1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 static au_event_t aui_setpgrp(au_event_t); 104 105 static void aus_open(struct t_audit_data *); 106 static void aus_acl(struct t_audit_data *); 107 static void aus_acct(struct t_audit_data *); 108 static void aus_chown(struct t_audit_data *); 109 static void aus_fchown(struct t_audit_data *); 110 static void aus_lchown(struct t_audit_data *); 111 static void aus_chmod(struct t_audit_data *); 112 static void aus_facl(struct t_audit_data *); 113 static void aus_fchmod(struct t_audit_data *); 114 static void aus_fcntl(struct t_audit_data *); 115 static void aus_fsat(struct t_audit_data *); 116 static void aus_mkdir(struct t_audit_data *); 117 static void aus_mknod(struct t_audit_data *); 118 static void aus_mount(struct t_audit_data *); 119 static void aus_umount(struct t_audit_data *); 120 static void aus_umount2(struct t_audit_data *); 121 static void aus_msgsys(struct t_audit_data *); 122 static void aus_semsys(struct t_audit_data *); 123 static void aus_close(struct t_audit_data *); 124 static void aus_fstatfs(struct t_audit_data *); 125 static void aus_setgid(struct t_audit_data *); 126 static void aus_setpgrp(struct t_audit_data *); 127 static void aus_setuid(struct t_audit_data *); 128 static void aus_shmsys(struct t_audit_data *); 129 static void aus_doorfs(struct t_audit_data *); 130 static void aus_ioctl(struct t_audit_data *); 131 static void aus_memcntl(struct t_audit_data *); 132 static void aus_mmap(struct t_audit_data *); 133 static void aus_munmap(struct t_audit_data *); 134 static void aus_priocntlsys(struct t_audit_data *); 135 static void aus_setegid(struct t_audit_data *); 136 static void aus_setgroups(struct t_audit_data *); 137 static void aus_seteuid(struct t_audit_data *); 138 static void aus_putmsg(struct t_audit_data *); 139 static void aus_putpmsg(struct t_audit_data *); 140 static void aus_getmsg(struct t_audit_data *); 141 static void aus_getpmsg(struct t_audit_data *); 142 static void aus_auditsys(struct t_audit_data *); 143 static void aus_sysinfo(struct t_audit_data *); 144 static void aus_modctl(struct t_audit_data *); 145 static void aus_kill(struct t_audit_data *); 146 static void aus_xmknod(struct t_audit_data *); 147 static void aus_setregid(struct t_audit_data *); 148 static void aus_setreuid(struct t_audit_data *); 149 static void aus_labelsys(struct t_audit_data *); 150 151 static void auf_mknod(struct t_audit_data *, int, rval_t *); 152 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 153 static void auf_semsys(struct t_audit_data *, int, rval_t *); 154 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 155 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 156 static void auf_read(struct t_audit_data *, int, rval_t *); 157 static void auf_write(struct t_audit_data *, int, rval_t *); 158 159 static void aus_sigqueue(struct t_audit_data *); 160 static void aus_p_online(struct t_audit_data *); 161 static void aus_processor_bind(struct t_audit_data *); 162 static void aus_inst_sync(struct t_audit_data *); 163 static void aus_brandsys(struct t_audit_data *); 164 165 static void auf_accept(struct t_audit_data *, int, rval_t *); 166 167 static void auf_bind(struct t_audit_data *, int, rval_t *); 168 static void auf_connect(struct t_audit_data *, int, rval_t *); 169 static void aus_shutdown(struct t_audit_data *); 170 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 171 static void aus_sockconfig(struct t_audit_data *); 172 static void auf_recv(struct t_audit_data *, int, rval_t *); 173 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_send(struct t_audit_data *, int, rval_t *); 175 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 176 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 177 static void auf_sendto(struct t_audit_data *, int, rval_t *); 178 static void aus_socket(struct t_audit_data *); 179 /* 180 * This table contains mapping information for converting system call numbers 181 * to audit event IDs. In several cases it is necessary to map a single system 182 * call to several events. 183 */ 184 185 #define aui_null NULL /* NULL initialize function */ 186 #define aus_null NULL /* NULL start function */ 187 #define auf_null NULL /* NULL finish function */ 188 189 struct audit_s2e audit_s2e[] = 190 { 191 /* 192 * ---------- ---------- ---------- ---------- 193 * INITIAL AUDIT START SYSTEM 194 * PROCESSING EVENT PROCESSING CALL 195 * ---------- ---------- ---------- ----------- 196 * FINISH EVENT 197 * PROCESSING CONTROL 198 * ---------------------------------------------------------- 199 */ 200 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 201 auf_null, 0, 202 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 203 auf_null, S2E_NPT, 204 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 205 auf_null, 0, 206 aui_null, AUE_READ, aus_null, /* 3 read */ 207 auf_read, S2E_PUB, 208 aui_null, AUE_WRITE, aus_null, /* 4 write */ 209 auf_write, 0, 210 aui_open, AUE_OPEN, aus_open, /* 5 open */ 211 auf_null, S2E_SP, 212 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 213 auf_null, 0, 214 aui_null, AUE_NULL, aus_null, /* 7 wait */ 215 auf_null, 0, 216 aui_null, AUE_CREAT, aus_null, /* 8 create */ 217 auf_null, S2E_SP, 218 aui_null, AUE_LINK, aus_null, /* 9 link */ 219 auf_null, 0, 220 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 221 auf_null, 0, 222 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 223 auf_null, S2E_MLD, 224 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 225 auf_null, S2E_SP, 226 aui_null, AUE_NULL, aus_null, /* 13 time */ 227 auf_null, 0, 228 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 229 auf_mknod, 0, 230 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 231 auf_null, 0, 232 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 233 auf_null, 0, 234 aui_null, AUE_NULL, aus_null, /* 17 brk */ 235 auf_null, 0, 236 aui_null, AUE_STAT, aus_null, /* 18 stat */ 237 auf_null, S2E_PUB, 238 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 239 auf_null, 0, 240 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 241 auf_null, 0, 242 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 243 auf_null, S2E_MLD, 244 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 245 auf_null, 0, 246 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 247 auf_null, 0, 248 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 249 auf_null, 0, 250 aui_null, AUE_STIME, aus_null, /* 25 stime */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 255 auf_null, 0, 256 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 29 pause */ 259 auf_null, 0, 260 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 261 auf_null, 0, 262 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 263 auf_null, 0, 264 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 265 auf_null, 0, 266 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 267 auf_null, S2E_PUB, 268 aui_null, AUE_NICE, aus_null, /* 34 nice */ 269 auf_null, 0, 270 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 271 auf_null, S2E_PUB, 272 aui_null, AUE_NULL, aus_null, /* 36 sync */ 273 auf_null, 0, 274 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 275 auf_null, 0, 276 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 277 auf_null, S2E_PUB, 278 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 279 auf_null, 0, 280 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 281 auf_null, 0, 282 aui_null, AUE_NULL, aus_null, /* 41 dup */ 283 auf_null, 0, 284 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 43 times */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 44 profil */ 289 auf_null, 0, 290 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 291 /* was proc lock */ 292 auf_null, 0, 293 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 296 auf_null, 0, 297 aui_null, AUE_NULL, aus_null, /* 48 sig */ 298 auf_null, 0, 299 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 300 auf_msgsys, 0, 301 #if defined(__x86) 302 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 303 auf_null, 0, 304 #else 305 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 306 auf_null, 0, 307 #endif /* __x86 */ 308 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 309 auf_null, 0, 310 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 311 auf_shmsys, 0, 312 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 313 auf_semsys, 0, 314 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 317 auf_null, 0, 318 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 319 auf_null, 0, 320 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 321 auf_null, 0, 322 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 323 auf_null, 0, 324 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 325 auf_null, S2E_MLD, 326 aui_null, AUE_NULL, aus_null, /* 60 umask */ 327 auf_null, 0, 328 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 329 auf_null, S2E_SP, 330 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 337 auf_null, 0, 338 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 341 /* file locking call */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 344 /* local system calls */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 359 /* was sigret (SunOS) */ 360 auf_null, 0, 361 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 362 auf_null, 0, 363 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 364 auf_null, 0, 365 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 366 auf_null, 0, 367 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 368 auf_null, 0, 369 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 370 auf_null, 0, 371 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 372 auf_null, 0, 373 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 374 /* was libattach */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 377 /* was libdetach */ 378 auf_null, 0, 379 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 380 auf_null, 0, 381 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 382 auf_null, 0, 383 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 384 auf_null, 0, 385 aui_null, AUE_NULL, aus_null, /* 87 poll */ 386 auf_null, 0, 387 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 388 auf_null, S2E_PUB, 389 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 390 auf_null, 0, 391 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 392 auf_null, S2E_PUB, 393 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 394 auf_null, 0, 395 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 396 auf_null, 0, 397 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 398 auf_null, 0, 399 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 412 auf_null, 0, 413 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 414 auf_null, 0, 415 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 416 /* was evtrapret */ 417 auf_null, 0, 418 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 419 auf_null, S2E_PUB, 420 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 427 auf_null, 0, 428 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 429 auf_null, 0, 430 #if defined(__x86) 431 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 432 auf_null, 0, 433 #else 434 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 435 auf_null, 0, 436 #endif /* __x86 */ 437 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 438 auf_null, 0, 439 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 440 auf_null, 0, 441 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 442 auf_null, 0, /* 112 priocntlsys */ 443 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 444 auf_null, S2E_PUB, 445 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 446 auf_null, 0, 447 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 448 auf_null, 0, 449 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 450 auf_null, 0, 451 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 452 auf_null, 0, 453 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 454 auf_null, 0, 455 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 456 auf_null, 0, 457 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 458 auf_null, 0, 459 aui_null, AUE_READ, aus_null, /* 121 readv */ 460 auf_read, S2E_PUB, 461 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 462 auf_write, 0, 463 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 464 auf_null, S2E_PUB, 465 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 466 auf_null, S2E_PUB, 467 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 468 auf_null, 0, 469 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 470 auf_xmknod, 0, 471 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 472 auf_null, 0, 473 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 474 auf_null, 0, 475 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 476 auf_null, 0, 477 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 478 auf_null, 0, 479 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 480 auf_null, 0, 481 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 482 auf_null, 0, 483 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 484 auf_null, 0, 485 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 486 auf_null, 0, 487 aui_null, AUE_NULL, aus_null, /* 135 uname */ 488 auf_null, 0, 489 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 490 auf_null, 0, 491 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 492 auf_null, 0, 493 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 494 auf_null, 0, 495 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 496 auf_null, 0, 497 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 498 auf_null, 0, 499 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 500 auf_null, 0, 501 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 502 auf_null, 0, 503 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 146 yield */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 516 auf_null, 0, 517 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 518 auf_null, 0, 519 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 520 auf_null, 0, 521 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 522 auf_null, 0, 523 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 524 auf_null, 0, 525 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 548 /* was lwp_setprivate */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 551 /* was lwp_getprivate */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 562 auf_null, 0, 563 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 564 auf_null, 0, 565 aui_null, AUE_READ, aus_null, /* 173 pread */ 566 auf_read, S2E_PUB, 567 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 568 auf_write, 0, 569 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 570 auf_null, 0, 571 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 572 /* aus_inst_sync */ 573 auf_null, 0, 574 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 581 auf_null, 0, 582 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 583 auf_null, 0, 584 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 585 auf_null, S2E_MLD, 586 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 587 auf_null, 0, 588 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 589 auf_null, 0, 590 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 591 auf_null, 0, 592 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 593 auf_null, 0, 594 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 595 auf_null, 0, /* 187 processor_bind */ 596 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 597 auf_null, 0, 598 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 601 auf_null, 0, 602 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 603 auf_null, 0, 604 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 615 auf_null, 0, 616 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 617 auf_null, 0, 618 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 619 auf_null, 0, 620 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 621 auf_null, 0, 622 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 623 auf_null, 0, 624 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 625 auf_null, 0, 626 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 643 auf_null, 0, 644 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 645 auf_null, 0, 646 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 647 auf_null, 0, 648 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 649 auf_null, 0, 650 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 651 auf_null, S2E_PUB, 652 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 653 auf_null, S2E_PUB, 654 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 655 auf_null, 0, 656 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 657 auf_null, S2E_PUB, 658 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 659 auf_null, 0, 660 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 661 auf_null, 0, 662 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 663 auf_null, 0, 664 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 665 auf_read, S2E_PUB, 666 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 667 auf_write, 0, 668 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 669 auf_null, S2E_SP, 670 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 671 auf_null, S2E_SP, 672 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 677 auf_null, 0, 678 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 679 auf_null, 0, 680 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 681 auf_null, 0, 682 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 683 auf_null, 0, 684 aui_null, AUE_BIND, aus_null, /* 232 bind */ 685 auf_bind, 0, 686 aui_null, AUE_NULL, aus_null, /* 233 listen */ 687 auf_null, 0, 688 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 689 auf_accept, 0, 690 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 691 auf_connect, 0, 692 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 693 auf_null, 0, 694 aui_null, AUE_READ, aus_null, /* 237 recv */ 695 auf_recv, 0, 696 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 697 auf_recvfrom, 0, 698 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 699 auf_recvmsg, 0, 700 aui_null, AUE_WRITE, aus_null, /* 240 send */ 701 auf_send, 0, 702 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 703 auf_sendmsg, 0, 704 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 705 auf_sendto, 0, 706 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 707 auf_null, 0, 708 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 709 auf_null, 0, 710 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 711 auf_null, 0, 712 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 713 auf_setsockopt, 0, 714 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 715 auf_null, 0, 716 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 717 auf_null, 0, 718 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 725 auf_null, 0, 726 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 727 auf_null, 0, 728 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 729 auf_null, 0, 730 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 731 auf_null, 0 732 }; 733 734 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 735 736 737 /* acct start function */ 738 /*ARGSUSED*/ 739 static void 740 aus_acct(struct t_audit_data *tad) 741 { 742 klwp_t *clwp = ttolwp(curthread); 743 uintptr_t fname; 744 745 struct a { 746 long fname; /* char * */ 747 } *uap = (struct a *)clwp->lwp_ap; 748 749 fname = (uintptr_t)uap->fname; 750 751 if (fname == 0) 752 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 753 } 754 755 /* chown start function */ 756 /*ARGSUSED*/ 757 static void 758 aus_chown(struct t_audit_data *tad) 759 { 760 klwp_t *clwp = ttolwp(curthread); 761 uint32_t uid, gid; 762 763 struct a { 764 long fname; /* char * */ 765 long uid; 766 long gid; 767 } *uap = (struct a *)clwp->lwp_ap; 768 769 uid = (uint32_t)uap->uid; 770 gid = (uint32_t)uap->gid; 771 772 au_uwrite(au_to_arg32(2, "new file uid", uid)); 773 au_uwrite(au_to_arg32(3, "new file gid", gid)); 774 } 775 776 /* fchown start function */ 777 /*ARGSUSED*/ 778 static void 779 aus_fchown(struct t_audit_data *tad) 780 { 781 klwp_t *clwp = ttolwp(curthread); 782 uint32_t uid, gid, fd; 783 struct file *fp; 784 struct vnode *vp; 785 struct f_audit_data *fad; 786 787 struct a { 788 long fd; 789 long uid; 790 long gid; 791 } *uap = (struct a *)clwp->lwp_ap; 792 793 fd = (uint32_t)uap->fd; 794 uid = (uint32_t)uap->uid; 795 gid = (uint32_t)uap->gid; 796 797 au_uwrite(au_to_arg32(2, "new file uid", uid)); 798 au_uwrite(au_to_arg32(3, "new file gid", gid)); 799 800 /* 801 * convert file pointer to file descriptor 802 * Note: fd ref count incremented here. 803 */ 804 if ((fp = getf(fd)) == NULL) 805 return; 806 807 /* get path from file struct here */ 808 fad = F2A(fp); 809 if (fad->fad_aupath != NULL) { 810 au_uwrite(au_to_path(fad->fad_aupath)); 811 } else { 812 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 813 } 814 815 vp = fp->f_vnode; 816 audit_attributes(vp); 817 818 /* decrement file descriptor reference count */ 819 releasef(fd); 820 } 821 822 /*ARGSUSED*/ 823 static void 824 aus_lchown(struct t_audit_data *tad) 825 { 826 klwp_t *clwp = ttolwp(curthread); 827 uint32_t uid, gid; 828 829 830 struct a { 831 long fname; /* char * */ 832 long uid; 833 long gid; 834 } *uap = (struct a *)clwp->lwp_ap; 835 836 uid = (uint32_t)uap->uid; 837 gid = (uint32_t)uap->gid; 838 839 au_uwrite(au_to_arg32(2, "new file uid", uid)); 840 au_uwrite(au_to_arg32(3, "new file gid", gid)); 841 } 842 843 /* chmod start function */ 844 /*ARGSUSED*/ 845 static void 846 aus_chmod(struct t_audit_data *tad) 847 { 848 klwp_t *clwp = ttolwp(curthread); 849 uint32_t fmode; 850 851 struct a { 852 long fname; /* char * */ 853 long fmode; 854 } *uap = (struct a *)clwp->lwp_ap; 855 856 fmode = (uint32_t)uap->fmode; 857 858 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 859 } 860 861 /* chmod start function */ 862 /*ARGSUSED*/ 863 static void 864 aus_fchmod(struct t_audit_data *tad) 865 { 866 klwp_t *clwp = ttolwp(curthread); 867 uint32_t fmode, fd; 868 struct file *fp; 869 struct vnode *vp; 870 struct f_audit_data *fad; 871 872 struct a { 873 long fd; 874 long fmode; 875 } *uap = (struct a *)clwp->lwp_ap; 876 877 fd = (uint32_t)uap->fd; 878 fmode = (uint32_t)uap->fmode; 879 880 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 881 882 /* 883 * convert file pointer to file descriptor 884 * Note: fd ref count incremented here. 885 */ 886 if ((fp = getf(fd)) == NULL) 887 return; 888 889 /* get path from file struct here */ 890 fad = F2A(fp); 891 if (fad->fad_aupath != NULL) { 892 au_uwrite(au_to_path(fad->fad_aupath)); 893 } else { 894 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 895 } 896 897 vp = fp->f_vnode; 898 audit_attributes(vp); 899 900 /* decrement file descriptor reference count */ 901 releasef(fd); 902 } 903 904 905 /* convert open to appropriate event */ 906 static au_event_t 907 aui_open(au_event_t e) 908 { 909 klwp_t *clwp = ttolwp(curthread); 910 uint_t fm; 911 912 struct a { 913 long fnamep; /* char * */ 914 long fmode; 915 long cmode; 916 } *uap = (struct a *)clwp->lwp_ap; 917 918 fm = (uint_t)uap->fmode; 919 920 if (fm & O_WRONLY) 921 e = AUE_OPEN_W; 922 else if (fm & O_RDWR) 923 e = AUE_OPEN_RW; 924 else 925 e = AUE_OPEN_R; 926 927 if (fm & O_CREAT) 928 e += 1; 929 if (fm & O_TRUNC) 930 e += 2; 931 932 return (e); 933 } 934 935 /*ARGSUSED*/ 936 static void 937 aus_open(struct t_audit_data *tad) 938 { 939 klwp_t *clwp = ttolwp(curthread); 940 uint_t fm; 941 942 struct a { 943 long fnamep; /* char * */ 944 long fmode; 945 long cmode; 946 } *uap = (struct a *)clwp->lwp_ap; 947 948 fm = (uint_t)uap->fmode; 949 950 /* If no write, create, or trunc modes, mark as a public op */ 951 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 952 tad->tad_ctrl |= PAD_PUBLIC_EV; 953 } 954 955 /* convert openat(2) to appropriate event */ 956 static au_event_t 957 aui_fsat(au_event_t e) 958 { 959 t_audit_data_t *tad = U2A(u); 960 klwp_t *clwp = ttolwp(curthread); 961 uint_t fmcode, fm; 962 struct a { 963 long id; 964 long arg1; 965 long arg2; 966 long arg3; 967 long arg4; 968 long arg5; 969 } *uap = (struct a *)clwp->lwp_ap; 970 971 fmcode = (uint_t)uap->id; 972 973 switch (fmcode) { 974 975 case 0: /* openat */ 976 case 1: /* openat64 */ 977 fm = (uint_t)uap->arg3; 978 if (fm & O_WRONLY) 979 e = AUE_OPENAT_W; 980 else if (fm & O_RDWR) 981 e = AUE_OPENAT_RW; 982 else 983 e = AUE_OPENAT_R; 984 985 /* 986 * openat modes are defined in the following order: 987 * Read only 988 * Read|Create 989 * Read|Trunc 990 * Read|Create|Trunc 991 * Write Only 992 * Write|Create 993 * Write|Trunc 994 * Write|Create|Trunc * RW Only 995 * RW|Create 996 * RW|Trunc 997 * RW|Create|Trunc 998 */ 999 if (fm & O_CREAT) 1000 e += 1; /* increment to include CREAT in mode */ 1001 if (fm & O_TRUNC) 1002 e += 2; /* increment to include TRUNC in mode */ 1003 1004 /* convert to appropriate au_ctrl */ 1005 tad->tad_ctrl |= PAD_SAVPATH; 1006 if (fm & FXATTR) 1007 tad->tad_ctrl |= PAD_ATPATH; 1008 1009 1010 break; 1011 case 2: /* fstatat64 */ 1012 case 3: /* fstatat */ 1013 e = AUE_FSTATAT; 1014 break; 1015 case 4: /* fchownat */ 1016 e = AUE_FCHOWNAT; 1017 break; 1018 case 5: /* unlinkat */ 1019 e = AUE_UNLINKAT; 1020 break; 1021 case 6: /* futimesat */ 1022 e = AUE_FUTIMESAT; 1023 break; 1024 case 7: /* renameat */ 1025 e = AUE_RENAMEAT; 1026 break; 1027 case 8: /* faccessat */ 1028 e = AUE_FACCESSAT; 1029 break; 1030 case 9: /* __openattrdirat */ 1031 tad->tad_ctrl |= PAD_SAVPATH; 1032 /*FALLTHROUGH*/ 1033 default: 1034 e = AUE_NULL; 1035 break; 1036 } 1037 1038 return (e); 1039 } 1040 1041 /*ARGSUSED*/ 1042 static void 1043 aus_fsat(struct t_audit_data *tad) 1044 { 1045 klwp_t *clwp = ttolwp(curthread); 1046 uint_t fmcode, fm; 1047 struct a { 1048 long id; 1049 long arg1; 1050 long arg2; 1051 long arg3; 1052 long arg4; 1053 long arg5; 1054 } *uap = (struct a *)clwp->lwp_ap; 1055 1056 fmcode = (uint_t)uap->id; 1057 1058 switch (fmcode) { 1059 1060 case 0: /* openat */ 1061 case 1: /* openat64 */ 1062 fm = (uint_t)uap->arg3; 1063 /* If no write, create, or trunc modes, mark as a public op */ 1064 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1065 tad->tad_ctrl |= PAD_PUBLIC_EV; 1066 1067 break; 1068 case 2: /* fstatat64 */ 1069 case 3: /* fstatat */ 1070 tad->tad_ctrl |= PAD_PUBLIC_EV; 1071 break; 1072 default: 1073 break; 1074 } 1075 } 1076 1077 /* msgsys */ 1078 static au_event_t 1079 aui_msgsys(au_event_t e) 1080 { 1081 klwp_t *clwp = ttolwp(curthread); 1082 uint_t fm; 1083 1084 struct a { 1085 long id; /* function code id */ 1086 long ap; /* arg pointer for recvmsg */ 1087 } *uap = (struct a *)clwp->lwp_ap; 1088 1089 struct b { 1090 long msgid; 1091 long cmd; 1092 long buf; /* struct msqid_ds * */ 1093 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1094 1095 fm = (uint_t)uap->id; 1096 1097 switch (fm) { 1098 case 0: /* msgget */ 1099 e = AUE_MSGGET; 1100 break; 1101 case 1: /* msgctl */ 1102 switch ((uint_t)uap1->cmd) { 1103 case IPC_RMID: 1104 e = AUE_MSGCTL_RMID; 1105 break; 1106 case IPC_SET: 1107 e = AUE_MSGCTL_SET; 1108 break; 1109 case IPC_STAT: 1110 e = AUE_MSGCTL_STAT; 1111 break; 1112 default: 1113 e = AUE_MSGCTL; 1114 break; 1115 } 1116 break; 1117 case 2: /* msgrcv */ 1118 e = AUE_MSGRCV; 1119 break; 1120 case 3: /* msgsnd */ 1121 e = AUE_MSGSND; 1122 break; 1123 default: /* illegal system call */ 1124 e = AUE_NULL; 1125 break; 1126 } 1127 1128 return (e); 1129 } 1130 1131 1132 /* shmsys */ 1133 static au_event_t 1134 aui_shmsys(au_event_t e) 1135 { 1136 klwp_t *clwp = ttolwp(curthread); 1137 int fm; 1138 1139 struct a { /* shmsys */ 1140 long id; /* function code id */ 1141 } *uap = (struct a *)clwp->lwp_ap; 1142 1143 struct b { /* ctrl */ 1144 long shmid; 1145 long cmd; 1146 long arg; /* struct shmid_ds * */ 1147 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1148 fm = (uint_t)uap->id; 1149 1150 switch (fm) { 1151 case 0: /* shmat */ 1152 e = AUE_SHMAT; 1153 break; 1154 case 1: /* shmctl */ 1155 switch ((uint_t)uap1->cmd) { 1156 case IPC_RMID: 1157 e = AUE_SHMCTL_RMID; 1158 break; 1159 case IPC_SET: 1160 e = AUE_SHMCTL_SET; 1161 break; 1162 case IPC_STAT: 1163 e = AUE_SHMCTL_STAT; 1164 break; 1165 default: 1166 e = AUE_SHMCTL; 1167 break; 1168 } 1169 break; 1170 case 2: /* shmdt */ 1171 e = AUE_SHMDT; 1172 break; 1173 case 3: /* shmget */ 1174 e = AUE_SHMGET; 1175 break; 1176 default: /* illegal system call */ 1177 e = AUE_NULL; 1178 break; 1179 } 1180 1181 return (e); 1182 } 1183 1184 1185 /* semsys */ 1186 static au_event_t 1187 aui_semsys(au_event_t e) 1188 { 1189 klwp_t *clwp = ttolwp(curthread); 1190 uint_t fm; 1191 1192 struct a { /* semsys */ 1193 long id; 1194 } *uap = (struct a *)clwp->lwp_ap; 1195 1196 struct b { /* ctrl */ 1197 long semid; 1198 long semnum; 1199 long cmd; 1200 long arg; 1201 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1202 1203 fm = (uint_t)uap->id; 1204 1205 switch (fm) { 1206 case 0: /* semctl */ 1207 switch ((uint_t)uap1->cmd) { 1208 case IPC_RMID: 1209 e = AUE_SEMCTL_RMID; 1210 break; 1211 case IPC_SET: 1212 e = AUE_SEMCTL_SET; 1213 break; 1214 case IPC_STAT: 1215 e = AUE_SEMCTL_STAT; 1216 break; 1217 case GETNCNT: 1218 e = AUE_SEMCTL_GETNCNT; 1219 break; 1220 case GETPID: 1221 e = AUE_SEMCTL_GETPID; 1222 break; 1223 case GETVAL: 1224 e = AUE_SEMCTL_GETVAL; 1225 break; 1226 case GETALL: 1227 e = AUE_SEMCTL_GETALL; 1228 break; 1229 case GETZCNT: 1230 e = AUE_SEMCTL_GETZCNT; 1231 break; 1232 case SETVAL: 1233 e = AUE_SEMCTL_SETVAL; 1234 break; 1235 case SETALL: 1236 e = AUE_SEMCTL_SETALL; 1237 break; 1238 default: 1239 e = AUE_SEMCTL; 1240 break; 1241 } 1242 break; 1243 case 1: /* semget */ 1244 e = AUE_SEMGET; 1245 break; 1246 case 2: /* semop */ 1247 e = AUE_SEMOP; 1248 break; 1249 default: /* illegal system call */ 1250 e = AUE_NULL; 1251 break; 1252 } 1253 1254 return (e); 1255 } 1256 1257 /* utssys - uname(2), ustat(2), fusers(2) */ 1258 static au_event_t 1259 aui_utssys(au_event_t e) 1260 { 1261 klwp_t *clwp = ttolwp(curthread); 1262 uint_t type; 1263 1264 struct a { 1265 union { 1266 long cbuf; /* char * */ 1267 long ubuf; /* struct stat * */ 1268 } ub; 1269 union { 1270 long mv; /* for USTAT */ 1271 long flags; /* for FUSERS */ 1272 } un; 1273 long type; 1274 long outbp; /* char * for FUSERS */ 1275 } *uap = (struct a *)clwp->lwp_ap; 1276 1277 type = (uint_t)uap->type; 1278 1279 if (type == UTS_FUSERS) 1280 return (e); 1281 else 1282 return ((au_event_t)AUE_NULL); 1283 } 1284 1285 static au_event_t 1286 aui_fcntl(au_event_t e) 1287 { 1288 klwp_t *clwp = ttolwp(curthread); 1289 uint_t cmd; 1290 1291 struct a { 1292 long fdes; 1293 long cmd; 1294 long arg; 1295 } *uap = (struct a *)clwp->lwp_ap; 1296 1297 cmd = (uint_t)uap->cmd; 1298 1299 switch (cmd) { 1300 case F_GETLK: 1301 case F_SETLK: 1302 case F_SETLKW: 1303 break; 1304 case F_SETFL: 1305 case F_GETFL: 1306 case F_GETFD: 1307 break; 1308 default: 1309 e = (au_event_t)AUE_NULL; 1310 break; 1311 } 1312 return ((au_event_t)e); 1313 } 1314 1315 /* null function for now */ 1316 static au_event_t 1317 aui_execv(au_event_t e) 1318 { 1319 return (e); 1320 } 1321 1322 /* null function for now */ 1323 static au_event_t 1324 aui_execve(au_event_t e) 1325 { 1326 return (e); 1327 } 1328 1329 /*ARGSUSED*/ 1330 static void 1331 aus_fcntl(struct t_audit_data *tad) 1332 { 1333 klwp_t *clwp = ttolwp(curthread); 1334 uint32_t cmd, fd; 1335 struct file *fp; 1336 struct vnode *vp; 1337 struct f_audit_data *fad; 1338 1339 struct a { 1340 long fd; 1341 long cmd; 1342 long arg; 1343 } *uap = (struct a *)clwp->lwp_ap; 1344 1345 cmd = (uint32_t)uap->cmd; 1346 fd = (uint32_t)uap->fd; 1347 1348 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1349 1350 /* 1351 * convert file pointer to file descriptor 1352 * Note: fd ref count incremented here. 1353 */ 1354 if ((fp = getf(fd)) == NULL) 1355 return; 1356 1357 /* get path from file struct here */ 1358 fad = F2A(fp); 1359 if (fad->fad_aupath != NULL) { 1360 au_uwrite(au_to_path(fad->fad_aupath)); 1361 } else { 1362 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1363 } 1364 1365 vp = fp->f_vnode; 1366 audit_attributes(vp); 1367 1368 /* decrement file descriptor reference count */ 1369 releasef(fd); 1370 } 1371 1372 /*ARGSUSED*/ 1373 static void 1374 aus_kill(struct t_audit_data *tad) 1375 { 1376 klwp_t *clwp = ttolwp(curthread); 1377 struct proc *p; 1378 uint32_t signo; 1379 uid_t uid, ruid; 1380 gid_t gid, rgid; 1381 pid_t pid; 1382 const auditinfo_addr_t *ainfo; 1383 cred_t *cr; 1384 1385 struct a { 1386 long pid; 1387 long signo; 1388 } *uap = (struct a *)clwp->lwp_ap; 1389 1390 pid = (pid_t)uap->pid; 1391 signo = (uint32_t)uap->signo; 1392 1393 au_uwrite(au_to_arg32(2, "signal", signo)); 1394 if (pid > 0) { 1395 mutex_enter(&pidlock); 1396 if (((p = prfind(pid)) == (struct proc *)0) || 1397 (p->p_stat == SIDL)) { 1398 mutex_exit(&pidlock); 1399 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1400 return; 1401 } 1402 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1403 mutex_exit(&pidlock); 1404 1405 mutex_enter(&p->p_crlock); 1406 crhold(cr = p->p_cred); 1407 mutex_exit(&p->p_crlock); 1408 mutex_exit(&p->p_lock); 1409 1410 ainfo = crgetauinfo(cr); 1411 if (ainfo == NULL) { 1412 crfree(cr); 1413 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1414 return; 1415 } 1416 1417 uid = crgetuid(cr); 1418 gid = crgetgid(cr); 1419 ruid = crgetruid(cr); 1420 rgid = crgetrgid(cr); 1421 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1422 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1423 1424 if (is_system_labeled()) 1425 au_uwrite(au_to_label(CR_SL(cr))); 1426 1427 crfree(cr); 1428 } 1429 else 1430 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1431 } 1432 1433 /*ARGSUSED*/ 1434 static void 1435 aus_mkdir(struct t_audit_data *tad) 1436 { 1437 klwp_t *clwp = ttolwp(curthread); 1438 uint32_t dmode; 1439 1440 struct a { 1441 long dirnamep; /* char * */ 1442 long dmode; 1443 } *uap = (struct a *)clwp->lwp_ap; 1444 1445 dmode = (uint32_t)uap->dmode; 1446 1447 au_uwrite(au_to_arg32(2, "mode", dmode)); 1448 } 1449 1450 /*ARGSUSED*/ 1451 static void 1452 aus_mknod(struct t_audit_data *tad) 1453 { 1454 klwp_t *clwp = ttolwp(curthread); 1455 uint32_t fmode; 1456 dev_t dev; 1457 1458 struct a { 1459 long pnamep; /* char * */ 1460 long fmode; 1461 long dev; 1462 } *uap = (struct a *)clwp->lwp_ap; 1463 1464 fmode = (uint32_t)uap->fmode; 1465 dev = (dev_t)uap->dev; 1466 1467 au_uwrite(au_to_arg32(2, "mode", fmode)); 1468 #ifdef _LP64 1469 au_uwrite(au_to_arg64(3, "dev", dev)); 1470 #else 1471 au_uwrite(au_to_arg32(3, "dev", dev)); 1472 #endif 1473 } 1474 1475 /*ARGSUSED*/ 1476 static void 1477 aus_xmknod(struct t_audit_data *tad) 1478 { 1479 klwp_t *clwp = ttolwp(curthread); 1480 uint32_t fmode; 1481 dev_t dev; 1482 1483 struct a { 1484 long version; /* version */ 1485 long pnamep; /* char * */ 1486 long fmode; 1487 long dev; 1488 } *uap = (struct a *)clwp->lwp_ap; 1489 1490 fmode = (uint32_t)uap->fmode; 1491 dev = (dev_t)uap->dev; 1492 1493 au_uwrite(au_to_arg32(2, "mode", fmode)); 1494 #ifdef _LP64 1495 au_uwrite(au_to_arg64(3, "dev", dev)); 1496 #else 1497 au_uwrite(au_to_arg32(3, "dev", dev)); 1498 #endif 1499 } 1500 1501 /*ARGSUSED*/ 1502 static void 1503 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1504 { 1505 klwp_t *clwp = ttolwp(curthread); 1506 vnode_t *dvp; 1507 caddr_t pnamep; 1508 1509 struct a { 1510 long pnamep; /* char * */ 1511 long fmode; 1512 long dev; 1513 } *uap = (struct a *)clwp->lwp_ap; 1514 1515 /* no error, then already path token in audit record */ 1516 if (error != EPERM) 1517 return; 1518 1519 /* not auditing this event, nothing then to do */ 1520 if (tad->tad_flag == 0) 1521 return; 1522 1523 /* do the lookup to force generation of path token */ 1524 pnamep = (caddr_t)uap->pnamep; 1525 tad->tad_ctrl |= PAD_NOATTRB; 1526 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1527 if (error == 0) 1528 VN_RELE(dvp); 1529 } 1530 1531 /*ARGSUSED*/ 1532 static void 1533 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1534 { 1535 klwp_t *clwp = ttolwp(curthread); 1536 vnode_t *dvp; 1537 caddr_t pnamep; 1538 1539 struct a { 1540 long version; /* version */ 1541 long pnamep; /* char * */ 1542 long fmode; 1543 long dev; 1544 } *uap = (struct a *)clwp->lwp_arg; 1545 1546 1547 /* no error, then already path token in audit record */ 1548 if (error != EPERM) 1549 return; 1550 1551 /* not auditing this event, nothing then to do */ 1552 if (tad->tad_flag == 0) 1553 return; 1554 1555 /* do the lookup to force generation of path token */ 1556 pnamep = (caddr_t)uap->pnamep; 1557 tad->tad_ctrl |= PAD_NOATTRB; 1558 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1559 if (error == 0) 1560 VN_RELE(dvp); 1561 } 1562 1563 /*ARGSUSED*/ 1564 static void 1565 aus_mount(struct t_audit_data *tad) 1566 { /* AUS_START */ 1567 klwp_t *clwp = ttolwp(curthread); 1568 uint32_t flags; 1569 uintptr_t u_fstype, dataptr; 1570 STRUCT_DECL(nfs_args, nfsargs); 1571 size_t len; 1572 char *fstype, *hostname; 1573 1574 struct a { 1575 long spec; /* char * */ 1576 long dir; /* char * */ 1577 long flags; 1578 long fstype; /* char * */ 1579 long dataptr; /* char * */ 1580 long datalen; 1581 } *uap = (struct a *)clwp->lwp_ap; 1582 1583 u_fstype = (uintptr_t)uap->fstype; 1584 flags = (uint32_t)uap->flags; 1585 dataptr = (uintptr_t)uap->dataptr; 1586 1587 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1588 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1589 goto mount_free_fstype; 1590 1591 au_uwrite(au_to_arg32(3, "flags", flags)); 1592 au_uwrite(au_to_text(fstype)); 1593 1594 if (strncmp(fstype, "nfs", 3) == 0) { 1595 1596 STRUCT_INIT(nfsargs, get_udatamodel()); 1597 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1598 1599 if (copyin((caddr_t)dataptr, 1600 STRUCT_BUF(nfsargs), 1601 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1602 /* DEBUG debug_enter((char *)NULL); */ 1603 goto mount_free_fstype; 1604 } 1605 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1606 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1607 (caddr_t)hostname, 1608 MAXNAMELEN, &len)) { 1609 goto mount_free_hostname; 1610 } 1611 au_uwrite(au_to_text(hostname)); 1612 au_uwrite(au_to_arg32(3, "internal flags", 1613 (uint_t)STRUCT_FGET(nfsargs, flags))); 1614 1615 mount_free_hostname: 1616 kmem_free(hostname, MAXNAMELEN); 1617 } 1618 1619 mount_free_fstype: 1620 kmem_free(fstype, MAXNAMELEN); 1621 } /* AUS_MOUNT */ 1622 1623 static void 1624 aus_umount_path(caddr_t umount_dir) 1625 { 1626 char *dir_path; 1627 struct audit_path *path; 1628 size_t path_len, dir_len; 1629 1630 /* length alloc'd for two string pointers */ 1631 path_len = sizeof (struct audit_path) + sizeof (char *); 1632 path = kmem_alloc(path_len, KM_SLEEP); 1633 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1634 1635 if (copyinstr(umount_dir, (caddr_t)dir_path, 1636 MAXPATHLEN, &dir_len)) 1637 goto umount2_free_dir; 1638 1639 /* 1640 * the audit_path struct assumes that the buffer pointed to 1641 * by audp_sect[n] contains string 0 immediatedly followed 1642 * by string 1. 1643 */ 1644 path->audp_sect[0] = dir_path; 1645 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1646 path->audp_size = path_len; 1647 path->audp_ref = 1; /* not used */ 1648 path->audp_cnt = 1; /* one path string */ 1649 1650 au_uwrite(au_to_path(path)); 1651 1652 umount2_free_dir: 1653 kmem_free(dir_path, MAXPATHLEN); 1654 kmem_free(path, path_len); 1655 } 1656 1657 /* 1658 * the umount syscall is implemented as a call to umount2, but the args 1659 * are different... 1660 */ 1661 1662 /*ARGSUSED*/ 1663 static void 1664 aus_umount(struct t_audit_data *tad) 1665 { 1666 klwp_t *clwp = ttolwp(curthread); 1667 struct a { 1668 long dir; /* char * */ 1669 } *uap = (struct a *)clwp->lwp_ap; 1670 1671 aus_umount_path((caddr_t)uap->dir); 1672 } 1673 1674 /*ARGSUSED*/ 1675 static void 1676 aus_umount2(struct t_audit_data *tad) 1677 { 1678 klwp_t *clwp = ttolwp(curthread); 1679 struct a { 1680 long dir; /* char * */ 1681 long flags; 1682 } *uap = (struct a *)clwp->lwp_ap; 1683 1684 aus_umount_path((caddr_t)uap->dir); 1685 1686 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1687 } 1688 1689 static void 1690 aus_msgsys(struct t_audit_data *tad) 1691 { 1692 klwp_t *clwp = ttolwp(curthread); 1693 uint32_t msgid; 1694 1695 struct b { 1696 long msgid; 1697 long cmd; 1698 long buf; /* struct msqid_ds * */ 1699 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1700 1701 msgid = (uint32_t)uap1->msgid; 1702 1703 1704 switch (tad->tad_event) { 1705 case AUE_MSGGET: /* msgget */ 1706 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1707 break; 1708 case AUE_MSGCTL: /* msgctl */ 1709 case AUE_MSGCTL_RMID: /* msgctl */ 1710 case AUE_MSGCTL_SET: /* msgctl */ 1711 case AUE_MSGCTL_STAT: /* msgctl */ 1712 case AUE_MSGRCV: /* msgrcv */ 1713 case AUE_MSGSND: /* msgsnd */ 1714 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1715 break; 1716 } 1717 } 1718 1719 /*ARGSUSED*/ 1720 static void 1721 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1722 { 1723 int id; 1724 1725 if (error != 0) 1726 return; 1727 if (tad->tad_event == AUE_MSGGET) { 1728 uint32_t scid; 1729 uint32_t sy_flags; 1730 1731 /* need to determine type of executing binary */ 1732 scid = tad->tad_scid; 1733 #ifdef _SYSCALL32_IMPL 1734 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1735 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1736 else 1737 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1738 #else 1739 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1740 #endif 1741 if (sy_flags == SE_32RVAL1) 1742 id = rval->r_val1; 1743 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1744 id = rval->r_val1; 1745 if (sy_flags == SE_64RVAL) 1746 id = (int)rval->r_vals; 1747 1748 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1749 } 1750 } 1751 1752 static void 1753 aus_semsys(struct t_audit_data *tad) 1754 { 1755 klwp_t *clwp = ttolwp(curthread); 1756 uint32_t semid; 1757 1758 struct b { /* ctrl */ 1759 long semid; 1760 long semnum; 1761 long cmd; 1762 long arg; 1763 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1764 1765 semid = (uint32_t)uap1->semid; 1766 1767 switch (tad->tad_event) { 1768 case AUE_SEMCTL_RMID: 1769 case AUE_SEMCTL_STAT: 1770 case AUE_SEMCTL_GETNCNT: 1771 case AUE_SEMCTL_GETPID: 1772 case AUE_SEMCTL_GETVAL: 1773 case AUE_SEMCTL_GETALL: 1774 case AUE_SEMCTL_GETZCNT: 1775 case AUE_SEMCTL_SET: 1776 case AUE_SEMCTL_SETVAL: 1777 case AUE_SEMCTL_SETALL: 1778 case AUE_SEMCTL: 1779 case AUE_SEMOP: 1780 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1781 break; 1782 case AUE_SEMGET: 1783 au_uwrite(au_to_arg32(1, "sem key", semid)); 1784 break; 1785 } 1786 } 1787 1788 /*ARGSUSED*/ 1789 static void 1790 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1791 { 1792 int id; 1793 1794 if (error != 0) 1795 return; 1796 if (tad->tad_event == AUE_SEMGET) { 1797 uint32_t scid; 1798 uint32_t sy_flags; 1799 1800 /* need to determine type of executing binary */ 1801 scid = tad->tad_scid; 1802 #ifdef _SYSCALL32_IMPL 1803 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1804 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1805 else 1806 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1807 #else 1808 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1809 #endif 1810 if (sy_flags == SE_32RVAL1) 1811 id = rval->r_val1; 1812 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1813 id = rval->r_val1; 1814 if (sy_flags == SE_64RVAL) 1815 id = (int)rval->r_vals; 1816 1817 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1818 } 1819 } 1820 1821 /*ARGSUSED*/ 1822 static void 1823 aus_close(struct t_audit_data *tad) 1824 { 1825 klwp_t *clwp = ttolwp(curthread); 1826 uint32_t fd; 1827 struct file *fp; 1828 struct f_audit_data *fad; 1829 struct vnode *vp; 1830 struct vattr attr; 1831 au_kcontext_t *kctx = GET_KCTX_PZ; 1832 1833 struct a { 1834 long i; 1835 } *uap = (struct a *)clwp->lwp_ap; 1836 1837 fd = (uint32_t)uap->i; 1838 1839 attr.va_mask = 0; 1840 au_uwrite(au_to_arg32(1, "fd", fd)); 1841 1842 /* 1843 * convert file pointer to file descriptor 1844 * Note: fd ref count incremented here. 1845 */ 1846 if ((fp = getf(fd)) == NULL) 1847 return; 1848 1849 fad = F2A(fp); 1850 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1851 if (fad->fad_aupath != NULL) { 1852 au_uwrite(au_to_path(fad->fad_aupath)); 1853 if ((vp = fp->f_vnode) != NULL) { 1854 attr.va_mask = AT_ALL; 1855 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1856 /* 1857 * When write was not used and the file can be 1858 * considered public, skip the audit. 1859 */ 1860 if (((fp->f_flag & FWRITE) == 0) && 1861 file_is_public(&attr)) { 1862 tad->tad_flag = 0; 1863 tad->tad_evmod = 0; 1864 /* free any residual audit data */ 1865 au_close(kctx, &(u_ad), 0, 0, 0); 1866 releasef(fd); 1867 return; 1868 } 1869 au_uwrite(au_to_attr(&attr)); 1870 audit_sec_attributes(&(u_ad), vp); 1871 } 1872 } 1873 } 1874 1875 /* decrement file descriptor reference count */ 1876 releasef(fd); 1877 } 1878 1879 /*ARGSUSED*/ 1880 static void 1881 aus_fstatfs(struct t_audit_data *tad) 1882 { 1883 klwp_t *clwp = ttolwp(curthread); 1884 uint32_t fd; 1885 struct file *fp; 1886 struct vnode *vp; 1887 struct f_audit_data *fad; 1888 1889 struct a { 1890 long fd; 1891 long buf; /* struct statfs * */ 1892 } *uap = (struct a *)clwp->lwp_ap; 1893 1894 fd = (uint_t)uap->fd; 1895 1896 /* 1897 * convert file pointer to file descriptor 1898 * Note: fd ref count incremented here. 1899 */ 1900 if ((fp = getf(fd)) == NULL) 1901 return; 1902 1903 /* get path from file struct here */ 1904 fad = F2A(fp); 1905 if (fad->fad_aupath != NULL) { 1906 au_uwrite(au_to_path(fad->fad_aupath)); 1907 } else { 1908 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1909 } 1910 1911 vp = fp->f_vnode; 1912 audit_attributes(vp); 1913 1914 /* decrement file descriptor reference count */ 1915 releasef(fd); 1916 } 1917 1918 static au_event_t 1919 aui_setpgrp(au_event_t e) 1920 { 1921 klwp_t *clwp = ttolwp(curthread); 1922 int flag; 1923 1924 struct a { 1925 long flag; 1926 long pid; 1927 long pgid; 1928 } *uap = (struct a *)clwp->lwp_ap; 1929 1930 flag = (int)uap->flag; 1931 1932 1933 switch (flag) { 1934 1935 case 1: /* setpgrp() */ 1936 e = AUE_SETPGRP; 1937 break; 1938 1939 case 3: /* setsid() */ 1940 e = AUE_SETSID; 1941 break; 1942 1943 case 5: /* setpgid() */ 1944 e = AUE_SETPGID; 1945 break; 1946 1947 case 0: /* getpgrp() - not security relevant */ 1948 case 2: /* getsid() - not security relevant */ 1949 case 4: /* getpgid() - not security relevant */ 1950 e = AUE_NULL; 1951 break; 1952 1953 default: 1954 e = AUE_NULL; 1955 break; 1956 } 1957 1958 return (e); 1959 } 1960 1961 /*ARGSUSED*/ 1962 static void 1963 aus_setpgrp(struct t_audit_data *tad) 1964 { 1965 klwp_t *clwp = ttolwp(curthread); 1966 pid_t pgid; 1967 struct proc *p; 1968 uid_t uid, ruid; 1969 gid_t gid, rgid; 1970 pid_t pid; 1971 cred_t *cr; 1972 int flag; 1973 const auditinfo_addr_t *ainfo; 1974 1975 struct a { 1976 long flag; 1977 long pid; 1978 long pgid; 1979 } *uap = (struct a *)clwp->lwp_ap; 1980 1981 flag = (int)uap->flag; 1982 pid = (pid_t)uap->pid; 1983 pgid = (pid_t)uap->pgid; 1984 1985 1986 switch (flag) { 1987 1988 case 0: /* getpgrp() */ 1989 case 1: /* setpgrp() */ 1990 case 2: /* getsid() */ 1991 case 3: /* setsid() */ 1992 case 4: /* getpgid() */ 1993 break; 1994 1995 case 5: /* setpgid() */ 1996 1997 /* current process? */ 1998 if (pid == 0) { 1999 return; 2000 } 2001 2002 mutex_enter(&pidlock); 2003 p = prfind(pid); 2004 if (p == NULL || p->p_as == &kas || 2005 p->p_stat == SIDL || p->p_stat == SZOMB) { 2006 mutex_exit(&pidlock); 2007 return; 2008 } 2009 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2010 mutex_exit(&pidlock); 2011 2012 mutex_enter(&p->p_crlock); 2013 crhold(cr = p->p_cred); 2014 mutex_exit(&p->p_crlock); 2015 mutex_exit(&p->p_lock); 2016 2017 ainfo = crgetauinfo(cr); 2018 if (ainfo == NULL) { 2019 crfree(cr); 2020 return; 2021 } 2022 2023 uid = crgetuid(cr); 2024 gid = crgetgid(cr); 2025 ruid = crgetruid(cr); 2026 rgid = crgetrgid(cr); 2027 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2028 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2029 crfree(cr); 2030 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2031 break; 2032 2033 default: 2034 break; 2035 } 2036 } 2037 2038 2039 /*ARGSUSED*/ 2040 static void 2041 aus_setregid(struct t_audit_data *tad) 2042 { 2043 klwp_t *clwp = ttolwp(curthread); 2044 uint32_t rgid, egid; 2045 2046 struct a { 2047 long rgid; 2048 long egid; 2049 } *uap = (struct a *)clwp->lwp_ap; 2050 2051 rgid = (uint32_t)uap->rgid; 2052 egid = (uint32_t)uap->egid; 2053 2054 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2055 au_uwrite(au_to_arg32(2, "egid", egid)); 2056 } 2057 2058 /*ARGSUSED*/ 2059 static void 2060 aus_setgid(struct t_audit_data *tad) 2061 { 2062 klwp_t *clwp = ttolwp(curthread); 2063 uint32_t gid; 2064 2065 struct a { 2066 long gid; 2067 } *uap = (struct a *)clwp->lwp_ap; 2068 2069 gid = (uint32_t)uap->gid; 2070 2071 au_uwrite(au_to_arg32(1, "gid", gid)); 2072 } 2073 2074 2075 /*ARGSUSED*/ 2076 static void 2077 aus_setreuid(struct t_audit_data *tad) 2078 { 2079 klwp_t *clwp = ttolwp(curthread); 2080 uint32_t ruid, euid; 2081 2082 struct a { 2083 long ruid; 2084 long euid; 2085 } *uap = (struct a *)clwp->lwp_ap; 2086 2087 ruid = (uint32_t)uap->ruid; 2088 euid = (uint32_t)uap->euid; 2089 2090 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2091 au_uwrite(au_to_arg32(2, "euid", euid)); 2092 } 2093 2094 2095 /*ARGSUSED*/ 2096 static void 2097 aus_setuid(struct t_audit_data *tad) 2098 { 2099 klwp_t *clwp = ttolwp(curthread); 2100 uint32_t uid; 2101 2102 struct a { 2103 long uid; 2104 } *uap = (struct a *)clwp->lwp_ap; 2105 2106 uid = (uint32_t)uap->uid; 2107 2108 au_uwrite(au_to_arg32(1, "uid", uid)); 2109 } 2110 2111 /*ARGSUSED*/ 2112 static void 2113 aus_shmsys(struct t_audit_data *tad) 2114 { 2115 klwp_t *clwp = ttolwp(curthread); 2116 uint32_t id, cmd; 2117 2118 struct b { 2119 long id; 2120 long cmd; 2121 long buf; /* struct shmid_ds * */ 2122 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2123 2124 id = (uint32_t)uap1->id; 2125 cmd = (uint32_t)uap1->cmd; 2126 2127 switch (tad->tad_event) { 2128 case AUE_SHMGET: /* shmget */ 2129 au_uwrite(au_to_arg32(1, "shm key", id)); 2130 break; 2131 case AUE_SHMCTL: /* shmctl */ 2132 case AUE_SHMCTL_RMID: /* shmctl */ 2133 case AUE_SHMCTL_STAT: /* shmctl */ 2134 case AUE_SHMCTL_SET: /* shmctl */ 2135 au_uwrite(au_to_arg32(1, "shm ID", id)); 2136 break; 2137 case AUE_SHMDT: /* shmdt */ 2138 au_uwrite(au_to_arg32(1, "shm adr", id)); 2139 break; 2140 case AUE_SHMAT: /* shmat */ 2141 au_uwrite(au_to_arg32(1, "shm ID", id)); 2142 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2143 break; 2144 } 2145 } 2146 2147 /*ARGSUSED*/ 2148 static void 2149 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2150 { 2151 int id; 2152 2153 if (error != 0) 2154 return; 2155 if (tad->tad_event == AUE_SHMGET) { 2156 uint32_t scid; 2157 uint32_t sy_flags; 2158 2159 /* need to determine type of executing binary */ 2160 scid = tad->tad_scid; 2161 #ifdef _SYSCALL32_IMPL 2162 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2163 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2164 else 2165 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2166 #else 2167 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2168 #endif 2169 if (sy_flags == SE_32RVAL1) 2170 id = rval->r_val1; 2171 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2172 id = rval->r_val1; 2173 if (sy_flags == SE_64RVAL) 2174 id = (int)rval->r_vals; 2175 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2176 } 2177 } 2178 2179 2180 /*ARGSUSED*/ 2181 static void 2182 aus_ioctl(struct t_audit_data *tad) 2183 { 2184 klwp_t *clwp = ttolwp(curthread); 2185 struct file *fp; 2186 struct vnode *vp; 2187 struct f_audit_data *fad; 2188 uint32_t fd, cmd; 2189 uintptr_t cmarg; 2190 2191 /* XX64 */ 2192 struct a { 2193 long fd; 2194 long cmd; 2195 long cmarg; /* caddr_t */ 2196 } *uap = (struct a *)clwp->lwp_ap; 2197 2198 fd = (uint32_t)uap->fd; 2199 cmd = (uint32_t)uap->cmd; 2200 cmarg = (uintptr_t)uap->cmarg; 2201 2202 /* 2203 * convert file pointer to file descriptor 2204 * Note: fd ref count incremented here. 2205 */ 2206 if ((fp = getf(fd)) == NULL) { 2207 au_uwrite(au_to_arg32(1, "fd", fd)); 2208 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2209 #ifndef _LP64 2210 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2211 #else 2212 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2213 #endif 2214 return; 2215 } 2216 2217 /* get path from file struct here */ 2218 fad = F2A(fp); 2219 if (fad->fad_aupath != NULL) { 2220 au_uwrite(au_to_path(fad->fad_aupath)); 2221 } else { 2222 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2223 } 2224 2225 vp = fp->f_vnode; 2226 audit_attributes(vp); 2227 2228 /* decrement file descriptor reference count */ 2229 releasef(fd); 2230 2231 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2232 #ifndef _LP64 2233 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2234 #else 2235 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2236 #endif 2237 } 2238 2239 /* 2240 * null function for memcntl for now. We might want to limit memcntl() 2241 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2242 * require privileges. 2243 */ 2244 static au_event_t 2245 aui_memcntl(au_event_t e) 2246 { 2247 return (e); 2248 } 2249 2250 /*ARGSUSED*/ 2251 static au_event_t 2252 aui_privsys(au_event_t e) 2253 { 2254 klwp_t *clwp = ttolwp(curthread); 2255 2256 struct a { 2257 long opcode; 2258 } *uap = (struct a *)clwp->lwp_ap; 2259 2260 switch (uap->opcode) { 2261 case PRIVSYS_SETPPRIV: 2262 return (AUE_SETPPRIV); 2263 default: 2264 return (AUE_NULL); 2265 } 2266 } 2267 2268 /*ARGSUSED*/ 2269 static void 2270 aus_memcntl(struct t_audit_data *tad) 2271 { 2272 klwp_t *clwp = ttolwp(curthread); 2273 2274 struct a { 2275 long addr; 2276 long len; 2277 long cmd; 2278 long arg; 2279 long attr; 2280 long mask; 2281 } *uap = (struct a *)clwp->lwp_ap; 2282 2283 #ifdef _LP64 2284 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2285 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2286 #else 2287 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2288 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2289 #endif 2290 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2291 #ifdef _LP64 2292 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2293 #else 2294 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2295 #endif 2296 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2297 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2298 } 2299 2300 /*ARGSUSED*/ 2301 static void 2302 aus_mmap(struct t_audit_data *tad) 2303 { 2304 klwp_t *clwp = ttolwp(curthread); 2305 struct file *fp; 2306 struct f_audit_data *fad; 2307 struct vnode *vp; 2308 uint32_t fd; 2309 2310 struct a { 2311 long addr; 2312 long len; 2313 long prot; 2314 long flags; 2315 long fd; 2316 long pos; 2317 } *uap = (struct a *)clwp->lwp_ap; 2318 2319 fd = (uint32_t)uap->fd; 2320 2321 #ifdef _LP64 2322 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2323 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2324 #else 2325 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2326 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2327 #endif 2328 2329 if ((fp = getf(fd)) == NULL) { 2330 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2331 return; 2332 } 2333 2334 /* 2335 * Mark in the tad if write access is NOT requested... if 2336 * this is later detected (in audit_attributes) to be a 2337 * public object, the mmap event may be discarded. 2338 */ 2339 if (((uap->prot) & PROT_WRITE) == 0) { 2340 tad->tad_ctrl |= PAD_PUBLIC_EV; 2341 } 2342 2343 fad = F2A(fp); 2344 if (fad->fad_aupath != NULL) { 2345 au_uwrite(au_to_path(fad->fad_aupath)); 2346 } else { 2347 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2348 } 2349 2350 vp = (struct vnode *)fp->f_vnode; 2351 audit_attributes(vp); 2352 2353 /* mark READ/WRITE since we can't predict access */ 2354 if (uap->prot & PROT_READ) 2355 fad->fad_flags |= FAD_READ; 2356 if (uap->prot & PROT_WRITE) 2357 fad->fad_flags |= FAD_WRITE; 2358 2359 /* decrement file descriptor reference count */ 2360 releasef(fd); 2361 2362 } /* AUS_MMAP */ 2363 2364 2365 2366 2367 /*ARGSUSED*/ 2368 static void 2369 aus_munmap(struct t_audit_data *tad) 2370 { 2371 klwp_t *clwp = ttolwp(curthread); 2372 2373 struct a { 2374 long addr; 2375 long len; 2376 } *uap = (struct a *)clwp->lwp_ap; 2377 2378 #ifdef _LP64 2379 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2380 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2381 #else 2382 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2383 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2384 #endif 2385 2386 } /* AUS_MUNMAP */ 2387 2388 2389 2390 2391 2392 2393 2394 /*ARGSUSED*/ 2395 static void 2396 aus_priocntlsys(struct t_audit_data *tad) 2397 { 2398 klwp_t *clwp = ttolwp(curthread); 2399 2400 struct a { 2401 long pc_version; 2402 long psp; /* procset_t */ 2403 long cmd; 2404 long arg; 2405 } *uap = (struct a *)clwp->lwp_ap; 2406 2407 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2408 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2409 2410 } /* AUS_PRIOCNTLSYS */ 2411 2412 2413 /*ARGSUSED*/ 2414 static void 2415 aus_setegid(struct t_audit_data *tad) 2416 { 2417 klwp_t *clwp = ttolwp(curthread); 2418 uint32_t gid; 2419 2420 struct a { 2421 long gid; 2422 } *uap = (struct a *)clwp->lwp_ap; 2423 2424 gid = (uint32_t)uap->gid; 2425 2426 au_uwrite(au_to_arg32(1, "gid", gid)); 2427 } /* AUS_SETEGID */ 2428 2429 2430 2431 2432 /*ARGSUSED*/ 2433 static void 2434 aus_setgroups(struct t_audit_data *tad) 2435 { 2436 klwp_t *clwp = ttolwp(curthread); 2437 int i; 2438 int gidsetsize; 2439 uintptr_t gidset; 2440 gid_t *gidlist; 2441 2442 struct a { 2443 long gidsetsize; 2444 long gidset; 2445 } *uap = (struct a *)clwp->lwp_ap; 2446 2447 gidsetsize = (uint_t)uap->gidsetsize; 2448 gidset = (uintptr_t)uap->gidset; 2449 2450 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2451 return; 2452 if (gidsetsize != 0) { 2453 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2454 KM_SLEEP); 2455 if (copyin((caddr_t)gidset, gidlist, 2456 gidsetsize * sizeof (gid_t)) == 0) 2457 for (i = 0; i < gidsetsize; i++) 2458 au_uwrite(au_to_arg32(1, "setgroups", 2459 (uint32_t)gidlist[i])); 2460 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2461 } else 2462 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2463 2464 } /* AUS_SETGROUPS */ 2465 2466 2467 2468 2469 2470 /*ARGSUSED*/ 2471 static void 2472 aus_seteuid(struct t_audit_data *tad) 2473 { 2474 klwp_t *clwp = ttolwp(curthread); 2475 uint32_t uid; 2476 2477 struct a { 2478 long uid; 2479 } *uap = (struct a *)clwp->lwp_ap; 2480 2481 uid = (uint32_t)uap->uid; 2482 2483 au_uwrite(au_to_arg32(1, "euid", uid)); 2484 2485 } /* AUS_SETEUID */ 2486 2487 /*ARGSUSED*/ 2488 static void 2489 aus_putmsg(struct t_audit_data *tad) 2490 { 2491 klwp_t *clwp = ttolwp(curthread); 2492 uint32_t fd, pri; 2493 struct file *fp; 2494 struct f_audit_data *fad; 2495 2496 struct a { 2497 long fdes; 2498 long ctl; /* struct strbuf * */ 2499 long data; /* struct strbuf * */ 2500 long pri; 2501 } *uap = (struct a *)clwp->lwp_ap; 2502 2503 fd = (uint32_t)uap->fdes; 2504 pri = (uint32_t)uap->pri; 2505 2506 au_uwrite(au_to_arg32(1, "fd", fd)); 2507 2508 if ((fp = getf(fd)) != NULL) { 2509 fad = F2A(fp); 2510 2511 fad->fad_flags |= FAD_WRITE; 2512 2513 /* add path name to audit record */ 2514 if (fad->fad_aupath != NULL) { 2515 au_uwrite(au_to_path(fad->fad_aupath)); 2516 } 2517 audit_attributes(fp->f_vnode); 2518 2519 releasef(fd); 2520 } 2521 2522 au_uwrite(au_to_arg32(4, "pri", pri)); 2523 } 2524 2525 /*ARGSUSED*/ 2526 static void 2527 aus_putpmsg(struct t_audit_data *tad) 2528 { 2529 klwp_t *clwp = ttolwp(curthread); 2530 uint32_t fd, pri, flags; 2531 struct file *fp; 2532 struct f_audit_data *fad; 2533 2534 struct a { 2535 long fdes; 2536 long ctl; /* struct strbuf * */ 2537 long data; /* struct strbuf * */ 2538 long pri; 2539 long flags; 2540 } *uap = (struct a *)clwp->lwp_ap; 2541 2542 fd = (uint32_t)uap->fdes; 2543 pri = (uint32_t)uap->pri; 2544 flags = (uint32_t)uap->flags; 2545 2546 au_uwrite(au_to_arg32(1, "fd", fd)); 2547 2548 if ((fp = getf(fd)) != NULL) { 2549 fad = F2A(fp); 2550 2551 fad->fad_flags |= FAD_WRITE; 2552 2553 /* add path name to audit record */ 2554 if (fad->fad_aupath != NULL) { 2555 au_uwrite(au_to_path(fad->fad_aupath)); 2556 } 2557 audit_attributes(fp->f_vnode); 2558 2559 releasef(fd); 2560 } 2561 2562 2563 au_uwrite(au_to_arg32(4, "pri", pri)); 2564 au_uwrite(au_to_arg32(5, "flags", flags)); 2565 } 2566 2567 /*ARGSUSED*/ 2568 static void 2569 aus_getmsg(struct t_audit_data *tad) 2570 { 2571 klwp_t *clwp = ttolwp(curthread); 2572 uint32_t fd, pri; 2573 struct file *fp; 2574 struct f_audit_data *fad; 2575 2576 struct a { 2577 long fdes; 2578 long ctl; /* struct strbuf * */ 2579 long data; /* struct strbuf * */ 2580 long pri; 2581 } *uap = (struct a *)clwp->lwp_ap; 2582 2583 fd = (uint32_t)uap->fdes; 2584 pri = (uint32_t)uap->pri; 2585 2586 au_uwrite(au_to_arg32(1, "fd", fd)); 2587 2588 if ((fp = getf(fd)) != NULL) { 2589 fad = F2A(fp); 2590 2591 /* 2592 * read operation on this object 2593 */ 2594 fad->fad_flags |= FAD_READ; 2595 2596 /* add path name to audit record */ 2597 if (fad->fad_aupath != NULL) { 2598 au_uwrite(au_to_path(fad->fad_aupath)); 2599 } 2600 audit_attributes(fp->f_vnode); 2601 2602 releasef(fd); 2603 } 2604 2605 au_uwrite(au_to_arg32(4, "pri", pri)); 2606 } 2607 2608 /*ARGSUSED*/ 2609 static void 2610 aus_getpmsg(struct t_audit_data *tad) 2611 { 2612 klwp_t *clwp = ttolwp(curthread); 2613 uint32_t fd; 2614 struct file *fp; 2615 struct f_audit_data *fad; 2616 2617 struct a { 2618 long fdes; 2619 long ctl; /* struct strbuf * */ 2620 long data; /* struct strbuf * */ 2621 long pri; 2622 long flags; 2623 } *uap = (struct a *)clwp->lwp_ap; 2624 2625 fd = (uint32_t)uap->fdes; 2626 2627 au_uwrite(au_to_arg32(1, "fd", fd)); 2628 2629 if ((fp = getf(fd)) != NULL) { 2630 fad = F2A(fp); 2631 2632 /* 2633 * read operation on this object 2634 */ 2635 fad->fad_flags |= FAD_READ; 2636 2637 /* add path name to audit record */ 2638 if (fad->fad_aupath != NULL) { 2639 au_uwrite(au_to_path(fad->fad_aupath)); 2640 } 2641 audit_attributes(fp->f_vnode); 2642 2643 releasef(fd); 2644 } 2645 } 2646 2647 static au_event_t 2648 aui_labelsys(au_event_t e) 2649 { 2650 klwp_t *clwp = ttolwp(curthread); 2651 uint32_t code; 2652 uint32_t cmd; 2653 2654 struct a { 2655 long code; 2656 long cmd; 2657 } *uap = (struct a *)clwp->lwp_ap; 2658 2659 code = (uint32_t)uap->code; 2660 cmd = (uint32_t)uap->cmd; 2661 2662 /* not security relevant if not changing kernel cache */ 2663 if (cmd == TNDB_GET) 2664 return (AUE_NULL); 2665 2666 switch (code) { 2667 case TSOL_TNRH: 2668 e = AUE_LABELSYS_TNRH; 2669 break; 2670 case TSOL_TNRHTP: 2671 e = AUE_LABELSYS_TNRHTP; 2672 break; 2673 case TSOL_TNMLP: 2674 e = AUE_LABELSYS_TNMLP; 2675 break; 2676 default: 2677 e = AUE_NULL; 2678 break; 2679 } 2680 2681 return (e); 2682 2683 } 2684 2685 static void 2686 aus_labelsys(struct t_audit_data *tad) 2687 { 2688 klwp_t *clwp = ttolwp(curthread); 2689 uint32_t cmd; 2690 uintptr_t a2; 2691 2692 struct a { 2693 long code; 2694 long cmd; 2695 long a2; 2696 } *uap = (struct a *)clwp->lwp_ap; 2697 2698 cmd = (uint32_t)uap->cmd; 2699 a2 = (uintptr_t)uap->a2; 2700 2701 switch (tad->tad_event) { 2702 case AUE_LABELSYS_TNRH: 2703 { 2704 tsol_rhent_t *rhent; 2705 tnaddr_t *rh_addr; 2706 2707 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2708 2709 /* Remaining args don't apply for FLUSH, so skip */ 2710 if (cmd == TNDB_FLUSH) 2711 break; 2712 2713 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2714 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2715 kmem_free(rhent, sizeof (tsol_rhent_t)); 2716 return; 2717 } 2718 2719 rh_addr = &rhent->rh_address; 2720 if (rh_addr->ta_family == AF_INET) { 2721 struct in_addr *ipaddr; 2722 2723 ipaddr = &(rh_addr->ta_addr_v4); 2724 au_uwrite(au_to_in_addr(ipaddr)); 2725 } else if (rh_addr->ta_family == AF_INET6) { 2726 int32_t *ipaddr; 2727 2728 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2729 au_uwrite(au_to_in_addr_ex(ipaddr)); 2730 } 2731 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2732 2733 kmem_free(rhent, sizeof (tsol_rhent_t)); 2734 2735 break; 2736 } 2737 case AUE_LABELSYS_TNRHTP: 2738 { 2739 tsol_tpent_t *tpent; 2740 2741 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2742 2743 /* Remaining args don't apply for FLUSH, so skip */ 2744 if (cmd == TNDB_FLUSH) 2745 break; 2746 2747 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2748 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2749 kmem_free(tpent, sizeof (tsol_tpent_t)); 2750 return; 2751 } 2752 2753 /* Make sure that the template name is null-terminated. */ 2754 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2755 2756 au_uwrite(au_to_text(tpent->name)); 2757 kmem_free(tpent, sizeof (tsol_tpent_t)); 2758 2759 break; 2760 } 2761 case AUE_LABELSYS_TNMLP: 2762 { 2763 tsol_mlpent_t *mlpent; 2764 2765 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2766 2767 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2768 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2769 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2770 return; 2771 } 2772 2773 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2774 au_uwrite(au_to_text("shared")); 2775 } else { 2776 zone_t *zone; 2777 2778 zone = zone_find_by_id(mlpent->tsme_zoneid); 2779 if (zone != NULL) { 2780 au_uwrite(au_to_text(zone->zone_name)); 2781 zone_rele(zone); 2782 } 2783 } 2784 2785 /* Remaining args don't apply for FLUSH, so skip */ 2786 if (cmd == TNDB_FLUSH) { 2787 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2788 break; 2789 } 2790 2791 au_uwrite(au_to_arg32(2, "proto num", 2792 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2793 au_uwrite(au_to_arg32(2, "mlp_port", 2794 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2795 2796 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2797 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2798 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2799 2800 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2801 2802 break; 2803 } 2804 default: 2805 break; 2806 } 2807 } 2808 2809 2810 static au_event_t 2811 aui_auditsys(au_event_t e) 2812 { 2813 klwp_t *clwp = ttolwp(curthread); 2814 uint32_t code; 2815 2816 struct a { 2817 long code; 2818 long a1; 2819 long a2; 2820 long a3; 2821 long a4; 2822 long a5; 2823 long a6; 2824 long a7; 2825 } *uap = (struct a *)clwp->lwp_ap; 2826 2827 code = (uint32_t)uap->code; 2828 2829 switch (code) { 2830 2831 case BSM_GETAUID: 2832 e = AUE_GETAUID; 2833 break; 2834 case BSM_SETAUID: 2835 e = AUE_SETAUID; 2836 break; 2837 case BSM_GETAUDIT: 2838 e = AUE_GETAUDIT; 2839 break; 2840 case BSM_GETAUDIT_ADDR: 2841 e = AUE_GETAUDIT_ADDR; 2842 break; 2843 case BSM_SETAUDIT: 2844 e = AUE_SETAUDIT; 2845 break; 2846 case BSM_SETAUDIT_ADDR: 2847 e = AUE_SETAUDIT_ADDR; 2848 break; 2849 case BSM_AUDIT: 2850 e = AUE_AUDIT; 2851 break; 2852 case BSM_AUDITON: 2853 case BSM_AUDITCTL: 2854 2855 switch ((uint_t)uap->a1) { 2856 2857 case A_GETPOLICY: 2858 e = AUE_AUDITON_GPOLICY; 2859 break; 2860 case A_SETPOLICY: 2861 e = AUE_AUDITON_SPOLICY; 2862 break; 2863 case A_GETKMASK: 2864 e = AUE_AUDITON_GETKMASK; 2865 break; 2866 case A_SETKMASK: 2867 e = AUE_AUDITON_SETKMASK; 2868 break; 2869 case A_GETQCTRL: 2870 e = AUE_AUDITON_GQCTRL; 2871 break; 2872 case A_SETQCTRL: 2873 e = AUE_AUDITON_SQCTRL; 2874 break; 2875 case A_GETCWD: 2876 e = AUE_AUDITON_GETCWD; 2877 break; 2878 case A_GETCAR: 2879 e = AUE_AUDITON_GETCAR; 2880 break; 2881 case A_GETSTAT: 2882 e = AUE_AUDITON_GETSTAT; 2883 break; 2884 case A_SETSTAT: 2885 e = AUE_AUDITON_SETSTAT; 2886 break; 2887 case A_SETUMASK: 2888 e = AUE_AUDITON_SETUMASK; 2889 break; 2890 case A_SETSMASK: 2891 e = AUE_AUDITON_SETSMASK; 2892 break; 2893 case A_GETCOND: 2894 e = AUE_AUDITON_GETCOND; 2895 break; 2896 case A_SETCOND: 2897 e = AUE_AUDITON_SETCOND; 2898 break; 2899 case A_GETCLASS: 2900 e = AUE_AUDITON_GETCLASS; 2901 break; 2902 case A_SETCLASS: 2903 e = AUE_AUDITON_SETCLASS; 2904 break; 2905 default: 2906 e = AUE_NULL; 2907 break; 2908 } 2909 break; 2910 default: 2911 e = AUE_NULL; 2912 break; 2913 } 2914 2915 return (e); 2916 2917 } /* AUI_AUDITSYS */ 2918 2919 2920 static void 2921 aus_auditsys(struct t_audit_data *tad) 2922 { 2923 klwp_t *clwp = ttolwp(curthread); 2924 uintptr_t a1, a2; 2925 STRUCT_DECL(auditinfo, ainfo); 2926 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2927 au_evclass_map_t event; 2928 au_mask_t mask; 2929 int auditstate, policy; 2930 au_id_t auid; 2931 2932 2933 struct a { 2934 long code; 2935 long a1; 2936 long a2; 2937 long a3; 2938 long a4; 2939 long a5; 2940 long a6; 2941 long a7; 2942 } *uap = (struct a *)clwp->lwp_ap; 2943 2944 a1 = (uintptr_t)uap->a1; 2945 a2 = (uintptr_t)uap->a2; 2946 2947 switch (tad->tad_event) { 2948 case AUE_SETAUID: 2949 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2950 return; 2951 au_uwrite(au_to_arg32(2, "setauid", auid)); 2952 break; 2953 case AUE_SETAUDIT: 2954 STRUCT_INIT(ainfo, get_udatamodel()); 2955 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2956 STRUCT_SIZE(ainfo))) { 2957 return; 2958 } 2959 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2960 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2961 #ifdef _LP64 2962 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2963 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2964 #else 2965 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2966 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2967 #endif 2968 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2969 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2970 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2971 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2972 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2973 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2974 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2975 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2976 break; 2977 case AUE_SETAUDIT_ADDR: 2978 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2979 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2980 STRUCT_SIZE(ainfo_addr))) { 2981 return; 2982 } 2983 au_uwrite(au_to_arg32((char)1, "auid", 2984 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2985 #ifdef _LP64 2986 au_uwrite(au_to_arg64((char)1, "port", 2987 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2988 #else 2989 au_uwrite(au_to_arg32((char)1, "port", 2990 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2991 #endif 2992 au_uwrite(au_to_arg32((char)1, "type", 2993 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2994 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2995 AU_IPv4) { 2996 au_uwrite(au_to_in_addr( 2997 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2998 ai_termid.at_addr))); 2999 } else { 3000 au_uwrite(au_to_in_addr_ex( 3001 (int32_t *)STRUCT_FGETP(ainfo_addr, 3002 ai_termid.at_addr))); 3003 } 3004 au_uwrite(au_to_arg32((char)1, "as_success", 3005 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3006 au_uwrite(au_to_arg32((char)1, "as_failure", 3007 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3008 au_uwrite(au_to_arg32((char)1, "asid", 3009 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3010 break; 3011 case AUE_AUDITON_SETKMASK: 3012 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3013 return; 3014 au_uwrite(au_to_arg32( 3015 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3016 au_uwrite(au_to_arg32( 3017 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3018 break; 3019 case AUE_AUDITON_SPOLICY: 3020 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3021 return; 3022 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3023 break; 3024 case AUE_AUDITON_SQCTRL: { 3025 STRUCT_DECL(au_qctrl, qctrl); 3026 model_t model; 3027 3028 model = get_udatamodel(); 3029 STRUCT_INIT(qctrl, model); 3030 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3031 return; 3032 if (model == DATAMODEL_ILP32) { 3033 au_uwrite(au_to_arg32( 3034 3, "setqctrl:aq_hiwater", 3035 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3036 au_uwrite(au_to_arg32( 3037 3, "setqctrl:aq_lowater", 3038 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3039 au_uwrite(au_to_arg32( 3040 3, "setqctrl:aq_bufsz", 3041 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3042 au_uwrite(au_to_arg32( 3043 3, "setqctrl:aq_delay", 3044 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3045 } else { 3046 au_uwrite(au_to_arg64( 3047 3, "setqctrl:aq_hiwater", 3048 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3049 au_uwrite(au_to_arg64( 3050 3, "setqctrl:aq_lowater", 3051 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3052 au_uwrite(au_to_arg64( 3053 3, "setqctrl:aq_bufsz", 3054 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3055 au_uwrite(au_to_arg64( 3056 3, "setqctrl:aq_delay", 3057 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3058 } 3059 break; 3060 } 3061 case AUE_AUDITON_SETUMASK: 3062 STRUCT_INIT(ainfo, get_udatamodel()); 3063 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3064 STRUCT_SIZE(ainfo))) { 3065 return; 3066 } 3067 au_uwrite(au_to_arg32(3, "setumask:as_success", 3068 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3069 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3070 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3071 break; 3072 case AUE_AUDITON_SETSMASK: 3073 STRUCT_INIT(ainfo, get_udatamodel()); 3074 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3075 STRUCT_SIZE(ainfo))) { 3076 return; 3077 } 3078 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3079 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3080 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3081 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3082 break; 3083 case AUE_AUDITON_SETCOND: 3084 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3085 return; 3086 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3087 break; 3088 case AUE_AUDITON_SETCLASS: 3089 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3090 return; 3091 au_uwrite(au_to_arg32( 3092 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3093 au_uwrite(au_to_arg32( 3094 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3095 break; 3096 case AUE_GETAUID: 3097 case AUE_GETAUDIT: 3098 case AUE_GETAUDIT_ADDR: 3099 case AUE_AUDIT: 3100 case AUE_AUDITON_GPOLICY: 3101 case AUE_AUDITON_GQCTRL: 3102 case AUE_AUDITON_GETKMASK: 3103 case AUE_AUDITON_GETCWD: 3104 case AUE_AUDITON_GETCAR: 3105 case AUE_AUDITON_GETSTAT: 3106 case AUE_AUDITON_SETSTAT: 3107 case AUE_AUDITON_GETCOND: 3108 case AUE_AUDITON_GETCLASS: 3109 break; 3110 default: 3111 break; 3112 } 3113 3114 } /* AUS_AUDITSYS */ 3115 3116 3117 /* only audit privileged operations for systeminfo(2) system call */ 3118 static au_event_t 3119 aui_sysinfo(au_event_t e) 3120 { 3121 klwp_t *clwp = ttolwp(curthread); 3122 uint32_t command; 3123 3124 struct a { 3125 long command; 3126 long buf; /* char * */ 3127 long count; 3128 } *uap = (struct a *)clwp->lwp_ap; 3129 3130 command = (uint32_t)uap->command; 3131 3132 switch (command) { 3133 case SI_SET_HOSTNAME: 3134 case SI_SET_SRPC_DOMAIN: 3135 e = (au_event_t)AUE_SYSINFO; 3136 break; 3137 default: 3138 e = (au_event_t)AUE_NULL; 3139 break; 3140 } 3141 return (e); 3142 } 3143 3144 /*ARGSUSED*/ 3145 static void 3146 aus_sysinfo(struct t_audit_data *tad) 3147 { 3148 klwp_t *clwp = ttolwp(curthread); 3149 uint32_t command; 3150 size_t len, maxlen; 3151 char *name; 3152 uintptr_t buf; 3153 3154 struct a { 3155 long command; 3156 long buf; /* char * */ 3157 long count; 3158 } *uap = (struct a *)clwp->lwp_ap; 3159 3160 command = (uint32_t)uap->command; 3161 buf = (uintptr_t)uap->buf; 3162 3163 au_uwrite(au_to_arg32(1, "cmd", command)); 3164 3165 switch (command) { 3166 case SI_SET_HOSTNAME: 3167 { 3168 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3169 return; 3170 3171 maxlen = SYS_NMLN; 3172 name = kmem_alloc(maxlen, KM_SLEEP); 3173 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3174 break; 3175 3176 /* 3177 * Must be non-NULL string and string 3178 * must be less than SYS_NMLN chars. 3179 */ 3180 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3181 break; 3182 3183 au_uwrite(au_to_text(name)); 3184 break; 3185 } 3186 3187 case SI_SET_SRPC_DOMAIN: 3188 { 3189 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3190 return; 3191 3192 maxlen = SYS_NMLN; 3193 name = kmem_alloc(maxlen, KM_SLEEP); 3194 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3195 break; 3196 3197 /* 3198 * If string passed in is longer than length 3199 * allowed for domain name, fail. 3200 */ 3201 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3202 break; 3203 3204 au_uwrite(au_to_text(name)); 3205 break; 3206 } 3207 3208 default: 3209 return; 3210 } 3211 3212 kmem_free(name, maxlen); 3213 } 3214 3215 static au_event_t 3216 aui_modctl(au_event_t e) 3217 { 3218 klwp_t *clwp = ttolwp(curthread); 3219 uint_t cmd; 3220 3221 struct a { 3222 long cmd; 3223 } *uap = (struct a *)clwp->lwp_ap; 3224 3225 cmd = (uint_t)uap->cmd; 3226 3227 switch (cmd) { 3228 case MODLOAD: 3229 e = AUE_MODLOAD; 3230 break; 3231 case MODUNLOAD: 3232 e = AUE_MODUNLOAD; 3233 break; 3234 case MODADDMAJBIND: 3235 e = AUE_MODADDMAJ; 3236 break; 3237 case MODSETDEVPOLICY: 3238 e = AUE_MODDEVPLCY; 3239 break; 3240 case MODALLOCPRIV: 3241 e = AUE_MODADDPRIV; 3242 break; 3243 default: 3244 e = AUE_NULL; 3245 break; 3246 } 3247 return (e); 3248 } 3249 3250 3251 /*ARGSUSED*/ 3252 static void 3253 aus_modctl(struct t_audit_data *tad) 3254 { 3255 klwp_t *clwp = ttolwp(curthread); 3256 void *a = clwp->lwp_ap; 3257 uint_t use_path; 3258 3259 switch (tad->tad_event) { 3260 case AUE_MODLOAD: { 3261 typedef struct { 3262 long cmd; 3263 long use_path; 3264 long filename; /* char * */ 3265 } modloada_t; 3266 3267 char *filenamep; 3268 uintptr_t fname; 3269 extern char *default_path; 3270 3271 fname = (uintptr_t)((modloada_t *)a)->filename; 3272 use_path = (uint_t)((modloada_t *)a)->use_path; 3273 3274 /* space to hold path */ 3275 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3276 /* get string */ 3277 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3278 /* free allocated path */ 3279 kmem_free(filenamep, MOD_MAXPATH); 3280 return; 3281 } 3282 /* ensure it's null terminated */ 3283 filenamep[MOD_MAXPATH - 1] = 0; 3284 3285 if (use_path) 3286 au_uwrite(au_to_text(default_path)); 3287 au_uwrite(au_to_text(filenamep)); 3288 3289 /* release temporary memory */ 3290 kmem_free(filenamep, MOD_MAXPATH); 3291 break; 3292 } 3293 case AUE_MODUNLOAD: { 3294 typedef struct { 3295 long cmd; 3296 long id; 3297 } modunloada_t; 3298 3299 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3300 3301 au_uwrite(au_to_arg32(1, "id", id)); 3302 break; 3303 } 3304 case AUE_MODADDMAJ: { 3305 STRUCT_DECL(modconfig, mc); 3306 typedef struct { 3307 long cmd; 3308 long subcmd; 3309 long data; /* int * */ 3310 } modconfiga_t; 3311 3312 STRUCT_DECL(aliases, alias); 3313 caddr_t ap; 3314 int i, num_aliases; 3315 char *drvname, *mc_drvname; 3316 char *name; 3317 extern char *ddi_major_to_name(major_t); 3318 model_t model; 3319 3320 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3321 3322 model = get_udatamodel(); 3323 STRUCT_INIT(mc, model); 3324 /* sanitize buffer */ 3325 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3326 /* get user arguments */ 3327 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3328 STRUCT_SIZE(mc)) != 0) 3329 return; 3330 3331 mc_drvname = STRUCT_FGET(mc, drvname); 3332 if ((drvname = ddi_major_to_name( 3333 (major_t)STRUCT_FGET(mc, major))) != NULL && 3334 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3335 /* safety */ 3336 if (mc_drvname[0] != '\0') { 3337 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3338 au_uwrite(au_to_text(mc_drvname)); 3339 } 3340 /* drvname != NULL from test above */ 3341 au_uwrite(au_to_text(drvname)); 3342 return; 3343 } 3344 3345 if (mc_drvname[0] != '\0') { 3346 /* safety */ 3347 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3348 au_uwrite(au_to_text(mc_drvname)); 3349 } else 3350 au_uwrite(au_to_text("no drvname")); 3351 3352 num_aliases = STRUCT_FGET(mc, num_aliases); 3353 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3354 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3355 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3356 STRUCT_INIT(alias, model); 3357 for (i = 0; i < num_aliases; i++) { 3358 bzero((caddr_t)STRUCT_BUF(alias), 3359 STRUCT_SIZE(alias)); 3360 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3361 STRUCT_SIZE(alias)) != 0) 3362 break; 3363 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3364 MAXMODCONFNAME, NULL) != 0) { 3365 break; 3366 } 3367 3368 au_uwrite(au_to_text(name)); 3369 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3370 } 3371 kmem_free(name, MAXMODCONFNAME); 3372 break; 3373 } 3374 default: 3375 break; 3376 } 3377 } 3378 3379 3380 /*ARGSUSED*/ 3381 static void 3382 auf_accept( 3383 struct t_audit_data *tad, 3384 int error, 3385 rval_t *rval) 3386 { 3387 uint32_t scid; 3388 uint32_t sy_flags; 3389 int fd; 3390 struct sonode *so; 3391 char so_laddr[sizeof (struct sockaddr_in6)]; 3392 char so_faddr[sizeof (struct sockaddr_in6)]; 3393 int err; 3394 short so_family, so_type; 3395 int add_sock_token = 0; 3396 3397 /* need to determine type of executing binary */ 3398 scid = tad->tad_scid; 3399 #ifdef _SYSCALL32_IMPL 3400 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3401 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3402 else 3403 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3404 #else 3405 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3406 #endif 3407 if (sy_flags == SE_32RVAL1) 3408 fd = rval->r_val1; 3409 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3410 fd = rval->r_val1; 3411 if (sy_flags == SE_64RVAL) 3412 fd = (int)rval->r_vals; 3413 3414 if (error) { 3415 /* can't trust socket contents. Just return */ 3416 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3417 return; 3418 } 3419 3420 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3421 /* 3422 * not security relevant if doing a accept from non socket 3423 * so no extra tokens. Should probably turn off audit record 3424 * generation here. 3425 */ 3426 return; 3427 } 3428 3429 so_family = so->so_family; 3430 so_type = so->so_type; 3431 3432 switch (so_family) { 3433 case AF_INET: 3434 case AF_INET6: 3435 /* 3436 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3437 */ 3438 if (so->so_type == SOCK_STREAM) { 3439 socklen_t len; 3440 3441 bzero((void *)so_laddr, sizeof (so_laddr)); 3442 bzero((void *)so_faddr, sizeof (so_faddr)); 3443 3444 len = sizeof (so_laddr); 3445 (void) socket_getsockname(so, 3446 (struct sockaddr *)so_laddr, &len, CRED()); 3447 len = sizeof (so_faddr); 3448 (void) socket_getpeername(so, 3449 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3450 3451 add_sock_token = 1; 3452 } 3453 break; 3454 3455 default: 3456 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3457 break; 3458 } 3459 3460 releasef(fd); 3461 3462 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3463 3464 if (add_sock_token == 0) { 3465 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3466 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3467 return; 3468 } 3469 3470 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3471 3472 } 3473 3474 /*ARGSUSED*/ 3475 static void 3476 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3477 { 3478 struct a { 3479 long fd; 3480 long addr; 3481 long len; 3482 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3483 3484 struct sonode *so; 3485 char so_laddr[sizeof (struct sockaddr_in6)]; 3486 char so_faddr[sizeof (struct sockaddr_in6)]; 3487 int err, fd; 3488 socklen_t len; 3489 short so_family, so_type; 3490 int add_sock_token = 0; 3491 3492 fd = (int)uap->fd; 3493 3494 /* 3495 * bind failed, then nothing extra to add to audit record. 3496 */ 3497 if (error) { 3498 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3499 /* XXX may want to add failed address some day */ 3500 return; 3501 } 3502 3503 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3504 /* 3505 * not security relevant if doing a bind from non socket 3506 * so no extra tokens. Should probably turn off audit record 3507 * generation here. 3508 */ 3509 return; 3510 } 3511 3512 so_family = so->so_family; 3513 so_type = so->so_type; 3514 3515 switch (so_family) { 3516 case AF_INET: 3517 case AF_INET6: 3518 3519 bzero(so_faddr, sizeof (so_faddr)); 3520 len = sizeof (so_faddr); 3521 3522 (void) socket_getpeername(so, 3523 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3524 add_sock_token = 1; 3525 3526 break; 3527 3528 case AF_UNIX: 3529 /* token added by lookup */ 3530 break; 3531 default: 3532 /* AF_ROUTE, AF_KEY do not support accept */ 3533 break; 3534 } 3535 3536 releasef(fd); 3537 3538 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3539 3540 if (add_sock_token == 0) { 3541 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3542 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3543 return; 3544 } 3545 3546 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3547 3548 } 3549 3550 /*ARGSUSED*/ 3551 static void 3552 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3553 { 3554 struct a { 3555 long fd; 3556 long addr; 3557 long len; 3558 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3559 3560 struct sonode *so; 3561 char so_laddr[sizeof (struct sockaddr_in6)]; 3562 char so_faddr[sizeof (struct sockaddr_in6)]; 3563 int err, fd; 3564 socklen_t len; 3565 short so_family, so_type; 3566 int add_sock_token = 0; 3567 3568 fd = (int)uap->fd; 3569 3570 3571 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3572 /* 3573 * not security relevant if doing a connect from non socket 3574 * so no extra tokens. Should probably turn off audit record 3575 * generation here. 3576 */ 3577 return; 3578 } 3579 3580 so_family = so->so_family; 3581 so_type = so->so_type; 3582 3583 switch (so_family) { 3584 case AF_INET: 3585 case AF_INET6: 3586 3587 bzero(so_laddr, sizeof (so_laddr)); 3588 bzero(so_faddr, sizeof (so_faddr)); 3589 3590 len = sizeof (so_laddr); 3591 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3592 &len, CRED()); 3593 if (error) { 3594 if (uap->addr == NULL) 3595 break; 3596 if (uap->len <= 0) 3597 break; 3598 len = min(uap->len, sizeof (so_faddr)); 3599 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3600 break; 3601 #ifdef NOTYET 3602 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3603 #endif 3604 } else { 3605 /* sanity check on length */ 3606 len = sizeof (so_faddr); 3607 (void) socket_getpeername(so, 3608 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3609 } 3610 3611 add_sock_token = 1; 3612 3613 break; 3614 3615 case AF_UNIX: 3616 /* does a lookup on name */ 3617 break; 3618 3619 default: 3620 /* AF_ROUTE, AF_KEY do not support accept */ 3621 break; 3622 } 3623 3624 releasef(fd); 3625 3626 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3627 3628 if (add_sock_token == 0) { 3629 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3630 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3631 return; 3632 } 3633 3634 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3635 3636 } 3637 3638 /*ARGSUSED*/ 3639 static void 3640 aus_shutdown(struct t_audit_data *tad) 3641 { 3642 struct a { 3643 long fd; 3644 long how; 3645 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3646 3647 struct sonode *so; 3648 char so_laddr[sizeof (struct sockaddr_in6)]; 3649 char so_faddr[sizeof (struct sockaddr_in6)]; 3650 int err, fd; 3651 socklen_t len; 3652 short so_family, so_type; 3653 int add_sock_token = 0; 3654 file_t *fp; /* unix domain sockets */ 3655 struct f_audit_data *fad; /* unix domain sockets */ 3656 3657 fd = (int)uap->fd; 3658 3659 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3660 /* 3661 * not security relevant if doing a shutdown using non socket 3662 * so no extra tokens. Should probably turn off audit record 3663 * generation here. 3664 */ 3665 return; 3666 } 3667 3668 so_family = so->so_family; 3669 so_type = so->so_type; 3670 3671 switch (so_family) { 3672 case AF_INET: 3673 case AF_INET6: 3674 3675 bzero(so_laddr, sizeof (so_laddr)); 3676 bzero(so_faddr, sizeof (so_faddr)); 3677 3678 len = sizeof (so_laddr); 3679 (void) socket_getsockname(so, 3680 (struct sockaddr *)so_laddr, &len, CRED()); 3681 len = sizeof (so_faddr); 3682 (void) socket_getpeername(so, 3683 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3684 3685 add_sock_token = 1; 3686 3687 break; 3688 3689 case AF_UNIX: 3690 3691 /* get path from file struct here */ 3692 fad = F2A(fp); 3693 ASSERT(fad); 3694 3695 if (fad->fad_aupath != NULL) { 3696 au_uwrite(au_to_path(fad->fad_aupath)); 3697 } else { 3698 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3699 } 3700 3701 audit_attributes(fp->f_vnode); 3702 3703 break; 3704 3705 default: 3706 /* 3707 * AF_KEY and AF_ROUTE support shutdown. No socket token 3708 * added. 3709 */ 3710 break; 3711 } 3712 3713 releasef(fd); 3714 3715 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3716 3717 if (add_sock_token == 0) { 3718 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3719 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3720 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3721 return; 3722 } 3723 3724 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3725 3726 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3727 3728 } 3729 3730 /*ARGSUSED*/ 3731 static void 3732 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3733 { 3734 struct a { 3735 long fd; 3736 long level; 3737 long optname; 3738 long *optval; 3739 long optlen; 3740 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3741 3742 struct sonode *so; 3743 char so_laddr[sizeof (struct sockaddr_in6)]; 3744 char so_faddr[sizeof (struct sockaddr_in6)]; 3745 char val[AU_BUFSIZE]; 3746 int err, fd; 3747 socklen_t len; 3748 short so_family, so_type; 3749 int add_sock_token = 0; 3750 file_t *fp; /* unix domain sockets */ 3751 struct f_audit_data *fad; /* unix domain sockets */ 3752 3753 fd = (int)uap->fd; 3754 3755 if (error) { 3756 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3757 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3758 /* XXX may want to include other arguments */ 3759 return; 3760 } 3761 3762 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3763 /* 3764 * not security relevant if doing a setsockopt from non socket 3765 * so no extra tokens. Should probably turn off audit record 3766 * generation here. 3767 */ 3768 return; 3769 } 3770 3771 so_family = so->so_family; 3772 so_type = so->so_type; 3773 3774 switch (so_family) { 3775 case AF_INET: 3776 case AF_INET6: 3777 bzero((void *)so_laddr, sizeof (so_laddr)); 3778 bzero((void *)so_faddr, sizeof (so_faddr)); 3779 3780 /* get local and foreign addresses */ 3781 len = sizeof (so_laddr); 3782 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3783 &len, CRED()); 3784 len = sizeof (so_faddr); 3785 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3786 &len, B_FALSE, CRED()); 3787 3788 add_sock_token = 1; 3789 3790 break; 3791 3792 case AF_UNIX: 3793 3794 /* get path from file struct here */ 3795 fad = F2A(fp); 3796 ASSERT(fad); 3797 3798 if (fad->fad_aupath != NULL) { 3799 au_uwrite(au_to_path(fad->fad_aupath)); 3800 } else { 3801 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3802 } 3803 3804 audit_attributes(fp->f_vnode); 3805 3806 break; 3807 3808 default: 3809 /* 3810 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3811 * added. 3812 */ 3813 break; 3814 } 3815 3816 releasef(fd); 3817 3818 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3819 3820 if (add_sock_token == 0) { 3821 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3822 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3823 } 3824 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3825 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3826 3827 bzero(val, sizeof (val)); 3828 len = min(uap->optlen, sizeof (val)); 3829 if ((len > 0) && 3830 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3831 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3832 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3833 } 3834 3835 if (add_sock_token == 0) 3836 return; 3837 3838 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3839 3840 } 3841 3842 /*ARGSUSED*/ 3843 static void 3844 aus_sockconfig(tad) 3845 struct t_audit_data *tad; 3846 { 3847 struct a { 3848 long domain; 3849 long type; 3850 long protocol; 3851 long devpath; 3852 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3853 3854 char *kdevpath; 3855 int kdevpathlen = MAXPATHLEN + 1; 3856 size_t size; 3857 3858 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3859 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3860 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3861 3862 if (uap->devpath == 0) { 3863 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3864 } else { 3865 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3866 3867 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3868 &size)) { 3869 kmem_free(kdevpath, kdevpathlen); 3870 return; 3871 } 3872 3873 if (size > MAXPATHLEN) { 3874 kmem_free(kdevpath, kdevpathlen); 3875 return; 3876 } 3877 3878 au_uwrite(au_to_text(kdevpath)); 3879 kmem_free(kdevpath, kdevpathlen); 3880 } 3881 } 3882 3883 /* 3884 * only audit recvmsg when the system call represents the creation of a new 3885 * circuit. This effectively occurs for all UDP packets and may occur for 3886 * special TCP situations where the local host has not set a local address 3887 * in the socket structure. 3888 */ 3889 /*ARGSUSED*/ 3890 static void 3891 auf_recvmsg( 3892 struct t_audit_data *tad, 3893 int error, 3894 rval_t *rvp) 3895 { 3896 struct a { 3897 long fd; 3898 long msg; /* struct msghdr */ 3899 long flags; 3900 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3901 3902 struct sonode *so; 3903 STRUCT_DECL(msghdr, msg); 3904 caddr_t msg_name; 3905 socklen_t msg_namelen; 3906 int fd; 3907 int err; 3908 char so_laddr[sizeof (struct sockaddr_in6)]; 3909 char so_faddr[sizeof (struct sockaddr_in6)]; 3910 socklen_t len; 3911 file_t *fp; /* unix domain sockets */ 3912 struct f_audit_data *fad; /* unix domain sockets */ 3913 short so_family, so_type; 3914 int add_sock_token = 0; 3915 au_kcontext_t *kctx = GET_KCTX_PZ; 3916 3917 fd = (int)uap->fd; 3918 3919 /* bail if an error */ 3920 if (error) { 3921 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3922 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3923 return; 3924 } 3925 3926 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3927 /* 3928 * not security relevant if doing a recvmsg from non socket 3929 * so no extra tokens. Should probably turn off audit record 3930 * generation here. 3931 */ 3932 return; 3933 } 3934 3935 so_family = so->so_family; 3936 so_type = so->so_type; 3937 3938 /* 3939 * only putout SOCKET_EX token if INET/INET6 family. 3940 * XXX - what do we do about other families? 3941 */ 3942 3943 switch (so_family) { 3944 case AF_INET: 3945 case AF_INET6: 3946 3947 /* 3948 * if datagram type socket, then just use what is in 3949 * socket structure for local address. 3950 * XXX - what do we do for other types? 3951 */ 3952 if ((so->so_type == SOCK_DGRAM) || 3953 (so->so_type == SOCK_RAW)) { 3954 add_sock_token = 1; 3955 3956 bzero((void *)so_laddr, sizeof (so_laddr)); 3957 bzero((void *)so_faddr, sizeof (so_faddr)); 3958 3959 /* get local address */ 3960 len = sizeof (so_laddr); 3961 (void) socket_getsockname(so, 3962 (struct sockaddr *)so_laddr, &len, CRED()); 3963 3964 /* get peer address */ 3965 STRUCT_INIT(msg, get_udatamodel()); 3966 3967 if (copyin((caddr_t)(uap->msg), 3968 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3969 break; 3970 } 3971 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3972 if (msg_name == NULL) { 3973 break; 3974 } 3975 3976 /* length is value from recvmsg - sanity check */ 3977 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3978 if (msg_namelen == 0) { 3979 break; 3980 } 3981 if (copyin(msg_name, so_faddr, 3982 sizeof (so_faddr)) != 0) { 3983 break; 3984 } 3985 3986 } else if (so->so_type == SOCK_STREAM) { 3987 3988 /* get path from file struct here */ 3989 fad = F2A(fp); 3990 ASSERT(fad); 3991 3992 /* 3993 * already processed this file for read attempt 3994 */ 3995 if (fad->fad_flags & FAD_READ) { 3996 /* don't want to audit every recvmsg attempt */ 3997 tad->tad_flag = 0; 3998 /* free any residual audit data */ 3999 au_close(kctx, &(u_ad), 0, 0, 0); 4000 releasef(fd); 4001 return; 4002 } 4003 /* 4004 * mark things so we know what happened and don't 4005 * repeat things 4006 */ 4007 fad->fad_flags |= FAD_READ; 4008 4009 bzero((void *)so_laddr, sizeof (so_laddr)); 4010 bzero((void *)so_faddr, sizeof (so_faddr)); 4011 4012 /* get local and foreign addresses */ 4013 len = sizeof (so_laddr); 4014 (void) socket_getsockname(so, 4015 (struct sockaddr *)so_laddr, &len, CRED()); 4016 len = sizeof (so_faddr); 4017 (void) socket_getpeername(so, 4018 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4019 4020 add_sock_token = 1; 4021 } 4022 4023 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4024 4025 break; 4026 4027 case AF_UNIX: 4028 /* 4029 * first check if this is first time through. Too much 4030 * duplicate code to put this in an aui_ routine. 4031 */ 4032 4033 /* get path from file struct here */ 4034 fad = F2A(fp); 4035 ASSERT(fad); 4036 4037 /* 4038 * already processed this file for read attempt 4039 */ 4040 if (fad->fad_flags & FAD_READ) { 4041 releasef(fd); 4042 /* don't want to audit every recvmsg attempt */ 4043 tad->tad_flag = 0; 4044 /* free any residual audit data */ 4045 au_close(kctx, &(u_ad), 0, 0, 0); 4046 return; 4047 } 4048 /* 4049 * mark things so we know what happened and don't 4050 * repeat things 4051 */ 4052 fad->fad_flags |= FAD_READ; 4053 4054 if (fad->fad_aupath != NULL) { 4055 au_uwrite(au_to_path(fad->fad_aupath)); 4056 } else { 4057 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4058 } 4059 4060 audit_attributes(fp->f_vnode); 4061 4062 releasef(fd); 4063 4064 return; 4065 4066 default: 4067 break; 4068 4069 } 4070 4071 releasef(fd); 4072 4073 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4074 4075 if (add_sock_token == 0) { 4076 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4077 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4078 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4079 return; 4080 } 4081 4082 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4083 4084 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4085 4086 } 4087 4088 /*ARGSUSED*/ 4089 static void 4090 auf_recvfrom( 4091 struct t_audit_data *tad, 4092 int error, 4093 rval_t *rvp) 4094 { 4095 4096 struct a { 4097 long fd; 4098 long msg; /* char */ 4099 long len; 4100 long flags; 4101 long from; /* struct sockaddr */ 4102 long fromlen; 4103 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4104 4105 socklen_t fromlen; 4106 struct sonode *so; 4107 char so_laddr[sizeof (struct sockaddr_in6)]; 4108 char so_faddr[sizeof (struct sockaddr_in6)]; 4109 int fd; 4110 short so_family, so_type; 4111 int add_sock_token = 0; 4112 socklen_t len; 4113 int err; 4114 struct file *fp; 4115 struct f_audit_data *fad; /* unix domain sockets */ 4116 au_kcontext_t *kctx = GET_KCTX_PZ; 4117 4118 fd = (int)uap->fd; 4119 4120 /* bail if an error */ 4121 if (error) { 4122 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4123 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4124 return; 4125 } 4126 4127 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4128 /* 4129 * not security relevant if doing a recvmsg from non socket 4130 * so no extra tokens. Should probably turn off audit record 4131 * generation here. 4132 */ 4133 return; 4134 } 4135 4136 so_family = so->so_family; 4137 so_type = so->so_type; 4138 4139 /* 4140 * only putout SOCKET_EX token if INET/INET6 family. 4141 * XXX - what do we do about other families? 4142 */ 4143 4144 switch (so_family) { 4145 case AF_INET: 4146 case AF_INET6: 4147 4148 /* 4149 * if datagram type socket, then just use what is in 4150 * socket structure for local address. 4151 * XXX - what do we do for other types? 4152 */ 4153 if ((so->so_type == SOCK_DGRAM) || 4154 (so->so_type == SOCK_RAW)) { 4155 add_sock_token = 1; 4156 4157 /* get local address */ 4158 len = sizeof (so_laddr); 4159 (void) socket_getsockname(so, 4160 (struct sockaddr *)so_laddr, &len, CRED()); 4161 4162 /* get peer address */ 4163 bzero((void *)so_faddr, sizeof (so_faddr)); 4164 4165 /* sanity check */ 4166 if (uap->from == NULL) 4167 break; 4168 4169 /* sanity checks */ 4170 if (uap->fromlen == 0) 4171 break; 4172 4173 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4174 sizeof (fromlen)) != 0) 4175 break; 4176 4177 if (fromlen == 0) 4178 break; 4179 4180 /* enforce maximum size */ 4181 if (fromlen > sizeof (so_faddr)) 4182 fromlen = sizeof (so_faddr); 4183 4184 if (copyin((caddr_t)(uap->from), so_faddr, 4185 fromlen) != 0) 4186 break; 4187 4188 } else if (so->so_type == SOCK_STREAM) { 4189 4190 /* get path from file struct here */ 4191 fad = F2A(fp); 4192 ASSERT(fad); 4193 4194 /* 4195 * already processed this file for read attempt 4196 */ 4197 if (fad->fad_flags & FAD_READ) { 4198 /* don't want to audit every recvfrom attempt */ 4199 tad->tad_flag = 0; 4200 /* free any residual audit data */ 4201 au_close(kctx, &(u_ad), 0, 0, 0); 4202 releasef(fd); 4203 return; 4204 } 4205 /* 4206 * mark things so we know what happened and don't 4207 * repeat things 4208 */ 4209 fad->fad_flags |= FAD_READ; 4210 4211 bzero((void *)so_laddr, sizeof (so_laddr)); 4212 bzero((void *)so_faddr, sizeof (so_faddr)); 4213 4214 /* get local and foreign addresses */ 4215 len = sizeof (so_laddr); 4216 (void) socket_getsockname(so, 4217 (struct sockaddr *)so_laddr, &len, CRED()); 4218 len = sizeof (so_faddr); 4219 (void) socket_getpeername(so, 4220 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4221 4222 add_sock_token = 1; 4223 } 4224 4225 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4226 4227 break; 4228 4229 case AF_UNIX: 4230 /* 4231 * first check if this is first time through. Too much 4232 * duplicate code to put this in an aui_ routine. 4233 */ 4234 4235 /* get path from file struct here */ 4236 fad = F2A(fp); 4237 ASSERT(fad); 4238 4239 /* 4240 * already processed this file for read attempt 4241 */ 4242 if (fad->fad_flags & FAD_READ) { 4243 /* don't want to audit every recvfrom attempt */ 4244 tad->tad_flag = 0; 4245 /* free any residual audit data */ 4246 au_close(kctx, &(u_ad), 0, 0, 0); 4247 releasef(fd); 4248 return; 4249 } 4250 /* 4251 * mark things so we know what happened and don't 4252 * repeat things 4253 */ 4254 fad->fad_flags |= FAD_READ; 4255 4256 if (fad->fad_aupath != NULL) { 4257 au_uwrite(au_to_path(fad->fad_aupath)); 4258 } else { 4259 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4260 } 4261 4262 audit_attributes(fp->f_vnode); 4263 4264 releasef(fd); 4265 4266 return; 4267 4268 default: 4269 break; 4270 4271 } 4272 4273 releasef(fd); 4274 4275 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4276 4277 if (add_sock_token == 0) { 4278 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4279 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4280 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4281 return; 4282 } 4283 4284 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4285 4286 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4287 } 4288 4289 /*ARGSUSED*/ 4290 static void 4291 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4292 { 4293 struct a { 4294 long fd; 4295 long msg; /* struct msghdr */ 4296 long flags; 4297 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4298 4299 struct sonode *so; 4300 char so_laddr[sizeof (struct sockaddr_in6)]; 4301 char so_faddr[sizeof (struct sockaddr_in6)]; 4302 int err; 4303 int fd; 4304 short so_family, so_type; 4305 int add_sock_token = 0; 4306 socklen_t len; 4307 struct file *fp; 4308 struct f_audit_data *fad; 4309 caddr_t msg_name; 4310 socklen_t msg_namelen; 4311 STRUCT_DECL(msghdr, msg); 4312 au_kcontext_t *kctx = GET_KCTX_PZ; 4313 4314 fd = (int)uap->fd; 4315 4316 /* bail if an error */ 4317 if (error) { 4318 /* XXX include destination address from system call arguments */ 4319 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4320 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4321 return; 4322 } 4323 4324 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4325 /* 4326 * not security relevant if doing a sendmsg from non socket 4327 * so no extra tokens. Should probably turn off audit record 4328 * generation here. 4329 */ 4330 return; 4331 } 4332 4333 so_family = so->so_family; 4334 so_type = so->so_type; 4335 4336 switch (so_family) { 4337 case AF_INET: 4338 case AF_INET6: 4339 /* 4340 * if datagram type socket, then just use what is in 4341 * socket structure for local address. 4342 * XXX - what do we do for other types? 4343 */ 4344 if ((so->so_type == SOCK_DGRAM) || 4345 (so->so_type == SOCK_RAW)) { 4346 4347 bzero((void *)so_laddr, sizeof (so_laddr)); 4348 bzero((void *)so_faddr, sizeof (so_faddr)); 4349 4350 /* get local address */ 4351 len = sizeof (so_laddr); 4352 (void) socket_getsockname(so, 4353 (struct sockaddr *)so_laddr, &len, CRED()); 4354 4355 /* get peer address */ 4356 STRUCT_INIT(msg, get_udatamodel()); 4357 4358 if (copyin((caddr_t)(uap->msg), 4359 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4360 break; 4361 } 4362 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4363 if (msg_name == NULL) 4364 break; 4365 4366 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4367 /* length is value from recvmsg - sanity check */ 4368 if (msg_namelen == 0) 4369 break; 4370 4371 if (copyin(msg_name, so_faddr, 4372 sizeof (so_faddr)) != 0) 4373 break; 4374 4375 add_sock_token = 1; 4376 4377 } else if (so->so_type == SOCK_STREAM) { 4378 4379 /* get path from file struct here */ 4380 fad = F2A(fp); 4381 ASSERT(fad); 4382 4383 /* 4384 * already processed this file for write attempt 4385 */ 4386 if (fad->fad_flags & FAD_WRITE) { 4387 releasef(fd); 4388 /* don't want to audit every sendmsg attempt */ 4389 tad->tad_flag = 0; 4390 /* free any residual audit data */ 4391 au_close(kctx, &(u_ad), 0, 0, 0); 4392 return; 4393 } 4394 4395 /* 4396 * mark things so we know what happened and don't 4397 * repeat things 4398 */ 4399 fad->fad_flags |= FAD_WRITE; 4400 4401 bzero((void *)so_laddr, sizeof (so_laddr)); 4402 bzero((void *)so_faddr, sizeof (so_faddr)); 4403 4404 /* get local and foreign addresses */ 4405 len = sizeof (so_laddr); 4406 (void) socket_getsockname(so, 4407 (struct sockaddr *)so_laddr, &len, CRED()); 4408 len = sizeof (so_faddr); 4409 (void) socket_getpeername(so, 4410 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4411 4412 add_sock_token = 1; 4413 } 4414 4415 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4416 4417 break; 4418 4419 case AF_UNIX: 4420 /* 4421 * first check if this is first time through. Too much 4422 * duplicate code to put this in an aui_ routine. 4423 */ 4424 4425 /* get path from file struct here */ 4426 fad = F2A(fp); 4427 ASSERT(fad); 4428 4429 /* 4430 * already processed this file for write attempt 4431 */ 4432 if (fad->fad_flags & FAD_WRITE) { 4433 releasef(fd); 4434 /* don't want to audit every sendmsg attempt */ 4435 tad->tad_flag = 0; 4436 /* free any residual audit data */ 4437 au_close(kctx, &(u_ad), 0, 0, 0); 4438 return; 4439 } 4440 /* 4441 * mark things so we know what happened and don't 4442 * repeat things 4443 */ 4444 fad->fad_flags |= FAD_WRITE; 4445 4446 if (fad->fad_aupath != NULL) { 4447 au_uwrite(au_to_path(fad->fad_aupath)); 4448 } else { 4449 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4450 } 4451 4452 audit_attributes(fp->f_vnode); 4453 4454 releasef(fd); 4455 4456 return; 4457 4458 default: 4459 break; 4460 } 4461 4462 releasef(fd); 4463 4464 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4465 4466 if (add_sock_token == 0) { 4467 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4468 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4469 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4470 return; 4471 } 4472 4473 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4474 4475 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4476 } 4477 4478 /*ARGSUSED*/ 4479 static void 4480 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4481 { 4482 struct a { 4483 long fd; 4484 long msg; /* char */ 4485 long len; 4486 long flags; 4487 long to; /* struct sockaddr */ 4488 long tolen; 4489 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4490 4491 struct sonode *so; 4492 char so_laddr[sizeof (struct sockaddr_in6)]; 4493 char so_faddr[sizeof (struct sockaddr_in6)]; 4494 socklen_t tolen; 4495 int err; 4496 int fd; 4497 socklen_t len; 4498 short so_family, so_type; 4499 int add_sock_token = 0; 4500 struct file *fp; 4501 struct f_audit_data *fad; 4502 au_kcontext_t *kctx = GET_KCTX_PZ; 4503 4504 fd = (int)uap->fd; 4505 4506 /* bail if an error */ 4507 if (error) { 4508 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4509 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4510 /* XXX include destination address from system call arguments */ 4511 return; 4512 } 4513 4514 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4515 /* 4516 * not security relevant if doing a sendto using non socket 4517 * so no extra tokens. Should probably turn off audit record 4518 * generation here. 4519 */ 4520 return; 4521 } 4522 4523 so_family = so->so_family; 4524 so_type = so->so_type; 4525 4526 /* 4527 * only putout SOCKET_EX token if INET/INET6 family. 4528 * XXX - what do we do about other families? 4529 */ 4530 4531 switch (so_family) { 4532 case AF_INET: 4533 case AF_INET6: 4534 4535 /* 4536 * if datagram type socket, then just use what is in 4537 * socket structure for local address. 4538 * XXX - what do we do for other types? 4539 */ 4540 if ((so->so_type == SOCK_DGRAM) || 4541 (so->so_type == SOCK_RAW)) { 4542 4543 bzero((void *)so_laddr, sizeof (so_laddr)); 4544 bzero((void *)so_faddr, sizeof (so_faddr)); 4545 4546 /* get local address */ 4547 len = sizeof (so_laddr); 4548 (void) socket_getsockname(so, 4549 (struct sockaddr *)so_laddr, &len, CRED()); 4550 4551 /* get peer address */ 4552 4553 /* sanity check */ 4554 if (uap->to == NULL) 4555 break; 4556 4557 /* sanity checks */ 4558 if (uap->tolen == 0) 4559 break; 4560 4561 tolen = (socklen_t)uap->tolen; 4562 4563 /* enforce maximum size */ 4564 if (tolen > sizeof (so_faddr)) 4565 tolen = sizeof (so_faddr); 4566 4567 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4568 break; 4569 4570 add_sock_token = 1; 4571 } else { 4572 /* 4573 * check if this is first time through. 4574 */ 4575 4576 /* get path from file struct here */ 4577 fad = F2A(fp); 4578 ASSERT(fad); 4579 4580 /* 4581 * already processed this file for write attempt 4582 */ 4583 if (fad->fad_flags & FAD_WRITE) { 4584 /* don't want to audit every sendto attempt */ 4585 tad->tad_flag = 0; 4586 /* free any residual audit data */ 4587 au_close(kctx, &(u_ad), 0, 0, 0); 4588 releasef(fd); 4589 return; 4590 } 4591 /* 4592 * mark things so we know what happened and don't 4593 * repeat things 4594 */ 4595 fad->fad_flags |= FAD_WRITE; 4596 4597 bzero((void *)so_laddr, sizeof (so_laddr)); 4598 bzero((void *)so_faddr, sizeof (so_faddr)); 4599 4600 /* get local and foreign addresses */ 4601 len = sizeof (so_laddr); 4602 (void) socket_getsockname(so, 4603 (struct sockaddr *)so_laddr, &len, CRED()); 4604 len = sizeof (so_faddr); 4605 (void) socket_getpeername(so, 4606 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4607 4608 add_sock_token = 1; 4609 } 4610 4611 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4612 4613 break; 4614 4615 case AF_UNIX: 4616 /* 4617 * first check if this is first time through. Too much 4618 * duplicate code to put this in an aui_ routine. 4619 */ 4620 4621 /* get path from file struct here */ 4622 fad = F2A(fp); 4623 ASSERT(fad); 4624 4625 /* 4626 * already processed this file for write attempt 4627 */ 4628 if (fad->fad_flags & FAD_WRITE) { 4629 /* don't want to audit every sendto attempt */ 4630 tad->tad_flag = 0; 4631 /* free any residual audit data */ 4632 au_close(kctx, &(u_ad), 0, 0, 0); 4633 releasef(fd); 4634 return; 4635 } 4636 /* 4637 * mark things so we know what happened and don't 4638 * repeat things 4639 */ 4640 fad->fad_flags |= FAD_WRITE; 4641 4642 if (fad->fad_aupath != NULL) { 4643 au_uwrite(au_to_path(fad->fad_aupath)); 4644 } else { 4645 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4646 } 4647 4648 audit_attributes(fp->f_vnode); 4649 4650 releasef(fd); 4651 4652 return; 4653 4654 default: 4655 break; 4656 4657 } 4658 4659 releasef(fd); 4660 4661 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4662 4663 if (add_sock_token == 0) { 4664 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4665 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4666 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4667 return; 4668 } 4669 4670 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4671 4672 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4673 4674 } 4675 4676 /* 4677 * XXX socket(2) may be equivalent to open(2) on a unix domain 4678 * socket. This needs investigation. 4679 */ 4680 4681 /*ARGSUSED*/ 4682 static void 4683 aus_socket(struct t_audit_data *tad) 4684 { 4685 struct a { 4686 long domain; 4687 long type; 4688 long protocol; 4689 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4690 4691 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4692 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4693 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4694 } 4695 4696 /*ARGSUSED*/ 4697 static void 4698 aus_sigqueue(struct t_audit_data *tad) 4699 { 4700 struct a { 4701 long pid; 4702 long signo; 4703 long *val; 4704 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4705 struct proc *p; 4706 uid_t uid, ruid; 4707 gid_t gid, rgid; 4708 pid_t pid; 4709 const auditinfo_addr_t *ainfo; 4710 cred_t *cr; 4711 4712 pid = (pid_t)uap->pid; 4713 4714 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4715 if (pid > 0) { 4716 mutex_enter(&pidlock); 4717 if ((p = prfind(pid)) == (struct proc *)0) { 4718 mutex_exit(&pidlock); 4719 return; 4720 } 4721 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4722 mutex_exit(&pidlock); 4723 4724 mutex_enter(&p->p_crlock); 4725 crhold(cr = p->p_cred); 4726 mutex_exit(&p->p_crlock); 4727 mutex_exit(&p->p_lock); 4728 4729 ainfo = crgetauinfo(cr); 4730 if (ainfo == NULL) { 4731 crfree(cr); 4732 return; 4733 } 4734 4735 uid = crgetuid(cr); 4736 gid = crgetgid(cr); 4737 ruid = crgetruid(cr); 4738 rgid = crgetrgid(cr); 4739 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4740 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4741 crfree(cr); 4742 } 4743 else 4744 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4745 } 4746 4747 /*ARGSUSED*/ 4748 static void 4749 aus_inst_sync(struct t_audit_data *tad) 4750 { 4751 struct a { 4752 long name; /* char */ 4753 long flags; 4754 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4755 4756 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4757 } 4758 4759 /*ARGSUSED*/ 4760 static void 4761 aus_brandsys(struct t_audit_data *tad) 4762 { 4763 klwp_t *clwp = ttolwp(curthread); 4764 4765 struct a { 4766 long cmd; 4767 long arg1; 4768 long arg2; 4769 long arg3; 4770 long arg4; 4771 long arg5; 4772 long arg6; 4773 } *uap = (struct a *)clwp->lwp_ap; 4774 4775 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4776 #ifdef _LP64 4777 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4778 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4779 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4780 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4781 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4782 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4783 #else 4784 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4785 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4786 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4787 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4788 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4789 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4790 #endif 4791 } 4792 4793 /*ARGSUSED*/ 4794 static void 4795 aus_p_online(struct t_audit_data *tad) 4796 { 4797 struct a { 4798 long processor_id; 4799 long flag; 4800 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4801 4802 struct flags { 4803 int flag; 4804 char *cflag; 4805 } aflags[6] = { 4806 { P_ONLINE, "P_ONLINE"}, 4807 { P_OFFLINE, "P_OFFLINE"}, 4808 { P_NOINTR, "P_NOINTR"}, 4809 { P_SPARE, "P_SPARE"}, 4810 { P_FAULTED, "P_FAULTED"}, 4811 { P_STATUS, "P_STATUS"} 4812 }; 4813 int i; 4814 char *cflag; 4815 4816 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4817 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4818 4819 for (i = 0; i < 6; i++) { 4820 if (aflags[i].flag == uap->flag) 4821 break; 4822 } 4823 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4824 4825 au_uwrite(au_to_text(cflag)); 4826 } 4827 4828 /*ARGSUSED*/ 4829 static void 4830 aus_processor_bind(struct t_audit_data *tad) 4831 { 4832 struct a { 4833 long id_type; 4834 long id; 4835 long processor_id; 4836 long obind; 4837 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4838 4839 struct proc *p; 4840 int lwpcnt; 4841 uid_t uid, ruid; 4842 gid_t gid, rgid; 4843 pid_t pid; 4844 const auditinfo_addr_t *ainfo; 4845 cred_t *cr; 4846 4847 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4848 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4849 if (uap->processor_id == PBIND_NONE) 4850 au_uwrite(au_to_text("PBIND_NONE")); 4851 else 4852 au_uwrite(au_to_arg32(3, "processor_id", 4853 (uint32_t)uap->processor_id)); 4854 4855 switch (uap->id_type) { 4856 case P_MYID: 4857 case P_LWPID: 4858 mutex_enter(&pidlock); 4859 p = ttoproc(curthread); 4860 if (p == NULL || p->p_as == &kas) { 4861 mutex_exit(&pidlock); 4862 return; 4863 } 4864 mutex_enter(&p->p_lock); 4865 mutex_exit(&pidlock); 4866 lwpcnt = p->p_lwpcnt; 4867 pid = p->p_pid; 4868 4869 mutex_enter(&p->p_crlock); 4870 crhold(cr = p->p_cred); 4871 mutex_exit(&p->p_crlock); 4872 mutex_exit(&p->p_lock); 4873 4874 ainfo = crgetauinfo(cr); 4875 if (ainfo == NULL) { 4876 crfree(cr); 4877 return; 4878 } 4879 4880 uid = crgetuid(cr); 4881 gid = crgetgid(cr); 4882 ruid = crgetruid(cr); 4883 rgid = crgetrgid(cr); 4884 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4885 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4886 crfree(cr); 4887 break; 4888 case P_PID: 4889 mutex_enter(&pidlock); 4890 p = prfind(uap->id); 4891 if (p == NULL || p->p_as == &kas) { 4892 mutex_exit(&pidlock); 4893 return; 4894 } 4895 mutex_enter(&p->p_lock); 4896 mutex_exit(&pidlock); 4897 lwpcnt = p->p_lwpcnt; 4898 pid = p->p_pid; 4899 4900 mutex_enter(&p->p_crlock); 4901 crhold(cr = p->p_cred); 4902 mutex_exit(&p->p_crlock); 4903 mutex_exit(&p->p_lock); 4904 4905 ainfo = crgetauinfo(cr); 4906 if (ainfo == NULL) { 4907 crfree(cr); 4908 return; 4909 } 4910 4911 uid = crgetuid(cr); 4912 gid = crgetgid(cr); 4913 ruid = crgetruid(cr); 4914 rgid = crgetrgid(cr); 4915 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4916 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4917 crfree(cr); 4918 4919 break; 4920 default: 4921 return; 4922 } 4923 4924 if (uap->processor_id == PBIND_NONE && 4925 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4926 au_uwrite(au_to_text("PBIND_NONE for process")); 4927 else 4928 au_uwrite(au_to_arg32(3, "processor_id", 4929 (uint32_t)uap->processor_id)); 4930 } 4931 4932 /*ARGSUSED*/ 4933 static au_event_t 4934 aui_doorfs(au_event_t e) 4935 { 4936 uint32_t code; 4937 4938 struct a { /* doorfs */ 4939 long a1; 4940 long a2; 4941 long a3; 4942 long a4; 4943 long a5; 4944 long code; 4945 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4946 4947 /* 4948 * audit formats for several of the 4949 * door calls have not yet been determined 4950 */ 4951 code = (uint32_t)uap->code; 4952 switch (code) { 4953 case DOOR_CALL: 4954 e = AUE_DOORFS_DOOR_CALL; 4955 break; 4956 case DOOR_RETURN: 4957 e = AUE_NULL; 4958 break; 4959 case DOOR_CREATE: 4960 e = AUE_DOORFS_DOOR_CREATE; 4961 break; 4962 case DOOR_REVOKE: 4963 e = AUE_DOORFS_DOOR_REVOKE; 4964 break; 4965 case DOOR_INFO: 4966 e = AUE_NULL; 4967 break; 4968 case DOOR_UCRED: 4969 e = AUE_NULL; 4970 break; 4971 case DOOR_BIND: 4972 e = AUE_NULL; 4973 break; 4974 case DOOR_UNBIND: 4975 e = AUE_NULL; 4976 break; 4977 case DOOR_GETPARAM: 4978 e = AUE_NULL; 4979 break; 4980 case DOOR_SETPARAM: 4981 e = AUE_NULL; 4982 break; 4983 default: /* illegal system call */ 4984 e = AUE_NULL; 4985 break; 4986 } 4987 4988 return (e); 4989 } 4990 4991 static door_node_t * 4992 au_door_lookup(int did) 4993 { 4994 vnode_t *vp; 4995 file_t *fp; 4996 4997 if ((fp = getf(did)) == NULL) 4998 return (NULL); 4999 /* 5000 * Use the underlying vnode (we may be namefs mounted) 5001 */ 5002 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5003 vp = fp->f_vnode; 5004 5005 if (vp == NULL || vp->v_type != VDOOR) { 5006 releasef(did); 5007 return (NULL); 5008 } 5009 5010 return (VTOD(vp)); 5011 } 5012 5013 /*ARGSUSED*/ 5014 static void 5015 aus_doorfs(struct t_audit_data *tad) 5016 { 5017 5018 struct a { /* doorfs */ 5019 long a1; 5020 long a2; 5021 long a3; 5022 long a4; 5023 long a5; 5024 long code; 5025 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5026 5027 door_node_t *dp; 5028 struct proc *p; 5029 uint32_t did; 5030 uid_t uid, ruid; 5031 gid_t gid, rgid; 5032 pid_t pid; 5033 const auditinfo_addr_t *ainfo; 5034 cred_t *cr; 5035 5036 did = (uint32_t)uap->a1; 5037 5038 switch (tad->tad_event) { 5039 case AUE_DOORFS_DOOR_CALL: 5040 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5041 if ((dp = au_door_lookup(did)) == NULL) 5042 break; 5043 5044 if (DOOR_INVALID(dp)) { 5045 releasef(did); 5046 break; 5047 } 5048 5049 if ((p = dp->door_target) == NULL) { 5050 releasef(did); 5051 break; 5052 } 5053 mutex_enter(&p->p_lock); 5054 releasef(did); 5055 5056 pid = p->p_pid; 5057 5058 mutex_enter(&p->p_crlock); 5059 crhold(cr = p->p_cred); 5060 mutex_exit(&p->p_crlock); 5061 mutex_exit(&p->p_lock); 5062 5063 ainfo = crgetauinfo(cr); 5064 if (ainfo == NULL) { 5065 crfree(cr); 5066 return; 5067 } 5068 uid = crgetuid(cr); 5069 gid = crgetgid(cr); 5070 ruid = crgetruid(cr); 5071 rgid = crgetrgid(cr); 5072 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5073 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5074 crfree(cr); 5075 break; 5076 case AUE_DOORFS_DOOR_RETURN: 5077 /* 5078 * We may want to write information about 5079 * all doors (if any) which will be copied 5080 * by this call to the user space 5081 */ 5082 break; 5083 case AUE_DOORFS_DOOR_CREATE: 5084 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5085 break; 5086 case AUE_DOORFS_DOOR_REVOKE: 5087 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5088 break; 5089 case AUE_DOORFS_DOOR_INFO: 5090 break; 5091 case AUE_DOORFS_DOOR_CRED: 5092 break; 5093 case AUE_DOORFS_DOOR_BIND: 5094 break; 5095 case AUE_DOORFS_DOOR_UNBIND: { 5096 break; 5097 } 5098 default: /* illegal system call */ 5099 break; 5100 } 5101 } 5102 5103 /*ARGSUSED*/ 5104 static au_event_t 5105 aui_acl(au_event_t e) 5106 { 5107 struct a { 5108 union { 5109 long name; /* char */ 5110 long fd; 5111 } obj; 5112 5113 long cmd; 5114 long nentries; 5115 long arg; /* aclent_t */ 5116 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5117 5118 switch (uap->cmd) { 5119 case SETACL: 5120 case ACE_SETACL: 5121 /* 5122 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5123 * are expected. 5124 */ 5125 break; 5126 case GETACL: 5127 case GETACLCNT: 5128 case ACE_GETACL: 5129 case ACE_GETACLCNT: 5130 /* do nothing for these four values. */ 5131 e = AUE_NULL; 5132 break; 5133 default: 5134 /* illegal system call */ 5135 break; 5136 } 5137 5138 return (e); 5139 } 5140 5141 static void 5142 au_acl(int cmd, int nentries, caddr_t bufp) 5143 { 5144 size_t a_size; 5145 aclent_t *aclbufp; 5146 ace_t *acebufp; 5147 int i; 5148 5149 switch (cmd) { 5150 case GETACL: 5151 case GETACLCNT: 5152 break; 5153 case SETACL: 5154 if (nentries < 3) 5155 break; 5156 5157 a_size = nentries * sizeof (aclent_t); 5158 5159 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5160 break; 5161 if (copyin(bufp, aclbufp, a_size)) { 5162 kmem_free(aclbufp, a_size); 5163 break; 5164 } 5165 for (i = 0; i < nentries; i++) { 5166 au_uwrite(au_to_acl(aclbufp + i)); 5167 } 5168 kmem_free(aclbufp, a_size); 5169 break; 5170 5171 case ACE_SETACL: 5172 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5173 break; 5174 5175 a_size = nentries * sizeof (ace_t); 5176 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5177 break; 5178 if (copyin(bufp, acebufp, a_size)) { 5179 kmem_free(acebufp, a_size); 5180 break; 5181 } 5182 for (i = 0; i < nentries; i++) { 5183 au_uwrite(au_to_ace(acebufp + i)); 5184 } 5185 kmem_free(acebufp, a_size); 5186 break; 5187 default: 5188 break; 5189 } 5190 } 5191 5192 /*ARGSUSED*/ 5193 static void 5194 aus_acl(struct t_audit_data *tad) 5195 { 5196 struct a { 5197 long fname; 5198 long cmd; 5199 long nentries; 5200 long aclbufp; 5201 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5202 5203 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5204 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5205 5206 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5207 } 5208 5209 /*ARGSUSED*/ 5210 static void 5211 aus_facl(struct t_audit_data *tad) 5212 { 5213 struct a { 5214 long fd; 5215 long cmd; 5216 long nentries; 5217 long aclbufp; 5218 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5219 struct file *fp; 5220 struct vnode *vp; 5221 struct f_audit_data *fad; 5222 int fd; 5223 5224 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5225 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5226 5227 fd = (int)uap->fd; 5228 5229 if ((fp = getf(fd)) == NULL) 5230 return; 5231 5232 /* get path from file struct here */ 5233 fad = F2A(fp); 5234 if (fad->fad_aupath != NULL) { 5235 au_uwrite(au_to_path(fad->fad_aupath)); 5236 } else { 5237 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5238 } 5239 5240 vp = fp->f_vnode; 5241 audit_attributes(vp); 5242 5243 /* decrement file descriptor reference count */ 5244 releasef(fd); 5245 5246 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5247 } 5248 5249 /*ARGSUSED*/ 5250 static void 5251 auf_read(tad, error, rval) 5252 struct t_audit_data *tad; 5253 int error; 5254 rval_t *rval; 5255 { 5256 struct file *fp; 5257 struct f_audit_data *fad; 5258 int fd; 5259 register struct a { 5260 long fd; 5261 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5262 au_kcontext_t *kctx = GET_KCTX_PZ; 5263 5264 fd = (int)uap->fd; 5265 5266 /* 5267 * convert file pointer to file descriptor 5268 * Note: fd ref count incremented here. 5269 */ 5270 if ((fp = getf(fd)) == NULL) 5271 return; 5272 5273 /* get path from file struct here */ 5274 fad = F2A(fp); 5275 ASSERT(fad); 5276 5277 /* 5278 * already processed this file for read attempt 5279 * 5280 * XXX might be better to turn off auditing in a aui_read() routine. 5281 */ 5282 if (fad->fad_flags & FAD_READ) { 5283 /* don't really want to audit every read attempt */ 5284 tad->tad_flag = 0; 5285 /* free any residual audit data */ 5286 au_close(kctx, &(u_ad), 0, 0, 0); 5287 releasef(fd); 5288 return; 5289 } 5290 /* mark things so we know what happened and don't repeat things */ 5291 fad->fad_flags |= FAD_READ; 5292 5293 if (fad->fad_aupath != NULL) { 5294 au_uwrite(au_to_path(fad->fad_aupath)); 5295 } else { 5296 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5297 } 5298 5299 /* include attributes */ 5300 audit_attributes(fp->f_vnode); 5301 5302 /* decrement file descriptor reference count */ 5303 releasef(fd); 5304 } 5305 5306 /*ARGSUSED*/ 5307 static void 5308 auf_write(tad, error, rval) 5309 struct t_audit_data *tad; 5310 int error; 5311 rval_t *rval; 5312 { 5313 struct file *fp; 5314 struct f_audit_data *fad; 5315 int fd; 5316 register struct a { 5317 long fd; 5318 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5319 au_kcontext_t *kctx = GET_KCTX_PZ; 5320 5321 fd = (int)uap->fd; 5322 5323 /* 5324 * convert file pointer to file descriptor 5325 * Note: fd ref count incremented here. 5326 */ 5327 if ((fp = getf(fd)) == NULL) 5328 return; 5329 5330 /* get path from file struct here */ 5331 fad = F2A(fp); 5332 ASSERT(fad); 5333 5334 /* 5335 * already processed this file for write attempt 5336 * 5337 * XXX might be better to turn off auditing in a aus_write() routine. 5338 */ 5339 if (fad->fad_flags & FAD_WRITE) { 5340 /* don't really want to audit every write attempt */ 5341 tad->tad_flag = 0; 5342 /* free any residual audit data */ 5343 au_close(kctx, &(u_ad), 0, 0, 0); 5344 releasef(fd); 5345 return; 5346 } 5347 /* mark things so we know what happened and don't repeat things */ 5348 fad->fad_flags |= FAD_WRITE; 5349 5350 if (fad->fad_aupath != NULL) { 5351 au_uwrite(au_to_path(fad->fad_aupath)); 5352 } else { 5353 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5354 } 5355 5356 /* include attributes */ 5357 audit_attributes(fp->f_vnode); 5358 5359 /* decrement file descriptor reference count */ 5360 releasef(fd); 5361 } 5362 5363 /*ARGSUSED*/ 5364 static void 5365 auf_recv(tad, error, rval) 5366 struct t_audit_data *tad; 5367 int error; 5368 rval_t *rval; 5369 { 5370 struct sonode *so; 5371 char so_laddr[sizeof (struct sockaddr_in6)]; 5372 char so_faddr[sizeof (struct sockaddr_in6)]; 5373 struct file *fp; 5374 struct f_audit_data *fad; 5375 int fd; 5376 int err; 5377 socklen_t len; 5378 short so_family, so_type; 5379 register struct a { 5380 long fd; 5381 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5382 au_kcontext_t *kctx = GET_KCTX_PZ; 5383 5384 /* 5385 * If there was an error, then nothing to do. Only generate 5386 * audit record on first successful recv. 5387 */ 5388 if (error) { 5389 /* Turn off audit record generation here. */ 5390 tad->tad_flag = 0; 5391 /* free any residual audit data */ 5392 au_close(kctx, &(u_ad), 0, 0, 0); 5393 return; 5394 } 5395 5396 fd = (int)uap->fd; 5397 5398 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5399 /* Turn off audit record generation here. */ 5400 tad->tad_flag = 0; 5401 /* free any residual audit data */ 5402 au_close(kctx, &(u_ad), 0, 0, 0); 5403 return; 5404 } 5405 5406 /* get path from file struct here */ 5407 fad = F2A(fp); 5408 ASSERT(fad); 5409 5410 /* 5411 * already processed this file for read attempt 5412 */ 5413 if (fad->fad_flags & FAD_READ) { 5414 releasef(fd); 5415 /* don't really want to audit every recv call */ 5416 tad->tad_flag = 0; 5417 /* free any residual audit data */ 5418 au_close(kctx, &(u_ad), 0, 0, 0); 5419 return; 5420 } 5421 5422 /* mark things so we know what happened and don't repeat things */ 5423 fad->fad_flags |= FAD_READ; 5424 5425 so_family = so->so_family; 5426 so_type = so->so_type; 5427 5428 switch (so_family) { 5429 case AF_INET: 5430 case AF_INET6: 5431 /* 5432 * Only for connections. 5433 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5434 */ 5435 if (so->so_state & SS_ISBOUND) { 5436 5437 bzero((void *)so_laddr, sizeof (so_laddr)); 5438 bzero((void *)so_faddr, sizeof (so_faddr)); 5439 5440 /* get local and foreign addresses */ 5441 len = sizeof (so_laddr); 5442 (void) socket_getsockname(so, 5443 (struct sockaddr *)so_laddr, &len, CRED()); 5444 len = sizeof (so_faddr); 5445 (void) socket_getpeername(so, 5446 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5447 5448 /* 5449 * only way to drop out of switch. Note that we 5450 * we release fd below. 5451 */ 5452 5453 break; 5454 } 5455 5456 releasef(fd); 5457 5458 /* don't really want to audit every recv call */ 5459 tad->tad_flag = 0; 5460 /* free any residual audit data */ 5461 au_close(kctx, &(u_ad), 0, 0, 0); 5462 5463 return; 5464 5465 case AF_UNIX: 5466 5467 if (fad->fad_aupath != NULL) { 5468 au_uwrite(au_to_path(fad->fad_aupath)); 5469 } else { 5470 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5471 } 5472 5473 audit_attributes(fp->f_vnode); 5474 5475 releasef(fd); 5476 5477 return; 5478 5479 default: 5480 releasef(fd); 5481 5482 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5483 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5484 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5485 5486 return; 5487 } 5488 5489 releasef(fd); 5490 5491 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5492 5493 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5494 5495 } 5496 5497 /*ARGSUSED*/ 5498 static void 5499 auf_send(tad, error, rval) 5500 struct t_audit_data *tad; 5501 int error; 5502 rval_t *rval; 5503 { 5504 struct sonode *so; 5505 char so_laddr[sizeof (struct sockaddr_in6)]; 5506 char so_faddr[sizeof (struct sockaddr_in6)]; 5507 struct file *fp; 5508 struct f_audit_data *fad; 5509 int fd; 5510 int err; 5511 socklen_t len; 5512 short so_family, so_type; 5513 register struct a { 5514 long fd; 5515 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5516 au_kcontext_t *kctx = GET_KCTX_PZ; 5517 5518 fd = (int)uap->fd; 5519 5520 /* 5521 * If there was an error, then nothing to do. Only generate 5522 * audit record on first successful send. 5523 */ 5524 if (error != 0) { 5525 /* Turn off audit record generation here. */ 5526 tad->tad_flag = 0; 5527 /* free any residual audit data */ 5528 au_close(kctx, &(u_ad), 0, 0, 0); 5529 return; 5530 } 5531 5532 fd = (int)uap->fd; 5533 5534 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5535 /* Turn off audit record generation here. */ 5536 tad->tad_flag = 0; 5537 /* free any residual audit data */ 5538 au_close(kctx, &(u_ad), 0, 0, 0); 5539 return; 5540 } 5541 5542 /* get path from file struct here */ 5543 fad = F2A(fp); 5544 ASSERT(fad); 5545 5546 /* 5547 * already processed this file for write attempt 5548 */ 5549 if (fad->fad_flags & FAD_WRITE) { 5550 releasef(fd); 5551 /* don't really want to audit every send call */ 5552 tad->tad_flag = 0; 5553 /* free any residual audit data */ 5554 au_close(kctx, &(u_ad), 0, 0, 0); 5555 return; 5556 } 5557 5558 /* mark things so we know what happened and don't repeat things */ 5559 fad->fad_flags |= FAD_WRITE; 5560 5561 so_family = so->so_family; 5562 so_type = so->so_type; 5563 5564 switch (so_family) { 5565 case AF_INET: 5566 case AF_INET6: 5567 /* 5568 * Only for connections. 5569 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5570 */ 5571 if (so->so_state & SS_ISBOUND) { 5572 5573 bzero((void *)so_laddr, sizeof (so_laddr)); 5574 bzero((void *)so_faddr, sizeof (so_faddr)); 5575 5576 /* get local and foreign addresses */ 5577 len = sizeof (so_laddr); 5578 (void) socket_getsockname(so, 5579 (struct sockaddr *)so_laddr, &len, CRED()); 5580 len = sizeof (so_faddr); 5581 (void) socket_getpeername(so, 5582 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5583 5584 /* 5585 * only way to drop out of switch. Note that we 5586 * we release fd below. 5587 */ 5588 5589 break; 5590 } 5591 5592 releasef(fd); 5593 /* don't really want to audit every send call */ 5594 tad->tad_flag = 0; 5595 /* free any residual audit data */ 5596 au_close(kctx, &(u_ad), 0, 0, 0); 5597 5598 return; 5599 5600 case AF_UNIX: 5601 5602 if (fad->fad_aupath != NULL) { 5603 au_uwrite(au_to_path(fad->fad_aupath)); 5604 } else { 5605 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5606 } 5607 5608 audit_attributes(fp->f_vnode); 5609 5610 releasef(fd); 5611 5612 return; 5613 5614 default: 5615 releasef(fd); 5616 5617 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5618 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5619 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5620 5621 return; 5622 } 5623 5624 releasef(fd); 5625 5626 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5627 5628 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5629 } 5630 5631 static au_event_t 5632 aui_forksys(au_event_t e) 5633 { 5634 struct a { 5635 long subcode; 5636 long flags; 5637 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5638 5639 switch ((uint_t)uap->subcode) { 5640 case 0: 5641 e = AUE_FORK1; 5642 break; 5643 case 1: 5644 e = AUE_FORKALL; 5645 break; 5646 case 2: 5647 e = AUE_VFORK; 5648 break; 5649 default: 5650 e = AUE_NULL; 5651 break; 5652 } 5653 5654 return (e); 5655 } 5656 5657 /*ARGSUSED*/ 5658 static au_event_t 5659 aui_portfs(au_event_t e) 5660 { 5661 struct a { /* portfs */ 5662 long a1; 5663 long a2; 5664 long a3; 5665 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5666 5667 /* 5668 * check opcode 5669 */ 5670 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5671 case PORT_ASSOCIATE: 5672 /* check source */ 5673 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5674 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5675 e = AUE_PORTFS_ASSOCIATE; 5676 } else { 5677 e = AUE_NULL; 5678 } 5679 break; 5680 case PORT_DISSOCIATE: 5681 /* check source */ 5682 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5683 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5684 e = AUE_PORTFS_DISSOCIATE; 5685 } else { 5686 e = AUE_NULL; 5687 } 5688 break; 5689 default: 5690 e = AUE_NULL; 5691 } 5692 return (e); 5693 } 5694