1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. 
*/ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 static au_event_t aui_fchownat(au_event_t); 82 static au_event_t aui_fchmodat(au_event_t); 83 static au_event_t aui_open(au_event_t); 84 static au_event_t aui_openat(au_event_t); 85 static au_event_t aui_unlinkat(au_event_t); 86 static au_event_t aui_fstatat(au_event_t); 87 static au_event_t aui_msgsys(au_event_t); 88 static au_event_t aui_shmsys(au_event_t); 89 static au_event_t aui_semsys(au_event_t); 90 static au_event_t aui_utssys(au_event_t); 91 static au_event_t aui_fcntl(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t 
aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 static au_event_t aui_setpgrp(au_event_t); 104 105 static void aus_exit(struct t_audit_data *); 106 static void aus_open(struct t_audit_data *); 107 static void aus_openat(struct t_audit_data *); 108 static void aus_acl(struct t_audit_data *); 109 static void aus_acct(struct t_audit_data *); 110 static void aus_chown(struct t_audit_data *); 111 static void aus_fchown(struct t_audit_data *); 112 static void aus_lchown(struct t_audit_data *); 113 static void aus_fchownat(struct t_audit_data *); 114 static void aus_chmod(struct t_audit_data *); 115 static void aus_facl(struct t_audit_data *); 116 static void aus_fchmod(struct t_audit_data *); 117 static void aus_fchmodat(struct t_audit_data *); 118 static void aus_fcntl(struct t_audit_data *); 119 static void aus_mkdir(struct t_audit_data *); 120 static void aus_mkdirat(struct t_audit_data *); 121 static void aus_mknod(struct t_audit_data *); 122 static void aus_mknodat(struct t_audit_data *); 123 static void aus_mount(struct t_audit_data *); 124 static void aus_umount2(struct t_audit_data *); 125 static void aus_msgsys(struct t_audit_data *); 126 static void aus_semsys(struct t_audit_data *); 127 static void aus_close(struct t_audit_data *); 128 static void aus_fstatfs(struct t_audit_data *); 129 static void aus_setgid(struct t_audit_data *); 130 static void aus_setpgrp(struct t_audit_data *); 131 static void aus_setuid(struct t_audit_data *); 132 static void aus_shmsys(struct t_audit_data *); 133 static void aus_doorfs(struct t_audit_data *); 134 static void aus_ioctl(struct t_audit_data *); 135 static void aus_memcntl(struct t_audit_data *); 136 static void aus_mmap(struct t_audit_data *); 137 static void aus_munmap(struct t_audit_data *); 138 static void aus_priocntlsys(struct t_audit_data *); 139 static void aus_setegid(struct t_audit_data *); 
140 static void aus_setgroups(struct t_audit_data *); 141 static void aus_seteuid(struct t_audit_data *); 142 static void aus_putmsg(struct t_audit_data *); 143 static void aus_putpmsg(struct t_audit_data *); 144 static void aus_getmsg(struct t_audit_data *); 145 static void aus_getpmsg(struct t_audit_data *); 146 static void aus_auditsys(struct t_audit_data *); 147 static void aus_sysinfo(struct t_audit_data *); 148 static void aus_modctl(struct t_audit_data *); 149 static void aus_kill(struct t_audit_data *); 150 static void aus_setregid(struct t_audit_data *); 151 static void aus_setreuid(struct t_audit_data *); 152 static void aus_labelsys(struct t_audit_data *); 153 154 static void auf_mknod(struct t_audit_data *, int, rval_t *); 155 static void auf_mknodat(struct t_audit_data *, int, rval_t *); 156 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 157 static void auf_semsys(struct t_audit_data *, int, rval_t *); 158 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 159 static void auf_read(struct t_audit_data *, int, rval_t *); 160 static void auf_write(struct t_audit_data *, int, rval_t *); 161 162 static void aus_sigqueue(struct t_audit_data *); 163 static void aus_p_online(struct t_audit_data *); 164 static void aus_processor_bind(struct t_audit_data *); 165 static void aus_inst_sync(struct t_audit_data *); 166 static void aus_brandsys(struct t_audit_data *); 167 168 static void auf_accept(struct t_audit_data *, int, rval_t *); 169 170 static void auf_bind(struct t_audit_data *, int, rval_t *); 171 static void auf_connect(struct t_audit_data *, int, rval_t *); 172 static void aus_shutdown(struct t_audit_data *); 173 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 174 static void aus_sockconfig(struct t_audit_data *); 175 static void auf_recv(struct t_audit_data *, int, rval_t *); 176 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 177 static void auf_send(struct t_audit_data *, int, rval_t *); 178 
static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 179 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 180 static void auf_sendto(struct t_audit_data *, int, rval_t *); 181 static void aus_socket(struct t_audit_data *); 182 /* 183 * This table contains mapping information for converting system call numbers 184 * to audit event IDs. In several cases it is necessary to map a single system 185 * call to several events. 186 */ 187 188 #define aui_null NULL /* NULL initialize function */ 189 #define aus_null NULL /* NULL start function */ 190 #define auf_null NULL /* NULL finish function */ 191 192 struct audit_s2e audit_s2e[] = 193 { 194 /* 195 * ---------- ---------- ---------- ---------- 196 * INITIAL AUDIT START SYSTEM 197 * PROCESSING EVENT PROCESSING CALL 198 * ---------- ---------- ---------- ----------- 199 * FINISH EVENT 200 * PROCESSING CONTROL 201 * ---------------------------------------------------------- 202 */ 203 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 204 auf_null, 0, 205 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 206 auf_null, S2E_NPT, 207 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 208 auf_null, 0, 209 aui_null, AUE_READ, aus_null, /* 3 read */ 210 auf_read, S2E_PUB, 211 aui_null, AUE_WRITE, aus_null, /* 4 write */ 212 auf_write, 0, 213 aui_open, AUE_OPEN, aus_open, /* 5 open */ 214 auf_null, S2E_SP, 215 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 216 auf_null, 0, 217 aui_null, AUE_LINK, aus_null, /* 7 linkat */ 218 auf_null, 0, 219 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 220 auf_null, 0, 221 aui_null, AUE_LINK, aus_null, /* 9 link */ 222 auf_null, 0, 223 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 224 auf_null, 0, 225 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */ 226 auf_null, 0, 227 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 228 auf_null, S2E_SP, 229 aui_null, AUE_NULL, aus_null, /* 13 time */ 230 auf_null, 0, 231 aui_null, AUE_MKNOD, aus_mknod, /* 14 
mknod */ 232 auf_mknod, S2E_MLD, 233 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 234 auf_null, 0, 235 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 236 auf_null, 0, 237 aui_null, AUE_NULL, aus_null, /* 17 brk */ 238 auf_null, 0, 239 aui_null, AUE_STAT, aus_null, /* 18 stat */ 240 auf_null, S2E_PUB, 241 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 242 auf_null, 0, 243 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 244 auf_null, 0, 245 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 246 auf_null, S2E_MLD, 247 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */ 248 auf_null, S2E_PUB, 249 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 252 auf_null, 0, 253 aui_null, AUE_STIME, aus_null, /* 25 stime */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 29 pause */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 264 auf_null, 0, 265 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) 
*/ 266 auf_null, 0, 267 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 268 auf_null, 0, 269 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 270 auf_null, S2E_PUB, 271 aui_null, AUE_NICE, aus_null, /* 34 nice */ 272 auf_null, 0, 273 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 274 auf_null, S2E_PUB, 275 aui_null, AUE_NULL, aus_null, /* 36 sync */ 276 auf_null, 0, 277 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 278 auf_null, 0, 279 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 280 auf_null, S2E_PUB, 281 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 286 auf_null, 0, 287 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 288 auf_null, 0, 289 aui_null, AUE_NULL, aus_null, /* 43 times */ 290 auf_null, 0, 291 aui_null, AUE_NULL, aus_null, /* 44 profil */ 292 auf_null, 0, 293 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 294 auf_null, S2E_PUB, 295 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 296 auf_null, 0, 297 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 298 auf_null, 0, 299 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */ 300 auf_mknodat, S2E_MLD, 301 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 302 auf_msgsys, 0, 303 #if defined(__x86) 304 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 305 auf_null, 0, 306 #else 307 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 308 auf_null, 0, 309 #endif /* __x86 */ 310 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 311 auf_null, 0, 312 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 313 auf_shmsys, 0, 314 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 315 auf_semsys, 0, 316 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 317 auf_null, 0, 318 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 319 auf_null, 0, 320 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 321 auf_null, 0, 322 
aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 323 auf_null, 0, 324 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 325 auf_null, 0, 326 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 327 auf_null, S2E_MLD, 328 aui_null, AUE_NULL, aus_null, /* 60 umask */ 329 auf_null, 0, 330 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 331 auf_null, S2E_SP, 332 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 335 auf_null, 0, 336 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 337 auf_null, 0, 338 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 339 auf_null, 0, 340 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 341 auf_null, S2E_PUB, 342 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 343 auf_null, S2E_PUB, 344 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 345 auf_null, S2E_SP, 346 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 347 auf_null, S2E_SP, 348 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 363 auf_null, 0, 364 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 365 auf_null, 0, 366 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 367 auf_null, 0, 368 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 369 auf_null, 0, 370 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 371 auf_null, 0, 372 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 373 auf_null, 0, 374 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 377 
auf_null, 0, 378 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 379 auf_null, 0, 380 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 381 auf_null, 0, 382 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 383 auf_null, 0, 384 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 387 auf_null, 0, 388 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 389 auf_null, S2E_PUB, 390 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 391 auf_null, 0, 392 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 393 auf_null, 0, 394 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 395 auf_null, 0, 396 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 409 auf_null, 0, 410 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */ 411 auf_null, 0, 412 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */ 413 auf_null, 0, 414 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 415 auf_null, S2E_PUB, 416 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 425 auf_null, 0, 426 #if defined(__x86) 427 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 428 auf_null, 0, 429 #else 430 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 431 auf_null, 0, 432 #endif /* __x86 */ 433 aui_null, AUE_UTIMES, aus_null, /* 110 
utimesys */ 434 auf_null, 0, 435 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 436 auf_null, 0, 437 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 438 auf_null, 0, 439 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 440 auf_null, S2E_PUB, 441 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 442 auf_null, 0, 443 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 444 auf_null, 0, 445 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 446 auf_null, 0, 447 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 448 auf_null, 0, 449 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 450 auf_null, 0, 451 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 452 auf_null, 0, 453 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 454 auf_null, 0, 455 aui_null, AUE_READ, aus_null, /* 121 readv */ 456 auf_read, S2E_PUB, 457 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 458 auf_write, 0, 459 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 460 auf_null, 0, 461 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 462 auf_null, 0, 463 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 464 auf_null, 0, 465 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 466 auf_null, 0, 467 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 468 auf_null, 0, 469 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 470 auf_null, 0, 471 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 472 auf_null, 0, 473 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 474 auf_null, 0, 475 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 476 auf_null, 0, 477 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 478 auf_null, 0, 479 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 480 auf_null, 0, 481 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 482 auf_null, 0, 483 aui_null, AUE_NULL, aus_null, /* 135 uname */ 484 auf_null, 0, 485 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 486 auf_null, 0, 487 aui_null, AUE_NULL, aus_null, /* 137 
sysconfig */ 488 auf_null, 0, 489 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 490 auf_null, 0, 491 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 492 auf_null, 0, 493 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 494 auf_null, 0, 495 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 496 auf_null, 0, 497 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 498 auf_null, 0, 499 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 146 yield */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 508 /* was lwp_sema_wait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 517 auf_null, 0, 518 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 519 auf_null, 0, 520 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, 
/* 164 lwp_self */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 553 /* was lwp_mutex_lock */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 560 auf_null, 0, 561 aui_null, AUE_READ, aus_null, /* 173 pread */ 562 auf_read, S2E_PUB, 563 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 564 auf_write, 0, 565 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 566 auf_null, 0, 567 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 568 auf_null, 0, 569 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 570 auf_null, 0, 571 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 578 auf_null, 0, 579 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 580 auf_null, S2E_MLD, 581 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 582 auf_null, 0, 583 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 584 auf_null, 0, 585 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 586 auf_null, 0, 587 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 588 auf_null, 0, 589 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 590 auf_null, 0, 591 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 592 auf_null, 0, 593 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 594 auf_null, 0, 595 aui_null, AUE_NULL, 
aus_sigqueue, /* 190 sigqueue */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 598 auf_null, 0, 599 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 614 auf_null, 0, 615 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 616 auf_null, 0, 617 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 618 auf_null, 0, 619 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 620 auf_null, 0, 621 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 622 auf_null, 0, 623 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 642 auf_null, 0, 643 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 644 auf_null, 0, 645 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 646 auf_null, S2E_PUB, 647 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 648 
auf_null, S2E_PUB, 649 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 650 auf_null, 0, 651 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 652 auf_null, S2E_PUB, 653 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 654 auf_null, 0, 655 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 656 auf_null, 0, 657 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 658 auf_null, 0, 659 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 660 auf_read, S2E_PUB, 661 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 662 auf_write, 0, 663 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 664 auf_null, 0, 665 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 666 auf_null, S2E_SP, 667 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 668 auf_null, 0, 669 aui_null, AUE_NULL, aus_null, /* 227 zone */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 674 auf_null, 0, 675 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 676 auf_null, 0, 677 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 678 auf_null, 0, 679 aui_null, AUE_BIND, aus_null, /* 232 bind */ 680 auf_bind, 0, 681 aui_null, AUE_NULL, aus_null, /* 233 listen */ 682 auf_null, 0, 683 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 684 auf_accept, 0, 685 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 686 auf_connect, 0, 687 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 688 auf_null, 0, 689 aui_null, AUE_READ, aus_null, /* 237 recv */ 690 auf_recv, 0, 691 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 692 auf_recvfrom, 0, 693 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 694 auf_recvmsg, 0, 695 aui_null, AUE_WRITE, aus_null, /* 240 send */ 696 auf_send, 0, 697 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 698 auf_sendmsg, 0, 699 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 700 auf_sendto, 0, 701 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 702 
auf_null, 0, 703 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 704 auf_null, 0, 705 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 706 auf_null, 0, 707 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 708 auf_setsockopt, 0, 709 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 710 auf_null, 0, 711 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 712 auf_null, 0, 713 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 724 auf_null, 0, 725 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 726 auf_null, 0 727 }; 728 729 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 730 731 732 /* exit start function */ 733 /*ARGSUSED*/ 734 static void 735 aus_exit(struct t_audit_data *tad) 736 { 737 uint32_t rval; 738 struct a { 739 long rval; 740 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 741 742 rval = (uint32_t)uap->rval; 743 au_uwrite(au_to_arg32(1, "exit status", rval)); 744 } 745 746 /* acct start function */ 747 /*ARGSUSED*/ 748 static void 749 aus_acct(struct t_audit_data *tad) 750 { 751 klwp_t *clwp = ttolwp(curthread); 752 uintptr_t fname; 753 754 struct a { 755 long fname; /* char * */ 756 } *uap = (struct a *)clwp->lwp_ap; 757 758 fname = (uintptr_t)uap->fname; 759 760 if (fname == 0) 761 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 762 } 763 764 /* chown start function */ 765 /*ARGSUSED*/ 766 static void 767 aus_chown(struct t_audit_data *tad) 768 { 769 klwp_t *clwp = ttolwp(curthread); 770 uint32_t uid, gid; 771 772 struct a { 773 long fname; /* char * */ 774 long uid; 775 long gid; 776 } *uap = (struct a *)clwp->lwp_ap; 
777 778 uid = (uint32_t)uap->uid; 779 gid = (uint32_t)uap->gid; 780 781 au_uwrite(au_to_arg32(2, "new file uid", uid)); 782 au_uwrite(au_to_arg32(3, "new file gid", gid)); 783 } 784 785 /* fchown start function */ 786 /*ARGSUSED*/ 787 static void 788 aus_fchown(struct t_audit_data *tad) 789 { 790 klwp_t *clwp = ttolwp(curthread); 791 uint32_t uid, gid, fd; 792 struct file *fp; 793 struct vnode *vp; 794 struct f_audit_data *fad; 795 796 struct a { 797 long fd; 798 long uid; 799 long gid; 800 } *uap = (struct a *)clwp->lwp_ap; 801 802 fd = (uint32_t)uap->fd; 803 uid = (uint32_t)uap->uid; 804 gid = (uint32_t)uap->gid; 805 806 au_uwrite(au_to_arg32(2, "new file uid", uid)); 807 au_uwrite(au_to_arg32(3, "new file gid", gid)); 808 809 /* 810 * convert file pointer to file descriptor 811 * Note: fd ref count incremented here. 812 */ 813 if ((fp = getf(fd)) == NULL) 814 return; 815 816 /* get path from file struct here */ 817 fad = F2A(fp); 818 if (fad->fad_aupath != NULL) { 819 au_uwrite(au_to_path(fad->fad_aupath)); 820 } else { 821 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 822 } 823 824 vp = fp->f_vnode; 825 audit_attributes(vp); 826 827 /* decrement file descriptor reference count */ 828 releasef(fd); 829 } 830 831 /*ARGSUSED*/ 832 static void 833 aus_lchown(struct t_audit_data *tad) 834 { 835 klwp_t *clwp = ttolwp(curthread); 836 uint32_t uid, gid; 837 838 839 struct a { 840 long fname; /* char * */ 841 long uid; 842 long gid; 843 } *uap = (struct a *)clwp->lwp_ap; 844 845 uid = (uint32_t)uap->uid; 846 gid = (uint32_t)uap->gid; 847 848 au_uwrite(au_to_arg32(2, "new file uid", uid)); 849 au_uwrite(au_to_arg32(3, "new file gid", gid)); 850 } 851 852 static au_event_t 853 aui_fchownat(au_event_t e) 854 { 855 klwp_t *clwp = ttolwp(curthread); 856 857 struct a { 858 long fd; 859 long fname; /* char * */ 860 long uid; 861 long gid; 862 long flags; 863 } *uap = (struct a *)clwp->lwp_ap; 864 865 if (uap->fname == NULL) 866 e = AUE_FCHOWN; 867 else if (uap->flags & 
AT_SYMLINK_NOFOLLOW) 868 e = AUE_LCHOWN; 869 else 870 e = AUE_CHOWN; 871 872 return (e); 873 } 874 875 /*ARGSUSED*/ 876 static void 877 aus_fchownat(struct t_audit_data *tad) 878 { 879 klwp_t *clwp = ttolwp(curthread); 880 uint32_t uid, gid; 881 882 struct a { 883 long fd; 884 long fname; /* char * */ 885 long uid; 886 long gid; 887 long flags; 888 } *uap = (struct a *)clwp->lwp_ap; 889 890 uid = (uint32_t)uap->uid; 891 gid = (uint32_t)uap->gid; 892 893 au_uwrite(au_to_arg32(3, "new file uid", uid)); 894 au_uwrite(au_to_arg32(4, "new file gid", gid)); 895 } 896 897 /*ARGSUSED*/ 898 static void 899 aus_chmod(struct t_audit_data *tad) 900 { 901 klwp_t *clwp = ttolwp(curthread); 902 uint32_t fmode; 903 904 struct a { 905 long fname; /* char * */ 906 long fmode; 907 } *uap = (struct a *)clwp->lwp_ap; 908 909 fmode = (uint32_t)uap->fmode; 910 911 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 912 } 913 914 /*ARGSUSED*/ 915 static void 916 aus_fchmod(struct t_audit_data *tad) 917 { 918 klwp_t *clwp = ttolwp(curthread); 919 uint32_t fmode, fd; 920 struct file *fp; 921 struct vnode *vp; 922 struct f_audit_data *fad; 923 924 struct a { 925 long fd; 926 long fmode; 927 } *uap = (struct a *)clwp->lwp_ap; 928 929 fd = (uint32_t)uap->fd; 930 fmode = (uint32_t)uap->fmode; 931 932 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 933 934 /* 935 * convert file pointer to file descriptor 936 * Note: fd ref count incremented here. 
*/
	if ((fp = getf(fd)) == NULL)
		return;

	/* get path from file struct here */
	fad = F2A(fp);
	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
	} else {
		au_uwrite(au_to_arg32(1, "no path: fd", fd));
	}

	vp = fp->f_vnode;
	audit_attributes(vp);

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * Event selector for fchmodat(2).  The incoming event is ignored: a call
 * without a pathname is audited as AUE_FCHMOD, any other as AUE_CHMOD.
 */
/*ARGSUSED*/
static au_event_t
aui_fchmodat(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long fd;
		long fname;	/* char * */
		long fmode;
		long flag;
	} *uap = (struct a *)clwp->lwp_ap;

	return ((uap->fname == NULL) ? AUE_FCHMOD : AUE_CHMOD);
}

/*
 * fchmodat(2) start function: records the requested mode (masked with
 * 07777).  When the call names a path, or uses AT_FDCWD, nothing more is
 * written here; otherwise the object behind the descriptor is identified
 * the same way aus_fchmod() does it.
 *
 * NOTE(review): the mode is the third field of the argument block but is
 * recorded with argument number 2 - presumably to match the chmod/fchmod
 * records; confirm with the record consumers.
 */
/*ARGSUSED*/
static void
aus_fchmodat(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t fmode;
	uint32_t fd;
	struct file *fp;
	struct vnode *vp;
	struct f_audit_data *fad;

	struct a {
		long fd;
		long fname;	/* char * */
		long fmode;
		long flag;
	} *uap = (struct a *)clwp->lwp_ap;

	fd = (uint32_t)uap->fd;
	fmode = (uint32_t)uap->fmode;

	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));

	if (fd == AT_FDCWD || uap->fname != NULL)	/* same as chmod() */
		return;

	/*
	 * convert file pointer to file descriptor
	 * Note: fd ref count incremented here.
*/
	if ((fp = getf(fd)) == NULL)
		return;

	/* get path from file struct here */
	fad = F2A(fp);
	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
	} else {
		au_uwrite(au_to_arg32(1, "no path: fd", fd));
	}

	vp = fp->f_vnode;
	audit_attributes(vp);

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * Map an open mode to the matching open audit event.
 *
 * Only the access mode plus O_CREAT and O_TRUNC take part in the choice;
 * every other flag bit is masked off first.  A combination that has no
 * case below yields AUE_NULL.
 */
au_event_t
open_event(uint_t fm)
{
	switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
	case O_RDONLY:
		return (AUE_OPEN_R);
	case O_RDONLY | O_CREAT:
		return (AUE_OPEN_RC);
	case O_RDONLY | O_TRUNC:
		return (AUE_OPEN_RT);
	case O_RDONLY | O_TRUNC | O_CREAT:
		return (AUE_OPEN_RTC);
	case O_WRONLY:
		return (AUE_OPEN_W);
	case O_WRONLY | O_CREAT:
		return (AUE_OPEN_WC);
	case O_WRONLY | O_TRUNC:
		return (AUE_OPEN_WT);
	case O_WRONLY | O_TRUNC | O_CREAT:
		return (AUE_OPEN_WTC);
	case O_RDWR:
		return (AUE_OPEN_RW);
	case O_RDWR | O_CREAT:
		return (AUE_OPEN_RWC);
	case O_RDWR | O_TRUNC:
		return (AUE_OPEN_RWT);
	case O_RDWR | O_TRUNC | O_CREAT:
		return (AUE_OPEN_RWTC);
	case O_SEARCH:
		return (AUE_OPEN_S);
	case O_EXEC:
		return (AUE_OPEN_E);
	default:
		return (AUE_NULL);
	}
}

/*
 * Event selector for open(2): the event depends only on the open mode,
 * see open_event().  The incoming event is ignored.
 */
/* ARGSUSED */
static au_event_t
aui_open(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long fnamep;	/* char * */
		long fmode;
		long cmode;
	} *uap = (struct a *)clwp->lwp_ap;

	return (open_event((uint_t)uap->fmode));
}

/*
 * open(2) start function: flags the event as public (TAD_PUBLIC_EV) when
 * the mode asks for neither write, create nor truncate.
 *
 * NOTE(review): the flag is consumed elsewhere; presumably it allows
 * read-only opens of public objects to be left out of the trail - confirm.
 */
static void
aus_open(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long fnamep;	/* char * */
		long fmode;
		long cmode;
	} *uap = (struct a *)clwp->lwp_ap;
	uint_t access;

	access = (uint_t)uap->fmode &
	    (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC);

	if (access == O_RDONLY)
		tad->tad_ctrl |= TAD_PUBLIC_EV;
}

/*
 * Event selector for openat(2): same mapping as aui_open(), and in
 * addition sets TAD_MLD on the current thread's audit data when
 * FXATTRDIROPEN is present in the mode.
 */
/* ARGSUSED */
static au_event_t
aui_openat(au_event_t e)
{
	t_audit_data_t *tad = T2A(curthread);
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long filedes;
		long fnamep;	/* char * */
		long fmode;
		long cmode;
	} *uap = (struct a *)clwp->lwp_ap;
	uint_t fm = (uint_t)uap->fmode;

	/*
	 * __openattrdirat() does an extra pathname lookup in order to
	 * enter the extended system attribute namespace of the referenced
	 * extended attribute filename.
	 */
	if (fm & FXATTRDIROPEN)
		tad->tad_ctrl |= TAD_MLD;

	return (open_event(fm));
}

/*
 * openat(2) start function: same public-event marking as aus_open().
 */
static void
aus_openat(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long filedes;
		long fnamep;	/* char * */
		long fmode;
		long cmode;
	} *uap = (struct a *)clwp->lwp_ap;
	uint_t access;

	access = (uint_t)uap->fmode &
	    (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC);

	/* no write, create or trunc requested: mark as a public op */
	if (access == O_RDONLY)
		tad->tad_ctrl |= TAD_PUBLIC_EV;
}

/*
 * Event selector for unlinkat(2): AT_REMOVEDIR turns the call into a
 * directory removal (AUE_RMDIR); without it the event is AUE_UNLINK.
 */
/*ARGSUSED*/
static au_event_t
aui_unlinkat(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long filedes;
		long fnamep;	/* char * */
		long flags;
	} *uap = (struct a *)clwp->lwp_ap;

	return ((uap->flags & AT_REMOVEDIR) ? AUE_RMDIR : AUE_UNLINK);
}

/*
 * Event selector for fstatat(2): chooses between AUE_FSTAT, AUE_LSTAT and
 * AUE_STAT from the pathname and flags arguments.
 */
static au_event_t
aui_fstatat(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);

	struct a {
		long filedes;
		long fnamep;	/* char * */
		long statb;
		long flags;
	} *uap = (struct a *)clwp->lwp_ap;

	if (uap->fnamep == NULL)
		e = AUE_FSTAT;
	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
		e = AUE_LSTAT;
	else
		e = AUE_STAT;

	return (e);
}

/*
 * Event selector for msgsys.  The first argument slot is the function
 * code; the real arguments start at the second slot.  msgctl is split
 * further by command.  An unknown function code yields AUE_NULL.
 */
/*ARGSUSED*/
static au_event_t
aui_msgsys(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long id;	/* function code id */
		long ap;	/* arg pointer for recvmsg */
	} *uap = (struct a *)clwp->lwp_ap;
	struct b {
		long msgid;
		long cmd;
		long buf;	/* struct msqid_ds * */
	} *uap1 = (struct b *)&clwp->lwp_ap[1];

	switch ((uint_t)uap->id) {
	case 0:		/* msgget */
		return (AUE_MSGGET);
	case 1:		/* msgctl */
		switch ((uint_t)uap1->cmd) {
		case IPC_RMID:
			return (AUE_MSGCTL_RMID);
		case IPC_SET:
			return (AUE_MSGCTL_SET);
		case IPC_STAT:
			return (AUE_MSGCTL_STAT);
		default:
			return (AUE_MSGCTL);
		}
		/*NOTREACHED*/
	case 2:		/* msgrcv */
		return (AUE_MSGRCV);
	case 3:		/* msgsnd */
		return (AUE_MSGSND);
	default:	/* illegal system call */
		return (AUE_NULL);
	}
}


/*
 * Event selector for shmsys; same layout as aui_msgsys(): function code
 * in the first slot, arguments from the second slot on.
 */
/*ARGSUSED*/
static au_event_t
aui_shmsys(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {		/* shmsys */
		long id;	/* function code id */
	} *uap = (struct a *)clwp->lwp_ap;
	struct b {		/* ctrl */
		long shmid;
		long cmd;
		long arg;	/* struct shmid_ds * */
	} *uap1 = (struct b *)&clwp->lwp_ap[1];
	int fm = (uint_t)uap->id;

	switch (fm) {
	case 0:		/* shmat */
		return (AUE_SHMAT);
	case 1:		/* shmctl */
		switch ((uint_t)uap1->cmd) {
		case IPC_RMID:
			return (AUE_SHMCTL_RMID);
		case IPC_SET:
			return (AUE_SHMCTL_SET);
		case IPC_STAT:
			return (AUE_SHMCTL_STAT);
		default:
			return (AUE_SHMCTL);
		}
		/*NOTREACHED*/
	case 2:		/* shmdt */
		return (AUE_SHMDT);
	case 3:		/* shmget */
		return (AUE_SHMGET);
	default:	/* illegal system call */
		return (AUE_NULL);
	}
}


/*
 * Event selector for semsys.  Function code 0 (semctl) is split by
 * command so that each control operation has its own event; commands not
 * listed fall back to AUE_SEMCTL.
 */
/*ARGSUSED*/
static au_event_t
aui_semsys(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {		/* semsys */
		long id;
	} *uap = (struct a *)clwp->lwp_ap;
	struct b {		/* ctrl */
		long semid;
		long semnum;
		long cmd;
		long arg;
	} *uap1 = (struct b *)&clwp->lwp_ap[1];

	switch ((uint_t)uap->id) {
	case 0:		/* semctl */
		switch ((uint_t)uap1->cmd) {
		case IPC_RMID:
			return (AUE_SEMCTL_RMID);
		case IPC_SET:
			return (AUE_SEMCTL_SET);
		case IPC_STAT:
			return (AUE_SEMCTL_STAT);
		case GETNCNT:
			return (AUE_SEMCTL_GETNCNT);
		case GETPID:
			return (AUE_SEMCTL_GETPID);
		case GETVAL:
			return (AUE_SEMCTL_GETVAL);
		case GETALL:
			return (AUE_SEMCTL_GETALL);
		case GETZCNT:
			return (AUE_SEMCTL_GETZCNT);
		case SETVAL:
			return (AUE_SEMCTL_SETVAL);
		case SETALL:
			return (AUE_SEMCTL_SETALL);
		default:
			return (AUE_SEMCTL);
		}
		/*NOTREACHED*/
	case 1:		/* semget */
		return (AUE_SEMGET);
	case 2:		/* semop */
		return (AUE_SEMOP);
	default:	/* illegal system call */
		return (AUE_NULL);
	}
}

/*
 * Event selector for utssys - uname(2), ustat(2), fusers(2).
 * Only the UTS_FUSERS request keeps the incoming event; every other type
 * is turned into AUE_NULL.
 */
static au_event_t
aui_utssys(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		union {
			long cbuf;	/* char * */
			long ubuf;	/* struct stat * */
		} ub;
		union {
			long mv;	/* for USTAT */
			long flags;	/* for FUSERS */
		} un;
		long type;
		long outbp;		/* char * for FUSERS */
	} *uap = (struct a *)clwp->lwp_ap;

	return (((uint_t)uap->type == UTS_FUSERS) ?
	    e : (au_event_t)AUE_NULL);
}

/*
 * Event selector for fcntl(2): the incoming event is kept for the six
 * commands listed and replaced by AUE_NULL for every other command.
 *
 * NOTE(review): F_GETFD is in the list while F_SETFD is not - confirm
 * that this is the intended selection.
 */
static au_event_t
aui_fcntl(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long fdes;
		long cmd;
		long arg;
	} *uap = (struct a *)clwp->lwp_ap;

	switch ((uint_t)uap->cmd) {
	case F_GETLK:
	case F_SETLK:
	case F_SETLKW:
	case F_SETFL:
	case F_GETFL:
	case F_GETFD:
		return ((au_event_t)e);
	default:
		return ((au_event_t)AUE_NULL);
	}
}

/* null function for now: the incoming event is returned unchanged */
static au_event_t
aui_execve(au_event_t e)
{
	return (e);
}

/*
 * fcntl(2) start function: records the command (argument 2) and, for
 * F_SETFL only, the flags (argument 3), then identifies the object behind
 * the descriptor.
 */
/*ARGSUSED*/
static void
aus_fcntl(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t cmd, fd, flags;
	struct file *fp;
	struct vnode *vp;
	struct f_audit_data *fad;

	struct a {
		long fd;
		long cmd;
		long arg;
	} *uap = (struct a *)clwp->lwp_ap;

	cmd = (uint32_t)uap->cmd;
	fd = (uint32_t)uap->fd;
	flags = (uint32_t)uap->arg;

	au_uwrite(au_to_arg32(2, "cmd", cmd));

	if (cmd == F_SETFL)
		au_uwrite(au_to_arg32(3, "flags", flags));

	/*
	 * convert file pointer to file descriptor
	 * Note: fd ref count incremented here.
*/
	if ((fp = getf(fd)) == NULL)
		return;

	/* get path from file struct here */
	fad = F2A(fp);
	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
	} else {
		au_uwrite(au_to_arg32(1, "no path: fd", fd));
	}

	vp = fp->f_vnode;
	audit_attributes(vp);

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * kill(2) start function: records the signal number and describes the
 * target.
 *
 * For a positive pid that resolves to a process (and is not in SIDL
 * state) with audit information on its credential, a process token built
 * from that credential is written, followed by a label token on labeled
 * systems.  In every other case the pid is recorded as a plain argument.
 *
 * Locking: pidlock covers the lookup; p_lock is taken before pidlock is
 * dropped so the process cannot go away; p_crlock covers taking a hold on
 * the credential.  All locks are released before the credential is read.
 */
/*ARGSUSED*/
static void
aus_kill(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long pid;
		long signo;
	} *uap = (struct a *)clwp->lwp_ap;
	pid_t pid = (pid_t)uap->pid;
	const auditinfo_addr_t *ainfo;
	struct proc *p;
	uid_t uid, ruid;
	gid_t gid, rgid;
	cred_t *cr;

	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));

	if (pid <= 0) {
		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
		return;
	}

	mutex_enter(&pidlock);
	p = prfind(pid);
	if (p == NULL || p->p_stat == SIDL) {
		mutex_exit(&pidlock);
		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
		return;
	}
	mutex_enter(&p->p_lock);	/* so process doesn't go away */
	mutex_exit(&pidlock);

	/* keep the credential alive past the point where the locks drop */
	mutex_enter(&p->p_crlock);
	cr = p->p_cred;
	crhold(cr);
	mutex_exit(&p->p_crlock);
	mutex_exit(&p->p_lock);

	ainfo = crgetauinfo(cr);
	if (ainfo == NULL) {
		crfree(cr);
		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
		return;
	}

	uid = crgetuid(cr);
	gid = crgetgid(cr);
	ruid = crgetruid(cr);
	rgid = crgetrgid(cr);
	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));

	if (is_system_labeled())
		au_uwrite(au_to_label(CR_SL(cr)));

	crfree(cr);
}

/*ARGSUSED*/
static void
aus_mkdir(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long dirnamep;	/* char * */
		long dmode;
	} *uap = (struct a *)clwp->lwp_ap;

	/* record the requested directory mode as argument 2 */
	au_uwrite(au_to_arg32(2, "mode", (uint32_t)uap->dmode));
}

/*
 * mkdirat(2) start function: records the requested directory mode.
 *
 * NOTE(review): the mode is the third field of the argument block but is
 * recorded with argument number 2, as in aus_mkdir() - presumably
 * deliberate; confirm with the record consumers.
 */
/*ARGSUSED*/
static void
aus_mkdirat(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long fd;
		long dirnamep;	/* char * */
		long dmode;
	} *uap = (struct a *)clwp->lwp_ap;

	au_uwrite(au_to_arg32(2, "mode", (uint32_t)uap->dmode));
}

/*
 * mknod(2) start function: records the mode (argument 2) and the device
 * number (argument 3).  The device is written as a 64-bit argument on
 * _LP64 kernels and as a 32-bit argument otherwise.
 */
/*ARGSUSED*/
static void
aus_mknod(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long pnamep;	/* char * */
		long fmode;
		long dev;
	} *uap = (struct a *)clwp->lwp_ap;
	dev_t dev = (dev_t)uap->dev;

	au_uwrite(au_to_arg32(2, "mode", (uint32_t)uap->fmode));
#ifdef _LP64
	au_uwrite(au_to_arg64(3, "dev", dev));
#else
	au_uwrite(au_to_arg32(3, "dev", dev));
#endif
}

/*
 * mknod(2) finish function.  Acts only when the call failed with EPERM or
 * EINVAL: in those cases the pathname is looked up again, without
 * following a final symlink, so that a path token is generated.
 * TAD_NOATTRB is set on the audit control flags before the lookup.
 *
 * NOTE(review): the pathname is read from user space a second time here,
 * after the system call has already returned its error; presumably the
 * recorded path is therefore best-effort if the caller's memory changes in
 * between - confirm.
 */
/*ARGSUSED*/
static void
auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long pnamep;	/* char * */
		long fmode;
		long dev;
	} *uap = (struct a *)clwp->lwp_ap;
	vnode_t *dvp;

	/* any other outcome: nothing to add to the record here */
	if (error != EPERM && error != EINVAL)
		return;

	/* do the lookup to force generation of path token */
	tad->tad_ctrl |= TAD_NOATTRB;
	if (lookupname((caddr_t)uap->pnamep, UIO_USERSPACE, NO_FOLLOW,
	    &dvp, NULLVPP) == 0)
		VN_RELE(dvp);
}

/*
 * mknodat(2) start function: records the mode and the device number.
 *
 * NOTE(review): mode and dev are the third and fourth fields of the
 * argument block but are recorded as arguments 2 and 3, as in
 * aus_mknod() - presumably deliberate; confirm.
 */
/*ARGSUSED*/
static void
aus_mknodat(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long fd;
		long pnamep;	/* char * */
		long fmode;
		long dev;
	} *uap = (struct a *)clwp->lwp_ap;
	dev_t dev = (dev_t)uap->dev;

	au_uwrite(au_to_arg32(2, "mode", (uint32_t)uap->fmode));
#ifdef _LP64
	au_uwrite(au_to_arg64(3, "dev", dev));
#else
	au_uwrite(au_to_arg32(3, "dev", dev));
#endif
}

/*
 * mknodat(2) finish function; the descriptor-relative counterpart of
 * auf_mknod().  On EPERM or EINVAL it resolves the starting vnode with
 * fgetstartvp() and repeats the lookup relative to it so that a path
 * token is generated.  Holds on both vnodes are released before return.
 */
/*ARGSUSED*/
static void
auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long fd;
		long pnamep;	/* char * */
		long fmode;
		long dev;
	} *uap = (struct a *)clwp->lwp_ap;
	vnode_t *startvp;
	vnode_t *dvp;
	caddr_t pnamep;

	/* any other outcome: nothing to add to the record here */
	if (error != EPERM && error != EINVAL)
		return;

	/* do the lookup to force generation of path token */
	pnamep = (caddr_t)uap->pnamep;
	if (pnamep == NULL)
		return;
	if (fgetstartvp((int)uap->fd, pnamep, &startvp) != 0)
		return;

	tad->tad_ctrl |= TAD_NOATTRB;
	if (lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
	    startvp) == 0)
		VN_RELE(dvp);
	if (startvp != NULL)
		VN_RELE(startvp);
}

/*
 * mount(2) start function: records the mount flags and the file system
 * type name and, when the type name begins with "nfs", the server host
 * name and the flags field taken from the caller's nfs_args.
 *
 * Everything is copied in from user space with explicit bounds:
 * MAXNAMELEN for both strings, and at most STRUCT_SIZE(nfsargs) bytes for
 * the argument structure, which is zeroed first so a short copy leaves
 * the remaining fields zero.  If the type name cannot be copied in,
 * nothing is recorded.
 *
 * NOTE(review): the type check is a three-character prefix match, so any
 * type whose name starts with "nfs" has its data pointer read as
 * nfs_args - confirm that is intended.
 */
/*ARGSUSED*/
static void
aus_mount(struct t_audit_data *tad)
{	/* AUS_START */
	klwp_t *clwp = ttolwp(curthread);
	uint32_t flags;
	uintptr_t u_fstype, dataptr;
	STRUCT_DECL(nfs_args, nfsargs);
	size_t len;
	char *fstype, *hostname;

	struct a {
		long spec;	/* char * */
		long dir;	/* char * */
		long flags;
		long fstype;	/* char * */
		long dataptr;	/* char * */
		long datalen;
	} *uap = (struct a *)clwp->lwp_ap;

	u_fstype = (uintptr_t)uap->fstype;
	flags = (uint32_t)uap->flags;
	dataptr = (uintptr_t)uap->dataptr;

	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
		goto mount_free_fstype;

	au_uwrite(au_to_arg32(3, "flags", flags));
	au_uwrite(au_to_text(fstype));

	if (strncmp(fstype, "nfs", 3) == 0) {

		/* size the structure for the caller's data model */
		STRUCT_INIT(nfsargs, get_udatamodel());
		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));

		/* never copy more than the kernel-side structure holds */
		if (copyin((caddr_t)dataptr,
		    STRUCT_BUF(nfsargs),
		    MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
			/* DEBUG debug_enter((char *)NULL); */
			goto mount_free_fstype;
		}
		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
		    (caddr_t)hostname,
		    MAXNAMELEN, &len)) {
			goto mount_free_hostname;
		}
		au_uwrite(au_to_text(hostname));
		au_uwrite(au_to_arg32(3, "internal flags",
		    (uint_t)STRUCT_FGET(nfsargs, flags)));

mount_free_hostname:
		kmem_free(hostname, MAXNAMELEN);
	}

mount_free_fstype:
	kmem_free(fstype, MAXNAMELEN);
}	/* AUS_MOUNT */

/*
 * Copy the directory name of an unmount request in from user space
 * (bounded by MAXPATHLEN) and write it to the audit record as a path
 * token.  Both temporary buffers are freed on every path.
 */
static void
aus_umount_path(caddr_t umount_dir)
{
	char *dir_path;
	struct audit_path *path;
	size_t path_len, dir_len;

	/* length alloc'd for two string pointers */
	path_len = sizeof (struct audit_path) + sizeof (char *);
	path = kmem_alloc(path_len, KM_SLEEP);
	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);

	if (copyinstr(umount_dir, (caddr_t)dir_path,
	    MAXPATHLEN, &dir_len))
		goto umount2_free_dir;

	/*
	 * the audit_path struct assumes that the buffer pointed to
	 * by audp_sect[n] contains string 0 immediately followed
	 * by string 1.
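*/
	path->audp_sect[0] = dir_path;
	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
	path->audp_size = path_len;
	path->audp_ref = 1;		/* not used */
	path->audp_cnt = 1;		/* one path string */

	au_uwrite(au_to_path(path));

umount2_free_dir:
	kmem_free(dir_path, MAXPATHLEN);
	kmem_free(path, path_len);
}

/*
 * umount2(2) start function: records the directory being unmounted as a
 * path token, then the flags as argument 2.
 */
/*ARGSUSED*/
static void
aus_umount2(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long dir;	/* char * */
		long flags;
	} *uap = (struct a *)clwp->lwp_ap;

	aus_umount_path((caddr_t)uap->dir);

	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
}

/*
 * msgsys start function.  The first real argument (second slot of the
 * argument block) is recorded as argument 1: labelled as a key for
 * msgget, and as a queue ID for every other audited message operation.
 * Events not listed write nothing.
 */
static void
aus_msgsys(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t msgid;

	struct b {
		long msgid;
		long cmd;
		long buf;	/* struct msqid_ds * */
	} *uap1 = (struct b *)&clwp->lwp_ap[1];

	msgid = (uint32_t)uap1->msgid;

	switch (tad->tad_event) {
	case AUE_MSGGET:	/* msgget */
		au_uwrite(au_to_arg32(1, "msg key", msgid));
		break;
	case AUE_MSGCTL:	/* msgctl */
	case AUE_MSGCTL_RMID:	/* msgctl */
	case AUE_MSGCTL_SET:	/* msgctl */
	case AUE_MSGCTL_STAT:	/* msgctl */
	case AUE_MSGRCV:	/* msgrcv */
	case AUE_MSGSND:	/* msgsnd */
		au_uwrite(au_to_arg32(1, "msg ID", msgid));
		break;
	}
}

/*
 * msgsys finish function: after a successful msgget, records the new
 * queue ID as an IPC token.
 *
 * Where the ID lives in rval depends on the return-value convention of
 * the system call table entry, which in turn depends on the data model of
 * the calling binary.
 *
 * The ID used to be left uninitialized when the convention matched none
 * of the three known values, so an indeterminate stack value could be
 * written to the audit trail.  In that case the IPC token is now left
 * out; this function writes nothing else, and the rest of the record is
 * not touched here.
 */
/*ARGSUSED*/
static void
auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
{
	uint32_t scid;
	uint32_t sy_flags;
	int id;

	if (error != 0 || tad->tad_event != AUE_MSGGET)
		return;

	/* need to determine type of executing binary */
	scid = tad->tad_scid;
#ifdef _SYSCALL32_IMPL
	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
	else
		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
#else
	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
#endif
	if (sy_flags == SE_64RVAL)
		id = (int)rval->r_vals;
	else if (sy_flags == SE_32RVAL1 ||
	    sy_flags == (SE_32RVAL2|SE_32RVAL1))
		id = rval->r_val1;
	else
		return;		/* unknown convention: no trustworthy ID */

	au_uwrite(au_to_ipc(AT_IPC_MSG, id));
}

/*
 * semsys start function.  The first real argument is recorded as
 * argument 1: labelled as a key for semget, and as a semaphore ID for
 * semop and every semctl variant.  Events not listed write nothing.
 */
static void
aus_semsys(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t semid;

	struct b {		/* ctrl */
		long semid;
		long semnum;
		long cmd;
		long arg;
	} *uap1 = (struct b *)&clwp->lwp_ap[1];

	semid = (uint32_t)uap1->semid;

	switch (tad->tad_event) {
	case AUE_SEMCTL_RMID:
	case AUE_SEMCTL_STAT:
	case AUE_SEMCTL_GETNCNT:
	case AUE_SEMCTL_GETPID:
	case AUE_SEMCTL_GETVAL:
	case AUE_SEMCTL_GETALL:
	case AUE_SEMCTL_GETZCNT:
	case AUE_SEMCTL_SET:
	case AUE_SEMCTL_SETVAL:
	case AUE_SEMCTL_SETALL:
	case AUE_SEMCTL:
	case AUE_SEMOP:
		au_uwrite(au_to_arg32(1, "sem ID", semid));
		break;
	case AUE_SEMGET:
		au_uwrite(au_to_arg32(1, "sem key", semid));
		break;
	}
}

/*
 * semsys finish function: after a successful semget, records the new
 * semaphore ID as an IPC token.
 *
 * As in auf_msgsys(), the ID is taken from rval according to the
 * return-value convention of the system call table entry.  The ID used to
 * be left uninitialized when the convention matched none of the three
 * known values; the IPC token is now left out in that case instead of
 * carrying an indeterminate value.
 */
/*ARGSUSED*/
static void
auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
{
	uint32_t scid;
	uint32_t sy_flags;
	int id;

	if (error != 0 || tad->tad_event != AUE_SEMGET)
		return;

	/* need to determine type of executing binary */
	scid = tad->tad_scid;
#ifdef _SYSCALL32_IMPL
	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
	else
		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
#else
	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
#endif
	if (sy_flags == SE_64RVAL)
		id = (int)rval->r_vals;
	else if (sy_flags == SE_32RVAL1 ||
	    sy_flags == (SE_32RVAL2|SE_32RVAL1))
		id = rval->r_val1;
	else
		return;		/* unknown convention: no trustworthy ID */

	au_uwrite(au_to_ipc(AT_IPC_SEM, id));
}

/*
 * close(2) start function: records the descriptor number and, when the
 * file has a cached audit path, the path and the object's attributes.
 *
 * The event modifier is taken from the flags kept on the file's audit
 * data.  If the file was not opened for writing and object_is_public()
 * accepts its attributes, the audit is skipped altogether: the thread's
 * audit flag and event modifier are cleared and the record built so far
 * is discarded.
 *
 * The hold taken by getf() is dropped on every path that got past it.
 */
/*ARGSUSED*/
static void
aus_close(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t fd;
	struct file *fp;
	struct f_audit_data *fad;
	struct vnode *vp;
	struct vattr attr;
	au_kcontext_t *kctx = GET_KCTX_PZ;

	struct a {
		long i;
	} *uap = (struct a *)clwp->lwp_ap;

	fd = (uint32_t)uap->i;

	attr.va_mask = 0;
	au_uwrite(au_to_arg32(1, "fd", fd));

	/*
	 * look up the file structure for the descriptor
	 * Note: fd ref count incremented here.
	 */
	if ((fp = getf(fd)) == NULL)
		return;

	fad = F2A(fp);
	tad->tad_evmod = (au_emod_t)fad->fad_flags;
	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
		if ((vp = fp->f_vnode) != NULL) {
			attr.va_mask = AT_ALL;
			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
				/*
				 * When write was not used and the file can be
				 * considered public, skip the audit.
				 */
				if (((fp->f_flag & FWRITE) == 0) &&
				    object_is_public(&attr)) {
					tad->tad_flag = 0;
					tad->tad_evmod = 0;
					/* free any residual audit data */
					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
					releasef(fd);
					return;
				}
				au_uwrite(au_to_attr(&attr));
				audit_sec_attributes(&(u_ad), vp);
			}
		}
	}

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * fstatfs start function: identifies the object behind the descriptor by
 * its cached audit path or, failing that, by the descriptor number.
 */
/*ARGSUSED*/
static void
aus_fstatfs(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t fd;
	struct file *fp;
	struct vnode *vp;
	struct f_audit_data *fad;

	struct a {
		long fd;
		long buf;	/* struct statfs * */
	} *uap = (struct a *)clwp->lwp_ap;

	fd = (uint_t)uap->fd;

	/*
	 * convert file pointer to file descriptor
	 * Note: fd ref count incremented here.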
*/
	if ((fp = getf(fd)) == NULL)
		return;

	/* get path from file struct here */
	fad = F2A(fp);
	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
	} else {
		au_uwrite(au_to_arg32(1, "no path: fd", fd));
	}

	vp = fp->f_vnode;
	audit_attributes(vp);

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * Event selector for the multiplexed process-group call.  The first
 * argument is the sub-function code; only the three that change state are
 * audited:
 *	1  setpgrp()	AUE_SETPGRP
 *	3  setsid()	AUE_SETSID
 *	5  setpgid()	AUE_SETPGID
 * The getters (0 getpgrp, 2 getsid, 4 getpgid) are not security relevant
 * and, like any unknown code, yield AUE_NULL.
 */
/*ARGSUSED*/
static au_event_t
aui_setpgrp(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	struct a {
		long flag;
		long pid;
		long pgid;
	} *uap = (struct a *)clwp->lwp_ap;

	switch ((int)uap->flag) {
	case 1:		/* setpgrp() */
		return (AUE_SETPGRP);
	case 3:		/* setsid() */
		return (AUE_SETSID);
	case 5:		/* setpgid() */
		return (AUE_SETPGID);
	default:	/* getters and unknown codes */
		return (AUE_NULL);
	}
}

/*
 * Start function for the multiplexed process-group call.  Only setpgid()
 * (code 5) aimed at another process writes anything: a process token for
 * the target followed by the requested process group ID.
 */
/*ARGSUSED*/
static void
aus_setpgrp(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	pid_t pgid;
	struct proc *p;
	uid_t uid, ruid;
	gid_t gid, rgid;
	pid_t pid;
	cred_t *cr;
	int flag;
	const auditinfo_addr_t *ainfo;

	struct a {
		long flag;
		long pid;
		long pgid;
	} *uap = (struct a *)clwp->lwp_ap;

	flag = (int)uap->flag;
	pid = (pid_t)uap->pid;
	pgid = (pid_t)uap->pgid;


	switch (flag) {

	case 0:	/* getpgrp() */
	case 1:	/* setpgrp() */
	case 2:	/* getsid() */
	case 3:	/* setsid() */
	case 4:	/* getpgid() */
		break;

	case 5:	/* setpgid() */

		/* current process?
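*/
		if (pid == 0) {
			return;
		}

		mutex_enter(&pidlock);
		p = prfind(pid);
		if (p == NULL || p->p_as == &kas ||
		    p->p_stat == SIDL || p->p_stat == SZOMB) {
			mutex_exit(&pidlock);
			return;
		}
		mutex_enter(&p->p_lock);	/* so process doesn't go away */
		mutex_exit(&pidlock);

		mutex_enter(&p->p_crlock);
		crhold(cr = p->p_cred);
		mutex_exit(&p->p_crlock);
		mutex_exit(&p->p_lock);

		ainfo = crgetauinfo(cr);
		if (ainfo == NULL) {
			crfree(cr);
			return;
		}

		uid = crgetuid(cr);
		gid = crgetgid(cr);
		ruid = crgetruid(cr);
		rgid = crgetrgid(cr);
		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
		crfree(cr);
		au_uwrite(au_to_arg32(2, "pgid", pgid));
		break;

	default:
		break;
	}
}


/*
 * setregid(2) start function: records the requested real and effective
 * group IDs as arguments 1 and 2.
 */
/*ARGSUSED*/
static void
aus_setregid(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t rgid, egid;

	struct a {
		long rgid;
		long egid;
	} *uap = (struct a *)clwp->lwp_ap;

	rgid = (uint32_t)uap->rgid;
	egid = (uint32_t)uap->egid;

	au_uwrite(au_to_arg32(1, "rgid", rgid));
	au_uwrite(au_to_arg32(2, "egid", egid));
}

/* setgid(2) start function: records the requested group ID. */
/*ARGSUSED*/
static void
aus_setgid(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t gid;

	struct a {
		long gid;
	} *uap = (struct a *)clwp->lwp_ap;

	gid = (uint32_t)uap->gid;

	au_uwrite(au_to_arg32(1, "gid", gid));
}


/*
 * setreuid(2) start function: records the requested real and effective
 * user IDs as arguments 1 and 2.
 */
/*ARGSUSED*/
static void
aus_setreuid(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t ruid, euid;

	struct a {
		long ruid;
		long euid;
	} *uap = (struct a *)clwp->lwp_ap;

	ruid = (uint32_t)uap->ruid;
	euid = (uint32_t)uap->euid;

	au_uwrite(au_to_arg32(1, "ruid", ruid));
	au_uwrite(au_to_arg32(2, "euid", euid));
}


/* setuid(2) start function: records the requested user ID. */
/*ARGSUSED*/
static void
aus_setuid(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t uid;

	struct a {
		long uid;
	} *uap = (struct a *)clwp->lwp_ap;

	uid = (uint32_t)uap->uid;

	au_uwrite(au_to_arg32(1, "uid", uid));
}

/*
 * shmsys start function.  The meaning of the first two argument slots
 * depends on the operation, so the labels are chosen per event; the
 * struct field names only fit shmctl.
 *
 * NOTE(review): the values labelled "shm adr" go through a uint32_t, so
 * on a 64-bit kernel the recorded address is presumably truncated -
 * confirm whether a 64-bit argument token is wanted here.
 */
/*ARGSUSED*/
static void
aus_shmsys(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t id, cmd;

	struct b {
		long id;
		long cmd;
		long buf;	/* struct shmid_ds * */
	} *uap1 = (struct b *)&clwp->lwp_ap[1];

	id = (uint32_t)uap1->id;
	cmd = (uint32_t)uap1->cmd;

	switch (tad->tad_event) {
	case AUE_SHMGET:	/* shmget */
		au_uwrite(au_to_arg32(1, "shm key", id));
		break;
	case AUE_SHMCTL:	/* shmctl */
	case AUE_SHMCTL_RMID:	/* shmctl */
	case AUE_SHMCTL_STAT:	/* shmctl */
	case AUE_SHMCTL_SET:	/* shmctl */
		au_uwrite(au_to_arg32(1, "shm ID", id));
		break;
	case AUE_SHMDT:		/* shmdt */
		au_uwrite(au_to_arg32(1, "shm adr", id));
		break;
	case AUE_SHMAT:		/* shmat */
		au_uwrite(au_to_arg32(1, "shm ID", id));
		au_uwrite(au_to_arg32(2, "shm adr", cmd));
		break;
	}
}

/*
 * shmsys finish function: after a successful shmget, records the new
 * segment ID as an IPC token.
 *
 * Where the ID lives in rval depends on the return-value convention of
 * the system call table entry, which in turn depends on the data model of
 * the calling binary.
 *
 * The ID used to be left uninitialized when the convention matched none
 * of the three known values, so an indeterminate stack value could be
 * written to the audit trail.  In that case the IPC token is now left
 * out; this function writes nothing else.
 */
/*ARGSUSED*/
static void
auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
{
	uint32_t scid;
	uint32_t sy_flags;
	int id;

	if (error != 0 || tad->tad_event != AUE_SHMGET)
		return;

	/* need to determine type of executing binary */
	scid = tad->tad_scid;
#ifdef _SYSCALL32_IMPL
	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
	else
		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
#else
	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
#endif
	if (sy_flags == SE_64RVAL)
		id = (int)rval->r_vals;
	else if (sy_flags == SE_32RVAL1 ||
	    sy_flags == (SE_32RVAL2|SE_32RVAL1))
		id = rval->r_val1;
	else
		return;		/* unknown convention: no trustworthy ID */

	au_uwrite(au_to_ipc(AT_IPC_SHM, id));
}


/*
 * ioctl(2) start function.  Writes, in this order: the target (audit
 * path plus attributes, or the descriptor number when there is no cached
 * path or the descriptor does not resolve), the command as argument 2 and
 * the raw argument word as argument 3.  The argument word is recorded
 * with the kernel's native width and is never dereferenced here.
 */
/*ARGSUSED*/
static void
aus_ioctl(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	struct file *fp;
	struct f_audit_data *fad;
	uint32_t fd, cmd;
	uintptr_t cmarg;

	/* XX64 */
	struct a {
		long fd;
		long cmd;
		long cmarg;	/* caddr_t */
	} *uap = (struct a *)clwp->lwp_ap;

	fd = (uint32_t)uap->fd;
	cmd = (uint32_t)uap->cmd;
	cmarg = (uintptr_t)uap->cmarg;

	/*
	 * look up the file structure for the descriptor
	 * Note: fd ref count incremented here.
	 */
	fp = getf(fd);
	if (fp == NULL) {
		au_uwrite(au_to_arg32(1, "fd", fd));
	} else {
		/* get path from file struct here */
		fad = F2A(fp);
		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		/* decrement file descriptor reference count */
		releasef(fd);
	}

	au_uwrite(au_to_arg32(2, "cmd", cmd));
#ifndef _LP64
	au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
#else
	au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
#endif
}

/*
 * null function for memcntl for now. We might want to limit memcntl()
 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
 * require privileges.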
2373 */ 2374 static au_event_t 2375 aui_memcntl(au_event_t e) 2376 { 2377 return (e); 2378 } 2379 2380 /*ARGSUSED*/ 2381 static au_event_t 2382 aui_privsys(au_event_t e) 2383 { 2384 klwp_t *clwp = ttolwp(curthread); 2385 2386 struct a { 2387 long opcode; 2388 } *uap = (struct a *)clwp->lwp_ap; 2389 2390 switch (uap->opcode) { 2391 case PRIVSYS_SETPPRIV: 2392 return (AUE_SETPPRIV); 2393 default: 2394 return (AUE_NULL); 2395 } 2396 } 2397 2398 /*ARGSUSED*/ 2399 static void 2400 aus_memcntl(struct t_audit_data *tad) 2401 { 2402 klwp_t *clwp = ttolwp(curthread); 2403 2404 struct a { 2405 long addr; 2406 long len; 2407 long cmd; 2408 long arg; 2409 long attr; 2410 long mask; 2411 } *uap = (struct a *)clwp->lwp_ap; 2412 2413 #ifdef _LP64 2414 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2415 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2416 #else 2417 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2418 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2419 #endif 2420 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2421 #ifdef _LP64 2422 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2423 #else 2424 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2425 #endif 2426 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2427 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2428 } 2429 2430 /*ARGSUSED*/ 2431 static void 2432 aus_mmap(struct t_audit_data *tad) 2433 { 2434 klwp_t *clwp = ttolwp(curthread); 2435 struct file *fp; 2436 struct f_audit_data *fad; 2437 struct vnode *vp; 2438 uint32_t fd; 2439 2440 struct a { 2441 long addr; 2442 long len; 2443 long prot; 2444 long flags; 2445 long fd; 2446 long pos; 2447 } *uap = (struct a *)clwp->lwp_ap; 2448 2449 fd = (uint32_t)uap->fd; 2450 2451 #ifdef _LP64 2452 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2453 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2454 #else 2455 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2456 au_uwrite(au_to_arg32(2, 
"len", (uint32_t)uap->len)); 2457 #endif 2458 2459 if ((fp = getf(fd)) == NULL) { 2460 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2461 return; 2462 } 2463 2464 /* 2465 * Mark in the tad if write access is NOT requested... if 2466 * this is later detected (in audit_attributes) to be a 2467 * public object, the mmap event may be discarded. 2468 */ 2469 if (((uap->prot) & PROT_WRITE) == 0) { 2470 tad->tad_ctrl |= TAD_PUBLIC_EV; 2471 } 2472 2473 fad = F2A(fp); 2474 if (fad->fad_aupath != NULL) { 2475 au_uwrite(au_to_path(fad->fad_aupath)); 2476 } else { 2477 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2478 } 2479 2480 vp = (struct vnode *)fp->f_vnode; 2481 audit_attributes(vp); 2482 2483 /* mark READ/WRITE since we can't predict access */ 2484 if (uap->prot & PROT_READ) 2485 fad->fad_flags |= FAD_READ; 2486 if (uap->prot & PROT_WRITE) 2487 fad->fad_flags |= FAD_WRITE; 2488 2489 /* decrement file descriptor reference count */ 2490 releasef(fd); 2491 2492 } /* AUS_MMAP */ 2493 2494 2495 2496 2497 /*ARGSUSED*/ 2498 static void 2499 aus_munmap(struct t_audit_data *tad) 2500 { 2501 klwp_t *clwp = ttolwp(curthread); 2502 2503 struct a { 2504 long addr; 2505 long len; 2506 } *uap = (struct a *)clwp->lwp_ap; 2507 2508 #ifdef _LP64 2509 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2510 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2511 #else 2512 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2513 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2514 #endif 2515 2516 } /* AUS_MUNMAP */ 2517 2518 2519 2520 2521 2522 2523 2524 /*ARGSUSED*/ 2525 static void 2526 aus_priocntlsys(struct t_audit_data *tad) 2527 { 2528 klwp_t *clwp = ttolwp(curthread); 2529 2530 struct a { 2531 long pc_version; 2532 long psp; /* procset_t */ 2533 long cmd; 2534 long arg; 2535 } *uap = (struct a *)clwp->lwp_ap; 2536 2537 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2538 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2539 2540 } 
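/* AUS_PRIOCNTLSYS */


/*
 * Audit hook for setegid: records the requested gid as argument 1.
 */
/*ARGSUSED*/
static void
aus_setegid(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t gid;

	struct a {
		long	gid;
	} *uap = (struct a *)clwp->lwp_ap;

	gid = (uint32_t)uap->gid;

	au_uwrite(au_to_arg32(1, "gid", gid));
}	/* AUS_SETEGID */


/*
 * Audit hook for setgroups: copies the caller's group list in from user
 * memory and writes one "setgroups" argument token per gid (a single
 * token with value 0 for an empty list).
 *
 * The user-supplied count is range-checked against NGROUPS_MAX_DEFAULT
 * before it is used to size the kernel allocation and the copyin; an
 * out-of-range count or a failed copyin adds nothing to the record.
 */
/*ARGSUSED*/
static void
aus_setgroups(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	int i;
	int gidsetsize;
	uintptr_t gidset;
	gid_t *gidlist;

	struct a {
		long	gidsetsize;
		long	gidset;
	} *uap = (struct a *)clwp->lwp_ap;

	gidsetsize = (uint_t)uap->gidsetsize;
	gidset = (uintptr_t)uap->gidset;

	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
		return;
	if (gidsetsize != 0) {
		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
		    KM_SLEEP);
		if (copyin((caddr_t)gidset, gidlist,
		    gidsetsize * sizeof (gid_t)) == 0) {
			for (i = 0; i < gidsetsize; i++) {
				au_uwrite(au_to_arg32(1, "setgroups",
				    (uint32_t)gidlist[i]));
			}
		}
		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
	} else {
		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
	}

}	/* AUS_SETGROUPS */


/*
 * Audit hook for seteuid: records the requested uid as argument 1,
 * labelled "euid".
 */
/*ARGSUSED*/
static void
aus_seteuid(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t uid;

	struct a {
		long	uid;
	} *uap = (struct a *)clwp->lwp_ap;

	uid = (uint32_t)uap->uid;

	au_uwrite(au_to_arg32(1, "euid", uid));

}	/* AUS_SETEUID */

/*
 * Audit hook for putmsg: records the fd, marks the open file as written
 * (FAD_WRITE), adds its path and attributes when the descriptor resolves,
 * then records the priority as argument 4.
 */
/*ARGSUSED*/
static void
aus_putmsg(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t fd, pri;
	struct file *fp;
	struct f_audit_data *fad;

	struct a {
		long	fdes;
		long	ctl;		/* struct strbuf * */
		long	data;		/* struct strbuf * */
		long	pri;
	} *uap = (struct a *)clwp->lwp_ap;

	fd  = (uint32_t)uap->fdes;
	pri = (uint32_t)uap->pri;

	au_uwrite(au_to_arg32(1, "fd", fd));

	if ((fp = getf(fd)) != NULL) {
		fad = F2A(fp);

		fad->fad_flags |= FAD_WRITE;

		/* add path name to audit record */
		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		}
		audit_attributes(fp->f_vnode);

		releasef(fd);
	}

	au_uwrite(au_to_arg32(4, "pri", pri));
}

/*
 * Audit hook for putpmsg: same as aus_putmsg, plus the flags value as
 * argument 5.
 */
/*ARGSUSED*/
static void
aus_putpmsg(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t fd, pri, flags;
	struct file *fp;
	struct f_audit_data *fad;

	struct a {
		long	fdes;
		long	ctl;		/* struct strbuf * */
		long	data;		/* struct strbuf * */
		long	pri;
		long	flags;
	} *uap = (struct a *)clwp->lwp_ap;

	fd = (uint32_t)uap->fdes;
	pri  = (uint32_t)uap->pri;
	flags  = (uint32_t)uap->flags;

	au_uwrite(au_to_arg32(1, "fd", fd));

	if ((fp = getf(fd)) != NULL) {
		fad = F2A(fp);

		fad->fad_flags |= FAD_WRITE;

		/* add path name to audit record */
		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		}
		audit_attributes(fp->f_vnode);

		releasef(fd);
	}


	au_uwrite(au_to_arg32(4, "pri", pri));
	au_uwrite(au_to_arg32(5, "flags", flags));
}

/*
 * Audit hook for getmsg: records the fd, marks the open file as read
 * (FAD_READ), adds its path and attributes when the descriptor resolves,
 * then records the priority as argument 4.
 */
/*ARGSUSED*/
static void
aus_getmsg(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t fd, pri;
	struct file *fp;
	struct f_audit_data *fad;

	struct a {
		long	fdes;
		long	ctl;		/* struct strbuf * */
		long	data;		/* struct strbuf * */
		long	pri;
	} *uap = (struct a *)clwp->lwp_ap;

	fd  = (uint32_t)uap->fdes;
	pri = (uint32_t)uap->pri;

	au_uwrite(au_to_arg32(1, "fd", fd));

	if ((fp = getf(fd)) != NULL) {
		fad = F2A(fp);

		/*
		 * read operation on this object
		 */
		fad->fad_flags |= FAD_READ;

		/* add path name to audit record */
		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		}
		audit_attributes(fp->f_vnode);

		releasef(fd);
	}

	au_uwrite(au_to_arg32(4, "pri", pri));
}

/*
 * Audit hook for getpmsg: records the fd, marks the open file as read
 * (FAD_READ) and adds its path and attributes when the descriptor
 * resolves.  Unlike aus_getmsg, no "pri" token is written.
 */
/*ARGSUSED*/
static void
aus_getpmsg(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t fd;
	struct file *fp;
	struct f_audit_data *fad;

	struct a {
		long	fdes;
		long	ctl;		/* struct strbuf * */
		long	data;		/* struct strbuf * */
		long	pri;
		long	flags;
	} *uap = (struct a *)clwp->lwp_ap;

	fd = (uint32_t)uap->fdes;

	au_uwrite(au_to_arg32(1, "fd", fd));

	if ((fp = getf(fd)) != NULL) {
		fad = F2A(fp);

		/*
		 * read operation on this object
		 */
		fad->fad_flags |= FAD_READ;

		/* add path name to audit record */
		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		}
		audit_attributes(fp->f_vnode);

		releasef(fd);
	}
}

/*
 * Event selection for labelsys.  TNDB_GET is never audited; for any other
 * command the event is chosen from the code argument (TNRH, TNRHTP or
 * TNMLP), and unknown codes yield AUE_NULL.
 */
static au_event_t
aui_labelsys(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t code;
	uint32_t cmd;

	struct a {
		long	code;
		long	cmd;
	} *uap = (struct a *)clwp->lwp_ap;

	code = (uint32_t)uap->code;
	cmd = (uint32_t)uap->cmd;

	/* not security relevant if not changing kernel cache */
	if (cmd == TNDB_GET)
		return (AUE_NULL);

	switch (code) {
	case TSOL_TNRH:
		e = AUE_LABELSYS_TNRH;
		break;
	case TSOL_TNRHTP:
		e = AUE_LABELSYS_TNRHTP;
		break;
	case TSOL_TNMLP:
		e = AUE_LABELSYS_TNMLP;
		break;
	default:
		e = AUE_NULL;
		break;
	}

	return (e);

}

/*
 * Audit hook for labelsys: records the command and, depending on the
 * event, selected fields of the user-supplied entry (remote host address
 * and prefix length, template name, or MLP zone/protocol/ports).
 *
 * Each entry is copied from user memory into a kernel allocation that is
 * freed on every path, including copyin failure.  The template name is
 * forcibly NUL-terminated before it is passed to au_to_text(), because
 * the buffer content is user controlled.
 */
static void
aus_labelsys(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t cmd;
	uintptr_t a2;

	struct a {
		long	code;
		long	cmd;
		long	a2;
	} *uap = (struct a *)clwp->lwp_ap;

	cmd = (uint32_t)uap->cmd;
	a2 = (uintptr_t)uap->a2;

	switch (tad->tad_event) {
	case AUE_LABELSYS_TNRH:
	{
		tsol_rhent_t	*rhent;
		tnaddr_t	*rh_addr;

		au_uwrite(au_to_arg32(1, "cmd", cmd));

		/* Remaining args don't apply for FLUSH, so skip */
		if (cmd == TNDB_FLUSH)
			break;

		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
			kmem_free(rhent, sizeof (tsol_rhent_t));
			return;
		}

		rh_addr = &rhent->rh_address;
		if (rh_addr->ta_family == AF_INET) {
			struct in_addr	*ipaddr;

			ipaddr = &(rh_addr->ta_addr_v4);
			au_uwrite(au_to_in_addr(ipaddr));
		} else if (rh_addr->ta_family == AF_INET6) {
			int32_t		*ipaddr;

			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
			au_uwrite(au_to_in_addr_ex(ipaddr));
		}
		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));

		kmem_free(rhent, sizeof (tsol_rhent_t));

		break;
	}
	case AUE_LABELSYS_TNRHTP:
	{
		tsol_tpent_t	*tpent;

		au_uwrite(au_to_arg32(1, "cmd", cmd));

		/* Remaining args don't apply for FLUSH, so skip */
		if (cmd == TNDB_FLUSH)
			break;

		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
			kmem_free(tpent, sizeof (tsol_tpent_t));
			return;
		}

		/* Make sure that the template name is null-terminated. */
		*(tpent->name + TNTNAMSIZ - 1) = '\0';

		au_uwrite(au_to_text(tpent->name));
		kmem_free(tpent, sizeof (tsol_tpent_t));

		break;
	}
	case AUE_LABELSYS_TNMLP:
	{
		tsol_mlpent_t	*mlpent;

		au_uwrite(au_to_arg32(1, "cmd", cmd));

		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
			kmem_free(mlpent, sizeof (tsol_mlpent_t));
			return;
		}

		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
			au_uwrite(au_to_text("shared"));
		} else {
			zone_t	*zone;

			/* the zone hold is dropped once the name is logged */
			zone = zone_find_by_id(mlpent->tsme_zoneid);
			if (zone != NULL) {
				au_uwrite(au_to_text(zone->zone_name));
				zone_rele(zone);
			}
		}

		/* Remaining args don't apply for FLUSH, so skip */
		if (cmd == TNDB_FLUSH) {
			kmem_free(mlpent, sizeof (tsol_mlpent_t));
			break;
		}

		au_uwrite(au_to_arg32(2, "proto num",
		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
		au_uwrite(au_to_arg32(2, "mlp_port",
		    (uint32_t)mlpent->tsme_mlp.mlp_port));

		if (mlpent->tsme_mlp.mlp_port_upper != 0)
			au_uwrite(au_to_arg32(2, "mlp_port_upper",
			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));

		kmem_free(mlpent, sizeof (tsol_mlpent_t));

		break;
	}
	default:
		break;
	}
}


/*
 * Event selection for auditsys: maps the BSM_* code (and, for
 * BSM_AUDITCTL, the A_* sub-command in a1) to the matching AUE_* event.
 * Unrecognised codes and sub-commands yield AUE_NULL.
 */
static au_event_t
aui_auditsys(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t code;

	struct a {
		long	code;
		long	a1;
		long	a2;
		long	a3;
		long	a4;
		long	a5;
		long	a6;
		long	a7;
	} *uap = (struct a *)clwp->lwp_ap;

	code = (uint32_t)uap->code;

	switch (code) {

	case BSM_GETAUID:
		e = AUE_GETAUID;
		break;
	case BSM_SETAUID:
		e = AUE_SETAUID;
		break;
	case BSM_GETAUDIT:
		e = AUE_GETAUDIT;
		break;
	case BSM_GETAUDIT_ADDR:
		e = AUE_GETAUDIT_ADDR;
		break;
	case BSM_SETAUDIT:
		e = AUE_SETAUDIT;
		break;
	case BSM_SETAUDIT_ADDR:
		e = AUE_SETAUDIT_ADDR;
		break;
	case BSM_AUDIT:
		e = AUE_AUDIT;
		break;
	case BSM_AUDITCTL:
		switch ((uint_t)uap->a1) {

		case A_GETPOLICY:
			e = AUE_AUDITON_GPOLICY;
			break;
		case A_SETPOLICY:
			e = AUE_AUDITON_SPOLICY;
			break;
		case A_GETAMASK:
			e = AUE_AUDITON_GETAMASK;
			break;
		case A_SETAMASK:
			e = AUE_AUDITON_SETAMASK;
			break;
		case A_GETKMASK:
			e = AUE_AUDITON_GETKMASK;
			break;
		case A_SETKMASK:
			e = AUE_AUDITON_SETKMASK;
			break;
		case A_GETQCTRL:
			e = AUE_AUDITON_GQCTRL;
			break;
		case A_SETQCTRL:
			e = AUE_AUDITON_SQCTRL;
			break;
		case A_GETCWD:
			e = AUE_AUDITON_GETCWD;
			break;
		case A_GETCAR:
			e = AUE_AUDITON_GETCAR;
			break;
		case A_GETSTAT:
			e = AUE_AUDITON_GETSTAT;
			break;
		case A_SETSTAT:
			e = AUE_AUDITON_SETSTAT;
			break;
		case A_SETUMASK:
			e = AUE_AUDITON_SETUMASK;
			break;
		case A_SETSMASK:
			e = AUE_AUDITON_SETSMASK;
			break;
		case A_GETCOND:
			e = AUE_AUDITON_GETCOND;
			break;
		case A_SETCOND:
			e = AUE_AUDITON_SETCOND;
			break;
		case A_GETCLASS:
			e = AUE_AUDITON_GETCLASS;
			break;
		case A_SETCLASS:
			e = AUE_AUDITON_SETCLASS;
			break;
		default:
			e = AUE_NULL;
			break;
		}
		break;
	default:
		e = AUE_NULL;
		break;
	}

	return (e);

}	/* AUI_AUDITSYS */


/*
 * Audit hook for auditsys: for the "set" style events, copies the new
 * value from user memory and records its fields; the "get" style events
 * add nothing.  A failed copyin returns without writing any token.
 *
 * NOTE(review): the values are read from user memory by this hook's own
 * copyin.  If the system call proper reads the same buffer again, a
 * concurrently modified buffer could make the record differ from the
 * value actually applied; confirm against the auditsys implementation.
 */
static void
aus_auditsys(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uintptr_t a1, a2;
	STRUCT_DECL(auditinfo, ainfo);
	STRUCT_DECL(auditinfo_addr, ainfo_addr);
	au_evclass_map_t event;
	au_mask_t mask;
	int auditstate, policy;
	au_id_t auid;


	struct a {
		long	code;
		long	a1;
		long	a2;
		long	a3;
		long	a4;
		long	a5;
		long	a6;
		long	a7;
	} *uap = (struct a *)clwp->lwp_ap;

	a1   = (uintptr_t)uap->a1;
	a2   = (uintptr_t)uap->a2;

	switch (tad->tad_event) {
	case AUE_SETAUID:
		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
				return;
		au_uwrite(au_to_arg32(2, "setauid", auid));
		break;
	case AUE_SETAUDIT:
		/* size the buffer for the caller's data model */
		STRUCT_INIT(ainfo, get_udatamodel());
		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
		    STRUCT_SIZE(ainfo))) {
				return;
		}
		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
#ifdef _LP64
		au_uwrite(au_to_arg64((char)1, "setaudit:port",
		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
#else
		au_uwrite(au_to_arg32((char)1, "setaudit:port",
		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
#endif
		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
		break;
	case AUE_SETAUDIT_ADDR:
		STRUCT_INIT(ainfo_addr, get_udatamodel());
		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
		    STRUCT_SIZE(ainfo_addr))) {
				return;
		}
		au_uwrite(au_to_arg32((char)1, "auid",
		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
#ifdef _LP64
		au_uwrite(au_to_arg64((char)1, "port",
		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
#else
		au_uwrite(au_to_arg32((char)1, "port",
		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
#endif
		au_uwrite(au_to_arg32((char)1, "type",
		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
		/* any at_type other than AU_IPv4 is logged in extended form */
		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
		    AU_IPv4) {
			au_uwrite(au_to_in_addr(
			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
			    ai_termid.at_addr)));
		} else {
			au_uwrite(au_to_in_addr_ex(
			    (int32_t *)STRUCT_FGETP(ainfo_addr,
			    ai_termid.at_addr)));
		}
		au_uwrite(au_to_arg32((char)1, "as_success",
		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
		au_uwrite(au_to_arg32((char)1, "as_failure",
		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
		au_uwrite(au_to_arg32((char)1, "asid",
		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
		break;
	case AUE_AUDITON_SETAMASK:
		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
				return;
		au_uwrite(au_to_arg32(
		    2, "setamask:as_success", (uint32_t)mask.as_success));
		au_uwrite(au_to_arg32(
		    2, "setamask:as_failure", (uint32_t)mask.as_failure));
		break;
	case AUE_AUDITON_SETKMASK:
		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
				return;
		au_uwrite(au_to_arg32(
		    2, "setkmask:as_success", (uint32_t)mask.as_success));
		au_uwrite(au_to_arg32(
		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
		break;
	case AUE_AUDITON_SPOLICY:
		if (copyin((caddr_t)a2, &policy, sizeof (int)))
			return;
		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
		break;
	case AUE_AUDITON_SQCTRL: {
		STRUCT_DECL(au_qctrl, qctrl);
		model_t model;

		model = get_udatamodel();
		STRUCT_INIT(qctrl, model);
		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
				return;
		/* token width follows the caller's data model */
		if (model == DATAMODEL_ILP32) {
			au_uwrite(au_to_arg32(
			    3, "setqctrl:aq_hiwater",
			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
			au_uwrite(au_to_arg32(
			    3, "setqctrl:aq_lowater",
			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
			au_uwrite(au_to_arg32(
			    3, "setqctrl:aq_bufsz",
			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
			au_uwrite(au_to_arg32(
			    3, "setqctrl:aq_delay",
			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
		} else {
			au_uwrite(au_to_arg64(
			    3, "setqctrl:aq_hiwater",
			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
			au_uwrite(au_to_arg64(
			    3, "setqctrl:aq_lowater",
			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
			au_uwrite(au_to_arg64(
			    3, "setqctrl:aq_bufsz",
			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
			au_uwrite(au_to_arg64(
			    3, "setqctrl:aq_delay",
			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
		}
		break;
	}
	case AUE_AUDITON_SETUMASK:
		STRUCT_INIT(ainfo, get_udatamodel());
		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
		    STRUCT_SIZE(ainfo))) {
			return;
		}
		au_uwrite(au_to_arg32(3, "setumask:as_success",
		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
		au_uwrite(au_to_arg32(3, "setumask:as_failure",
		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
		break;
	case AUE_AUDITON_SETSMASK:
		STRUCT_INIT(ainfo, get_udatamodel());
		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
		    STRUCT_SIZE(ainfo))) {
			return;
		}
		au_uwrite(au_to_arg32(3, "setsmask:as_success",
		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
		break;
	case AUE_AUDITON_SETCOND:
		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
			return;
		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
		break;
	case AUE_AUDITON_SETCLASS:
		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
			return;
		au_uwrite(au_to_arg32(
		    2, "setclass:ec_event", (uint32_t)event.ec_number));
		au_uwrite(au_to_arg32(
		    3, "setclass:ec_class", (uint32_t)event.ec_class));
		break;
	case AUE_GETAUID:
	case AUE_GETAUDIT:
	case AUE_GETAUDIT_ADDR:
	case AUE_AUDIT:
	case AUE_AUDITON_GPOLICY:
	case AUE_AUDITON_GQCTRL:
	case AUE_AUDITON_GETAMASK:
	case AUE_AUDITON_GETKMASK:
	case AUE_AUDITON_GETCWD:
	case AUE_AUDITON_GETCAR:
	case AUE_AUDITON_GETSTAT:
	case AUE_AUDITON_SETSTAT:
	case AUE_AUDITON_GETCOND:
	case AUE_AUDITON_GETCLASS:
		break;
	default:
		break;
	}

}	/* AUS_AUDITSYS */


/* only audit privileged operations for systeminfo(2) system call */
static au_event_t
aui_sysinfo(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t command;

	struct a {
		long	command;
		long	buf;		/* char * */
		long	count;
	} *uap = (struct a *)clwp->lwp_ap;

	command = (uint32_t)uap->command;

	switch (command) {
	case SI_SET_HOSTNAME:
	case SI_SET_SRPC_DOMAIN:
		e = (au_event_t)AUE_SYSINFO;
		break;
	default:
		e = (au_event_t)AUE_NULL;
		break;
	}
	return (e);
}

/*
 * Audit hook for systeminfo: records the command and, for the two "set"
 * commands, the new name copied from user memory.
 *
 * The name is copied only after secpolicy_sys_config() succeeds, so a
 * caller that fails the policy check gets the "cmd" token alone.  The
 * name buffer is allocated after that check and freed on every path that
 * reaches the end of the switch; a failed or over-long copy logs no text.
 */
/*ARGSUSED*/
static void
aus_sysinfo(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	uint32_t command;
	size_t len, maxlen;
	char *name;
	uintptr_t buf;

	struct a {
		long	command;
		long	buf;		/* char * */
		long	count;
	} *uap = (struct a *)clwp->lwp_ap;

	command = (uint32_t)uap->command;
	buf = (uintptr_t)uap->buf;

	au_uwrite(au_to_arg32(1, "cmd", command));

	switch (command) {
	case SI_SET_HOSTNAME:
	{
		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
			return;

		maxlen = SYS_NMLN;
		name = kmem_alloc(maxlen, KM_SLEEP);
		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
			break;

		/*
		 * Must be non-NULL string and string
		 * must be less than SYS_NMLN chars.
		 */
		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
			break;

		au_uwrite(au_to_text(name));
		break;
	}

	case SI_SET_SRPC_DOMAIN:
	{
		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
			return;

		maxlen = SYS_NMLN;
		name = kmem_alloc(maxlen, KM_SLEEP);
		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
			break;

		/*
		 * If string passed in is longer than length
		 * allowed for domain name, fail.
		 */
		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
			break;

		au_uwrite(au_to_text(name));
		break;
	}

	default:
		return;
	}

	/* only reached from the two cases above, after name was allocated */
	kmem_free(name, maxlen);
}

/*
 * Event selection for modctl: maps the audited sub-commands (load,
 * unload, add major binding, set device policy, allocate privilege) to
 * their AUE_* events; everything else yields AUE_NULL.
 */
static au_event_t
aui_modctl(au_event_t e)
{
	klwp_t *clwp = ttolwp(curthread);
	uint_t cmd;

	struct a {
		long	cmd;
	} *uap = (struct a *)clwp->lwp_ap;

	cmd = (uint_t)uap->cmd;

	switch (cmd) {
	case MODLOAD:
		e = AUE_MODLOAD;
		break;
	case MODUNLOAD:
		e = AUE_MODUNLOAD;
		break;
	case MODADDMAJBIND:
		e = AUE_MODADDMAJ;
		break;
	case MODSETDEVPOLICY:
		e = AUE_MODDEVPLCY;
		break;
	case MODALLOCPRIV:
		e = AUE_MODADDPRIV;
		break;
	default:
		e = AUE_NULL;
		break;
	}
	return (e);
}


/*
 * Audit hook for modctl: records the module file name (load), the module
 * id (unload), or the driver name and alias list (add major binding).
 *
 * All strings come from user memory; each is copied with a bounded
 * copyinstr/copyin and explicitly NUL-terminated before it is passed to
 * au_to_text().
 *
 * NOTE(review): in the AUE_MODADDMAJ case num_aliases and the a_next
 * chain are taken from user memory and the loop is bounded only by
 * num_aliases or a failing copy.  Confirm that the number of iterations
 * (and audit tokens) a caller can force is limited elsewhere.
 */
/*ARGSUSED*/
static void
aus_modctl(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);
	void *a	= clwp->lwp_ap;
	uint_t use_path;

	switch (tad->tad_event) {
	case AUE_MODLOAD: {
		typedef struct {
			long	cmd;
			long	use_path;
			long	filename;		/* char * */
		} modloada_t;

		char *filenamep;
		uintptr_t fname;
		extern char *default_path;

		fname = (uintptr_t)((modloada_t *)a)->filename;
		use_path = (uint_t)((modloada_t *)a)->use_path;

			/* space to hold path */
		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
			/* get string */
		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
				/* free allocated path */
			kmem_free(filenamep, MOD_MAXPATH);
			return;
		}
			/* ensure it's null terminated */
		filenamep[MOD_MAXPATH - 1] = 0;

		if (use_path)
			au_uwrite(au_to_text(default_path));
		au_uwrite(au_to_text(filenamep));

			/* release temporary memory */
		kmem_free(filenamep, MOD_MAXPATH);
		break;
	}
	case AUE_MODUNLOAD: {
		typedef struct {
			long	cmd;
			long	id;
		} modunloada_t;

		uint32_t id = (uint32_t)((modunloada_t *)a)->id;

		au_uwrite(au_to_arg32(1, "id", id));
		break;
	}
	case AUE_MODADDMAJ: {
		STRUCT_DECL(modconfig, mc);
		typedef struct {
			long	cmd;
			long	subcmd;
			long	data;		/* int * */
		} modconfiga_t;

		STRUCT_DECL(aliases, alias);
		caddr_t ap;
		int i, num_aliases;
		char *drvname, *mc_drvname;
		char *name;
		extern char *ddi_major_to_name(major_t);
		model_t model;

		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;

		model = get_udatamodel();
		STRUCT_INIT(mc, model);
			/* sanitize buffer */
		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
			/* get user arguments */
		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
		    STRUCT_SIZE(mc)) != 0)
			return;

		mc_drvname = STRUCT_FGET(mc, drvname);
		/*
		 * The major number is already bound to a different driver
		 * name: log both names and stop.
		 */
		if ((drvname = ddi_major_to_name(
		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
				/* safety */
			if (mc_drvname[0] != '\0') {
				mc_drvname[MAXMODCONFNAME-1] = '\0';
				au_uwrite(au_to_text(mc_drvname));
			}
				/* drvname != NULL from test above */
			au_uwrite(au_to_text(drvname));
			return;
		}

		if (mc_drvname[0] != '\0') {
				/* safety */
			mc_drvname[MAXMODCONFNAME-1] = '\0';
			au_uwrite(au_to_text(mc_drvname));
		} else
			au_uwrite(au_to_text("no drvname"));

		num_aliases = STRUCT_FGET(mc, num_aliases);
		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
		ap = (caddr_t)STRUCT_FGETP(mc, ap);
		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
		STRUCT_INIT(alias, model);
		/* walk the user-space alias list; stop at the first bad copy */
		for (i = 0; i < num_aliases; i++) {
			bzero((caddr_t)STRUCT_BUF(alias),
			    STRUCT_SIZE(alias));
			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
			    STRUCT_SIZE(alias)) != 0)
				break;
			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
			    MAXMODCONFNAME, NULL) != 0) {
				break;
			}

			au_uwrite(au_to_text(name));
			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
		}
		kmem_free(name, MAXMODCONFNAME);
		break;
	}
	default:
		break;
	}
}


/*
 * Completion hook for accept: records the new descriptor and, for
 * AF_INET/AF_INET6 stream sockets, an extended socket token with the
 * local and peer addresses.
 *
 * The descriptor is taken from rval according to the return-value
 * convention of the system call entry.  On failure only the descriptor
 * value is recorded.  Both address buffers are zeroed before they are
 * filled, so the token never carries stale stack bytes.
 */
/*ARGSUSED*/
static void
auf_accept(
	struct t_audit_data *tad,
	int	error,
	rval_t	*rval)
{
	uint32_t scid;
	uint32_t sy_flags;
	int fd;
	struct sonode *so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	int err;
	short so_family, so_type;
	int add_sock_token = 0;

	/* need to determine type of executing binary */
	scid = tad->tad_scid;
#ifdef _SYSCALL32_IMPL
	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
	else
		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
#else
	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
#endif
	switch (sy_flags) {
	case SE_32RVAL1:
		/* FALLTHRU */
	case SE_32RVAL2|SE_32RVAL1:
		fd = rval->r_val1;
		break;
	case SE_64RVAL:
		fd = (int)rval->r_vals;
		break;
	default:
		/*
		 * should never happen, seems to be an internal error
		 * in sysent => no fd, nothing to audit here, returning
		 */
		return;
	}

	if (error) {
		/* can't trust socket contents. Just return */
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		return;
	}

	if ((so = getsonode(fd, &err, NULL)) == NULL) {
		/*
		 * not security relevant if doing a accept from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type   = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:
		/*
		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
		 */
		if (so->so_type == SOCK_STREAM) {
			socklen_t len;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			add_sock_token = 1;
		}
		break;

	default:
		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
		break;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
		return;
	}

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*
 * Completion hook for bind: records the descriptor and, for
 * AF_INET/AF_INET6 sockets, an extended socket token with the local and
 * peer addresses.
 *
 * so_laddr is zeroed and filled with socket_getsockname() before the
 * token is built.  Without that, au_to_socket_ex() would be handed an
 * uninitialized stack buffer and the audit record would contain kernel
 * stack bytes in place of the bound address.  auf_accept and auf_connect
 * populate both buffers in the same way.
 */
/*ARGSUSED*/
static void
auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
{
	struct a {
		long	fd;
		long	addr;
		long	len;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode *so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	int err, fd;
	socklen_t len;
	short so_family, so_type;
	int add_sock_token = 0;

	fd = (int)uap->fd;

	/*
	 * bind failed, then nothing extra to add to audit record.
	 */
	if (error) {
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		/* XXX may want to add failed address some day */
		return;
	}

	if ((so = getsonode(fd, &err, NULL)) == NULL) {
		/*
		 * not security relevant if doing a bind from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type   = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:

		/* never hand uninitialized stack to the token builder */
		bzero(so_laddr, sizeof (so_laddr));
		bzero(so_faddr, sizeof (so_faddr));

		len = sizeof (so_laddr);
		(void) socket_getsockname(so,
		    (struct sockaddr *)so_laddr, &len, CRED());
		len = sizeof (so_faddr);
		(void) socket_getpeername(so,
		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
		add_sock_token = 1;

		break;

	case AF_UNIX:
		/* token added by lookup */
		break;
	default:
		/* AF_ROUTE, AF_KEY do not support accept */
		break;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
		return;
	}

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*
 * Completion hook for connect: records the descriptor and, for
 * AF_INET/AF_INET6 sockets, an extended socket token with the local and
 * peer addresses.
 *
 * When the connect failed, the peer address is taken from the caller's
 * sockaddr argument instead of the socket; the copy length is clamped to
 * the size of so_faddr and non-positive lengths are rejected.  Both
 * buffers are zeroed first, so a short or failed copy leaves zero bytes
 * rather than stack contents.
 */
/*ARGSUSED*/
static void
auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
{
	struct a {
		long	fd;
		long	addr;
		long	len;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode *so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	int err, fd;
	socklen_t len;
	short so_family, so_type;
	int add_sock_token = 0;

	fd = (int)uap->fd;


	if ((so = getsonode(fd, &err, NULL)) == NULL) {
		/*
		 * not security relevant if doing a connect from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type   = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:

		bzero(so_laddr, sizeof (so_laddr));
		bzero(so_faddr, sizeof (so_faddr));

		len = sizeof (so_laddr);
		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
		    &len, CRED());
		if (error) {
			if (uap->addr == NULL)
				break;
			if (uap->len <= 0)
				break;
			len = min(uap->len, sizeof (so_faddr));
			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
				break;
#ifdef NOTYET
			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
#endif
		} else {
			/* sanity check on length */
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
		}

		add_sock_token = 1;

		break;

	case AF_UNIX:
		/* does a lookup on name */
		break;

	default:
		/* AF_ROUTE, AF_KEY do not support accept */
		break;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
		return;
	}

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*ARGSUSED*/
static void
aus_shutdown(struct t_audit_data *tad)
{
	struct a {
		long	fd;
		long	how;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode *so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	int err, fd;
	socklen_t len;
	short so_family, so_type;
	int add_sock_token = 0;
	file_t *fp;				/* unix domain sockets */
	struct f_audit_data *fad;		/* unix domain sockets */

	fd = (int)uap->fd;

	if ((so = getsonode(fd, &err, &fp))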
== NULL) { 3813 /* 3814 * not security relevant if doing a shutdown using non socket 3815 * so no extra tokens. Should probably turn off audit record 3816 * generation here. 3817 */ 3818 return; 3819 } 3820 3821 so_family = so->so_family; 3822 so_type = so->so_type; 3823 3824 switch (so_family) { 3825 case AF_INET: 3826 case AF_INET6: 3827 3828 bzero(so_laddr, sizeof (so_laddr)); 3829 bzero(so_faddr, sizeof (so_faddr)); 3830 3831 len = sizeof (so_laddr); 3832 (void) socket_getsockname(so, 3833 (struct sockaddr *)so_laddr, &len, CRED()); 3834 len = sizeof (so_faddr); 3835 (void) socket_getpeername(so, 3836 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3837 3838 add_sock_token = 1; 3839 3840 break; 3841 3842 case AF_UNIX: 3843 3844 /* get path from file struct here */ 3845 fad = F2A(fp); 3846 ASSERT(fad); 3847 3848 if (fad->fad_aupath != NULL) { 3849 au_uwrite(au_to_path(fad->fad_aupath)); 3850 } else { 3851 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3852 } 3853 3854 audit_attributes(fp->f_vnode); 3855 3856 break; 3857 3858 default: 3859 /* 3860 * AF_KEY and AF_ROUTE support shutdown. No socket token 3861 * added. 
3862 */ 3863 break; 3864 } 3865 3866 releasef(fd); 3867 3868 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3869 3870 if (add_sock_token == 0) { 3871 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3872 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3873 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3874 return; 3875 } 3876 3877 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3878 3879 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3880 3881 } 3882 3883 /*ARGSUSED*/ 3884 static void 3885 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3886 { 3887 struct a { 3888 long fd; 3889 long level; 3890 long optname; 3891 long *optval; 3892 long optlen; 3893 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3894 3895 struct sonode *so; 3896 char so_laddr[sizeof (struct sockaddr_in6)]; 3897 char so_faddr[sizeof (struct sockaddr_in6)]; 3898 char val[AU_BUFSIZE]; 3899 int err, fd; 3900 socklen_t len; 3901 short so_family, so_type; 3902 int add_sock_token = 0; 3903 file_t *fp; /* unix domain sockets */ 3904 struct f_audit_data *fad; /* unix domain sockets */ 3905 3906 fd = (int)uap->fd; 3907 3908 if (error) { 3909 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3910 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3911 /* XXX may want to include other arguments */ 3912 return; 3913 } 3914 3915 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3916 /* 3917 * not security relevant if doing a setsockopt from non socket 3918 * so no extra tokens. Should probably turn off audit record 3919 * generation here. 
3920 */ 3921 return; 3922 } 3923 3924 so_family = so->so_family; 3925 so_type = so->so_type; 3926 3927 switch (so_family) { 3928 case AF_INET: 3929 case AF_INET6: 3930 bzero((void *)so_laddr, sizeof (so_laddr)); 3931 bzero((void *)so_faddr, sizeof (so_faddr)); 3932 3933 /* get local and foreign addresses */ 3934 len = sizeof (so_laddr); 3935 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3936 &len, CRED()); 3937 len = sizeof (so_faddr); 3938 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3939 &len, B_FALSE, CRED()); 3940 3941 add_sock_token = 1; 3942 3943 break; 3944 3945 case AF_UNIX: 3946 3947 /* get path from file struct here */ 3948 fad = F2A(fp); 3949 ASSERT(fad); 3950 3951 if (fad->fad_aupath != NULL) { 3952 au_uwrite(au_to_path(fad->fad_aupath)); 3953 } else { 3954 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3955 } 3956 3957 audit_attributes(fp->f_vnode); 3958 3959 break; 3960 3961 default: 3962 /* 3963 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3964 * added. 
3965 */ 3966 break; 3967 } 3968 3969 releasef(fd); 3970 3971 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3972 3973 if (add_sock_token == 0) { 3974 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3975 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3976 } 3977 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3978 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3979 3980 bzero(val, sizeof (val)); 3981 len = min(uap->optlen, sizeof (val)); 3982 if ((len > 0) && 3983 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3984 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3985 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3986 } 3987 3988 if (add_sock_token == 0) 3989 return; 3990 3991 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3992 3993 } 3994 3995 /*ARGSUSED*/ 3996 static void 3997 aus_sockconfig(tad) 3998 struct t_audit_data *tad; 3999 { 4000 struct a { 4001 long cmd; 4002 long arg1; 4003 long arg2; 4004 long arg3; 4005 long arg4; 4006 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4007 4008 char *buf; 4009 int buflen; 4010 size_t size; 4011 4012 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4013 switch (uap->cmd) { 4014 case SOCKCONFIG_ADD_SOCK: 4015 case SOCKCONFIG_REMOVE_SOCK: 4016 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1)); 4017 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2)); 4018 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3)); 4019 4020 if (uap->arg4 == 0) { 4021 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0)); 4022 } else { 4023 buflen = MAXPATHLEN + 1; 4024 buf = kmem_alloc(buflen, KM_SLEEP); 4025 if (copyinstr((caddr_t)uap->arg4, buf, buflen, 4026 &size)) { 4027 kmem_free(buf, buflen); 4028 return; 4029 } 4030 4031 if (size > MAXPATHLEN) { 4032 kmem_free(buf, buflen); 4033 return; 4034 } 4035 4036 au_uwrite(au_to_text(buf)); 4037 kmem_free(buf, buflen); 4038 } 4039 break; 4040 case SOCKCONFIG_ADD_FILTER: 4041 case 
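SOCKCONFIG_REMOVE_FILTER:
		buflen = FILNAME_MAX;
		buf = kmem_alloc(buflen, KM_SLEEP);

		if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
			kmem_free(buf, buflen);
			return;
		}

		au_uwrite(au_to_text(buf));
		kmem_free(buf, buflen);
		break;
	default:
		break;
	}
}

/*
 * only audit recvmsg when the system call represents the creation of a new
 * circuit. This effectively occurs for all UDP packets and may occur for
 * special TCP situations where the local host has not set a local address
 * in the socket structure.
 *
 * Token layout produced below:
 *   - on error: "so" and "flags" argument tokens only;
 *   - fd is not a socket: nothing;
 *   - AF_INET/AF_INET6, SOCK_DGRAM or SOCK_RAW: local address from the
 *     socket, peer address copied in from the caller's msghdr msg_name;
 *   - AF_INET/AF_INET6, SOCK_STREAM and AF_UNIX: audited only the first
 *     time (tracked with FAD_READ in the file's audit data); later calls
 *     clear tad_flag and discard the record.
 */
/*ARGSUSED*/
static void
auf_recvmsg(
	struct t_audit_data *tad,
	int error,
	rval_t *rvp)
{
	struct a {
		long	fd;
		long	msg;	/* struct msghdr */
		long	flags;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode	*so;
	STRUCT_DECL(msghdr, msg);
	caddr_t msg_name;
	socklen_t msg_namelen;
	int fd;
	int err;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	socklen_t len;
	file_t *fp;				/* unix domain sockets */
	struct f_audit_data *fad;		/* unix domain sockets */
	short so_family, so_type;
	int add_sock_token = 0;
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	fd = (int)uap->fd;

	/* bail if an error */
	if (error) {
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/*
		 * not security relevant if doing a recvmsg from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type   = so->so_type;

	/*
	 * only putout SOCKET_EX token if INET/INET6 family.
	 * XXX - what do we do about other families?
	 */

	switch (so_family) {
	case AF_INET:
	case AF_INET6:

		/*
		 * if datagram type socket, then just use what is in
		 * socket structure for local address.
		 * XXX - what do we do for other types?
		 */
		if ((so->so_type == SOCK_DGRAM) ||
		    (so->so_type == SOCK_RAW)) {
			add_sock_token = 1;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local address */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());

			/* get peer address */
			STRUCT_INIT(msg, get_udatamodel());

			if (copyin((caddr_t)(uap->msg),
			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
				break;
			}
			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
			if (msg_name == NULL) {
				break;
			}

			/* length is value from recvmsg - sanity check */
			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
			if (msg_namelen == 0) {
				break;
			}

			/*
			 * enforce maximum size.  The copy used to be a
			 * fixed sizeof (so_faddr) regardless of
			 * msg_namelen, which read past a shorter caller
			 * buffer: the audited peer address could pick up
			 * unrelated user bytes, or the copyin could fault
			 * and drop the address.  Copy only what the caller
			 * declared, capped at the buffer size, as the
			 * recvfrom and sendto handlers do.
			 */
			if (msg_namelen > sizeof (so_faddr))
				msg_namelen = sizeof (so_faddr);

			if (copyin(msg_name, so_faddr, msg_namelen) != 0) {
				break;
			}

		} else if (so->so_type == SOCK_STREAM) {

			/* get path from file struct here */
			fad = F2A(fp);
			ASSERT(fad);

			/*
			 * already processed this file for read attempt
			 */
			if (fad->fad_flags & FAD_READ) {
				/* don't want to audit every recvmsg attempt */
				tad->tad_flag = 0;
				/* free any residual audit data */
				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
				releasef(fd);
				return;
			}
			/*
			 * mark things so we know what happened and don't
			 * repeat things
			 */
			fad->fad_flags |= FAD_READ;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local and foreign addresses */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			add_sock_token = 1;
		}

		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */

		break;

	case AF_UNIX:
		/*
		 * first check if this is first time through. Too much
		 * duplicate code to put this in an aui_ routine.
		 */

		/* get path from file struct here */
		fad = F2A(fp);
		ASSERT(fad);

		/*
		 * already processed this file for read attempt
		 */
		if (fad->fad_flags & FAD_READ) {
			releasef(fd);
			/* don't want to audit every recvmsg attempt */
			tad->tad_flag = 0;
			/* free any residual audit data */
			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
			return;
		}
		/*
		 * mark things so we know what happened and don't
		 * repeat things
		 */
		fad->fad_flags |= FAD_READ;

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		releasef(fd);

		return;

	default:
		break;

	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*ARGSUSED*/
static void
auf_recvfrom(
	struct t_audit_data *tad,
	int error,
	rval_t *rvp)
{

	struct a {
		long	fd;
		long	msg;	/* char */
		long	len;
		long	flags;
		long	from;	/* struct sockaddr */
		long	fromlen;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;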
4279 4280 socklen_t fromlen; 4281 struct sonode *so; 4282 char so_laddr[sizeof (struct sockaddr_in6)]; 4283 char so_faddr[sizeof (struct sockaddr_in6)]; 4284 int fd; 4285 short so_family, so_type; 4286 int add_sock_token = 0; 4287 socklen_t len; 4288 int err; 4289 struct file *fp; 4290 struct f_audit_data *fad; /* unix domain sockets */ 4291 au_kcontext_t *kctx = GET_KCTX_PZ; 4292 4293 fd = (int)uap->fd; 4294 4295 /* bail if an error */ 4296 if (error) { 4297 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4298 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4299 return; 4300 } 4301 4302 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4303 /* 4304 * not security relevant if doing a recvmsg from non socket 4305 * so no extra tokens. Should probably turn off audit record 4306 * generation here. 4307 */ 4308 return; 4309 } 4310 4311 so_family = so->so_family; 4312 so_type = so->so_type; 4313 4314 /* 4315 * only putout SOCKET_EX token if INET/INET6 family. 4316 * XXX - what do we do about other families? 4317 */ 4318 4319 switch (so_family) { 4320 case AF_INET: 4321 case AF_INET6: 4322 4323 /* 4324 * if datagram type socket, then just use what is in 4325 * socket structure for local address. 4326 * XXX - what do we do for other types? 
4327 */ 4328 if ((so->so_type == SOCK_DGRAM) || 4329 (so->so_type == SOCK_RAW)) { 4330 add_sock_token = 1; 4331 4332 /* get local address */ 4333 len = sizeof (so_laddr); 4334 (void) socket_getsockname(so, 4335 (struct sockaddr *)so_laddr, &len, CRED()); 4336 4337 /* get peer address */ 4338 bzero((void *)so_faddr, sizeof (so_faddr)); 4339 4340 /* sanity check */ 4341 if (uap->from == NULL) 4342 break; 4343 4344 /* sanity checks */ 4345 if (uap->fromlen == 0) 4346 break; 4347 4348 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4349 sizeof (fromlen)) != 0) 4350 break; 4351 4352 if (fromlen == 0) 4353 break; 4354 4355 /* enforce maximum size */ 4356 if (fromlen > sizeof (so_faddr)) 4357 fromlen = sizeof (so_faddr); 4358 4359 if (copyin((caddr_t)(uap->from), so_faddr, 4360 fromlen) != 0) 4361 break; 4362 4363 } else if (so->so_type == SOCK_STREAM) { 4364 4365 /* get path from file struct here */ 4366 fad = F2A(fp); 4367 ASSERT(fad); 4368 4369 /* 4370 * already processed this file for read attempt 4371 */ 4372 if (fad->fad_flags & FAD_READ) { 4373 /* don't want to audit every recvfrom attempt */ 4374 tad->tad_flag = 0; 4375 /* free any residual audit data */ 4376 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4377 releasef(fd); 4378 return; 4379 } 4380 /* 4381 * mark things so we know what happened and don't 4382 * repeat things 4383 */ 4384 fad->fad_flags |= FAD_READ; 4385 4386 bzero((void *)so_laddr, sizeof (so_laddr)); 4387 bzero((void *)so_faddr, sizeof (so_faddr)); 4388 4389 /* get local and foreign addresses */ 4390 len = sizeof (so_laddr); 4391 (void) socket_getsockname(so, 4392 (struct sockaddr *)so_laddr, &len, CRED()); 4393 len = sizeof (so_faddr); 4394 (void) socket_getpeername(so, 4395 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4396 4397 add_sock_token = 1; 4398 } 4399 4400 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4401 4402 break; 4403 4404 case AF_UNIX: 4405 /* 4406 * first check if this is first time through. 
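Too much
		 * duplicate code to put this in an aui_ routine.
		 */

		/* get path from file struct here */
		fad = F2A(fp);
		ASSERT(fad);

		/*
		 * already processed this file for read attempt
		 */
		if (fad->fad_flags & FAD_READ) {
			/* don't want to audit every recvfrom attempt */
			tad->tad_flag = 0;
			/* free any residual audit data */
			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
			releasef(fd);
			return;
		}
		/*
		 * mark things so we know what happened and don't
		 * repeat things
		 */
		fad->fad_flags |= FAD_READ;

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		releasef(fd);

		return;

	default:
		break;

	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
}

/*
 * auf_sendmsg: finish-side audit handler for sendmsg.
 *
 * Reads the system call arguments from the current LWP's lwp_ap and
 * appends tokens to the audit record with au_uwrite():
 *   - on error: "so" and "flags" argument tokens only;
 *   - fd is not a socket: nothing;
 *   - AF_INET/AF_INET6, SOCK_DGRAM or SOCK_RAW: local address from the
 *     socket, destination address copied in from the caller's msghdr
 *     msg_name; the socket_ex token is added only if that copy succeeds;
 *   - AF_INET/AF_INET6, SOCK_STREAM and AF_UNIX: audited only the first
 *     time (tracked with FAD_WRITE in the file's audit data); later calls
 *     clear tad_flag and discard the record.
 *
 * rval is unused.
 */
/*ARGSUSED*/
static void
auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
{
	struct a {
		long	fd;
		long	msg;	/* struct msghdr */
		long	flags;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode	*so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	int err;
	int fd;
	short so_family, so_type;
	int add_sock_token = 0;
	socklen_t len;
	struct file *fp;
	struct f_audit_data *fad;
	caddr_t msg_name;
	socklen_t msg_namelen;
	STRUCT_DECL(msghdr, msg);
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	fd = (int)uap->fd;

	/* bail if an error */
	if (error) {
		/* XXX include destination address from system call arguments */
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/*
		 * not security relevant if doing a sendmsg from non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type   = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:
		/*
		 * if datagram type socket, then just use what is in
		 * socket structure for local address.
		 * XXX - what do we do for other types?
		 */
		if ((so->so_type == SOCK_DGRAM) ||
		    (so->so_type == SOCK_RAW)) {

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local address */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());

			/* get peer address */
			STRUCT_INIT(msg, get_udatamodel());

			if (copyin((caddr_t)(uap->msg),
			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
				break;
			}
			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
			if (msg_name == NULL)
				break;

			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
			/* length is value from recvmsg - sanity check */
			if (msg_namelen == 0)
				break;

			/*
			 * enforce maximum size.  The copy used to be a
			 * fixed sizeof (so_faddr) regardless of
			 * msg_namelen, which read past a shorter caller
			 * buffer: the audited destination could pick up
			 * unrelated user bytes, or the copyin could fault
			 * and the socket token would be omitted.  Copy only
			 * what the caller declared, capped at the buffer
			 * size, as the recvfrom and sendto handlers do.
			 */
			if (msg_namelen > sizeof (so_faddr))
				msg_namelen = sizeof (so_faddr);

			if (copyin(msg_name, so_faddr, msg_namelen) != 0)
				break;

			add_sock_token = 1;

		} else if (so->so_type == SOCK_STREAM) {

			/* get path from file struct here */
			fad = F2A(fp);
			ASSERT(fad);

			/*
			 * already processed this file for write attempt
			 */
			if (fad->fad_flags & FAD_WRITE) {
				releasef(fd);
				/* don't want to audit every sendmsg attempt */
				tad->tad_flag = 0;
				/* free any residual audit data */
				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
				return;
			}

			/*
			 * mark things so we know what happened and don't
			 * repeat things
			 */
			fad->fad_flags |= FAD_WRITE;

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local and foreign addresses */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			add_sock_token = 1;
		}

		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */

		break;

	case AF_UNIX:
		/*
		 * first check if this is first time through. Too much
		 * duplicate code to put this in an aui_ routine.
		 */

		/* get path from file struct here */
		fad = F2A(fp);
		ASSERT(fad);

		/*
		 * already processed this file for write attempt
		 */
		if (fad->fad_flags & FAD_WRITE) {
			releasef(fd);
			/* don't want to audit every sendmsg attempt */
			tad->tad_flag = 0;
			/* free any residual audit data */
			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
			return;
		}
		/*
		 * mark things so we know what happened and don't
		 * repeat things
		 */
		fad->fad_flags |= FAD_WRITE;

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		releasef(fd);

		return;

	default:
		break;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	if (add_sock_token == 0) {
		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		return;
	}

	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
}

/*ARGSUSED*/
static void
auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
{
	struct a {
		long	fd;
		long	msg;	/* char */
		long	len;
		long	flags;
		long	to;	/* struct sockaddr */
		long	tolen;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct sonode	*so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	socklen_t tolen;
	int err;
	int fd;
	socklen_t len;
	short so_family, so_type;
	int add_sock_token = 0;
	struct file *fp;
	struct f_audit_data *fad;
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	fd = (int)uap->fd;

	/* bail if an error */
	if (error) {
		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
		/* XXX include destination address from system call arguments */
		return;
	}

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/*
		 * not security relevant if doing a sendto using non socket
		 * so no extra tokens. Should probably turn off audit record
		 * generation here.
		 */
		return;
	}

	so_family = so->so_family;
	so_type   = so->so_type;

	/*
	 * only putout SOCKET_EX token if INET/INET6 family.
	 * XXX - what do we do about other families?
	 */

	switch (so_family) {
	case AF_INET:
	case AF_INET6:

		/*
		 * if datagram type socket, then just use what is in
		 * socket structure for local address.
		 * XXX - what do we do for other types?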
4714 */ 4715 if ((so->so_type == SOCK_DGRAM) || 4716 (so->so_type == SOCK_RAW)) { 4717 4718 bzero((void *)so_laddr, sizeof (so_laddr)); 4719 bzero((void *)so_faddr, sizeof (so_faddr)); 4720 4721 /* get local address */ 4722 len = sizeof (so_laddr); 4723 (void) socket_getsockname(so, 4724 (struct sockaddr *)so_laddr, &len, CRED()); 4725 4726 /* get peer address */ 4727 4728 /* sanity check */ 4729 if (uap->to == NULL) 4730 break; 4731 4732 /* sanity checks */ 4733 if (uap->tolen == 0) 4734 break; 4735 4736 tolen = (socklen_t)uap->tolen; 4737 4738 /* enforce maximum size */ 4739 if (tolen > sizeof (so_faddr)) 4740 tolen = sizeof (so_faddr); 4741 4742 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4743 break; 4744 4745 add_sock_token = 1; 4746 } else { 4747 /* 4748 * check if this is first time through. 4749 */ 4750 4751 /* get path from file struct here */ 4752 fad = F2A(fp); 4753 ASSERT(fad); 4754 4755 /* 4756 * already processed this file for write attempt 4757 */ 4758 if (fad->fad_flags & FAD_WRITE) { 4759 /* don't want to audit every sendto attempt */ 4760 tad->tad_flag = 0; 4761 /* free any residual audit data */ 4762 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4763 releasef(fd); 4764 return; 4765 } 4766 /* 4767 * mark things so we know what happened and don't 4768 * repeat things 4769 */ 4770 fad->fad_flags |= FAD_WRITE; 4771 4772 bzero((void *)so_laddr, sizeof (so_laddr)); 4773 bzero((void *)so_faddr, sizeof (so_faddr)); 4774 4775 /* get local and foreign addresses */ 4776 len = sizeof (so_laddr); 4777 (void) socket_getsockname(so, 4778 (struct sockaddr *)so_laddr, &len, CRED()); 4779 len = sizeof (so_faddr); 4780 (void) socket_getpeername(so, 4781 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4782 4783 add_sock_token = 1; 4784 } 4785 4786 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4787 4788 break; 4789 4790 case AF_UNIX: 4791 /* 4792 * first check if this is first time through. Too much 4793 * duplicate code to put this in an aui_ routine. 
4794 */ 4795 4796 /* get path from file struct here */ 4797 fad = F2A(fp); 4798 ASSERT(fad); 4799 4800 /* 4801 * already processed this file for write attempt 4802 */ 4803 if (fad->fad_flags & FAD_WRITE) { 4804 /* don't want to audit every sendto attempt */ 4805 tad->tad_flag = 0; 4806 /* free any residual audit data */ 4807 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4808 releasef(fd); 4809 return; 4810 } 4811 /* 4812 * mark things so we know what happened and don't 4813 * repeat things 4814 */ 4815 fad->fad_flags |= FAD_WRITE; 4816 4817 if (fad->fad_aupath != NULL) { 4818 au_uwrite(au_to_path(fad->fad_aupath)); 4819 } else { 4820 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4821 } 4822 4823 audit_attributes(fp->f_vnode); 4824 4825 releasef(fd); 4826 4827 return; 4828 4829 default: 4830 break; 4831 4832 } 4833 4834 releasef(fd); 4835 4836 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4837 4838 if (add_sock_token == 0) { 4839 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4840 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4841 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4842 return; 4843 } 4844 4845 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4846 4847 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4848 4849 } 4850 4851 /* 4852 * XXX socket(2) may be equivalent to open(2) on a unix domain 4853 * socket. This needs investigation. 
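*/

/*
 * Record the three arguments of the current system call (domain, type,
 * protocol) as 32-bit argument tokens.  The arguments are read from the
 * calling LWP's saved argument pointer (lwp_ap).
 */
/*ARGSUSED*/
static void
aus_socket(struct t_audit_data *tad)
{
	struct a {
		long	domain;
		long	type;
		long	protocol;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
}

/*
 * Record the signal number and, for a positive pid, a process token
 * describing the target process.
 *
 * For pid > 0 the target is looked up under pidlock and a hold is taken on
 * its credential; the uids, gids and audit info come from that held
 * credential.  If the process cannot be found, or its credential carries no
 * audit info, only the signal argument is written.  For pid <= 0 the raw pid
 * is written as an argument token instead.
 */
/*ARGSUSED*/
static void
aus_sigqueue(struct t_audit_data *tad)
{
	struct a {
		long	pid;
		long	signo;
		long	*val;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
	struct proc *p;
	uid_t uid, ruid;
	gid_t gid, rgid;
	pid_t pid;
	const auditinfo_addr_t *ainfo;
	cred_t *cr;

	pid = (pid_t)uap->pid;

	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
	if (pid > 0) {
		mutex_enter(&pidlock);
		if ((p = prfind(pid)) == (struct proc *)0) {
			mutex_exit(&pidlock);
			return;
		}
		mutex_enter(&p->p_lock); /* so process doesn't go away */
		mutex_exit(&pidlock);

		/* hold the credential so it stays valid after the locks drop */
		mutex_enter(&p->p_crlock);
		crhold(cr = p->p_cred);
		mutex_exit(&p->p_crlock);
		mutex_exit(&p->p_lock);

		ainfo = crgetauinfo(cr);
		if (ainfo == NULL) {
			crfree(cr);
			return;
		}

		uid = crgetuid(cr);
		gid = crgetgid(cr);
		ruid = crgetruid(cr);
		rgid = crgetrgid(cr);
		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
		crfree(cr);
	} else {
		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
	}
}

/*
 * Record the flags argument (argument 2).  The name argument is not
 * written by this routine.
 */
/*ARGSUSED*/
static void
aus_inst_sync(struct t_audit_data *tad)
{
	struct a {
		long	name;	/* char */
		long	flags;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
}

/*
 * Record the command and the six opaque arguments of the call.  The command
 * is always written as a 32-bit token; the remaining arguments are written
 * as 64-bit tokens on _LP64 kernels and 32-bit tokens otherwise.
 */
/*ARGSUSED*/
static void
aus_brandsys(struct t_audit_data *tad)
{
	klwp_t *clwp = ttolwp(curthread);

	struct a {
		long	cmd;
		long	arg1;
		long	arg2;
		long	arg3;
		long	arg4;
		long	arg5;
		long	arg6;
	} *uap = (struct a *)clwp->lwp_ap;

	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
#ifdef _LP64
	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
#else
	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
#endif
}

/*
 * Record the processor ID and flag arguments, followed by a text token
 * naming the flag.  A flag value that matches none of the known P_*
 * constants is recorded as "bad flag".
 */
/*ARGSUSED*/
static void
aus_p_online(struct t_audit_data *tad)
{
	struct a {
		long	processor_id;
		long	flag;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct flags {
		int	flag;
		char	*cflag;
	} aflags[6] = {
		{ P_ONLINE, "P_ONLINE"},
		{ P_OFFLINE, "P_OFFLINE"},
		{ P_NOINTR, "P_NOINTR"},
		{ P_SPARE, "P_SPARE"},
		{ P_FAULTED, "P_FAULTED"},
		{ P_STATUS, "P_STATUS"}
	};
	int i;
	char *cflag;

	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));

	/* linear search; i == 6 afterwards means no table entry matched */
	for (i = 0; i < 6; i++) {
		if (aflags[i].flag == uap->flag)
			break;
	}
	cflag = (i == 6) ? "bad flag" : aflags[i].cflag;

	au_uwrite(au_to_text(cflag));
}

/*
 * Record the ID type, ID and processor ID arguments, then a process token
 * for the process the binding applies to.
 *
 * For P_MYID and P_LWPID the subject is the calling process; for P_PID it
 * is looked up with prfind().  Other ID types, a missing process, a process
 * whose address space is kas, or a credential without audit info end the
 * record after the argument tokens.  The processor ID is written a second
 * time after the process token (as text when it is PBIND_NONE and the
 * request is not for a single LWP of a multi-LWP process).
 */
/*ARGSUSED*/
static void
aus_processor_bind(struct t_audit_data *tad)
{
	struct a {
		long	id_type;
		long	id;
		long	processor_id;
		long	obind;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	struct proc *p;
	int lwpcnt;
	uid_t uid, ruid;
	gid_t gid, rgid;
	pid_t pid;
	const auditinfo_addr_t *ainfo;
	cred_t *cr;

	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
	if (uap->processor_id == PBIND_NONE)
		au_uwrite(au_to_text("PBIND_NONE"));
	else
		au_uwrite(au_to_arg32(3, "processor_id",
		    (uint32_t)uap->processor_id));

	switch (uap->id_type) {
	case P_MYID:
	case P_LWPID:
		mutex_enter(&pidlock);
		p = ttoproc(curthread);
		if (p == NULL || p->p_as == &kas) {
			mutex_exit(&pidlock);
			return;
		}
		mutex_enter(&p->p_lock);
		mutex_exit(&pidlock);
		lwpcnt = p->p_lwpcnt;
		pid = p->p_pid;

		/* hold the credential so it stays valid after the locks drop */
		mutex_enter(&p->p_crlock);
		crhold(cr = p->p_cred);
		mutex_exit(&p->p_crlock);
		mutex_exit(&p->p_lock);

		ainfo = crgetauinfo(cr);
		if (ainfo == NULL) {
			crfree(cr);
			return;
		}

		uid = crgetuid(cr);
		gid = crgetgid(cr);
		ruid = crgetruid(cr);
		rgid = crgetrgid(cr);
		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
		crfree(cr);
		break;
	case P_PID:
		mutex_enter(&pidlock);
		p = prfind(uap->id);
		if (p == NULL || p->p_as == &kas) {
			mutex_exit(&pidlock);
			return;
		}
		mutex_enter(&p->p_lock);
		mutex_exit(&pidlock);
		lwpcnt = p->p_lwpcnt;
		pid = p->p_pid;

		/* hold the credential so it stays valid after the locks drop */
		mutex_enter(&p->p_crlock);
		crhold(cr = p->p_cred);
		mutex_exit(&p->p_crlock);
		mutex_exit(&p->p_lock);

		ainfo = crgetauinfo(cr);
		if (ainfo == NULL) {
			crfree(cr);
			return;
		}

		uid = crgetuid(cr);
		gid = crgetgid(cr);
		ruid = crgetruid(cr);
		rgid = crgetrgid(cr);
		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
		crfree(cr);

		break;
	default:
		return;
	}

	if (uap->processor_id == PBIND_NONE &&
	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
		au_uwrite(au_to_text("PBIND_NONE for process"));
	else
		au_uwrite(au_to_arg32(3, "processor_id",
		    (uint32_t)uap->processor_id));
}

/*
 * Select the audit event for a doorfs call from its subcode (sixth
 * argument).  DOOR_CALL, DOOR_CREATE and DOOR_REVOKE map to their own
 * events; every other subcode, including unknown ones, maps to AUE_NULL.
 */
/*ARGSUSED*/
static au_event_t
aui_doorfs(au_event_t e)
{
	uint32_t code;

	struct a {		/* doorfs */
		long	a1;
		long	a2;
		long	a3;
		long	a4;
		long	a5;
		long	code;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	/*
	 *	audit formats for several of the
	 *	door calls have not yet been determined
	 */
	code = (uint32_t)uap->code;
	switch (code) {
	case DOOR_CALL:
		e = AUE_DOORFS_DOOR_CALL;
		break;
	case DOOR_RETURN:
		e = AUE_NULL;
		break;
	case DOOR_CREATE:
		e = AUE_DOORFS_DOOR_CREATE;
		break;
	case DOOR_REVOKE:
		e = AUE_DOORFS_DOOR_REVOKE;
		break;
	case DOOR_INFO:
		e = AUE_NULL;
		break;
	case DOOR_UCRED:
		e = AUE_NULL;
		break;
	case DOOR_BIND:
		e = AUE_NULL;
		break;
	case DOOR_UNBIND:
		e = AUE_NULL;
		break;
	case DOOR_GETPARAM:
		e = AUE_NULL;
		break;
	case DOOR_SETPARAM:
		e = AUE_NULL;
		break;
	default:	/* illegal system call */
		e = AUE_NULL;
		break;
	}

	return (e);
}

/*
 * Translate a door descriptor into its door node.
 *
 * Returns NULL if the descriptor is not open or does not refer to a VDOOR
 * vnode; in both cases no hold on the descriptor is left behind.  On
 * success the hold taken by getf() is still in place, so the caller must
 * call releasef(did) when it is done with the returned node.
 */
static door_node_t *
au_door_lookup(int did)
{
	vnode_t	*vp;
	file_t *fp;

	if ((fp = getf(did)) == NULL)
		return (NULL);
	/*
	 * Use the underlying vnode (we may be namefs mounted)
	 */
	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
		vp = fp->f_vnode;

	if (vp == NULL || vp->v_type != VDOOR) {
		releasef(did);
		return (NULL);
	}

	return (VTOD(vp));
}

/*
 * Record the arguments of a doorfs call according to the event already
 * selected in tad->tad_event.
 *
 * DOOR_CALL: the door ID, then a process token for the door's target
 * process when the descriptor names a valid door with a target.  The
 * descriptor hold from au_door_lookup() is dropped on every path.
 * DOOR_CREATE: the door attributes (argument 3).
 * DOOR_REVOKE: the door ID.
 * All other events write nothing.
 */
/*ARGSUSED*/
static void
aus_doorfs(struct t_audit_data *tad)
{

	struct a {		/* doorfs */
		long	a1;
		long	a2;
		long	a3;
		long	a4;
		long	a5;
		long	code;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	door_node_t	*dp;
	struct proc	*p;
	uint32_t	did;
	uid_t uid, ruid;
	gid_t gid, rgid;
	pid_t pid;
	const auditinfo_addr_t *ainfo;
	cred_t *cr;

	did = (uint32_t)uap->a1;

	switch (tad->tad_event) {
	case AUE_DOORFS_DOOR_CALL:
		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
		if ((dp = au_door_lookup(did)) == NULL)
			break;

		if (DOOR_INVALID(dp)) {
			releasef(did);
			break;
		}

		if ((p = dp->door_target) == NULL) {
			releasef(did);
			break;
		}
		/* take p_lock before dropping the descriptor hold */
		mutex_enter(&p->p_lock);
		releasef(did);

		pid = p->p_pid;

		/* hold the credential so it stays valid after the locks drop */
		mutex_enter(&p->p_crlock);
		crhold(cr = p->p_cred);
		mutex_exit(&p->p_crlock);
		mutex_exit(&p->p_lock);

		ainfo = crgetauinfo(cr);
		if (ainfo == NULL) {
			crfree(cr);
			return;
		}
		uid = crgetuid(cr);
		gid = crgetgid(cr);
		ruid = crgetruid(cr);
		rgid = crgetrgid(cr);
		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
		crfree(cr);
		break;
	case AUE_DOORFS_DOOR_RETURN:
		/*
		 * We may want to write information about
		 * all doors (if any) which will be copied
		 * by this call to the user space
		 */
		break;
	case AUE_DOORFS_DOOR_CREATE:
		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
		break;
	case AUE_DOORFS_DOOR_REVOKE:
		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
		break;
	case AUE_DOORFS_DOOR_INFO:
		break;
	case AUE_DOORFS_DOOR_CRED:
		break;
	case AUE_DOORFS_DOOR_BIND:
		break;
	case AUE_DOORFS_DOOR_UNBIND: {
		break;
	}
	default:	/* illegal system call */
		break;
	}
}

/*
 * Select the audit event for acl()/facl() from the command argument.
 * The two set commands keep the event passed in; the four get commands are
 * mapped to AUE_NULL; any other command also keeps the event passed in.
 */
/*ARGSUSED*/
static au_event_t
aui_acl(au_event_t e)
{
	struct a {
		union {
			long	name;	/* char */
			long	fd;
		}		obj;

		long		cmd;
		long		nentries;
		long		arg;	/* aclent_t */
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	switch (uap->cmd) {
	case SETACL:
	case ACE_SETACL:
		/*
		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
		 * are expected.
		 */
		break;
	case GETACL:
	case GETACLCNT:
	case ACE_GETACL:
	case ACE_GETACLCNT:
		/* do nothing for these four values. */
		e = AUE_NULL;
		break;
	default:
		/* illegal system call */
		break;
	}

	return (e);
}

/*
 * Copy in the caller's ACL and write one token per entry.
 *
 * cmd       ACL command; only SETACL and ACE_SETACL produce tokens.
 * nentries  number of entries the caller claims bufp holds.
 * bufp      user-space address of the entry array.
 *
 * nentries and bufp are taken unmodified from the system call arguments
 * (see aus_acl() and aus_facl()), so both are untrusted here.  The entry
 * count is range-checked before it is used to size the kernel buffer:
 * a KM_SLEEP allocation waits for memory instead of failing, so an
 * unbounded count would stall the caller on an arbitrarily large request,
 * and where size_t is 32 bits the multiplication could wrap and leave the
 * token loop walking past the end of a short buffer.
 *
 * A count outside the accepted range, or a failed copyin(), writes no ACL
 * tokens; the cmd and nentries argument tokens written by the callers are
 * unaffected.
 */
static void
au_acl(int cmd, int nentries, caddr_t bufp)
{
	size_t		a_size;
	aclent_t	*aclbufp;
	ace_t		*acebufp;
	int		i;

	switch (cmd) {
	case GETACL:
	case GETACLCNT:
		break;
	case SETACL:
		/*
		 * An aclent_t list may carry both access and default
		 * entries, so twice MAX_ACL_ENTRIES is accepted.
		 * NOTE(review): confirm this matches the limit the acl
		 * system call itself enforces for SETACL.
		 */
		if (nentries < 3 || nentries > (MAX_ACL_ENTRIES * 2))
			break;

		a_size = nentries * sizeof (aclent_t);

		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
			break;
		if (copyin(bufp, aclbufp, a_size)) {
			kmem_free(aclbufp, a_size);
			break;
		}
		for (i = 0; i < nentries; i++) {
			au_uwrite(au_to_acl(aclbufp + i));
		}
		kmem_free(aclbufp, a_size);
		break;

	case ACE_SETACL:
		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
			break;

		a_size = nentries * sizeof (ace_t);
		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
			break;
		if (copyin(bufp, acebufp, a_size)) {
			kmem_free(acebufp, a_size);
			break;
		}
		for (i = 0; i < nentries; i++) {
			au_uwrite(au_to_ace(acebufp + i));
		}
		kmem_free(acebufp, a_size);
		break;
	default:
		break;
	}
}

/*
 * Record the cmd and nentries arguments, then the ACL entries themselves
 * via au_acl().  The path name argument is not written by this routine.
 */
/*ARGSUSED*/
static void
aus_acl(struct t_audit_data *tad)
{
	struct a {
		long	fname;
		long	cmd;
		long	nentries;
		long	aclbufp;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));

	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
}

/*
 * Record the cmd and nentries arguments, the path (or the descriptor
 * number when no path was saved) and attributes of the open file, then the
 * ACL entries via au_acl().  If the descriptor is not open, only the two
 * argument tokens are written.
 */
/*ARGSUSED*/
static void
aus_facl(struct t_audit_data *tad)
{
	struct a {
		long	fd;
		long	cmd;
		long	nentries;
		long	aclbufp;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
	struct file  *fp;
	struct vnode *vp;
	struct f_audit_data *fad;
	int fd;

	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));

	fd = (int)uap->fd;

	if ((fp = getf(fd)) == NULL)
		return;

	/* get path from file struct here */
	fad = F2A(fp);
	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
	} else {
		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
	}

	vp = fp->f_vnode;
	audit_attributes(vp);

	/* decrement file descriptor reference count */
	releasef(fd);

	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
}

/*
 * Audit a read on a descriptor, once per open file.
 *
 * The first call for a given file sets FAD_READ in its audit data and
 * writes the path (or descriptor number) and attributes.  Later calls find
 * the flag set, clear tad_flag and discard the pending record, so repeated
 * reads of the same open file do not each produce a record.
 */
/*ARGSUSED*/
static void
auf_read(tad, error, rval)
	struct t_audit_data *tad;
	int error;
	rval_t *rval;
{
	struct file *fp;
	struct f_audit_data *fad;
	int fd;
	register struct a {
		long	fd;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	fd = (int)uap->fd;

	/*
	 * convert file descriptor to file pointer
	 * Note: fd ref count incremented here.
	 */
	if ((fp = getf(fd)) == NULL)
		return;

	/* get path from file struct here */
	fad = F2A(fp);
	ASSERT(fad);

	/*
	 * already processed this file for read attempt
	 *
	 * XXX might be better to turn off auditing in a aui_read() routine.
	 */
	if (fad->fad_flags & FAD_READ) {
		/* don't really want to audit every read attempt */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
		releasef(fd);
		return;
	}
	/* mark things so we know what happened and don't repeat things */
	fad->fad_flags |= FAD_READ;

	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
	} else {
		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
	}

	/* include attributes */
	audit_attributes(fp->f_vnode);

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * Audit a write on a descriptor, once per open file.
 *
 * The first call for a given file sets FAD_WRITE in its audit data and
 * writes the path (or descriptor number) and attributes.  Later calls find
 * the flag set, clear tad_flag and discard the pending record, so repeated
 * writes to the same open file do not each produce a record.
 */
/*ARGSUSED*/
static void
auf_write(tad, error, rval)
	struct t_audit_data *tad;
	int error;
	rval_t *rval;
{
	struct file *fp;
	struct f_audit_data *fad;
	int fd;
	register struct a {
		long	fd;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	fd = (int)uap->fd;

	/*
	 * convert file descriptor to file pointer
	 * Note: fd ref count incremented here.
	 */
	if ((fp = getf(fd)) == NULL)
		return;

	/* get path from file struct here */
	fad = F2A(fp);
	ASSERT(fad);

	/*
	 * already processed this file for write attempt
	 *
	 * XXX might be better to turn off auditing in a aus_write() routine.
	 */
	if (fad->fad_flags & FAD_WRITE) {
		/* don't really want to audit every write attempt */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
		releasef(fd);
		return;
	}
	/* mark things so we know what happened and don't repeat things */
	fad->fad_flags |= FAD_WRITE;

	if (fad->fad_aupath != NULL) {
		au_uwrite(au_to_path(fad->fad_aupath));
	} else {
		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
	}

	/* include attributes */
	audit_attributes(fp->f_vnode);

	/* decrement file descriptor reference count */
	releasef(fd);
}

/*
 * Audit the first successful receive on a socket.
 *
 * No record is produced (tad_flag cleared, pending data discarded) when the
 * call failed, the descriptor is not a socket, FAD_READ is already set on
 * the file, or the socket is AF_INET/AF_INET6 but not bound.  Otherwise
 * FAD_READ is set and the record depends on the address family:
 *   AF_INET/AF_INET6  descriptor number and a socket token with the local
 *                     and foreign addresses;
 *   AF_UNIX           path (or descriptor number) and attributes;
 *   other             descriptor number, family and type.
 *
 * The results of socket_getsockname()/socket_getpeername() are not checked;
 * both buffers are zeroed first, so a failed lookup shows up in the record
 * as an all-zero address rather than as stale stack contents.
 */
/*ARGSUSED*/
static void
auf_recv(tad, error, rval)
	struct t_audit_data *tad;
	int error;
	rval_t *rval;
{
	struct sonode *so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	struct file *fp;
	struct f_audit_data *fad;
	int fd;
	int err;
	socklen_t len;
	short so_family, so_type;
	register struct a {
		long	fd;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	/*
	 * If there was an error, then nothing to do. Only generate
	 * audit record on first successful recv.
	 */
	if (error) {
		/* Turn off audit record generation here. */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
		return;
	}

	fd = (int)uap->fd;

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/* Turn off audit record generation here. */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
		return;
	}

	/* get path from file struct here */
	fad = F2A(fp);
	ASSERT(fad);

	/*
	 * already processed this file for read attempt
	 */
	if (fad->fad_flags & FAD_READ) {
		releasef(fd);
		/* don't really want to audit every recv call */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
		return;
	}

	/* mark things so we know what happened and don't repeat things */
	fad->fad_flags |= FAD_READ;

	/* copy out what is needed so nothing reads so after releasef() */
	so_family = so->so_family;
	so_type   = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:
		/*
		 * Only for connections.
		 * XXX - do we need to worry about SOCK_DGRAM or other types???
		 */
		if (so->so_state & SS_ISBOUND) {

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local and foreign addresses */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			/*
			 * only way to drop out of switch. Note that
			 * we release fd below.
			 */

			break;
		}

		releasef(fd);

		/* don't really want to audit every recv call */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);

		return;

	case AF_UNIX:

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		releasef(fd);

		return;

	default:
		releasef(fd);

		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));

		return;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));

}

/*
 * Audit the first successful send on a socket.
 *
 * No record is produced (tad_flag cleared, pending data discarded) when the
 * call failed, the descriptor is not a socket, FAD_WRITE is already set on
 * the file, or the socket is AF_INET/AF_INET6 but not bound.  Otherwise
 * FAD_WRITE is set and the record depends on the address family:
 *   AF_INET/AF_INET6  descriptor number and a socket token with the local
 *                     and foreign addresses;
 *   AF_UNIX           path (or descriptor number) and attributes;
 *   other             descriptor number, family and type.
 *
 * The results of socket_getsockname()/socket_getpeername() are not checked;
 * both buffers are zeroed first, so a failed lookup shows up in the record
 * as an all-zero address rather than as stale stack contents.
 */
/*ARGSUSED*/
static void
auf_send(tad, error, rval)
	struct t_audit_data *tad;
	int error;
	rval_t *rval;
{
	struct sonode *so;
	char so_laddr[sizeof (struct sockaddr_in6)];
	char so_faddr[sizeof (struct sockaddr_in6)];
	struct file *fp;
	struct f_audit_data *fad;
	int fd;
	int err;
	socklen_t len;
	short so_family, so_type;
	register struct a {
		long	fd;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
	au_kcontext_t	*kctx = GET_KCTX_PZ;

	/*
	 * If there was an error, then nothing to do. Only generate
	 * audit record on first successful send.
	 */
	if (error != 0) {
		/* Turn off audit record generation here. */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
		return;
	}

	fd = (int)uap->fd;

	if ((so = getsonode(fd, &err, &fp)) == NULL) {
		/* Turn off audit record generation here. */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
		return;
	}

	/* get path from file struct here */
	fad = F2A(fp);
	ASSERT(fad);

	/*
	 * already processed this file for write attempt
	 */
	if (fad->fad_flags & FAD_WRITE) {
		releasef(fd);
		/* don't really want to audit every send call */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
		return;
	}

	/* mark things so we know what happened and don't repeat things */
	fad->fad_flags |= FAD_WRITE;

	/* copy out what is needed so nothing reads so after releasef() */
	so_family = so->so_family;
	so_type   = so->so_type;

	switch (so_family) {
	case AF_INET:
	case AF_INET6:
		/*
		 * Only for connections.
		 * XXX - do we need to worry about SOCK_DGRAM or other types???
		 */
		if (so->so_state & SS_ISBOUND) {

			bzero((void *)so_laddr, sizeof (so_laddr));
			bzero((void *)so_faddr, sizeof (so_faddr));

			/* get local and foreign addresses */
			len = sizeof (so_laddr);
			(void) socket_getsockname(so,
			    (struct sockaddr *)so_laddr, &len, CRED());
			len = sizeof (so_faddr);
			(void) socket_getpeername(so,
			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());

			/*
			 * only way to drop out of switch. Note that
			 * we release fd below.
			 */

			break;
		}

		releasef(fd);
		/* don't really want to audit every send call */
		tad->tad_flag = 0;
		/* free any residual audit data */
		au_close(kctx, &(u_ad), 0, 0, 0, NULL);

		return;

	case AF_UNIX:

		if (fad->fad_aupath != NULL) {
			au_uwrite(au_to_path(fad->fad_aupath));
		} else {
			au_uwrite(au_to_arg32(1, "no path: fd", fd));
		}

		audit_attributes(fp->f_vnode);

		releasef(fd);

		return;

	default:
		releasef(fd);

		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));

		return;
	}

	releasef(fd);

	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));

	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
}

/*
 * Select the audit event for forksys from its subcode: 0 is AUE_FORK1,
 * 1 is AUE_FORKALL, 2 is AUE_VFORK; any other subcode maps to AUE_NULL.
 */
static au_event_t
aui_forksys(au_event_t e)
{
	struct a {
		long	subcode;
		long	flags;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	switch ((uint_t)uap->subcode) {
	case 0:
		e = AUE_FORK1;
		break;
	case 1:
		e = AUE_FORKALL;
		break;
	case 2:
		e = AUE_VFORK;
		break;
	default:
		e = AUE_NULL;
		break;
	}

	return (e);
}

/*
 * Select the audit event for portfs from its opcode (first argument masked
 * with PORT_CODE_MASK) and source (third argument).  Only PORT_ASSOCIATE
 * and PORT_DISSOCIATE with a source of PORT_SOURCE_FILE or PORT_SOURCE_FD
 * get an event; every other combination maps to AUE_NULL.
 */
/*ARGSUSED*/
static au_event_t
aui_portfs(au_event_t e)
{
	struct a {		/* portfs */
		long	a1;
		long	a2;
		long	a3;
	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;

	/*
	 * check opcode
	 */
	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
	case PORT_ASSOCIATE:
		/* check source */
		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
			e = AUE_PORTFS_ASSOCIATE;
		} else {
			e = AUE_NULL;
		}
		break;
	case PORT_DISSOCIATE:
		/* check source */
		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
			e = AUE_PORTFS_DISSOCIATE;
		} else {
			e = AUE_NULL;
		}
		break;
	default:
		e = AUE_NULL;
	}
	return (e);
}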