 4619 } else { 4620 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4621 } 4622 4623 audit_attributes(fp->f_vnode); 4624 4625 releasef(fd); 4626 4627 return; 4628 4629 default: 4630 break; 4631 4632 } 4633 4634 releasef(fd); 4635 4636 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4637 4638 if (add_sock_token == 0) { 4639 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4640 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4641 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4642 return; 4643 } 4644 4645 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4646 4647 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4648 4649 } 4650 4651 /* 4652 * XXX socket(2) may be equivalent to open(2) on a unix domain 4653 * socket. This needs investigation. 4654 */ 4655 4656 /*ARGSUSED*/ 4657 static void 4658 aus_socket(struct t_audit_data *tad) 4659 { 4660 struct a { 4661 long domain; 4662 long type; 4663 long protocol; 4664 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4665 4666 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4667 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4668 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4669 } 4670 4671 /*ARGSUSED*/ 4672 static void 4673 aus_sigqueue(struct t_audit_data *tad) 4674 { 4675 struct a { 4676 long pid; 4677 long signo; 4678 long *val; 4679 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4680 struct proc *p; 4681 uid_t uid, ruid; 4682 gid_t gid, rgid; 4683 pid_t pid; 4684 const auditinfo_addr_t *ainfo; 4685 cred_t *cr; 4686 4687 pid = (pid_t)uap->pid; 4688 4689 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4690 if (pid > 0) { 4691 mutex_enter(&pidlock); 4692 if ((p = prfind(pid)) == (struct proc *)0) { 4693 mutex_exit(&pidlock); 4694 return; 4695 } 4696 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4697 mutex_exit(&pidlock); 4698 4699 mutex_enter(&p->p_crlock); 4700 crhold(cr = p->p_cred); 4701 mutex_exit(&p->p_crlock); 4702 mutex_exit(&p->p_lock); 4703 4704 ainfo = crgetauinfo(cr); 4705 if (ainfo == NULL) { 4706 crfree(cr); 4707 return; 4708 } 4709 4710 uid = crgetuid(cr); 4711 gid = crgetgid(cr); 4712 ruid = crgetruid(cr); 4713 rgid = crgetrgid(cr); 4714 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4715 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4716 crfree(cr); 4717 } 4718 else 4719 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4720 } 4721 4722 /*ARGSUSED*/ 4723 static void 4724 aus_inst_sync(struct t_audit_data *tad) 4725 { 4726 struct a { 4727 long name; /* char */ 4728 long flags; 4729 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4730 4731 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4732 } 4733 4734 /*ARGSUSED*/ 4735 static void 4736 aus_brandsys(struct t_audit_data *tad) 4737 { 4738 klwp_t *clwp = ttolwp(curthread); 4739 4740 struct a { 4741 long cmd; 4742 long arg1; 4743 long arg2; 4744 long arg3; 4745 long arg4; 4746 long arg5; 4747 long arg6; 4748 } *uap = (struct a *)clwp->lwp_ap; 4749 4750 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4751 #ifdef _LP64 4752 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4753 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4754 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4755 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4756 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4757 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4758 #else 4759 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4760 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4761 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4762 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4763 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4764 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4765 #endif 4766 } 4767 4768 /*ARGSUSED*/ 4769 static void 4770 aus_p_online(struct t_audit_data *tad) 4771 { 4772 struct a { 4773 long processor_id; 4774 long flag; 4775 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4776 4777 struct flags { 4778 int flag; 4779 char *cflag; 4780 } aflags[6] = { 4781 { P_ONLINE, "P_ONLINE"}, 4782 { P_OFFLINE, "P_OFFLINE"}, 4783 { P_NOINTR, "P_NOINTR"}, 4784 { P_SPARE, "P_SPARE"}, 4785 { P_FAULTED, "P_FAULTED"}, 4786 { P_STATUS, "P_STATUS"} 4787 }; 4788 int i; 4789 char *cflag; 4790 4791 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4792 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4793 4794 for (i = 0; i < 6; i++) { 4795 if (aflags[i].flag == uap->flag) 4796 break; 4797 } 4798 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4799 4800 au_uwrite(au_to_text(cflag)); 4801 } 4802 4803 /*ARGSUSED*/ 4804 static void 4805 aus_processor_bind(struct t_audit_data *tad) 4806 { 4807 struct a { 4808 long id_type; 4809 long id; 4810 long processor_id; 4811 long obind; 4812 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4813 4814 struct proc *p; 4815 int lwpcnt; 4816 uid_t uid, ruid; 4817 gid_t gid, rgid; 4818 pid_t pid; 4819 const auditinfo_addr_t *ainfo; 4820 cred_t *cr; 4821 4822 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4823 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4824 if (uap->processor_id == PBIND_NONE) 4825 au_uwrite(au_to_text("PBIND_NONE")); 4826 else 4827 au_uwrite(au_to_arg32(3, "processor_id", 4828 (uint32_t)uap->processor_id)); 4829 4830 switch (uap->id_type) { 4831 case P_MYID: 4832 case P_LWPID: 4833 mutex_enter(&pidlock); 4834 p = ttoproc(curthread); 4835 if (p == NULL || p->p_as == &kas) { 4836 mutex_exit(&pidlock); 4837 return; 4838 } 4839 mutex_enter(&p->p_lock); 4840 mutex_exit(&pidlock); 4841 lwpcnt = p->p_lwpcnt; 4842 pid = p->p_pid; 4843 4844 mutex_enter(&p->p_crlock); 4845 crhold(cr = p->p_cred); 4846 mutex_exit(&p->p_crlock); 4847 mutex_exit(&p->p_lock); 4848 4849 ainfo = crgetauinfo(cr); 4850 if (ainfo == NULL) { 4851 crfree(cr); 4852 return; 4853 } 4854 4855 uid = crgetuid(cr); 4856 gid = crgetgid(cr); 4857 ruid = crgetruid(cr); 4858 rgid = crgetrgid(cr); 4859 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4860 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4861 crfree(cr); 4862 break; 4863 case P_PID: 4864 mutex_enter(&pidlock); 4865 p = prfind(uap->id); 4866 if (p == NULL || p->p_as == &kas) { 4867 mutex_exit(&pidlock); 4868 return; 4869 } 4870 mutex_enter(&p->p_lock); 4871 mutex_exit(&pidlock); 4872 lwpcnt = p->p_lwpcnt; 4873 pid = p->p_pid; 4874 4875 mutex_enter(&p->p_crlock); 4876 crhold(cr = p->p_cred); 4877 mutex_exit(&p->p_crlock); 4878 mutex_exit(&p->p_lock); 4879 4880 ainfo = crgetauinfo(cr); 4881 if (ainfo == NULL) { 4882 crfree(cr); 4883 return; 4884 } 4885 4886 uid = crgetuid(cr); 4887 gid = crgetgid(cr); 4888 ruid = crgetruid(cr); 4889 rgid = crgetrgid(cr); 4890 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4891 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4892 crfree(cr); 4893 4894 break; 4895 default: 4896 return; 4897 } 4898 4899 if (uap->processor_id == PBIND_NONE && 4900 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4901 au_uwrite(au_to_text("PBIND_NONE for process")); 4902 else 4903 au_uwrite(au_to_arg32(3, "processor_id", 4904 (uint32_t)uap->processor_id)); 4905 } 4906 4907 /*ARGSUSED*/ 4908 static au_event_t 4909 aui_doorfs(au_event_t e) 4910 { 4911 uint32_t code; 4912 4913 struct a { /* doorfs */ 4914 long a1; 4915 long a2; 4916 long a3; 4917 long a4; 4918 long a5; 4919 long code; 4920 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4921 4922 /* 4923 * audit formats for several of the 4924 * door calls have not yet been determined 4925 */ 4926 code = (uint32_t)uap->code; 4927 switch (code) { 4928 case DOOR_CALL: 4929 e = AUE_DOORFS_DOOR_CALL; 4930 break; 4931 case DOOR_RETURN: 4932 e = AUE_NULL; 4933 break; 4934 case DOOR_CREATE: 4935 e = AUE_DOORFS_DOOR_CREATE; 4936 break; 4937 case DOOR_REVOKE: 4938 e = AUE_DOORFS_DOOR_REVOKE; 4939 break; 4940 case DOOR_INFO: 4941 e = AUE_NULL; 4942 break; 4943 case DOOR_UCRED: 4944 e = AUE_NULL; 4945 break; 4946 case DOOR_BIND: 4947 e = AUE_NULL; 4948 break; 4949 case DOOR_UNBIND: 4950 e = AUE_NULL; 4951 break; 4952 case DOOR_GETPARAM: 4953 e = AUE_NULL; 4954 break; 4955 case DOOR_SETPARAM: 4956 e = AUE_NULL; 4957 break; 4958 default: /* illegal system call */ 4959 e = AUE_NULL; 4960 break; 4961 } 4962 4963 return (e); 4964 } 4965 4966 static door_node_t * 4967 au_door_lookup(int did) 4968 { 4969 vnode_t *vp; 4970 file_t *fp; 4971 4972 if ((fp = getf(did)) == NULL) 4973 return (NULL); 4974 /* 4975 * Use the underlying vnode (we may be namefs mounted) 4976 */ 4977 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4978 vp = fp->f_vnode; 4979 4980 if (vp == NULL || vp->v_type != VDOOR) { 4981 releasef(did); 4982 return (NULL); 4983 } 4984 4985 return (VTOD(vp)); 4986 } 4987 4988 /*ARGSUSED*/ 4989 static void 4990 aus_doorfs(struct t_audit_data *tad) 4991 { 4992 4993 struct a { /* doorfs */ 4994 long a1; 4995 long a2; 4996 long a3; 4997 long a4; 4998 long a5; 4999 long code; 5000 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5001 5002 door_node_t *dp; 5003 struct proc *p; 5004 uint32_t did; 5005 uid_t uid, ruid; 5006 gid_t gid, rgid; 5007 pid_t pid; 5008 const auditinfo_addr_t *ainfo; 5009 cred_t *cr; 5010 5011 did = (uint32_t)uap->a1; 5012 5013 switch (tad->tad_event) { 5014 case AUE_DOORFS_DOOR_CALL: 5015 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5016 if ((dp = au_door_lookup(did)) == NULL) 5017 break; 5018 5019 if (DOOR_INVALID(dp)) { 5020 releasef(did); 5021 break; 5022 } 5023 5024 if ((p = dp->door_target) == NULL) { 5025 releasef(did); 5026 break; 5027 } 5028 mutex_enter(&p->p_lock); 5029 releasef(did); 5030 5031 pid = p->p_pid; 5032 5033 mutex_enter(&p->p_crlock); 5034 crhold(cr = p->p_cred); 5035 mutex_exit(&p->p_crlock); 5036 mutex_exit(&p->p_lock); 5037 5038 ainfo = crgetauinfo(cr); 5039 if (ainfo == NULL) { 5040 crfree(cr); 5041 return; 5042 } 5043 uid = crgetuid(cr); 5044 gid = crgetgid(cr); 5045 ruid = crgetruid(cr); 5046 rgid = crgetrgid(cr); 5047 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5048 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5049 crfree(cr); 5050 break; 5051 case AUE_DOORFS_DOOR_RETURN: 5052 /* 5053 * We may want to write information about 5054 * all doors (if any) which will be copied 5055 * by this call to the user space 5056 */ 5057 break; 5058 case AUE_DOORFS_DOOR_CREATE: 5059 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5060 break; 5061 case AUE_DOORFS_DOOR_REVOKE: 5062 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5063 break; 5064 case AUE_DOORFS_DOOR_INFO: 5065 break; 5066 case AUE_DOORFS_DOOR_CRED: 5067 break; 5068 case AUE_DOORFS_DOOR_BIND: 5069 break; 5070 case AUE_DOORFS_DOOR_UNBIND: { 5071 break; 5072 } 5073 default: /* illegal system call */ 5074 break; 5075 } 5076 } 5077 5078 /*ARGSUSED*/ 5079 static au_event_t 5080 aui_acl(au_event_t e) 5081 { 5082 struct a { 5083 union { 5084 long name; /* char */ 5085 long fd; 5086 } obj; 5087 5088 long cmd; 5089 long nentries; 5090 long arg; /* aclent_t */ 5091 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5092 5093 switch (uap->cmd) { 5094 case SETACL: 5095 case ACE_SETACL: 5096 /* 5097 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5098 * are expected. 5099 */ 5100 break; 5101 case GETACL: 5102 case GETACLCNT: 5103 case ACE_GETACL: 5104 case ACE_GETACLCNT: 5105 /* do nothing for these four values. */ 5106 e = AUE_NULL; 5107 break; 5108 default: 5109 /* illegal system call */ 5110 break; 5111 } 5112 5113 return (e); 5114 } 5115 5116 static void 5117 au_acl(int cmd, int nentries, caddr_t bufp) 5118 { 5119 size_t a_size; 5120 aclent_t *aclbufp; 5121 ace_t *acebufp; 5122 int i; 5123 5124 switch (cmd) { 5125 case GETACL: 5126 case GETACLCNT: 5127 break; 5128 case SETACL: 5129 if (nentries < 3) 5130 break; 5131 5132 a_size = nentries * sizeof (aclent_t); 5133 5134 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5135 break; 5136 if (copyin(bufp, aclbufp, a_size)) { 5137 kmem_free(aclbufp, a_size); 5138 break; 5139 } 5140 for (i = 0; i < nentries; i++) { 5141 au_uwrite(au_to_acl(aclbufp + i)); 5142 } 5143 kmem_free(aclbufp, a_size); 5144 break; 5145 5146 case ACE_SETACL: 5147 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5148 break; 5149 5150 a_size = nentries * sizeof (ace_t); 5151 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5152 break; 5153 if (copyin(bufp, acebufp, a_size)) { 5154 kmem_free(acebufp, a_size); 5155 break; 5156 } 5157 for (i = 0; i < nentries; i++) { 5158 au_uwrite(au_to_ace(acebufp + i)); 5159 } 5160 kmem_free(acebufp, a_size); 5161 break; 5162 default: 5163 break; 5164 } 5165 } 5166 5167 /*ARGSUSED*/ 5168 static void 5169 aus_acl(struct t_audit_data *tad) 5170 { 5171 struct a { 5172 long fname; 5173 long cmd; 5174 long nentries; 5175 long aclbufp; 5176 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5177 5178 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5179 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5180 5181 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5182 } 5183 5184 /*ARGSUSED*/ 5185 static void 5186 aus_facl(struct t_audit_data *tad) 5187 { 5188 struct a { 5189 long fd; 5190 long cmd; 5191 long nentries; 5192 long aclbufp; 5193 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5194 struct file *fp; 5195 struct vnode *vp; 5196 struct f_audit_data *fad; 5197 int fd; 5198 5199 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5200 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5201 5202 fd = (int)uap->fd; 5203 5204 if ((fp = getf(fd)) == NULL) 5205 return; 5206 5207 /* get path from file struct here */ 5208 fad = F2A(fp); 5209 if (fad->fad_aupath != NULL) { 5210 au_uwrite(au_to_path(fad->fad_aupath)); 5211 } else { 5212 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5213 } 5214 5215 vp = fp->f_vnode; 5216 audit_attributes(vp); 5217 5218 /* decrement file descriptor reference count */ 5219 releasef(fd); 5220 5221 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5222 } 5223 5224 /*ARGSUSED*/ 5225 static void 5226 auf_read(tad, error, rval) 5227 struct t_audit_data *tad; 5228 int error; 5229 rval_t *rval; 5230 { 5231 struct file *fp; 5232 struct f_audit_data *fad; 5233 int fd; 5234 register struct a { 5235 long fd; 5236 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5237 au_kcontext_t *kctx = GET_KCTX_PZ; 5238 5239 fd = (int)uap->fd; 5240 5241 /* 5242 * convert file pointer to file descriptor 5243 * Note: fd ref count incremented here. 5244 */ 5245 if ((fp = getf(fd)) == NULL) 5246 return; 5247 5248 /* get path from file struct here */ 5249 fad = F2A(fp); 5250 ASSERT(fad); 5251 5252 /* 5253 * already processed this file for read attempt 5254 * 5255 * XXX might be better to turn off auditing in a aui_read() routine. 5256 */ 5257 if (fad->fad_flags & FAD_READ) { 5258 /* don't really want to audit every read attempt */ 5259 tad->tad_flag = 0; 5260 /* free any residual audit data */ 5261 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5262 releasef(fd); 5263 return; 5264 } 5265 /* mark things so we know what happened and don't repeat things */ 5266 fad->fad_flags |= FAD_READ; 5267 5268 if (fad->fad_aupath != NULL) { 5269 au_uwrite(au_to_path(fad->fad_aupath)); 5270 } else { 5271 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5272 } 5273 5274 /* include attributes */ 5275 audit_attributes(fp->f_vnode); 5276 5277 /* decrement file descriptor reference count */ 5278 releasef(fd); 5279 } 5280 5281 /*ARGSUSED*/ 5282 static void 5283 auf_write(tad, error, rval) 5284 struct t_audit_data *tad; 5285 int error; 5286 rval_t *rval; 5287 { 5288 struct file *fp; 5289 struct f_audit_data *fad; 5290 int fd; 5291 register struct a { 5292 long fd; 5293 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5294 au_kcontext_t *kctx = GET_KCTX_PZ; 5295 5296 fd = (int)uap->fd; 5297 5298 /* 5299 * convert file pointer to file descriptor 5300 * Note: fd ref count incremented here. 5301 */ 5302 if ((fp = getf(fd)) == NULL) 5303 return; 5304 5305 /* get path from file struct here */ 5306 fad = F2A(fp); 5307 ASSERT(fad); 5308 5309 /* 5310 * already processed this file for write attempt 5311 * 5312 * XXX might be better to turn off auditing in a aus_write() routine. 5313 */ 5314 if (fad->fad_flags & FAD_WRITE) { 5315 /* don't really want to audit every write attempt */ 5316 tad->tad_flag = 0; 5317 /* free any residual audit data */ 5318 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5319 releasef(fd); 5320 return; 5321 } 5322 /* mark things so we know what happened and don't repeat things */ 5323 fad->fad_flags |= FAD_WRITE; 5324 5325 if (fad->fad_aupath != NULL) { 5326 au_uwrite(au_to_path(fad->fad_aupath)); 5327 } else { 5328 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5329 } 5330 5331 /* include attributes */ 5332 audit_attributes(fp->f_vnode); 5333 5334 /* decrement file descriptor reference count */ 5335 releasef(fd); 5336 } 5337 5338 /*ARGSUSED*/ 5339 static void 5340 auf_recv(tad, error, rval) 5341 struct t_audit_data *tad; 5342 int error; 5343 rval_t *rval; 5344 { 5345 struct sonode *so; 5346 char so_laddr[sizeof (struct sockaddr_in6)]; 5347 char so_faddr[sizeof (struct sockaddr_in6)]; 5348 struct file *fp; 5349 struct f_audit_data *fad; 5350 int fd; 5351 int err; 5352 socklen_t len; 5353 short so_family, so_type; 5354 register struct a { 5355 long fd; 5356 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5357 au_kcontext_t *kctx = GET_KCTX_PZ; 5358 5359 /* 5360 * If there was an error, then nothing to do. Only generate 5361 * audit record on first successful recv. 5362 */ 5363 if (error) { 5364 /* Turn off audit record generation here. */ 5365 tad->tad_flag = 0; 5366 /* free any residual audit data */ 5367 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5368 return; 5369 } 5370 5371 fd = (int)uap->fd; 5372 5373 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5374 /* Turn off audit record generation here. */ 5375 tad->tad_flag = 0; 5376 /* free any residual audit data */ 5377 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5378 return; 5379 } 5380 5381 /* get path from file struct here */ 5382 fad = F2A(fp); 5383 ASSERT(fad); 5384 5385 /* 5386 * already processed this file for read attempt 5387 */ 5388 if (fad->fad_flags & FAD_READ) { 5389 releasef(fd); 5390 /* don't really want to audit every recv call */ 5391 tad->tad_flag = 0; 5392 /* free any residual audit data */ 5393 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5394 return; 5395 } 5396 5397 /* mark things so we know what happened and don't repeat things */ 5398 fad->fad_flags |= FAD_READ; 5399 5400 so_family = so->so_family; 5401 so_type = so->so_type; 5402 5403 switch (so_family) { 5404 case AF_INET: 5405 case AF_INET6: 5406 /* 5407 * Only for connections. 5408 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5409 */ 5410 if (so->so_state & SS_ISBOUND) { 5411 5412 bzero((void *)so_laddr, sizeof (so_laddr)); 5413 bzero((void *)so_faddr, sizeof (so_faddr)); 5414 5415 /* get local and foreign addresses */ 5416 len = sizeof (so_laddr); 5417 (void) socket_getsockname(so, 5418 (struct sockaddr *)so_laddr, &len, CRED()); 5419 len = sizeof (so_faddr); 5420 (void) socket_getpeername(so, 5421 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5422 5423 /* 5424 * only way to drop out of switch. Note that we 5425 * we release fd below. 5426 */ 5427 5428 break; 5429 } 5430 5431 releasef(fd); 5432 5433 /* don't really want to audit every recv call */ 5434 tad->tad_flag = 0; 5435 /* free any residual audit data */ 5436 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5437 5438 return; 5439 5440 case AF_UNIX: 5441 5442 if (fad->fad_aupath != NULL) { 5443 au_uwrite(au_to_path(fad->fad_aupath)); 5444 } else { 5445 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5446 } 5447 5448 audit_attributes(fp->f_vnode); 5449 5450 releasef(fd); 5451 5452 return; 5453 5454 default: 5455 releasef(fd); 5456 5457 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5458 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5459 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5460 5461 return; 5462 } 5463 5464 releasef(fd); 5465 5466 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5467 5468 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5469 5470 } 5471 5472 /*ARGSUSED*/ 5473 static void 5474 auf_send(tad, error, rval) 5475 struct t_audit_data *tad; 5476 int error; 5477 rval_t *rval; 5478 { 5479 struct sonode *so; 5480 char so_laddr[sizeof (struct sockaddr_in6)]; 5481 char so_faddr[sizeof (struct sockaddr_in6)]; 5482 struct file *fp; 5483 struct f_audit_data *fad; 5484 int fd; 5485 int err; 5486 socklen_t len; 5487 short so_family, so_type; 5488 register struct a { 5489 long fd; 5490 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5491 au_kcontext_t *kctx = GET_KCTX_PZ; 5492 5493 fd = (int)uap->fd; 5494 5495 /* 5496 * If there was an error, then nothing to do. Only generate 5497 * audit record on first successful send. 5498 */ 5499 if (error != 0) { 5500 /* Turn off audit record generation here. */ 5501 tad->tad_flag = 0; 5502 /* free any residual audit data */ 5503 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5504 return; 5505 } 5506 5507 fd = (int)uap->fd; 5508 5509 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5510 /* Turn off audit record generation here. */ 5511 tad->tad_flag = 0; 5512 /* free any residual audit data */ 5513 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5514 return; 5515 } 5516 5517 /* get path from file struct here */ 5518 fad = F2A(fp); 5519 ASSERT(fad); 5520 5521 /* 5522 * already processed this file for write attempt 5523 */ 5524 if (fad->fad_flags & FAD_WRITE) { 5525 releasef(fd); 5526 /* don't really want to audit every send call */ 5527 tad->tad_flag = 0; 5528 /* free any residual audit data */ 5529 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5530 return; 5531 } 5532 5533 /* mark things so we know what happened and don't repeat things */ 5534 fad->fad_flags |= FAD_WRITE; 5535 5536 so_family = so->so_family; 5537 so_type = so->so_type; 5538 5539 switch (so_family) { 5540 case AF_INET: 5541 case AF_INET6: 5542 /* 5543 * Only for connections. 5544 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5545 */ 5546 if (so->so_state & SS_ISBOUND) { 5547 5548 bzero((void *)so_laddr, sizeof (so_laddr)); 5549 bzero((void *)so_faddr, sizeof (so_faddr)); 5550 5551 /* get local and foreign addresses */ 5552 len = sizeof (so_laddr); 5553 (void) socket_getsockname(so, 5554 (struct sockaddr *)so_laddr, &len, CRED()); 5555 len = sizeof (so_faddr); 5556 (void) socket_getpeername(so, 5557 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5558 5559 /* 5560 * only way to drop out of switch. Note that we 5561 * we release fd below. 5562 */ 5563 5564 break; 5565 } 5566 5567 releasef(fd); 5568 /* don't really want to audit every send call */ 5569 tad->tad_flag = 0; 5570 /* free any residual audit data */ 5571 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5572 5573 return; 5574 5575 case AF_UNIX: 5576 5577 if (fad->fad_aupath != NULL) { 5578 au_uwrite(au_to_path(fad->fad_aupath)); 5579 } else { 5580 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5581 } 5582 5583 audit_attributes(fp->f_vnode); 5584 5585 releasef(fd); 5586 5587 return; 5588 5589 default: 5590 releasef(fd); 5591 5592 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5593 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5594 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5595 5596 return; 5597 } 5598 5599 releasef(fd); 5600 5601 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5602 5603 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5604 } 5605 5606 static au_event_t 5607 aui_forksys(au_event_t e) 5608 { 5609 struct a { 5610 long subcode; 5611 long flags; 5612 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5613 5614 switch ((uint_t)uap->subcode) { 5615 case 0: 5616 e = AUE_FORK1; 5617 break; 5618 case 1: 5619 e = AUE_FORKALL; 5620 break; 5621 case 2: 5622 e = AUE_VFORK; 5623 break; 5624 default: 5625 e = AUE_NULL; 5626 break; 5627 } 5628 5629 return (e); 5630 } 5631 5632 /*ARGSUSED*/ 5633 static au_event_t 5634 aui_portfs(au_event_t e) 5635 { 5636 struct a { /* portfs */ 5637 long a1; 5638 long a2; 5639 long a3; 5640 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5641 5642 /* 5643 * check opcode 5644 */ 5645 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5646 case PORT_ASSOCIATE: 5647 /* check source */ 5648 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5649 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5650 e = AUE_PORTFS_ASSOCIATE; 5651 } else { 5652 e = AUE_NULL; 5653 } 5654 break; 5655 case PORT_DISSOCIATE: 5656 /* check source */ 5657 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5658 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5659 e = AUE_PORTFS_DISSOCIATE; 5660 } else { 5661 e = AUE_NULL; 5662 } 5663 break; 5664 default: 5665 e = AUE_NULL; 5666 } 5667 return (e); 5668 } 5669